about us

who we are

SCADACS is an organizational unit of the Secure Identity Research Group (AGSI) at Freie Universität Berlin, led by Prof. Volker Roth. It comprises research assistants and students of AGSI and student volunteers, some of whom are also part-time employees of security consulting firms.


Our research is directed at measuring and visualizing the attack surface of cyber-physical systems, detecting and analyzing attacks on these systems, developing interim protection mechanisms, and designing architectures for secure cyber-physical systems.


We educate ourselves about the technology and best practices of industrial automation so that we can help secure cyber-physical systems against attacks. Through teaching courses and training we pass our experience on to students and future security professionals.


All SCADACS members work on internal projects meant to expand our capability to analyze and modify industrial protocols and systems. Through collaboration and joint projects with industry and security consulting firms, we strive to transfer our experiences into practice.

the risk

Unseen and unnoticed by most, cyber-physical systems enable much of our modern society. From manufacturing to utilities to modern building management, all of these systems are combinations of computers, sensors and actuators that have a concrete impact on the world we perceive and live in. Many of these systems are accessible over the Internet and they are targets of attacks [1, 2]. The trend towards interconnecting these systems will grow as we move towards greater integration and “smart” production. In rushing towards “Industry 4.0”, there is a clear risk that, once again, technology is put into place without proper design of protection mechanisms. However, the future consequences will likely be more severe than they are already today.

TR-069: Before and after the 2016/11 botnet attack that caused the Telekom AG outage in Germany.

Using data from censys.io and our data enrichment and analysis framework from the RiskViz project, we are able to show the distribution of all TR-069 devices in Europe before and after the attack. It is very easy to see that the Telekom attack has blocked the TR-069 TCP port 7547.

Reachable TR069 devices in Europe (30.11.2016)

Reachable TR069 devices in Europe (23.11.2016)

The analysis of our university darknet shows that most scan traffic originated from Brazil, the UK and Ireland.

Outcome of our darknet analysis: Chronological sequence of all botnet participants sorted by their origin. (23.11.2016)

new attack vector published at Black Hat 2015

attack surface

Industrial Risk Assessment Map (IRAM)

Internet search engines often stumble upon cyber-physical systems not meant to be accessible to unauthorized parties. The figure on the left shows a particular flavor of industrial systems, geo-located on a map of European countries. The data was obtained from the SHODAN search engine. However, contemporary search engines miss part of the story because they do not speak industrial protocols such as modbus and s7comm.

We have developed a versatile high-speed scanner and search engine for industrial systems which is able to uncover and query industrial systems that are under the radar of contemporary public search engines. Systems found in this fashion are particularly vulnerable because industrial protocols typically do not enforce access controls. Consequently, adversaries can often obtain full control over these systems and other devices connected to them.

anatomy of an attack

Equipped with the right tools to find and access ICS, adversaries can download and analyze the code on a programmable logic controller (PLC). Adversaries can then analyze and modify the code and load it back onto the PLC in order to perform sabotage. This process can be performed online or it can be automated by means of malware that infects engineering workstations, similar to Stuxnet.

attack proliferation

An old NSA quote says “Attacks only get better, not worse.” And so do tools that support attacks. It would be foolish to assume that sophisticated attacks will remain the privilege of a few skilled people or state actors. Criminal markets have emerged that leverage economies of scale. Where there is a demand for tools to attack cyber-physical systems, someone will eventually provide the tools and services to monetize them.

Our Industrial Risk Assessment Map project is meant to visualize the attack surface based on the input of search engines for cyber-physical systems (CPS) and to communicate the threats of attack automation. Cyber-physical systems can be selected according to various geographic and system-specific criteria. Individual systems can be matched against vulnerability databases and if an exploit is available, it is conceptually easy to launch an attack with a single press of a button.

interim defenses

Companies are often oblivious to the fact that their ICS are Internet-facing. We have seen cases where ICS were reachable behind firewalls. Companies need to re-architect their networks to adapt to the risk. In order to protect TIA engineering workstations (EWS) against PLC malware, we have developed a Trusted Guard system. The Guard is plugged in between an EWS and the industrial network, and it intercepts PLC code en route from the EWS to the PLC. Using a trusted display, an engineer can verify independently that the code is free of malicious modifications by comparing it visually to a prior version. Turning a key while holding a button allows the upload to proceed, whereas just turning the key aborts the upload. The Guard would have been effective against Stuxnet.


education and training

Practical course in our hacking lab

SCADACS runs a hacking lab equipped with EWS, PLCs and miniature models of industrial production systems. All members have access to the lab so that they can continuously educate and train themselves. We offer interested students a practical introductory course on SCADA/ICS systems on an annual basis. At the beginning participants learn how to program these systems from the perspective of an engineer. Then we show how ICS systems can be compromised and develop countermeasures to prevent this.

