ICS/SCADA Security

A secure and reliable critical infrastructure is a concern of industry and governments. SCADA systems (Supervisory Control and Data Acquisition) are a subgroup of ICS (Industrial Control Systems) and known to be well interconnected with other networks. It is not uncommon to use public networks as transport route but a rising number of incidents of industrial control systems shows the danger of excessive crosslinking. Beckhoff Automation GmbH is a German automation manufacturer that did not have bad press so far. The Beckhoff CX5020 is a typical PLC (Programmable Logic Controller) that is used in today’s SCADA systems. It is cross-linked through Ethernet and running a customized Windows CE 6.0, therefore the CX5020 is a good representative for modern PLCs which have emerged within the last years that use de facto standard operation systems and open standard communication protocols. This paper presents vulnerabilities of Beckhoff’s CX5020 PLC and shows ways to achieve rights to control the PLC program and the operation system itself. These vulnerabilities do not need in-depth knowledge of penetration testing, they demonstrate that switching to standard platforms brings hidden features and encapsulating SCADA protocols into TCP/IP might not always be a good idea – underlining that securing ICS systems is still a challenging topic.