[BOOK] Industrial Control System Security(4/8) - Fundamental Understanding from an IACS UR E26 and E27 Certification Perspective

📚 Book Review · IACS UR E26 / E27 · Threat Modeling · Maritime OT

[BOOK] Industrial Control System Security (3/3)

Chapter 4: Threat Modeling Fundamentals — Attack Chain Structure & EWS Pivot Analysis

Blue Horizonist
Maritime and Cyber Security Consultant / ISP Consultant
📅 March 20, 2026
Book Information
Industrial Control System Security
Author: Pascal Ackerman · Published: 2019 · Korean Edition: Acon
Principal Industrial Cybersecurity Consultant @ Rockwell Automation (since 2015) · 15+ years in large-scale industrial systems & network security

The first three chapters built the defensive structure — OT characteristics, network architecture, and host security. Chapter 4 asks the next essential question: "How does an attacker actually penetrate the system?" Understanding the attack structure is a prerequisite for meaningful control design. Security architecture always follows: System Understanding → Attack Understanding → Control Design → Verification.

Book Flow: Ch 1 OT Nature → Ch 2 Network Arch → Ch 3 Host Security → Ch 4 Attack Chain
Chapter 4
Threat Modeling Fundamentals — Structural Understanding

4.1 Structure of the OT Attack Chain

Chapter 4 explains attacks through a six-stage kill chain practically aligned with MITRE ATT&CK for ICS, the Lockheed Martin Cyber Kill Chain, and the NIST attack lifecycle. OT attacks differ from IT attacks in both objective and path.

IT Attack Objectives: · Data theft · Financial gain
OT Attack Objectives: · Process control · Operational disruption · Physical damage
OT Attack Path: IT Network → OT Network → Engineering Workstation → PLC / HMI

4.2 Structure of Each Attack Stage

Stage 1
Initial Access

Establishing a foothold inside the network boundary. In OT environments, the following entry points are especially dangerous.

Attack Methods: Browser exploit · Vulnerable service · Phishing · VPN credential theft
OT-Specific Danger Points: EWS internet use · Maintenance laptop · Vendor remote access
UR E26: Malicious Code Protection · Patch Management · Authentication Control
Stage 2
Execution

The attacker runs arbitrary code inside the system. Once this stage succeeds, the attacker can operate freely within the compromised host.

Execution Methods: Exploit payload · Script execution · Malicious binary · DLL injection
Defensive Technologies: Application Allow-list · Endpoint Protection · Script restriction
Stage 3
Privilege Escalation

Most exploits begin with user-level privileges. The attacker's goal is Administrator privileges: Low privilege → kernel exploit → admin privilege

Escalation Methods: UAC bypass · Token impersonation · Vulnerable service · Misconfigured privilege
OT Risk: Administrative privileges on the EWS translate into PLC programming privileges — privilege escalation equals control over the industrial process.
Stage 4
Credential Access

The attacker obtains authentication information of other accounts to move deeper. Without credentials, lateral movement and domain compromise are impossible.

Credential Access Methods: LSASS memory dump · SAM database extraction · Credential harvesting
Stage 5
Lateral Movement

The attacker moves to other systems inside the internal network. In OT, the primary targets are:

Primary Targets: Engineering Workstation · HMI · PLC · Gateway
A dual-NIC EWS becomes a very dangerous pivot point — bridging IT and OT networks simultaneously.
Stage 6
Impact

The attacker's final objective. In OT, Impact does not mean IT damage — it means impact on the physical system.

Impact Methods: PLC logic modification · Process shutdown · Safety system disablement · Sensor spoofing

Chapter 4 — Direct Linkage to UR E26 / E27

UR E26 test items are designed based on attack stages. Chapter 4 explains the underlying logic behind each test item.

Attack Stage          | UR E26 Corresponding Control
----------------------|-----------------------------
Initial Access        | Malicious Code Protection
Execution             | Mobile Code Control
Privilege Escalation  | Authorization Enforcement
Credential Access     | Authenticator Management
Lateral Movement      | Communication Integrity
Impact                | Deterministic Output

OT security is not simply about protecting devices; it is about blocking the attacker's path of movement. Attackers move: Internet → IT Network → OT Network → Engineering Workstation → PLC. Security architecture must create control points at each stage along this path.

Additional Learning
Why Can the EWS Become a Highly Dangerous Pivot Point?

1. What Is a Pivot System?

A Pivot System is an intermediate foothold the attacker uses — after compromising one system — as a bridge to move toward more important targets. The goal is not the initially compromised system, but what lies beyond it.

IT Environment Examples
· User PC → Domain Controller
· Web server → Internal DB server
· VPN server → Internal network

2. Why Does the EWS Become a Pivot?

The EWS is not just a PC — it is the only system that has the authority to modify the control system. If the EWS is compromised, there is no need to attack the PLC directly.

Main Functions of the EWS: PLC program upload/download · HMI configuration · Firmware update · Parameter changes · Process logic modification

3. Network Position of the EWS — Why It Becomes a Pivot Structurally

The EWS understands both worlds simultaneously — making it the gateway that enables IT → OT movement.

IT Network
  │ (Maintenance / File transfer / Update)
Engineering Workstation ← PIVOT
  │ (Control protocol)
PLC / HMI / Control Network

Zone        | EWS Role
------------|---------------------------------
IT Network  | Files, patches, remote access
OT Network  | PLC control
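The dual-homed position described above is something an asset inventory can be checked for. The following Python is an added example (not from the book or the post): it classifies each interface address into a zone by subnet and reports hosts whose interfaces span more than one zone. The zone subnets, host names and addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Zone definitions (constructed assumptions, not from the book or the post).
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "OT": [ip_network("192.168.50.0/24"), ip_network("192.168.51.0/24")],
}

# Constructed interface inventory: host name -> interface addresses.
INVENTORY = {
    "EWS01": ["10.10.4.20", "192.168.50.10"],    # dual-NIC: bridges IT and OT
    "HMI01": ["192.168.50.11"],                  # OT only
    "FILESRV": ["10.10.2.5"],                    # IT only
    "EWS02": ["192.168.50.12", "192.168.51.12"], # two NICs, but both in OT
}


def zone_of(addr: str) -> str:
    """Return the zone whose subnet contains addr, or 'UNKNOWN' if none does."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "UNKNOWN"


def bridging_hosts(inventory: dict[str, list[str]]) -> dict[str, set[str]]:
    """Hosts whose interfaces fall into more than one zone, with the zones they join.

    A host listed here is a structural IT -> OT pivot candidate regardless of
    its patch level, because it bypasses whatever sits between the zones.
    """
    result = {}
    for host, addrs in inventory.items():
        zones = {zone_of(a) for a in addrs}
        if len(zones) > 1:
            result[host] = zones
    return result


if __name__ == "__main__":
    for host, zones in bridging_hosts(INVENTORY).items():
        print(f"{host}: bridges {' + '.join(sorted(zones))}")
```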

4. Position of the EWS in Real Attack Flows

Internet → Corporate IT → IT Workstation / Server → Engineering Workstation (← Pivot) → PLC / DCS → Physical Process

Stuxnet
· Infection of Windows systems
· Infection of engineering software
· PLC logic modification

Triton
· Penetration into the IT network
· Compromise of the EWS
· Attack on the safety controller

5. Why Attackers Favor the EWS

Direct PLC Communication via OT Protocols: Modbus · EtherNet/IP · Profinet · OPC

These protocols are not used in general IT systems — to attack a PLC, access to the EWS environment is required first.

Administrative Privileges Are Common: Local administrator privileges · Software installation ability · Engineering tool execution
Highly Trusted by the Network

PLCs often follow an implicit policy: "The engineering workstation is a trusted system." PLCs rarely validate commands originating from the EWS.

Security Controls Are Often Weak: EDR installation restricted · Antivirus updates limited · Low security visibility

6. Technical Structure of an EWS Pivot Attack

Step 1: Initial Access — IT Workstation compromise
    Phishing · Browser exploit
Step 2: Credential Access — domain credentials obtained
    Hash dump · Password reuse
Step 3: Access to the EWS — lateral movement
    RDP · SMB · PsExec
Step 4: Abuse of engineering tools — uses legitimate software
    Siemens Step7 · Rockwell Studio5000 · Schneider Control Expert
    Using legitimate tools makes detection extremely difficult.
Step 5: PLC logic modification
    Ladder logic modification · Parameter changes · Firmware update

7. Why the EWS Pivot Is Dangerous

Characteristic | Description
---------------|-------------------------------------------
Privilege      | PLC control privileges
Connectivity   | Connected to both IT and OT networks
Trust          | A system trusted by the PLC

When Privilege + Connectivity + Trust combine, the EWS becomes the perfect pivot system for an attacker.

8. EWS Protection Strategy — Core Security Controls

Network Isolation: Place EWS in a dedicated OT network · Prohibit direct IT access
Jump Server Architecture: IT → Jump Server → EWS → PLC (segmented access path)
Application Allow-list: Only engineering software and system utilities permitted
Credential Protection: Prohibit Domain Admin accounts · Manage privileged access carefully
Session Recording: All EWS activities must be recorded
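Session recording only pays off if someone checks the recordings against the policy. As an added example (not from the book or the post), the following Python reviews constructed EWS session records against three of the controls above (jump-server path, no Domain Admin logons, application allow-list) and names the violated control. The log format, addresses, group names and tool file names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Policy from the "EWS Protection Strategy" controls, expressed as data.
# Addresses, group names and tool file names are constructed assumptions.
JUMP_SERVER = ip_address("10.20.0.5")      # assumed jump-server address
IT_NETWORK = ip_network("10.10.0.0/16")    # assumed corporate IT range
FORBIDDEN_GROUPS = {"Domain-Admins"}       # "Prohibit Domain Admin accounts"
ALLOWED_TOOLS = {"step7.exe", "studio5000.exe", "controlexpert.exe", "explorer.exe"}

# Constructed EWS session records: one session per line, key=value fields,
# groups separated by ';'. Not real log output.
SAMPLE_LOG = """\
ts=2026-03-20T08:01:02 host=EWS01 src=10.20.0.5 user=eng.kim groups=OT-Engineers proc=Step7.exe
ts=2026-03-20T08:17:45 host=EWS01 src=10.10.4.7 user=eng.kim groups=OT-Engineers proc=Step7.exe
ts=2026-03-20T09:02:11 host=EWS01 src=10.20.0.5 user=svc_backup groups=OT-Engineers;Domain-Admins proc=psexesvc.exe
"""


def parse_line(line: str) -> dict:
    """Split one constructed key=value session record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def check_session(rec: dict) -> list[str]:
    """Return the controls this session violates (empty list = compliant)."""
    findings = []
    src = ip_address(rec["src"])
    # Jump Server Architecture: every EWS session must originate from the jump server.
    if src != JUMP_SERVER:
        zone = "IT network" if src in IT_NETWORK else "unknown zone"
        findings.append(f"Jump Server Architecture: direct session from {zone} ({src})")
    # Credential Protection: Domain Admin accounts must never log on to the EWS.
    if FORBIDDEN_GROUPS & set(rec["groups"].split(";")):
        findings.append("Credential Protection: Domain Admin logon")
    # Application Allow-list: only engineering software and system utilities.
    if rec["proc"].lower() not in ALLOWED_TOOLS:
        findings.append(f"Application Allow-list: unlisted process {rec['proc']}")
    return findings


def review_log(text: str) -> dict[str, list[str]]:
    """Map each non-compliant session's timestamp to its findings."""
    results = {}
    for line in text.splitlines():
        rec = parse_line(line)
        findings = check_session(rec)
        if findings:
            results[rec["ts"]] = findings
    return results


if __name__ == "__main__":
    for ts, findings in review_log(SAMPLE_LOG).items():
        print(ts, "->", "; ".join(findings))
```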

9. Connection to UR E26 / E27

UR E26 Test Item            | Meaning in Relation to the EWS
----------------------------|----------------------------------------
Human User Identification   | User authentication on the EWS
Authorization Enforcement   | Access privileges to the PLC
Account Management          | Administrative account management
Communication Integrity     | EWS ↔ PLC communication
Malicious Code Protection   | Protection of the EWS from malware

A substantial portion of UR E26 testing effectively validates EWS security.

In OT attacks, the Engineering Workstation plays the role of Bridge + Privilege Hub + Control Gateway. Attackers follow: IT compromise → EWS pivot → PLC control. OT security architecture must be designed in the reverse direction: Protect EWS → Protect PLC → Protect Process.

#ICSsecurity #OTsecurity #ThreatModeling #AttackChain #IACS #URE26 #URE27 #MaritimeCyberSecurity #MITRE #EWS #Maritime40
Captain Ethan
Maritime 4.0 · AI, Data & Cyber Security

Maritime professional focused on the intersection of vessel operations, classification society regulations, and OT/IT cybersecurity. Writing for engineers, consultants, and operators navigating Maritime 4.0 together.
(👉 Main page: https://shippauljobs.blogspot.com/)
