Pentesting ICS Systems
Security of ICS systems is one of the most critical issues of this last year.
In this article, we will have a brief introduction to ICS systems, risks, and finally, methodology and tools to pentest ICS based systems
What should you learn next?
Introduction
Industrial control system (ICS) is a term that includes many types of control systems and instrumentation used in industrial production, such as supervisory control and data acquisition systems (SCADA), distributed control systems (DCS) and other components like programmable logic controllers (PLC).
ICS typically used in industries such as electrical, oil, or gas.
Figure 1: Illustration of a control panel of an ICS
Components of an ICS
The most important components of an ICS are:
- Sensors and Actuators: Communication with the physical world
- Local HMI (Human Machine Interface): Supervision and Control
- RTU: Remote Terminal Unit
- PLC: Programmable Logic Controller
- IED: Intelligent Electronic Device
- Supervisor: Process Supervision
- Data Historian: Recording of all information at the production / SCADA level
What is a PLC?
A programmable logic controller (PLC), is an industrial (digital) computer which has been adapted for the control of manufacturing processes. It is one of the most important components of pentesting ICS.
Figure 2: Example of a PLC - Siemens s7-1200
Why ICS are the perfect target?
Industrial control systems are one of the most favorite targets of the hackers because of many points:
- Easy targets: Lack of security training = Easy social engineering
- No security measures
- Out-dated OS
- No security policy
- Default passwords
- Default configuration
- No patch management policy
- Perfect target for hacktivists
Risks of ICS
There are many risks of ICS the most critical ones are:
- Social Engineering
- Hacking & Cracking
- Denial of Service
- Virus & Malware
- Weak policies
- Physical risk
- Vulnerabilities in OS/APP
Pentest methodology of ICS
Figure 3: Methodology of pentesting ICS
The first step in pentesting ICS is the reconnaissance. In this step, we will try to gather the maximum information about the target from public resources and search engines (Google Hacking, Shodan.io …) that will help us to perform our attack on the target.
The second step consists of scanning the target to gather the services and open ports on the target to exploit potential vulnerabilities present in this ones.
The third step is the enumeration, which is the process to gather information about usernames, groups, machines and servers name, network resources and shares on the targeted network.
Then we can start disrupting our target with attacks like Denial of service, or infect the target with techniques such like:
- Inject Malware
- Escalate Privileges
- Open Backdoors
- Persistence
Tools to pentest ICS
Shodan
Shodan is a powerful search engine that use bots to find specific types of computers (CCTV, routers, PLC, Servers, etc.) connected to the internet (With the option to use filters).
Shodan provides very useful information (easily) for hackers, like banners, metadata, and testing default passwords.
Figure 4: Shodan.io
Diggity tools
SearchDiggity is the attack tool of the Google Hacking Diggity Project which contains many modules that exploit search engines to find useful information.
Figure 5: Modules of SearchDiggity
You can also check this article present on InfoSec Institute:
https://resources.infosecinstitute.com/search-engine-hacking-manual-and-automation/
NMAP
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
It's considered as the most powerful scanner in the market due to he's multitude of options.
Figure 6: Nmap
You can also check this article present on InfoSec Institute:
https://resources.infosecinstitute.com/nmap-cheat-sheet/
PLCSCAN
PLCScan is python script that checks the availability of two interesting ports, TCP 102 and TCP 502, then, it will call other scripts based on the port. By example, if it discovers the TCP 502 open, it will call the Modbus functions, to collect information like the device identification.
Figure 7: PLCScan
Metasploit
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. It also includes many exploit-oriented ICS.
Figure 8: PLCScan
You can also check this article present on InfoSec Institute: https://resources.infosecinstitute.com/metasploit-cheat-sheet/
Conclusion
In this article, we had a brief introduction about pentesting Industrial Control Systems.
ICS security is real issue and a big question mark nowadays that need to be improved to avoid critical attacks.
The most significant attack that we can note is the Stuxnet malware, which attacked the Iranian Nuclear facilities and caused the explosion of many centrifuges.
What should you learn next?
In the next articles, we will go deeper into ICS/SCADA Security,