• DocumentCode
    3780187
  • Title

    ICS/SCADA security analysis of a Beckhoff CX5020 PLC

  • Author

    Gregor Bonney;Hans Höfken;Benedikt Paffen;Marko Schuba

  • Author_Institution
    FH Aachen, University of Applied Sciences, Eupenerstr. 70, Aachen, Germany
  • fYear
    2015
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    A secure and reliable critical infrastructure is a concern of industry and governments. SCADA systems (Supervisory Control and Data Acquisition) are a subgroup of ICS (Industrial Control Systems) and known to be well interconnected with other networks. It is not uncommon to use public networks as transport route but a rising number of incidents of industrial control systems shows the danger of excessive crosslinking. Beckhoff Automation GmbH is a German automation manufacturer that did not have bad press so far. The Beckhoff CX5020 is a typical PLC (Programmable Logic Controller) that is used in today's SCADA systems. It is cross-linked through Ethernet and running a customized Windows CE 6.0, therefore the CX5020 is a good representative for modern PLCs which have emerged within the last years that use de facto standard operation systems and open standard communication protocols. This paper presents vulnerabilities of Beckhoff's CX5020 PLC and shows ways to achieve rights to control the PLC program and the operation system itself. These vulnerabilities do not need in-depth knowledge of penetration testing, they demonstrate that switching to standard platforms brings hidden features and encapsulating SCADA protocols into TCP/IP might not always be a good idea, underlining that securing ICS systems is still a challenging topic.
  • Keywords
    "SCADA systems","Protocols","Security","Automation","Internet","Standards","Software"
  • Publisher
    ieee
  • Conference_Titel
    Information Systems Security and Privacy (ICISSP), 2015 International Conference on
  • Type

    conf

  • Filename
    7509940