What is ARP Poisoning?
ARP poisoning is an attack in which an adversary sends forged ARP messages onto the network with the goal of manipulating the ARP tables of other devices. As a result, traffic is rerouted via the attacker, who can intercept, alter or block it.
In OT networks, ARP poisoning can lead to manipulation of control traffic between PLCs and SCADA systems without users noticing.
🧠 What does ARP do?
- ARP (Address Resolution Protocol) translates IP addresses into MAC addresses on the local network segment
- Devices store learned IP-to-MAC mappings in a local ARP cache (temporary memory)
- ARP has no authentication: a device updates its cache on any ARP reply it receives, even an unsolicited one, so entries are overwritten automatically
🎯 What is ARP poisoning?
In ARP poisoning, an attacker sends forged ARP replies, such as:
“The IP address of the PLC belongs to my MAC address”
Result: the victim then sends traffic to the attacker instead of the real PLC.
This enables:
- Man-in-the-middle attacks
- Replay attacks
- Loss of integrity or availability of OT systems
⚠️ Examples in an OT context
| Scenario | Effect |
|---|---|
| Attacker hijacks traffic between SCADA and PLC | Faulty control or data manipulation |
| Historian receives data from the attacker | Log files contain manipulated values |
| Operator believes they are controlling the system, but… | …commands are routed via the attacker |
| Rogue laptop on a guest port | Can impersonate an HMI or engineering station |
🔐 Security measures
| Measure | Description |
|---|---|
| Dynamic ARP Inspection (DAI) | Verifies ARP packets against DHCP Snooping data |
| IP Source Guard | Allows only traffic with valid IP/MAC/port combinations |
| Port Security | Limits the number of allowed devices per switch port |
| MAC Binding | Binds known MAC addresses to fixed ports |
| 802.1X | Requires authentication for network access |
| Zero Trust Architecture | Verifies all communication, including within the internal OT network |
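The first four measures in the table are switch features that work together: DHCP snooping builds the IP/MAC/port binding table, DAI and IP Source Guard enforce it, and port security caps the number of MACs per port. The following Cisco IOS-style configuration is an added example written for this page, not a configuration from the original text or from any vendor document; VLAN 10, the interface names, the hostnames and the addresses are placeholders, and command syntax varies by platform and software version, so it must be checked against the documentation of the switch actually in use. It also shows the caveat that matters most in OT: PLCs and HMIs are usually statically addressed, so there is no DHCP snooping binding for them and DAI needs static bindings (an ARP ACL, and `ip source binding` for IP Source Guard) or it will drop their legitimate ARP.

```text
! Added example: Layer 2 hardening of an OT access VLAN (placeholder values).
! VLAN 10; Gi1/0/1 = PLC access port; Gi1/0/24 = uplink to the distribution switch.
!
! 1. DHCP snooping builds the IP/MAC/port binding table that DAI and IP Source Guard consult.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Dynamic ARP Inspection on the OT VLAN: ARP whose sender IP/MAC is not in a binding is dropped.
!    Also validate that Ethernet and ARP-payload MACs agree and that IPs are sane.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. Statically addressed OT devices have no DHCP binding. Declare them in an ARP ACL;
!    the "static" keyword makes the ACL authoritative so the DHCP table is not consulted for them.
arp access-list OT-STATIC
 permit ip host 10.10.1.5 mac host 001c.06aa.bb01
 permit ip host 10.10.1.20 mac host 0050.56cc.dd02
ip arp inspection filter OT-STATIC vlan 10 static
!
! 4. Static IP/MAC/port binding for IP Source Guard on the PLC port.
ip source binding 001c.06aa.bb01 vlan 10 10.10.1.5 interface GigabitEthernet1/0/1
!
! 5. PLC access port: one MAC, learned sticky; violations are dropped and logged.
!    The port stays untrusted, so every ARP frame it sends is inspected.
interface GigabitEthernet1/0/1
 description PLC-01
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip verify source
 no ip arp inspection trust
!
! 6. Uplink: trusted for snooping and DAI, so legitimate ARP from the rest of the network passes.
interface GigabitEthernet1/0/24
 description UPLINK-DIST
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 7. Untrusted ports that exceed the DAI rate limit are err-disabled; let them recover automatically.
errdisable recovery cause arp-inspection
```

A rogue device on an untrusted port that sends an ARP reply claiming the PLC's IP with its own MAC fails the ARP ACL check and is dropped, which is exactly the scenario in the table above; the drops appear in the switch log and are a useful detection signal in their own right.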
🔍 Detecting ARP poisoning
| Method | Explanation |
|---|---|
| ARP cache analysis | Identifying duplicate IP/MAC pairs |
| SIEM rules | Alerting on sudden ARP changes |
| Wireshark or IDS | Detecting unusual ARP traffic (frequency, conflicts) |
| Anomaly detection | Analysing behaviour patterns, such as repeated traffic with new MAC addresses |
🧪 Tools for simulation or detection
- arpwatch — monitoring tool for ARP changes
- ettercap, bettercap — simulation of ARP poisoning (lab environments only)
- arp -a — manual inspection of ARP tables on Windows/Linux
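The detection methods in the table above (ARP cache analysis for duplicate IP/MAC pairs, alerting on sudden ARP changes, and frequency or conflict analysis of ARP traffic) and the manual `arp -a` check from the tools list can all be expressed as a few small checks. The Python below is an added example written for this page, not code from the original text or from arpwatch or any other tool it names. It runs over a constructed list of ARP reply observations (timestamp, sender IP, sender MAC) of the kind a passive sensor or Wireshark capture would yield, and over constructed `arp -a` output in both Windows and Linux formats; all addresses and hostnames are made up.

```python
"""ARP poisoning indicators: IP-to-MAC changes (flapping), reply bursts and
MACs claiming several IPs, run over constructed ARP observations and over
`arp -a` style output. Added example; not code from the original page."""
import re
from collections import defaultdict, deque

# Constructed sample: ARP replies seen by a passive sensor on the OT VLAN as
# (timestamp in seconds, sender IP, sender MAC). Addresses are made up.
SAMPLE_REPLIES = [
    (0.0, "10.10.1.5", "00:1c:06:aa:bb:01"),    # PLC answers a normal request
    (1.0, "10.10.1.20", "00:50:56:cc:dd:02"),   # SCADA server
    (5.0, "10.10.1.5", "00:1c:06:aa:bb:01"),
    (9.0, "10.10.1.5", "08:00:27:de:ad:99"),    # PLC's IP now claimed by another MAC
    (9.1, "10.10.1.20", "08:00:27:de:ad:99"),   # same MAC also claims the SCADA IP
    (9.2, "10.10.1.5", "08:00:27:de:ad:99"),    # replies repeated to keep caches poisoned
    (9.3, "10.10.1.20", "08:00:27:de:ad:99"),
    (9.4, "10.10.1.5", "08:00:27:de:ad:99"),
    (9.5, "10.10.1.20", "08:00:27:de:ad:99"),
    (12.0, "10.10.1.5", "00:1c:06:aa:bb:01"),   # the real PLC answers again: mapping flaps
]

# Constructed `arp -a` output, Windows and Linux formats, showing the same poisoned state.
SAMPLE_ARP_WINDOWS = """\
Interface: 10.10.1.100 --- 0x5
  Internet Address      Physical Address      Type
  10.10.1.5             08-00-27-de-ad-99     dynamic
  10.10.1.20            08-00-27-de-ad-99     dynamic
  10.10.1.254           00-11-22-33-44-55     dynamic
"""
SAMPLE_ARP_LINUX = """\
plc01.ot.local (10.10.1.5) at 08:00:27:de:ad:99 [ether] on eth0
scada.ot.local (10.10.1.20) at 08:00:27:de:ad:99 [ether] on eth0
gw.ot.local (10.10.1.254) at 00:11:22:33:44:55 [ether] on eth0
"""

def detect_mac_changes(replies):
    """Alert (timestamp, ip, old_mac, new_mac) whenever an IP is claimed by a MAC
    other than the one last learned for it. A flap back to the original MAC is
    alerted too; flapping is typical while a victim is being poisoned."""
    learned, alerts = {}, []
    for ts, ip, mac in replies:
        prev = learned.setdefault(ip, mac)
        if prev != mac:
            alerts.append((ts, ip, prev, mac))
            learned[ip] = mac  # track the new claim so repeats do not re-alert
    return alerts

def detect_reply_bursts(replies, window=2.0, threshold=5):
    """Alert once per MAC that sends more than `threshold` ARP replies within any
    `window` seconds (sliding window). Hosts answering real requests rarely do."""
    recent, flagged, alerts = defaultdict(deque), set(), []
    for ts, _ip, mac in replies:
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and mac not in flagged:
            flagged.add(mac)
            alerts.append((ts, mac, len(q)))
    return alerts

def shared_macs(pairs):
    """Return {mac: [ips]} for MACs that claim more than one IP. A router doing
    proxy ARP does this legitimately, so compare against a known-good list."""
    by_mac = defaultdict(set)
    for ip, mac in pairs:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

# An IPv4 address followed by a MAC in aa:bb or aa-bb notation: matches the entry
# lines of both Windows and Linux `arp -a` output; header lines do not match.
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.IGNORECASE)

def parse_arp_table(text):
    """Parse `arp -a` output into (ip, mac), MACs normalised to lower-case colons."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group(1), m.group(2).lower().replace("-", ":")))
    return entries

if __name__ == "__main__":
    for alert in detect_mac_changes(SAMPLE_REPLIES):
        print("MAC change:", alert)
    for alert in detect_reply_bursts(SAMPLE_REPLIES):
        print("Reply burst:", alert)
    print("Shared MACs (traffic):", shared_macs((ip, mac) for _, ip, mac in SAMPLE_REPLIES))
    for name, table in (("windows", SAMPLE_ARP_WINDOWS), ("linux", SAMPLE_ARP_LINUX)):
        print(f"Shared MACs ({name} arp -a):", shared_macs(parse_arp_table(table)))
```

On the sample data the three checks fire independently: the PLC's IP changes MAC at 9.0 s and flaps back at 12.0 s, the rogue MAC exceeds five replies within two seconds, and the same MAC appears against two IPs both in the captured traffic and in the `arp -a` snapshot. In practice the baseline of known IP/MAC pairs (the `learned` dictionary) should be seeded from an asset inventory rather than from the first reply seen, otherwise a poisoner that is active before the sensor starts would be learned as legitimate.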
📌 In summary
ARP poisoning is a stealthy attack that can manipulate communication between OT devices without users noticing. Prevention requires Layer 2 security such as DAI, Port Security and network segmentation.
