Re: Pen-testing Simatic Data Aquisition Periphery e.g. PLC S5 orS7

From: Patrick Coomans (Patrick.Coomans@4all.be)
Date: 09/28/01


Message-Id: <sbb4ceb2.077@mail.4all.be>
Date: Fri, 28 Sep 2001 19:25:32 +0200
From: "Patrick Coomans" <Patrick.Coomans@4all.be>
To: <PEN-TEST@SECURITYFOCUS.COM>
Subject: Re: Pen-testing Simatic Data Aquisition Periphery e.g. PLC S5 orS7


 
Have you already tried launching a DoS attack against an Allen Bradley PLC? I only have Simatic PLCs here with me to play with.
 
 
Thx,
Patrick

>>> "Nasir Farhat Khan" <nasir@instecdigital.com> 28/09/01 07:52 >>>
If the PLC is on TCP/IP you can check whether it supports SNMP. Some of the
PLCs use SNMP for management. We have seen Allen Bradley
devices popping up with SNMP management turned on in one of our pentests.

One more possibility is that you can get hold of the PC programs that are
used to program the PLCs, i.e. the Loader or Ladder Logic/Graphic programming
software. Since most of the PLCs have little or no authentication barriers in terms of
login names and passwords, you can get hold of the running configuration etc.

IMPORTANT:

DO NOT TRY this in a production environment. PLCs are used to control
production equipment (machinery) and the consequences can be very dangerous and
life-threatening.

Nasir Farhat Khan
nasir@instecdigital.com
Instec Digital Systems - PAKISTAN

www.instecdigital.com

----- Original Message -----
From: "Patrick Coomans" <Patrick.Coomans@4all.be>
To: <pen-test@securityfocus.com>
Sent: Tuesday, September 25, 2001 11:14 PM
Subject: Pen-testing Simatic Data Aquisition Periphery e.g. PLC S5 orS7

I have a project for which I will have to pen-test Siemens PLCs that drive
production processes and do data acquisition.

Is there anyone who has literature on this or done this before?

The PLCs use TCP/IP so that will be the first thing I will go for, but most
of the PLCs are simply connected to a proprietary bus system (e.g. Interbus)
which in turn is connected to a PC. So attacking the "Data Acquisition and
Visualisation PC" as a backdoor to the PLC would be my second option.

Thanks,
Patrick

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
