CISA References Case Study Demonstrating Risk of Network Access Through Backdoors

  • Issue Date:

    April 28, 2022

  • Importance:

    High

  • Summary:

    A Cybersecurity and Infrastructure Security Agency (CISA) Secured Architecture Design Definition references a case study demonstrating the risk of network access through backdoors and holes.

  • Systems Impacted:

    Remotely accessible client Operational Technology (OT) control systems, including plant Wi-Fi networks.

Advisory Details

A backdoor is a path that lets an adversary bypass network perimeter protections altogether. A hole is a weakness in the perimeter itself, exploited by an attack that penetrates the perimeter defenses.

An adversary parks outside the plant alongside a state highway and uses a mobile Wi-Fi scanning rig to discover the plant's OT wireless network. The adversary captures the necessary information by monitoring the wireless network and drives off. Using an offline dictionary attack, the adversary determines the wireless credentials over time and connects to the OT network through the wireless access point (WAP). With this access the adversary is able to conduct network discovery and plan a future attack.

An adversary discovers the public IP address associated with the plant and scans it to find open ports. The adversary finds a port not blocked by the VPN firewall. Through an insecure file share reachable on that port, the adversary discovers a path through the DMZ to the SCADA system and drops a remote access tool. A successful denial-of-service attack is conducted for several hours, after which the attacker deletes the reconnaissance files and departs.

Actions and/or Recommendations

Harden and protect the perimeter using a defense-in-depth strategy. Document all access points, turn off SSID broadcasts and enable MAC filtering. Regularly review and assess the wireless network for exposures and rogue devices.

Develop an intrusion detection capability to assure that whoever is in the system is authorized, authenticated and accountable. Report suspicious activity, including source IP addresses (which the Internet Service Provider can provide) that might indicate network scanning activity.
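The scanning activity the advisory says to watch for leaves a recognizable trace in perimeter firewall logs: one source address touching many distinct destination ports in a short span. The following detector is an added example, not part of the REAL Matters advisory or any Mangan tooling; the log line format, the sample log lines and the thresholds are all constructed assumptions.

```python
# Added example: flag source IPs that probe many distinct destination ports
# within a short window, the pattern an external port scan leaves in firewall
# logs. Log format "ts action src dst:port", thresholds and sample data are
# assumptions constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample firewall log lines (documentation-range addresses).
SAMPLE_LOG = """\
2022-04-28T01:00:00 DENY 203.0.113.7 198.51.100.10:21
2022-04-28T01:00:01 DENY 203.0.113.7 198.51.100.10:22
2022-04-28T01:00:01 DENY 203.0.113.7 198.51.100.10:23
2022-04-28T01:00:02 DENY 203.0.113.7 198.51.100.10:80
2022-04-28T01:00:02 DENY 203.0.113.7 198.51.100.10:443
2022-04-28T01:00:03 ALLOW 203.0.113.7 198.51.100.10:1194
2022-04-28T01:00:03 DENY 203.0.113.7 198.51.100.10:3389
2022-04-28T01:00:04 DENY 203.0.113.7 198.51.100.10:8080
2022-04-28T01:05:00 DENY 192.0.2.44 198.51.100.10:443
2022-04-28T01:30:00 DENY 192.0.2.44 198.51.100.10:22
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+):(\d+)$")


def parse_log(text):
    """Yield (timestamp, action, src_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, action, src, _dst, port = m.groups()
        yield datetime.fromisoformat(ts), action, src, int(port)


def detect_scanners(text, min_ports=5, window=timedelta(minutes=10)):
    """Return {src_ip: all distinct ports it touched} for every source that
    hit at least `min_ports` distinct destination ports inside any `window`."""
    events = defaultdict(list)  # src_ip -> [(ts, port), ...]
    for ts, _action, src, port in parse_log(text):
        events[src].append((ts, port))  # ALLOWed probes count too: the scan found a port
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged
```

Flagged addresses are what the advisory suggests reporting; a single source that trips the threshold is a candidate for the ISP report and for a perimeter block, while the two widely spaced probes from the second address stay below it.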

Change default passwords and implement policies and practices for rotating access credentials. Hide or obfuscate information that would benefit the adversary if released.

About REAL Matters and Mangan Inc.

REAL Matters advisories are published to communicate cybersecurity threats and risks within the Operational Technology (OT) environment and where Critical Infrastructure vulnerabilities are identified. The purpose of this newsletter is to inform, propose suggested approaches to mitigate the risk as well as provide feedback on how Mangan Cybersecurity is approaching the issue(s) addressed.

Mangan Inc. is a nationally recognized Specialty Engineering, Automation, and Integration company, providing a full range of services to the Oil & Gas, Refining, Pipeline, Chemicals, and Life Sciences industries. Established in Long Beach, California in 1990, Mangan's multiple office locations include sites in California, Georgia, New Hampshire, North Carolina, Texas, and Louisiana. Mangan's 350+ employee-owners bring expertise, innovation, and safety as their core mission to some of the largest companies in the world.
