During the last weeks I’ve been involved in some SCADA systems testing. It has been quite a new world for me, no memory overflows or ROP, no specific deobfuscator  techniques;  just plain text analysis, sometimes even too easy old web style (in)security.

Sometimes the difficulty of the intrusion was just a matter of few minutes. For example in the following scenario the web server protection was based on .htaccess file holding a really insecure password (3 minutes of bruteforcing). The following images represent a supervisor (and controller) of an entire farm. Attackers could easily stop water services, power supplies and heaters.

Sometimes the entire system relizes on unsecure protocol (Telnet) and the bruteforce is just a metter of hours. In the specific case just 1.5h

Even more dangerous when you enter in a system able to control the electric power supply of a huge building and you discover that you were not the first one !!

Who put evil.exe there ?? This specific case was even not password protected ! WoW. (I feel a little bit lame at this moment…) And the list is just huge.

There are some “smarter” systems who calculates passwords on unescaped javascript:

Systems which lets open logs and open control panel because “hidden”, and so secured enough ! (0_o!)

Or even who check the presence of a cookie to authorize to configure an entire Power Cell !

At this stage seems that SCADA security is at the very beginning of its history. Unfortunately SCADA systems are really important and might affect thousands, hundred thousands of people. I wont immage a nuclear station managed according to these security standards! It would be just scarry.
Since I am totally newbie on SCADA security, I started some research on my own and I found some interesting resources that shows more advance attacks techniques such as the following:
PLCScan: how to find out PLC and how to deal with them:

Metasploit MOdule WinVNC Harvester:

How to recover S7 PLC/TIA portal password

 Hope this BLOG-POST helps to encrease security awareness on SCADA systems. They are huge, important and they can affect the real life of many citizens. Each water station, electric station, nuclear station, but also each airport, each industry owns a SCADA system to monitor and (sometime) to control machineries.

4 thoughts on “ SCADA (in)Security ”

  1. In your testing did you use SHODAN – the search engine – it packs a lot of information showing how vulnerable SCADA systems are.

    Also, just wanted to share that we have organized a SCADA Live Demo with industry experts May 21st titled: “Warning: Hackers Can Destroy Your Automation Plant – SCADA Malware Infection In 2 Simple Steps”

    I thought to share since the event is on topic with this post!

    Thanks – Lily

    Here's the link: SCADA Security and training

Comments are closed.