Applied Security
Executive Summary
SCADA devices are used worldwide. Security for these devices is necessary for them to work properly.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Contents
1 SCADA Security
2 What is SCADA?
4 SCADA Networks
6 MODBUS
7 RTAC
8 Problem Statement
9 News
10 Tutorial
10.1 Our Setup
10.2 TCP Injection
10.3 Network Monitoring
10.4 Craft TCP Data to Inject
10.5 Inject Traffic
10.6 Inject Traffic #2
11 Conclusion
12 Quiz
13 Answers
14 Revisions
1 SCADA Security
In this presentation we will discuss:
1. Introduction
2. Problem Statement
3. News
4. Tutorial
5. Conclusion
2 What is SCADA?
Supervisory Control And Data Acquisition (SCADA) system
SCADA
Data aggregation
Monitoring
Logging
Infrastructure
Network
Power
Mechanical
SCADA is used in many different types of systems. Some of the most common uses include:
Power Plants
Manufacturing
Food Production
Utility Systems
Wastewater Treatment
Telecom Systems
Programmable Logic Controllers (PLCs) are the heart of the SCADA system. PLCs collect data from Remote
Terminal Units (RTUs) and send new data based on the data collected. The Supervisory Computer is
used to create the logic that a PLC follows. Computers are also used to collect statistical data on the
SCADA network or on the system the SCADA network controls.
More features
Inter-connectivity
Originally, ICS & SCADA systems were extremely complex mechanical, and later analog electronic, circuits.
As electronics advanced, this began to change.
With advances in digital electronics, more highly featured systems were created with re-programmable
settings, then software settings, then remote settings through serial, and finally settings accessible through
Ethernet. Up through serial networking, the range of the networks was such that communications rarely left
the building. But once Ethernet was added, everything began changing.
Once people started realizing they could potentially use modems, wireless, or wired network connections
to check/repair systems remotely, all sorts of security problems arose. This mainly stems from the fact that
power engineers are not typically well-versed in IT security, and the IT guys are typically not well-versed in
ICS/SCADA system protocols & infrastructure.
4 SCADA Networks
Control room
This is a managerial network whose purpose is to interconnect with the process-control networks.
This is where the entire system can be monitored. These typically receive data from multiple process
masters.
Legacy Networks
This normally means a slower serial protocol. These could be analog, digital, or serial (point-to-point
RS232 connections or multi-drop RS485) connections. Typically there is at least one master
device. Each master typically controls a single process with at least one slave device under its
control. These slaves do the actual work, unaware of other slaves. The master is the only device that
knows anything about the process as a whole.
Ethernet networks
These are typically implemented using upgrades to the legacy network devices. The concepts are
the same, but newer protocols and hardware layers are used. Fiber optics and wireless are possible in
these networks.
6 MODBUS
Developed by Modicon in 1979
Open protocol
The MODBUS protocol we will be using today has the following frame format:
For Serial:
+----+----+----------------+-----+
| ID |CODE|      DATA      | CRC |
+----+----+----------------+-----+
The unit ID is 2 bytes
The Function CODE is also 2 bytes
The DATA sent is 8 bytes
The CRC is 4 bytes
For TCP:
+--------+--------+--------+----+----+----------------+
|  T ID  |  P ID  | LENGTH | ID |CODE|      DATA      |
+--------+--------+--------+----+----+----------------+
The Transaction ID is 4 bytes
The Protocol ID is 4 bytes
The LENGTH is 4 bytes
The ID, CODE and DATA are the same as for serial
7 RTAC
The RTAC is an industrial computer designed by SEL
Used as a Programmable Logic Controller (in our experiment)
8 Problem Statement
SCADA is everywhere
SCADA Security is not cut and paste security
SCADA security is not built into the hardware
Relies on secondary security methods
9 News
Hackers gain full control of critical SCADA systems (2014)
Stuxnet (2010)
Georgia Tackles Critical Infrastructure Attacks (2015)
10 Tutorial
Modbus TCP frame-crafting & injection
Read / Write Coils (bits)
Read / Write Registers (2 bytes)
Username:
Password:
What can be done at this point? If it were a typical control system, this network might be contained
in a single room. It is probably not realistic that this traffic would be on a network hub and that we would
have access to it. It is more likely that we would have access to an engineering PC connected to a single PLC
or a few master devices.
But what if there were a distributed control system connecting several individual control networks
in different rooms or buildings? What if it were connected to a corporate network for ease of management?
This scenario is a bit closer to what our network resembles.
XXD
Binary -> ASCII or ASCII -> Binary
Run by typing xxd into the console
-p source port
-s source ip
xxd [OPTIONS] [IN FILE]
-h help
-r hex to binary
-p plain / continuous hex
Sequence # (2 bytes)
Protocol # (2 bytes)
Length of remaining portion in bytes (2 bytes)
Slave address (1 byte)
Function code (1 byte)
Data (varies by function code / request / reply)
F1 Example:
012300000006030100020001
source: http://www.simplymodbus.ca/
Common Modbus Function Codes & Data Sections
Function 1: Read Coils (bits)
Function 5: Write Single Coil
Request Data: coil # (2 bytes), 0xFF00 for ON / 0x0000 for OFF (2 bytes)
Reply Data: coil # (2 bytes), written value (2 bytes)
Function 6: Write Holding Register (2 bytes)
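An added example (not from the slides or their author) that decodes Modbus/TCP frames with the byte widths given on this slide, checks the LENGTH field against the bytes actually present, and flags writes (function codes 5 and 6) from hosts other than an allowed engineering PC, which is the monitoring counterpart of the injection steps that follow. Note that the widths on the earlier MODBUS slide (ID 2, CODE 2, DATA 8, CRC 4; T ID 4, P ID 4, LENGTH 4) count hex digits, i.e. half the byte widths given here. Host addresses and all frames other than the F1 example are constructed.

```python
import struct

# Function codes referenced on the slides; 5 is the write-coil function whose
# 0xFF00 / 0x0000 request data is described above. 5 and 6 change state.
FC_NAMES = {1: "Read Coils", 5: "Write Single Coil", 6: "Write Single Register"}
WRITE_FCS = {5, 6}

def parse_frame(hexstr):
    """Decode a Modbus/TCP frame given as plain hex (xxd -p style); widths per this slide."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", raw[:8])  # 2+2+2+1+1 bytes
    # LENGTH counts unit id + function code + data (all bytes after the first
    # six); a mismatch indicates a truncated, padded or hand-crafted frame.
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} != {len(raw) - 6} remaining bytes")
    return {"tid": tid, "pid": pid, "length": length, "unit": uid, "fc": fc, "data": raw[8:]}

def describe(frame):
    """Decode the data section for FC 1, 5 and 6: address, then count or value."""
    fc, data = frame["fc"], frame["data"]
    name = FC_NAMES.get(fc, f"FC {fc}")
    if len(data) < 4:
        return f"{name}: data {data.hex()}"
    addr, value = struct.unpack(">HH", data[:4])
    if fc == 5:  # only 0xFF00 (ON) and 0x0000 (OFF) are valid coil values
        value = {0xFF00: "ON", 0x0000: "OFF"}.get(value, f"invalid 0x{value:04X}")
    return f"{name}: address {addr}, value {value}"

def audit(capture, allowed_writers):
    """Flag malformed frames and writes (FC 5/6) from hosts outside the allow-list."""
    alerts = []
    for src, hx in capture:
        try:
            f = parse_frame(hx)
        except ValueError as e:
            alerts.append(f"{src}: malformed frame ({e})")
            continue
        if f["fc"] in WRITE_FCS and src not in allowed_writers:
            alerts.append(f"{src}: unauthorised write to unit {f['unit']}, {describe(f)}")
    return alerts

# Constructed capture: the slide's F1 example plus three made-up frames; the
# hypothetical engineering PC 10.0.0.20 is the only host allowed to write.
CAPTURE = [("10.0.0.20", "012300000006030100020001"),  # F1 example from the slide
           ("10.0.0.99", "00010000000603050002FF00"),  # FC5: coil 2 -> ON
           ("10.0.0.20", "000200000006030600100007"),  # FC6: register 16 <- 7
           ("10.0.0.99", "012300000009030100020001")]  # LENGTH says 9, only 6 follow
ALLOWED_WRITERS = {"10.0.0.20"}
```

Running audit(CAPTURE, ALLOWED_WRITERS) yields two alerts: the coil write from 10.0.0.99 and the frame whose LENGTH field does not match its size.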
Keep in mind that this bit could represent the on/off switch for
power in a city.
Inject the crafted TCP data into a TCP connection
Keep in mind that this could represent a setting for the process
which might impact functionality or safety.
Inject the crafted TCP data into a TCP connection
11 Conclusion
SCADA is everywhere
Many industrial sites rely on working networks
SCADA security is not copy paste
Personnel around SCADA networks need security training
A compromised SCADA network can be catastrophic
12 Quiz
1. Give an example of where a SCADA network would be found.
2. Why is SCADA security so difficult?
3. What is the protocol used by the SCADA network in this presentation?
13 Answers
1. industrial sites, power plants, manufacturing plants
2. Security is not built into SCADA systems; it has to be added.
3. MODBUS
14 Revisions
Revision #    Comments
1.0           Matt B.