Workshop ICS Pentest 101: A Junior’s View

Last month I attended Brucon 2017, the leading Belgian security conference, held at the University of Ghent. The conference offers talks by renowned speakers, and you can get your hands dirty in a variety of workshops. I attended ‘ICS Pentest 101’ by Arnaud Soullié and Alexandrine Torrents from Wavestone, a French consulting company. Since I had no prior knowledge of SCADA and Industrial Control Systems (ICS) whatsoever, I was on unfamiliar ground.

I tried to imagine beforehand what pentesting ICS and SCADA systems would look like: some Hollywood-style hacker plots came to mind, like scenes from ‘Mr. Robot’, in which hackers easily take control of machine rooms, robots, elevators and ventilation systems using rather unrealistic hacking methods.
I did not realise those scenes weren’t too far from the truth.

First, Alexandrine gave an introduction to how these systems actually work. She showed us how Programmable Logic Controllers (PLCs) from well-known manufacturers, such as Siemens and Schneider, function. She provided us with virtual machines to experiment with, and we played around with simulated PLC software.
In Mr. Robot, when Elliot wants to take control of a factory or power plant, he simply needs to physically plug into the network where all the PLCs are placed to gain control over the machines. Because there is no data encryption or any form of authentication, he can intercept the traffic being sent to the machines and tamper with it on the fly.
This is exactly what we experienced during the workshop. We intercepted network data with Wireshark and edited it to change a machine’s behaviour. We also learned to attack the unpatched PLC itself to take control of the system.

If these systems were critical for safety, holy *%!
