September 20, 2025
Attacking the Oil Refinery plant
We have already explored how to attack the Bottle Filling system. This article follows up on that analysis but in a significantly more complex scenario.
Reconnaissance phase
The Bottle Filling system operated automatically. The Oil Refinery system, however, requires supervision by an operator who interacts with it via an HMI. Specifically, the operator determines when to transition from one processing phase to another.
We will analyze how the PLC registers change while interacting with the HMI.
For this purpose, I developed a small tool that continuously monitors Modbus registers to determine which ones are in use. The tool is available in my GitHub repository.
We acknowledge that a real attack would be much more complex, as the attacker does not have visual feedback from the HMI or the system itself.
To continuously monitor the PLC behavior, we execute:
./modbus_monitor.py -i 172.26.104.22 -p 502 -t holding
System Idle: when the system is idle, all registers report a value of 0.
Filling Tank: as soon as the feed pump is activated, register 1 is set to 1. When the crude oil level reaches the sensor, register 1 returns to 0, and register 2 is set to 1.
From this, we deduce:
- Register 1: Actuator, defines the state of the feed pump (open/closed)
- Register 2: Sensor, detects if the tank is full (tank level sensor)
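How these register observations fall out of the protocol, as an added example that is not the author's modbus_monitor.py: it decodes Modbus/TCP Read Holding Registers (function 0x03) responses and diffs consecutive polls. The frames are constructed sample data, and treating "register 1" as wire address 1 in a poll that starts at address 0 is an assumption.

```python
import struct

READ_HOLDING = 0x03  # Modbus function code: Read Holding Registers

def build_request(tid, unit, start, count):
    """MBAP header (transaction, protocol=0, length, unit) + PDU (func, start, count)."""
    pdu = struct.pack(">BHH", READ_HOLDING, start, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_response(frame):
    """Return the list of 16-bit register values from a function-0x03 response."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit, func, nbytes = struct.unpack(">HHHBBB", frame[:9])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    if func == READ_HOLDING | 0x80:  # exception reply: next byte is the code
        raise ValueError(f"Modbus exception code {nbytes}")
    if func != READ_HOLDING or nbytes % 2 or nbytes != len(frame) - 9:
        raise ValueError("malformed read-holding response")
    return list(struct.unpack(f">{nbytes // 2}H", frame[9:]))

def diff(prev, curr, start=0):
    """Map register address -> (old, new) for every value that changed."""
    return {start + i: (a, b) for i, (a, b) in enumerate(zip(prev, curr)) if a != b}

def make_response(tid, unit, values):
    """Constructed sample data: encode values the way a PLC would answer."""
    body = struct.pack(f">BB{len(values)}H", READ_HOLDING, 2 * len(values), *values)
    return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body

def track(frames, start=0):
    """Diff consecutive polls; return [(poll_index, changes)] for polls that changed."""
    events, prev = [], None
    for n, frame in enumerate(frames):
        curr = parse_response(frame)
        if prev is not None and (d := diff(prev, curr, start)):
            events.append((n, d))
        prev = curr
    return events

# Constructed polls (assumed layout): idle, feed pump on, tank full
SAMPLE = [make_response(i + 1, 1, v) for i, v in enumerate(
    [[0, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]])]

if __name__ == "__main__":
    for n, changes in track(SAMPLE):
        print(f"poll {n}: {changes}")
```

The same diff, run against a baseline of known-good polls, is what lets an operator notice a register changing outside the expected phase sequence.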
Continue reading the post on Patreon.