[SCADASEC] Setting up SCADA in a lab for testing

Jake Brodsky ab3a at comcast.net
Mon Feb 18 10:08:44 CST 2008


Some of the problem is knowing what your target is using.  Lots of older 
PLC and RTU gear is readily available on e-bay.  The ancient D20 RTUs 
are a classic; they were often emulated by other manufacturers.  The 
Siemens S7 is popular, as is the Allen-Bradley ControlLogix PLC gear.

But to really attack these things it helps to know what release of 
firmware the target is using.  AB in particular releases major firmware 
changes at a rate of roughly one or more major versions per year.

The later releases of AB ControlLogix firmware are reputed to be much 
tighter for security purposes.  However, if you know the field has an 
earlier release, then the attack vectors could be very different.

Generally, manufacturers and utilities hate to upgrade the firmware 
because it requires a substantial validation check.  So unless there is 
a daily functionality reason to upgrade the firmware, they'll leave it 
right where it is.

The GE-Fanuc line is another favorite as are the Modicon PLC gear.  Some 
older and probably more vulnerable versions are still available from 
alternate manufacturers.  For example, the TI 505 series stuff had a 
second source from CTI.  CTI now makes a processor for that line.  You 
can find all you want and much more from them either in new or in older 
formats.

However, this begs the question:  While it's good to study these things, 
do you know the I/O list?  Because if you don't, you really don't have 
much chance if you randomly screw around with the I/O.  There are still a 
fair number of self-protection cutoffs in older gear.

Now if you do have an I/O list, and you know about a process, then you 
can do real damage.  But unless you have that much, you're just stabbing 
in the dark.  It would be like trying to subvert a PC by pushing random 
stuff to the inputs and outputs.

Jake Brodsky

Matthew Franz wrote:
> No, you can't know -- that would be arming hackers. And the list would
> have to be shut down. :(|)   (yeah that is a monkey)
> 
> Speaking of arming hackers, this reminds me...
> 
> During a heated discussion on vulnerability disclosure at PCSF San
> Diego a few years back,  a SCADA vendor that starts with a  T  (or
> maybe it was an S) swore only customers (or maybe govt research labs
> that don't disclose)  have gear to evaluate and discover
> vulnerabilities  (this surrounded the argument about whether or not
> only folks with legitimate support contracts should get vulnerability
> inreports)
> 
> Of course, a representative from the hacking community in San Diego
> argued otherwise: that hackers do build out "research labs".
> 
> Then the vendor went back to their hotel room and checked on Ebay,...
> 
> Ooops...
> 
> - mdf
> 
> On Feb 17, 2008 4:26 PM, James Kelly <macubergeek at comcast.net> wrote:
>> Can anyone give me suggestions, or lessons learned about setting up SCADA in
>> a lab setting for testing purposes?
>> I understand one can buy some of this stuff on ebay. Can you suggest which
>> devices I might wish to purchase?
>>
>> Jim
>>