Introduction to SCADA/ICS

The automation technology used to manage and perform various industrial operations, such as line management control and operations control, is part of what is known as operational technology (OT).

Industrial control systems (ICS) make up a large part of the operational technology segment. They are used to monitor and control operations such as automating production, controlling and monitoring hardware systems, and regulating temperature by controlling water levels and flow at a nuclear facility. Most ICS deployments are in highly critical systems that are required to be available at all times.

The hardware used for ICS is of two types, programmable logic controllers (PLCs) and discrete process control systems (DPC), which are in turn managed by Supervisory Control and Data Acquisition (SCADA) systems. SCADA simplifies the management of ICS by providing interface-based control rather than requiring the user to enter each and every command manually. This makes the management of these systems robust and easy, thereby allowing for very high availability.

The main components are as follows:

  • The SCADA display unit is the component that provides an interactive interface for the administrator to review, verify, and modify the commands that are passed to the ICS. This allows the user to control the ICS from a distance without actually being in the field. For example, a remote administrator can use a web portal to manage the configuration of all the thermostats in a building.
  • The control unit acts as a bridge between the SCADA display unit and the remote terminal units. The control unit must always forward the data coming from the remote terminal units to the SCADA display unit in real time, so that the administrator is notified of any malfunction, which can then be examined and fixed to ensure the high availability of the system.
  • Remote terminal units (RTUs) can be PLCs (Programmable Logic Controllers, the manufacturing industry's standard computers for processing and executing instructions), which connect multiple devices to the SCADA network, enabling them to be monitored and administered from great distances. The links between the RTU, the control unit, and the SCADA display unit need not be a wired network; they can also be wireless.

It is very important to secure these SCADA systems, as a simple misconfiguration could lead to a catastrophe in an actual industrial manufacturing environment. There are many open source tools that can be used for this purpose. Nmap is one such tool; it allows users to write custom scripts for SCADA/ICS port scanning. Furthermore, an analyst can use Metasploit modules to exploit known vulnerabilities in a SCADA/ICS environment.

The following are some of the Metasploit modules that can be used to identify and exploit issues on the SCADA/ICS systems:

Vendor               System/component      Metasploit module
-------------------  --------------------  -------------------------------------------------------
7-Technologies       IGSS                  exploit/windows/scada/igss9_igssdataserver_listall.rb
                                           exploit/windows/scada/igss9_igssdataserver_rename.rb
                                           exploit/windows/scada/igss9_misc.rb
                                           auxiliary/admin/scada/igss_exec_17.rb
AzeoTech             DAQ Factory           exploit/windows/scada/daq_factory_bof.rb
3S                   CoDeSys               exploit/windows/scada/codesys_web_server.rb
BACnet               OPC Client            exploit/windows/fileformat/bacnet_csv.rb
                     Operator Workstation  exploit/windows/browser/teechart_pro.rb
Beckhoff             TwinCat               auxiliary/dos/scada/beckhoff_twincat.rb
General Electric     D20 PLC               auxiliary/gather/d20pass.rb
                                           unstable-modules/auxiliary/d20tftpbd.rb
Iconics              Genesis32             exploit/windows/scada/iconics_genbroker.rb
                                           exploit/windows/scada/iconics_webhmi_setactivexguid.rb
Measuresoft          ScadaPro              exploit/windows/scada/scadapro_cmdexe.rb
Moxa                 Device Manager        exploit/windows/scada/moxa_mdmtool.rb
RealFlex             RealWin SCADA         exploit/windows/scada/realwin.rb
                                           exploit/windows/scada/realwin_scpc_initialize.rb
                                           exploit/windows/scada/realwin_scpc_initialize_rf.rb
                                           exploit/windows/scada/realwin_scpc_txtevent.rb
                                           exploit/windows/scada/realwin_on_fc_binfile_a.rb
                                           exploit/windows/scada/realwin_on_fcs_login.rb
Scadatec             Procyon               exploit/windows/scada/procyon_core_server.rb
Schneider Electric   CitectSCADA           exploit/windows/scada/citect_scada_odbc.rb
SielcoSistemi        Winlog                exploit/windows/scada/winlog_runtime.rb
Siemens Technomatix  FactoryLink           exploit/windows/scada/factorylink_cssservice.rb
                                           exploit/windows/scada/factorylink_vrn_09.rb
Unitronics           OPC Server            exploit/exploits/windows/browser/teechart_pro.rb

There are many other open source tools that can be used to perform these operations. One such tool is PLCScan.

PLCScan is a utility used to identify PLC devices using a port-scanning methodology. It matches the packets received from specific ports against previously documented signatures of various SCADA/PLC devices. It uses a set of scripts in the backend to perform these operations.

Scanning a control system with automation scripts can be a tedious task, as these systems can crash very easily. Most SCADA/ICS systems are legacy systems running legacy software; they are not cost-effective to replace and do not have enough hardware capacity to be automated. This results in a lot of vulnerabilities.
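Because active probing can crash fragile legacy controllers, a defender often wants the same port-signature classification that PLCScan performs, but driven from connection records that a firewall or span port has already collected. The following Python script is an added example, not part of the original text or of PLCScan: it classifies hosts by well-known ICS protocol ports and flags any controller reached from outside the control network. The log format, the host addresses and the 10.10.0.0/16 OT enclave are constructed assumptions for the example.

```python
"""Passive ICS/SCADA asset inventory from firewall connection logs.

Added example, not from the original text or from PLCScan. Rather than
probing devices actively, it classifies hosts from connection records
already collected at a firewall or span port. The key=value log format,
the hosts and the 10.10.0.0/16 OT enclave are constructed assumptions.
"""
from collections import defaultdict
import ipaddress
import re

# Well-known ICS protocol ports (registered or vendor-documented values).
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# Assumption for this example: the enclave where PLCs and RTUs should live.
OT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample log lines; one is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z src=10.10.1.5 dst=10.10.2.20 dport=502 proto=tcp
2024-03-01T08:00:02Z src=10.10.1.5 dst=10.10.2.21 dport=102 proto=tcp
2024-03-01T08:00:03Z src=10.10.1.5 dst=10.10.2.22 dport=47808 proto=udp
2024-03-01T08:00:04Z src=192.168.50.9 dst=10.10.2.20 dport=502 proto=tcp
2024-03-01T08:00:05Z src=10.10.1.7 dst=10.10.2.30 dport=443 proto=tcp
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def in_ot_enclave(ip):
    """True if the address falls inside one of the assumed OT networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def build_inventory(log_text):
    """Map each destination host to the ICS protocols it was seen serving.

    Port-based classification is a heuristic, as with any port scanner: a
    host answering on 502 is probably a Modbus device, but only a
    protocol-aware capture confirms it.
    """
    inventory = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto_name = ICS_PORTS.get(rec["dport"])
        if proto_name:
            inventory[rec["dst"]].add(proto_name)
    return {host: sorted(protos) for host, protos in inventory.items()}


def find_enclave_crossings(log_text):
    """List connections to ICS ports whose source lies outside the OT enclave.

    A PLC or RTU reachable from outside the control network is exactly the
    exposure a defender wants to find before anyone else does.
    """
    crossings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ICS_PORTS:
            continue
        if not in_ot_enclave(rec["src"]):
            crossings.append((rec["src"], rec["dst"], ICS_PORTS[rec["dport"]]))
    return crossings


if __name__ == "__main__":
    for host, protos in sorted(build_inventory(SAMPLE_LOG).items()):
        print(f"{host}: {', '.join(protos)}")
    for src, dst, proto in find_enclave_crossings(SAMPLE_LOG):
        print(f"ALERT: {src} reached {dst} ({proto}) from outside the OT enclave")
```

On the constructed sample, the inventory lists three controllers (Modbus/TCP, S7comm and BACnet/IP) and the crossings check reports the single Modbus connection originating from 192.168.50.9, a host outside the assumed enclave. The 443 connection is ignored because it is not an ICS port, and the malformed line is skipped rather than aborting the run.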
