Urja (@urjasec)
215 posts
Electrical Engineer | OT/ICS Security Researcher | OSCP, CREST, CRTO, CRTE
Joined September 2025
33 Following · 8 Followers
Urja @urjasec:
GrassMarlin maps an entire OT network from one packet capture. Every device. Every protocol. Every connection. Zero packets sent. Nothing for an IDS to catch, nothing was sent. Feed it a 30-min pcap, get the topology operators lack. #OTSecurity #GrassMarlin #OTPentesting
Urja @urjasec:
Recon isn't the boring prologue to the exploit. On an unauthenticated bus, understanding the traffic *is* the exploit and it's also the only baseline that ever catches one. The attacker and the defender run the same capture.
Urja @urjasec:
Ukraine, 2015. Attackers opened breakers, 230,000 lost power. Commands were valid, sent through normal operator interfaces. Only way to catch that: knowing what "normal" Modbus looks like before the attack. That's Wireshark. 🧵 #OTSecurity #Wireshark #Modbus #OTPentesting
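The capture-to-baseline workflow the three posts above describe (map the bus from a pcap without sending a packet, then use the same capture as the baseline that catches a syntactically valid but never-before-seen command) as an added Python example. This is not GrassMarlin's code and not the author's; the hosts, unit ids and Modbus/TCP frames are constructed so it runs offline. A real run would feed it the TCP payloads pulled out of a pcap with a capture library instead of the inline list.

```python
"""Passive Modbus/TCP inventory and baseline from captured request payloads.

Added example (not GrassMarlin's or the post author's code). The capture is
constructed inline; all addresses are made up.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_request(payload):
    """Parse MBAP header + PDU; return (unit_id, function_code, data) or None.

    MBAP is big-endian: transaction id, protocol id (0 for Modbus), byte count
    of everything after the length field, unit id. The PDU starts with the FC.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None  # not Modbus, or a truncated/merged TCP segment
    return unit, payload[7], payload[8:]


def build_baseline(capture):
    """Learn (master, outstation, unit id) -> set of function codes seen.

    capture: iterable of (src_ip, dst_ip, dst_port, tcp_payload) read from a
    pcap. Only requests to port 502 are used; nothing is ever transmitted.
    """
    baseline = defaultdict(set)
    for src, dst, dport, payload in capture:
        parsed = parse_request(payload) if dport == MODBUS_PORT else None
        if parsed is not None:
            unit, fc, _data = parsed
            baseline[(src, dst, unit)].add(fc)
    return dict(baseline)


def topology(baseline):
    """Masters are whoever sends requests; outstations are the (ip, unit) pairs addressed."""
    masters = {src for (src, _dst, _unit) in baseline}
    outstations = {(dst, unit) for (_src, dst, unit) in baseline}
    return masters, outstations


def check_request(baseline, src, dst, dport, payload):
    """Return alert strings for one captured request; [] if it fits the baseline."""
    parsed = parse_request(payload) if dport == MODBUS_PORT else None
    if parsed is None:
        return []
    unit, fc, data = parsed
    name = FUNCTION_NAMES.get(fc, f"function {fc}")
    kind = "WRITE" if fc in WRITE_FUNCTIONS else "read"
    detail = ""
    if fc == 5 and len(data) >= 4:  # a valid coil write is what tripping a breaker looks like
        coil, value = struct.unpack(">HH", data[:4])
        detail = f", coil {coil} {'ON' if value == 0xFF00 else 'OFF'}"
    key = (src, dst, unit)
    if key not in baseline:
        return [f"new conversation {src} -> {dst} unit {unit} ({kind} {name}{detail})"]
    if fc not in baseline[key]:
        return [f"unseen {kind} {name} from {src} to {dst} unit {unit}{detail}"]
    return []


def mb_request(tid, unit, fc, data):
    """Build a Modbus/TCP request frame (only used to construct the sample capture)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


HMI, HISTORIAN, LAPTOP = "10.10.1.10", "10.10.1.11", "10.10.1.50"
PLC_A, PLC_B = "10.10.2.20", "10.10.2.21"
READ_HR = struct.pack(">HH", 0, 10)           # FC3: 10 holding registers from address 0
READ_IR = struct.pack(">HH", 0, 4)            # FC4: 4 input registers
SETPOINT = struct.pack(">HH", 40, 1500)       # FC6: register 40 := 1500
OPEN_BREAKER = struct.pack(">HH", 7, 0xFF00)  # FC5: coil 7 := ON

LEARNING_CAPTURE = [  # constructed "30-minute" capture: (src, dst, dst_port, payload)
    (HMI, PLC_A, 502, mb_request(1, 1, 3, READ_HR)),
    (HMI, PLC_A, 502, mb_request(2, 1, 3, READ_HR)),
    (HMI, PLC_A, 502, mb_request(3, 1, 6, SETPOINT)),
    (HISTORIAN, PLC_A, 502, mb_request(1, 1, 4, READ_IR)),
    (HISTORIAN, PLC_B, 502, mb_request(2, 1, 4, READ_IR)),
    (HMI, PLC_A, 80, b"GET / HTTP/1.1\r\n\r\n"),  # non-Modbus traffic is ignored
]
LATER_FRAMES = [  # a routine read, then two valid but never-seen commands
    (HMI, PLC_A, 502, mb_request(4, 1, 3, READ_HR)),
    (HMI, PLC_A, 502, mb_request(5, 1, 5, OPEN_BREAKER)),     # known pair, first ever coil write
    (LAPTOP, PLC_A, 502, mb_request(1, 1, 5, OPEN_BREAKER)),  # master the baseline never saw
]


def demo():
    baseline = build_baseline(LEARNING_CAPTURE)
    return baseline, [check_request(baseline, *frame) for frame in LATER_FRAMES]


if __name__ == "__main__":
    baseline, alerts = demo()
    masters, outstations = topology(baseline)
    print("masters:", sorted(masters), "outstations:", sorted(outstations))
    for frame, alert in zip(LATER_FRAMES, alerts):
        print(f"{frame[0]} -> {frame[1]}:", alert[0] if alert else "matches baseline")
```

The baseline is keyed on (master, outstation, unit id) and the function codes each pair actually uses, which is the minimum needed to flag both of the Ukraine-style cases: an operator station issuing a write it has never issued, and a host the 30-minute capture never saw acting as a master. The same frame parser serves the mapping and the detection; only the lookup differs.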
Urja @urjasec:
OT Fact Friday: OpenPLC defaults: openplc / openplc. Full PLC access via the web UI. Upload any ladder logic. Default creds on HMIs, historians, and EWS are the top OT finding. Attackers try it first. Defenders check it last. #OTSecurity #DefaultCredentials #OTFactFriday
Urja @urjasec:
I wrote a full ICS components breakdown: PLCs, RTUs, HMIs, and why the remote devices are often the most exposed layer in the entire architecture. medium.com/meetcyber/insi…
Urja @urjasec:
I've worked around these systems as an electrical engineer. The RTU at a remote pump station might have been installed before the current operations team was born. Nobody knows the password. Nobody knows the firmware version. But it's controlling water flow for a city.
Urja @urjasec:
Communication exposure: Most RTUs communicate over public cellular or satellite links. No physical air-gap. Traffic often unencrypted. DNP3 Secure Authentication (SA) exists but requires firmware updates on legacy devices. Most units will never see it.
Urja @urjasec:
The age problem: RTUs in pipeline and utility infrastructure are commonly 20–30 years old. Firmware vendors may be out of business. No patch supply chain. "If it's not broken, don't touch it" is the operating philosophy. The install date is the last security review.
Urja @urjasec:
RTUs monitor and control physical processes at remote sites (pipelines, substations, pump stations) which are often miles from anyone. Firmware from the 1990s. Talk over cellular or satellite. Patched via technician truck roll. 🧵 #RTU #OTSecurity #SCADA #PipelineSecurity
Urja @urjasec:
What RTUs do: Convert analog sensor signals (4–20mA, digital I/O) to digital data. Transmit to SCADA master stations via DNP3, Modbus, or proprietary protocols. Execute automated control actions with no human in the loop. That's the whole point of deploying them.
Urja @urjasec:
I wrote a full piece on modern industrial protocols: OPC-UA, security profiles, and the attacks that exploit the configuration gap. medium.com/@urjasec/modern-industrial-protocols-profinet-ethernet-ip-opc-ua-and-iec-61850-9bea660d9c1d
Urja @urjasec:
The gap between "the protocol supports security" and "the deployment uses security" is where most OT vulnerabilities live. Havex exploited OPC-DA. PIPEDREAM exploits misconfigured OPC-UA. Same gap. Different decade. The lesson hasn't landed.
Urja @urjasec:
OPC-DA (2000): no auth, no encryption. Havex RAT exploited it across EU energy in 2014. OPC-UA (2008): auth, encryption, PKI certs. PIPEDREAM's MOUSEHOLE still exploits it in 2022. The protocol got fixed. The deployments didn't. 🧵 #OPCUA #OTSecurity #PIPEDREAM #HavexRAT
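The gap between "the protocol supports security" and "the deployment uses security" in the two OPC-UA posts above can be measured directly from what a server advertises in its GetEndpoints response, as this added Python example shows. It is not code from the posts or from any OPC UA library; the input records mirror the EndpointDescription fields (securityMode, securityPolicyUri, userIdentityTokens) and the enum values are the ones the OPC UA specification defines, but the sample server and its endpoints are constructed.

```python
"""Audit what security an OPC UA server's endpoints actually offer.

Added example for the configuration-gap point; not code from the posts.
Input mirrors the EndpointDescription records a GetEndpoints call returns.
The sample server below is constructed.
"""
from enum import IntEnum

POLICY = "http://opcfoundation.org/UA/SecurityPolicy#"
POLICY_NONE = POLICY + "None"
# Deprecated by the OPC Foundation (SHA-1 signatures, PKCS#1 v1.5 padding)
DEPRECATED = {POLICY + "Basic128Rsa15", POLICY + "Basic256"}


class SecurityMode(IntEnum):  # MessageSecurityMode
    NONE = 1
    SIGN = 2
    SIGN_AND_ENCRYPT = 3


class TokenType(IntEnum):  # UserTokenType
    ANONYMOUS = 0
    USERNAME = 1
    CERTIFICATE = 2
    ISSUED = 3


def audit_endpoint(ep):
    """Return [(severity, message)] for one endpoint description."""
    findings = []
    url, mode, policy = ep["endpointUrl"], ep["securityMode"], ep["securityPolicyUri"]
    if mode == SecurityMode.NONE or policy == POLICY_NONE:
        findings.append(("high", f"{url}: open channel, no signing or encryption"))
    elif mode == SecurityMode.SIGN:
        findings.append(("medium", f"{url}: Sign only, traffic is tamper-evident but readable"))
    if policy in DEPRECATED:
        findings.append(("medium", f"{url}: deprecated policy {policy.rsplit('#', 1)[1]}"))
    for tok in ep["userIdentityTokens"]:
        if tok["tokenType"] == TokenType.ANONYMOUS:
            findings.append(("high", f"{url}: anonymous login allowed (policyId={tok['policyId']})"))
        elif tok["tokenType"] == TokenType.USERNAME:
            # The password is encrypted under the token's own policy; when that is
            # unset it inherits the channel policy, and on an open channel the
            # credentials cross the wire in the clear.
            if (tok.get("securityPolicyUri") or policy) == POLICY_NONE:
                findings.append(("high", f"{url}: username/password sent in cleartext"))
    return findings


def audit_server(endpoints):
    """Aggregate per-endpoint findings into (findings, summary)."""
    findings = [f for ep in endpoints for f in audit_endpoint(ep)]
    modes = {ep["securityMode"] for ep in endpoints}
    summary = {
        "endpoints": len(endpoints),
        "high": sum(sev == "high" for sev, _ in findings),
        "medium": sum(sev == "medium" for sev, _ in findings),
        "offers_sign_and_encrypt": SecurityMode.SIGN_AND_ENCRYPT in modes,
        "offers_open_channel": SecurityMode.NONE in modes,
    }
    return findings, summary


URL = "opc.tcp://plc-gw.plant.local:4840"  # constructed hostname
SAMPLE_ENDPOINTS = [  # constructed; a typical out-of-the-box server advertising all three
    {"endpointUrl": URL, "securityPolicyUri": POLICY_NONE, "securityMode": SecurityMode.NONE,
     "userIdentityTokens": [
         {"policyId": "anonymous", "tokenType": TokenType.ANONYMOUS, "securityPolicyUri": None},
         {"policyId": "username", "tokenType": TokenType.USERNAME, "securityPolicyUri": None}]},
    {"endpointUrl": URL, "securityPolicyUri": POLICY + "Basic256", "securityMode": SecurityMode.SIGN,
     "userIdentityTokens": [
         {"policyId": "username", "tokenType": TokenType.USERNAME,
          "securityPolicyUri": POLICY + "Basic256Sha256"}]},
    {"endpointUrl": URL, "securityPolicyUri": POLICY + "Aes256_Sha256_RsaPss",
     "securityMode": SecurityMode.SIGN_AND_ENCRYPT,
     "userIdentityTokens": [
         {"policyId": "x509", "tokenType": TokenType.CERTIFICATE, "securityPolicyUri": None}]},
]

if __name__ == "__main__":
    findings, summary = audit_server(SAMPLE_ENDPOINTS)
    for sev, msg in findings:
        print(f"[{sev}] {msg}")
    print(summary)
```

The summary is the point: offers_sign_and_encrypt is true, so the server "supports security", while offers_open_channel is also true and the open endpoint takes anonymous logins, so any client that picks the first endpoint it sees gets OPC-DA-era security on an OPC-UA port. The fix is on the server side (drop the None endpoint and the anonymous token policy from the configuration) and on the client side (refuse to fall back below SignAndEncrypt), and this check is how you verify both after the change.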