Portcullis has been conducting paid research for a number of years and we have performed studies across all aspects of our industry, often with interesting and thought-provoking results. The motivations behind our passion for research stem from a number of areas: our long-standing commitment to making contributions to the hacking community as a whole, in the form of technical blogs and tools; our own curiosity as to how far we can push the limits of our industry; and the desire to answer the technical questions that we encounter through our own daily activities and those of our clients.
Portcullis was provided with an opportunity to use our skills and expertise when approached by a major UK SCADA (Supervisory Control and Data Acquisition) vendor, with a view to performing research on their in-house developed, bespoke software package and hardware devices. Like many other companies Portcullis has come across, this vendor was undertaking their own software development, but their resources were limited and they could not provide a dedicated security team. Despite this, they were keenly aware of their security interests and proved passionate about improving the security of their products for the benefit of their existing client base.
This project has been an exciting opportunity for Portcullis to use our skills and the work has been undertaken by a large group of our technical team at Portcullis HQ, with many of our recent wave of graduates getting involved with various areas of the research. A small group of the technical team also got together one evening to participate in a “SCADA Hacking Evening”, which gave some of the more senior members of the team a chance to dig deeper into the product and identify potential avenues of attack. This project has proven useful, and the team look forward to building upon this initial research in the near future.
In the coming months, Portcullis will further develop this research project. Our findings will be delivered to the vendor and the Information Security community via our website and mailing list. The results presented to the wider community will discuss various aspects of the research, including the positive elements of the software and discussions of higher level topics covering the potential attack vectors and vulnerabilities found.