Apply to Attend: Nexus Conference 2024: Sept. 10-12
Claroty Nexus Logo
Topics:
See all in Cyber Resilience See all in Articles
See all in Videos
See all in Podcasts
In this episode of the Nexus Podcast, Claroty Team82 researcher Noam Moshe explains the challenges involved in gathering attack forensic artifacts from OT devices, in this case, Unitronics PLCs that were exploited in 2023 in attacks against water facilities in the U.S. and Israel.
Operational Technology
Industrial

Nexus Podcast: Noam Moshe on Extracting Forensic Data from Unitronics PLCs

Michael Mimoso
/
Aug 8, 2024

Traditional forensics on programmable logic controllers (PLCs) generally relies on extracting logs from Windows-based engineering workstations and other information from systems on the enterprise network. 

Extracting artifacts from the PLC itself is a tougher proposition, given the proprietary nature of these operational technology (OT) devices, especially the protocols over which they communicate.

Read Team82’s blog about this research.

In this episode of the Nexus Podcast, Claroty Team82 researcher Noam Moshe explains the challenges involved in gathering attack artifacts from OT devices, in this case, Unitronics PLCs that were exploited in 2023 in attacks against water facilities in the U.S. and Israel.

Unitronics’ Vision line of PLCs are integrated HMI/PLC devices that control numerous physical processes within water treatment facilities and other industries. In the attacks last year, a group known as the CyberAv3ngers, believed to be linked to Iranian state-sponsored activity, defaced devices at the affected facilities. 

In most cases, the devices were directly connected to the internet, lacking any measure of authentication, which greatly facilitated these attacks. 

During this discussion, Moshe explains how this threat actor’s actions were largely meant to demonstrate their access to the PLCs, and instill some fear and chaos, rather than a direct manipulation of water quality or availability. 

Team82 researched these affected devices, in particular the PCOM protocol developed by Unitronics for communication between the assets and engineering workstations. Two forensics tools were developed for this research project that allowed Team82 to not only connect to the PLCs, but also extract information about the attackers’ activities, including dates and times these illicit connections were made, system information, keyboard configurations, and more. 

Unitronics has addressed the vulnerability disclosed by Team82. Both forensic tools are freely available on Team82’s GitHub page.

Operational Technology
Industrial
Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.

Stay in the know

Get the Nexus Connect Newsletter

Subscribe

Listen on Apple Podcasts. Listen on Spotify Podcasts.

Share

LinkedIn Twitter Facebook Email

Featured Articles

Considerations for Medical Device Vulnerability Remediation Technical Debt in OT Environments: How It's Different and Why it Matters The Purdue Model's Risky Blindspot

Featured Videos

Browse by Topics

Cyber Resilience Cybersecurity Insurance Federal Food & Beverage Healthcare Industrial Internet of Things Nexus Conference Operational Resilience Operational Technology Ransomware Risk Management Technical Debt Vulnerability Management Zero Trust

You might also like…

Read more
In this episode of the Nexus Podcast, Alethe Denis, a senior security consultant at Bishop Fox, joins to discuss the ongoing effectiveness of open-source intelligence analysis and social engineering tactics as a precursor to larger intrusions against critical infrastructure.
Cyber Resilience
Healthcare
Industrial
Risk Management

Nexus Podcast: Alethe Denis on Social Engineering, Red-Teaming

Michael Mimoso
On this episode of the Nexus Podcast, Alon Dankner of the Technion Institute in Israel explains his research into the Siemens S7 protocol and PLCs. A vulnerability uncovered during research allows an attacker to expose and steal private cryptographic keys by leveraging a severe vulnerability and configuration error.
Operational Technology

Nexus Podcast: Alon Dankner on Extracting Private Crypto Keys from PLCs

Michael Mimoso
In this episode of the Claroty Nexus Podcast, Alexander Antukh, the chief information security officer at AboitizPower, the Philippines’ largest owner and operator of renewable energy, discusses one path toward translating risk and losses into business terms: cyber risk quantification (CRQ).
Risk Management

