Pwning OT: Going in Through the Eyes presented at CODEBLUE2020 2020

by Ta-lun Yen,

Summary : Two years after the release of our paper regarding SCADA HMI security , SCADA systems are still a challenge to secure. This is not only due to their rigid connection requirements (hence "control and data acquisition"), but also the burden of needing to interface with legacy systems. Such legacy systems are so foundational to OT configurations that SCADA systems are frequently difficult to modernize. As a result of recent stories in the media, the potential devastation of a successful SCADA attack is well-known. As adversaries only have to successfully penetrate through one of many potential weaknesses in a system, these potential weaknesses and attack surfaces must be carefully considered and safeguarded.HMIs are a common target, since they're usually installed in a configuration that enables connection to both the OT network and the Internet (or Intranet), meaning they can easily be made to function as a sort of gateway. This runs contrary to the common assumption that HMIs should only be installed in an air-gapped or otherwise isolated configuration.Despite a lack of public information regarding OT network infiltration via HMI, our research reveals that HMIs are frequently a soft and easily accessible vector for attacks. In a large percentage of OT setups, the consequences of HMI compromise could be disastrous -- allowing theft of operational information, property damage, and the creation of a foothold for infiltrating the infrastructure.In the past, vendors have been able to assume that older technology would support stable operation and that they could rely on 'security through obscurity'. In recent investigations we found that in some devices, "security" is merely an illusion created by limited and inconsistent data of the legacy systems which are still used actively today. In this submission, we introduce our in-progress research regarding security in HMI devices, and show how we totally pwn one such device. The research presented here shows only a small amount of the insecurities that we've uncovered.