Intro
Industrial facilities have always been an attractive target for attackers. Previously, attacks on them were carried out to obtain a large ransom. Now, due to the geopolitical situation, hacktivists or the intelligence services of opposing countries can commit sabotage. And despite the significant efforts governments and organizations make to protect critical infrastructure from attacks, we can still find industrial devices connected directly to the Internet and accessible from anywhere on Earth.
In this article, I will show you examples of searches that detect industrial controllers and SCADA systems using the Netlas.io search engine. This knowledge will let specialists working at important facilities verify their own exposure, and researchers assess the security of a certain region or even a country.
SCADA systems
SCADA (supervisory control and data acquisition) systems are vital in industry. With them, production specialists can monitor the readings of numerous sensors and control machines, electric generators, and much more in real time. If an attacker gains access to such a panel, this will be the beginning of a sad end for the factory. To prevent this, it is important for a security specialist to know whether their SCADA is accessible from the Internet.
Siemens WinCC
The WinCC system from Siemens is one of the most popular SCADA systems in the world. What makes it attractive to attackers is its convenient web interface. And where there is a web interface, there are potential vulnerabilities.
To find WinCC with Netlas, use the following query in the Responses Search tool:
This will return you several hundred objects, most of which are related to the WinCC OA, WinCC Unified, and WinCC WebUX products.
Of course, all these objects are protected by a login form, which shields enterprises from curious individuals. However, the very fact that such an important object can be discovered on the global network creates a risk. Information security specialists are strongly advised to keep even the web interfaces of SCADA systems off the public Internet.
Industrial protocols
WinCC is the most popular system, but not the only one. To search for other SCADA systems, we will not write queries for specific products, but will simply search by protocol.
In most cases, industrial controllers are driven over the Modbus protocol (exceptions will be discussed a little later). Let’s create a simple query to search for all such objects:
Netlas stores responses for more than twenty thousand devices operating using this protocol:
This is a good result, but the objects found are of little use on their own. Let’s narrow the search down to products from a specific vendor. As an example, let’s take Schneider Electric, which produces industrial controllers and the software for them. The query in this case will look like this:
modbus.mei_response.objects.vendor:"Schneider Electric"
You can refine it further later: search by country, product, or company. All of these results will be Schneider controllers, most likely driven by a SCADA system.
Hardware
I already touched on the topic of industrial devices when it came to the Schneider Electric controllers. However, in the previous section we were mainly looking for SCADA systems. This time, the search will focus specifically on machinery and controllers.
Most of the examples in the next section relate to Siemens systems, since their components are the most common. You are not limited in any way in your research and can search for controllers from any vendor using Netlas.
Controllers
Let’s start by searching for the Siemens devices indexed by Netlas. To do this, use the following query:
This query will return the devices whose banner mentions Siemens.
In addition to Siemens, Netlas also contains responses from controllers of other vendors, for example Rockwell Automation:
*.banner:"Rockwell Automation"
To find a specific product, use a query like:
where SCALANCE S615 is replaced with the name of the product of interest.
Finding factories through controllers
Now let’s narrow the problem even further. Suppose a penetration test is being carried out on a certain facility, possibly one belonging to the state’s critical infrastructure. How do we determine whether responses from its controllers are among the results Netlas returns?
This task can be solved with the Grouping feature. Grouping results is a much-underrated feature of Netlas, and this is not the first time it has appeared in my articles. If you do not know how to use it, I advise you to read about it here.
However, before we group the results, we need to choose the field to group by. In my example, we will consider only the s7 protocol, since it has a very convenient plant_id field. Here is what the grouped results look like:
You can see that not all controllers speaking the s7 protocol have this field set.
For example, consider this result:
The following query will let you view this response (as well as the ones below it):
Here you can see exactly which Siemens equipment is used at the plant, as well as where it is located. Are you wondering what it is?
A small Romanian hydroelectric power station.
Finding controllers through factories
In the previous example, we found the enterprise by examining the responses of specific controllers. But how do we go in the other direction?
First, let’s create a search that returns results most likely to be industrial enterprises. It might look like this:
whois.net.name:(factory OR plant)
Next, you need to understand what kind of enterprises were found. To do this, let’s group the results again, this time by the whois.net.description field.
Abracadabra. You may find something interesting by exploring this list. For example, take the object with the description “MCCPTA India Corp Private Limited…” After a short investigation, you can find out that this is a manufacturer of household chemicals in India. Undoubtedly, an important object related to critical infrastructure.
Let’s see what responses we can get from it. You could probably compose several different queries for this, but I will be consistent and take the results from the WHOIS description:
whois.net.description:"MCCPTA India Corp Private Limited*"
Among the results returned, we are most interested in the objects that speak the SNMP protocol. Here are a couple of examples:
As we can see, the plan was a success. Starting from the factory, I was able to discover the hardware used there. From these responses, we can draw a conclusion about how well the enterprise’s equipment is protected. Even though a Cisco router is not an industrial controller, an attacker can use it as an entry point into the system. We recommend that all readers treat their routers with care.
Conclusion
As I mentioned in the introduction to this article, protecting critical infrastructure has become more important than ever. Extortionists, hacktivists, terrorists — anyone can attack a small factory just because its system administrator left a standard password on the SCADA system. That is why our team strongly recommends that specialists associated with such objects behave carefully and give their best in their work.