SCADA Hacking – Industrial Systems Woefully Insecure


It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants, refineries and all kinds of other powerful and dangerous things.

The latest talk on the subject shows that, with just 4 lines of code and a small hardware drop device, a SCADA-based facility can be effectively DoSed by sending repeated shutdown commands to susceptible systems.


Industrial control systems could be exposed not just to remote hackers, but to local attacks and physical manipulation as well.

A presentation at last week’s BSides conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.

The talk – Hacking SCADA: How We Attacked a Company and Lost them £1.6M with Only 4 Lines of Code – reviewed 25 years of industrial control kit, going back to the days of proprietary equipment and X21 connections before discussing proof-of-concept attacks.

Mike Godfrey, chief exec at INSINIA, told El Reg that industrial control kit has long been developed with safety, longevity and reliability in mind. Historically everything was “air-gapped” but this has changed as the equipment has been adapted to incorporate internet functionality. This facilitates remote monitoring without having to physically go around and take readings and check on devices, which are as often as not in hazardous environments.


It was ok before everything started getting wired up to networks, but with SCADA systems pre-dating the kind of security controls we need to stay safe, it’s hard to retrofit them.

Especially with the control software being on outdated versions of Windows dating back to Windows 98, which is so easily popped it’s laughable (and in this case, scary).

Industrial control systems run water supply, power grid and gas distribution systems as well as factories, building management systems and more. INSINIA has developed test rigs to assess the effectiveness of real-world systems that the security consultancy is asked to check. Testing attacks such as spoofing on real-world systems is likely to bring things down, Godfrey added.

Denial-of-service in industrial control environments is easy and fuzzing (trying a range of inputs to see which causes an undesigned effect) also offers a straightforward way to uncover hacks.

INSINIA has developed a device that automatically scans networks and shuts down components. The “weaponised” Arduino micro-controller looks like a regular programmable logic controller (PLC) to other devices on the network. If it is physically planted on a targeted environment, it can quickly enumerate networks before sending stop commands. It can “kill industrial processes with only four lines of code”, according to Godfrey.

He added that it wouldn’t be possible to apply a simple reset in the event of such an attack, so a targeted environment could be taken down again and again.
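The two behaviours described above (one source enumerating many controllers, then hammering one of them with stop commands) are exactly what a defender can watch for on a plant network. The following is an added example, not code from the talk or from INSINIA: it runs a simple detector over a constructed, assumed-format log of ICS commands (timestamp, source, destination, command) and flags sources outside an assumed asset inventory that scan several controllers or issue repeated STOP commands.

```python
"""Detection example (added, not from the original article): flag a rogue device that
enumerates controllers and sends repeated stop commands. Log format, IPs, command
names and the authorised-source inventory are all assumptions for this example."""
from collections import defaultdict

# Constructed sample log: "<time> <src> <dst> <command>" (not a real capture)
SAMPLE_LOG = """\
10:00:01 10.0.5.20 10.0.5.101 READ
10:00:02 10.0.5.20 10.0.5.102 READ
10:00:10 10.0.5.77 10.0.5.101 IDENT
10:00:10 10.0.5.77 10.0.5.102 IDENT
10:00:10 10.0.5.77 10.0.5.103 IDENT
10:00:10 10.0.5.77 10.0.5.104 IDENT
10:00:11 10.0.5.77 10.0.5.103 STOP
10:00:12 10.0.5.77 10.0.5.103 STOP
10:00:13 10.0.5.77 10.0.5.103 STOP
"""

# Assumed inventory: the only hosts (HMI / engineering station) allowed to command PLCs
AUTHORISED_SOURCES = {"10.0.5.20"}
SCAN_THRESHOLD = 3   # distinct controllers touched by one source => enumeration
STOP_THRESHOLD = 2   # STOP commands from one source to one controller => repeated stop

def parse(log_text):
    """Split each log line into (time, src, dst, command) tuples."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]

def analyse(records):
    """Return a list of alert strings for the three conditions described above."""
    targets = defaultdict(set)   # src -> set of controllers it talked to
    stops = defaultdict(int)     # (src, dst) -> number of STOP commands
    alerts = []
    for ts, src, dst, cmd in records:
        targets[src].add(dst)
        if cmd == "STOP":
            stops[(src, dst)] += 1
            if src not in AUTHORISED_SOURCES:
                alerts.append(f"{ts} unauthorised STOP from {src} to {dst}")
    for src, dsts in targets.items():
        if src not in AUTHORISED_SOURCES and len(dsts) >= SCAN_THRESHOLD:
            alerts.append(f"enumeration: {src} touched {len(dsts)} controllers")
    for (src, dst), n in stops.items():
        if n >= STOP_THRESHOLD:
            alerts.append(f"repeated STOP: {src} sent {n} stops to {dst}")
    return alerts

if __name__ == "__main__":
    for alert in analyse(parse(SAMPLE_LOG)):
        print(alert)
```

On a real network the inventory would come from the asset register and the log from a passive ICS protocol monitor; the thresholds are deliberately low because legitimate control traffic on a plant floor is usually very regular.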

BSides presentations are often accompanied by the release of proof-of-concept code but the software here exploits systemic vulnerabilities that are unlikely to be resolved any time soon, so INSINIA is not releasing the tech even to its ethical hacker peers.

Godfrey said that for industrial control plants, keeping the processes running is the prime concern. He claimed many plants “self-insure” to cover for the losses and disruption caused by security incidents, which he said already happen on an under-publicised scale.

In this case not releasing the code is a good idea, as these systems are not likely to ever get updated. The more likely way forward is to decommission them and replace them with more modern, natively network-connected systems or even cloud-based controllers, which is the direction Industrial IoT is moving in.

It’s an area which is lagging far behind other industries and is ripe for nation-state attacks: if you can take another country’s power grid offline, that’s a pretty significant win.

Source: The Register

Posted in: Exploits/Vulnerabilities
