SCADA Hacking – Industrial Systems Woefully Insecure

Use Netsparker


It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants, refineries and all kinds of other powerful and dangerous things.

SCADA Hacking - Industrial Systems Woefully Insecure

The latest talk given on the subject shows with just 4 lines of code and a small hardware drop device a SCADA based facility can be effectively DoSed by sending repeated shutdown commands to suscpetible systems.


Industrial control systems could be exposed not just to remote hackers, but to local attacks and physical manipulation as well.

A presentation at last week’s BSides conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.

The talk – Hacking SCADA: How We Attacked a Company and Lost them £1.6M with Only 4 Lines of Code – reviewed 25 years of industrial control kit, going back to the days of proprietary equipment and X21 connections before discussing proof-of-concept attacks.

Mike Godfrey, chief exec at INSINIA, told El Reg that industrial control kit has long been developed with safety, longevity and reliability in mind. Historically everything was “air-gapped” but this has changed as the equipment has been adapted to incorporate internet functionality. This facilitates remote monitoring without having to physically go around and take readings and check on devices, which are often as not in hazardous environments.


It was ok before everything started getting wired up to networks, but with SCADA systems pre-dating the kind of security controls we need to stay safe, it’s hard to retrofit them.

Especially with the control software being on outdated versions of Windows dating back to Windows 98, which is so easily popped it’s laughable (and in this case, scary).

Industrial control systems run water supply, power grid and gas distribution systems as well as factories, building management systems and more. INSINIA has developed test rigs to assess the effectiveness of real-world systems that the security consultancy is asked to check. Testing attacks such as spoofing on real-world systems is likely to bring things down, Godfrey added.

Denial-of-service in industrial control environments is easy and fuzzing (trying a range of inputs to see which causes an undesigned effect) also offers a straightforward way to uncover hacks.

INSINIA has developed a device that automatically scans networks and shuts down components. The “weaponised” Arduino micro-controller looks like a regular programmable logic controller (PLC) to other devices on the network. If it is physically planted on a targeted environment, it can quickly enumerate networks before sending stop commands. It can “kill industrial processes with only four lines of code”, according to Godfrey.

He added that it wouldn’t be possible to apply a simple reset in the event of such an attack, so a targeted environment could be taken down again and again.

BSides presentations are often accompanied by the release of proof-of-concept code but the software here exploits systemic vulnerabilities that are unlikely to be resolved any time soon, so INSINIA is not releasing the tech even to its ethical hacker peers.

Godfrey said that for industrial control plants, keeping the processes running is the prime concern. He claimed many plants “self-insure” to cover for the losses and disruption caused by security incidents, which he said already happen on an under-publicised scale.

In this case not releasing the code is a good idea as these systems are not likely to get updated ever, the more likely move forward is to decomission them and replace them with more modern, native network connected systems or even cloud based controllers – which is the direction Industrial IoT is moving in.

It’s an area which is lagging far behind other industries and is ripe for nation state attacks, if you can take another countries power grid offline, that’s a pretty significant win.

Source: The Register

Posted in: Exploits/Vulnerabilities


Latest Posts:


Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.


Comments are closed.