In this lab, we step into the role of a cybersecurity analyst working in the Security Operations Center (SOC) at AetherCore Technologies, a company that provides engineering and manufacturing services for electronic products, including industrial solar energy systems. AetherCore relies on programmable logic controllers (PLCs) to manage the solar panel systems in its facilities. These controllers are critical to the company's solar energy production, so a disruption to them is a disruption to the business.
Recently, AetherCore's engineering team reported a significant disruption in their solar panel operations. Several panels have gone offline, and attempts to remotely restart them have failed. The incident occurred shortly after 16:10, following a spike in network activity. Initial hardware checks found no physical issues with the panels or the PLCs.
We have been tasked with investigating whether this outage was caused by a cybersecurity incident. There is suspicion that an insider may have used their legitimate network access to manipulate the PLCs and disrupt solar panel operations. By analyzing network traffic captured during the incident timeframe, we will identify the attacker's methodology, trace their reconnaissance activities, and determine how they abused the industrial control systems to cause the operational disruption.
Before diving into the analysis, this section introduces the core concepts and artifacts referenced throughout the lab to provide context for the investigation.
Industrial Control Systems (ICS)
ICS are networks and devices used to monitor and control physical processes in environments such as factories, power plants, water treatment facilities, and solar farms. An ICS environment typically consists of sensors, actuators, field controllers, and supervisory systems. Communication between these components relies on