- 14 Jul 2024
SCADA & ICS Attack
SCADA and ICS are the systems used to control and manage physical processes in sectors such as
electricity and energy, water and waste management, petrochemicals, data centers, nuclear, gas and oil
power plants, pipelines, and transportation systems (air, maritime, etc.).
! Keep in mind that attacking industrial systems can damage not only the corporate network
infrastructure but also the natural environment, animals and all other living things.
We start with the basic concepts used in this thread.
ICS (Industrial Control System)
An ICS directly controls industrial processes and equipment. ICSs are used in the electricity,
water, oil and gas, chemical, transportation and other industries.
Four terms come up constantly: SCADA (Supervisory Control and Data Acquisition),
PLC (Programmable Logic Controller), DCS (Distributed Control System) and
IACS (Industrial Automation and Control System, the umbrella term used by the IEC 62443 standards).
PLC (Programmable Logic Controllers)

A PLC (Programmable Logic Controller) is a small, ruggedized industrial computer that executes the
logic functions that were traditionally wired up in electrical hardware (relays, switches, mechanical timers, etc.).
PLCs can control complex processes and are used as field controllers in both SCADA and DCS systems.
A PLC holds its program (the ladder logic or structured text that drives the automation) in memory.
DCS (Distributed Control Systems)
A DCS (Distributed Control System) is used to control industrial processes in electrical
energy management, oil and gas, water management, chemicals, automotive and similar plants.
In a DCS the control functions are not concentrated in one central unit: control is distributed across
multiple controllers, each responsible for part of the process, and supervised from common operator stations.
SCADA (Supervisory Control and Data Acquisition)
SCADA (Supervisory Control and Data Acquisition) collects, processes and analyzes process data and lets
operators centrally monitor and control geographically dispersed industrial systems. Typical SCADA
protocols are DNP3 (Distributed Network Protocol, port 20000 TCP/UDP) and Modbus (port 502 TCP),
which the supervisory system uses to talk to RTUs, PLCs and sensors.

The HMI (Human-Machine Interface) is the software or hardware through which operators monitor and control the
process and change control parameters. The HMI also displays process status, history, alarms,
reports and other information needed by operators and managers.
ICS Protocols

Each ICS protocol uses its own well-known port; the table below lists the most common ones.
Be aware that even a simple port scan with nmap, unimap, etc. can have adverse effects on industrial
equipment: older PLCs and RTUs have fragile network stacks and may fault or crash on unexpected packets,
so scans against live devices should be slow, TCP connect based, and limited to the expected ports.
| Protocol | Port(s) |
|---|---|
| Modbus | 502 TCP |
| Siemens S7comm | 102 TCP |
| DNP3 over TLS (dnp-sec) | 19999 TCP |
| DNP3 | 20000 TCP and 20000 UDP |
| EtherCAT | 34980 UDP |
| EtherNet/IP | 44818 TCP, 44818 UDP, 2222 UDP |
| BACnet/IP | 47808 UDP |
| FL-net | 55000 - 55003 UDP |
| Fieldbus (Foundation Fieldbus HSE) | 1089 - 1091 TCP and 1089 - 1091 UDP |
| ICCP | 102 TCP |
| Profinet | 34962 - 34964 TCP and 34962 - 34964 UDP |
| OPC UA Binary | Vendor specific |
| OPC UA Discovery Server | 4840 TCP |
| OPC UA XML | 80 TCP and 443 TCP |
| ROC Plus | 4000 TCP and 4000 UDP |
| Red Lion (Crimson) | 789 TCP |
| Niagara Fox | 1911 TCP and 4911 TCP |
| IEC-104 | 2404 TCP |
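The following script is an added example (it is not part of the original post) of the kind of low-impact fingerprinting that suits ICS equipment: instead of a port sweep, it sends a single read-only Modbus/TCP "Read Device Identification" request (function 0x2B, MEI type 0x0E) and parses the reply, including the exception reply that devices without that function return. The sample response and the vendor strings in it are constructed for the example, not captured from a real PLC.

```python
"""Low-impact Modbus/TCP fingerprinting: Read Device Identification (FC 0x2B, MEI 0x0E)."""
import socket
import struct

MODBUS_TCP_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E
READ_DEVICE_ID_BASIC = 0x01          # basic objects: VendorName, ProductCode, MajorMinorRevision
OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_read_device_id_request(transaction_id=1, unit_id=1,
                                 read_code=READ_DEVICE_ID_BASIC, object_id=0x00):
    """MBAP header (tid, protocol id 0, length, unit id) followed by the 4-byte PDU."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id_response(frame):
    """Return the identification objects carried in a Modbus/TCP response frame.

    Raises ValueError on a malformed frame or on a Modbus exception response
    (e.g. 0xAB 0x01 = ILLEGAL FUNCTION from a device that lacks FC 0x2B).
    """
    if len(frame) < 7:
        raise ValueError("frame shorter than the MBAP header")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    pdu = frame[7:7 + length - 1]
    if not pdu or len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match the bytes received")
    if pdu[0] & 0x80:                       # exception responses set the high bit of the function code
        raise ValueError(f"Modbus exception for function {pdu[0] & 0x7F:#04x}, code {pdu[1]:#04x}")
    if pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("response is not Read Device Identification")
    if len(pdu) < 7:
        raise ValueError("device identification header truncated")
    read_code, conformity, more_follows, next_object, count = pdu[2:7]
    objects = {}
    pos = 7
    for _ in range(count):                  # each object: id (1 byte), length (1 byte), value
        if pos + 2 > len(pdu):
            raise ValueError("object header truncated")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError(f"object {obj_id:#04x} truncated")
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": unit_id, "conformity_level": conformity,
            "more_follows": bool(more_follows), "next_object_id": next_object, "objects": objects}


def query_device_identification(host, port=MODBUS_TCP_PORT, unit_id=1, timeout=3.0):
    """One TCP connection, one read-only request, one response; nothing is written to the device."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id_request(unit_id=unit_id))
        frame = sock.recv(260)              # the maximum Modbus/TCP ADU is 260 bytes
    return parse_read_device_id_response(frame)


# Constructed sample response (not captured from a real device): unit 1 answers with three basic
# objects. MBAP length 0x27 = 38 PDU bytes + 1 unit-id byte.
SAMPLE_RESPONSE = (
    bytes.fromhex("00010000002701")          # MBAP: tid 1, protocol 0, length 39, unit id 1
    + bytes.fromhex("2b0e0101000003")        # FC 0x2B, MEI 0x0E, read code 1, conformity 1, more 0, next 0, 3 objects
    + bytes([0x00, 14]) + b"Example Vendor"  # placeholder vendor string
    + bytes([0x01, 6]) + b"PLC-01"           # placeholder product code
    + bytes([0x02, 5]) + b"v1.23"            # placeholder firmware revision
)

if __name__ == "__main__":
    print(parse_read_device_id_response(SAMPLE_RESPONSE))
```

Against a live target, `query_device_identification("192.0.2.10")` (address used here as a placeholder) performs exactly one connect, one request and one read; that is the whole interaction a careful assessor wants with a PLC, and the ILLEGAL FUNCTION exception path tells you the device is Modbus even when it does not implement identification.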
ICS (Industrial Control System) Vendors & Attack Vectors
Each ICS/SCADA vendor has its own product characteristics and target sectors (electricity, water,
oil and gas, chemicals, transportation), and the market share of a given vendor differs from
country to country. According to published analysis (the April 2022 CISA advisory AA22-103A on the
PIPEDREAM/INCONTROLLER toolset), the most targeted ICS/SCADA products are Schneider Electric
programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs and Open Platform Communications
Unified Architecture (OPC UA) servers. The attackers mainly target energy-sector and water-treatment organizations.
The Schneider Electric products include MODICON and MODICON Nano PLCs (TM251, TM241, M258, M238, LMC058, LMC078, etc.)
and the OMRON products include the Sysmac NJ and NX PLCs (NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK,
R88D-1SN10F-ECT, etc.). The figure below shows other vendors targeted in most SCADA/ICS attacks:

Attackers use different approaches against industrial environments. The first is the web-based HMI:
once a threat actor has full access to the web-based HMI of a SCADA/ICS system, they can modify
parameters or execute some commands as administrator. Remember, though, that access to the web-based HMI
console alone is usually not enough to impact or damage the industrial process, because the web console
does not give full control of the controllers and there are obstacles at some points. In this thread we
focus on how to analyze web-based attacks in SCADA/ICS environments. The second approach is the "targeted
attack": the attackers compromise the corporate network, move from there into the SCADA/ICS control network,
and once they fully control the computers and systems used for control and management of the SCADA/ICS
systems they can execute any command as administrator. Before continuing with web attacks against the HMI,
we take a look at how SCADA/ICS attacks are carried out through the corporate network.

Attackers can penetrate the internal network of a SCADA/ICS organization through different attack vectors,
for example by exploiting perimeter weaknesses (SQL injection, arbitrary file upload, remote command
execution, configuration errors, source-code vulnerabilities, outdated software, brute force, etc.)
or by buying internal network access from access brokers. How far the initial access reaches depends on
the attacker's capabilities. Once inside, attackers gather information about internal servers, workstations
and their vulnerabilities, and try to find the network segment that hosts the SCADA/ICS systems and engineering
computers; they then escalate privileges using whatever attack vectors are available, and follow with lateral
movement, pivoting until they reach the systems and computers used to control the industrial process.
The full set of techniques is documented in the ATT&CK Matrix:
ATT&CK MATRIX for ICS
As noted above, there are many attack vectors, but they follow the same cycle of
Recon, Compromise and Lateral Movement, each round with more privileges than the last.
Before launching an attack, threat actors start with information gathering. This can include finding the
physical locations of SCADA/ICS facilities in different countries, for example the physical location of a
water or energy station. This step is not used in every attack scenario, but it is a useful technique for
understanding the target environment, and it is sometimes called "GeoStalking".

For example, using the Electrical Japan Power Plant Database, we can see Japan's energy supply
(power station map) and energy usage. Starting from a specific location in Google Maps, we can
list all hydro, wind, solar and nuclear power plants nearby. The attacker then tries to turn physical locations
into IP address ranges for the next steps. Note that GeoIP services such as MaxMind map an IP address to an
approximate location, not the other way round, so the attacker works in reverse: selecting IP ranges whose
registered location or owning organization matches the plant, or using Shodan's geo: and city: filters
together with the ICS ports above. The candidate IP addresses are then examined in more detail with a
careful port scan or with Shodan.
Discovering SCADA/ICS web-based HMI (Human-Machine Interface)
Attackers use different methods to find the web-based HMI consoles of SCADA/ICS systems,
mostly Shodan, Censys and similar services, and in some cases Google dorks. With Shodan
we can search for SCADA/ICS systems by vendor, port and product name.
- Shodan -

For example, we can search for specific SCADA/ICS systems using different search filters:
- Modbus --> port:502
(as mentioned above, the Modbus protocol uses port 502)
- Siemens S7 --> port:102
(S7 (S7 Communication) is Siemens' proprietary PLC protocol)
- Schneider Electric --> ClearSCADA
(SCADA application sold by Schneider Electric)
- Schneider Electric --> PM820SD port:161
(PM820SD power meter, found through its SNMP service)
- Schneider Electric --> PowerLogic PM800 port:80
(PowerLogic PM800 power meter web interface)
- Schneider Electric --> ION8650
(PowerLogic ION8650 A/B/C power meters)

Another method to find the web-based HMI consoles of SCADA/ICS systems is Google dorks.
Some example dorks for industrial system HMIs (note that Google operators take no space after the colon):
- Simatic web interface (HMI console) --> intitle:"Miniweb Start Page"
- Siemens S7 series PLC web server --> inurl:"Portal/Portal.mwsl"
- General Electric device web portal --> inurl:"ProficyPortal/default.asp"
- Schneider Electric device web portal --> intitle:"ClearSCADA Home"

Opening one of the search results shows a login page like the one below. For the name and password,
attackers use different methods (the web interfaces of HMIs are usually weak targets): password guessing
with default or vendor credentials, brute force, or exploiting vulnerabilities in the web application itself.
Threat actors also look for industrial systems exposed over VNC, connecting to instances with no
authentication or attacking the VNC password.
In addition, attackers can use the vendor's own engineering or operator software to connect to SCADA/ICS systems:
for example WinCC to connect to a SIMATIC system, or the Experion client software to connect to a Honeywell DCS.
After some analysis of SCADA/ICS systems in Shodan, I found several open HMI consoles.
To obtain administrator privileges, attackers can try the different attack vectors
mentioned above in order to log into HMI consoles as administrator.
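The password-guessing attacks described above leave a clear trace in the HMI's web server log. The following detection logic is an added example (not part of the original post): it parses combined-format access log lines, keeps a sliding window of failed login POSTs per source address, and raises an alert on the threshold and again if a success follows the failures. The log lines are constructed for the example, and the login paths and the assumption that a successful login answers with 200 or 302 are placeholders that would be adjusted to the real HMI.

```python
"""Detect password guessing against a web-based HMI login from its access log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumed login endpoints; real HMIs differ (the S7-1200 web server, for instance, uses Portal/Portal.mwsl).
LOGIN_PATHS = ("/login", "/Portal/Portal.mwsl")
FAILURE_STATUSES = {401, 403}
SUCCESS_STATUSES = {200, 302}   # assumption: a successful login returns the page or redirects


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_login_attacks(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed login POSTs per source IP.

    Returns (ip, kind, failures_in_window) tuples in log order: one
    "hmi-login-bruteforce" alert per source once it crosses the threshold, and a
    "hmi-login-success-after-bruteforce" alert for every success that follows.
    """
    recent_failures = defaultdict(deque)
    already_flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].startswith(LOGIN_PATHS):
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if ev["status"] in FAILURE_STATUSES:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append((ev["ip"], "hmi-login-bruteforce", len(q)))
        elif ev["status"] in SUCCESS_STATUSES and len(q) >= threshold:
            alerts.append((ev["ip"], "hmi-login-success-after-bruteforce", len(q)))
    return alerts


# Constructed sample log: an operator logging in normally, then a guessing run from 203.0.113.10.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Jul/2024:10:00:30 +0000] "GET /login.html HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jul/2024:10:00:41 +0000] "POST /login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.10 - - [14/Jul/2024:10:01:{s:02d} +0000] "POST /login.html HTTP/1.1" 401 512 "-" "python-requests/2.31"'
    for s in (1, 5, 9, 13, 17, 21)
] + [
    '203.0.113.10 - - [14/Jul/2024:10:01:25 +0000] "POST /login.html HTTP/1.1" 302 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for alert in detect_login_attacks(SAMPLE_LOG):
        print(*alert)
```

The same sliding-window logic applies to VNC: a VNC server that logs authentication failures (or a network sensor seeing repeated short sessions on port 5900 from one source) feeds the same counter, with the source address as the key.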
Exposed ALJAZIRA Gas Power Plant

There are many SCADA/ICS results, so I have chosen only
two of them to show here as examples.

As an example of recently identified vulnerabilities in this equipment class:
CVE-2024-56336: a bootloader vulnerability in Siemens SINAMICS S200 drives with a CVSS score of 9.8.
The vulnerability allows an attacker to damage the device or gain full access to it by installing untrusted
firmware. Affected devices are all SINAMICS S200 versions with serial numbers starting with
SZVS8, SZVS9, SZVS0 or SZVSN and FS number 02.
! Note that, at the time of writing, Siemens had not released a firmware update that patches the vulnerability.
As you can see, even though SCADA/ICS industrial systems sit in critical sectors, they are often
vulnerable, and many of them are not protected against even basic attacks.