In the tables below I have put together a list of signatures (i.e. search strings) that appear in the HTTP meta-data for 15 Supervisory Control and Data Acquisition (SCADA) systems. An additional list of 29 signatures is available in this paper by Cambridge University Master's student E P Leverett; the paper also has a great introduction to SCADA systems.
In the following analysis I follow the same engagement rules as E P Leverett, which are from the joint US DHS & UK CPNI good practice guide:
- I will not interact with any system except to view a publicly accessible HTTP interface.
- I will not attempt to login to any system.
Wastewater overflow management pumping station, Boncourt, Switzerland
The SCADA system on this pump is a Schneider Electric FactoryCast system. According to the user manual:
"FactoryCast is a software package that allows you to customize a Web site on the Embedded Web Server module. The site can be accessed via a browser to view and modify data from a Quantum or Premium programmable logic controller (PLC)."
System home page
Found on Google maps
This small pumping station is used to manage wastewater overflow in the Basse-Allaine region of Switzerland. Wastewater from the town of Boncourt flows through a pipe down to the treatment plant in Grandvillars, France. But what happens if there is heavy rain? Along the pipe's path are overflow stations, each consisting of a large underground basin, a pump and an overflow pipe leading to the Allaine river. When it rains, the overflow first runs into the basin and the pump returns it to the pipe, reducing the flow down the pipe and lessening the chance of overflow to the river. Of course, if the rains are heavy enough, the basin will fill and wastewater will overflow into the river.
The installers of the Schneider system, Swiss firm Stebatec, have customized the embedded web site.
1.9MW solar power plant, Mysliv, Czech Republic
This system is running Schneider Electric FactoryCast.
"On October 7, Solar Park Mysliv, located in the south-western part of Bohemia, 20 kilometers east of the city of Klatovy, started producing solar electricity. This is the first solar power plant Gehrlicher Solar AG has built in the Czech Republic. The plant has a peak performance of 1.99 MWp and comprises an area of 3.8 hectares. It will be producing 1.79 million kilowatt hours of green electricity and covering the electricity requirements of 510 three-person households. 8.844 Yingli modules and two SMA inverters were used in the construction."
Biomass boiler systems
Unknown HVAC system in Germany
This small HVAC system, running a Saia-Burgess PCD, allows anyone level 0 access (the least privileged), which allows viewing of measurements.
Solar power plant, Coppola S.p.A, Scafati, Italy
Coppola is a company located in Scafati; its solar power system was installed by the Magaldi group. The system allows anyone to view solar plant measurements. It is running a SpiderControl system.
The security of some of these systems can be very weak. I have seen cases of the system login password being shown directly within the HTML source code of the publicly accessible device home page (anyone can view this source code using a browser's view HTML source button).
SCADA systems

System | Signature | Shodan count | Comments |
---|---|---|---|
Siemens building automation energy management | Siemens Switzerland Ltd | 449 | http://www.buildingtechnologies.siemens.com |
Beck IPC embedded controller | IPC@CHIP | 4038 | For example, used by the solar plant energy monitor solar-log.net; beck-ipc.com |
SMA Solar remote solar plant monitoring/maintenance | Sunny webbox | 6675 | SMA Solar Sunny webbox |
Kieback&Peter Bus Module Controller | BMR/0.09 | 85 | Kieback&Peter BMC. Controller for controlling, monitoring & operating HVAC systems. |
Saia-Burgess Process Control Device (PCD) | Saia PCD | 839 | saia-pcd.com, control devices for remote monitoring and machine control |
Schneider Electric energy management/monitoring | Schneider-WEB | 197 | Schneider FactoryCast system |
Sciopta system software | sciopta Webserver | 2 | System Software for Safety-Critical Embedded Applications, sciopta.com |
Phoenix contact system running SpiderControl | Phoenix-Contact | 155 | phoenixcontact.com, spidercontrol.net |
Moxa industrial systems | MoxaHttp | 4734 | moxa.com |
Trihedral SCADA software | "Server: VTS" | 102 | Trihedral VTS |
Electro Industries/GaugeTech | EIG Embedded Web Server | 118 | electroind.com |
clearSCADA integrated SCADA host platform | clearSCADA | 13 | www.clearscada.com |
Delta enteliTOUCH | DELTA enteliTOUCH | 22 | Delta entelitouch system |
TAC Xentra control systems | TAC/Xentra | 53 | Old systems, TAC now owned by Schneider Electric |
Loxone home automation system | Loxone | 165 | Home automation web control system |
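
The signatures in the table can also be used to audit your own perimeter: the sketch below is an added example (not part of the original post) that matches them against raw HTTP responses collected from address space you are responsible for, and reports which hosts announce a SCADA web interface. The function names, the documentation-range IP addresses and the banner contents are constructed for illustration; matching is limited to the header block, on the assumption that "HTTP meta-data" means the status line and headers.

```python
import re

# (system, search string) pairs copied from the table above.
SIGNATURES = [
    ("Siemens building automation energy management", "Siemens Switzerland Ltd"),
    ("Beck IPC embedded controller", "IPC@CHIP"),
    ("SMA Solar remote solar plant monitoring/maintenance", "Sunny webbox"),
    ("Kieback&Peter Bus Module Controller", "BMR/0.09"),
    ("Saia-Burgess Process Control Device(PCD)", "Saia PCD"),
    ("Schneider Electric energy management/monitoring", "Schneider-WEB"),
    ("Sciopta system software", "sciopta Webserver"),
    ("Phoenix contact system running SpiderControl", "Phoenix-Contact"),
    ("Moxa industrial systems", "MoxaHttp"),
    ("Trihedral SCADA software", "Server: VTS"),
    ("Electro Industries/GaugeTech", "EIG Embedded Web Server"),
    ("clearSCADA integrated SCADA host platform", "clearSCADA"),
    ("Delta enteliTOUCH", "DELTA enteliTOUCH"),
    ("TAC Xentra control systems", "TAC/Xentra"),
    ("Loxone home automation system", "Loxone"),
]

def header_block(raw: str) -> str:
    """Return status line + headers only, lower-cased, whitespace collapsed."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [re.sub(r"[ \t]+", " ", ln.strip()) for ln in head.splitlines()]
    return "\n".join(lines).lower()

def match_signatures(raw: str) -> list[str]:
    """List the systems whose search string appears in the header block."""
    head = header_block(raw)
    return [system for system, sig in SIGNATURES if sig.lower() in head]

def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each host with at least one match to the systems it matched."""
    hits = {host: match_signatures(raw) for host, raw in inventory.items()}
    return {host: systems for host, systems in hits.items() if systems}

# Constructed sample responses (not real captures); 192.0.2.0/24 is a
# documentation range. The third host mentions a signature only in its body.
SAMPLE = {
    "192.0.2.10": "HTTP/1.0 401 Unauthorized\r\nServer: MoxaHttp/1.0\r\n\r\n",
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer:   VTS 10.1\r\n\r\n<html>",
    "192.0.2.12": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Loxone</title>",
    "192.0.2.13": "HTTP/1.1 200 OK\r\nserver: schneider-web\r\n\r\n",
}

if __name__ == "__main__":
    for host, systems in audit(SAMPLE).items():
        print(host, "->", ", ".join(systems))
```

Any host this reports is advertising its product in the banner to the whole Internet and is a candidate for moving behind a VPN or firewall.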
Links to further reading
SCADA security news and consulting, http://scadahacker.com/
SCADA security analysis, www.reversemode.com
SCADA security consulting firm, www.digitalbond.com
SCADA security consulting firm, www.tofinosecurity.com
US government ICS-CERT, www.us-cert.gov/control_systems/ics-cert
SCADA security consulting firm, www.scadahacker.com
SCADA security consulting firm, www.redtigersecurity.com
Some interesting articles on problems with Moxa systems in the Netherlands.
www.tofinosecurity.com/blog/cyber-security-nightmare-netherlands
The following are in Dutch.
webwereld.nl/nieuws/109526/zeeuwse-gemalen-te-hacken-via-scada-lek---update.html
webwereld.nl/nieuws/109565/scada-bedrijf-xylem-ontkent-kwetsbaarheden.html
Thanks for sharing, it's really nice to read this.
SCADA is a system operating with coded signals over communication channels so as to provide control of remote equipment. The control system may be combined with a data acquisition system by adding the use of coded signals over communication channels to acquire information about the status of the remote equipment for display or for recording functions. It is a type of industrial control system.