SCADA Hacking: Monitoring SCADA Pages with Splunk

SCADA sites are among the most vulnerable targets out there. They include industrial control systems, water treatment plants, nuclear power plants, the power grid and almost every other kind of industrial facility. These sites are likely targets in any cyber war or, even worse, in a terrorist attack.


Although we have seen a few terrorist attacks in recent years, a cyber-terrorist attack against a SCADA site would overshadow them in potential significance. Remember the 1982 Bhopal disaster in India? That industrial accident reportedly killed over 16,000 people and injured over 500,000 others. If cyber terrorists were able to attack, disable, DoS or manipulate such a factory, the death toll could be staggering.

SCADA site security

There are many ways to secure a SCADA site. The two basic rules for securing such a location are as follows:

(1) isolate the SCADA system from the corporate network and from any other network;

(2) patch all systems.

As simple as these two rules sound, they are much easier to say than to do.

Using Splunk in SCADA

Splunk is a great tool for monitoring your IT network: it aggregates all of your machine data into a single repository that you can search and monitor. Unfortunately, it will not do the same for your SCADA system out of the box. The problem is that SCADA protocols are unique and in some cases proprietary, and Splunk is not built to read this machine data. These protocols include Modbus, Profinet, DNP3 and more.

Fortunately, a company called Kepware has developed a plug-in for Splunk that lets us use Splunk in a SCADA environment. One of the protocols common to SCADA is OPC. Kepware's server, together with its Splunk plug-in, pulls the data from the SCADA/ICS environment, converts it to ASCII data pairs and feeds it to Splunk.


In OPC terminology, the Kepware server/plug-in is an OPC client, because it requests data from the SCADA devices; the devices, since they hold the data, are the “servers”.

The key to using Splunk with SCADA/ICS is data collection. Before going any further we need to configure Splunk to receive data on a TCP port. Start Splunk, go to Add Data -> Monitor, then click TCP / UDP in the left menu; a screen like the one below opens.


Select a port for Splunk to listen on. Which port does not matter, but avoid commonly used ones. On this port Splunk will receive the SCADA/ICS data from the Kepware plug-in.

Now, for the data collection we need a Kepware plug-in for Splunk called IDF, the Industrial Data Forwarder. We can get the plug-in at https://info.kepware.com/opc-foundation-kepserverex-download, as shown below.


After signing up, download IDF for Splunk.


Follow the steps of the Kepware wizard.


For demonstration purposes, let's select the “Oil and Gas” suite. With this suite selected, Kepware loads the appropriate drivers for devices commonly used in that industry.


Then click the Next button.

Then click Next, Next again, and Install.

And finally, click the Finish button.

To start Kepware Server, click the Kepware Server icon, or open it from the Start menu under programs; Kepware Server opens as shown below.


Now, click Help -> Support Information -> Releases. There you will see all installed drivers and plug-ins with their version numbers.


Kepware uses OPC, or Open Productivity and Connectivity (a protocol developed by Microsoft in the 1990s on top of DCOM and now open), to collect device information. It is a client/server technology: one application acts as the server and another as the client.

An OPC server can exchange data continuously between PLCs on the plant floor, RTUs in the field, HMI workstations and software applications on desktop computers. This arrangement enables continuous real-time communication even when the hardware and software come from different vendors.

We can open the OPC Quick Client in Kepware by going to Tools -> Launch OPC Quick Client.


This opens the OPC “client”, as shown below.


This is how Kepware collects the information that can then be used with Splunk for analysis. Once Kepware Server has collected the data and converted it to ASCII pairs, the data can be imported directly into Splunk and analyzed like any other, including with Splunk's search processing language.
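To make that last step concrete, here is an added example (my own code, not Kepware's or Splunk's) of the kind of monitoring rule one would run over the forwarded data once it reaches Splunk's TCP input: it parses ASCII key/value lines and flags tag reads with bad quality or values outside their engineering limits. The line layout, field names, tag names and limits are constructed assumptions; Kepware's real IDF output may be laid out differently.

```python
import re
from typing import Dict, List

# Constructed sample of what the TCP input might receive: one ASCII line of
# key="value" pairs per OPC tag update. The field names are an assumption,
# not Kepware's documented IDF layout.
SAMPLE_LINES = """\
timestamp="2024-01-01T10:00:00Z" tag="Channel1.Pump1.Pressure" value="42.5" quality="Good"
timestamp="2024-01-01T10:00:05Z" tag="Channel1.Pump1.Pressure" value="97.0" quality="Good"
timestamp="2024-01-01T10:00:10Z" tag="Channel1.Tank1.Level" value="0" quality="Bad"
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Engineering limits an operator would configure per tag (constructed values).
LIMITS = {"Channel1.Pump1.Pressure": (10.0, 80.0), "Channel1.Tank1.Level": (5.0, 95.0)}


def parse_line(line: str) -> Dict[str, str]:
    """Split one forwarded line into its key/value fields."""
    return dict(PAIR_RE.findall(line))


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event should raise an alert (empty if none)."""
    reasons = []
    # Anything but Good means the OPC server could not read the device reliably:
    # a lost link, a faulty PLC, or interference on the control network.
    if event.get("quality") != "Good":
        reasons.append(f"quality={event.get('quality')}")
    try:
        value = float(event.get("value", ""))
    except ValueError:
        return reasons + ["non-numeric value"]
    lo, hi = LIMITS.get(event.get("tag", ""), (float("-inf"), float("inf")))
    if not lo <= value <= hi:
        reasons.append(f"value {value} outside [{lo}, {hi}]")
    return reasons


def alerts_for(raw: str) -> List[Dict[str, str]]:
    """Run every line through the rule; each hit is what a Splunk alert would carry."""
    out = []
    for line in raw.splitlines():
        if line.strip():
            event = parse_line(line)
            reasons = check_event(event)
            if reasons:
                out.append({**event, "reasons": "; ".join(reasons)})
    return out
```

In Splunk itself the same rule would be a saved search over the TCP input's sourcetype with the extracted fields; the Python above is only a stand-in so the logic can be exercised offline.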


Written by Anastasis Vasileiadis
