PART-1 / Exploring the Efficacy of Custom Scripts on ICS/SCADA: OT Security&Pentest

Hbayram-cyberianLogs
4 min read · May 12, 2024


Many ICS devices accept commands without authentication. Enumerating them maps the network and gathers information such as PLC type, model number, and firmware details.

According to the Dragos yearly OT security report, ransomware attacks against industrial organizations increased 50 percent over the previous year, and 70% of all ransomware attacks targeted 638 manufacturing entities across 33 unique manufacturing subsectors.

Industrial ransomware is currently trending and exploits well-known vulnerabilities. The primary methods of gaining initial access are phishing and targeting publicly accessible network assets such as VPN and RDP.

One of them is Pipedream (developed by the Chernovite threat group). It is a collection of tools for reconnaissance, manipulation, and disruption of PLCs, with a high offensive capability against ICS environments. Pipedream's utilities range from a remote shell capability on Omron PLCs to manipulating and disabling Schneider PLCs, enumerating OPC UA PLCs and the OT network, and exploiting a vulnerable ASRock driver. It can execute more than 30 known ICS attack techniques, as shown on the MITRE ICS Matrix.

APT actors are targeting ICS/SCADA devices: they establish initial access in an OT network to scan, compromise, and control specific devices.

As of the end of 2023, the most commonly used protocols/applications, which are automatically assigned a critical severity level when found exposed, can be scanned and mapped:

- BACnet (port 47808/udp)
- CODESYS (port 1200/tcp, port 2455/tcp)
- Rockwell Automation/Allen-Bradley (port 44818/tcp)
- EtherCAT (port 34980/udp)
- EtherNet/IP (port 44818/tcp)
- ICCP (port 102/tcp)
- MELSEC-Q (port 5007/tcp)
- Modbus (port 502/tcp)
- OMRON FINS (port 9600/udp)
- PC Worx (port 1962/tcp)
- ProConOS (port 20547/tcp)
- Siemens S7 (port 102/tcp)
- Tridium Niagara Fox (port 1911/tcp)

If critical assets are discoverable on the internet, they become open targets for APTs. Let's look at several of them from a reconnaissance standpoint. I will use Shodan queries by brand/vendor/application; for instance, PC Worx (the common programming, debugging and operating software for PLCs) uses port 1962/tcp. There are thousands of discoverable ports, and many of them are not filtered either.

port:1962, pcworx
sudo nmap --script=pcworx-info -p 1962 <host/s>

port:1911, product:"Niagara Fox"
sudo nmap --script=fox-info -p 1911 <host/s>

port:502, Schneider
sudo nmap --script=modicon-info -p 502 <host/s>

port:102, Siemens S7
sudo nmap --script=s7-enumerate -p 102 -sV <host/s>
sudo nmap --script=s7-info -p 102 <host/s>

port:44818, product:"Rockwell Automation/Allen-Bradley"
sudo nmap --script=enip-info -p 44818 <host/s>
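As an added example (not code from the original post), a small Python parser that takes the XML output of the scans above (`nmap -oX scan.xml ...`) and builds a defender-side exposure inventory from the PLC type, model and firmware fields the NSE scripts report, using the port list from this post as the severity table. The sample XML, host address and device values are constructed for the example.

```python
import xml.etree.ElementTree as ET

# (port, protocol) -> service, taken from the protocol list in this post;
# any open port in this table is treated as critical severity, as the post states.
ICS_PORTS = {
    (47808, "udp"): "BACnet", (1200, "tcp"): "CODESYS", (2455, "tcp"): "CODESYS",
    (44818, "tcp"): "EtherNet/IP (Rockwell/Allen-Bradley)", (34980, "udp"): "EtherCAT",
    (102, "tcp"): "Siemens S7 / ICCP", (5007, "tcp"): "MELSEC-Q",
    (502, "tcp"): "Modbus", (9600, "udp"): "OMRON FINS", (1962, "tcp"): "PC Worx",
    (20547, "tcp"): "ProConOS", (1911, "tcp"): "Tridium Niagara Fox",
}

# Constructed sample of `nmap -oX` output for a host that answered the
# s7-info and pcworx-info scripts; the address and device values are made up.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="102"><state state="open"/>
<script id="s7-info" output="">
<elem key="Module">6ES7 315-2EH14-0AB0</elem>
<elem key="Module Type">CPU 315-2 PN/DP</elem>
<elem key="Version">3.2.6</elem></script></port>
<port protocol="tcp" portid="1962"><state state="open"/>
<script id="pcworx-info" output="">
<elem key="PLC Type">ILC 150 ETH</elem>
<elem key="Firmware Version">3.5.2</elem></script></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
</ports></host></nmaprun>"""


def parse_inventory(xml_text):
    """Return one record per open ICS port, with whatever PLC details
    (type, model, firmware) the NSE script reported for it."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not an exposure
            key = (int(port.get("portid")), port.get("protocol"))
            if key not in ICS_PORTS:
                continue  # e.g. 443/tcp: not an ICS protocol from the list
            details = {e.get("key"): e.text
                       for s in port.findall("script") for e in s.findall("elem")}
            records.append({"host": addr, "port": key[0], "proto": key[1],
                            "service": ICS_PORTS[key], "severity": "critical",
                            "details": details})
    return records
```

Feed the output into your asset register or OT monitoring solution so each exposed controller gets an owner and a remediation ticket.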

Industrial technologies must comply with IEC standards and follow prominent guidance such as the SANS reports on ICS cybersecurity critical controls.

According to CISA, SANS, Phoenix Contact, and Dragos reports, several actions can be taken to protect OT security and ICS/SCADA devices. Here are the critical recommendations for devices and solutions to mitigate the risk, especially for those who operate devices on a public network:

- do not integrate components and systems into public networks; if you must, use a VPN
- set up a firewall, not only against external influences, but also to segment a network or to isolate a controller
- use a secure communication protocol: HTTPS (port 443)
- deactivate unneeded communication channels
- take Defense-in-Depth strategies into consideration when planning systems to protect your components, networks, and systems
- restrict access rights to those individuals for whom authorization is strictly necessary
- use the latest firmware version with up-to-date security software
- perform regular threat analyses
- enforce multifactor authentication for all remote access to ICS networks and devices
- update all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords
- leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors
- restrict the workstation from making outbound network connections, especially to internet services

Read PART-2: PART-2 / Exploring the Efficacy of Custom Reconnaissance on ICS/SCADA: OT Security&Pentest (Hbayram-cyberianLogs, Medium, May 2024)

Or on the website: PART-2 / Exploring the Efficacy of Custom Reconnaissance on ICS/SCADA: OT Security&Pentest (bayramh.wixsite.com)

PART-1 on the website: PART-1 / Exploring the Efficacy of Custom Scripts on ICS/SCADA: OT Security&Pentest (bayramh.wixsite.com)
