SCADA - weakness analysis

Note imported from Inbox during bulk consolidation.

1. Understand the Security Model

"Security Triad: availability, integrity, confidentiality"

  • SCADA/EMS systems prioritize availability, which implies:
    • Systems may prioritize uptime over strict security.
    • You can explore denial of service vectors as they often cause panic.
    • Security patches may be delayed due to fear of downtime — hunt for known unpatched CVEs.

2. Infrastructure Clues to Explore

“VPN connections should terminate in the DMZ zone”

  • If VPNs terminate in DMZ:
    • Look for poorly segmented DMZs — lateral movement is possible.
    • Misconfigured firewall rules could allow pivoting into internal zones.
    • Misuse of split tunneling could allow external access to internal services.

“Connection via proprietary protocols to Purdue Level 2 (OT) DCS systems”

  • Proprietary protocols = often underprotected or poorly monitored.
  • Target those protocols for fuzzing or MITM.
  • Check for insufficient authentication or encryption on OT communications.

“Encrypted transmission via SSL”

  • What version? SSL 2.0/3.0? TLS 1.0? ➜ Try downgrade attacks or cipher suite enumeration.
  • Could be vulnerable to Heartbleed, POODLE, etc.
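A defender's counterpart to the version and cipher question above: the check that matters is what the server actually negotiates, which is visible in the ServerHello. The following parser is an added example, not code from the original note; it reads a ServerHello record from a capture, resolves the real version (TLS 1.3 hides it in the supported_versions extension) and flags deprecated protocols and an illustrative subset of weak suites. The builder function and the sample records are constructed for offline use, not captured from any real host.

```python
import struct
from typing import Optional

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED_VERSIONS = {0x0300, 0x0301, 0x0302}
# Illustrative subset of IANA cipher suite values a reviewer would not want negotiated.
WEAK_CIPHER_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL", 0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return the negotiated
    version, cipher suite and the findings a reviewer should act on."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 0
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # server random
    sid_len = hs[pos]; pos += 1 + sid_len       # session id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 1                                    # compression method
    # A TLS 1.3 server sends legacy_version 0x0303 and the real version in an extension.
    if pos + 2 <= len(hs):
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            ext_data = hs[pos:pos + ext_len]; pos += ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
                version = struct.unpack("!H", ext_data)[0]
    findings = []
    if version in DEPRECATED_VERSIONS:
        findings.append(f"deprecated protocol negotiated: {VERSION_NAMES.get(version, hex(version))}")
    if cipher in WEAK_CIPHER_SUITES:
        findings.append(f"weak cipher suite negotiated: {WEAK_CIPHER_SUITES[cipher]}")
    return {"version": VERSION_NAMES.get(version, hex(version)),
            "cipher_suite": cipher, "findings": findings}

def build_server_hello(version: int, cipher: int, supported_version: Optional[int] = None) -> bytes:
    """Constructed ServerHello record for offline testing (not real captured traffic)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    exts = b""
    if supported_version is not None:
        exts = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, supported_version)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", 0x0303) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(parse_server_hello(build_server_hello(0x0301, 0x0005)))          # legacy: two findings
    print(parse_server_hello(build_server_hello(0x0303, 0x1301, 0x0304)))  # TLS 1.3: clean
```

Run it against records extracted from a capture of the VPN or DMZ listeners; a server that still negotiates TLS 1.0 or an RC4/3DES suite for any client is the finding, regardless of what its configuration file claims.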

3. Potential Control Weaknesses from the Requirements List

Look for "must" or "should" language — it hints at aspirational controls rather than guaranteed enforcement:

OC-23: “Identification of local accounts not centrally managed”

  • Look for orphaned local accounts — ideal for persistence.
  • Suggests that local accounts still exist → brute-force, pass-the-hash, or password spraying potential.

OC-25: “Accounts must be centrally managed by an IdP”

  • Centralized IdP implies SSO/SAML/OAuth2 in place — possibly exploitable.
  • Check for SSO misconfig, token replay, ID token manipulation (JWT-related).
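What an IdP-backed relying party has to get right to close the token-manipulation avenues listed above: pin the expected algorithm, check the signature before reading any claim, and enforce audience and expiry. The validator below is an added example written for this note, not code from the original or from any named IdP product; it uses only the standard library, and the key, audience and claim values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

class TokenRejected(Exception):
    """Carries the reason a token failed, which doubles as the alert text."""

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_hs256(token: str, key: bytes, audience: str, now: Optional[float] = None) -> dict:
    """Validate a JWT in the order a relying party should: algorithm pin,
    signature, audience, expiry. Claims are returned only if all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise TokenRejected("malformed header")
    # The verifier decides the algorithm; the token never does (rejects "none" and confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("signature mismatch")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenRejected("malformed payload")
    if claims.get("aud") != audience:
        raise TokenRejected("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("token expired or missing exp")
    return claims

def check_token(token: str, key: bytes, audience: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Wrapper returning (accepted, reason) so outcomes can be logged uniformly."""
    try:
        verify_hs256(token, key, audience, now)
        return True, "ok"
    except TokenRejected as exc:
        return False, str(exc)

def issue_hs256(claims: dict, key: bytes) -> str:
    """Test-only issuer (the IdP side) used to produce a valid token for the demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed; a real key comes from the IdP config
    good = issue_hs256({"sub": "operator1", "aud": "scada-portal", "exp": 2_000_000_000}, key)
    print(check_token(good, key, "scada-portal", now=1_900_000_000))   # (True, 'ok')
    print(check_token(good, key, "other-app", now=1_900_000_000))      # audience mismatch
    print(check_token(good, key, "scada-portal", now=2_100_000_000))   # expired
```

The order of the checks is the point: a validator that parses claims before verifying the signature, or that honours the algorithm named inside the token, is the misconfiguration the note is looking for. Each rejection reason is a distinct event worth alerting on at the IdP or application log.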

OC-61: “Sensitive and personal information from production must not be used in test environments without treatment”

  • Translation: sensitive data probably exists in test environments — maybe anonymized poorly or not at all.
  • Test environments = less monitoring + weaker controls → great for Red Team pivoting.

4. Operational Weaknesses to Test

OC-15: “Audit event logs must be immutable”

  • Is immutability enforced with WORM, secure logging, or not at all?
  • Tamper with logs silently to test effectiveness.
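What "immutable" can mean in practice, and what a tamper test against it should detect: the added example below (not code from the original note) implements a hash-chained audit log where every entry is keyed to the one before it. Edits, deletions and reordering break the chain; the example also shows the limit of the technique, since silently truncating the tail does not, which is why the latest hash has to be anchored somewhere the audited system cannot write (WORM storage or a separate collector). The events and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = b"\x00" * 32  # previous-hash value for the first entry

def _entry_hash(prev_hash: bytes, record: dict, key: bytes) -> bytes:
    """HMAC over (previous hash || canonical JSON of the record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash + payload, hashlib.sha256).digest()

def append_entry(chain: List[dict], record: dict, key: bytes) -> dict:
    """Append a record, linking it to the hash of the entry before it."""
    prev = bytes.fromhex(chain[-1]["hash"]) if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "hash": _entry_hash(prev, record, key).hex()}
    chain.append(entry)
    return entry

def verify_chain(chain: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, index of the first bad entry).
    Detects in-place edits, deletions and reordering; truncation of the tail is only
    caught by comparing latest_hash() with an externally stored anchor."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, i
        expected = _entry_hash(prev, entry["record"], key)
        if not hmac.compare_digest(expected, bytes.fromhex(entry["hash"])):
            return False, i
        prev = expected
    return True, None

def latest_hash(chain: List[dict]) -> str:
    """The value to ship to a store the audited system cannot modify."""
    return chain[-1]["hash"] if chain else GENESIS.hex()

def build_sample_chain(key: bytes) -> List[dict]:
    """Constructed audit events (not from any real system) for the demonstration."""
    chain: List[dict] = []
    for rec in (
        {"ts": "2025-03-25T16:38:00Z", "user": "op1", "action": "login", "host": "hmi-01"},
        {"ts": "2025-03-25T16:40:12Z", "user": "op1", "action": "setpoint_write", "host": "plc-07"},
        {"ts": "2025-03-25T16:41:03Z", "user": "op1", "action": "logout", "host": "hmi-01"},
    ):
        append_entry(chain, rec, key)
    return chain

if __name__ == "__main__":
    key = b"constructed-log-signing-key"     # constructed; must not live on the audited host
    chain = build_sample_chain(key)
    anchor = latest_hash(chain)
    print("intact:", verify_chain(chain, key))
    chain[1]["record"]["action"] = "read"    # a silent edit of one entry
    print("after edit:", verify_chain(chain, key))
    print("tail dropped, chain still verifies:", verify_chain(build_sample_chain(key)[:-1], key))
    print("but anchor no longer matches:", latest_hash(build_sample_chain(key)[:-1]) != anchor)
```

If the HMAC key is readable on the host that writes the log, an attacker with that access can recompute the chain; the key and the anchor are what turn this from an integrity format into an enforced control, which is the distinction the OC-15 question is really about.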

OC-187: “Credential management procedure”

  • Procedures ≠ enforcement.
  • Password policy enforcement can be tested: weak passwords, password reuse, etc.
  • Is password rotation actually happening?

OC-189: “Change management procedure”

  • Opportunity to simulate insider or admin-like activity and see if it goes unnoticed.
  • E.g., modify services or scripts under the radar.

5. Artifact Recon: Logs, Backups, and Recovery

“Backups should be stored offline…”

  • Are they really offline?
    • Look for network-accessible "offline" shares.
    • Target backups with ransomware simulation or file destruction scenarios.

“All platforms must be hardened”

  • Challenge: determine if hardening is consistent across all environments (test/dev/staging/prod).
  • Compare banner grabs, default services, open ports — any inconsistency = attack surface.

6. Next Steps for Red Team Engagement Planning

🔧 Recon / OSINT Phase

  • Look for exposed systems in DMZ using Shodan, Censys, etc.
  • Identify OT-related ports/protocols (e.g., 102 for Siemens S7, MODBUS on 502).
  • Grab SSL certs — analyze for weak ciphers or self-signed.

Attack Planning

  • Phishing campaigns targeting IT/OT operators — likely undertrained in SCADA.
  • Lateral movement testing: once in DMZ or lower-level zone, pivot upward to SCADA or IdP.
  • Privilege escalation: abuse local admin accounts (OC-23 hint).
  • Data exfiltration testing: simulate accessing test environments with real production data.

Tools

  • BloodHound for identity mapping (especially for IdP-based environments).
  • Responder/NTLM relay for network-based attacks if SMB/LDAP in use.
  • Impacket, CrackMapExec, SharpHound for Active Directory abuse.
  • Nmap NSE or SCADA-specific tools (like modscan, S7comm-reader) for OT targeting.

PART 1: Threat Modeling Map (STRIDE-Based)

| Category | Threat | Target Asset | Possible Weakness | Red Team Focus |
|---|---|---|---|---|
| Spoofing | Identity impersonation | IdP, SSO tokens (SAML/JWT) | Weak or misconfigured identity federation | JWT tampering, token replay |
| Tampering | Log manipulation | Centralized log repository | Weak log integrity or immutability | Modify or delete logs post-exploit |
| Repudiation | Undetectable actions | Admin actions, test data usage | Weak audit trail or lack of alerting | Simulate insider threat |
| Information Disclosure | Leak of sensitive data | Test environments, backups | Production data reused in dev/test | Exfiltrate test environment data |
| Denial of Service | Loss of availability | SCADA/EMS, VPN, IdP | Prioritization of availability over security | Flood DMZ, disable VPN endpoints |
| Elevation of Privilege | Lateral escalation | Local accounts, OT protocols | Orphaned local users, default credentials | Privilege escalation & pivot to OT |

PART 2: Red Team Checklist / Playbook

Pre-Engagement Recon

  • Identify exposed systems in DMZ (VPN, Web, SSH, etc.)
  • Enumerate SSL/TLS versions and cipher suites
  • Search for Siemens Spectrum Power fingerprints (e.g., via Shodan)
  • Fingerprint OT protocol endpoints (MODBUS, S7Comm, DNP3)
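The OT protocol endpoints named here and in the recon list above (Modbus on 502, S7 on 102) are also where a defender gets the clearest signal: Modbus/TCP carries no authentication, so the monitoring question is which hosts issue write and diagnostic function codes. The following is an added example, not code from the original note or any SCADA vendor; it parses the MBAP header, classifies the function code, and alerts on writes or diagnostics from outside an allowlist of engineering hosts and on exception responses (a PLC rejecting requests). The frames, addresses and allowlist are constructed for the demonstration.

```python
import struct
from typing import List, Set

# Function codes that change process state or PLC configuration (values per the Modbus spec).
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
DIAGNOSTIC_FUNCTIONS = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code of one Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txn, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:           # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"txn": txn, "unit": unit, "function": frame[7], "data": frame[8:]}

def assess(src_ip: str, dst_ip: str, frame: bytes, engineering_hosts: Set[str]) -> List[str]:
    """Return alert strings for one frame; an empty list means expected traffic."""
    pdu = parse_modbus_tcp(frame)
    fc = pdu["function"]
    where = f"{src_ip} -> {dst_ip} unit {pdu['unit']}"
    alerts = []
    if fc in WRITE_FUNCTIONS and src_ip not in engineering_hosts:
        alerts.append(f"{where}: {WRITE_FUNCTIONS[fc]} (FC {fc}) from a non-engineering host")
    if fc in DIAGNOSTIC_FUNCTIONS and src_ip not in engineering_hosts:
        alerts.append(f"{where}: {DIAGNOSTIC_FUNCTIONS[fc]} (FC {fc}) from a non-engineering host")
    if fc & 0x80:                           # exception response: the server rejected a request
        code = pdu["data"][0] if pdu["data"] else None
        alerts.append(f"{where}: exception response to FC {fc & 0x7F} (exception code {code})")
    return alerts

# Constructed frames (not captured traffic): MBAP header, unit id, function code, data.
READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"   # FC3, 10 registers from 0
WRITE_COIL   = b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"   # FC5, coil 1 -> ON
EXCEPTION    = b"\x00\x03\x00\x00\x00\x03\x01\x83\x02"               # FC3 rejected, illegal data address
ENGINEERING_HOSTS = {"10.10.0.5"}   # assumed allowlist of hosts permitted to write

def run_sample() -> List[str]:
    """Evaluate a constructed traffic sample; returns every alert raised."""
    traffic = [
        ("10.10.0.5",  "10.30.0.1",  READ_HOLDING),  # HMI polling: expected
        ("10.10.0.5",  "10.30.0.1",  WRITE_COIL),    # write from the engineering station: allowed
        ("10.20.0.77", "10.30.0.1",  WRITE_COIL),    # write from an unexpected host: alert
        ("10.30.0.1",  "10.20.0.77", EXCEPTION),     # PLC rejecting a request: alert
    ]
    alerts = []
    for src, dst, frame in traffic:
        alerts.extend(assess(src, dst, frame, ENGINEERING_HOSTS))
    return alerts

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Fed from a span port on the Level 2 segment, this is the minimum a team should be able to answer before a red team arrives: which hosts have ever written to which units, and whether any PLC is returning exceptions to a host that has no business talking to it.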

Credential & Identity Targeting

  • Enumerate IdP interfaces (AD FS, Keycloak, Okta, etc.)
  • Attempt token tampering or SSO misconfig attacks (JWT/SAML fuzzing)
  • Look for orphaned/local accounts on endpoints
  • Attempt password reuse, spraying, or brute force attacks

Lateral Movement

  • Pivot from DMZ to internal networks via misconfigured firewall rules
  • Exploit weak segmentation to reach Purdue Level 2/SCADA
  • Abuse any shared service accounts between zones
  • Check for hardcoded credentials in backup/test artifacts

Data Exfiltration / Access

  • Target test environments likely containing prod data (OC-61)
  • Identify sensitive files in backup locations (OC-68)
  • Simulate exfiltration over allowed protocols (HTTPS, DNS tunneling)

Persistence & Defense Evasion

  • Deploy stealthy services/scripts mimicking legitimate processes
  • Tamper with logs and test immutability controls (OC-15)
  • Inject backdoors into systems and mimic regular user behavior

Disruption / Impact Testing

  • Attempt targeted DoS on DMZ VPN concentrators
  • Try disabling key monitoring systems
  • Simulate ransomware-style attack on backup locations

PART 3: Simulated Attack Paths (Example Scenarios)

Path 1: DMZ to Internal Lateral Movement

Initial Access (Phishing / VPN) 
→ DMZ Jump Host 
→ Weak Firewall Segmentation 
→ Internal AD Join 
→ Service Account Compromise 
→ Access to SCADA/OT via proprietary protocol tunnel

Path 2: Sensitive Data Exfil from Test Environments

Dev Environment Web Server (via Shodan) 
→ Directory Traversal or RCE Exploit 
→ Discover reused prod data (OC-61 fail) 
→ Archive & exfil via DNS or HTTPS 
→ Clear logs (OC-15 bypass attempt)

Path 3: Identity Provider Exploitation

Public-Facing IdP Login Portal 
→ Token Replay or JWT Injection (OC-25 weakness) 
→ Admin Panel Access 
→ Privilege Escalation 
→ Local Account Discovery (OC-23) 
→ Dump secrets / Pivot to internal infrastructure

Path 4: Backup Compromise and Persistence

DevOps Share / NFS / SMB Backup Share 
→ Mount + Discover Archive Files 
→ Inject Reverse Shell or Malicious Script 
→ Persistence on Backup System 
→ Trigger During Scheduled Restore / Backup Cycle

MITRE ATT&CK Tactic Alignment:

| Step | Tactic | Technique Example |
|---|---|---|
| Initial Access (Phishing/VPN) | Initial Access | [T1078] Valid Accounts, [T1566] Phishing |
| DMZ Jump Host | Execution | [T1059] Command and Scripting Interpreter |
| Weak Firewall Segmentation | Defense Evasion | [T1562.004] Disable or Modify System Firewall |
| Internal AD Join | Persistence | [T1136.002] Create Account |
| Service Account Compromise | Credential Access | [T1003] OS Credential Dumping |
| SCADA/OT Access | Impact | [T1499] Endpoint Denial of Service, [T1485] Data Destruction |

Themes