Theory To Start With
Understanding real threats is the core of any information security project. To ease this task, Positive Technologies experts, assisted by the community at http://asutpforum.ru, undertook a large-scale study of industrial control systems (ICS/SCADA), the results of which are available here: http://ptsecurity.com/download/SCADA_analytics_english.pdf
Two Stories Of The Same Pentest
One of the problems of modern ICS is large-scale integration projects related to MES construction and integration with business systems such as ERP. The report "From ERP to SCADA. Back and Forth. Two Stories of the Same Pentest" [ru] exemplifies what such projects can result in if they do not comply with security requirements.
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
Statements that industrial control systems are reachable via the Internet are usually taken with skepticism. A tool that lets you estimate the threat yourself has been published recently. Note that the devices and systems in this list are all enterprise-level systems and are hardly likely to be used to control fridges and microwaves.
The following video demonstrates what ICS availability via the Internet can result in:
Attention! Do not try to repeat it at home. A vulnerable system can control a very important object, and if it is handled carelessly it may cause damage. If all of a sudden you have detected an ICS reachable via the Internet, contact its owner or a Computer Emergency Response Team (CERT), who can eliminate this flaw.
Anonymous, judging by their Twitter, have already taken notice of this tool, which is a little scary.
This open-source utility, PLCScan, allows detecting devices in a system that communicate via the S7comm or Modbus protocols. When a device is detected, PLCScan tries to obtain information about its vendor, type, installed modules, etc.
The utility is available here: https://code.google.com/p/plcscan/.
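The flip side of a scanner that enumerates S7comm/Modbus devices is a monitor that notices such enumeration, and any writes, arriving from a host that is not the plant's own HMI or engineering station. The following is an added example written for this page, not PLCScan's code and not code from Positive Technologies: it parses raw Modbus/TCP requests (7-byte MBAP header plus PDU, function codes as defined in the Modbus specification; Read Device Identification is function 43 with MEI type 14, the request an enumeration tool typically issues) and classifies each one against an allow-list of expected sources. The sample frames, the source addresses and the allow-list are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# Modbus function codes (values from the Modbus application protocol spec).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
ENCAPSULATED_INTERFACE = 0x2B   # function 43
MEI_READ_DEVICE_ID = 0x0E       # MEI type 14: Read Device Identification


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes          # PDU payload after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: MBAP header (7 bytes) followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("protocol identifier is not 0, so this is not Modbus")
    # The MBAP length field counts everything after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match the frame size")
    return ModbusRequest(tid, unit, func, frame[8:])


def classify(req: ModbusRequest, src: str, allowed_sources: Set[str]) -> str:
    """Return a one-line verdict for a request given the host that sent it."""
    if req.function == ENCAPSULATED_INTERFACE and req.data[:1] == bytes([MEI_READ_DEVICE_ID]):
        what = "device identification probe"      # enumeration, not process traffic
    elif req.function in WRITE_FUNCTIONS:
        what = WRITE_FUNCTIONS[req.function]
    elif req.function in READ_FUNCTIONS:
        what = READ_FUNCTIONS[req.function]
    else:
        what = f"function {req.function}"
    if src not in allowed_sources:
        return f"ALERT unauthorized source {src}: {what}"
    if req.function in WRITE_FUNCTIONS:
        return f"NOTICE write from {src}: {what}"
    return f"ok {src}: {what}"


def audit(events: List[Tuple[str, bytes]], allowed_sources: Set[str]) -> List[str]:
    """Classify every (source, frame) pair in order."""
    return [classify(parse_modbus_tcp(frame), src, allowed_sources) for src, frame in events]


# Constructed sample traffic, not real captures: (source address, raw Modbus/TCP request).
SAMPLE_EVENTS = [
    # HMI reads 10 holding registers from unit 1.
    ("10.0.5.20", bytes.fromhex("00010000000601030000000a")),
    # Unknown host asks unit 0 for its device identification (FC 43 / MEI 14).
    ("198.51.100.7", bytes.fromhex("000200000005002b0e0100")),
    # Unknown host writes a single register on unit 1.
    ("198.51.100.7", bytes.fromhex("000300000006010600100001")),
    # HMI writes one register via Write Multiple Registers (FC 16).
    ("10.0.5.20", bytes.fromhex("000400000009011000000001020001")),
]
ALLOWED_SOURCES = {"10.0.5.20"}   # constructed allow-list: the plant's HMI


if __name__ == "__main__":
    for verdict in audit(SAMPLE_EVENTS, ALLOWED_SOURCES):
        print(verdict)
```

The allow-list is the important part: on a plant network the set of hosts that may read, and especially write, to a PLC is small and known, so any request from outside it is worth an alert regardless of function code, and a device identification probe from outside it is exactly the footprint an Internet-facing scan leaves.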
Metasploit WinCC Harvester can be used, once access to a WinCC SCADA system has been obtained, to collect additional information about the project, its users, and the controllers connected to the system.
The utility is available here: https://github.com/nxnrt/wincc_harvester.
Siemens SIMATIC WinCC 7.X Security Hardening Guide
The checklist can be used to configure WinCC in accordance with security requirements and to assess system security during audits.
If many systems are assessed, the procedure can be automated, as is done in MaxPatrol.
Siemens WinCC / S7 Under The X-ray
The SCADA Security Scientific Symposium, held in Miami on January 16-17, featured a report by Positive Technologies experts on the results of their Siemens WinCC/S7 security research. The report covered SIMATIC WinCC, WinCC Flexible, TIA Portal, and S7 PLCs, from the network stack to the application, and from a system architecture review to firmware reverse engineering. Sergey Gordeychik, Gleb Gritsay, and Denis Baranov considered almost 50 zero-day vulnerabilities and released a checklist for the configuration of WinCC Flexible 2008.
S7 password offline bruteforce tool
During the report, the Positive Technologies experts also presented a utility that can be used to test S7 password strength during audits and pentests.
The utility is available here: http://pastebin.com/0G9Q2k6y.