Pentesting ICS Systems
Security of ICS systems is one of the most critical issues of this last year.
In this article, we will have a brief introduction to ICS systems, risks, and finally, methodology and tools to pentest ICS based systems
FREE role-guided training plans
Introduction
Industrial control system (ICS) is a term that includes many types of control systems and instrumentation used in industrial production, such as supervisory control and data acquisition systems (SCADA), distributed control systems (DCS) and other components like programmable logic controllers (PLC).
ICS typically used in industries such as electrical, oil, or gas.
Figure 1: Illustration of a control panel of an ICS
Components of an ICS
The most important components of an ICS are:
- Sensors and Actuators: Communication with the physical world
- Local HMI (Human Machine Interface): Supervision and Control
- RTU: Remote Terminal Unit
- PLC: Programmable Logic Controller
- IED: Intelligent Electronic Device
- Supervisor: Process Supervision
- Data Historian: Recording of all information at the production / SCADA level
What is a PLC?
A programmable logic controller (PLC), is an industrial (digital) computer which has been adapted for the control of manufacturing processes. It is one of the most important components of pentesting ICS.
Figure 2: Example of a PLC - Siemens s7-1200
Why ICS are the perfect target?
Industrial control systems are one of the most favorite targets of the hackers because of many points:
- Easy targets: Lack of security training = Easy social engineering
- No security measures
- Out-dated OS
- No security policy
- Default passwords
- Default configuration
- No patch management policy
- Perfect target for hacktivists
Risks of ICS
There are many risks of ICS the most critical ones are:
- Social Engineering
- Hacking & Cracking
- Denial of Service
- Virus & Malware
- Weak policies
- Physical risk
- Vulnerabilities in OS/APP
Pentest methodology of ICS
Figure 3: Methodology of pentesting ICS
The first step in pentesting ICS is the reconnaissance. In this step, we will try to gather the maximum information about the target from public resources and search engines (Google Hacking, Shodan.io …) that will help us to perform our attack on the target.
The second step consists of scanning the target to gather the services and open ports on the target to exploit potential vulnerabilities present in this ones.
The third step is the enumeration, which is the process to gather information about usernames, groups, machines and servers name, network resources and shares on the targeted network.
Then we can start disrupting our target with attacks like Denial of service, or infect the target with techniques such like:
- Inject Malware
- Escalate Privileges
- Open Backdoors
- Persistence
Tools to pentest ICS
Shodan
Shodan is a powerful search engine that use bots to find specific types of computers (CCTV, routers, PLC, Servers, etc.) connected to the internet (With the option to use filters).
Shodan provides very useful information (easily) for hackers, like banners, metadata, and testing default passwords.
Figure 4: Shodan.io
Diggity tools
SearchDiggity is the attack tool of the Google Hacking Diggity Project which contains many modules that exploit search engines to find useful information.
Figure 5: Modules of SearchDiggity
You can also check this article present on InfoSec Institute: https://resources.infosecinstitute.com/search-engine-hacking-manual-and-automation/
NMAP
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
It's considered as the most powerful scanner in the market due to he's multitude of options.
Figure 6: Nmap
You can also check this article present on InfoSec Institute:
https://resources.infosecinstitute.com/nmap-cheat-sheet/
PLCSCAN
PLCScan is python script that checks the availability of two interesting ports, TCP 102 and TCP 502, then, it will call other scripts based on the port. By example, if it discovers the TCP 502 open, it will call the Modbus functions, to collect information like the device identification.
Figure 7: PLCScan
Metasploit
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. It also includes many exploit-oriented ICS.
Figure 8: PLCScan
You can also check this article present on InfoSec Institute: https://resources.infosecinstitute.com/metasploit-cheat-sheet/
Conclusion
In this article, we had a brief introduction about pentesting Industrial Control Systems.
ICS security is real issue and a big question mark nowadays that need to be improved to avoid critical attacks.
The most significant attack that we can note is the Stuxnet malware, which attacked the Iranian Nuclear facilities and caused the explosion of many centrifuges.
FREE role-guided training plans
In the next articles, we will go deeper into ICS/SCADA Security,
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Pentesting ICS Systems
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness