ICS SCADA Security Analysis of a Beckhoff CX5020 PLC

Offered By: nullcon via YouTube

Course Description

Overview

Explore a conference talk on ICS SCADA security analysis of the Beckhoff CX5020 PLC, presented at nullcon Goa 2015. Delve into the vulnerabilities of this modern PLC, which runs on a customized Windows CE 6.0 and uses Industrial Ethernet (EtherCAT) for communication. Discover how rights to control the PLC program and operating system can be obtained without extensive penetration testing knowledge. Examine the challenges of securing ICS systems, as standard platforms and TCP/IP-encapsulated SCADA protocols introduce hidden features and potential risks. Learn about the design and structure of SCADA systems, TwinCAT devices, and system control on the CX5020. Investigate security analysis results, including vulnerabilities in Telnet, the webserver virtual directory, and SCADA services. Understand the ADS search process for devices, the creation of ADS routes, and the complete message flow. Explore possible attacks, including those on MS-CHAPv2, and gain insights into advisory recommendations for suppliers in the industrial control systems sector.

Syllabus

Introduction
Security of SCADA devices
Design and Structure of a SCADA system
Operating system
TwinCAT Devices
System Control on CX5020
Security Analysis Results
Telnet
Webserver: Virtual Directory
SCADA Service
Test Setup
ADS Search for Devices
Search Devices
Creation of an ADS route
Complete Message Flow
Possible Attacks
Attack mschapv2
Advisory for Suppliers


Taught by

nullcon
