In this article, we will give a brief introduction to ICS, the risks they face, and finally the methodology and tools used to pentest ICS-based systems.

Industrial control system (ICS) is a term that covers many types of control systems and instrumentation used in industrial production, such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and components like programmable logic controllers (PLC). ICS are typically used in industries such as electricity, oil and gas.

Figure 1: Illustration of a control panel of an ICS

The most important components of an ICS are:

Sensors and actuators: communication with the physical world

Local HMI (Human Machine Interface): supervision and control

RTU: Remote Terminal Unit

PLC: Programmable Logic Controller

IED: Intelligent Electronic Device

Supervisor: process supervision

Data Historian: recording of all information at the production / SCADA level

A programmable logic controller (PLC) is an industrial (digital) computer that has been adapted for the control of manufacturing processes. It is one of the most important components to examine when pentesting an ICS, because it is the device that directly drives the physical process.

Figure 2: Example of a PLC – Siemens S7-1200

Industrial control systems are among the favorite targets of attackers for many reasons:

Easy targets: lack of security training means easy social engineering

No security measures

Outdated OS

No security policy

Default passwords

Default configuration

No patch management policy

Perfect target for hacktivists

ICS face many risks; the most critical ones are:

Social engineering

Hacking and cracking

Denial of service

Viruses and malware

Weak policies

Physical risk

Vulnerabilities in the OS or applications

Figure 3: Methodology of pentesting ICS

The first step in pentesting an ICS is reconnaissance. In this step, we gather as much information as possible about the target from public resources and search engines (Google hacking, Shodan.io, etc.) to prepare the attack. The second step is scanning the target to discover its open ports and the services behind them, which are then checked for exploitable vulnerabilities. The third step is enumeration: gathering usernames, groups, machine and server names, network resources and shares on the targeted network. Note that ICS devices are often fragile: an aggressive port scan or a single malformed packet can crash a PLC and halt the physical process, so scanning, and especially any denial-of-service test, must be agreed with the asset owner in advance and, wherever possible, run against a test environment rather than the live plant. Only then can we start disrupting the target with attacks such as denial of service, or compromising it with techniques such as:

Inject malware

Escalate privileges

Open backdoors

Establish persistence

Shodan

Shodan is a search engine that continuously crawls the internet for connected devices (CCTV cameras, routers, PLCs, servers, etc.) and indexes what it finds, with filters to narrow the results by port, product, country and so on. It makes very useful information easily available to attackers, such as service banners and metadata that reveal the product and version of a device, and therefore which devices are likely to still be running with default passwords.

Figure 4: Shodan.io

Diggity tools

SearchDiggity is the attack tool of the Google Hacking Diggity Project; it contains many modules that leverage search engines to find useful information about a target.

Figure 5: Modules of SearchDiggity

You can also check this article on InfoSec Institute: https://resources.infosecinstitute.com/search-engine-hacking-manual-and-automation/

NMAP

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. It is considered the most powerful scanner available because of its multitude of options, and its scripting engine includes ICS-specific scripts such as modbus-discover and s7-info for fingerprinting devices listening on TCP 502 and TCP 102.

Figure 6: Nmap

You can also check this article on InfoSec Institute: https://resources.infosecinstitute.com/nmap-cheat-sheet/

PLCSCAN

PLCScan is a Python script that checks the availability of two interesting ports, TCP 102 (Siemens S7comm over ISO-TSAP) and TCP 502 (Modbus/TCP), and then calls other scripts depending on which port is open. For example, if it finds TCP 502 open, it calls the Modbus functions to collect information such as the device identification (vendor name, product code and revision).

Figure 7: PLCScan
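As an added example, not code from the article or from the PLCScan project, the following Python reconstructs the two steps described above: the scanning step's check for the ICS ports TCP 102 and TCP 502, and the Modbus/TCP Read Device Identification query (function code 43, MEI type 14) that PLCScan issues when it finds port 502 open. The frame layout follows the Modbus specification; the host name, the sample replies and the vendor strings in them are constructed for this example and do not come from any real device.

```python
import socket
import struct

# The two ports PLCScan probes first: TCP 102 carries Siemens S7comm over
# ISO-TSAP, TCP 502 carries Modbus/TCP (protocol facts, not from the article).
ICS_PORTS = {102: "S7comm (ISO-TSAP)", 502: "Modbus/TCP"}

# Object IDs returned by Modbus function 43 / MEI type 14 (Read Device Identification)
DEVICE_ID_OBJECTS = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_device_id_request(transaction_id=1, unit_id=0xFF, read_code=0x01):
    """Build a Modbus/TCP Read Device Identification request.

    PDU = function 0x2B, MEI type 0x0E, read code (0x01 = basic objects),
    starting object id 0x00. The MBAP length field counts the unit id + PDU.
    """
    pdu = struct.pack(">BBBB", 0x2B, 0x0E, read_code, 0x00)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_device_id_response(data):
    """Parse the reply and return {object name: value}.

    Raises ValueError on a Modbus exception reply (a device that does not
    implement function 43 answers 0xAB + exception code) or a malformed frame.
    """
    if len(data) < 9:
        raise ValueError("frame too short for MBAP header + PDU")
    _tid, proto, length, _unit = struct.unpack(">HHHB", data[:7])
    pdu = data[7:]
    if proto != 0 or len(pdu) != length - 1:
        raise ValueError("bad protocol id or MBAP length does not match payload")
    if pdu[0] == 0x2B | 0x80:
        raise ValueError(f"Modbus exception code 0x{pdu[1]:02x}")
    if pdu[0] != 0x2B or pdu[1] != 0x0E or len(pdu) < 7:
        raise ValueError("not a Read Device Identification reply")
    # pdu[2..5] = read code, conformity level, more-follows flag, next object id
    count = pdu[6]
    objects, offset = {}, 7
    for _ in range(count):
        if offset + 2 > len(pdu):
            raise ValueError("object header runs past end of PDU")
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        value = pdu[offset + 2:offset + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object value truncated")
        name = DEVICE_ID_OBJECTS.get(obj_id, f"Object{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        offset += 2 + obj_len
    return objects


def probe_ics_ports(host, timeout=2.0):
    """Return the ICS_PORTS that accept a TCP connection (one connect per port, no banner grab)."""
    open_ports = []
    for port in ICS_PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


def identify_modbus_device(host, port=502, timeout=2.0):
    """Send one Read Device Identification request over the network and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_device_id_request())
        return parse_device_id_response(sock.recv(260))


# Constructed sample replies for offline use; not captures from any real device.
SAMPLE_RESPONSE = (
    b"\x00\x01\x00\x00\x00\x21\xff"   # MBAP: tid 1, proto 0, length 33, unit 0xFF
    b"\x2b\x0e\x01\x01\x00\x00\x03"   # FC 43, MEI 14, basic, conformity 1, no more, next 0, 3 objects
    b"\x00\x08Acme PLC"               # VendorName
    b"\x01\x07PLC-100"                # ProductCode
    b"\x02\x04V2.1"                   # MajorMinorRevision
)
SAMPLE_EXCEPTION = b"\x00\x01\x00\x00\x00\x03\xff\xab\x01"  # 0xAB = 0x2B|0x80, code 1 = illegal function

if __name__ == "__main__":
    print(build_device_id_request().hex())
    print(parse_device_id_response(SAMPLE_RESPONSE))
    # Against a lab device (hypothetical address): print(identify_modbus_device("192.0.2.10"))
```

The request is a single 11-byte frame, so it is a low-risk probe compared with a full port scan, but it is still active traffic: run it only against devices in scope. The parser checks the MBAP length against the actual payload and bounds every object before slicing it, because a reply from an unknown device is untrusted input to the scanner as much as the scanner's probe is to the device.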

Metasploit

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. It also includes many ICS-oriented modules, such as the auxiliary/scanner/scada/modbusdetect and modbusclient modules for finding and interacting with Modbus devices, alongside exploits for specific ICS products.

Figure 8: PLCScan

You can also check this article on InfoSec Institute: https://resources.infosecinstitute.com/metasploit-cheat-sheet/

In this article, we gave a brief introduction to pentesting Industrial Control Systems. ICS security is a real issue and a big open question today, and it needs to improve if critical attacks are to be avoided. The most significant attack to note is the Stuxnet malware, which targeted the Iranian uranium enrichment facility at Natanz and physically damaged a large number of centrifuges by manipulating the Siemens S7 PLCs that controlled their drives. In the next articles, we will go deeper into ICS/SCADA Security,