Operational zone: the unintended filing cabinet
The operational zone holds the infrastructure that moves electricity and heat around the city. Three primary systems sit here: the historian that records what is happening, the SCADA console that manages distribution, and the engineering workstation that bridges down to the control equipment.
The historian exists to answer the question “what was the value of X at time Y?” The answer lives in a SQLite database on the host. An unauthenticated path traversal on the /export endpoint walks the directory tree and serves that database file directly. No credentials required. The same question can also be answered via SQL injection in the /report endpoint, marked as won’t-fix in a ticket closed in 2019. Two separate routes to the same information.
What the database contains is the real finding. The config table holds the complete credential set. The alarm_config table holds the protection thresholds for every asset: at what RPM the turbine overspeed alarm fires, what voltage causes an undervoltage trip, which combinations of readings constitute a sustained fault versus a nuisance trip. That information is the working knowledge that operators use to understand the process. It is also exactly what an attacker needs to manipulate readings without triggering alarms.
The SCADA console, designed to manage the distribution network from a central location, was integrated with a monitoring system years ago. The integration required credentials; they were hard-coded in a /config endpoint for operational convenience and never removed. Accessing that endpoint returns not just the monitoring credentials, but the historian read credentials and the SCADA web credentials themselves. An engineer attempting to solve an immediate problem created a secondary credential dump that nobody thought to clean up.
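As an added illustration of the historian and SCADA console findings above (this is example code, not code from the write-up or from the environment it describes): a hardened replacement for the /export path handling that refuses anything outside the export directory, and a detector that flags traversal attempts on /export and any read of the credential-bearing /config endpoint in web-server access logs. The export root, the allowed file types, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format) for the detector below;
# hosts, timestamps and the database file name are made up for this example.
SAMPLE_LOG = [
    '10.10.1.7 - - [03/May/2024:10:12:01 +0000] "GET /export?file=daily.csv HTTP/1.1" 200 5120',
    '10.10.1.99 - - [03/May/2024:10:12:09 +0000] "GET /export?file=..%2F..%2Fhistorian.db HTTP/1.1" 200 2097152',
    '10.10.1.99 - - [03/May/2024:10:13:30 +0000] "GET /config HTTP/1.1" 200 884',
]

def safe_export_path(export_root: str, requested: str) -> Path:
    """Resolve a client-supplied export file name strictly inside export_root.

    The historian's handler served whatever the joined path resolved to, so a
    '../' sequence walked up to the SQLite file. Here the request is URL-decoded
    (twice, so double-encoded dots are not missed), resolved through symlinks,
    and rejected unless the result is still under the export root and is one of
    the file types the endpoint is meant to serve (an assumed allow-list).
    """
    root = Path(export_root).resolve()
    candidate = (root / unquote(unquote(requested))).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes export root: {requested!r}")
    if candidate.suffix.lower() not in {".csv", ".json"}:
        raise PermissionError(f"not an export file type: {candidate.name}")
    return candidate

# Assumed log layout: client ident user [time] "METHOD PATH PROTO" status bytes
LOG_LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r"\.\.|%2e%2e|%252e", re.IGNORECASE)

def flag_suspicious_requests(log_lines):
    """Return (client, path, reason) for requests that warrant an alert:
    traversal sequences aimed at /export, and any read of /config, which the
    write-up shows returns live credentials and should never be routine."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith("/export") and TRAVERSAL.search(path):
            findings.append((m.group("src"), path, "traversal attempt on /export"))
        elif path.startswith("/config"):
            findings.append((m.group("src"), path, "read of credential-bearing /config"))
    return findings

if __name__ == "__main__":
    print(*flag_suspicious_requests(SAMPLE_LOG), sep="\n")
```

The second function is the cheap win: both /export traversal and /config reads are visible in ordinary access logs, so an alert on either would have surfaced the credential exposure without any change to the historian itself.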
The stunnel gateway at 10.10.2.50 authenticates clients using a certificate pair. The certificates sit on the SCADA server at C:\SCADA\Config\certs\. They were set world-readable so the monitoring system could read them. The permission was never tightened. In 2020 this was noted, risk was accepted, a ticket was filed (HEX-5103) and closed. The files are still world-readable.
Possession of those certificates is possession of an authenticated path into the control zone through the stunnel gateway, the only sanctioned route for Modbus traffic from the operational zone into the control network. The gateway verifies the certificate; the PLC sees plain Modbus TCP and has no further authentication.