What is a Man-in-the-Middle (MitM) attack?
A Man-in-the-Middle (MitM) attack is one in which an attacker invisibly inserts themselves between two communicating parties, with the aim of eavesdropping on, manipulating or redirecting traffic without the parties noticing.
In OT environments, this is a critical risk in communication between PLCs, HMIs, SCADA and field devices — especially when using outdated or unsecured protocols such as Modbus, DNP3 or OPC Classic.
🧠 How does a MitM attack work?
- The attacker intercepts network traffic between two legitimate parties
- They can passively eavesdrop or actively modify the traffic (e.g. changing values)
- Both parties believe they are communicating directly with one another
- Without detection mechanisms, the attack often remains unnoticed
🎯 Examples of MitM in an OT context
| Scenario | Consequence |
|---|---|
| Falsifying measurement values between sensor and PLC | Incorrect process control (e.g. pump continues to run) |
| Modifying commands within Modbus-TCP traffic | Opening/closing valves based on falsified data |
| SSL strip between HMI and web interface | Theft of passwords or session data |
| Injection of false alarm messages into SCADA | The operator is misled or distracted from real incidents |
🛡️ Detection and defence measures
| Measure | Explanation |
|---|---|
| Encryption (TLS, VPN, IPsec) | Secure communication between OT components |
| Authentication and Code Signing | Ensure messages come from legitimate sources |
| Deep Packet Inspection (DPI) | Recognise tampering or anomalous protocol traffic |
| Anomaly detection / IDS | Detect suspicious behaviour such as repeated ARP requests |
| Network segmentation | Limit access to critical parts of the network |
| Zero Trust Architecture | Continuously verify every connection and authentication |
| MAC Binding / Port Security | Prevent spoofing at switch level |
Outdated protocols such as Modbus and DNP3 have no built-in security. Additional network protection is therefore essential.
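One way to implement the ARP-based anomaly check listed in the table above, as an added example that is not part of the original page: a small Python monitor that reads ARP-reply observations from a span port and raises an alert when a critical device IP appears with a MAC other than its expected one, when one MAC claims several IPs (typical of an attacker poisoning both ends of a conversation), or when a single MAC sends a burst of replies. The log line format, the device addresses, the expected-binding table and the thresholds are all assumptions constructed for the example.

```python
"""ARP-consistency monitor for an OT segment (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed ARP observations (assumption: one line per ARP reply seen on a span port).
# Lines at ts=130/131 show a third MAC claiming both the PLC and HMI addresses.
SAMPLE_ARP_LOG = """\
ts=100 op=reply sender_ip=10.0.1.10 sender_mac=00:11:22:aa:bb:01 target_ip=10.0.1.20
ts=101 op=reply sender_ip=10.0.1.20 sender_mac=00:11:22:aa:bb:02 target_ip=10.0.1.10
ts=130 op=reply sender_ip=10.0.1.10 sender_mac=de:ad:be:ef:00:99 target_ip=10.0.1.20
ts=130 op=reply sender_ip=10.0.1.20 sender_mac=de:ad:be:ef:00:99 target_ip=10.0.1.10
ts=131 op=reply sender_ip=10.0.1.10 sender_mac=de:ad:be:ef:00:99 target_ip=10.0.1.20
ts=131 op=reply sender_ip=10.0.1.20 sender_mac=de:ad:be:ef:00:99 target_ip=10.0.1.10
"""

# Assumed operator-maintained table of expected IP -> MAC bindings for critical devices.
EXPECTED_BINDINGS = {
    "10.0.1.10": "00:11:22:aa:bb:01",  # PLC
    "10.0.1.20": "00:11:22:aa:bb:02",  # HMI
}

LINE_RE = re.compile(
    r"ts=(?P<ts>\d+) op=(?P<op>\w+) sender_ip=(?P<ip>[\d.]+) "
    r"sender_mac=(?P<mac>[0-9a-fA-F:]+) target_ip=(?P<target>[\d.]+)"
)


def parse_arp_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = int(rec["ts"])
        rec["mac"] = rec["mac"].lower()
        records.append(rec)
    return records


def detect_arp_mitm(records, expected, max_ips_per_mac=1, max_replies=3, window=5):
    """Return a list of alert tuples; each alert type fires once per offending MAC/IP pair."""
    alerts = []
    mismatches_seen = set()
    ips_by_mac = defaultdict(set)
    reply_times = defaultdict(list)

    for r in records:
        if r["op"] != "reply":
            continue
        # Rule 1: a critical IP answered from a MAC that is not its known binding.
        expected_mac = expected.get(r["ip"])
        if expected_mac and r["mac"] != expected_mac.lower():
            key = (r["ip"], r["mac"])
            if key not in mismatches_seen:
                mismatches_seen.add(key)
                alerts.append(("binding_mismatch", r["ts"], r["ip"], r["mac"]))
        ips_by_mac[r["mac"]].add(r["ip"])
        reply_times[r["mac"]].append(r["ts"])

    # Rule 2: one MAC claiming more than the allowed number of IPs.
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac_claims_multiple_ips", mac, tuple(sorted(ips))))

    # Rule 3: reply burst, i.e. more than max_replies from one MAC inside `window` seconds.
    for mac, times in reply_times.items():
        times.sort()
        for ts in times:
            if sum(1 for t in times if ts - window <= t <= ts) > max_replies:
                alerts.append(("arp_reply_burst", mac, ts))
                break

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_mitm(parse_arp_log(SAMPLE_ARP_LOG), EXPECTED_BINDINGS):
        print(alert)
```

On the constructed log this yields two `binding_mismatch` alerts (the PLC and HMI addresses both answered from the unknown MAC), one `mac_claims_multiple_ips` alert for that MAC, and one `arp_reply_burst` alert; the two legitimate devices produce nothing. In practice the expected-binding table would be fed from the asset inventory and the alerts forwarded to the IDS or SIEM, and the same result can be enforced rather than merely detected with the MAC binding / port security measure in the table.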
🔁 Related risks
| Attack type | Relationship to MitM |
|---|---|
| Spoofing | Used to impersonate a legitimate device |
| Replay Attack | Old messages are replayed to repeat actions |
| Session Hijacking | Taking over sessions using stolen tokens or credentials |
| ARP poisoning | Technique used to redirect traffic via the attacker |
📌 In summary
A Man-in-the-Middle attack represents a fundamental risk in unsecured OT networks. By intercepting or manipulating traffic, an attacker can disrupt processes or spy on them invisibly.
