When I described the setup to a friend in the business, he said, "I would pay for access to that."
A major problem with finding security issues in industrial controllers is cost. You can find backdoor accounts and service stupidity easily enough with firmware analysis, but the more fun stuff (such as ladder logic upload over the normal 'SCADA' protocol) is sometimes trickier to find via straight binary analysis. Spend just a few minutes with a live device, though, and a lot of these issues fall out quite quickly.
So I am giving it some thought: would anyone be interested in access to a PLC VPN? It would have a few industrial Ethernet switches (one currently has some 0-day that needs to be coordinated), multiple PLCs, and I guess a small server running a Windows Terminal Server and a Linux VM for the configuration software and hacking tools. It would also (of course) have a relay board for rebooting PLCs and RTUs when they inevitably crash. I could even wire it up to some real-world stuff, like PLCs connected to some lights and stepper motors, plus a webcam, so that you could watch what happens to the PLC in its various failure modes.
Is anyone interested in such a thing, to be used as a hacking playground? Would you be willing to kick in a few dollars to make it happen?
Image by epsos