A Multi-Layer Industrial-IoT Attack Taxonomy: Layers, Dimensions, Techniques and Application

Industrial IoT (IIoT) is a specialized subset of IoT which involves the interconnection of industrial devices with ubiquitous control and intelligent processing services to improve industrial system's productivity and operational capability. In essence, IIoT adapts a use-case specific architecture based on RFID sense network, BLE sense network or WSN, where heterogeneous industrial IoT devices can collaborate with each other to achieve a common goal. Nonetheless, most of the IIoT deployments are brownfield in nature which involves both new and legacy technologies (SCADA (Supervisory Control and Data Acquisition System)). The merger of these technologies causes high degree of cross-linking and decentralization which ultimately increases the complexity of IIoT systems and introduce new vulnerabilities. Hence, industrial organizations becomes not only vulnerable to conventional SCADA attacks but also to a multitude of IIoT specific threats. However, there is a lack of understanding of these attacks both with respect to the literature and empirical evaluation. As a consequence, it is infeasible for industrial organizations, researchers and developers to analyze attacks and derive a robust security mechanism for IIoT. In this paper, we developed a multi-layer taxonomy of IIoT attacks by considering both brownfield and greenfield architecture of IIoT. The taxonomy consists of 11 layers 94 dimensions and approximately 100 attack techniques which helps to provide a holistic overview of the incident attack pattern, attack characteristics and impact on industrial system. Subsequently, we have exhibited the practical relevance of developed taxonomy by applying it to a real-world use-case. This research will benefit researchers and developers to best utilize developed taxonomy for analyzing attack sequence and to envisage an efficient security platform for futuristic IIoT applications.


I. INTRODUCTION
The Industrial Internet of Things (IIoT) refers to the application of Internet of Things (IoT) in industrial sector to monitor, collect, exchange, process and analyze data gained from industrial devices [1]. IIoT empowers industries with self-organizing and self-optimizing capabilities via real time monitoring and control of production environment [2] [3] [4]. The potential technologies which utilize IoT to enable IIoT for facilitating improvement in productivity, efficiency, and revenue are Artificial Intelligence (AI), Big Data, Radio Frequency Identification (RFID), and Wireless Sensor Network (WSN) and cognitive computing.
Industrial Internet of Things (IIoT) encompasses a vast amount of disciplines such as energy production, manufacturing, agriculture, healthcare, retail, transportation, logistics and many more [5]. According to a recent estimation of Gartner, there were approximately 4.80 billion IIoT assets present in the world in the year 2019. Further, Gartner has predicted that in the year 2020, this number will increase by 21 percent [5]. However, in spite of these manifold opportunities, the advancement of IIoT leads to a multitude of cyber security risks. Additionally, in 2019, Talos published 87 advisory articles about IoT and ICS vulnerabilities [5] Nevertheless, most of the practical IIoT deployments are brown-field in nature which involves both new and legacy technologies (SCADA). The merger of these technologies causes high degree of cross-linking and decentralization which ultimately provides support for numerous access points into the industrial network. Therefore, industrial organizations are not only vulnerable to SCADA attacks but also to IIoT specific attacks. Conventional industrial systems consist of resource powerful devices, for instance computers and smart phones, while on the other hand IIoT have resource constrained devices such as sensors [6] [7]. This scenario make the protection of IIoT components more expensive and made the system vulnerable to advance types of attacks such as node capturing, and tampering [8]. In addition to that IIoT nodes are mostly connected to insecure wireless medium which is constrained in nature in terms of energy, processing power and memory [6].
The attack span and probability of attack conduction have increased with the integration of IoT technology in industrial sector as industries are also exposed to IoT specific attacks. Therefore, a common in depth understanding and knowledge of various types of IIoT attacks is indispensable for the documentation, communication and derivation of mitigation measures of attack. This paper has focused on provisioning of a method for the in-depth analysis and categorization of IIoT specific attacks, thus providing aid in resisting new attacks and improving IIoT security. For this, we have developed a dedicated IIoT specific attack taxonomy. There are so many taxonomies present in the literature [9] [10] [11] [12] [13] related to IoT attacks but they are of little use when conducting a IIoT specific security assessment. The developed taxonomy focuses on adversaries whose primary goal is to disrupt an industrial control process, destruction of property by causing temporary or permanent damage and further creation of knowledge base which could effectively characterize and describe post compromise adversary behavior in IIoT domain.
The proposed taxonomy consists of 11 layers which are: Initial Access, Execution, Persistence, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Inhibit Process Control and Impact. These layers presents attack conduction steps in a sequenced manner. Our developed multilayer taxonomy provides an objective methodology to analyze vulnerabilities at a deeper level of granularity. Contrary to this, linear or horizontal taxonomies [15] [16] [17] [18] present in the literature are helpful only for understanding the features of a particular attack and does not aid in reducing the subjectivity of the process of attack. Our developed taxonomy begin with a high level of abstraction and progressively go lower in minute details to identify techniques and tactics of specific attack. Each layer is further divided into dimensions. These dimensions are used to further refine the way of conduction of attack. There are total 94 dimensions present in the taxonomy. Each dimension consist of possible attack techniques which could be used for the conduction of specific dimension attack. We have identified approx. 100 IIoT attack techniques.
To sum up, our developed taxonomy is primarily of value to risk assessment management, security analysts' system designers and as well as network administrator of IIoT domain. Following are the major contributions of this paper. Fig. 1 provides a comprehensive overview of key contributions in the paper. layers of the proposed taxonomy are presented in a attack conduction step sequence. It covers the possible process of attack starting from initial access to its impact on the industrial environment. • Application of Taxonomy: We further contributes in this paper by the application of developed taxonomy on a real world use-case. • Knowledge of IIoT Attacks: A taxonomy of IIoT attacks based on various layers, dimensions, techniques is presented. The developed taxonomy contributes theoretically to the knowledge of IIoT attacks by providing a source to identify extensive security considerations which are prevalent in industrial sector.
The organization of the paper is as follows. In Section II, we have presented our developed Multi-Layer IIoT Attack Taxonomy8. Section III presents the application of taxonomy on a real world use-case. Finally, Section IV concludes the paper.

