While i was in Dubai, i got a chance to visit one of our customers who was using SCADA. Back then, it was so new to me and i have no idea of how to actually audit it. Back here in Singapore, i got another chance to actually test and audit SCADA systems and this time round, i found a way to actually break the application and network apart. However, i have to be very careful during the audit, as one wrong move may affect the whole of Singapore.
So what is SCADA? SCADA stands for Supervisory Control and Data Acquisition and they are the systems that deliver water, power supply, gas and some other items to your home. Check out http://en.wikipedia.org/wiki/SCADA if you would love to read more about it. There had been incidents where SCADA systems had been hacked and information was stolen by terrorist. Also, internet worms like the Slammer worm also affected the systems and cause a total DoS. Why is all these happening? All i can say is either because those systems are exposed to the internet or they are using proprietary protocols and they think that they are safe from hackers and doesnt care about it. Those people working in SCADA are so wrong, they doesnt bother about security at all, and i guess its because something disturbing might have happen and only then they start to panic and need people like us to audit their systems.
SCADA uses their own proprietary protocols like DNP3, OPC, Modbus, DCS, etc, and its possible to use Wireshark to actually monitor the traffic and see how the handshaking process work. By observing the handshake, i realised that it was possible to perform man in the middle attacks, but of course would require developing of some tools to perform the job. Some other attacks that are possible include DoS, capturing of username and password, injecting worms and virus and many other old school techniques.
The problems with SCADA:
1. Windows & Linux Vulnerabilities
2. Not patched regularly – maximum uptime needed
3. Denial of Service Attack
4. Continuous string of reboot command
5. No Authentication
6. No Accounting
7. Traffic sent in clear text (username & password)
8. No encryption
To Pentest on SCADA systems, you can do the following:
1. Port Scanning
2. OS Fingerprinting
3. Vulnerability Scanning
5. Credentials Guessing
Of course there are many other possibilities for pentesting SCADA systems. I for sure want another session with SCADA because it is so fun having to touch on mission critical systems that can affect the whole country. There are tons and tons of possibilities and problems with SCADA and i have just outline a few obvious ones. Of course, you got to be in the SCADA environment if you actually want to discover more possibilities, but then again, do we have such chances everyday?
The Hacka Man