detecting-stuxnet-style-attacks

This skill covers detecting sophisticated cyber-physical attacks that follow the Stuxnet attack pattern of modifying PLC logic while spoofing sensor readings to hide the manipulation from operators. It addresses PLC logic integrity monitoring, physics-based process anomaly detection, engineering workstation compromise indicators, USB-borne attack vectors, and multi-stage attack chain detection spanning IT-to-OT lateral movement through to process manipulation.

Category: AI & Automation. 12,642 stars, 1,468 forks. Updated today. License: Apache-2.0.

Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Detecting Stuxnet-Style Attacks

## When to Use

- When implementing advanced threat detection for high-value OT targets (nuclear, chemical, critical infrastructure)
- When building detection for APT-style attacks targeting PLC logic and process manipulation
- When establishing PLC logic integrity monitoring to detect unauthorized modifications
- When investigating suspected process anomalies that may indicate cyber-physical attacks
- When designing defense-in-depth strategies against nation-state level OT threats

**Do not use** for basic OT intrusion detection (see detecting-attacks-on-scada-systems), for malware analysis of Stuxnet samples (see malware reverse engineering skills), or for PLC programming and logic development.

## Prerequisites

- Detailed understanding of the Stuxnet attack chain and MITRE ATT&CK for ICS framework
- PLC logic backup repository with known-good baseline copies of all PLC programs
- Engineering workstation monitoring (EDR with OT awareness)
- Physics-based process models for the controlled physical process
- Network monitoring for industrial protocol traffic analysis

## Workflow

### Step 1: Understand the Stuxnet Attack Chain

Map detection opportunities across the multi-stage Stuxnet-style attack chain.

```yaml
# Stuxnet-Style Attack Chain and Detection Points
attack_chain:
  stage_1_initial_access:
    technique: "USB-borne malware targeting air-gapped network"
    mitre_ics: "T0847 - Replication Through Removable Media"
    detection: ...
```
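The PLC logic integrity monitoring the prerequisites call for, as an added illustration that is not part of the skill's own content: block contents are hashed and compared against the known-good baseline from the backup repository, and the block list read directly from the PLC by an independent monitor is compared against what the engineering workstation reports, since a compromised workstation can present a clean view. All block names, block bodies and the workstation listing below are constructed placeholders; real upload formats are vendor-specific.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data (not real PLC dumps). Block bodies are placeholders;
# real formats (e.g. Siemens S7 OB/FC/DB uploads) are vendor-specific.
BASELINE_BLOCKS = {                      # known-good copies from the backup repo
    "OB1": b"CALL FC1\nCALL FC2\nBE",
    "FC1": b"L MW10\nT MW12\nBE",
    "DB1": b"setpoint INT := 1064",
}
PLC_UPLOAD = {                           # read directly from the PLC by the monitor
    "OB1": b"CALL FC1\nCALL FC2\nCALL FC99\nBE",   # extra call inserted
    "FC1": b"L MW10\nT MW12\nBE",
    "DB1": b"setpoint INT := 1064",
    "FC99": b"...",                                # block absent from the baseline
}
EWS_BLOCK_LIST = ["OB1", "FC1", "DB1"]   # what the engineering workstation shows


def block_hashes(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per block, so the baseline can be stored without the code itself."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in blocks.items()}


def compare_logic(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (block, finding) pairs: ADDED, REMOVED or MODIFIED versus the baseline."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append((name, "REMOVED"))
        elif name not in baseline:
            findings.append((name, "ADDED"))
        elif baseline[name] != current[name]:
            findings.append((name, "MODIFIED"))
    return findings


def hidden_from_workstation(ews_listing: List[str], plc_blocks: Dict[str, bytes]) -> List[str]:
    """Blocks the PLC holds but the workstation's block list omits. A clean-looking
    workstation view that disagrees with an independent upload is itself an indicator."""
    return sorted(set(plc_blocks) - set(ews_listing))


if __name__ == "__main__":
    for block, finding in compare_logic(block_hashes(BASELINE_BLOCKS), block_hashes(PLC_UPLOAD)):
        print(f"{finding:<9} {block}")
    print("hidden from EWS:", hidden_from_workstation(EWS_BLOCK_LIST, PLC_UPLOAD))
```

The comparison must run from a host the attacker has no reason to reach, because an implant on the engineering workstation can return the baseline image to any check that runs there.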

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

Category: AI & Automation (Featured)

detecting-attacks-on-scada-systems

This skill covers detecting cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems including man-in-the-middle attacks on industrial protocols, unauthorized command injection into PLCs, HMI compromise, historian data manipulation, and denial-of-service against control system communications. It leverages OT-specific intrusion detection systems, industrial protocol anomaly detection, and process data analytics to identify attacks that traditional IT security tools miss.

12,642 stars, updated today, by mukul975

Category: AI & Automation (Featured)

detecting-anomalies-in-industrial-control-systems

This skill covers deploying anomaly detection systems for industrial control environments using machine learning models trained on OT network baselines, physics-based process models, and behavioral analysis of industrial protocol communications. It addresses building normal behavior profiles for SCADA polling patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, identifying rogue devices, and correlating network anomalies with physical process data from historians.

12,642 stars, updated today, by mukul975

Category: AI & Automation (Featured)

performing-plc-firmware-security-analysis

This skill covers analyzing Programmable Logic Controller (PLC) firmware for security vulnerabilities including hardcoded credentials, insecure update mechanisms, backdoor functions, memory corruption flaws, and undocumented debug interfaces. It addresses firmware extraction from common PLC platforms (Siemens S7, Allen-Bradley, Schneider Modicon), static analysis of firmware images, dynamic analysis in emulated environments, and comparison against known-good baselines to detect tampering.

12,642 stars, updated today, by mukul975

Category: AI & Automation (Featured)

performing-ot-network-security-assessment

This skill covers conducting comprehensive security assessments of Operational Technology (OT) networks including SCADA systems, DCS architectures, and industrial control system communication paths. It addresses the Purdue Reference Model layers, identifies IT/OT convergence risks, evaluates firewall rules between zones, and maps industrial protocol traffic (Modbus, DNP3, OPC UA, EtherNet/IP) to detect misconfigurations, unauthorized connections, and attack surfaces in critical infrastructure.

12,642 stars, updated today, by mukul975

Category: AI & Automation (Listed)

plc-code-analysis

Standalone skill for multi-perspective PLC code security and quality analysis. Triggers on: "review", "audit", "analyze", "security check", "vulnerability scan", "code review", "check this code", "is this safe", "find issues" when combined with PLC, SCL, ST, LAD, FBD, Structured Text, or block context. Also triggers when the user pastes PLC code and asks for feedback, or uploads exported SimaticML XML files. This skill is independent of tia-openness-roadmap — it does not perform engineering automation. It analyzes code that has already been exported, pasted, or is accessible via the TIA Portal MCP server.

16 stars, updated yesterday, by Czarnak