Rapid7’s Metasploit to get SCADA Exploits

On Thursday, Rapid7 announced that a new Metasploit module designed to target the GE D20 PLC was ready for use. The SCADA-focused addition is part of Project Basecamp, which seeks to prove the flexibility of the Metasploit framework.

Programmable Logic Controllers (PLCs) are devices in SCADA networks used to control critical infrastructure, including power plants, pipelines, chemical manufacturing, water treatment facilities, etc.

“The Basecamp modules show the flexibility of the Metasploit Framework,” said HD Moore, Metasploit Chief Architect and CSO of Rapid7.

“While most Metasploit modules exploit traditional workstations and servers, these modules are exploiting special purpose devices and will even demonstrate the ability to provide interactive control of a critical system, turning things on and off.”

The Project Basecamp news and module for exploiting the GE D20 PLC were announced at the S4 Conference in Miami.

It was there that a team of six researchers from Rapid7 and SCADA security consulting firm Digital Bond assessed the security of six PLCs widely used in critical infrastructure, in front of an audience of leading SCADA security researchers from around the world.

In addition to the GE D20 module, other SCADA exploits are in the works. Additional GE D20 modules are already in QA, and there are plans to port the Basecamp exploits for Rockwell Automation, Schneider Modicon, and Koyo/DirectLOGIC PLCs into Metasploit modules as well.

“We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results. These attacks have existed in theory for a while, but were difficult to demonstrate to a Plant Manager,” explained Digital Bond’s founder Dale Peterson.

“By creating exploit modules for the most widely used exploit framework – Metasploit – we hope that security professionals in critical infrastructure companies, consultants, and penetration testers will prod vendors to add basic security measures to PLCs after decades of neglect.”

In an interview with Wired, Peterson added that he hoped the research and S4 presentation would serve as a “Firesheep moment” for the SCADA community. Additional information on the SCADA vulnerabilities themselves can be found in Wired’s interview with Peterson.

Notably, the Department of Homeland Security isn’t pleased with the SCADA research: in its view, the Basecamp project will do more harm than good.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.