II. MULTI-LAYER IIOT ATTACK TAXONOMY
In this section, we have presented our taxonomy which consists of IIoT attack techniques, dimensions and impact. The taxonomy consist of 11 layers, 94 dimensions, and approximately 100 techniques as shown in Fig. 3 Layers in the taxonomy are presented in attack conduction sequence manner. It covers the possible sequence of attack starting from initial access to its impact. Further, the layers are divided into dimensions. These dimensions represents the type of attacks which could be conducted under the specific taxonomy layer. Associated attack techniques are stated along with every dimension. In Fig. 2 shows the relationship of IoT, IIoT and SCADA technologies. It elaborates that IIoT is a part of IoT and SCADA is the part of IIoT incase of brownfield architecture of IIoT which includes legacy technologies such as SCADA. This clearly exhibits that SCADA attacks are the part of IIoT attacks. Some of the examples of IIoT techniques are also shown in 4. Following is the description of taxonomy.

A. Layer 1: Initial Access
Initial access layer consists of the techniques which adversaries use to get into the IIoT environment. The purpose of these techniques is to compromise the operational technologies assets and external remote services. The operational technologies may include physical devices, software and operational equipment. Initial access mechanism may also intervene in the operation of outside devices such as controllers or removable media to infect IIoT operations. Initial Access Layer's dimensions are: Internet Accessible Device, Exploit Public Facing Application, Wireless Compromise, Data Historian Compromise, Engineering Workstation Compromise, External Remote Services, Replication through Removable Media, Drive by Compromise, Supply Chain Compromise and Spear-phishing attachment.

B. Layer 2: Execution
Execution consists of attacks that enables adversary to run adversary-controlled code on a local

E. Layer 5: Discovery
Discovery consists of techniques which are used to gain information about the industrial environment such as information about internal network, control system devices and running processes. These techniques help adversaries to identify that which network they could control and perform malicious operations. Discovery layer's dimensions are: Network Sniffing, Input/Output Module Discovery, Network Connection Enumeration, Remote System Discovery, and Control Device Identification.

F. Layer 6: Lateral Movement
Lateral movement techniques are used by adversaries to enter and control remote systems present on the network. These techniques make use of default credentials, known account credentials and vulnerable services for entering into the control systems present on the network. Lateral Movement Layer's dimensions are: Valid Accounts, Program Organization Unit, Remote File Copy, Default Credentials, Exploitation of Remote Services, and External Remote Services. .

G. Layer 7: Collection
Collection consists of attack techniques in which the adversary tries to obtain contextual feedback such as device role identification or gathering system schematics in an industrial environment.

H. Layer 8: Command and Control
Command and control consists of techniques that adversaries utilize to send unauthorized commands to compromised systems, devices and controllers in the industrial environment. The compromised assets may include HMIs, servers, data historians and engineering workstations. Command and Control layer's dimensions are: Standard Application Layer Protocol, Connection Proxy, and Commonly Used Ports.

I. Layer 9: Inhibit Response Function
Inhibit response function consist of techniques which adversaries use to hide feedback coming from industrial systems related to safety, quality assurance, and operator intervention function which respond back in case of failure, hazard or unstable state.

J. Layer 10: Impair Process Control
Impair process control consist of techniques which adversaries use to malfunction control logic and cause adverse effects on the processes being controlled in the targeted industrial environment. In addition to that, these techniques could also include blockage or manipulation of reporting messages and control logic.

