What is a Replay Attack?
A replay attack is an attack in which an attacker intercepts legitimate communications and resends (replays) them later to perform unwanted actions. The message looks valid, because it comes from a trusted device, but it is replayed outside its original context.
In OT networks, replay attacks can lead to unintended machine control, deception of SCADA interfaces or the overwriting of process data in Historian systems.
Example in an OT context
| Scenario | Consequence of the replay |
|---|---|
| The attacker replays a previous "open valve" command | The valve opens again, outside the intended moment |
| Manipulated sensor values are resent | SCADA shows incorrect readings |
| Management command sequences from a PLC are replayed | The production process is unintentionally affected |
| An authenticated login is replayed | System access without a valid session |
Why does this work?
- Many OT protocols (such as Modbus, DNP3, S7 Comm) have no session security or time stamps
- Data is often not encrypted and not signed
- Devices cannot tell the difference between an original and a replayed message
- Legacy systems were designed for availability, not authenticity
Protection against replay attacks
| Measure | Explanation |
|---|---|
| Message Authentication Codes (MACs) | Confirm that messages are genuine and unaltered |
| Time stamps + nonce | Prevent the reuse of old messages |
| Secure protocols such as TLS and OPC UA | Session-level protection with encryption and integrity checks |
| Code Signing for firmware | Prevents replay of manipulated updates or configurations |
| Anomaly detection | Recognises patterns of repeated or unusual communication |
| Zero Trust Architecture | Don't trust messages purely based on origin; evaluate content and behaviour |
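The first two rows of the table (a MAC, plus a time stamp and nonce) are usually combined into one receiver-side check. The following Python is an added illustration written for this page, not code from the original article or from any OT product: the sender binds command, nonce and time stamp together under an HMAC-SHA256 tag, and the receiver rejects a message whose tag does not verify, whose time stamp falls outside a short freshness window, or whose nonce was already accepted inside that window. The shared key, the five-second window and the `open valve` command are constructed values for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only; real deployments provision
# per-device keys through a key-management process, never a hard-coded string.
SHARED_KEY = b"example-shared-key-not-for-production"

# Freshness window (assumed value): a message older, or further in the future,
# than this is rejected on its time stamp alone.
MAX_AGE_SECONDS = 5.0


def canonical_bytes(body: dict) -> bytes:
    """Serialise the unsigned fields deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(command: str, nonce: str, timestamp: float, key: bytes = SHARED_KEY) -> dict:
    """Sender side: bind command, nonce and time stamp together under one HMAC-SHA256 tag."""
    body = {"command": command, "nonce": nonce, "ts": timestamp}
    return {**body, "mac": hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()}


class ReplayGuard:
    """Receiver side: accepts a message only if the MAC verifies, the time stamp is
    inside the freshness window and the nonce has not been seen within that window."""

    def __init__(self, key: bytes = SHARED_KEY, max_age: float = MAX_AGE_SECONDS, clock=time.time):
        self.key = key
        self.max_age = max_age
        self.clock = clock   # injectable so the checks can be exercised deterministically
        self.seen = {}       # nonce -> time at which it was accepted

    def _prune(self, now: float) -> None:
        # Nonces older than the window can be forgotten: the time-stamp check rejects them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}

    def verify(self, message: dict) -> tuple:
        """Return (accepted, reason); only accepted messages should be forwarded to the actuator."""
        body = {k: v for k, v in message.items() if k != "mac"}
        expected = hmac.new(self.key, canonical_bytes(body), hashlib.sha256).hexdigest()
        # 1. Authenticity and integrity first, compared in constant time: a tampered or
        #    forged message fails here before any other field is trusted.
        if not hmac.compare_digest(expected, str(message.get("mac", ""))):
            return False, "bad MAC"
        now = self.clock()
        # 2. Freshness: a captured message replayed minutes later is stale.
        if abs(now - body["ts"]) > self.max_age:
            return False, "stale timestamp"
        # 3. Uniqueness: a capture replayed inside the window still reuses its nonce.
        self._prune(now)
        if body["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[body["nonce"]] = now
        return True, "ok"


def demo() -> list:
    """Walk through a legitimate command, its immediate replay, a stale replay and a tampered copy."""
    def fixed_clock() -> float:
        return 1_000_000.0                      # frozen clock so the outcome is reproducible
    guard = ReplayGuard(clock=fixed_clock)
    original = build_message("open valve", "n-0001", 1_000_000.0)
    stale = build_message("open valve", "n-0002", 1_000_000.0 - 60)   # captured a minute ago
    tampered = dict(original, command="close valve")                    # MAC no longer matches
    return [
        guard.verify(original),   # (True, "ok")
        guard.verify(original),   # (False, "replayed nonce")
        guard.verify(stale),      # (False, "stale timestamp")
        guard.verify(tampered),   # (False, "bad MAC")
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the checks matters: the MAC is verified before the time stamp or nonce is read, so an attacker cannot influence the receiver's state with unauthenticated fields, and the nonce cache only needs to cover the freshness window because anything older is already rejected as stale. Devices without a reliable clock can drop the time-stamp check and rely on a receiver-issued nonce (a challenge) instead, at the cost of one extra round trip.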
Specific OT measures
- Use OPC UA instead of OPC Classic; it supports authentication and session management
- Implement IEC 62443-3-3 measures such as SL3 for cryptographic integrity
- Log all commands, including time stamp, in the Historian or SIEM
- Detect repeated messages with identical content and no intervening events
Detecting a replay attack
| Signal | Detection method |
|---|---|
| Repeated command without cause | Anomaly detection, IDS, behaviour scripts |
| Falsified sensor values | Illogical trends or duplicate values in the Historian |
| Exact copies of old packets | Identifiable with Wireshark, including time comparison |
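The measure "Detect repeated messages with identical content and no intervening events" and the signals "Repeated command without cause" and "Exact copies of old packets" in the table above can be checked with a short script over a command log. The Python below is an added example for this page, not code from the original article or from any IDS or Historian product. The log layout (`src`, `dst`, `tid`, `fc`, `addr`, `val`) and the sample lines are constructed for the example; `tid` stands in for the Modbus/TCP transaction identifier, and the function codes 5, 6, 15 and 16 are the standard Modbus write functions.

```python
import re
from datetime import datetime

# Constructed command log for the example; the field layout is an assumption of this
# script, not the export format of any particular product. "tid" is the Modbus/TCP
# transaction identifier, "fc" the function code.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 tid=41 fc=5 addr=12 val=ON
2024-05-01T10:00:04 src=10.0.0.5 dst=10.0.0.20 tid=42 fc=3 addr=40 val=-
2024-05-01T10:00:09 src=10.0.0.5 dst=10.0.0.20 tid=43 fc=5 addr=12 val=OFF
2024-05-01T10:02:30 src=10.0.0.5 dst=10.0.0.20 tid=41 fc=5 addr=12 val=ON
2024-05-01T10:02:31 src=10.0.0.5 dst=10.0.0.20 tid=41 fc=5 addr=12 val=ON
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) tid=(?P<tid>\d+) "
    r"fc=(?P<fc>\d+) addr=(?P<addr>\d+) val=(?P<val>\S+)$"
)

# Modbus function codes that change state: 5/6 write a single coil/register, 15/16 write
# multiple. A repeated read (e.g. fc=3) is ordinary polling, not a replay signal.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


def parse_log(text: str) -> list:
    """Turn the text log into event dicts; lines that do not match the layout are skipped."""
    events = []
    for number, line in enumerate(text.strip().splitlines(), start=1):
        match = LINE_RE.match(line)
        if match is None:
            continue
        f = match.groupdict()
        events.append({
            "line": number,
            "ts": datetime.fromisoformat(f["ts"]),
            "src": f["src"], "dst": f["dst"],
            "tid": int(f["tid"]), "fc": int(f["fc"]), "addr": int(f["addr"]),
            "val": f["val"],
        })
    return events


def detect_replays(events: list) -> list:
    """Return alert tuples (line, kind, reference_line, seconds_since_reference).

    kind == "exact-copy": the packet, transaction id included, duplicates an earlier one.
        A well-behaved client issues a fresh transaction id per request, so an exact
        copy of an old packet is the strongest of the two indicators.
    kind == "repeat-no-intervening": a write repeats the source's immediately preceding
        write to the same address with the same value, with nothing else from that
        source in between (the "repeated command without cause" signal).
    """
    alerts = []
    first_seen = {}   # exact packet tuple -> first event carrying it
    last_from = {}    # (src, dst) -> most recent event on that conversation
    for ev in events:
        packet = (ev["src"], ev["dst"], ev["tid"], ev["fc"], ev["addr"], ev["val"])
        if packet in first_seen:
            ref = first_seen[packet]
            gap = (ev["ts"] - ref["ts"]).total_seconds()   # time comparison against the original
            alerts.append((ev["line"], "exact-copy", ref["line"], gap))
        else:
            first_seen[packet] = ev
        prev = last_from.get((ev["src"], ev["dst"]))
        if (prev is not None and ev["fc"] in WRITE_FUNCTION_CODES
                and (prev["fc"], prev["addr"], prev["val"]) == (ev["fc"], ev["addr"], ev["val"])):
            gap = (ev["ts"] - prev["ts"]).total_seconds()
            alerts.append((ev["line"], "repeat-no-intervening", prev["line"], gap))
        last_from[(ev["src"], ev["dst"])] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_replays(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log, line 4 is flagged as an exact copy of line 1 (same transaction id and payload, 150 seconds later) even though a different write sits between them, while line 5 is flagged both as an exact copy and as a repeat with no intervening event from that source. In production the same logic runs over the Historian or SIEM command log the page recommends keeping; the first-seen table should be bounded to a retention window so that it does not grow without limit.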
In summary
Replay attacks abuse the lack of time context and verification in OT communication. Securing messages alone is not enough; you need to verify content, sessions and origin.
