PLC Security

This morning, at our S4 Conference, Reid Wightman gave a detailed two-hour presentation on the Project Basecamp results. Project Basecamp had six great researchers looking for vulnerabilities in six different PLCs / field devices, and the PLCs took a beating. There were backdoors, weak credential storage, the ability to change ladder logic and firmware, command line interfaces, overflows galore, TFTP for important files and so much more.

Digital Bond’s S4 has us flat out this week, so we will be blogging about this in detail next week, but here are some of the Basecamp basics.

The Basecamp team:

  • Reid Wightman (project lead)
  • Dillon Beresford
  • Jacob Kitchel
  • Ruben Santamarta
  • Anonymous Researcher 1
  • Anonymous Researcher 2

The devices:

  • Control Microsystems SCADAPack (bricked early on)
  • General Electric D20ME
  • Koyo / Direct LOGIC H4-ES
  • Rockwell Automation / Allen-Bradley ControlLogix
  • Rockwell Automation / Allen-Bradley MicroLogix
  • Schneider Electric Modicon Quantum
  • Schweitzer SEL-2032

The results:

Project Basecamp

The Basecamp Tools:

As we have said in earlier blogs, we are hoping that Project Basecamp will be a Firesheep moment for PLCs. To that end we are working with Rapid 7 to release Metasploit modules for the Basecamp vulnerabilities. There is a press release out now that announces the GE D20 Password Retrieval module, available today, and a number of other Basecamp modules are in process and will be released soon.

We have also worked with Tenable Network Security to create Nessus and PVS plugins. A joint press release went out today at 11AM and the plugins are available in the Nessus feed.

Thanks to the Basecamp team, who volunteered many hours, including Reid, who seemed to be working about 20 hours a day the last few weeks.