SCADA HMI software provides a "control panel" interface to SCADA/ICS systems, allowing system operators and engineers the capability to visually monitor and make changes to parameters in the system. Many HMI packages provide the ability to authenticate users, to allow access to dangerous or sensitive controls and data to specific users, while restricting other users to observation or less sensitive areas of the system.
Microsoft Bob was a failed Microsoft project from 1995: an attempt to make computers easy for end-users by providing a non-technical captive interface of "rooms" that users could move around, use the launch programs, and store files. Cartoon guides helped users with every step of the way. Thanks to an overly-helpful cartoon dog that would offer to change your password for you if you forgot it, it's frequently used as an example of bad security design choices.
In this presentation, Wesley will point out the similarities and differences between Microsoft Bob and SCADA HMI software, and demonstrate previously unpublished vulnerabilities in the HMI systems that are very reminiscent of the problems with Microsoft Bob (which will also be demonstrated!). For penetration testers, the techniques used to quickly identify these vulnerabilities will be discussed, as well as mitigations for those who have to defend such systems.