Supervising the Supervisor: Reversing Proprietary SCADA Tech

SCADA (Supervisory Control And Data Acquisition) can be found in the core of many critical infrastructures, such as nuclear plants, water distribution circuits or alarm systems.

This presentation is a security study on recent, proprietary and state-of-the-art SCADA technologies. We will focus on the methodology we followed to reach our goals, as well as on some techniques we used covering fuzzing, black-box and white-box reverse-engineering.

We chose to focus on proprietary products from one specific vendor which are meant to be secure. In particular, the industrial protocol used. Our aim was both to validate the robustness of the security mechanisms offered and to retrieve the protocol’s specification. The protocol we will be talking about has two versions: an older, insecure one, whose specification is partly known, and the newer spec, offering enhanced security features, whose specification is not publicly known.

This study is still on going, but has already raised two vulnerabilities in the supervision program, including one allowing an attacker to steal any authenticated session of the proprietary industrial protocol used. Our talk will also cover obfuscated cryptographic algorithm analysis and an in-depth look at the PLC firmware itself.