Penetration testing

Pentesting ICS Systems

Kondah Hamza
December 12, 2016 by
Kondah Hamza

Security of ICS systems is one of the most critical issues of this last year.

In this article, we will have a brief introduction to ICS systems, risks, and finally, methodology and tools to pentest ICS based systems

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.


Industrial control system (ICS) is a term that includes many types of control systems and instrumentation used in industrial production, such as supervisory control and data acquisition systems (SCADA), distributed control systems (DCS) and other components like programmable logic controllers (PLC).

ICS typically used in industries such as electrical, oil, or gas.

Figure 1: Illustration of a control panel of an ICS

Components of an ICS

The most important components of an ICS are:

  • Sensors and Actuators: Communication with the physical world
  • Local HMI (Human Machine Interface): Supervision and Control
  • RTU: Remote Terminal Unit
  • PLC: Programmable Logic Controller
  • IED: Intelligent Electronic Device
  • Supervisor: Process Supervision
  • Data Historian: Recording of all information at the production / SCADA level

What is a PLC?

A programmable logic controller (PLC), is an industrial (digital) computer which has been adapted for the control of manufacturing processes. It is one of the most important components of pentesting ICS.

Figure 2: Example of a PLC - Siemens s7-1200

Why ICS are the perfect target?

Industrial control systems are one of the most favorite targets of the hackers because of many points:

  • Easy targets: Lack of security training = Easy social engineering
  • No security measures
  • Out-dated OS
  • No security policy
  • Default passwords
  • Default configuration
  • No patch management policy
  • Perfect target for hacktivists

Risks of ICS

There are many risks of ICS the most critical ones are:

  • Social Engineering
  • Hacking & Cracking
  • Denial of Service
  • Virus & Malware
  • Weak policies
  • Physical risk
  • Vulnerabilities in OS/APP

Pentest methodology of ICS

Figure 3: Methodology of pentesting ICS

The first step in pentesting ICS is the reconnaissance. In this step, we will try to gather the maximum information about the target from public resources and search engines (Google Hacking, …) that will help us to perform our attack on the target.

The second step consists of scanning the target to gather the services and open ports on the target to exploit potential vulnerabilities present in this ones.

The third step is the enumeration, which is the process to gather information about usernames, groups, machines and servers name, network resources and shares on the targeted network.

Then we can start disrupting our target with attacks like Denial of service, or infect the target with techniques such like:

  • Inject Malware
  • Escalate Privileges
  • Open Backdoors
  • Persistence

Tools to pentest ICS


Shodan is a powerful search engine that use bots to find specific types of computers (CCTV, routers, PLC, Servers, etc.) connected to the internet (With the option to use filters).

Shodan provides very useful information (easily) for hackers, like banners, metadata, and testing default passwords.

Figure 4:

Diggity tools

SearchDiggity is the attack tool of the Google Hacking Diggity Project which contains many modules that exploit search engines to find useful information.

Figure 5: Modules of SearchDiggity

You can also check this article present on InfoSec Institute:


Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.

It's considered as the most powerful scanner in the market due to he's multitude of options.

Figure 6: Nmap

You can also check this article present on InfoSec Institute:


PLCScan is python script that checks the availability of two interesting ports, TCP 102 and TCP 502, then, it will call other scripts based on the port. By example, if it discovers the TCP 502 open, it will call the Modbus functions, to collect information like the device identification.

Figure 7: PLCScan


The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Its best-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. It also includes many exploit-oriented ICS.

Figure 8: PLCScan

You can also check this article present on InfoSec Institute:


In this article, we had a brief introduction about pentesting Industrial Control Systems.

ICS security is real issue and a big question mark nowadays that need to be improved to avoid critical attacks.

The most significant attack that we can note is the Stuxnet malware, which attacked the Iranian Nuclear facilities and caused the explosion of many centrifuges.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

In the next articles, we will go deeper into ICS/SCADA Security,

Kondah Hamza
Kondah Hamza

Kondah Hamza is an expert in it security and a Microsoft MVP in enterprise security. He is also involved with various organizations to help them in strengthening of their security. Today, he offers his services mainly as Consultant, Auditor/Pentester and Independent Trainer with