2026
Conference Paper
Title
Show Me What You Got: Vulnerabilities of Industrial Components Revealed by Automated Blackbox Testing
Abstract
Operational Technology Components (OTCs) that control and monitor industrial processes are a valuable target for attackers. Reducing the likelihood of successful attacks requires identifying, assessing, and mitigating vulnerabilities in those components. To achieve this, blackbox penetration testing can be applied. However, traditional approaches to penetration testing do not take the specificities of OTCs, such as their focus on availability and their resource constraints, into account. Thus, we describe a test strategy specifically targeting OTCs, and consequently apply this strategy to ten OTCs. Our experiments reveal findings for all considered OTCs, including crashes, hangs, and information on outdated software. Most crashes or hangs are concerned with SNMP and TCP (6,418 and 2,864 findings in total, respectively). We analyzed some of the more severe crashes and found that they were caused either by overload or unexpected TCP options. Moreover, we identified limitations of the used tools with respect to fingerprinting, severity assessment, and crash detection.
Open Access
Rights
CC BY-NC-ND 4.0: Creative Commons Attribution-NonCommercial-NoDerivatives
Language
English