A red team’s journey into industrial security
Learn how a red team navigated an engagement focused on the OT network at Titan Industrial Solutions. Did they succeed?
Titan Industrial Solutions is a fictional manufacturing company that produces high-precision components for the aerospace industry. Their factory floor is controlled by an intricate Operational Technology (OT) network, including Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and Industrial IoT (IIoT) devices. Concerned about the growing threat of cyberattacks on industrial systems, Titan's leadership hires a red team to evaluate their security.
Before any testing begins, the red team collaborates with Titan’s leadership to define the scope of the engagement. Through the scoping exercise, the team attempts to establish clear boundaries, deciding which systems can be tested, what attack methods are permitted, and whether production OT infrastructure will be involved.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
The team runs into several challenges while scoping this engagement:
- Balancing security testing against operational safety, since aggressive testing could cause downtime.
- Defining attack scenarios: should the red team simulate insider threats, supply chain attacks, or cyber-physical sabotage?
- Legal and compliance constraints, since certain testing activities might violate industry regulations.
Next, the red team develops a Rules of Engagement (RoE) document. It lists the authorized testing techniques, the time windows for testing (chosen to avoid peak production hours), and emergency stop procedures in case testing unexpectedly affects operations. Writing it forces answers to questions such as: how clearly defined are the boundaries for testing the OT environment, and does the organization have an emergency rollback plan?
With the scope and rules of engagement defined, the red team begins operations. A significant challenge emerges early: limited documentation. Like many OT environments, Titan's network has evolved over decades, with undocumented legacy systems still in use. To work around this, the red team uses employee interviews to map out Titan's OT ecosystem.
The red team then starts with passive testing: capturing and observing traffic without sending anything to the controllers. They soon uncover an issue: the OT and IT networks are not properly segmented, so a breach of the corporate network could let an attacker pivot into the OT environment. Other findings and constraints include the lack of a dedicated testbed for security assessments, legacy protocols with no authentication (any host that can reach a controller can issue commands to it), and strict uptime requirements that limit when testing can be conducted.
As the engagement continues, the red team focuses on identifying attack paths. Titan allows engineers to troubleshoot factory equipment remotely, but the red team finds that the remote access solution relies on weak authentication: passwords alone, with no multi-factor authentication. Using credential stuffing (replaying username and password pairs leaked from other breaches), the red team gains access to a remote engineering workstation. From there, they show how a real attacker could alter setpoints in the manufacturing process, potentially leading to defective products or safety hazards. However, they stop short of making any actual changes, because testing in a live OT environment must be carefully controlled and writes to production controllers fall outside what the rules of engagement permit.
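The two findings above, an unsegmented IT/OT boundary and an unauthenticated legacy protocol, are both visible from a passive capture, and a setpoint change is simply a write request on that protocol. The following is an added example, not code from the original post or from any tool it describes: a small Modbus/TCP parser with two monitoring rules, one that flags requests crossing from the corporate subnet into the OT subnet, and one that flags write function codes from any host other than an allow-listed engineering workstation. The subnets (10.10.0.0/16 for IT, 10.20.0.0/16 for OT), the engineering workstation address 10.20.5.10, and the four captured frames are all constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Standard Modbus function codes (Modbus Application Protocol specification).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed network layout for this example (not taken from the original post).
CORP_NET = ipaddress.ip_network("10.10.0.0/16")            # corporate IT
OT_NET = ipaddress.ip_network("10.20.0.0/16")              # PLC / SCADA network
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.5.10")}   # allow-listed EWS


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # coil / register start address
    argument: Optional[int]  # value for FC 5 and 6, quantity for the other codes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the leading PDU fields.

    Raises ValueError for frames that are not well-formed Modbus/TCP.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    # The MBAP length counts unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    address = argument = None
    if fc in READ_FUNCTIONS or fc in WRITE_FUNCTIONS:
        if len(payload) < 12:
            raise ValueError("PDU truncated")
        address, argument = struct.unpack("!HH", payload[8:12])
    return ModbusRequest(tid, unit, fc, address, argument)


def is_well_formed(payload: bytes) -> bool:
    """True if parse_modbus_tcp accepts the frame, False otherwise."""
    try:
        parse_modbus_tcp(payload)
        return True
    except ValueError:
        return False


def assess(src: str, dst: str, payload: bytes) -> list:
    """Return the findings a passive monitor would raise for one request."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    req = parse_modbus_tcp(payload)
    findings = []
    if src_ip in CORP_NET and dst_ip in OT_NET:
        findings.append("segmentation: Modbus request crossed from IT into OT")
    if req.function_code in WRITE_FUNCTIONS and src_ip not in ENGINEERING_HOSTS:
        findings.append(
            f"unauthenticated write: {WRITE_FUNCTIONS[req.function_code]} "
            f"to unit {req.unit_id} address {req.address} from {src_ip}")
    return findings


# Constructed sample capture: (src, dst, raw Modbus/TCP payload). Not real traffic.
SAMPLE_CAPTURE = [
    # EWS reads 10 holding registers from a PLC: normal polling.
    ("10.20.5.10", "10.20.1.5", bytes.fromhex("00010000000601030000000a")),
    # Corporate host writes holding register 100 := 500: crosses IT/OT and is a write.
    ("10.10.3.44", "10.20.1.5", bytes.fromhex("0002000000060106006401f4")),
    # Same write from the allow-listed EWS: permitted.
    ("10.20.5.10", "10.20.1.5", bytes.fromhex("0003000000060106006401f4")),
    # Unknown OT host writes two registers starting at 100: write from a non-EWS.
    ("10.20.7.99", "10.20.1.5", bytes.fromhex("00040000000b0110006400020400010002")),
]


def run_sample() -> dict:
    """Map each sample frame's transaction id to its list of findings."""
    return {parse_modbus_tcp(p).transaction_id: assess(s, d, p)
            for s, d, p in SAMPLE_CAPTURE}


if __name__ == "__main__":
    for tid, findings in run_sample().items():
        print(f"transaction {tid}: {findings or ['no findings']}")
```

Pointed at a SPAN port during the passive phase, this is enough to document both issues without ever sending a packet to a controller: a function code 6 or 16 frame from an arbitrary host is what a setpoint change looks like on the wire, and its mere presence from the corporate subnet is the evidence to report. The same two rules are what Titan's defenders should be alerting on after the engagement.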
The red team also attempts to infiltrate Titan’s factory under the guise of a third-party contractor. They observe weak visitor policies, with minimal badge enforcement and no background checks for external vendors. By tailgating an employee, the team gains unauthorized access to a control room. Inside, they discover an unlocked engineering workstation with direct access to Titan’s SCADA system. Had this been a real attacker, they could have executed commands to disrupt production or disable safety controls.
After completing their assessment, the red team compiles a detailed report outlining the vulnerabilities they found, including poor network segmentation, weak remote access security, inadequate physical security, and a lack of security awareness among OT personnel. The remediation phase sparks a conflict between the IT and OT teams. IT wants to implement strict security controls immediately, such as forcing firmware updates and enforcing multi-factor authentication. OT, on the other hand, argues that making these changes without extensive testing could lead to system failures.
How should Titan resolve this conflict?
Red Team Notes
The red teaming exercise at Titan Industrial Solutions revealed major challenges in scoping, IT-OT collaboration, and operational safety.
- Key vulnerabilities discovered included poor network segmentation, weak remote access security, inadequate physical security, and lack of multi-factor authentication.
- The engagement highlighted the need for structured remediation, phased implementation, and improved collaboration between IT and OT teams to enhance industrial cybersecurity without disrupting critical operations.