Exploiting Control Device Vulnerabilities: Attacking Cyber-Physical Water System

Industrial Control Systems (ICS) are transitioning from isolated, custom built systems to those employing general purpose computer hosts, wireless networks, and artificial intelligence. An increasing number of vulnerabilities in ICS devices is a major cause for concern since it provides potential adversaries with a simple approach to exploit and attack unpatched ICS systems. In light of this, the paper explores attack vectors that target unpatched system vulnerabilities and their impact on the ICS, demonstrated using Waste Water Treatment Plant (WWTP) testbed. Denial of Service (DoS), Buffer overflow, privilege escalation, unauthorized command injection attacks are executed and their impacts are investigated using CIA and STRIDE threat modeling. The main outcomes of the study are, 1) An update on public advisory CVE-2021-33834 by Moxa. 2) Demonstration of attack on a device with publicly accessible Proof of Concept (POC) of another device using Modbus buffer overflow vulnerability. Finally, various recommendations are made that can be used for security penetration testing to identify security flaws, as well as directions for product developers to implement security by design.