III. APPLICATION AND EVALUATION OF TAXONOMY
After the completion of the development of IIoT Multi-Layer Attack Taxonomy, we validated it by its application on a real world use-case of an IIoT attack incident. For application of taxonomy, we have selected the use-case of a German Steel Factory which was attacked in 2014 [19]. We Fig. 4. Example of IIoT Attack Techniques have divided the incident into manageable steps as shown in Fig.5, which helps us to segregate attack steps of the incident for analyzing incident in depth by utilizing our developed taxonomy. Following are the steps for attack.

Fig. 5. German Steel Factory Attack Steps
• Step 1: The adversary gain access to the industrial system using spear phishing email. The phishing email consisted of a document which was infected with malicious code. • Step 2: Once the spear phishing email was opened, the attached malicious code targets the vulnerabilities of an application on the system of steel factory. In this way, the adversary gain remote access to the industrial network. • Step 3: In the third step, the adversary established a foothold on the industrial network system by compromising various workstations. For entering into the network, the adversary make use of key loggers, network scanning and password attacks. • Step 4: After establishing a foothold on the industrial network, adversary started its further movement and damage using trojanized installers, exploit kits and watering hole attack. • Step 5: System which are known to be impacted are: -Control system components and functions such as hot blast system, kinetic process model, mass and energy balancers. -Centralized controllers (PLCs) -Safety Instrumented System (SIS) -HMI The combined effect of all these attacks, resulted in Loss of Control (LoC) of plant and its sub-functions which has lead to physical destruction. After dividing the incident into steps, we applied our developed taxonomy on it layer by layer. Fig.6 shows the application of taxonomy. We start with the first step of the attack in which the attacker initially tries to gain access of the industrial network using spear phishing email. Spear phishing attack technique is used in which the attacker make us of malicious email attachment to install malware on the targeted system of gain confidential information. According to our taxonomy, this attack can be classified under Initial Access layer and lies under its dimension of Exploit Public Facing Application and Spear-phishing Attachment.
In the second step, the attacker has installed a malware into any of the device or computer of industrial system via spear-phishing attachment execution (opening). The installed malware opened hidden doors in the system for the attacker to provide remote access to disrupt the plant operation. This attack lies under the second layer of the taxonomy which is Execution and lies under the dimension of Command Line Interface, Project File Infection and User Execution.
In the third step, the attacker has gained credential information of various industrial devices and workstations for the continuation of attack. For this attacker has used key-logging, password attack and network scanning. This behavior lies under the third layer of Persistence and under the dimension of Valid Accounts. In addition to that, this behavior may also lie under the layer of Discovery and under the dimension of Network Service Scanning because of the conduction of network scanning attack in this step.
In the fourth step, the attacker make further movement and conduction of attacks using trojanized installers, exploit kits and watering hole attack. According to our taxonomy, this step lies under the layer of Lateral Movement and under the dimension of Exploitation of Remote Services.
According to the damage information provided in Step 5 , this step lies under the layer of Impact and under the dimension of Damage to Property, Loss of Control, Loss of Safety, Loss of View and Manipulation of Control.
Our application of the taxonomy shows that the attack steps involved in the real world incident differ with respect to their unique characteristics, attack layers, attack dimensions and attack techniques. Our taxonomy, helps to illustrate the attack conduction in a structured way and provide means to analyze the attack deeply using layers and dimensions. Furthermore, it also helps to analyze the attack conduction pattern and provides a holistic view of the incident.

IV. CONCLUSION
The tally of attacks on Industrial-IoT and so the damage to industrial production system and revenue -continues to increase exponentially, provoked by high degree of cross linking and resource constrained nature of IoT devices. Yet, the techniques,complexity, impact of attacks on IIoT remain deficiently illustrated and unsatisfactorily understood. In response to this problem, we developed a multi-layer IIoT attack taxonomy.The taxonomy consist of 11 layers, 94 dimensions and approx.100 IIoT specific attack techniques. Layers represent the attack conduction steps of an incident in a timely fashion, starting from initial access to the impact of an incident. Each layer consist of dimensions which represents the possible types of attacks which fall under the category of that specific layer. With each dimension, we have mentioned possible IIoT attack techniques which could be used to exploit that specific dimension of IIoT.
To exhibit the application and practical usefulness of our developed IIoT attack taxonomy, we applied it to a real world attack use case of German Steel Factory. First, we divided the incident into single attack steps. Then, we mapped those attack steps to our taxonomy layers and further dimensions according to the nature of those steps. In this way, our taxonomy provided a holistic overview of an incident along with the attack conduction sequence, steps, and techniques. Additionally, it provides a foundation for researchers and developers to determine and analyze attacks in a structured manner in order to devise their mitigation measures.