Hackers of India

How I Pwned the ICS data during my internship

Shail Patel

2020/10/07

Abstract

As part of my summer graduate internship, I was hired by NREL as a cybersecurity intern to perform security evaluations on a grid-based ICS network. There was a need to develop, validate and deploy a unique and innovative architecture that comprehensively addresses the challenges associated with the proliferation of high-penetration distributed PV systems, such as reverse power flows, feeder load balancing and voltage stability. Considering this type of architecture, which includes an Advanced Distribution Management System (ADMS), a Beaglebone pi controller, a Real-Time Automation Controller (RTAC), a Grid Edge Management System (GEMS), a local Python script that communicates between these devices, and unencrypted communication protocols like Modbus and DNP3, there was a need to perform vulnerability assessments on these devices to test the confidentiality and integrity of the data flowing between them. Thus, I performed packet capture analysis, vendor device analysis and local NREL device analysis on them and observed interesting results.

Pentesting disclosed various bugs and loopholes resulting from the use of insecure protocols like Modbus and DNP3. Some of the classic examples I discovered are default credentials for the inverter, LFI in the BeagleBone image, lots of open network ports, capacitor bank statuses, and lots of plaintext values in the communication model. I also devised measures to protect the DNP3 and Modbus data in transit, which I will introduce in this talk. Thus, the purpose of this talk is to focus on the need to secure ICS/SCADA data, which has no built-in security and poses challenges.