ZERO TRUST PROTOCOL: ENFORCED

CYBER-PHYSICAL RESILIENCE

We assume the network is hostile. Audientia replaces the "Air Gap" myth with rigorous defence-in-depth, enforcing identity from the Cloud API down to the PLC register.

IEC 62443-4-2
NIST SP 800-82r3
ISO 27001
PURDUE MODEL
ISA-95
Cloud & App
Level 4/5
Attack Vectors
API Injection & Abuse
Direct backend access via WAF bypass or SQL injection. Object storage (S3) buckets exposed by permissive bucket policies or ACLs.
Broken Authentication
Permissive CORS headers that let untrusted origins send credentialed requests, weak session management, and over-privileged or long-lived API tokens.
Countermeasures
WAF & API Gateway
Strict ingress filtering, rate limiting, and request signing. Schema validation on all endpoints.
DevSecOps Pipelines
Automated SAST/DAST in CI/CD. SBOM scanning. Container image signing with cosign.
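The request-signing control listed under WAF & API Gateway, as an added example that is not Audientia's code: the client signs method, path, timestamp and a hash of the body with a per-client HMAC-SHA256 secret, and the gateway verifies with a constant-time compare, rejects stale timestamps and refuses replays inside the skew window. The header names, the client id `edge-gw-01` and the in-memory secret store are assumptions for the demonstration; in production the secret comes from a vault.

```python
"""HMAC request signing with replay protection for a northbound API.

Added example, not Audientia code. Header names, the client id and the
in-memory secret store are assumptions for the demonstration.
"""
import hashlib
import hmac
import time

# Constructed secret store: client id -> shared secret. In production this is
# looked up from a vault (e.g. HashiCorp Vault), never hard-coded.
CLIENT_SECRETS = {"edge-gw-01": b"0123456789abcdef0123456789abcdef"}
MAX_CLOCK_SKEW = 300  # seconds; a signed timestamp outside this window is stale


def canonical_string(method, path, timestamp, body):
    """Bind method, path, time and a hash of the body into the string that is signed,
    so changing any one of them invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(client_id, method, path, body, timestamp=None):
    """Client side: produce the headers the gateway checks."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(CLIENT_SECRETS[client_id], canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(headers, method, path, body, now=None, seen=None):
    """Gateway side: return (ok, reason).

    `seen` is a set of (client, timestamp, signature) tuples already accepted inside
    the clock-skew window; passing it enables replay rejection. Entries older than
    MAX_CLOCK_SKEW can be evicted because the timestamp check rejects them anyway.
    """
    now = int(time.time()) if now is None else now
    client_id = headers.get("X-Client-Id", "")
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return False, "unknown client"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    presented = headers.get("X-Signature", "")
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    # Replay check only after the signature is valid, so unauthenticated junk
    # cannot fill the seen-set.
    if seen is not None:
        key = (client_id, ts, presented)
        if key in seen:
            return False, "replay"
        seen.add(key)
    return True, "ok"


if __name__ == "__main__":
    body = b'{"reading": 21.5}'
    hdrs = sign_request("edge-gw-01", "POST", "/v1/telemetry", body, timestamp=1_700_000_000)
    cache = set()
    print(verify_request(hdrs, "POST", "/v1/telemetry", body, now=1_700_000_010, seen=cache))
    print(verify_request(hdrs, "POST", "/v1/telemetry", body, now=1_700_000_010, seen=cache))  # replay
    print(verify_request(hdrs, "POST", "/v1/telemetry", b'{"reading": 99}', now=1_700_000_010))
```

The signature covers the body hash rather than the raw body so that a tampered payload fails even when the WAF in front has already normalised it; the timestamp window bounds how long the replay set must be kept.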
Broker & DMZ
Level 3.5
Attack Vectors
Broker Poisoning
Injecting bogus MQTT telemetry to corrupt analytics. Topic flooding to exhaust broker memory.
Route Hijacking
ARP spoofing to intercept unencrypted traffic. MQTT over port 1883 (plaintext) interception.
Countermeasures
mTLS Authentication
Client certificates required for all producers and consumers. CA-signed cert bundles, bcrypt passwords.
Strict ACLs
Topic-level write restrictions enforced by broker ACL. Principle of Least Privilege per client ID.
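The topic-level ACL described above, as an added example that is not Audientia's or any broker's code. It implements the MQTT topic-filter rules a broker applies (`+` matches exactly one level, `#` matches the remainder and is only valid as the last level, wildcard filters never match `$SYS` topics) and a default-deny rule table where `%c` expands to the client id, in the spirit of Mosquitto's pattern ACLs, so one template confines every client to its own subtree. The client ids, topics and ACL table are constructed for the example; "read" is enforced per delivered message (as Mosquitto does), so the topic passed in never contains wildcards.

```python
"""Per-client MQTT topic ACL with default deny.

Added example, not Audientia's or any broker's code. Client ids, topics and the
ACL table are constructed for the demonstration.
"""

WILDCARD_CHARS = set("+#")


def topic_matches(topic_filter, topic):
    """Return True if `topic` (no wildcards) matches `topic_filter` under MQTT rules."""
    if topic.startswith("$") and topic_filter[:1] in WILDCARD_CHARS:
        return False  # spec: wildcards must not match topics beginning with '$'
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # 'a/#' matches 'a' and 'a/b/c'; 'a/#/b' is invalid
        if i >= len(t_levels):
            return False  # filter is longer than the topic
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


# Constructed ACL. "pattern" rules apply to every client with %c substituted;
# named entries add client-specific grants. Access is "read" (message delivery)
# or "write" (publish); anything not granted is denied.
ACL = {
    "pattern": [
        ("plant1/%c/telemetry/#", "write"),   # a gateway may publish only its own telemetry
        ("plant1/%c/cmd/#", "read"),          # ...and receive only commands addressed to it
    ],
    "analytics-svc": [
        ("plant1/+/telemetry/#", "read"),     # analytics reads every gateway's telemetry
    ],
}


def is_allowed(client_id, access, topic, acl=ACL):
    """Default-deny check performed at PUBLISH time and on each delivery."""
    # A client id carrying wildcard or separator characters would turn the %c
    # template into a broader filter, so refuse it outright.
    if not client_id or any(c in client_id for c in "+#/"):
        return False
    if access not in ("read", "write") or any(c in topic for c in "+#"):
        return False  # concrete topics never contain wildcards; reject rather than match
    rules = [(tpl.replace("%c", client_id), acc) for tpl, acc in acl["pattern"]]
    rules += acl.get(client_id, [])
    return any(acc in (access, "readwrite") and topic_matches(flt, topic) for flt, acc in rules)


if __name__ == "__main__":
    for cid, acc, topic in [
        ("edge-gw-01", "write", "plant1/edge-gw-01/telemetry/temp"),
        ("edge-gw-01", "write", "plant1/edge-gw-02/telemetry/temp"),
        ("analytics-svc", "read", "plant1/edge-gw-01/telemetry/temp"),
        ("analytics-svc", "write", "plant1/edge-gw-01/cmd/restart"),
    ]:
        print(cid, acc, topic, "->", "ALLOW" if is_allowed(cid, acc, topic) else "DENY")
```

The client-id sanitisation matters: with mTLS the client id is typically derived from the certificate subject, so the CA's naming policy must also forbid `+`, `#` and `/`, otherwise a single issued certificate could widen its own ACL.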
Edge Gateway
Level 2
Attack Vectors
Firmware Implants
Loading malicious container images onto edge devices. Supply chain compromise via unverified registries.
Model Poisoning
Adversarial perturbation of the sensor stream at inference time, or tampering with the data the Edge AI model is trained on, to force false-negative anomaly predictions.
Countermeasures
Secure Boot / TPM
Hardware root of trust: Secure Boot executes only a bootloader and kernel carrying a trusted signature, and the TPM 2.0 measures each boot component into PCRs so a remote verifier can attest that the device booted known-good firmware and kernel before it is allowed to publish.
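The attestation step above, as an added example that is not Audientia's code: the verifier replays the measured-boot event log through the TPM PCR extend operation (PCR_new = SHA-256(PCR_old || measurement), starting from 32 zero bytes), checks that the replay reproduces the quoted PCR values, and checks those values against golden values for the approved firmware, bootloader and kernel. The component blobs and the PCR assignment (0 = firmware, 4 = bootloader, 9 = kernel, following common UEFI/GRUB usage) are assumptions. Verifying the quote's signature with the attestation key is done by TPM tooling such as tpm2_checkquote and is not repeated here.

```python
"""Measured-boot verification against a TPM 2.0 quote.

Added example, not Audientia code. Component blobs, PCR assignment and the event
log format are assumptions; quote signature verification is assumed to have
already been done with the attestation key.
"""
import hashlib

ZERO_PCR = bytes(32)  # SHA-256 bank PCRs start at all zeros


def measure(component):
    """Digest a boot component exactly as the firmware would before extending."""
    return hashlib.sha256(component).digest()


def extend(pcr_value, measurement):
    """TPM2_PCR_Extend for the SHA-256 bank: order-sensitive and one-way."""
    return hashlib.sha256(pcr_value + measurement).digest()


def replay_event_log(events):
    """Replay [(pcr_index, measurement_digest), ...] into {pcr_index: value}."""
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = extend(pcrs.get(idx, ZERO_PCR), digest)
    return pcrs


def boot_events(kernel_blob, firmware_blob=b"edge-fw-2.1.0", bootloader_blob=b"grub-signed"):
    """Constructed event log for one boot; only the kernel varies between scenarios."""
    return [(0, measure(firmware_blob)), (4, measure(bootloader_blob)), (9, measure(kernel_blob))]


# Golden values: replay of the approved image set, stored by the verifier at release time.
APPROVED_KERNEL = b"vmlinuz-6.6-signed"
GOLDEN = replay_event_log(boot_events(APPROVED_KERNEL))


def verify_attestation(quoted_pcrs, events, golden=GOLDEN):
    """Return (ok, reason) for a signature-checked quote plus the device's event log."""
    replayed = replay_event_log(events)
    # 1. The log must explain the quote, otherwise the log was edited or truncated.
    for idx, value in quoted_pcrs.items():
        if replayed.get(idx) != value:
            return False, f"event log does not reproduce PCR{idx}: log tampered or truncated"
    # 2. The TPM-signed values must equal the approved build's values.
    for idx, value in golden.items():
        if quoted_pcrs.get(idx) != value:
            return False, f"PCR{idx} differs from golden value: unapproved boot component"
    return True, "ok"


if __name__ == "__main__":
    good = boot_events(APPROVED_KERNEL)
    print(verify_attestation(replay_event_log(good), good))
    bad = boot_events(b"vmlinuz-6.6-implant")
    print(verify_attestation(replay_event_log(bad), bad))
    # Log tampering: the device sends the good log, but the TPM quoted the bad boot.
    print(verify_attestation(replay_event_log(bad), good))
```

Because extend is one-way and order-sensitive, an implant cannot "un-measure" itself or reorder events to reach the golden value; the only way to pass is to boot the approved components, which is what makes the quote trustworthy as a publish-gate.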
Input Data Validation
Rigorous physics-based sanity checks on sensor readings. Statistical bounds enforcement before inference.
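The physics-based sanity checks above, as an added example that is not Audientia's code: a hard physical range, a maximum rate of change against the last accepted reading, a robust statistical bound (median / MAD) over recently accepted readings, a stuck-value check and an optional comparison with a redundant sensor. Only accepted readings enter the history, so a rejected value cannot drag the baseline toward itself. The sensor (a coolant temperature in degrees C), its limits and the reading scenario are constructed for the example.

```python
"""Physics-based sanity checks on a sensor stream before it reaches the anomaly model.

Added example, not Audientia code. Sensor type, limits and the scenario are assumptions.
"""
from collections import deque
from statistics import median

MAD_TO_SIGMA = 1.4826  # scales MAD to a standard deviation for normally distributed noise


class SensorGuard:
    def __init__(self, lo, hi, max_rate, window=20, mad_k=5.0, stuck_n=10, twin_tol=1.0):
        self.lo, self.hi, self.max_rate = lo, hi, max_rate
        self.mad_k, self.stuck_n, self.twin_tol = mad_k, stuck_n, twin_tol
        self.history = deque(maxlen=window)   # (ts, value) of accepted readings only
        self.last = None

    def check(self, ts, value, twin=None):
        """Return (accepted, reasons). `twin` is a reading from a redundant sensor, if any."""
        reasons = []
        if not self.lo <= value <= self.hi:
            reasons.append("out_of_physical_range")
        if self.last is not None:
            last_ts, last_v = self.last
            if ts <= last_ts:
                reasons.append("non_monotonic_timestamp")
            elif abs(value - last_v) / (ts - last_ts) > self.max_rate:
                reasons.append("rate_of_change")  # faster than the physics of the loop allows
        if len(self.history) >= 8:
            vals = [v for _, v in self.history]
            med = median(vals)
            mad = median(abs(v - med) for v in vals)
            # Robust z-score: median/MAD are not pulled by the very outlier being tested.
            if mad > 0 and abs(value - med) / (MAD_TO_SIGMA * mad) > self.mad_k:
                reasons.append("statistical_outlier")
        recent = [v for _, v in list(self.history)[-(self.stuck_n - 1):]]
        if len(recent) == self.stuck_n - 1 and all(v == value for v in recent):
            reasons.append("stuck_value")  # a live sensor shows noise; an identical run is suspect
        if twin is not None and abs(value - twin) > self.twin_tol:
            reasons.append("redundant_sensor_disagreement")
        accepted = not reasons
        if accepted:
            self.history.append((ts, value))
            self.last = (ts, value)
        return accepted, reasons


# Constructed scenario: 15 s of steady readings, a 3 deg/s jump, recovery, an impossible
# value, then ten identical samples (stuck or replayed sensor).
SCENARIO = list(enumerate([60.0, 60.1, 59.9, 60.2, 60.0, 59.8, 60.1, 60.0,
                           60.2, 59.9, 60.1, 60.0, 59.8, 60.1, 60.0]))
SCENARIO += [(15, 63.0), (16, 60.1), (17, 160.0)] + [(18 + i, 60.0) for i in range(10)]


def replay(readings, guard=None):
    """Run a scenario through a fresh guard; returns one (accepted, reasons) per reading."""
    guard = guard or SensorGuard(lo=-40.0, hi=150.0, max_rate=2.0)
    return [guard.check(ts, v) for ts, v in readings]


if __name__ == "__main__":
    for (ts, v), verdict in zip(SCENARIO, replay(SCENARIO)):
        print(f"t={ts:2d} value={v:6.1f} -> {verdict}")
```

Readings that fail any check are withheld from inference and logged; a burst of `statistical_outlier` rejections with no physical cause is itself the signal that someone is feeding the model crafted inputs.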
OT & PLC
Level 0/1 — CRITICAL
Attack Vectors
Command Injection
"Modbus Write Coil" attacks to force actuator state. Stuxnet-class logic manipulation via rung insertion.
Legacy Protocol Abuse
Unauthenticated Modbus/Profinet traffic on routable segments. No native encryption — trivially sniffable.
Countermeasures
Read-Only Gateway Enforcement
Read-only allowlist at the gateway: only the read function codes (FC01 Read Coils, FC02 Read Discrete Inputs, FC03 Read Holding Registers, FC04 Read Input Registers) are forwarded; every write function code (FC05, FC06, FC15, FC16, FC22, FC23) and any unknown or vendor-specific code is dropped. Blocking FC05/06/16 alone still leaves FC15 (Write Multiple Coils), FC22 (Mask Write Register) and FC23 (Read/Write Multiple Registers) open.
OT-IDS / Deep Packet Inspection
Passive DPI for Modbus/TCP, S7comm and EtherNet/IP (CIP), fed from a SPAN port or network TAP and never placed inline on the control path, so a sensor failure cannot interrupt I/O. Reads outside the baselined register ranges, unseen unit-ID/function-code pairs and any write attempt raise an immediate alert.
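The read-only gateway rule and the OT-IDS baseline check above share one Modbus/TCP parser, so they are shown together as one added example that is not Audientia's code. The parser reads the MBAP header (transaction id, protocol id, length, unit id) and the first fields of the PDU; the gateway function forwards only in-spec read requests, and the IDS function flags writes, unseen unit/function-code pairs and register ranges outside a baseline. The sample frames are built by hand and the baseline is an assumption for the example.

```python
"""Modbus/TCP read-only gateway filter and OT-IDS baseline check sharing one parser.

Added example, not Audientia code. Frames are constructed by hand (MBAP header +
PDU, big-endian). The IDS baseline is an assumption for the example.
"""
import struct

# Public function codes and the per-request maximum the Modbus spec allows.
READ_FCS = {1: ("Read Coils", 2000), 2: ("Read Discrete Inputs", 2000),
            3: ("Read Holding Registers", 125), 4: ("Read Input Registers", 125)}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers",
             22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


def parse_modbus_tcp(frame):
    """Parse an MBAP header and the first PDU fields; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:       # length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    pdu, req = frame[8:], {"tid": tid, "unit": unit, "fc": fc}
    if fc in READ_FCS or fc in (15, 16, 23):   # FC23: the first pair is the read range
        if len(pdu) < 4:
            raise ValueError("truncated request")
        req["addr"], req["qty"] = struct.unpack(">HH", pdu[:4])
    elif fc in (5, 6):
        if len(pdu) < 4:
            raise ValueError("truncated request")
        req["addr"], req["value"] = struct.unpack(">HH", pdu[:4])
    elif fc == 22:
        if len(pdu) < 6:
            raise ValueError("truncated request")
        req["addr"], req["and_mask"], req["or_mask"] = struct.unpack(">HHH", pdu[:6])
    return req


def gateway_verdict(frame):
    """Read-only enforcement: (forward?, reason). Writes, unknown codes and malformed frames drop."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"drop malformed: {exc}"
    fc = req["fc"]
    if fc in WRITE_FCS:
        return False, f"block write FC{fc:02d} ({WRITE_FCS[fc]})"
    if fc not in READ_FCS:
        return False, f"block unknown/vendor FC{fc:02d}"
    name, max_qty = READ_FCS[fc]
    if not 1 <= req["qty"] <= max_qty or req["addr"] + req["qty"] > 0x10000:
        return False, f"drop malformed: FC{fc:02d} quantity {req['qty']} out of spec"
    return True, f"allow read FC{fc:02d} ({name})"


# Constructed IDS baseline: (unit id, function code) -> inclusive address range seen in
# normal operation. Anything outside it is an anomalous access pattern.
BASELINE = {(1, 3): (0, 99), (1, 1): (0, 15)}


def ids_alerts(frame, baseline=BASELINE):
    """Passive DPI view: every write, unseen unit/FC pair or out-of-baseline range alerts."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"malformed Modbus/TCP frame: {exc}"]
    alerts, fc = [], req["fc"]
    if fc in WRITE_FCS:
        alerts.append(f"write attempt FC{fc:02d} to unit {req['unit']} addr {req['addr']}")
    span = baseline.get((req["unit"], fc))
    if span is None:
        alerts.append(f"unseen (unit {req['unit']}, FC{fc:02d}) pair")
    elif "qty" in req:
        first, last = req["addr"], req["addr"] + req["qty"] - 1
        if first < span[0] or last > span[1]:
            alerts.append(f"FC{fc:02d} range {first}-{last} outside baseline {span[0]}-{span[1]}")
    return alerts


# Hand-built sample frames: transaction id, protocol 0, length, unit 1, PDU.
SAMPLES = {
    "read_holding":   bytes.fromhex("00010000000601030000000a"),            # FC03 addr 0 qty 10
    "write_coil":     bytes.fromhex("00020000000601050013ff00"),            # FC05 coil 19 ON
    "write_multiple": bytes.fromhex("00030000000b01100001000204000a0102"),  # FC16 2 regs at 1
    "read_far":       bytes.fromhex("00040000000601031000007d"),            # FC03 addr 4096 qty 125
    "read_oversized": bytes.fromhex("0005000000060103000000c8"),            # FC03 qty 200 (> 125)
    "read_write":     bytes.fromhex("00060000000d01170000000100100001020000"),  # FC23
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:15s} gateway={gateway_verdict(frame)} ids={ids_alerts(frame)}")
```

Note that `read_far` is a legitimate read as far as the gateway is concerned (in-spec quantity, read function code) and is still flagged by the IDS because nobody in normal operation reads that register block; the two controls catch different things, which is why the page lists both.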
Compliance Framework
APPLIED STANDARDS
01
IEC 62443-4-2
Component-level security requirements for control system components. Security levels SL-1 through SL-4 mapped to each layer.
OT SECURITY
02
NIST SP 800-82r3
Guide to OT Security. DMZ architecture, network segmentation, and remote access controls per NIST recommendations.
ICS SECURITY
03
Purdue Model
Purdue reference architecture (ISA-95 levels) segmented into ISA/IEC 62443 zones and conduits across all layers. Explicit conduit boundaries with monitored firewall pairs.
ARCHITECTURE
04
RFC 8446 — TLS 1.3
All northbound data flows encrypted with TLS 1.3. MQTT over TLS 1.3 (port 8883). OPC UA Sign+Encrypt mode enforced.
TRANSPORT
Controls Matrix
DEFENCE-IN-DEPTH CONTROLS
Control | Mechanism | Layer | Standard
Zone Segmentation | VLANs + dual HA firewall pair | Network | ISA-62443
MQTT mTLS | Client cert + bcrypt password + OT CA | Transport | RFC 8446
OPC UA Security | SignAndEncrypt mode, cert pinning | Transport | IEC 62541
Jump Host + MFA | PAW in OT DMZ, PAM credential vault | Access | Zero-Trust
SIEM + Log Forwarding | Syslog → DMZ collector → SIEM | Monitoring | NIST 800-82
Read-Only Enforcement | Read FCs (FC01-FC04) only; every write FC (FC05, FC06, FC15, FC16, FC22, FC23) blocked | OT/PLC | ISA-62443
Staged Patch Mgmt | WSUS mirror in DMZ, offline staging | Maintenance | ISA-62443
Secure Boot / TPM | TPM 2.0 measured boot + remote attestation | Edge HW | NIST 800-82
SECURITY_OPS_TOOLKIT
Wireshark (S7/Modbus)
Snort IDS
Shodan
ModbusPal
OWASP ZAP
Trivy
OpenSSL 3.x
Mosquitto mTLS
Nmap / Nessus
Claroty / Dragos
HashiCorp Vault
Falco (K8s)