SCADA Hacking: Monitoring SCADA Sites with Splunk

SCADA Hacking

SCADA sites are among the most vulnerable sites on the planet. These sites include industrial control systems, water treatment facilities, nuclear power plants, the electrical grid and just about any other industrial facility. These sites are likely to be the targets in any cyber war, or worse, targets of a cyber terrorist attack.

Although we have seen some horrendous terrorist attacks in recent weeks and months, the scale of cyber terror attack against a SCADA site dwarfs those attacks in terms of potential deadliness. Remember the Bhopal disaster in 1982 in India? That industrial accident reportedly killed over 16,000 people and injured over 500,000 more. If cyber terrorists can attack, disable, DoS, manipulate such a plant, the death toll could be staggering.

Securing the SCADA site

There are many ways to secure a SCADA site. The two cardinal rules of securing such a site are;

(1) isolate the SCADA system from the corporate or ANY other network

(2) patch all the systems

As simple as those two rules seem, they are much harder to do than say. I’ll do subsequent tutorials on securing these sites.

Using Splunk in SCADA

Splunk is a wonderful tool for monitoring your IT network as it gathers all your machine data into a single repository that you can search and monitor. Unfortunately, out of the box, it will not do the same for your SCADA system. The problem is that the protocols in SCADA are unique and in some cases proprietary and Splunk is not built to access that machine data. These protocols include modbus, Profinet, DNP3, and many others

Fortunately, a company named Kepware has developed a plug-in for Splunk to enable us to use Splunk in a SCADA environment. One of the protocols common in SCADA is OPC. The Kepware server, plug-in to Splunk is capable of pulling the machine data from your SCADA/ICS environent, convert it to ASCII data pairs and feed it to Splunk.

In OPC terminology, the Kepware server/plug-in is a OPC client as it polls the SCADA devices for data. Since they contain the data, they are referred to as the “servers”.

The key to using Splunk with SCADA/ICS is the data gathering. Before we advance an furthering we must set up Splunk to receive data from a TCP port. Start Splunk and go to AddData -> Monitor and then Click on TCP/UDP in the left side menu and it opens a screen like below.

Select a port for Splunk to listen on. What port doesn’t really matter, but avoid commonly used ports. This is where Splunk will receive your SCADA/ICS data from the Kepware plug-in.

Now, to do the data gathering we will need a plug-in for Splunk called the IDF or Industrial Data Forwarded by Kepware. We can get the plug-in at

https://info.kepware.com/opc-foundation-kepserverex-download as seen below.

After registering, download the IDF for Splunk now.

Follow the steps from this Kepware wizard.

For demonstration purposes, let’s select the “Oil and Gas” Vertical Suite. By choosing this Vertical Suite, Kepware will load the appropriate drivers for devices commonly used in that industry.

Then, Click Next.

Then, Click Next and Next and Install.

And finally, Click Finish.

To start the KepwareServer, click on the Kepware Server icon or click on the Kepware icon at the Start Button and programs and it will open the Kepware Server like below.

Now, click on Help –> Support Information –>Versions. When you do so, you will see all the installed drivers and plug-ins with their version number.

Kepware uses OPC or Open Productivity and Connectivity (this is a protocol developed by Microsoft in the 1990’s based upon DCOM and is now open source) to gather device information. It is a client/server technology where one application serves as the server and another acts as the client.

An OPC server can communicate data continuously among PLC’s on the shop floor, RTU’s in the field, HMI workstations and software applications on desktop PC’s. This configuration allows for continuous real-time communication even when the hardware and software are from different vendors.

We can open the OPC Quick Client in Kepware by going to Tools –> Launch OPC Quick Client.

It opens the OPC “client” like that below.

This is how Kepware collects the information that can then be used with Splunk for analysis. Once KepwareServer has collected the information and converted into ASCII pairs, this data can then directly imported into Splunk and analyzed like any other, including the Splunk Processing Language.