SCADA Strangelove

Last updated April 27, 2024

SCADA Strangelove is an independent group of information security researchers founded in 2012, focused on security assessment of industrial control systems (ICS) and SCADA.

Activities

Main fields of research include:

Discovery of 0-day vulnerabilities in cyber physical systems and coordinated vulnerability disclosure;
Security assessment of ICS protocols and development suites;
Identification of publicly Internet-connected ICS components and secure it with help of proper authorities;
Development of security hardening guides for ICS software;
Mapping cybersecurity on to functional safety;
Awareness control and delivery of information regarding the actual security state of ICS systems.

SCADA Strangelove's interests expand further than classic ICS components and covers various embedded systems, however, and encompass smart home components, solar panels, wind turbines, SmartGrid as well as other areas.

Projects

SCADA Strangelove team logo

Group members have and continue to develop and publish numerous open source tools for scanning, fingerprinting, security evaluation and password bruteforcing for ICS devices. These devices work over industrial protocols such as modbus, Siemens S7, MMS, ISO EC 60870, ProfiNet.^[1]

In 2014 Shodan used some of the published tools for building a map of ICS devices which is publicly available on the Internet.^[2]

Open source security assessment frameworks, such as THC Hydra,^[3] Metasploit,^[4] and DigitalBond Redpoint^[5] have used Shodan-developed tools and techniques.

The group has published security-hardening guidelines for industrial solutions^{[ buzzword ]} based on Siemens SIMATIC WinCC and WinCC Flexible.^[6] The guidelines contain detailed security configuration walk-throughs, descriptions of internal security features and appropriate best practices.

Among the group’s more noticeable projects is Choo Choo PWN (CCP) also named the Critical Infrastructure Attack (CIA). This is an interactive laboratory built upon ICS software and hardware used in real world. Every system is connected to a toy city infrastructure, which includes factories, railroads and other facilities. The laboratory has been demonstrated at various conferences including PHDays, Power of Community,^[7] and 30C3.

Primarily the laboratory is used for the discovery of new vulnerabilities and for evaluation of security mechanisms, however it is also used for workshops and other educational activities. At Positive Hack Days IV, contestants found several 0-day vulnerabilities in Indusoft Web Studio 7.1 by Schneider Electric, and in specific ICS hardware RTU PET-7000^[8] during the ICS vulnerability discovery challenge.

The group supports Secure Open SmartGrid (SCADASOS)^[9] project to find and fix vulnerabilities in intellectual power grid components such as photovoltaic power station, wind turbine, power inverter. More than 80 000 industrial devices were discovered and isolated from the Internet in 2015.^[10]

Appearances

Group members are frequently seen presenting at conferences like CCC, SCADA Security Scientific Symposium, Positive Hack Days.

Most notable talks are:

29C3

An overview of vulnerabilities discovered in the widely distributed Siemens SIMATIC WinCC software and tools that are implemented for searching ICS on the Internet.^[11]

PHDays

This talk consisted of an overview of vulnerabilities discovered in various systems produced by ABB, Emerson, Honeywell and Siemens and was presented at PHDays III^[12] and PHDays IV.^[13]

Confidence 2014

Implications of security research aimed at realization of various industrial network protocols^[14] Profinet, Modbus, DNP3, IEC 61850-8-1 (MMS), IEC (International Electrotechnical Commission) 61870-5-101/104, FTE (Fault Tolerant Ethernet), Siemens S7.

PacSec 2014

Presentations of security research^[15] showing the impact of radio and 3G/4G networks on the security of mobile devices as well as on industrial equipment.

31C3

Analysis of security architecture and implementation of the most wide spread platforms for wind and solar energy generation which produce many gigawatts of it.^[16]

32C3

Cybersecurity assessment of railway signaling systems such as Automatic Train Control (ATC), Computer-based interlocking (CBI) and European Train Control System (ETCS).^[17]

China Internet Security Conference 2016

In "Greater China Cyber Threat Landscape" keynote by Sergey Gordeychik an overview of vulnerabilities, attacks and cyber-security incidents in Greater China region was presented.^[18]

Recon 2017

In talk "Hopeless: Relay Protection for Substation Automation" by Kirill Nesterov and Alexander Tlyapov security analysis results of key Digital Substation component - Relay Protection Terminals was presented. Vulnerabilities, including remote code execution in Siemens SIPROTEC, General Electric Line Distance Relay, NARI and ABB protective relays was presented.^[19]

Philosophy

All names, catchwords and graphical elements refer to Stanley Kubrick’s film, Dr. Strangelove . In their talks, group members often refer to Cold War events such as the Caribbean Crisis, and draw parallels between nuclear arms race and the current escalation of cyberwar.

