Hi everyone, one of my clients had a breach today on his industrial network. They don't have in-house IT, and their consultants are better at installing printers than at managing an industrial network.
I was called on site to restart the plant after a crash. After a few hours I realized that some devices had been attacked by brute force to break passwords; the logs in the PLC and SCADA were insane.
The problem is that the attacked devices are on a VLAN with inbound rules that block everything and only one outbound rule to a server on a specific port, with protocol inspection.
I thought that someone had physically connected to the network... I looked at the security cameras and found nothing. We checked the SCADA PC with AV and found nothing.
Then I asked for access to all the firewalls and switches and did some research in the logs. I found the packets used for the attack on the switch where the equipment was connected. But the source IP did not exist and the MAC was not listed for any component in this VLAN.
After a bit more research I found that this switch has an uplink trunk to the firewall. It also carries the WirelessGuest VLAN. In the DHCP of the WirelessGuest I found the MAC that sent the attack packets. And I also found the exact same packets with only one difference: the VLAN header was different.
This VLAN has no access to the automation VLAN, so the firewall should not have changed the header.
Does someone have any idea how a mid-20s blond guy with a black F150 truck and a laptop (thanks to the outside security camera) was able to do that? And any good documentation on how to protect the network against that kind of attack?
Note: sorry for typos. English is my second language and I still have difficulties.
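An added example from the defender's side, not part of the original post: a small Python check that parses the 802.1Q tag stack of frames captured on the switch-to-firewall trunk and flags frames that carry stacked tags or whose source MAC is not registered on the VLAN the outer tag claims, which is the kind of mismatch described above (guest-VLAN MAC, automation-VLAN header). The MAC allowlist, VLAN numbers and sample frames are constructed assumptions, not values from the poster's network.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q tag
TPID_8021AD = 0x88A8  # service tag used for QinQ

# Constructed allowlist (assumption): which source MACs belong on which VLAN.
EXPECTED_MACS = {
    10: {"00:11:22:33:44:55"},  # automation VLAN: the PLC
    40: {"aa:bb:cc:dd:ee:01"},  # WirelessGuest VLAN: a guest laptop
}

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst: str, src: str, vlan_ids, ethertype=0x0800, payload=b"\x00" * 4) -> bytes:
    """Construct a test frame with zero or more stacked 802.1Q tags (outer first)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload

def parse_vlan_tags(frame: bytes):
    """Return (src_mac, [vlan ids outer->inner], payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    src = frame[6:12].hex(":")
    offset, vlans = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return src, vlans, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID

def audit(frame: bytes, expected=EXPECTED_MACS):
    """Findings for one frame captured on the trunk; an empty list means nothing odd."""
    src, vlans, _ = parse_vlan_tags(frame)
    findings = []
    if not vlans:
        return findings  # untagged on the trunk: native VLAN, handled elsewhere
    if len(vlans) > 1:
        findings.append(f"stacked 802.1Q tags {vlans} from {src}")
    outer = vlans[0]  # the VLAN the switch will forward this frame on
    if src not in expected.get(outer, set()):
        findings.append(f"source {src} not registered on VLAN {outer}")
    return findings
```

Run it over a SPAN/mirror capture of the trunk; any finding for the automation VLAN ID is worth correlating with the switch's MAC table and DHCP leases, as was done by hand above.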