Nexus Podcast: Alexander Antukh on Cyber Risk Quantification

Michael Mimoso
In this episode of the Nexus Podcast, Vincente Diaz, a threat intelligence strategist on Google’s VirusTotal team, explains how AI and ML engines are being used in VirusTotal’s malware analysis, and how those results differ from what a traditional AV engine's analysis might render.
Cyber Resilience

Nexus Podcast: Vincente Diaz on Using AI for Malware Analysis

Michael Mimoso
On the latest episode of the Nexus Podcast, Rockwell Automation Senior Network & Solution Consultant Ahmik Hindman joins to discuss patching and vulnerability management of operational technology (OT) and industrial control systems (ICS).
Operational Technology
Vulnerability Management

Nexus Podcast: Ahmik Hindman on Patching OT and ICS

Michael Mimoso
Dr. Bilyana Lilly, an expert on geopolitics and Russia’s codification of information warfare as a strategy, says that the war in Ukraine has only temporarily delayed Russia’s activity against the West in cyberspace. On the latest Claroty Nexus podcast, she reinforces the idea that despite the fact that Russia is operating under severe resource constraints, CISOs should be preparing for the inevitable ramp-up of cyberattacks against critical infrastructure.
Risk Management
Cyber Resilience

Nexus Podcast: Dr. Bilyana Lilly on Information Warfare

Michael Mimoso
In this episode of the Claroty Nexus Podcast, Bishop Fox CEO and Cofounder Vinnie Liu explains how offensive security specialists, including red teams, are working alongside incident response specialists during incidents, including ransomware attacks. Organizations in healthcare and other critical industries, for example, bring in offensive specialists in an attempt to find and lock down other exposures to avoid reinfections or separate intrusions that could lead to further data loss or reputational damage.
Healthcare
Ransomware
Cyber Resilience

Nexus Podcast: Vinnie Liu on Offensive Security Testing During Incidents

Michael Mimoso
diana-kelly-podcast.png
Cyber Resilience
Risk Management
Vulnerability Management

Nexus Podcast: Diana Kelley on Securing AI Systems

Michael Mimoso
jennifer-minella.jpeg
Operational Technology

Nexus Podcast: Jennifer Minella on Converging IT/OT from the Ground Up

Michael Mimoso
charles_blauner_team8.jpg
Risk Management

Nexus Podcast: Charles Blauner on the CISO’s Personal Risk Equation

Michael Mimoso
mikko-1715700422.jpeg
Ransomware
Cyber Resilience

Nexus Podcast: Mikko Hypponen on 10 Years of Corporate Ransomware

Michael Mimoso
Adm. Michael S. Rogers, USN (Ret.) joins the Nexus podcast to discuss the Biden administration's National Cybersecurity Strategy, and its themes of cyber resilience and critical infrastructure protection.
Cyber Resilience
Risk Management

Nexus Podcast: Adm. Michael Rogers on Geopolitics and Defending Critical Infrastructure

Michael Mimoso

Latest on Nexus Podcast

See all episodes
The Nexus podcast features conversations with security leaders, researchers, and experts sharing their expertise on cyber-physical systems security.
In this episode of the Nexus Podcast, Alethe Denis, a senior security consultant at Bishop Fox, joins to discuss the ongoing effectiveness of open-source intelligence analysis and social engineering tactics as a precursor to larger intrusions against critical infrastructure.
Cyber Resilience
Healthcare
Industrial
Risk Management

Nexus Podcast: Alethe Denis on Social Engineering, Red-Teaming
On this episode of the Nexus Podcast, Alon Dankner of the Technion Institute in Israel explains his research into the Siemens S7 protocol and PLCs. A vulnerability uncovered during research allows an attacker to expose and steal private cryptographic keys by leveraging a severe vulnerability and configuration error.
Operational Technology

Nexus Podcast: Alon Dankner on Extracting Private Crypto Keys from PLCs
In this episode of the Nexus Podcast, Claroty Team82 researcher Noam Moshe explains the challenges involved in gathering attack forensic artifacts from OT devices, in this case, Unitronics PLCs that were exploited in 2023 in attacks against water facilities in the U.S. and Israel.
Operational Technology
Industrial

Nexus Podcast: Noam Moshe on Extracting Forensic Data from Unitronics PLCs