What is Spoofing?
Spoofing is a collective term for attacks in which an attacker poses as a trusted device, user, or service. The aim is to deceive the target in order to gain access to systems, information, or process control.
In OT networks, spoofing can lead to data falsification, unauthorised control of equipment, or undermining of network security.
🧠 Common types of spoofing in OT
| Type of spoofing | Description |
|---|---|
| MAC spoofing | Attacker copies the MAC address of an existing device (e.g. PLC) |
| IP spoofing | Attacker uses the same IP address as a legitimate system |
| ARP spoofing | Misleads other devices about which MAC corresponds to which IP → Man-In-The-Middle |
| DNS spoofing | A wrong DNS response routes traffic to malicious systems |
| Protocol spoofing | Emulating industrial protocols such as Modbus or OPC to send false signals |
🎯 Spoofing in the OT context
| Scenario | Consequence |
|---|---|
| MAC spoofing of a SCADA server | Network traffic is rerouted or sabotaged |
| IP spoofing of an HMI | Operators receive false visualisations or controls |
| ARP spoofing between PLC and Historian | Man-in-the-middle attack on production data |
| Fake Modbus traffic | Unauthorised control of actuators or sensors |
🛡️ Protective measures
| Measure | Description |
|---|---|
| MAC Binding | Bind known MAC addresses to fixed ports |
| Port Security | Limit the number of allowed devices per switch port |
| 802.1X | Requires authentication before network access |
| DHCP Snooping | Verifies which IPs were obtained by which MAC address |
| IP Source Guard | Blocks IP packets without a valid DHCP binding |
| Anomaly detection | Recognises spoofing attempts via behaviour patterns or duplicate addresses |
| Zero Trust Architecture | Trust nothing, verify everything — even within the internal network |
🔍 Detection of spoofing
- ARP inspection: Detect duplicate IP/MAC bindings
- IDS/IPS such as Suricata or Zeek can flag active spoofing attempts
- Network monitoring tools can visualise anomalies in traffic patterns
- SIEM collects and correlates spoofing-related logs from switches/firewalls
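The first two points above (ARP inspection for duplicate IP/MAC bindings, and anomaly detection based on address behaviour, as listed under the protective measures) can be illustrated with a small passive ARP monitor. The following Python is an added example written for this page, not code from the original text or from any of the tools it names. It assumes a hypothetical sensor log format (`<time> <op> sender_ip=<ip> sender_mac=<mac>`), a constructed sample log, and a constructed table of known static bindings of the kind that DHCP snooping or manual MAC binding would maintain.

```python
"""Passive ARP inspection: flag IP/MAC binding conflicts from ARP observations."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of ARP observations in a hypothetical sensor log format:
# "<time> <op> sender_ip=<ip> sender_mac=<mac>"
# The de:ad:be:ef:00:01 station starts answering for addresses it does not own.
SAMPLE_ARP_LOG = """\
10:00:01 reply sender_ip=10.0.10.1 sender_mac=00:11:22:33:44:01
10:00:02 reply sender_ip=10.0.10.20 sender_mac=00:11:22:33:44:20
10:00:03 request sender_ip=10.0.10.50 sender_mac=00:11:22:33:44:50
10:00:09 reply sender_ip=10.0.10.1 sender_mac=de:ad:be:ef:00:01
10:00:10 reply sender_ip=10.0.10.20 sender_mac=de:ad:be:ef:00:01
10:00:11 reply sender_ip=10.0.10.50 sender_mac=00:11:22:33:44:50
10:00:12 reply sender_ip=10.0.10.50 sender_mac=de:ad:be:ef:00:01
"""

# Constructed static bindings for critical OT assets (what a MAC binding table or
# DHCP snooping database would provide). Unlisted IPs are learned on first sight.
KNOWN_BINDINGS = {
    "10.0.10.1": "00:11:22:33:44:01",   # gateway
    "10.0.10.20": "00:11:22:33:44:20",  # PLC
}


@dataclass(frozen=True)
class Alert:
    time: str
    kind: str          # "binding-mismatch" (contradicts static table) or "duplicate-ip"
    ip: str
    seen_mac: str
    expected_mac: str


def parse_line(line):
    """Split one sensor log line into (time, op, sender_ip, sender_mac)."""
    fields = line.split()
    time, op = fields[0], fields[1]
    kv = dict(f.split("=", 1) for f in fields[2:])
    return time, op, kv["sender_ip"], kv["sender_mac"].lower()


def inspect_arp(log_text, known=KNOWN_BINDINGS):
    """Return alerts for every ARP observation whose IP->MAC binding conflicts
    with the static table or with the binding learned earlier in the log."""
    learned = {}   # first-seen binding for IPs not in the static table
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, _op, ip, mac = parse_line(line)
        expected = known.get(ip)
        if expected is not None:
            if mac != expected.lower():
                alerts.append(Alert(time, "binding-mismatch", ip, mac, expected))
            continue
        prev = learned.setdefault(ip, mac)   # keep the first binding as the reference
        if prev != mac:
            alerts.append(Alert(time, "duplicate-ip", ip, mac, prev))
    return alerts


def macs_claiming_multiple_ips(log_text):
    """Behavioural signal: MACs that answered for more than one IP address.
    Returns {mac: sorted list of IPs} for such MACs only."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, _op, ip, mac = parse_line(line)
        seen[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for a in inspect_arp(SAMPLE_ARP_LOG):
        print(f"{a.time} {a.kind}: {a.ip} seen from {a.seen_mac}, expected {a.expected_mac}")
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(SAMPLE_ARP_LOG))
```

The static table gives a hard verdict for the assets that matter most (gateway, PLC), while the learned bindings only catch a change after the fact, so a spoofer that is present before the monitor starts would become the "expected" entry; seed the table from an asset inventory rather than from live traffic. The multiple-IP heuristic is a signal to correlate in the SIEM, not a verdict on its own, since routers doing proxy ARP legitimately answer for many addresses.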
📌 In summary
Spoofing is a fundamental threat in OT networks, since their operation relies on trusting the identity a device claims. By blocking spoofing with network-level controls and detecting it through behavioural monitoring, you prevent systems from being misled or hijacked.
