Rhebo Industrial Protector registered multiple communication via the protocol types VNC, NetBIOS and SMB. The protocols are typically used by Windows devices for remote configuration and file sharing.

‍

Their usage is usually not wanted in industrial networks.

The protocols are often used by malware (e.g. NotPetya and WannaCry). If the affected devices have direct or indirect access to the Internet, the ICS is at risk of compromise or infection.‍

‍

Threats:

• financial loss due to production downtime
• power failure due to blackout
• system recovery and repair costs

Rhebo Industrial Protector frequently identifies communication via ports for which security vulnerabilities are known (i.e. CVE vulnerabilities). In some cases, this anomaly correlates with suspicious communication patterns.

‍

For example, in one case Rhebo Industrial Protector reported communication over a questionable port used by the Windows WBT Server for Remote Desktop Protocol (RDP). Only a few packets were transmitted during the communication, which is uncharacteristic for RDP connections.

Ports for which vulnerabilities are known are regularly used by Trojans and malware for communication.

‍

The characteristics of the exemplary communication (short-term and encrypted) additionally support the assumption of malicious communication and a compromise of network components.‍

‍

Threats:

• financial loss due to production downtime
• power failure due to blackout
• system recovery and repair costs
• loss of customer trust

The analysis identified some devices communicating via software for whose current version in use serious vulnerabilities are known.

‍

The used ports and access patterns were particularly noticeable.

The known security gaps allow attackers to crash the system or execute arbitrary code (i.e. malware). This poses an acute threat to system security.‍

‍

Threats:

• financial loss due to production downtime
• disrupted supply due to blackout
• system recovery and repair costs

A device in the control network used an independently assigned fallback IP address.

‍

This anomaly often occurs when a new device does not receive an IP address from the authorized DHCP server for various reasons.

‍

The device is obviously not known in the network.

Potentially the device was placed with malicious intent to spy on the network or install malware. Furthermore, unknown devices and their communication can compromise the functionality of the ICS leading to malfunctions or disruptions.‍

‍

Threats:

• financial loss due to theft of intelligence
• financial loss through downtime
• loss of customer trust

Rhebo Industrial Protector registered many DNS requests to servers on the Internet, which are located in address spaces of different CDNs (Content Distribution Networks).

‍

The requested servers are located on the Internet and it is not clear who is operating them.

There is a high risk that malware or ransomware is installed in the network via such servers. Furthermore, hackers can use this access for industrial espionage.‍

‍

Threats:

• financial loss due to theft of intelligence
• potential costs through downtime
• loss of customer trust