ATTACKING ICS/SCADA

Mike Rebultan
5 min read, Jul 30, 2020


INTRODUCTION

Like any other organization, ICS/SCADA operators are not free from cyberattacks. In fact, these attacks are the most dangerous of all: they do not just damage the organization's reputation or cause financial loss, they endanger lives (cyber-kinetic). Such an attack threatens every living thing: plants, animals, and humans.

This article covers security attacks on the general ICS/SCADA environment (power grids, waste and water management, petrochemical plants, data centers, nuclear power plants, and transportation systems: air, maritime, and railway) and focuses on the most neglected attack surfaces: physical and system (OS and firmware).

ATTACKING PHYSICAL SECURITY

Social engineering has not changed since day one. Impersonation is still one of the most common ways adversaries get through the doors and inside facilities to carry out their malicious motives. Pretending to be someone else will always be their way: the IT guy, a janitor, a delivery man, an inspector, a business partner, vendor, or client, or simply tailgating a legitimate employee entering the premises. Sounds like a "Mission Impossible" movie? Yes, it is!

The most epic story in ICS/OT is the insider threat. This is where a vendor plugs in a USB drive loaded with a payload or malware without the control engineer scanning it before it is connected to the HMI or a workstation inside the ICS. This keeps happening even with a company policy in place, especially when the vendor and the employee have already built a relationship as each other's point of contact inside the organization.

So even "air-gapped" devices are not exempt from this attack once the adversary is already inside the ICS, just waiting for the perfect timing to accomplish the mission without anyone noticing until an accident occurs.

Signaling Communication Devices

When was the last time you visited an e-commerce site and checked the price of a GPS jamming device? It is not that expensive. Such a device can also be used for spoofing. What do you think an aircraft on autopilot, a ship, and other vehicles use for navigation?

Communication Channel

GSM or LTE spoofing in the Circle Line tunnel interferes with the signaling communication between the train and the track. The same happens with aircraft, between the tower controller and the others.

Wi-Fi

This is the same as the communication channel above: Wi-Fi can be spoofed, hijacked, or jammed to interfere with signaling communication. Wardriving is very popular for Wi-Fi hacking, using many open source tools.

CCTV

Changing the direction of a camera within the premises, using an FM radio jammer combined with the Samurai Linux distro, would give an adversary an easy way in to manipulate operations through the HMI, RTU, or MTU and damage the ICS/SCADA.

ATTACKING LOGICAL SECURITY

In the current generation of ICS/OT (4th Gen), the air gap has evolved into a connected network that is even accessible from the Internet, to make administrators' lives easier. This has also made attackers' lives simpler when going after their targets.

Reconnaissance

In the cyber kill chain, whether using Mandiant's or Lockheed Martin's model, this is the very first stage, where an adversary plans the attack. For ICS/SCADA, Shodan and Google dorking are the most common methods of finding a target.

Searching for a random victim is not that complicated, as long as the hacker knows the CIP and the ports on which services from different vendors run.

1. SHODAN — these are the most common search filters used to find a target from the Shodan portal.

  • Modbus — the most commonly used ICS/SCADA protocol, with few security features: no authentication and no encryption of messages transmitted across the network.
  • Port:502 — the port number used by the Modbus protocol.
  • BACnet — the protocol used by Building Automation Systems (BAS) for HVAC applications.
  • Port:10 or Port:530 — the ports that the BACnet protocol uses.
  • S7 (by Siemens) — the service that Siemens devices most commonly use.
  • Port:502 Country:XX (where XX is the country code) — a combination of Shodan search filters to match both port and country at the same time.
  • Net:1.2.3.0/8 — search filter to identify a network segment range.
  • ClearSCADA — the application used by Schneider Electric on their devices.
  • Domain:xyz.com — to target a specific domain, this filter can be used with a Shodan search.

2. DORK — Google searching for ICS/SCADA targets works the same way as it does for IT.

  • intitle:"Miniweb Start Page" — HMI panel for the Simatic web interface.
  • inurl:"Portal/Portal.mwsl" — Siemens S7 series PLC controllers.
  • inurl:"ProficyPortal/default.asp" — General Electric device web portal.
  • intitle:"ClearSCADA Home" — Schneider Electric device web portal.

3. MALTEGO CE — the community edition of Maltego is a good tool for automating both Shodan and Google searches. It is readily available in Kali and other security-focused Linux distros.

This stage is crucial for adversaries: they leverage what they find on Shodan (vulnerabilities, appliance types, firmware versions, and application configurations) for a watering hole attack in a later stage, or in parallel with a spear phishing attack.
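Because Modbus carries no authentication, as the Shodan list above notes, the practical defence is to watch port 502 traffic and alert on write function codes from any host that is not an approved HMI or engineering station. The passive detector below is an added example written for this article, not code from the original post; the frames, addresses and approved-host list are constructed.

```python
import struct
from collections import namedtuple

# Modbus function codes that change controller state (Modbus application protocol spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# src is the TCP client address; address is the start coil/register, when the PDU carries one.
ModbusRequest = namedtuple("ModbusRequest", "src transaction_id unit_id function address")

def parse_modbus_tcp(src, payload):
    """Parse the 7-byte MBAP header and the function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    # Read and write request PDUs place the start address right after the function code.
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return ModbusRequest(src, tid, unit, func, address)

def flag_unexpected_writes(frames, allowed_writers):
    """Return alerts for write requests from hosts that are not approved HMI/engineering stations."""
    alerts = []
    for src, payload in frames:
        try:
            req = parse_modbus_tcp(src, payload)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} to unit {req.unit_id} "
                          f"at address {req.address}")
    return alerts

# Constructed sample frames (not real captures): HMI traffic, then writes from an unknown host.
SAMPLE_FRAMES = [
    ("10.0.1.10", bytes.fromhex("00010000000601030000000A")),            # FC3: read 10 holding registers
    ("10.0.1.10", bytes.fromhex("000200000006010600010001")),            # FC6: write register 1 (approved HMI)
    ("10.0.9.77", bytes.fromhex("00030000000601050001FF00")),            # FC5: force coil 1 ON (unknown host)
    ("10.0.9.77", bytes.fromhex("00040000")),                            # truncated frame
    ("10.0.9.77", bytes.fromhex("00050000000B0110001000020400010002")),  # FC16: write 2 registers from 16
]
ALLOWED_WRITERS = {"10.0.1.10"}
```

Running `flag_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS)` yields one alert for each of the last three frames and nothing for the HMI's own read and write.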

Phishing or Spear Phishing

After finding a target company in the reconnaissance stage, phishing is the most common and still effective strategy to compromise a privileged AD account and move laterally from the IT network into the OT environment. This is possible when there is no network segmentation between them.

CONCLUSION

While there are other attack surfaces an adversary can use against an ICS/SCADA environment, the methods mentioned here are the easiest among them.

How to mitigate the risk of these attacks and implement defense-in-depth was shared in the author's recorded talk at HITB-GSEC Singapore 2018.

ABBREVIATIONS

CCTV: Closed-Circuit Television

HMI: Human Machine Interface

HVAC: Heating, Ventilating, and Air Conditioning Control

ICS: Industrial Control System

IT: Information Technology

MTU: Master Terminal Unit

RTU: Remote Terminal Unit

SCADA: Supervisory Control and Data Acquisition

OT: Operational Technology

WIFI: Wireless Fidelity

REFERENCES

Attacking MODBUS Protocol

ICS Computer Emergency Response Team — Daily News

ICS-CERT’s Top 20 Cybersecurity Attack Against ICS

Cyber Kill Chain

Google Dork Database

Shodan Search Guide

Maltego Community Edition

Samurai Linux Framework

Brutal Tool for Phishing

💡Note: Article originally posted in Peerlyst — October 28, 2018
