An Introduction to Industrial Control Systems Security Part III: Auditing the Environment

In order to ensure the security of a system sometimes it is not enough to follow the general advice outlined in the Overview of Protection Strategies and one may chose to perform a penetration test.

Security assessments of this highly sensitive environment should be conducted with extreme care. It requires not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and vulnerabilities.


On the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:

  • Modicon Momentum PLC
  • Rockwell Automation MicroLogix 1100 PLC
  • Siemens S7 1200 PLC
  • Small embedded RTU device

The original SCADA protocols (vendor-specific protocols include ModbusRTU, DF1, Conitel, and Profibus) were serial-based, meaning that the master station initiated the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.

To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.


If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.


Information systems auditing


Information systems audit do’s:

1. The main goal of an audit is not to find weak controls or policy violations, but to help a company mitigate its risks and achieve compliance.
2. Remember that an audit strengthens a discipline within a company.
3. An auditor is responsible for making sure that risks in weak areas don’t materialize, so he makes appropriate observations and comments.
4. Beware of flattery and concealment.
5. Replace opinions with facts and evidences.
6. Invest in improving communication skills.
7. When you finish interviewing someone, always give them a brief summary of the current situation (e.g. your observations: good and/or bad) if possible.
8. Do not add any photo/video materials or document copies to your final report.
9. Create good report templates in advance.

Information systems audit don’ts:

1. Don’t criticize.
2. Don’t argue.
3. Don’t use professional or specialized jargon.
4. Don’t say that you understand if you actually don’t.
5. Don’t try to guess.
6. Don’t use tests that can potentially cause incidents.
7. Don’t write only negative observations in your final report.

Image courtesy of Michal Marcol /