ICSCorsair: How I will PWN your ERP through 4-20 mA current loop (presented at t2InfoSecCon 2014)

by Alexander Bolshev,

Summary: Modern Industrial Control Systems (ICS) are deeply integrated with other parts of the corporate network. Plant Asset Management systems, OPC, and SCADA interconnect low-level devices, such as transmitters, actuators, and PLCs, with high-level applications, such as MES and ERP. But what will happen if you can connect to the line where low-level network protocols (such as HART (FSK over 4-20 mA current loop), FF H1, Profibus DP, Modbus over RS-485, etc.) flow? Almost everyone knows that from there you can probably affect industrial processes. But there is something more: from this point, you can attack not only the lowest levels of the network, but also PAS, MES, and even ERP systems!
ICSCorsair is an open hardware tool for auditing low-level ICS protocols. It can communicate with various systems using HART FSK, Profibus, and Modbus protocols. You can control ICSCorsair via USB cable or remotely over Wi-Fi, Bluetooth, or other wireless connection. Different software will be presented to work with ICSCorsair: Metasploit modules, apps for iOS and Android, etc.
In this talk, it will be shown how to trigger such vulnerabilities as XXE, DoS, XSS, and others in SCADA, PAS, ERP, and MES systems using only ICSCorsair and the opportunity to connect to a low-level ICS protocol line.
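The chain the talk describes runs upward: a string that a field device returns over HART (a tag, a descriptor) is copied by PAS/SCADA software into higher-level systems, and if nobody validates it on the way, whatever the device put there (or whatever an attacker on the current loop put there) reaches the MES/ERP parser. The following added example, written for this page and not part of ICSCorsair or of the author's material, shows the defensive side of that boundary: it parses a HART long-frame response to command 13 (Read Tag, Descriptor, Date), verifies the frame's XOR checksum, decodes the packed-ASCII fields, and applies an allow-list policy before the strings may be forwarded. The frames, the 5-byte device address, the tag values and the allowed character set are all constructed for the example; the frame layout, delimiter value, checksum rule and packed-ASCII encoding follow the HART specification.

```python
"""Defensive handling of HART device strings before they reach upstream (PAS/MES/ERP) systems.

Added example for this page; not ICSCorsair code. Sample frames and the policy are constructed.
"""
import re
from dataclasses import dataclass

DELIM_LONG_ACK = 0x86        # long-frame delimiter, device -> master (HART spec)
CMD_READ_TAG = 13            # HART command 13: Read Tag, Descriptor, Date
CMD13_DATA_LEN = 23          # 2 status bytes + 6 (tag) + 12 (descriptor) + 3 (date)
SAMPLE_ADDRESS = bytes([0x26, 0x01, 0x00, 0x00, 0x01])   # constructed 5-byte long address

# Allow-list policy for strings forwarded upstream (an assumption of this example, not HART's rule).
# Packed ASCII can carry '<', '>', '&', '"', '%', ';' etc., which is exactly what a downstream XML or
# HTML consumer must never see unescaped, so those are rejected rather than escaped here.
SAFE_TEXT = re.compile(r"^[A-Z0-9 _.\-]*$")


def hart_checksum(body: bytes) -> int:
    """HART longitudinal parity: XOR of every byte from the delimiter through the last data byte."""
    c = 0
    for b in body:
        c ^= b
    return c


def unpack_ascii(data: bytes) -> str:
    """Decode HART packed ASCII: every 3 bytes carry four 6-bit characters."""
    if len(data) % 3:
        raise ValueError("packed ASCII length must be a multiple of 3")
    out = []
    for i in range(0, len(data), 3):
        chunk = int.from_bytes(data[i:i + 3], "big")
        for shift in (18, 12, 6, 0):
            code = (chunk >> shift) & 0x3F
            # codes 0x20-0x3F map to themselves, codes 0x00-0x1F map to 0x40-0x5F ('@', 'A'..'Z', ...)
            out.append(chr(code if code & 0x20 else code | 0x40))
    return "".join(out)


def pack_ascii(text: str) -> bytes:
    """Inverse of unpack_ascii; used here only to build the constructed sample frames."""
    text = text.upper()
    if len(text) % 4 or any(not 0x20 <= ord(ch) <= 0x5F for ch in text):
        raise ValueError("packed ASCII needs a multiple of 4 chars in the range 0x20-0x5F")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = 0
        for ch in text[i:i + 4]:
            chunk = (chunk << 6) | (ord(ch) & 0x3F)
        out += chunk.to_bytes(3, "big")
    return bytes(out)


def build_cmd13_response(address: bytes, tag: str, descriptor: str, date=(1, 1, 0)) -> bytes:
    """Construct a long-frame command 13 response (5 preamble bytes, body, checksum) for testing."""
    data = bytes([0x00, 0x00]) + pack_ascii(tag.ljust(8)) + pack_ascii(descriptor.ljust(16)) + bytes(date)
    body = bytes([DELIM_LONG_ACK]) + address + bytes([CMD_READ_TAG, len(data)]) + data
    return b"\xff" * 5 + body + bytes([hart_checksum(body)])


@dataclass
class TagRecord:
    tag: str
    descriptor: str
    status: tuple


def parse_cmd13_response(frame: bytes) -> TagRecord:
    """Parse and verify a command 13 response; raise ValueError on any structural problem."""
    i = 0
    while i < len(frame) and frame[i] == 0xFF:      # skip the preamble
        i += 1
    body = frame[i:-1]
    if len(body) < 8 or body[0] != DELIM_LONG_ACK:
        raise ValueError("not a long-frame device response")
    if hart_checksum(body) != frame[-1]:
        raise ValueError("checksum mismatch")
    cmd, count = body[6], body[7]                  # delimiter(1) + address(5), then command, byte count
    data = body[8:8 + count]
    if cmd != CMD_READ_TAG or len(data) != count or count != CMD13_DATA_LEN:
        raise ValueError("unexpected command or length")
    return TagRecord(tag=unpack_ascii(data[2:8]).rstrip(),
                     descriptor=unpack_ascii(data[8:20]).rstrip(),
                     status=(data[0], data[1]))


def validate_for_upstream(rec: TagRecord) -> list:
    """Return policy violations; an empty list means the strings may be forwarded."""
    problems = []
    for name, value in (("tag", rec.tag), ("descriptor", rec.descriptor)):
        if not SAFE_TEXT.match(value):
            problems.append(f"{name} contains characters outside the allowed set: {value!r}")
    return problems


if __name__ == "__main__":
    good = build_cmd13_response(SAMPLE_ADDRESS, "FT-101", "FLOW TRANSMITTER")
    hostile = build_cmd13_response(SAMPLE_ADDRESS, "<!DOC", "&XXE;<SCRIPT>")   # constructed sample
    for frame in (good, hostile):
        rec = parse_cmd13_response(frame)
        print(rec, validate_for_upstream(rec) or "forward")
```

The point of the split between parse_cmd13_response and validate_for_upstream is that a correct checksum says nothing about the content: a device (or a tool sitting on the loop) can return a perfectly well-formed frame whose tag is a markup fragment, so the gateway that copies device strings into asset-management or ERP records needs an explicit content policy in addition to frame integrity checks.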
Alexander is an information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as an assistant professor at Saint-Petersburg State Electrotechnical University. He works on distributed systems, hardware and industrial protocol security. He is the author of several whitepapers on topics such as heuristic intrusion detection methods, SSRF attacks, OLAP systems and industrial protocol security. He has spoken at the following conferences: BlackHat USA, ZeroNights, S4. He actively participates in the life of the Russian Defcon Group.