Securing OT-relevant aspects of SCADA, DCS & ICS – with solutions
Exercise 1: Course objective in one sentence
Can you state, in one sentence, what the course objective is?
This is a fictitious question to show what a published solution looks like.
Solution
The objective is:
“Understand what OT really means - the characteristics, the issues - and how to ensure that the challenges of these systems are addressed.”
Source: General Informations
Exercise 2: Differences between IT and OT
Describe the differences between IT and OT: note at least 3 elements and explain in what respect IT and OT differ.
Solution
The main differences are:
- IT focuses on data management, while OT focuses on physical processes.
- IT systems prioritize confidentiality; OT systems prioritize availability and safety.
- OT environments have stricter uptime requirements due to real-time operations.
Exercise 3: Ukrainian Power Grids Cyberattack
One of the famous incidents cited in the literature (and in newspapers) is the attack on the Ukrainian power grid in 2015-2016. Look at the following material:
- Cyberattacks on Ukraine’s Power Grid 2015-2016 - Part 1 (Video)
- Cyberattacks on Ukraine’s Power Grid 2015-2016 - Part 2 (Video)
- Analysis of the Cyber Attack on the Ukrainian Power Grid (pdf)
And explain:
- what happened and when
- which elements the attackers used in order to succeed
- what the apparent main motivation of the attackers was
Note
Someone will be picked at random to present the results of their personal analysis in 5 minutes.
Solution
The solution is… the presentation you made in class.
Exercise 4: Risk Management
In the context of Risk Management, what is assessed in the validation of risk phase? What elements shall be available?
Solution
In the Validation of Risk phase of the risk assessment process, the goal is to ensure that the identified risks are accurately reflected in the risk register or inventory, and that the risk treatment plans are appropriate, effective, and aligned with the organization’s risk appetite and tolerance. Here’s what is typically assessed during the validation of risk phase:
- Risk Identification Verification:
  - Confirm that all potential threats, vulnerabilities, and risks have been accurately identified.
  - Verify that no significant risks have been overlooked or omitted from the risk register.
- Risk Analysis Accuracy:
  - Assess whether the likelihood and impact ratings assigned to each risk are reasonable, accurate, and consistently applied.
  - Check if the risk analysis methodology used was appropriate and followed correctly.
- Risk Prioritization:
  - Ensure that risks have been prioritized correctly based on their combined likelihood and impact (risk score or risk value).
  - Validate that high-priority risks have been identified and are receiving adequate attention.
- Risk Treatment Plan Assessment:
  - Review the proposed risk treatment plans to ensure they:
    - Are appropriate, effective, and proportionate to the level of risk.
    - Address both the cause (threat or vulnerability) and the effect (risk).
    - Consider a mix of avoidance, mitigation, acceptance, and transfer strategies.
- Risk Register Completeness and Accuracy:
  - Verify that the risk register contains all relevant information for each risk, such as:
    - Risk description
    - Unique identifier or code
    - Cause (threat or vulnerability)
    - Effect (risk)
    - Likelihood and impact ratings
    - Risk score or value
    - Ownership or accountable party
    - Status (open, in progress, closed)
    - Date identified/updated
- Alignment with Organizational Risk Appetite and Tolerance:
  - Ensure that the risk treatment plans are consistent with the organization's risk appetite and tolerance levels.
  - Confirm that risks that exceed the organization's risk tolerance have been appropriately addressed.
The Validation of Risk phase is typically performed by a group of stakeholders, including representatives from risk management, business units, internal audit, legal, and compliance functions. This collaborative approach helps ensure that risks are accurately assessed and effectively managed to protect the organization’s objectives.
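The checks listed above (register completeness, rating accuracy, prioritization by combined likelihood and impact, and alignment with the tolerance threshold) can be run mechanically over a register before the stakeholder review. The script below is an added example and not part of the course material: the required fields follow the register contents listed in the solution, while the 1..5 rating scale, the "likelihood times impact" scoring, the tolerance threshold of 12 and the three sample entries are constructed assumptions.

```python
"""Validation-of-risk checks run over a small risk register.

Added example, not part of the course material. The required fields follow
the register contents listed in the solution; the 1..5 rating scale, the
likelihood x impact scoring, the tolerance threshold and the sample entries
are constructed assumptions.
"""
from typing import Dict, List, Tuple

REQUIRED_FIELDS = ("id", "description", "cause", "effect", "likelihood",
                   "impact", "owner", "status", "updated")
VALID_STATUS = {"open", "in progress", "closed"}
VALID_TREATMENTS = {"avoid", "mitigate", "transfer", "accept"}
SCALE_MAX = 5        # constructed ordinal scale 1..5 for likelihood and impact
RISK_TOLERANCE = 12  # constructed: a score above this exceeds tolerance


def rating_ok(value) -> bool:
    """True when a likelihood/impact rating is an integer inside the scale."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= SCALE_MAX


def risk_score(entry: dict) -> int:
    """Combined likelihood and impact; here simply their product (assumption)."""
    return entry["likelihood"] * entry["impact"]


def validate_entry(entry: dict) -> List[str]:
    """Return the findings for one register entry; an empty list means it passes."""
    findings: List[str] = []
    # Register completeness: every required field must be present and non-empty.
    for name in REQUIRED_FIELDS:
        if entry.get(name) in (None, ""):
            findings.append(f"missing field '{name}'")
    # Analysis accuracy: ratings must be on the agreed scale.
    for name in ("likelihood", "impact"):
        value = entry.get(name)
        if value is not None and not rating_ok(value):
            findings.append(f"{name}={value!r} is not an integer in 1..{SCALE_MAX}")
    status = entry.get("status")
    if status is not None and status not in VALID_STATUS:
        findings.append(f"unknown status {status!r}")
    treatment = entry.get("treatment")
    if treatment is not None and treatment not in VALID_TREATMENTS:
        findings.append(f"unknown treatment {treatment!r}")
    # Alignment with tolerance: a risk above the threshold needs an active
    # treatment (avoid/mitigate/transfer); merely accepting it is flagged.
    if rating_ok(entry.get("likelihood")) and rating_ok(entry.get("impact")):
        score = risk_score(entry)
        if score > RISK_TOLERANCE and treatment in (None, "accept"):
            findings.append(f"score {score} exceeds tolerance {RISK_TOLERANCE} "
                            f"but treatment is {treatment!r}")
    return findings


def validate_register(register: List[dict]) -> Dict[str, List[str]]:
    """Validate every entry and report findings keyed by risk id."""
    report: Dict[str, List[str]] = {}
    seen = set()
    for index, entry in enumerate(register):
        key = entry.get("id") or f"<row {index}>"
        findings = validate_entry(entry)
        if key in seen:
            findings.append(f"duplicate identifier {key!r}")
        seen.add(key)
        if findings:
            report.setdefault(key, []).extend(findings)
    return report


def prioritize(register: List[dict]) -> List[Tuple[str, int]]:
    """Rank entries with usable ratings by score, highest first."""
    scored = [(e["id"], risk_score(e)) for e in register
              if rating_ok(e.get("likelihood")) and rating_ok(e.get("impact"))]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register: one sound entry, one accepted above tolerance,
# one incomplete entry with a rating off the scale.
SAMPLE_REGISTER = [
    {"id": "R-001", "description": "Engineering workstation reachable from office LAN",
     "cause": "no segmentation between office and control networks",
     "effect": "unauthorised changes to controller logic",
     "likelihood": 4, "impact": 5, "owner": "OT security lead",
     "status": "in progress", "updated": "2024-01-15", "treatment": "mitigate"},
    {"id": "R-002", "description": "Historian runs an unsupported operating system",
     "cause": "vendor end of support", "effect": "security fixes no longer available",
     "likelihood": 3, "impact": 5, "owner": "plant IT",
     "status": "open", "updated": "2024-01-15", "treatment": "accept"},
    {"id": "R-003", "description": "Loss of remote site link",
     "cause": "single telecom carrier", "effect": "operators lose visibility",
     "likelihood": 7, "impact": 3, "status": "open", "updated": "2024-01-10"},
]

if __name__ == "__main__":
    for risk_id, findings in validate_register(SAMPLE_REGISTER).items():
        print(risk_id, "->", "; ".join(findings))
    print("priority order:", prioritize(SAMPLE_REGISTER))
```

Entries that pass every check are absent from the report, so the reviewers only see what needs a decision: R-002 exceeds tolerance but is merely accepted, and R-003 is both incomplete and rated off the scale, which also keeps it out of the priority ranking until corrected.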
Exercise 5: Balancing Security and Availability in Critical Infrastructure
Given the strict Service Level Agreement (SLA) requirements mentioned in Citation 3, how can organizations ensure high availability while maintaining robust security measures in their ICS? What trade-offs might they need to consider, and what best practices can help strike a balance between security and operational needs?
Solution
To balance security and availability in critical infrastructure, organizations should implement a risk-based approach that focuses on identifying and protecting high-value targets while minimizing disruptions to operations. This can be achieved through the following measures:
- Prioritize Critical Assets: Identify and prioritize critical assets based on their importance to operations and potential impact if compromised.
- Implement Defense-in-Depth with Layered Security: Deploy multiple security layers, such as network segmentation, firewalls, intrusion detection/prevention systems (IDS/IPS), and access controls, to protect critical assets without sacrificing availability.
- Enhance Monitoring and Visibility: Implement robust monitoring tools and processes to quickly detect and respond to potential security incidents, minimizing their impact on operations.
- Establish Redundancy and Failover Mechanisms: Design the system with redundancy and failover mechanisms to ensure high availability even in the event of a security incident or hardware failure.
- Regular Testing and Simulation: Conduct regular security testing, simulations, and drills to validate that security measures are effective and do not negatively impact availability.
By employing these best practices, organizations can maintain a robust security posture while minimizing disruptions to critical infrastructure operations and ensuring high availability.
Exercise 6: Study Cases
In your respective groups, you will look at paper(s) for a given incident (or related to similar episodes). Your duty is to provide:
- a written report containing
- when and what happened
- what means were used to enable the attack
- assess which Purdue levels, if any, were involved in the attack
- if available, the motivation of the attacker(s)
- if known, the estimated financial impact. Likewise, if estimated, (potential) casualties resulted from the attack
- whether it affects OT, IT or both
- a 6-minute presentation showing your findings (followed by a Q&A session)
Next week you will be asked to a) share the report among your colleagues and b) present your findings.
The 9 cases:
- Colonial pipeline
  - https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
  - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10181159
  - https://www.researchgate.net/profile/Lazarus-Gawazah/publication/383206534_To_Pay_or_Not_to_Pay-_The_US_Colonial_Pipeline_Ransomware_Attack/links/66c1b6bf8d007355925dd805/To-Pay-or-Not-to-Pay-The-US-Colonial-Pipeline-Ransomware-Attack.pdf
- Saudi Arabian petrochemical plant
  - https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructure-triton-malware/
  - https://pylos.co/wp-content/uploads/2022/10/Day1-1400-Green-Zeroing-in-on-XENOTIME-analysis-of-the-entities-responsible-for-the-Triton-event.pdf
  - https://scadahacker.com/library/Documents/Cyber_Events/Nozomi%20-%20TRITON%20-%20The%20First%20SIS%20Cyberattack.pdf
- UK's National Health Service (NHS) ransomware attack
- Israel's water facilities attack
- Attacking insulin pumps
- Heating, ventilation, and air conditioning (HVAC) attacks
- Polish Power Grid under attack in 2025
- Urgent/11 - a 9/11 for the devices
- Water supply facility under attack
Note
You can obviously use further papers / inputs as long as they are referenced correctly in your reports / presentations (and are accessible either publicly or with basic academic credentials).
Exercise 7: Purdue Model
What are the key benefits of understanding the Purdue Model (PERA) for securing industrial control systems? Name at least 3 of them.
Solution
The key benefits of understanding the Purdue Model (PERA) for securing industrial control systems include the following:
- It outlines the interaction between IT and OT environments
- Understanding the model is essential for effective cybersecurity strategies
- It facilitates better communication between IT and OT teams
- It aims to reduce the risk of cyber threats to critical infrastructure
The Purdue Model consists of five distinct levels, each with specific functions, ranging from enterprise systems to field devices.
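Because the model orders systems into levels, it gives defenders a simple rule to check network flows against: a connection should cross one level boundary at a time, and traffic between the enterprise and the plant should terminate in the IT/OT DMZ. The script below is an added example and not part of the course material. Its level numbering (0 physical process up to 4 enterprise, with 3.5 as the DMZ) is the common reading of the Purdue model rather than something the course text states, and the one-boundary rule, the asset inventory and the flow list are constructed assumptions.

```python
"""Checking observed network flows against Purdue-model level boundaries.

Added example, not part of the course material. The level numbering is the
common reading of the Purdue model; the one-boundary-per-flow rule, the
asset inventory and the flow list are constructed assumptions.
"""
from typing import Dict, List, Tuple

LEVELS: Dict[float, str] = {
    0: "physical process", 1: "basic control", 2: "area supervisory control",
    3: "site operations", 3.5: "IT/OT DMZ", 4: "enterprise",
}
ORDER = sorted(LEVELS)  # positional order lets us count boundaries crossed

# Constructed inventory: asset name -> Purdue level it is placed in.
ASSETS: Dict[str, float] = {
    "erp-app": 4, "vendor-laptop": 4, "hist-dmz": 3.5, "plant-hist": 3,
    "scada-srv": 2, "plc-07": 1,
}

# Constructed observed flows: (source asset, destination asset, service).
FLOWS: List[Tuple[str, str, str]] = [
    ("scada-srv", "plc-07", "modbus/tcp"),        # L2 -> L1: one boundary, fine
    ("plant-hist", "hist-dmz", "sql"),            # L3 -> DMZ: fine
    ("erp-app", "hist-dmz", "https"),             # L4 -> DMZ: fine
    ("erp-app", "plant-hist", "sql"),             # L4 -> L3: bypasses the DMZ
    ("vendor-laptop", "plc-07", "plc programming"),  # L4 -> L1: four boundaries
    ("unknown-box", "scada-srv", "rdp"),          # source not in inventory
]


def boundaries_crossed(src_level: float, dst_level: float) -> int:
    """Number of level boundaries between two levels in the ordered model."""
    return abs(ORDER.index(src_level) - ORDER.index(dst_level))


def check_flow(assets: Dict[str, float], flow: Tuple[str, str, str]) -> List[str]:
    """Return policy findings for one flow; an empty list means it is allowed."""
    src, dst, service = flow
    findings: List[str] = []
    # An asset without a level cannot be placed in the model, which is itself a gap.
    for name in (src, dst):
        if name not in assets:
            findings.append(f"{service}: {name} is not in the asset inventory (no level assigned)")
    if findings:
        return findings
    s, d = assets[src], assets[dst]
    crossed = boundaries_crossed(s, d)
    if crossed > 1:
        findings.append(f"{service}: {src} (L{s}) -> {dst} (L{d}) crosses "
                        f"{crossed} boundaries; policy allows one")
    # Enterprise traffic must stop in the DMZ rather than reach plant levels directly.
    if 4 in (s, d) and 3.5 not in (s, d) and s != d:
        findings.append(f"{service}: enterprise traffic must terminate in the DMZ (L3.5)")
    return findings


def audit_flows(assets: Dict[str, float],
                flows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Run check_flow over every flow and keep only those with findings."""
    violations = []
    for src, dst, service in flows:
        findings = check_flow(assets, (src, dst, service))
        if findings:
            violations.append((src, dst, findings))
    return violations


if __name__ == "__main__":
    for src, dst, findings in audit_flows(ASSETS, FLOWS):
        print(f"{src} -> {dst}")
        for line in findings:
            print("   ", line)
```

Run against the constructed data, the audit passes the three flows that move one level at a time or terminate in the DMZ and reports the two that reach plant levels directly from the enterprise plus the one whose source is missing from the inventory; the last case matters because a segmentation review is only as good as the asset-to-level mapping it starts from.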
Exercise 8: Government actions
Take a moment to think what a government can do to increase cybersecurity at national level?
Solution
Governments can:
- create policies and strategies, such as executive orders, to strengthen cybersecurity overall, including federal networks and critical infrastructure. These policies include obligations for risk analysis, incident handling, business continuity, supply chain security, and vulnerability management. They also address basic cyber hygiene, cryptography, access control, and vulnerability disclosure.
- create National Cybersecurity Agencies to oversee and coordinate efforts in protecting national cyberspace.
- implement laws and regulations to enforce cybersecurity laws that mandate compliance with specific standards for both private and public entities.
- build and enhance cybersecurity infrastructures. Governments may invest in developing and maintaining critical cybersecurity infrastructure such as cyber defense centers, incident response teams, and early-warning systems to detect and respond to cyber threats.
- support research and innovation to develop new technologies, tools and methods to address emerging threats.
- foster international cooperation. Cybersecurity is a global challenge and nations often collaborate on international platforms (like the U.N. and EU) to set global standards and norms.
- establish incident response capabilities. Governments can set up Computer Emergency Response Teams (CERTs) or National Computer Security Incident Response Teams (CSIRTs) to respond to and manage cyber incidents. These teams provide technical assistance, incident response, and forensics during and after a cyber attack.
- define cybersecurity awareness and education programs, ranging from promoting awareness among citizens about safe online practices to offering specialized training and certification for cybersecurity professionals.
- define cyber resilience and recovery plans. National governments prepare disaster recovery and business continuity plans to ensure that organizations can quickly recover from cyber incidents.
Exercise 9: Critical Infrastructure - in Switzerland
Based on the Swiss definition of critical infrastructure:
- How are critical infrastructure priorities ranked or weighted within the Swiss framework, considering the diverse sectors included (e.g., energy, finance, public health, etc.)?
- Are the critical infrastructure definitions used in Switzerland consistent with those used by international bodies or other countries, such as the U.S. or the EU?
Solution
- In Switzerland the following domains belong to the definition of critical infrastructure:
  - Energy (natural gas supply, oil supply, power supply, district and process heating)
  - Finances (financial and insurance services)
  - Information & communication (information technologies, media, postal service, telecommunications)
  - Public administration (teaching and research, cultural assets, parliament, government, justice, administration)
  - Public health (medical care, laboratory services)
  - Public safety (armed forces, emergency services, civil defence)
  - Transport (air transport, rail transport, road transport, water transport)
  - Food and water (food supply, water supply)
  - Waste disposal (refuse, sewage)
  These domains are split into:
  - very high criticality
  - high criticality
  - regular criticality
- Although the definitions are similar, critical sectors have been identified by the European Union (EU) and individual countries around the globe in different manners.
Exercise 10: Critical Infrastructure (CI) resilience vs. Critical Infrastructure Protection (CIP)
What distinguishes Critical Infrastructure (CI) resilience from Critical Infrastructure Protection (CIP)?
Solution
Critical Infrastructure (CI) resilience evolved from Critical Infrastructure Protection (CIP) concepts and represents a paradigm shift.
Key distinctions:
- CIP focused on adequately protecting CI from all possible hazards and threats, such as natural disasters, technological issues, accidents, and deliberate attacks. It pursued an all-hazards approach, attempting to identify and mitigate all dangers.
- CI resilience shifts the focus to identifying and reducing the vulnerabilities of CI. It enables CI to prevent, endure, and rebound swiftly from disruptions, ideally ensuring continuous service provision in the event of incidents and crises. Rather than attempting to protect against every possible threat or hazard, CI resilience acknowledges that not all sources of disruption can be known or anticipated. This is especially true when considering the level of interdependence and the cascading effects between CI as well as the nature of threats within cyberspace. Furthermore, the move from CIP to CI resilience also shifted the focus from a predominantly physical asset-based view of CI to one that regards CI as systems and networks providing vital services.
- CIP had limitations because the all-hazards approach was unrealistic and, in some instances, economically infeasible.
- The EU has adopted language that clearly marks a shift from protecting CI to the resilience of CE (Critical Entities) and the essential services they provide. While the Swiss strategy describes and aims for resilience, it nevertheless still uses the label of CI and CI operators, and the emphasis on the services is less dominant than in the CER.
- CI resilience enables systems to prevent, endure, and rebound swiftly from disruptions, ensuring continuous service.
- CI is characterized by strong interdependencies stemming from globalization, urbanization, digitalization, and an all-incumbent cyberspace.
- The Swiss strategy emphasizes the role that prepared and resilient authorities can play in supporting CI operators if disruptive events occur, underlining the federal nature of Switzerland’s political system. Switzerland independently established and implemented approaches and measures to CI resilience that are aligned with those of both NATO and the EU.
Exercise 11: Swiss Criminal Code
According to the Swiss Criminal Code, what are some of the legal ramifications related to unauthorized access to systems? Does this apply to OT systems as well?
Solution
The Swiss Criminal Code:
- includes articles addressing data theft (Art. 143), unauthorized access to a data processing system (Art. 143bis), data damage (Art. 144), computer fraud (Art. 147), obtaining personal data without authorization (Art. 179), and disclosure of personal data to a third country or an international body (Art. 349c)
- does apply to any type of system
Exercise 12: Going from Critical Infrastructure Protection (CIP) to Critical Infrastructure (CI)
Read through Comparing Critical Infrastructure Policy Updates (or here), a paper aimed at presenting the relations between EU and Swiss policies, and write down what the major points in your opinion are.
Solution
The evolution from Critical Infrastructure Protection (CIP) to Critical Infrastructure (CI) resilience marks a shift in security policy. CIP focused on protecting CI from hazards through an all-hazards approach, but this had limitations due to economic infeasibility and the unrealistic nature of identifying all possible threats. CI resilience shifts the focus to identifying and reducing vulnerabilities, enabling systems to prevent, endure, and rebound from disruptions while ensuring continuous service. This approach acknowledges that not all disruptions can be anticipated, especially considering the interdependence and cascading effects between CI and cyber threats.
Switzerland, the EU, and NATO have incorporated resilience into their CI security approaches. The EU’s Critical Entities Resilience (CER) Directive replaces the 2008 Directive on CIP, focusing on critical entities (CE) and their services rather than general CI sectors. CER aims to advance the resilience of CE and their services as crucial elements for security and defense. Measures include national strategies, risk assessments, emergency planning, and information exchange.
Switzerland’s National Strategy for Critical Infrastructure Protection, updated in June 2023, also aligns with CI resilience, aiming to prevent large-scale outages and minimize damage. The strategy proposes measures to enhance resilience and cooperation among stakeholders. While the Swiss strategy aims for resilience, it still uses the term “critical infrastructure protection,” and its emphasis on services is less dominant than in the CER. Key differences between the EU and Swiss approaches include:
- The EU’s terminology shift from CI to CE, emphasizing essential services
- The Swiss strategy being less specific on relevant threats and hazards
- The CER being a binding directive for member countries, while the Swiss CIP is a national strategy with requirements arising from sectoral legislation
Cooperation among stakeholders, especially between the private and public sectors, is paramount. Switzerland can observe CI-related developments within NATO and the EU to learn from their experiences.