Reconnaissance in the Cyber Kill Chain: The First Step to Attacking ICS

Disclaimer: This article reflects my personal views and is not related to my employer in any way.

Introduction

The Cyber Kill Chain is a model that breaks down cyberattacks into distinct stages, showing how attackers move from initial reconnaissance to full system compromise. It was originally developed for military use and later applied to IT networks. I will apply this model to ICS/OT environments to help understand how industrial attacks unfold.

The goal of this series is to analyze each stage of an attack, explaining how threats progress step by step. By knowing what happens at each stage, you can detect attacks earlier and build stronger defenses.

You begin with Reconnaissance, the first phase, where attackers gather intelligence about the target. They study the network, identify key systems, and find ways to gain access. If reconnaissance goes undetected, attackers can move forward with more advanced steps, increasing the risk to operations. Gathering information takes 80% of attack time, so it is an important part of the attack.

Understanding the full attack chain is critical for OT security. By following the Cyber Kill Chain in ICS, you can anticipate threats, disrupt attacks early, and protect industrial environments from real-world cyber risks.

And of course, stages can repeat during an attack: when you gain new access to systems, you can run through them again.



1. Methods of Reconnaissance

HOW does this happen?

Attackers start by gathering information about their target before launching an attack. In OT environments, reconnaissance is critical because industrial systems often have legacy devices, weak security controls, and predictable architectures. This section covers how attackers collect intelligence, both online and offline, without alerting defenders.

[>] Passive vs Active

Reconnaissance can be either passive or active, depending on whether the attacker interacts with the target system.

  • passive reconnaissance : the attacker collects information without directly engaging with the target. This includes analyzing public data, searching online forums or monitoring network traffic without sending requests
  • active reconnaissance : the attacker interacts with the target system to gather data. This includes scanning networks, probing devices or using social engineering techniques like phishing emails


[>] Open-Source Intelligence - OSINT

Many details about OT environments can be found in public sources. Attackers use OSINT techniques to collect information without touching the target network.

  • company websites : details about infrastructure, vendors, and technologies in use
  • job postings : job descriptions may reveal security tools, network architecture or PLC models
  • social media & forums : engineers discussing troubleshooting issues might unknowingly expose sensitive details about industrial control systems
  • public documents : PDFs, manuals, and reports often contain metadata with usernames, email addresses or software versions


[>] Network Scanning & Footprinting

If attackers move to active reconnaissance, they start scanning the network to identify devices and services.

  • port scanning : tools like Nmap and Masscan help find open ports on OT devices, revealing exposed services
  • banner grabbing : attackers send simple queries to devices to extract version numbers and identify vulnerabilities
  • protocol-specific queries : many OT protocols (Modbus, DNP3, BACnet) do not have authentication, allowing attackers to request system details


[>] Physical Reconnaissance

Not all reconnaissance happens online. Attackers may gather intelligence by visiting facilities, tricking employees or searching for discarded information.

  • site visits : walking around an industrial site can reveal entry points, security cameras, or exposed network ports
  • dumpster diving : old network diagrams, login credentials, or system manuals can be found in the trash
  • social engineering : attackers may pose as technicians, delivery personnel or employees to gain access to sensitive areas or extract information




2. Tools & Techniques

WHAT tools are used

This section covers the tools attackers use during reconnaissance in OT environments. These tools help collect information from public sources, scan networks, extract metadata, and manipulate human behavior through social engineering. Understanding these tools allows defenders to recognize reconnaissance activities and take preventive measures.

[>] OSINT Tools

Attackers use open-source intelligence (OSINT) tools to find publicly available data without interacting with the target network.

  • shodan & censys : search engines that scan the internet for exposed devices, including industrial control systems like PLC & HMI
  • google dorking : using advanced Google search queries to find sensitive information like login pages, configuration files, and internal documents
  • whois & dns tool : services that provide domain registration details and subdomains, helping attackers map an organization’s infrastructure
  • metadata extraction: tools like Exiftool analyze hidden data in files, such as usernames, software versions & document history


[>] Network Scanning Tools

Once attackers start interacting with the target network, they use scanning tools to identify active devices, open ports, and exposed services.

  • nmap : the most widely used network scanning tool, used to map devices, open ports, and running services
  • masscan : a high-speed port scanner capable of scanning entire networks in seconds
  • zmap : another fast scanner used for large-scale internet-wide scanning
  • banner grabbing tools : attackers use simple scripts or tools such as nc and telnet to manually extract device information


[>] Metadata Extraction

Many industrial organizations unknowingly expose sensitive data through document metadata. Attackers use specialized tools to extract this information.

  • foca : scans public documents (PDFs, Word, Excel) for hidden metadata such as usernames, internal email addresses, and software versions
  • exiftool : extracts metadata from images and documents, revealing details about software and hardware configurations
  • strings command : finds hidden text inside files, useful for extracting credentials from misconfigured applications


[>] Social Engineering Techniques

Attackers often exploit human behavior to gather intelligence. Social engineering techniques trick employees into revealing information or taking actions that compromise security.

  • phishing emails : fake emails designed to steal credentials or install malware
  • pretexting : attackers pretend to be IT support, vendors, or managers to extract sensitive details
  • phone calls : callers impersonate employees or suppliers to gain trust and request access credentials
  • baiting : leaving infected USB drives near an industrial site, hoping someone plugs them into a company computer



3. Reconnaissance in OT Networks

HOW is it different in OT?

Reconnaissance in OT environments is different from traditional IT reconnaissance. Industrial networks use specialized protocols, legacy devices, and segmented architectures that impact how attackers gather information. This section explains the unique challenges of OT reconnaissance, the types of data attackers look for, and how they exploit OT-specific protocols.

[>] Challenges of OT Reconnaissance

Unlike IT networks, OT environments have several factors that change how reconnaissance is performed:

  • limited direct access : many OT networks are air-gapped or segmented, making direct scanning more difficult
  • legacy devices : older PLCs, RTUs, and SCADA systems often lack modern security features, making them easier to identify
  • unencrypted traffic : many OT protocols transmit data in plain text, allowing attackers to capture valuable information
  • operational sensitivity : scanning OT networks can cause disruptions, making stealth more critical for attackers


[>] Identifying Assets in OT Networks

Attackers need to map out the industrial network and identify key assets before launching an attack. They do this by:

  • capturing network traffic : passive monitoring helps identify IP addresses, device types, and communication patterns
  • analyzing known ip ranges : many industrial systems use predictable IP addresses, such as 192.168.x.x or 10.x.x.x
  • discovering scada & hmi systems : web-based HMIs or exposed remote access points are common entry points
  • identifying engineering workstations : these devices have software for programming PLCs and are often the most valuable target


[>] OT Protocols That Reveal Information

Many industrial protocols were designed without security in mind, making reconnaissance easier for attackers. Some commonly exploited OT protocols include:

  • modbus : allows reading registers and identifying device details without authentication
  • dnp3 : often used in energy and water systems; attackers can learn network topology through response messages
  • s7 protocol : can reveal PLC models, firmware versions, and running processes
  • bacnet : used in building automation; can expose device lists and system settings
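Because Modbus answers identity queries without authentication, a passive monitor can at least recognise them: a Read Device Identification (function 43, MEI type 14) or Report Server ID (function 17) request from a host that is not the site's inventory tool is a reconnaissance indicator. The parser below is an added example for this article, not the author's code; the frames and the allowlisted address are constructed.

```python
"""Classify Modbus/TCP requests seen by a passive monitor so that
device-identification queries (a reconnaissance indicator) from hosts
outside an allowlist can be alerted on. Added example for this article;
the frames and host addresses are constructed."""
import struct

# Function codes whose reply is identity information rather than process data
IDENT_FUNCS = {0x11: "report_server_id", 0x2B: "encapsulated_interface"}
# Hypothetical allowlist of hosts permitted to query device identity
# (e.g. an asset-inventory tool); everything else is unexpected.
ALLOWED_IDENT_SOURCES = {"10.0.20.5"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one MBAP header + PDU; raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    func, data = frame[7], frame[8:]
    kind = "normal"
    if func == 0x2B and data and data[0] == 0x0E:  # MEI type 14
        kind = "read_device_identification"
    elif func in IDENT_FUNCS:
        kind = IDENT_FUNCS[func]
    return {"tid": tid, "unit": unit, "func": func, "kind": kind}

def is_malformed(frame: bytes) -> bool:
    """True when the frame fails MBAP validation."""
    try:
        parse_modbus_tcp(frame)
    except ValueError:
        return True
    return False

def classify(src: str, frame: bytes) -> str:
    """'alert' for identity queries from non-allowlisted hosts, else 'ok'."""
    info = parse_modbus_tcp(frame)
    if info["kind"] != "normal" and src not in ALLOWED_IDENT_SOURCES:
        return "alert"
    return "ok"

# Constructed frames (transaction id, proto 0, length, unit 1, PDU)
READ_HOLDING = bytes.fromhex("000200000006010300000002")  # FC 3, 2 regs
READ_DEVICE_ID = bytes.fromhex("000100000005012b0e0100")  # FC 43/14, basic
REPORT_SERVER_ID = bytes.fromhex("0003000000020111")      # FC 17
```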


[>] Publicly Available ICS Information

Even without direct network access, attackers can gather intelligence using publicly available sources:

  • vendor documentation : manuals and whitepapers often describe how industrial devices communicate, helping attackers craft targeted scans
  • online training courses : videos and PDFs reveal common configurations and default settings used in OT environments
  • github repositories : public scripts and tools sometimes contain default passwords, configuration files, or example network setups
  • regulatory filings & reports : companies in critical infrastructure sectors often publish compliance reports that include network details




4. Defensive Strategies



Conclusion

Reconnaissance is the first step in the Cyber Kill Chain, where attackers gather intelligence to plan their next moves. If undetected, this phase gives them the knowledge needed to exploit weaknesses, increasing the risk of a successful attack.

By understanding reconnaissance techniques - both passive and active - you can better defend against them. Network segmentation, access controls, traffic monitoring, and employee awareness are key to limiting the information attackers can collect. Detecting and disrupting reconnaissance early can stop attacks before they escalate.

In the next article, you will move to the Weaponization phase, where attackers prepare tools and exploits based on the intelligence gathered during reconnaissance. Understanding this transition helps us anticipate threats and strengthen OT security.



You are at Level 3 Documentation Tree - OT Kill Chain 1/5 Skill

Don't forget to check your main Leveling Guide

And leave comments or likes, it helps a lot to get your feedback!

Yours, Zakhar


Zakhar Bernhardt

ICS/OT Cybersecurity Expert | Labshock & Patented NVIDIA AI IDS & 1st OT SIEM Creator | 10k+ Followers | Pentesting & SOC

2 weeks
John Koenig

OT security analyst

2 weeks

Insightful

AIT ICHOU MUSTAPHA

+17K Followers | Cybersecurity Analyst | Blue Team Specialist | Threat Hunting | Malware Researcher and Analyst | Community Manager @SOC4M

3 weeks

Thank you for sharing Zakhar Bernhardt

Zakhar Bernhardt

ICS/OT Cybersecurity Expert | Labshock & Patented NVIDIA AI IDS & 1st OT SIEM Creator | 10k+ Followers | Pentesting & SOC

3 weeks

Jamal Anjum thanks a lot for reposting!

The concept of recon in ICS is eye-opening. Most organizations don’t realize how much information can be unintentionally exposed during normal operations. Regular monitoring and securing industrial protocols are essential for defending against these silent attackers.