How Industrial Control Systems are easily Hacked?

Rakesh Krishnan
8 min read · Dec 3, 2020

NOTE: This tutorial only focuses on the Exploration, Exploitation and Attack Vectors carried out using the MODBUS Protocol. Some of the networks described in this article were accessed only for EDUCATIONAL PURPOSES and left untouched, causing no harm to the accessed network.

With the adoption of the Internet in the 1980s, many complex tasks were digitized, and nearly every piece of daily work began to involve Computers & the Internet, which became an inevitable factor. Industrial Control Systems were no exception and began this progress a few decades ago. Systems like Power Supply & Generation, Water Treatment, Industrial Manufacturing, Uranium Enrichment etc are some of the real-world case studies that rely on SCADA Systems.

Old Nuke Reactor: Kenneth Camaro | Source: DeviantArt

ICS is an umbrella term that refers to various control systems such as SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), PLC (Programmable Logic Controller), BMS (Building Management System) etc. Most of the strenuous tasks came to be carried out with a few keyboard clacks, which resulted in greater optimization of scheduled tasks with utmost precision.

In order to manage different appliances and build a customized set of tasks, a seamless communication protocol is necessary to pass on the values so that the automated work can self-adjust. There came the invention of the MODBUS Protocol. The primary aim of “Information Passage” had been successfully taken care of, but the SECURITY element was missing/skipped. Over the years, as Targeted Cyber Attacks began to gain more traction, this loophole began to expand, which ultimately resulted in various Cyber Attack Campaigns.

MODBUS is an open communication protocol developed by Modicon (later acquired by Schneider Electric) in 1979. It became a means to connect industrial electronic devices based on a Master/Slave Architecture. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard MODBUS network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247.

The MODBUS protocol can be implemented on top of several different communication networks, including serial lines, TCP/IP and UDP.

Note:- We are not detailing the functionalities or implementation of the MODBUS Protocol; refer to Wikipedia or Modbus.org to know more!

Let’s inspect the main MODBUS Protocol Vulnerabilities:-

>All MODBUS communication occurs in plaintext, so the protocol ultimately lacks Confidentiality.
>There are no Integrity checks built into the MODBUS protocol, so anyone who can snoop on the network can also inject the instructions they desire.
>There is no Authentication at any level of the MODBUS Protocol, which allows a remote attacker to join the session and cripple the infrastructure with crafted packets.
>Attacks like Denial of Service (DoS) or Buffer Overflow are effective, as they bring the entire infrastructure to a halt.
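As an added illustration of those missing layers (this is not code from the original article), the following Python parses Modbus/TCP frames and flags write requests from any host that is not on an allow-list of known masters: the MBAP header carries no authentication or integrity field, so only the network layer can tell a legitimate master apart from anyone else. The frames and IP addresses are constructed sample values.

```python
import struct

# Function codes that change PLC state; read codes (1-4) are left out on purpose.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into its 7-byte MBAP header and the PDU.
    Note what is absent: no authentication field, no MAC, no nonce."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": frame[7], "data": frame[8:]}

def audit_frames(packets, allowed_masters):
    """Return one alert per write request whose source is not an allow-listed master.
    packets: iterable of (source_ip, raw_frame); allowed_masters: set of source IPs.
    Because Modbus itself cannot tell masters apart, the network layer has to."""
    alerts = []
    for src, frame in packets:
        pdu = parse_modbus_tcp(frame)
        fc = pdu["function_code"]
        if fc in WRITE_FUNCTION_CODES and src not in allowed_masters:
            # For FC 5/6/15/16 the first two data bytes are the starting address.
            (address,) = struct.unpack(">H", pdu["data"][:2])
            alerts.append({"src": src, "unit_id": pdu["unit_id"], "function_code": fc,
                           "name": WRITE_FUNCTION_CODES[fc], "address": address})
    return alerts

# Constructed sample traffic (assumed values, not captured from any real plant).
SAMPLE_PACKETS = [
    # Known master reads 10 holding registers starting at 0 (FC 3): no alert.
    ("10.0.0.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Unknown host writes 0xFFFF into holding register 1 (FC 6): alert.
    ("10.0.0.99", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x01\xff\xff"),
    # Known master writes one register via FC 16: allowed, no alert.
    ("10.0.0.10", b"\x00\x03\x00\x00\x00\x09\x01\x10\x00\x00\x00\x01\x02\x00\x10"),
]

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_PACKETS, {"10.0.0.10"}):
        print(alert)
```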

From the points listed above, it is evident that critical infrastructure is an easy target for an attacker to compromise. This is one of the prime reasons for the Ransomware Attacks instigated by well-known gangs like SNAKE (EKANS) or MAZE in order to profit. In worst-case scenarios, backup systems are also taken down by the attackers to eliminate any chance of sysadmins bringing the system back online.

The first and foremost reason these systems get infected is the maximized visibility of the control systems, which attackers can accumulate effortlessly via Reconnaissance using tools such as Wireshark or Fiddler. This is primarily achieved by scanning the target endpoints and querying the various services they expose.

Following are some examples of exposed networks to which I had gained access (I did not alter anything, as the intention is legitimate):-

CASE 1:

Network Access Panel including MODBUS

This is a Control Panel of a Service Provider based in the US. One notable thing here is that sensitive fields like Encryption, Terminal Server Relay, SNMP, MODBUS, Network Stats etc are subject to change. An attacker who gains access to such a network can inspect incoming requests, which include the company’s intranet or Telnet Servers etc, and leverage them for lateral movement to expand attack vectors and cause a data breach.

File Upload Service

In the same network, the Upload File functionality is also enabled without proper security; an attacker can easily attach ransomware programs that are then sifted through the corporate network, immobilizing the targeted Control Plants.

User Data Listed

User Data is also available in the same network, which helps the attacker orchestrate the attack: observing the IPs and weaponizing them for a Proxy Attack, reading the Configuration file to track measurement changes, selling access stealthily on underground networks etc.

CASE 2:

Access Panel

This is another SCADA network, located in Thailand. Like other control panels, various options like Routing, Firewall, VPN, Serial Server etc are available to anyone who gains access to this internal network.

Another interesting fact is the existence of System Logs, which are generally sold on Dark Web Marketplaces. As the “Download” option is available, an attacker can download them and covertly learn the network behavior for a larger infection rate.

System Monitor Log

Note: These logs are (often) catalogued in Botnet Attacks and supplied to various like-minded geeks underground. Access to a larger network would help the adversary launch Cyber Attack Campaigns, which are eventually exposed by security researchers months after their activation.

CASE 3:

SMA Cluster Controller of a Japanese Entity

This is another major SCADA (Electrical) System, located in Japan. From the image, it is evident that it is a Cluster Controller with various instances, and sensitive controls like Temperature, Voltage or Pressure can be accessed.

File Export Option

All the measurements can be exported to an XML file from the panel without any security features.

Radiation Control

This specifies the maximum and minimum Radiation limits set on the Electrical Control Cluster, which can be changed by the adversary.

MODBUS Control Configuration

MODBUS Controls and files are also hosted here.

Event Log

This is the Event Log of the Cluster where instruction sets are sent to respective Port Numbers.

Status of Power Plant

It was also found that administrative privileges are listed in the network, where anyone can change and alter the Electric Plant measurements. There are more controls like State Measures, FTP Access and other sensitive exposures, which we are not delving into at this moment.

CASE 4:

Internal System Status Panel

Another Broadcasting OT System, from South Korea, got exposed due to a faulty MODBUS implementation.

Internal Readings of various frequency channels

These readings are usually passed via MODBUS protocol to various appliances to perform various scheduled tasks.

SSL Control Panel

SSL Information is configurable, which enables attackers to select obsolete SSL Versions in order to make the system vulnerable to future attacks. For example, enabling SSL v2 would downgrade the SSL versions and make attacks like DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) possible.

From the case studies listed above, it is observable that Industrial Control Systems (from the MODBUS Protocol point of view) are highly vulnerable to exploitation in their default settings. This opens innumerable attack vectors such as Data Breach, Access Selling on Dark Web Marketplaces, adding the compromised network to an existing malicious Botnet to orchestrate future attacks such as DDoS or disruption of the functioning Plants, Ransomware Attacks, Cryptomining within industrial controls for greater profit etc.

Note: All the major PLC makers like Siemens, Schneider Electric, ABB, Rockwell, Emerson, etc create MODBUS-compatible hardware. Hence the vulnerabilities of MODBUS automatically make new devices vulnerable if the default settings are not purged.

OUTDATED PROTOCOLS IN ICS

There are various outdated/less secure protocols in use in various ICS plants. Some of them are:-

DNP3: Distributed Network Protocol, a set of protocols used for electrical grid automation. Designed for SCADA applications, the protocol optimizes the transmission of data acquisition information and control commands between masters (Control Centers) and outstations (Remote Terminals) using event-driven data reporting. A malformed frame can crash the receiving process or drive it into an infinite loop, rendering the entire device inoperable.

HART-IP: Highway Addressable Remote Transducer over IP, which carries HART to devices over Ethernet. HART can run over 4–20mA analog wiring, making it a popular transition protocol for organizations that had previously deployed analog wiring. HART is often used in the field as a means to provide configuration and diagnostic information to remote devices. This protocol has no built-in security.

BACnet: The BACnet protocol defines a number of services that are used to communicate between building devices. The protocol services include Who-Is, I-Am, Who-Has and I-Have, which are used for Device and Object discovery. Services such as Read-Property and Write-Property are used for data sharing. There are many online platforms for BACnet reconnaissance, such as BACnet Explorer.

KEY TAKEAWAYS

>Do not expose your sensitive network so that it appears in a Shodan/Censys Search
>Do not run the MODBUS service on the default Port #502, which makes it easily discoverable
>Change the default password set on the panel
>Implement password protection in internal networks, for example when downloading reports

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

Note:- The Article is purely an Individual Research and is not subjected to be used/published anywhere in any form without the Author’s consent.


Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.