OT Security: Analyzing Potential Vulnerabilities in HMI Systems.



In the realm of industrial cybersecurity, understanding potential attack vectors is crucial for developing robust defense strategies. This article examines how ordinary IT hacking methods are used to reconnoitre and then exploit web-based and internal HMIs.

Here are some of the steps involved:

First, Shodan is used to look for web-based HMIs; if that fails, leaked VPN credentials can be used to access the target's OT jump server, which happens surprisingly often. Use a system like Cyolo to cover this threat vector. These are only a few of the published HMI web front ends I found with www.shodan.io.

Once the target is found, the next step is to look for open ports using Nmap. (Note: this is a TEST machine for this article. DO NOT TEST LIVE SYSTEMS; it is against the law in most countries.)


HMI NMAP session

Good old VNC! There are over 154 known exploits for VNC in Metasploit.

Metasploit VNC Exploits


After the exploit is done, the attacker will most likely try to extract passwords, move laterally on the system or, in the worst case, deploy destructive ransomware. Depending on what network, security and server topology lies behind the HMI, attackers can use this foothold to pivot to many areas of your network. Advanced attackers will find a quick way to pivot to unmonitored areas like Building Management, CCTV, Access Control and IIoT/IoT networks so they can enjoy longer recon time in the network.

Here are some real-world implications:

In real-world scenarios, unauthorized access to SCADA/ICS systems could have severe consequences, including:

  • Disabling critical systems
  • Manipulating industrial processes
  • Potential physical damage or danger


As industry professionals, our focus should be on:

  1. Regular security assessments of industrial systems; don't be satisfied with only IT-to-OT traversal testing. Test your OT, IIoT, IoT, BMS, CCTV, Access Control and PLC code (backup and restorability with Software Defined Automation).
  2. Implementing robust network segmentation according to IEC 62443 or your framework of choice.
  3. Keeping systems updated (within operational constraints) and making sure OT EDR, IPS and IDS systems are in place; TXOne Networks has a great line-up of tech in this space.
  4. Developing incident response plans that include restorability of HMIs, PLC code, Historians, Engineering Workstations and other "IT" services around your production line.
  5. Fostering a culture of cybersecurity awareness within your shop-floor workforce, partner ecosystem and OEMs.
  6. Test your HMIs in pre-production staging using offline security devices like the TXOne Networks Portable Inspector. Datacentrix offers this offline scanner as a service, and we offer third-party security certificates to confirm that at that time and in that place, the HMI was malware, virus and supply-chain safe.
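As an added example (not from this article or from any of the vendors named), here is a small Python check a defender can run over Nmap's XML output from a pre-production scan of an HMI, flagging services reachable from a zone that the IEC 62443 segmentation policy does not allow and rating remote-access services such as VNC as high severity because they are the pivot point described above. The sample scan result, the host address, the zone names and the policy table are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: what `nmap -sV -oX` of a staging HMI might return (not a real host).
SAMPLE_NMAP_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="502"><state state="open"/><service name="modbus"/></port>
   <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
   <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
  </ports>
 </host>
</nmaprun>"""

# Hypothetical segmentation policy: the services an HMI is allowed to expose to
# each IEC 62443 zone it is reachable from. Zone names and contents are assumptions.
ALLOWED_BY_ZONE = {
    "control": {"http", "modbus"},             # operator / PLC zone
    "engineering": {"http", "modbus", "vnc"},  # engineering / jump-server zone
    "enterprise": set(),                       # nothing directly from IT
}
# Remote-access services are the pivot points the article warns about.
REMOTE_ACCESS = {"vnc", "ms-wbt-server", "ssh", "telnet"}

def open_services(nmap_xml):
    """Return {port: service_name} for every open port in Nmap XML output."""
    found = {}
    for port in ET.fromstring(nmap_xml).iter("port"):
        if port.find("state").get("state") != "open":
            continue
        svc = port.find("service")
        found[int(port.get("portid"))] = svc.get("name") if svc is not None else "unknown"
    return found

def exposure_findings(nmap_xml, scanned_from_zone):
    """List (port, service, severity) for open services the policy does not allow
    from the scanning zone. Remote-access services rate 'high' because an attacker
    who lands on the HMI can pivot from there; anything else unexpected is 'medium'."""
    allowed = ALLOWED_BY_ZONE[scanned_from_zone]
    findings = []
    for port, svc in sorted(open_services(nmap_xml).items()):
        if svc not in allowed:
            findings.append((port, svc, "high" if svc in REMOTE_ACCESS else "medium"))
    return findings

if __name__ == "__main__":
    # Scan was run from the control zone: VNC should not be reachable from there.
    for port, svc, sev in exposure_findings(SAMPLE_NMAP_XML, "control"):
        print("port %d (%s) reachable from control zone: severity %s" % (port, svc, sev))
```

Run the same check once per zone the HMI is reachable from; an empty result for every zone means the scan agrees with the policy.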


TXONE Portable Inspector


SDA PLC Backup, Versioning, Code Control Platform


By understanding potential vulnerabilities, we can work proactively to secure our critical infrastructure and industrial processes against cyber threats.


Keep Cyber safe out there.


Andre Froneman

OT Solutions Specialist

Datacentrix - South Africa

Cobus Pool PhD

OT cybersecurity specialist

3w

Typically the HMI vulnerabilities are the host OS vulnerabilities plus all the port vulnerabilities, and the “lack” of protection associated with EDR/AV exclusions as a starting point.

Simone D.

IT Security Consultant at Centro Sistemi Informativi

4w

Great advice
