Social Engineering: Your automation network's largest security vulnerability

Posted by Matt Newton on Mar 21, 2017 8:00:00 AM

Social engineering doesn't take the form of traditional computer hacking
When most people think about cyber security, they probably conjure up thoughts of someone locked away in a dark room, wearing the same grey hoodie for months. Staring at a screen for days at a time looking for just the right network packet to tell them where and how to attack. But that's not always how hacking is done.

We imagine the typical hacker staring at lines of code and process control network packets streaming across the screen of a MacBook Pro, its lid all decked out with programming language stickers and ant- establishment rhetoric.

Our hacker's pale face hasn’t seen the light of day in weeks. With acid techno blaring away in their headphones, they’ve been busily hacking away, brute-forcing that four-character password on the PLC you left connected to your public DSL connection.

If only that old DSL router you pulled out of the closet supported NAT connections based on TCP ports, you could’ve at least added some level of security to your PLC network. But you opted to connect the PLC directly to the Internet. And now our imaginary hacker just used Brutus to crack your password.


With access to the city’s process control network and water treatment system, they’ll surely be back for a ransomware attack on the district in a few weeks.

Subscribe to the OptoBlog

Social engineering gains a victim's trust to get access to digital assetsWhile this scenario fits what most people think about when cyber security comes to mind, it's not really what a social engineering attack looks like.

Which is part of what makes it so dangerous. 

Social engineering takes a completely different approach to breaking into networks and the computer systems attached to them. It doesn’t involve cracking digital systems so much as it preys on humanity’s natural inclination to trust other people.

Ask any cyber security professional, and they’ll tell you the weakest link in any procedure related to security is the human being involved in the process.

The person who accepts a given person or scenario at face value is the social engineering hacker's favorite target.

It doesn’t matter how many layers of defense you’ve built around your automation devices to protect them from cyber security threats. If a person lets an attacker into the building and gives them access to the control network, all your efforts go out the window. All the air gapping in the world won’t save your network from a determined social engineering hacker.

Social engineering preys on human psychology and curiosity in order to compromise a target. Here are five common social engineering attacks to watch out for in your factory or plant.

Always trust but verify unknown visitors to your plant or factoryTailgating: Sometimes known as piggybacking, tailgating is when someone who lacks proper authentication follows an employee into a restricted area.

Organizations where people don't know each other well or companies with high employee turnover are especially vulnerable to tailgating.  

But in any setting, imagine someone casually striking up a conversation with you as you both stroll past the front desk.

A show of familiarity like this might be enough to keep the office administrator from asking an attacker to sign in before proceeding to restricted areas.

No matter what your position in the company, be vigilant and assume anyone you don’t know absolutely shouldn't have access to restricted areas.

Phishing: Perhaps the most common type of social engineering attack, phishing is an attempt to get personal information like names, addresses, passwords, etc. through means like shortened links or hidden embedded links in emails.

Always be sure the email you’re reading is from the person you think it is. And don’t click on links to sites you’re not familiar with. It may also be a good idea to disable automatically displaying images in your email, as they can link to sites with malicious software.

Quid Pro Quo: Imagine you get a call from an IT service manager telling you the computer running your HMI software is infected with malicious code, and you need to immediately install a software patch from the company’s secure software site before the entire control network and the attached devices are infected.

Don't insert unknown USB flash drives

This is an example of a quid pro quo social engineering attack: the attacker promises a quick fix in exchange for installing a small software patch.

Quid Pro Quo also occurs when an attacker promises a free service or gift in exchange for information.

In either case, once the attacker convinces the target they’re who they say they are, the victim provides network access credentials or other sensitive information that gives the attacker direct control of a computer or access to the control network. 

When it comes to defending against quid pro quo attacks remember, if the offer sounds too good to be true it probably is. Verify what's being offered against a reliable source.

Baiting: We all know, or at least should know, the story behind Stuxnet. How do you break into an underground facility tightly secured with armed guards and quietly destroy millions of dollars' worth of nuclear energy equipment? Free USB thumb drives is how.

Baiting uses the promise of an item or good to entice victims. These promises may come in the form of free music or movie downloads, maybe even USB keys left on the ground in a parking lot, to get victims to surrender their login credentials for secure physical sites or computer systems.

So don't be baited: don't insert USB keys into your automation systems unless you're 100% sure where they came from.

Pretexting: A pretexting attack involves the hacker building a false sense of trust with the victim. The attacker builds a credible story about who they are and what they’re doing to gain the victim's trust. For example, an electrician may show up to a water district to repair some outlets.

This kind of believable story is used to gain trust with the victim, but it may end up in an all-out assault on the SCADA network running the water treatment plant. So apply the age old wisdom of trust but verify.

Cyber security is a hot topic in the industrial automation space these days, and for good reason. The industry has figured out that adding an RJ45 connector and IP address to industrial controllers and devices means those systems are now susceptible to attacks and exploits that traditional IT equipment has dealt with for decades.

As a result, some operations technology professionals are beginning to learn the art and science of protecting automation assets through industrial cyber security. But the age-old hacker tradecraft of social engineering is a concept every operations technology professional—in fact, pretty much every personneeds to be vigilantly aware of.

For more cyber security tips and tricks, subscribe to the Opto 22 blog.

Subscribe to the OptoBlog

Topics: Process control, PACs, Networking, Security

Written by Matt Newton

    Subscribe to Email Updates

    Recent Posts

    Posts by Topic

    see all