Attack surfaces and attack vectors

Industrial security risk was discussed in Chapter 1, An Unprecedented Opportunity at Stake. To assess the risk of an attack to a system, two commonly used terms are attack surface and attack vector. Both of these terms are closely tied to the industry the system was designed for, the specific deployment use case, and the associated business objectives.

The attack surface spans across the system components that can potentially contribute to an attack. For example, in a traditional ICS system connected only to the SCADA network, the attack surface includes exposure to the insider threats, physical threats, vulnerabilities in proprietary SCADA protocols, and so on. However, when an ICS system is connected to a cloud platform, vulnerabilities in the cloud technologies, for example, IP-based WAN connectivity, remote configuration, and device management, and so on. get added to the equation. To sum up, IIoT significantly expands the attack surface of industrial systems and infrastructure.

An attack vector includes the tools and technologies that can contribute to an attack. This too is closely tied to the industry and the technologies involved. A threat actor can utilize a variety of mechanisms to launch an attack to compromise a system. So, attack vectors for an IIoT system could be physical, or network-, software-, or supply chain-related. Examples of common cyberattack vectors are phishing campaigns, insecure wireless networks, removable media, mobile devices, malicious web components, viruses, and malware.

Given the cyber-physical nature of the risks involved in IIoT, security practitioners must factor in the physical consequences of threats, attack surfaces, and attack vectors while assessing the overall risk associated with any IIoT deployment.