publications and current events

ACM Internet Measurement Conference 2016, Santa Monica, California, USA:
“Towards Better Internet Citizenship: Reducing the Footprint of Internet-wide Scans by Topology Aware Prefix Selection”, (slides), Johannes Klick, Stephan Lau, Matthias Wählisch and Volker Roth
23rd ACM Conference on Computer and Communications Security, Vienna, Austria:
“Towards Highly Interactive Honeypots for Industrial Control Systems”, (poster), Stephan Lau, Johannes Klick, Stephan Arndt and Volker Roth
Internet Security Days 2016, Cologne, Germany:
“Risikolagebild der industriellen IT-Sicherheit in Deutschland”, Jan-Ole Malchow and Stephan Lau
IEEE Conference On Communications And Network Security 2015, Florence, Italy:
“PLC Guard: A Practical Defense against Attacks on Cyber-Physical Systems”, Jan-Ole Malchow, Daniel Marzin, Johannes Klick, Robert Kovacs and Volker Roth
Blackhat USA 2015, Las Vegas, USA:
“Internet-Facing PLCs - A New Back Orifice”, (slides, PLCinject tool), Johannes Klick, Stephan Lau, Daniel Marzin, Jan-Ole Malchow and Volker Roth
IHK Technologieforum 2014, Cottbus, Germany:
“Erreichbarkeit von digitalen Steuergeräten – ein Lagebild”, Jan-Ole Malchow and Johannes Klick
DFN-CERT Talk, Hamburg, Germany:
“Erreichbarkeit von digitalen Steuergeräten – ein Lagebild”, (slides), Jan-Ole Malchow and Johannes Klick
2. IT Security Industrial & Automation, Essen, Germany:
“Industrial Risk Assessment Map (IRAM) – Ein graphisches Werkzeug zur Bedrohungsanalyse”, Johannes Klick and Jan-Ole Malchow
Positive Hack Days III - on either side OF A FENCE, Moscow, Russia:
“Find Them, Bind Them – Industrial Control Systems (ICS) on the Internet”, Johannes Klick and Daniel Marzin

discovered vulnerabilities

DoS of Siemens SIMATIC S7-300 via crafted ISO-TSAP packets
DoS of Siemens SIMATIC S7-1200 via crafted ISO-TSAP packets

press coverage

Frankfurter Allgemeine Online:
“Telekom-Störung: Immer auf Empfang”, Piotr Heller
Frankfurter Allgemeine Sonntagszeitung – Page 70:
“Im Gespräch: Immer auf Empfang”, Piotr Heller
“Hacker-Angriff auf Telekom-Geräte Lagebild der betroffenen Geräte”, Christina Deinhardt
Elektrohandwerk 19/2015:
“»Cyberterror« gegen die Gebäudetechnik”, Wolfgang Schmid
Spiegel Online:
“Erpressung durch Hacker: Cyberattacke in der Keksfabrik”, Uli Ries
“Scada-Sicherheit: Siemens-PLC wird zum Einbruchswerkzeug”, Uli Ries
“Cyberattacke auf Fabriken – Wenn Hacker den Hochofen übernehmen”, Christof Kerkmann
FORUM – Das Wochenmagazin:
“Einladung für Langfinger”, Michael G. Schmidt
Heise Security:
“Freier Zugriff auf Fernsteuerungen für Industrieanlagen”, Michael G. Schmidt
Berliner Morgenpost – Page 3:
“Der Computer-Hacker, dein Freund und Helfer”, Jürgen Stüber
Die Welt:
“Cyber-Gangster bedrohen deutsche Industrieanlagen”, Jürgen Stüber
Berliner Morgenpost:
“Cyber-Gangster bedrohen deutsche Industrieanlagen”, Jürgen Stüber
“Attacken übers Internet – Der Feind in meiner Fabrik”, Christof Kerkmann
The Sydney Morning Herald – itpro:
“Why hacking is way too easy”, Thomas Rid
silive.com (Powered by: Staten Island Advance):
“Digital sabotage is way too easy (Commentary)”, Thomas Rid
“Wetenschappers tonen kwetsbaarheid Scada”, Richard Keijzer
“Kwetsbare SCADA-systemen in kaart gebracht”, René Schoemaker
cyber arms – computer security:
“Worldwide Map of Internet Connected SCADA Systems”, Daniel Dieterle
Foreign Policy:
“The Great Cyberscare – Why the Pentagon is razzmatazzing you about those big bad Chinese hackers.”, Thomas Rid
“Cyber Fail – The Obama administration's lousy record on cyber security”, Thomas Rid
7. Security Forum 2013:
“ICS: Funktionsweise und Risiken”, Adrian Hehl