보안공학연구논문지 (Journal of Security Engineering), 제 6권 제 6호 2009년 12월
SCADA Network Insecurity: Securing Critical Infrastructures through SCADA Security Exploitation

Giovanni A. Cagalaban 1), Yohwan So 2), Seoksoo Kim 3)

Abstract
SCADA networks and their protocols were developed for reliability, availability and speed, with little or no attention paid to security. In particular, a SCADA network using the Modbus protocol is inherently insecure and vulnerable to attack. The lack of common security mechanisms in the protocol, such as authentication, confidentiality and integrity, must be addressed. In this paper, SCADA network insecurity is studied through security exploitation and monitoring. A detailed analysis of the Modbus message frame formats sent between master and slave exposes the insecurities that are present by design. This will enable SCADA users to find ways to fix the security flaws of the protocol and to design mitigation strategies that reduce the impact of possible attacks. The paper also presents security mechanisms for protecting SCADA critical infrastructures.

Keywords : SCADA, Security, Modbus, Infrastructures
1. INTRODUCTION
A SCADA (Supervisory Control and Data Acquisition) system generally refers to an industrial control system: a computer system monitoring and controlling a process. The process can be industrial, infrastructure or facility based [1]. SCADA networks have traditionally used combinations of radio and direct serial or modem connections to meet their communication requirements. The communication protocols are designed to be very compact, and many are designed so that information is sent to the master station only when the master station polls the Remote Terminal Unit (RTU). Over the past several decades, hundreds of proprietary and non-proprietary protocols have been developed for serial, LAN and WAN based communications in a wide variety of industries including automotive, transportation and electrical distribution. The protocols that currently dominate the industrial marketplace include Modbus, Ethernet, Profibus, IEC 60870 and DNP3. Among these, Modbus has become a de facto standard communications protocol in industry and is now the most commonly available means of connecting industrial electronic devices. It emerged because it is simple to implement and has been adopted by many manufacturers. The main reasons for the extensive use of Modbus over other communications protocols are the following: Modbus is openly published and royalty-free; it is a relatively easy industrial network to deploy; and it moves raw bits or words without placing many restrictions on vendors.

Despite the fact that the Modbus standard is flexible and easy to implement, it has inherent protocol vulnerabilities that SCADA users must be concerned with. These security weaknesses are built into the protocol specification and are not the result of programming or design errors in a particular product: the protocol carries no authentication of the sender, no confidentiality, and no integrity protection beyond a checksum that detects transmission errors but not deliberate modification. Attackers can easily discover these weaknesses and begin to exploit them. As such, there is a need to discover these security flaws before critical devices containing them are deployed in the field, where they are often expensive to fix and maintain. Once we understand our vulnerabilities, we can fix the security flaws and design mitigation strategies to reduce the impact of possible attacks.

This paper studies the network insecurity of Modbus-based SCADA systems through a rigorous analysis of the protocol specifications. The study focuses on understanding the protocol specification and how message frames are exchanged between Modbus devices. Because any device that can place a well-formed frame on the link can use the write function codes to alter the coils and registers of a slave, or to alter the responses a master acts on, an attacker can take advantage of the security flaws in the design of the Modbus protocol. The inherent lack of security in the message frames defines the security flaws of Modbus that are discussed in this paper.

Received(May 15, 2009), Review request(May 16, 2009), Review Result(1st:June 15, 2009, 2nd:June 30, 2009), Accepted(December 31, 2009)
1) Department of Multimedia, Hannam University, 306-791. email: [email protected]
2) Professor, Department of Multimedia, Hannam University, 306-791. email: [email protected]
3) (Corresponding Author) Professor, Department of Multimedia, Hannam University, 306-791. email: [email protected]
The succeeding sections discuss the Modbus protocol configuration and the simple message frame formats of Modbus. The paper then exposes the vulnerabilities of Modbus and gives an attack scenario. Finally, security measures are presented to address the security weaknesses of Modbus-based SCADA systems.
2. RELATED STUDY
SCADA system operation involves real-time data exchange with the field devices as well as with other control systems such as Distributed Control Systems (DCS) and Plant Information (PI) systems. Protocols allow these data exchanges to occur and allow the RTU/SCADA units to communicate with each other. Understanding the network architecture of SCADA systems is critical to evaluating their security status effectively. At the lowest level, the field devices are proprietary devices running embedded operating systems. These devices originally used serial communications to report to the centralized control center, using field bus protocols like Modbus. Given the low-bandwidth connections, these devices reported on a polling basis or a report-by-exception basis to minimize network traffic. The SCADA controller is responsible for managing all of these communications, analyzing the data, and displaying the alerts and events on the human machine interface (HMI) systems.