Group members follow the approach of “responsible disclosure” and “ready to wait for years, while vendor is patching the vulnerability”. Public exploits for discovered vulnerabilities are not published. This is on account of the longevity of ICS and by implication the long process of patching ICS. However, conflicts still happen, notably in 2012 when the talk at DEF CON ^[20] was called off due to a dispute of persistent weaknesses in Siemens industrial software.

Related Research Articles

A programmable logic controller (PLC) or programmable controller is an industrial computer that has been ruggedized and adapted for the control of manufacturing processes, such as assembly lines, machines, robotic devices, or any activity that requires high reliability, ease of programming, and process fault diagnosis.

SCADA is a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes. It also covers sensors and other devices, such as programmable logic controllers, which interface with process plant or machinery.

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data that appears to be a legitimate part of the site which contains information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.

<span class="mw-page-title-main">DNP3</span> Computer network protocol

Distributed Network Protocol 3 (DNP3) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies. Usage in other industries is not common. It was developed for communications between various types of data acquisition and control equipment. It plays a crucial role in SCADA systems, where it is used by SCADA Master Stations, Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs). It is primarily used for communications between a master station and RTUs or IEDs. ICCP, the Inter-Control Center Communications Protocol, is used for inter-master station communications. Competing standards include the older Modbus protocol and the newer IEC 61850 protocol.

A unidirectional network is a network appliance or device that allows data to travel in only one direction. Data diodes can be found most commonly in high security environments, such as defense, where they serve as connections between two or more networks of differing security classifications. Given the rise of industrial IoT and digitization, this technology can now be found at the industrial control level for such facilities as nuclear power plants, power generation and safety critical systems like railway networks.

An industrial control system (ICS) is an electronic control system and associated instrumentation used for industrial process control. Control systems can range in size from a few modular panel-mounted controllers to large interconnected and interactive distributed control systems (DCSs) with many thousands of field connections. Control systems receive data from remote sensors measuring process variables (PVs), compare the collected data with desired setpoints (SPs), and derive command functions that are used to control a process through the final control elements (FCEs), such as control valves.

CPLINK and Win32/CplLnk.A are names for a Microsoft Windows shortcut icon vulnerability discovered in June 2010 and patched on 2 August that affected all Windows operating systems. The vulnerability is exploitable when any Windows application that display shortcut icons, such as Windows Explorer, browses to a folder containing a malicious shortcut. The exploit can be triggered without any user interaction, regardless where the shortcut file is located.

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.

Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which is metadata that the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server.

Positive Hack Days (PHDays) is an annual international cybersecurity forum. It has been held by Positive Technologies since 2011. PHDays brings together IT and infosec experts, government officials, business representatives, students, and schoolchildren. The forum hosts talks and workshops on the most interesting information security topics, The Standoff cyberexercises, practical competitions in which participants analyze the security of industrial control systems, banking and mobile services, and web apps.

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. The term has become established to demonstrate the technological and functional differences between traditional information technology (IT) systems and industrial control systems environment, the so-called "IT in the non-carpeted areas".

LogicLocker, is a cross-vendor ransomware worm that targets Programmable Logic Controllers (PLCs) used in Industrial Control Systems (ICS). First described in a research paper released by the Georgia Institute of Technology, the malware is capable of hijacking multiple PLCs from various popular vendors. The researchers, using a water treatment plant model, were able to demonstrate the ability to display false readings, shut valves and modify Chlorine release to poisonous levels using a Schneider Modicon M241, Schneider Modicon M221 and an Allen Bradley MicroLogix 1400 PLC. The ransomware is designed to bypass weak authentication mechanisms found in various PLCs and lock out legitimate users while planting a logicbomb into the PLC. As of 14 February 2017, it is noted that there are over 1,400 of the same PLCs used in the proof-of-concept attack that were accessible from the internet as found using Shodan.

