Two Decades of SCADA Exploitation: A Brief History
Simon Duque Antón, Daniel Fraunholz, Christoph Lipps,
Frederic Pohl, Marc Zimmermann and Hans D. Schotten
Intelligent Networks Research Group
German Research Center for Artificial Intelligence
DE-67663 Kaiserslautern
Email: {firstname}.{lastname}@dfki.de
arXiv:1905.08902v1 [cs.CR] 21 May 2019
This is a preprint of a publication published at the 1st IEEE Conference on Application, Information and Network Security (AINS). Please cite as: S. D. Duque Anton, D. Fraunholz, C. Lipps, F. Pohl, M. Zimmermann, H. D. Schotten, "Two Decades of SCADA Exploitation: A Brief History," in: 2017 IEEE Conference on Application, Information and Network Security (AINS). IEEE, IEEE Press, 2017, pp. 98-104.

Abstract—Since the early 1960s, industrial process control has been applied to electric power systems. In the mid-1970s, the term SCADA emerged, describing supervisory control and data acquisition. Since most industrial and automation networks were physically isolated, security was not an issue. This changed when, in the early 2000s, industrial networks were opened to the public internet. The reasons were manifold: increased interconnectivity led to more productivity, simplicity and ease of use, and it decreased the configuration overhead and the downtime needed for system adjustments. However, it also led to an abundance of new attack vectors. Recently, there has been a remarkable number of attacks on industrial companies and infrastructures. In this paper, known attacks on industrial systems are analysed by investigating the exploits that are available from public sources. The different types of attacks and their points of entry are reviewed, and trends in exploitation as well as targeted attack campaigns against industrial enterprises are introduced.

I. INTRODUCTION

In the 1970s, the third industrial revolution took place [1]. During this phase, computers were introduced into industry in order to automate tasks that, until then, had to be done by hand or by application-tailored solutions. Since then, computer technology has taken huge steps. Reconfigurable Programmable Logic Controllers (PLCs) took the place of hard-wired relay logic circuits [2]. Domain-specific, proprietary fieldbuses, like CAN [3] and Modbus [4], [5], are being replaced by TCP/IP-based solutions, such as Modbus TCP [5], [6], PROFINET [7] and OPC UA [8], that make use of the widely available internet infrastructure and its network hardware. Opening networks to the outside enables easier management of production capabilities. Remote maintenance, simpler adjustment of machines and a constant flow of information are but a few of the advantages. There are, however, some downsides. Two of the main reasons why security is inherently absent from virtually every technology and protocol in use are as follows: industrial networks were physically separated from the internet when the technology arose [9], and the setup of each industrial company is unique and was assumed to be very hard for an outsider to find their way around in [9]. As recent events, many of which are explained in section V, show, neither assertion holds true anymore, if it ever did. Many recent examples show that industrial networks can and will be breached. It needs to be highlighted that, as in consumer electronics, the user plays a crucial role in securing a system. Many of the newer botnets, such as Hajime or Mirai, try to gain access by using default credentials, with tremendous success. This behaviour has been analysed, among others, in our previous works [10], [11]. Many industrial systems use credentials for configuration. For reasons of ease of use, however, the passwords are often weak and shared among many users. Attackers who try standard configurations to gain access will succeed if the system credentials have not been changed. This kind of threat is also common in the exploits examined in section IV. It is very hard for intrusion detection systems to discover abuse that is performed with valid credentials, since such sessions look like legitimate administration. Changing default credentials is therefore a vital step in securing a system.

The remainder of this work is structured as follows. In section II, surveys and analyses of attacks are listed. After that, a statistical analysis of the Common Vulnerabilities and Exposures (CVE) list is performed in section III. This is followed by an in-depth analysis of available Supervisory Control And Data Acquisition (SCADA) system exploits in section IV, as well as a breakdown of attack campaigns against industry in section V. The lessons learned are listed in section VI. This work is concluded in section VII.

II. RELATED WORK

Even though there are many survey papers, as well as taxonomies that present an overview of different kinds of attacks, to the best of our knowledge there has not yet been a systematic analysis of all publicly available SCADA exploits. A very broad and extensive overview of current SCADA-based attack vectors can be found in the work of Zhu, Joseph and Sastry [12]. In addition, there are other works that give an overview of existing SCADA attacks and survey current exploits [9], [13], [14], [15]. Not only attacks on SCADA systems are well documented; countermeasures, as well as means of hardening systems, are also treated in the literature [16], [17]. There are also works presenting taxonomies of attacks, in order to help operators assess risks and threats to their systems and implement the corresponding countermeasures [18], [19], as well as works on the collection of data that allows insight into the condition of a system [20], [21]. The German Federal Office for Information Security (BSI) periodically releases security advisories for industry [22]. Furthermore, there are surveys analysing specific domains, such as automotive and fieldbus security [23] (some of the relevant works are in German [24], [25]) and wireless security [26]. Many of the exploits we examine in this paper have already been investigated in the literature. The number of works analysing single attacks is vast; therefore, we only reference such works in the corresponding sections.

III. STATISTICAL ANALYSIS

An exhaustive list of all CVEs can be found online [27]. Since it contains over 100 000 entries, manual analysis was infeasible. We developed a text-processing script in order to gain statistical information about the distribution of exploits. A major drawback was that the most specific information is written in natural language, without a fixed structure. We searched the document for keywords while using stemming in order to find every variant of a keyword. Stemming is a technique employed in natural language processing [28]: the word stems of the keywords are derived, then matching word stems are searched for in the target file. We used the Python stemming library [29]. The results of the statistical analysis are summarised in table I. The entry "Overall categorized entries", as well as the "Percentage covered by keywords", give the number of distinct entries that have been classified, after accounting for entries that match multiple keywords. That means that 65 919 entries (or 61.87%) in the CVE list can be attributed to at least one of the categories. Note that keyword matching credits an entry to every category whose terms appear in its description, so the per-category counts overlap and depend on the chosen keywords. The largest group is Remote Code Execution with 28 000 occurrences, closely followed by Denial of Service (DoS) and Injection attacks. SCADA exploits form a relatively small group, with only 373 entries. This indicates that, even though they are not as prevalent as office IT-based attacks, SCADA-based exploits are becoming more of an issue for manufacturers.

to the distributed nature of production environments and the fact that machines have hardware interfaces.

A. Attacks on PLCs

PLCs are the computing resources of industrial applications, controlling Cyber-Physical (Production) Systems. Hence, in contrast to office IT systems, which only handle data, they interact with and operate devices in the physical world. Attacks on PLCs therefore have an impact on physical entities, be it human workers or production resources, which makes the successful abuse of PLCs a grave matter. As common computation resources, PLCs usually require an underlying operating system; often this is a version of Windows adapted to the specific needs of industrial applications, or a proprietary real-time operating system. As there is an abundance of exploits and vulnerabilities based on flaws in the operating system, we only consider vulnerabilities that specifically derive from the industrial application of the given system, and only threats that occur in this context are analysed. In total, we found about 100 exploits as Metasploit [30] modules and Proofs of Concept (PoC). All Metasploit modules are listed in the Rapid7 database [31]. The databases we additionally searched were exploit-db [32], 0day-today [33] and packetstorm-security [34]. This number is smaller than the number of SCADA entries found in the CVE list in section III because only vulnerabilities for which executable code exists are counted. As a result, anybody can exploit these vulnerabilities without much difficulty, rendering them very dangerous for operators. The number of CVE discoveries and exploit developments per year is shown in figure 1. Unfortunately, some exploits could not be attributed to a year; this has been accounted for by a question mark. The list amounts to a mean value of 8.8 and a median of 7 exploit developments per year. A peak of 31 developments can be found in 2011. One possible explanation is that it was the year after Stuxnet [35] was discovered (see table II) and there was a special interest in PLC exploitation. The number of CVEs discovered per year has also been rising since 2011.
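The keyword search with stemming described in section III, as an added example that is not the authors' script: it stems the keywords, stems each free-text entry, credits an entry to every category whose keyword stems occur in it, and reports the number of entries covered by at least one category. The small suffix stemmer is a stand-in for the Python stemming library the paper cites, and the categories, keyword phrases and sample entries are assumptions made for this example; the entries are constructed in the style of CVE descriptions and are not real CVE records.

```python
"""Keyword classification of CVE-style descriptions with stemming.

Added example, not the authors' script: it reproduces the procedure
section III describes (stem the keywords, stem each free-text entry,
credit an entry to every category whose keyword stems occur in it, and
count entries hit by at least one category). The suffix stemmer is a
crude stand-in for the Python stemming library the paper cites, and the
categories, keyword phrases and sample entries are assumptions made for
this example; the entries are constructed, not real CVE records.
"""
import re
from collections import Counter

# Suffixes are tried longest first so that "injections" becomes
# "inject" rather than "injection".
SUFFIXES = ("ations", "ation", "ions", "ion", "ing", "ed", "es", "s", "e")

# Assumed categories; the paper's own keyword lists are not reproduced.
CATEGORIES = {
    "Remote Code Execution": ["execute arbitrary code", "arbitrary code execution",
                              "remote code execution"],
    "Denial of Service": ["denial of service", "dos"],
    "Injection": ["injection"],
    "SCADA": ["scada", "plc", "programmable logic controller", "modbus"],
}


def stem(word):
    """Strip one suffix, keeping at least three characters of the word."""
    word = word.lower()
    for suffix in SUFFIXES:
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def tokens(text):
    """Lower-case the text, split it into words and stem each word."""
    return [stem(w) for w in re.findall(r"[a-z]+", text.lower())]


def contains(seq, phrase):
    """True if the stemmed phrase occurs contiguously in the stemmed text."""
    n = len(phrase)
    return any(seq[i:i + n] == phrase for i in range(len(seq) - n + 1))


def classify(entries):
    """Return (category -> hit count, number of entries with any hit)."""
    counts = Counter()
    categorized = 0
    for text in entries:
        toks = tokens(text)
        hits = [cat for cat, phrases in CATEGORIES.items()
                if any(contains(toks, tokens(p)) for p in phrases)]
        counts.update(hits)      # an entry may count towards several categories
        if hits:
            categorized += 1     # but only once towards the coverage figure
    return counts, categorized


def coverage(entries):
    """Category counts, number of categorized entries and percentage covered."""
    counts, categorized = classify(entries)
    percent = round(100.0 * categorized / len(entries), 2) if entries else 0.0
    return counts, categorized, percent


# Constructed descriptions in the style of CVE entries (not real CVEs).
SAMPLE_ENTRIES = [
    "Buffer overflow in the HMI web server allows remote attackers to "
    "execute arbitrary code via a crafted HTTP request.",
    "The Modbus/TCP interface of the PLC allows remote attackers to cause "
    "a denial of service (device reboot) via a malformed packet.",
    "SQL injection in the SCADA historian login page allows attackers to "
    "read the database.",
    "Stack-based buffer overflow allows local users to gain privileges.",
    "Improper input validation allows denial of service and arbitrary "
    "code execution.",
    "Cross-site scripting allows injections of script into the operator console.",
]

if __name__ == "__main__":
    counts, categorized, percent = coverage(SAMPLE_ENTRIES)
    for category, n in counts.most_common():
        print("%-22s %d" % (category, n))
    print("Overall categorized entries: %d of %d (%.2f%%)"
          % (categorized, len(SAMPLE_ENTRIES), percent))
```

On the six constructed entries, five are credited to at least one category (83.33%), and the fourth entry, a local privilege escalation, stays uncategorized because none of the assumed keywords stem to anything in its text. The same script applied to the full CVE list would give the kind of figures reported in table I, with the caveat that a category count rises whenever its keyword appears in a description, whether as the primary flaw or only as a consequence.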
Fig. 3. Distribution of Categories for Local Exploits

Furthermore, we grouped all exploits into remote and local. Local exploits allow an attacker to execute an exploit on a

B. Attacks on Fieldbus-Level

Due to the proprietary nature of industrial networks, a vast landscape of fieldbus protocols has emerged, including Modbus [4], PROFINET [7], CAN [3], Local Interconnect Network (LIN) [36], Media Oriented Systems Transport (MOST) [37] and FlexRay [38]. These protocols have inherent security flaws. Since there are no means of authentication, identities are not assigned to the participating entities [12]. That means
an attacker with access to the bus can appear as a valid communication partner and thus extract and inject messages. This breaks both confidentiality and integrity. Due to these security flaws and the lack of encryption [39], an attacker can monitor the systems and even deploy attacks. Examples of such attacks are Man in the Middle (MitM) and DoS. In systems using Modbus, malicious adversaries can read all messages to discover active controllers and the function codes in use, as well as inject commands themselves, since Modbus frames carry no authentication at all. Additionally, they can send malformed messages or exception responses to take single controllers, or even the entire system, out of operation. Many industrial systems have a remote maintenance interface that can be accessed via the internet [14]. Often, this interface is secured poorly, or not at all [14]. This means that an attacker with access to the same network as the interface can change system settings and read system conditions. Gateways are used to connect several fieldbus networks. Oftentimes, these gateways are not configured securely, allowing an attacker who has access to one fieldbus network to traverse to different networks [24]. As a counterexample, OPC UA [8] needs to be mentioned. It is a modern industrial communication protocol that allows the definition of entities, including authentication and encryption. Its shell model allows for the encapsulation of functional units and the definition of interfaces.

C. Attacks on Wireless Systems

Driven by the fourth industrial revolution, wireless communication is finding its way into industrial systems. Some protocols that are commonly used in industrial applications are Bluetooth Low Energy [40], ZigBee [41], Z-Wave [42], Radio Frequency Identification (RFID) [43] and LoRa (Long Range) [44]. Wireless Local Area Network (WLAN) [45] is also often used in industry, but since it was originally developed for classical office IT, it is not considered in this work. RFID is commonly used by industry to tag entities and materials and account for them in storage or production. The other protocols are commonly used for data transmission and communication. There are several flaws in, and fixes for, WLAN, but they are out of scope for this work for the reasons named above. As there is no physical access control on the wireless channel, an adversary can listen to the communication, provided they are within range of the wireless signal. Therefore, most wireless communication protocols are encrypted. Still, some encryption schemes can be broken, rendering the content unprotected. If there is no, or only weak, encryption, an attacker can listen to the communication and extract information to perform a MitM [46] attack. Furthermore, they can inject messages into the network with the purpose of launching DoS attacks. A famous example is Wired Equivalent Privacy (WEP) [47], which is broken [48] but still in use. Another example is ZigBee, whose network key, in its default configuration, can easily be recovered by an attacker. Due to poor manufacturer implementations, the key is often transmitted in plain text when a new device joins the network, for example after restarting [49]; in older profiles it is protected only by a publicly known default link key, which amounts to the same. An attacker can obtain this key and gain full access to the network. Another problem in wireless networks is the relay attack. Using one, an attacker captures a communication packet, transports it over a different channel, and injects it into the network at a different location. This is commonly done with Bluetooth or RFID. An attacker can use this method to obtain a response to a challenge even though the legitimate key is not near the reader. This method has already been applied successfully to break the Passive Keyless Entry and Start (PKES) systems of different car manufacturers [50]. Spoofing and impersonation are other common attack concepts on wireless protocols. Spoofing means the disguise of an attacker as a valid entity in order to participate in a communication; impersonation describes an attacker who claims to be an entity she is not. Bluetooth is vulnerable to attacks with rogue Access Points (APs) [26], among others. Those are APs that are set up by an attacker and imitate valid APs. Because of the ad-hoc nature and the frequency hopping of Bluetooth, rogue APs are hard to detect [26]. The same concept can be applied to RFID, where fake tags or readers can read or manipulate entries [51]. Furthermore, wireless channels are inherently prone to jamming attacks. Since there is no access control, an attacker can flood the channel with packets, or simply jam it with noise [52]. This prevents the valid users from communicating with each other. There are also more sophisticated approaches that exploit protocol flaws to prevent communication, or that do not jam constantly in order to make discovery harder [52].

D. Physical-Layer Attacks

Physical, or hardware, attacks are among the hardest to defend against. An adversary with physical access to a device or system has more possibilities of inflicting damage and abusing services than one at a remote location. Industrial companies therefore put a strong emphasis on obstructing physical access by perimeters such as walls, gates and guards. Given access, an adversary can, with enough force, always destroy a system, rendering it unusable and creating a DoS. There are, however, more sophisticated and subtle approaches to tampering with devices. There are attacks on embedded devices, particularly PLCs, that falsify sensor values. This, in turn, causes inappropriate reactions from the devices, leading to undesired behaviour. In the literature, there is the "Ghost in the PLC" attack, which alters the input pins of a PLC, as described by Abbasi and Hashemi [53]. Another work on falsifying input values and creating improper responses from the system is presented by Urbina, Giraldo, Tippenhauer and Cardenas [54]. In addition to tampering with sensor values, an attacker can read or update the code on a PLC. Such an attack is described by Basnight, Butts, Lopez and Dube [55]. In order to stealthily deploy malware on a PLC, Garcia, Brasser, Cintuglu, Sadeghi, Mohammed and Zonouz propose a method to read system information and create a fitting rootkit [56]. Even though it is not the most relevant attack vector in practice, securing physical access is a vital task for industry, since adversaries with direct access have many opportunities with a potentially high impact.
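The Modbus reconnaissance described in section IV-B, as an added example that is not code from the paper: a passive decoder run over captured Modbus/TCP frames that learns which unit identifiers answer and which function codes are in use, and that flags the two things an operator watching the same segment would want to see, write requests (which need no credential, only reachability) and exception responses. The frames are constructed for this example rather than captured traffic; the frame layout and function code names follow the public Modbus application protocol specification, and no device is contacted.

```python
"""Passive Modbus/TCP decoder run over captured frames.

Added example, not code from the paper: it implements the reconnaissance
section IV-B describes (read every frame on the segment to learn which
controllers answer and which function codes are in use) and the checks
an operator would run on the same traffic, flagging unauthenticated
writes and exception responses. The frames are constructed for this
example, not captured traffic. Frame layout is the Modbus/TCP MBAP
header (transaction id, protocol id, length, unit id) followed by the
PDU (function code, data); no field carries a credential.
"""
import struct
from collections import defaultdict

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


def build_frame(transaction_id, unit_id, function_code, data):
    """Assemble one frame; the length field counts unit id plus PDU."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame):
    """Decode MBAP header and PDU, raising ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame size" % length)
    fc = frame[7]
    return {"tid": tid, "unit": unit, "function": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": frame[8:]}


def is_well_formed(frame):
    """Convenience wrapper for filtering a capture before surveying it."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def survey(frames):
    """Summarise what a listener on the segment learns from the frames."""
    units = defaultdict(set)      # unit id -> function codes seen
    writes, exceptions = [], []
    for frame in frames:
        msg = parse_frame(frame)
        units[msg["unit"]].add(msg["function"])
        if msg["exception"]:
            # the first data byte of an exception response is the exception code
            code = msg["data"][0] if msg["data"] else None
            exceptions.append((msg["unit"], msg["function"], code))
        elif msg["function"] in WRITE_CODES:
            writes.append((msg["unit"], msg["function"]))
    return {"units": dict(units), "writes": writes, "exceptions": exceptions}


# Constructed traffic: a master polls two controllers, a third host writes
# a coil (needing nothing but reachability), and unit 2 rejects a
# diagnostics request with exception code 1 (illegal function).
CAPTURED = [
    build_frame(1, 1, 3, struct.pack(">HH", 0, 10)),      # read 10 holding registers, unit 1
    build_frame(1, 1, 3, b"\x14" + b"\x00" * 20),        # response: byte count 20 + data
    build_frame(2, 2, 1, struct.pack(">HH", 0, 8)),       # read 8 coils, unit 2
    build_frame(2, 2, 1, b"\x01\x00"),                    # response: byte count 1 + coils
    build_frame(3, 1, 5, struct.pack(">HH", 7, 0xFF00)),  # write single coil 7 ON, unit 1
    build_frame(4, 2, 8, b"\x00\x00\x00\x00"),            # diagnostics sub-function 0
    build_frame(4, 2, 8 | 0x80, b"\x01"),                 # exception response: illegal function
]

if __name__ == "__main__":
    report = survey(CAPTURED)
    for unit, codes in sorted(report["units"].items()):
        names = ", ".join(FUNCTION_NAMES.get(c, "fc %d" % c) for c in sorted(codes))
        print("unit %d: %s" % (unit, names))
    for unit, fc in report["writes"]:
        print("WRITE  unit %d via %s (no authentication involved)" % (unit, FUNCTION_NAMES[fc]))
    for unit, fc, code in report["exceptions"]:
        print("EXCEPT unit %d rejected %s with exception code %s" % (unit, FUNCTION_NAMES[fc], code))
```

The survey shows units 1 and 2 as active, the write to coil 7 on unit 1 and the illegal-function exception from unit 2. The same parsing serves both sides described in the text: an attacker on the segment uses it to enumerate targets and pick function codes to replay, while a monitoring sensor uses it to alert on writes from unexpected hosts and on bursts of exception responses, which is the cheapest detection available on a protocol that offers no authentication of its own.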
V. ATTACK CAMPAIGNS

The exploits that have been introduced in section IV have been used in attack campaigns against industrial players. We found that there were two noteworthy kinds of attacks:
• Spearphishing campaigns against employees and
• Attacks on the industrial infrastructure
Phishing and spearphishing are common practices for malicious adversaries intending to gain insight into company secrets by gaining access to the office IT infrastructure and stealing data. A timeline of known spearphishing campaigns with an industrial background is shown in figure 5. In phishing, unsuspecting victims are sent emails with malicious content, oftentimes a link to a website that is infected with malware [57]. Attachments with malicious content are another common form of phishing [57]. The chances of an attacker getting a victim to follow the link can be increased by personalising the email. This is a form of "social engineering" [57]; the application of phishing to selected targets with highly adapted content is called "spearphishing".

• 3: The malware targets software related to ICS projects
• 4: The malware targets PLCs and other native devices and protocols
In addition to that, the presumed purpose, the affected ICS and the CVEs that were used in the exploit are listed. Slammer and Conficker were computer worms that also infected a nuclear power station [65] and air force installations in France and Germany [66], respectively. Stuxnet [35] is one of the most renowned pieces of industrial malware. It was aimed at Iranian nuclear enrichment facilities but, due to programming errors, also infected other systems and was therefore discovered. It used several different 0-day exploits, depending on the operating system it encountered, and showed a deep understanding of Siemens S7-300 PLCs. Duqu and Duqu 2.0 [67], [68] were used for spying on industrial project documents. Shamoon and Shamoon 2.0 [69] were intended to sabotage the Saudi Arabian oil industry. Stuxnet 0.5 [70] was also aimed at sabotaging Iranian nuclear enrichment facilities by infecting Siemens S7 PLCs (the S7-417 rather than the S7-300 family). It was deployed before Stuxnet but found later, owing to its different propagation mechanism. Havex [62] infected the European energy industry and spied on confidential information. BlackEnergy and Industroyer [71] were aimed at the Ukrainian power grid. The major blackouts of December 2015 and December 2016 in Ukraine are attributed to BlackEnergy and Industroyer, respectively.