SCADA systems used on oil rigs and other areas of the oil industry are using outdated networking protocols that can easily be compromised, SCADA experts told attendees at the Black Hat security conference.
Attackers can cause an oil tank to nearly overflow by sending spoofed commands to the programmable logic controller, Brian Meixell and Ercik Forner, researchers from Cimation, told attendees on Thursday. In a live demonstration, Meixell and Forner sent commands to a simulated model of an oil well and a pump to switch to “high” and spill the oil. The team also sent fake data using several Python scripts, making the system think the pump was empty when it was actually close to overflowing.
“So you can have the operator seeing something entirely different than what’s happening in the process, causing the pipe to burst and the tank to overflow,” Forner told attendees. “The operator would see the tank levels decreasing, when in fact they were increasing.”
The duo also hacked the remote terminal unit’s HMI and cause a game of Solitaire to appear on the screen at the conclusion of the talk.
Unlike previously disclosed issues in SCADA systems, Forner and Meixell didn’t exploit any specific security flaws of vulnerabilities in the systems for their attack. This hack relies entirely on the fact that there is no security built-in to the serial Modbus/TCP networking protocol. Dating back to the 1970s, Modbus operates on port 502, and has “no authentication or security at all desgigned into it,” Forner said.
The SCADA system is sending packets over the network without any kind of authentication and using scripts to send remote commands to the PLC devices. The researchers were able to disable logic designed to detect the status of the pump and make it work opposite to what it was supposed to do.
Forner and Meixell are familiar with the issues in these systems, as they support and install SCADA systems in oil rigs. “We only had a 24-volt pump in the demo, but this could cause a complete environmental catastrophe” if used against a real oil-drilling operation, Forner said.