In this cybersecurity investigation, we're faced with a critical incident at an industrial facility where an attacker has breached the network and caused physical damage to air tanks by compromising a Programmable Logic Controller (PLC). This scenario represents one of the most concerning types of cyber attacks: those with kinetic impacts that cross from the digital realm into physical damage. Our investigation leverages Arkime, a powerful network security monitoring tool that provides full packet capture capabilities. Through Arkime, we'll examine the network traffic that was captured during the attack, allowing us to reconstruct the sequence of events and determine exactly how the attacker gained access to the industrial control system and manipulated it to cause damage.
Throughout this walkthrough, we'll employ a methodical approach to digital forensics, examining various aspects of the captured traffic including IP addresses, communication protocols, HTTP requests, specialized industrial protocols, and commands that directly interact with the PLC's inputs and outputs. We'll analyze how the attacker gained initial access, authenticated to the control system, identified critical components, and finally executed commands that resulted in the physical damage to the air tanks. This type of attack represents an increasingly common threat to industrial environments, where legacy systems, specialized protocols, and direct connections to physical equipment create unique security challenges. By understanding the techniques used in this attack, security professionals can better protect similar industrial control systems from comparable threats in the future.
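As an added example that is not part of the original walkthrough (and not Arkime's code), here is a stdlib-only Python pass over a pcap that answers the same first triage questions Arkime is used for above: which hosts talked to which, on which TCP ports, which packets carry an HTTP request line, and which destination ports belong to well-known industrial protocols. The capture, addresses, ports and payloads are constructed for the example; the ICS port table is general knowledge, since the page does not name which industrial protocol the facility used.

```python
"""Added example (not from the original walkthrough): a stdlib-only pcap
triage pass. Every address, port and payload below is constructed."""
import struct
from collections import Counter

# Well-known ICS/SCADA TCP ports (general knowledge, not taken from the page).
ICS_PORTS = {102: "Siemens S7 (ISO-TSAP)", 502: "Modbus/TCP",
             20000: "DNP3", 44818: "EtherNet/IP"}


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build one Ethernet/IPv4/TCP frame. Checksums stay zero: this is test
    input for a parser, not traffic that must pass a real network stack."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_total = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield raw link-layer frames from pcap bytes, honouring either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def triage(data):
    """Inventory the capture: who talked to whom, which TCP ports were hit,
    which packets carry an HTTP request line, and which hit ICS ports."""
    conversations, dst_ports = Counter(), Counter()
    http_requests, ics_hits = [], []
    for frame in iter_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only IPv4 over Ethernet is handled here
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue  # TCP only
        src, dst = bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        conversations[(src, dst)] += 1
        dst_ports[dport] += 1
        if payload[:4] in (b"GET ", b"POST") or payload[:5] == b"HEAD ":
            line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            http_requests.append((src, dst, line))
        if dport in ICS_PORTS:
            ics_hits.append((src, dst, dport, ICS_PORTS[dport]))
    return {"conversations": conversations, "dst_ports": dst_ports,
            "http_requests": http_requests, "ics_hits": ics_hits}


def sample_capture():
    """Constructed capture: an outside host browses an HMI web page, then
    contacts a controller on a well-known ICS port. All values are invented."""
    outside, hmi, plc = "203.0.113.7", "192.168.10.20", "192.168.10.30"
    return build_pcap([
        build_frame(outside, hmi, 40001, 80, b"GET /login HTTP/1.1\r\nHost: hmi\r\n\r\n"),
        build_frame(hmi, outside, 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_frame(outside, hmi, 40002, 80, b"POST /login HTTP/1.1\r\nHost: hmi\r\n\r\n"),
        # opaque industrial-protocol payload (constructed, not decoded here)
        build_frame(outside, plc, 40003, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),
    ])


if __name__ == "__main__":
    report = triage(sample_capture())
    for (src, dst), n in report["conversations"].most_common():
        print(f"{src} -> {dst}: {n} packets")
    for hit in report["ics_hits"]:
        print("ICS port contacted:", hit)
```

The same inventory is what the Arkime session view gives you interactively; writing it out makes the ordering of the investigation explicit: establish the talkers first, then the ports and application protocols, and only then pull the individual sessions that touch the controller.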
Let's be