What to do when you find others' PLC/SCADA internet security breaches?

goghie (Lifetime Supporting Member; Join Date: Jan 2008; Location: Belgrade; Posts: 800)
I need some advice.
I was doing some checks of my previous projects for internet penetration, and I found that there are a lot of "neighbouring" IP addresses with mostly Modbus or Omron communication fully open (not my projects). I can access some PLCs and even some GenSets freely. I would like to send them info, with the best intentions possible, about the problems they have, but I'm afraid that I could have some potential problems.
Opinions? Advice?
 
If you think they may get upset thinking YOU were hacking into their systems, then what I would do is:

1. Not tell them now.
2. Suggest to them that you can do a scan of their network to see if there are any security problems, and THEN 'find' them after you get a PO and approval.
 
I'm not interested in selling them my services; I just would like to warn them. Some of these sites are infrastructure! I think that I have enough knowledge to protect my product, but it is not something I do for a living. And yes, I'm afraid that someone would get me wrong.
 
You could tell them you used Wireshark to check the network traffic on the system you were working on and noticed it showed insecure openings that could be breached.

Then you were not snooping, just trying to get all the data on what you were actually working on. Then, if they ask, you can point out the specifics.
 
In fact I was using a combination of Nmap + a routine that reads the first Modbus holding register + a routine that reads the clock on Omron + a MELSEC-specific routine.
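The "read the first Modbus holding register" check mentioned above, as an added example that is not code from the original post or from any tool goghie used. It builds a Modbus/TCP "Read Holding Registers" (function code 0x03) request for one register, parses both a normal reply and an exception reply, and rejects malformed frames so that a non-Modbus service listening on TCP/502 is not mistaken for a PLC. The function names and the sample replies are constructed for this example; only the optional probe_holding_register function touches the network, and it should be pointed only at hosts you are authorised to test.

```python
import socket
import struct

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03

# Exception codes defined by the Modbus application protocol.
EXCEPTION_NAMES = {
    0x01: "Illegal Function",
    0x02: "Illegal Data Address",
    0x03: "Illegal Data Value",
    0x04: "Slave Device Failure",
    0x05: "Acknowledge",
    0x06: "Slave Device Busy",
    0x08: "Memory Parity Error",
    0x0A: "Gateway Path Unavailable",
    0x0B: "Gateway Target Device Failed to Respond",
}


def build_read_holding_registers(transaction_id: int, unit_id: int,
                                 start_addr: int, quantity: int) -> bytes:
    """Build a Modbus/TCP Read Holding Registers (FC 0x03) request.

    MBAP header: transaction id, protocol id (0 = Modbus), length of the
    bytes that follow (unit id + PDU), unit id.  PDU: function code,
    starting address, register count.  There is no authentication field
    anywhere in the frame: anyone who can reach TCP/502 can send it.
    """
    if not 1 <= quantity <= 125:
        raise ValueError("quantity must be 1..125 per the Modbus spec")
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_registers_response(frame: bytes, expected_tid: int) -> dict:
    """Parse the reply to an FC 0x03 request.

    Returns {'unit', 'registers': [...]} for a normal reply, or
    {'unit', 'exception', 'exception_name'} when the device answered with
    FC | 0x80.  Raises ValueError on a malformed frame so a caller probing
    many hosts does not treat garbage as register data.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError(f"length field {length} does not match frame size")
    if tid != expected_tid:
        raise ValueError(f"transaction id {tid} != expected {expected_tid}")
    fc = frame[7]
    if fc == FC_READ_HOLDING_REGISTERS | 0x80:
        if len(frame) != 9:
            raise ValueError("exception response must be exactly 9 bytes")
        code = frame[8]
        return {"unit": unit, "exception": code,
                "exception_name": EXCEPTION_NAMES.get(code, "Unknown")}
    if fc != FC_READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code 0x{fc:02x}")
    byte_count = frame[8]
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match register data")
    registers = list(struct.unpack(f">{byte_count // 2}H", data))
    return {"unit": unit, "registers": registers}


def probe_holding_register(host: str, port: int = MODBUS_TCP_PORT,
                           unit_id: int = 1, timeout: float = 3.0) -> dict:
    """Send one read of holding register 0 and parse the reply.

    One request for one register, nothing written.  Only run this
    against hosts you are authorised to test.
    """
    tid = 1
    request = build_read_holding_registers(tid, unit_id, 0, 1)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        reply = sock.recv(260)            # maximum Modbus/TCP ADU size
    return parse_read_holding_registers_response(reply, tid)


if __name__ == "__main__":
    # Constructed sample replies, not captured from any real device.
    ok_reply = bytes.fromhex("0001 0000 0005 01 03 02 1234")   # register 0 = 0x1234
    exc_reply = bytes.fromhex("0001 0000 0003 01 83 02")       # Illegal Data Address
    print(build_read_holding_registers(1, 1, 0, 1).hex())
    print(parse_read_holding_registers_response(ok_reply, 1))
    print(parse_read_holding_registers_response(exc_reply, 1))
```

The strict length and transaction-id checks matter when sweeping address ranges: plenty of hosts answer on 502 with something other than Modbus, and an exception reply (function code 0x83) is itself evidence that an unauthenticated Modbus stack is listening, even when the register read is refused.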
 
Sure, connection attempts to PLCs are a tiny part of all the hundreds of connection attempts that any device with a public IP connected to the Internet receives every day.

People would have to be much more aware of this.

Fortunately, now the majority of devices are behind a firewall within a private network, but about 17 years ago, when Windows XP came out, many PCs and devices were directly connected to the internet, each with their own public IP. Those were quite chaotic years for security, in large part thanks to the large security holes in Windows.
 
If you walk past a hole in a physical fence, you would find the security person for the company and let them know. Sure, if the fence was in a strange location, the security person might question what you were doing sneaking around.
So if you don't mind the consequences of being asked why you were sneaking around, just call their cyber security department and let them know.

Although it sounds like you saw an open fence and crawled through it to find out what was on the other side first. Technically trespassing. I think in some countries what you did could be considered "unauthorized access to a computer." In fact, the increased load on the controller or network may have caused problems for them, so in a way what you did could have been dangerous. I would read up on "grey hat hacker" and make sure you are comfortable with the risks associated with admitting that you hacked a genset. Weigh the risk against the benefit of the genset not being remotely accessible.
 

I walk past holes in fences all the time, if they don’t care, I don’t care.

Shame on them for allowing a control system to be on a direct internet facing port.

FYI there is a search engine that will exploit this.

Shodan.io, just search Rockwell and your jaw will drop.
 

I know of Shodan, and I have used it previously. The problem is that Shodan uses our queries to identify ICS problems and later makes them available to all audiences, so it uses our know-how for its own marketing. In order to make problems in our business, you need to have the know-how we have plus hacking knowledge which a regular hacker does not have.
Also, because Shodan keeps logs, I do not believe that a real black-hat hacker will use it.
 

Shodan is for a professional audience not hackers. Hackers can EASILY script exactly what Shodan is doing and get results without being logged or paying.

Shodan is for industry and government professionals looking for potential security issues. It’s just an example of how many are vulnerable out there. Now lots are schools and labs.

Also, regular hackers are being introduced to PLCs. They have even been on shows like Mr. Robot. Rockwell software is all over the internet to download for free, and a simple workaround gets by their licenses. Also, there is a Modbus exploit that just trolls around and writes zeros to all registers.
 
Hi Goghie,

I think you should let the highest-up person in charge that you regularly interact with know that, when checking to ensure the projects you worked on were not accessible from the internet, you found other assets at the company that are, which puts the company's equipment and processes at risk, as anyone in the entire world can easily operate or reprogram them. Hopefully the person in charge will contact the supplier of that equipment and get them to fix it, and you can stay out of it.


I found a hydro electric power plant PLC connected directly to the internet but there was no identifying information other than the IP address, which did provide some geolocation. I let the utilities in the nearby areas know about the issue and they were able to identify the plant from the IP address.
 