Havex malware, also known as Backdoor.Oldrea, is a Remote Access Trojan (RAT) employed by the Russian attributed APT group "Energetic Bear" or "Dragonfly". Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.

VPNFilter is malware designed to infect routers and certain network attached storage devices. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger. It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router. The FBI believes that it was created by the Russian Fancy Bear group. In February 2022, the CISA announced that a new malware called Cyclops Blink produced by Sandworm had replaced VPNFilter.

IntegraXor is a supervisory control and data acquisition (SCADA) and human-machine interface (HMI) software system developed by Ecava and first released in 2003.

SIMATIC is a series of programmable logic controller and automation systems, developed by Siemens. Introduced in 1958, the series has gone through four major generations, the latest being the SIMATIC S7 generation. The series is intended for industrial automation and production.

Overview

Raheem Beyah is an American computer engineer, researcher, and educator. As of January 15, 2021 he is the Dean of the College of Engineering and Southern Company Chair at the Georgia Institute of Technology. Prior to becoming the Dean, he was the vice president for Interdisciplinary Research and the Motorola Foundation Professor and the executive director of Georgia Tech's online masters in cyber security program. Beyah is also the co-founder and chair of industrial security company Fortiphyd Logic, Inc.

Pipedream is a software framework for malicious code targeting programmable logic controllers (PLCs) and industrial control systems (ICS). First publicly disclosed in 2022, it has been described as a "Swiss Army knife" for hacking. It is believed to have been developed by state-level Advanced Persistent Threat actors.

References

↑ GitHub: scada-tools (in English)
↑ Shodan ICSmap Archived 2015-02-21 at the Wayback Machine
↑ Changelog for hydra
↑ GitHub: wincc_harvester
↑ Redpoint Release: Siemens S7 Enumeration
↑ Siemens Simatic WinCC Flexible 2008 Security Hardening Guide
↑ [POC2013-TV] 실제 스카다 시스템, 2시간 만에 해킹당해
↑ Smart City Hacked at PHDays IV
↑ Secure Open SmartGrid (SCADASOS) Project
↑ Could hackers turn the lights out?
↑ SCADA STRANGELOVE or: How I Learned to Start Worrying and Love Nuclear Plants
↑ Positive Hack Days III
↑ Positive Hack Days IV
↑ SCADA deep inside: protocols and security mechanisms Archived 2014-12-19 at the Wayback Machine
↑ Root via SMS
↑ CCCTV: Too Smart Grid in da Cloud
↑ The Great Train Cyber Robbery
↑ Greater China Cyber Threat Landscape
↑ Vulnerable industrial controls directly connected to Internet? Why not?
↑ Siemens industrial software targeted by Stuxnet is still full of holes

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] GitHub: scada-tools (in English)

[2] Shodan ICSmap Archived 2015-02-21 at the Wayback Machine

[3] Changelog for hydra

[4] GitHub: wincc_harvester

[5] Redpoint Release: Siemens S7 Enumeration

[6] Siemens Simatic WinCC Flexible 2008 Security Hardening Guide

[7] [POC2013-TV] 실제 스카다 시스템, 2시간 만에 해킹당해

[8] Smart City Hacked at PHDays IV

[9] Secure Open SmartGrid (SCADASOS) Project

[10] Could hackers turn the lights out?

[11] SCADA STRANGELOVE or: How I Learned to Start Worrying and Love Nuclear Plants

[12] Positive Hack Days III

[13] Positive Hack Days IV

[14] SCADA deep inside: protocols and security mechanisms Archived 2014-12-19 at the Wayback Machine

[15] Root via SMS

[16] CCCTV: Too Smart Grid in da Cloud

[17] The Great Train Cyber Robbery

[18] Greater China Cyber Threat Landscape

[19] Vulnerable industrial controls directly connected to Internet? Why not?

[20] Siemens industrial software targeted by Stuxnet is still full of holes

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]