What is Session Hijacking?
Session Hijacking is an attack technique in which an attacker takes over the control of an active user or device session. The attacker impersonates the victim, often without the victim noticing.
In OT networks, session hijacking can lead to unauthorised control of systems, modification of parameters, or manipulation of SCADA visualisations.
🧠 How does Session Hijacking work?
- A legitimate session is established (e.g. via HMI, remote access, or engineering tool)
- The attacker intercepts or guesses the session ID, tokens, or connection attributes
- Traffic control or command takeover follows (for example via Man-In-The-Middle)
- The attacker can then act as the original user without needing to re-authenticate
🎯 Examples in the OT context
| Scenario | Consequence |
|---|---|
| Web-based HMI via browser | Attacker takes over the session ID and sends commands |
| Remote desktop or VPN connection | The established connection is taken over by the attacker |
| Active engineering-tool session (e.g. TIA Portal) | Attacker pushes projects or code without permission |
| Historian or visualisation portal | Incorrect data is viewed or modified via the hijacked session |
🔓 Why is it possible?
- Use of unencrypted protocols such as HTTP, VNC, Telnet
- Sessions without expiry or active monitoring
- Lack of multi-factor authentication (MFA)
- Static or predictable session IDs
- Behaviour during a session is not monitored (e.g. a change of source IP goes unnoticed and no re-authentication is demanded)
🔐 Protective measures
| Measure | Description |
|---|---|
| TLS encryption | Session tokens are not readable to eavesdroppers |
| MFA on HMIs/web portals | Renders session takeover useless without additional verification |
| IP binding or user fingerprinting | Tying the session ID to a source IP or device characteristics |
| Session timeout | Automatically terminating inactive sessions |
| Zero Trust Architecture | Continuously verify behaviour and access, not just at login |
| SIEM or anomaly detection | Recognise unusual behaviour during an active session |
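The table above lists the server-side controls separately; the following Python session store, added here as an illustration and not taken from any HMI product, shows how several of them combine in one validation path: unpredictable session IDs, binding the session to a source-IP/user-agent fingerprint, an idle timeout plus an absolute lifetime, an MFA gate, and ID rotation after authentication. The class, its names and the timeout values are assumptions chosen for the example; the clock is injectable so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; tune to the plant's risk appetite.
IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before the session is dropped
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap on session age regardless of activity


def fingerprint(source_ip: str, user_agent: str) -> str:
    """Hash of the client characteristics the session is bound to (IP binding / fingerprinting)."""
    return hashlib.sha256(f"{source_ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float
    last_seen: float
    mfa_verified: bool = False


class SessionStore:
    """Hypothetical in-memory session store for a web-based HMI (example code)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable for testing expiry without sleeping
        self.sessions = {}

    def create(self, user, source_ip, user_agent, mfa_verified=False):
        # 256-bit CSPRNG token: not static, not predictable, not guessable.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = Session(user, fingerprint(source_ip, user_agent), now, now, mfa_verified)
        return sid

    def rotate(self, sid):
        """Issue a fresh ID for an existing session (after login / MFA completion)."""
        s = self.sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = s
        return new_sid

    def validate(self, sid, source_ip, user_agent):
        """Return (ok, reason). Any binding or expiry failure destroys the session (fail closed)."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "unknown session id"
        now = self.clock()
        if now - s.created > ABSOLUTE_LIFETIME:
            self.sessions.pop(sid)
            return False, "absolute lifetime exceeded"
        if now - s.last_seen > IDLE_TIMEOUT:
            self.sessions.pop(sid)
            return False, "idle timeout"
        # A replayed token from another host or client fails the binding check.
        if not hmac.compare_digest(s.fingerprint, fingerprint(source_ip, user_agent)):
            self.sessions.pop(sid)
            return False, "client fingerprint mismatch"
        if not s.mfa_verified:
            return False, "mfa required"  # session kept so the user can complete MFA
        s.last_seen = now
        return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("operator1", "10.10.1.20", "HMI-Browser/1.0", mfa_verified=True)
    print(store.validate(sid, "10.10.1.20", "HMI-Browser/1.0"))   # legitimate client
    print(store.validate(sid, "10.10.9.77", "HMI-Browser/1.0"))   # same token, other host
```

Binding to the source IP is only as good as the network path: behind NAT or a VPN concentrator many operators share one address, so the user-agent component and the timeouts carry more weight there, and TLS remains the control that stops the token from being read in the first place.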
🔧 Monitoring and detection
| Detection method | Description |
|---|---|
| SIEM log analysis | Multiple sessions from different IPs with the same account |
| Session replay patterns | Repeated commands or suspicious timestamps |
| Sudden privilege escalation | A user unexpectedly gains more privileges during a session |
| IDS detects session takeover attempts | For example, via cookie or header manipulation |
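The detection rows above can be expressed as simple correlation rules over HMI access logs. The Python below is an added example, not code from the original page or from any SIEM product; it parses a constructed log excerpt (the format, users, session IDs and addresses are all made up for the example) and implements three of the checks: one session ID appearing from more than one source IP, one account active from different IPs inside a short window, and a role change inside a session without a new login.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample HMI access log for this example (not from a real system).
# Fields: timestamp user session_id source_ip role action
SAMPLE_LOG = """\
2024-05-01T08:00:01 operator1 s-4f2a 10.10.1.20 operator login
2024-05-01T08:00:40 operator1 s-4f2a 10.10.1.20 operator view_overview
2024-05-01T08:04:50 operator1 s-9e11 10.10.9.77 operator login
2024-05-01T08:05:12 operator1 s-4f2a 10.10.9.77 operator write_setpoint
2024-05-01T08:05:30 operator1 s-4f2a 10.10.9.77 engineer download_project
2024-05-01T08:10:00 operator2 s-b71c 10.10.1.21 operator login
2024-05-01T08:11:00 operator2 s-b71c 10.10.1.21 operator view_overview
"""

CONCURRENT_WINDOW = timedelta(minutes=10)  # assumed window for "simultaneous" use


def parse(log_text):
    """Turn the whitespace-separated log into chronologically ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, role, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "sid": sid, "ip": ip, "role": role, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def detect_session_ip_change(events):
    """Session ID used from more than one source IP: the token is being replayed from another host."""
    ips_per_session = defaultdict(set)
    for e in events:
        ips_per_session[e["sid"]].add(e["ip"])
    return {sid: sorted(ips) for sid, ips in ips_per_session.items() if len(ips) > 1}


def detect_concurrent_account_use(events, window=CONCURRENT_WINDOW):
    """Same account seen from different IPs within the window (the SIEM rule in the table)."""
    recent = defaultdict(list)  # user -> [(timestamp, ip)]
    alerts = set()
    for e in events:
        for ts, ip in recent[e["user"]]:
            if ip != e["ip"] and e["ts"] - ts <= window:
                alerts.add((e["user"], *sorted((ip, e["ip"]))))
        recent[e["user"]].append((e["ts"], e["ip"]))
    return sorted(alerts)


def detect_privilege_change(events):
    """Role changes mid-session with no new login: sudden privilege escalation."""
    role_at_login = {}
    alerts = []
    for e in events:
        if e["action"] == "login":
            role_at_login[e["sid"]] = e["role"]
            continue
        previous = role_at_login.get(e["sid"])
        if previous is not None and e["role"] != previous:
            alerts.append((e["sid"], previous, e["role"]))
            role_at_login[e["sid"]] = e["role"]  # report each step once
    return alerts


def run_all(log_text):
    events = parse(log_text)
    return {
        "session_ip_change": detect_session_ip_change(events),
        "concurrent_account_use": detect_concurrent_account_use(events),
        "privilege_change": detect_privilege_change(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Each rule is deliberately stateless over a batch so it can be re-run over historical logs during an investigation; in a live SIEM the same logic runs on a sliding window. The window size and the "IP change means hijack" assumption both need tuning for sites where operators legitimately roam between stations or sit behind a shared NAT address.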
📌 In summary
Session Hijacking is a silent but impactful attack that allows a malicious actor to gain full control over an existing system — without brute force or new logins.
Especially in OT, where long-running sessions are often left unattended, protection through encryption, authentication, and behavioural evaluation is crucial.
