ICS/SCADA Security - Analysis of a Beckhoff CX5020 PLC

Gregor Bonney, Hans Hoefken, Benedikt Paffen, Marko Schuba

2015

Abstract

A secure and reliable critical infrastructure is a concern of industry and governments. SCADA systems (Supervisory Control and Data Acquisition) are a subgroup of ICS (Industrial Control Systems) and known to be well interconnected with other networks. It is not uncommon to use public networks as transport route but a rising number of incidents of industrial control systems shows the danger of excessive crosslinking. Beckhoff Automation GmbH is a German automation manufacturer that did not have bad press so far. The Beckhoff CX5020 is a typical PLC (Programmable Logic Controller) that is used in today’s SCADA systems. It is cross-linked through Ethernet and running a customized Windows CE 6.0, therefore the CX5020 is a good representative for modern PLCs which have emerged within the last years that use de facto standard operation systems and open standard communication protocols. This paper presents vulnerabilities of Beckhoff’s CX5020 PLC and shows ways to achieve rights to control the PLC program and the operation system itself. These vulnerabilities do not need in-depth knowledge of penetration testing, they demonstrate that switching to standard platforms brings hidden features and encapsulating SCADA protocols into TCP/IP might not always be a good idea – underlining that securing ICS systems is still a challenging topic.

References

  1. Beckhoff Information System, Scenario: ADS connection through a firewall, viewed 5 November 2014, from http://infosys.beckhoff.com/english.php?content=./con tent/1033/tcremoteaccess/html/tcremoteaccess_firewal l.html&id=.
  2. Beckhoff Information System, TcWebAccess: Web based diagnostic and configuration interface, viewed 5 November 2014, from http://infosys.beckhoff.de/ english.php?content=./content/1033/sw_os/html/CX10 00_TcWebAccess.htm&id=.
  3. European Network and Information Security Agency, 2011a, Protecting industrial control systems: Annex V, Heraklion, from https://www.enisa.europa.eu/act/res/ other-areas/ics-scada/annex-v.
  4. European Network and Information Security Agency, 2011b, Protecting industrial control systems, Heraklion, from https://www.enisa.europa.eu/act/res/ other-areas/ics-scada/protecting-industrial-controlsystems.-recommendations-for-europe-and-memberstates.
  5. European Network and Information Security Agency, 2011c, Protecting industrial control systems: Annex I, Heraklion, from https://www.enisa.europa.eu/act/res/ other-areas/ics-scada/annex-i.
  6. Knapp, E., 2011, Industrial network security: Securing critical infrastructure networks for Smart Grid, SCADA , and other industrial control systems, Elsevier/Syngress, Amsterdam.
  7. Krutz, R.L., 2006, Securing SCADA systems, Wiley Pub, Indianapolis, IN, from http://site.ebrary.com/lib/ alltitles/docDetail.action?docID=10305459.
  8. Marlinspike, M., 2013, Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate, viewed 5 November 2014, from https://www.cloudcracker.com/ blog/2012/07/29/cracking-ms-chap-v2/.
  9. SHODAN, 2014, Computer Search Engine, viewed 4 November 2014, from http://www.shodanhq.com/.
  10. Trend Micro Incorporated, 'The SCADA That Didn't Cry Wolf: Who's Really Attacking Your ICS Equipment? (Part 2)78, viewed 4 November 2014, from http://apac.trendmicro.com/cloudcontent/apac/pdfs/security-intelligence/whitepapers/wp-the-scada-that-didnt-cry-wolf.pdf.
  11. ZMap, 2014, The Internet Scanner, viewed 4 November 2014, from https://zmap.io/.
Download


Paper Citation


in Harvard Style

Bonney G., Hoefken H., Paffen B. and Schuba M. (2015). ICS/SCADA Security - Analysis of a Beckhoff CX5020 PLC . In Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-081-9, pages 137-142. DOI: 10.5220/0005330101370142


in Bibtex Style

@conference{icissp15,
author={Gregor Bonney and Hans Hoefken and Benedikt Paffen and Marko Schuba},
title={ICS/SCADA Security - Analysis of a Beckhoff CX5020 PLC},
booktitle={Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2015},
pages={137-142},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005330101370142},
isbn={978-989-758-081-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - ICS/SCADA Security - Analysis of a Beckhoff CX5020 PLC
SN - 978-989-758-081-9
AU - Bonney G.
AU - Hoefken H.
AU - Paffen B.
AU - Schuba M.
PY - 2015
SP - 137
EP - 142
DO - 10.5220/0005330101370142