SCADA system insecurity is not fully understood, and there are many reasons why it occurs. One is that market pressures push vendors to offer a number of communications options, typically based on multiple commercial or industrial specifications. Another is that supporting many specifications results in very complex systems whose primary design focus is control functionality rather than security. Understanding their vulnerabilities is therefore imperative in providing security and improving their overall performance. Byres [2] analyzed SCADA protocol vulnerabilities, specifically in the Modbus protocol, and suggested the use of attack trees to define a series of attacker goals, determine possible means to achieve each goal and identify the weak links of the system. He identified robustness issues such as the lack of command and session structure as well as the simplistic framing technique. At the time of writing, Modbus-based SCADA systems have no existing solutions that specifically address the Modbus protocol over Ethernet links, and despite the inherent lack of security in the design of Modbus, no security tools exist that are geared toward the detection of malicious Modbus traffic.
3. MODBUS
Modbus is an application-layer messaging protocol situated at level 7 of the Open Systems Interconnection (OSI) model [3]. Considered a de facto communications protocol in industry since 1979, Modbus continues to enable millions of automation devices to communicate with each other. Modbus is a request/reply protocol that offers services specified by function codes. Function codes are elements of Modbus request/reply protocol data units (PDUs). Besides the standard Modbus protocol, there is another Modbus protocol called Modbus Plus. Modbus allows for communication between many devices connected to the same network, for example a system that measures temperature and humidity and communicates the results to a computer. It provides client/server communication between devices connected on different types of buses or networks [4]. Figure 1 shows the protocol structure for both serial and TCP/IP communication. Modbus operates on the master/slave principle, the protocol providing for one master and up to 247 slaves. Only the master initiates a transaction; a slave never sends unsolicited data. SCADA users are free to choose which standard interfaces to use in their system, especially for sending binary data signals among devices. The standard interfaces are Electronics Industries Association (EIA)-232, EIA-422, EIA-485 or 20 mA current loop; however, most Modbus devices communicate over a serial EIA-485 physical layer [5]. The Modbus communication interface is built around messages. For serial connections, Modbus RTU and Modbus ASCII are used, with different representations of numerical data and slightly different protocol details [6]. The format of these Modbus messages is independent of the type of physical interface used.
[Fig. 1] Modbus Communication Stack
The Modbus RTU format uses binary coding, which makes a message unreadable to a person monitoring the line but reduces the size of each message and so allows more data to be exchanged in the same time span. When devices communicate on a Modbus serial line using RTU mode, each 8-bit byte in a message contains two 4-bit hexadecimal characters. The main advantage of this mode is that its greater character density allows better data throughput than ASCII mode at the same baud rate. Each message must be transmitted as a continuous stream of characters. The transmitting device places the Modbus RTU message into a frame that has a known beginning and ending point, marked by silent intervals on the line of at least 3.5 character times [7]. This allows a receiving device to begin at the start of a new frame and to know when the message is complete. Partial messages must be detected and errors must be flagged as a result. Figure 2 shows the format of an RTU-based message.
[Fig. 2] Modbus RTU Frame Format
Modbus ASCII is human readable and more verbose [7]. Messages are coded as hexadecimal values represented with readable ASCII characters; the characters 0..9 and A..F are used for coding. When devices are set up to communicate on a Modbus serial line using American Standard Code for Information Interchange (ASCII) mode, each 8-bit byte in a message is sent as two ASCII characters. This mode is used when the physical communication link or the capabilities of the device do not allow conformance with the RTU mode requirements for timer management. In ASCII mode, the transmitting device places the message into a frame that has a known beginning and ending point: a frame starts with a colon (':') character and ends with a carriage return and line feed. This allows a receiving device to begin at the start of a new frame and to know when the message is complete. Partial messages must be detected and errors must be flagged as a result. Figure 3 shows the format of an ASCII-based message.
[Fig. 3] Modbus ASCII Frame Format.
The RTU format follows the commands/data with a cyclic redundancy check (CRC) checksum, while the ASCII format uses a longitudinal redundancy check (LRC) checksum. Both checksums detect transmission errors only; neither is keyed, so any party that can modify a frame can also recompute a valid checksum for it. Devices configured for the RTU variant will not communicate with devices set for ASCII, and vice versa. Today, support for the simple and elegant structure of Modbus continues to grow. Due to the increasing connectivity of SCADA devices, Modbus has been extended to Modbus TCP for connections over TCP/IP, which uses the reserved TCP port 502 and drops the serial checksum in favour of the TCP checksum. Modbus TCP supports the increasingly prevalent use of Ethernet in Distributed Control Systems (DCS) as well as SCADA systems because it allows SCADA personnel to replace or augment the data and distance limitations of older serial bus-type architectures. Use of Modbus/TCP also eliminates the need for a gateway to reach the internal network, which removes a natural chokepoint where traffic could be filtered, and makes it easier to integrate other devices such as security appliances, smart cards and bar code scanners. Connectivity to the IP-based business network also allows remote control of devices without having to issue commands from the control room. See Figure 4 for the communication architecture of Modbus TCP.
4. EXPLOITING THE VULNERABILITIES
To perform the exploitation of a Modbus security vulnerability, a control function scenario was set up. The hardware configuration is shown in Figure 5: one computer serves as the master, another is assigned as the slave and the third acts as the intruder (sniffer). In the physical configuration, RS-232 to RS-485 transceivers were set up to connect each computer to the bus. While two devices communicate with each other over the transceivers, the third (sniffer) device monitors the messages sent by the master to the slave and performs the exploitation of the security vulnerabilities of the system.
[Fig. 4] Modbus TCP Communication Architecture
[Fig. 5] Physical Connection
This type of exploitation is a man-in-the-middle attack. It is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker [8]. Quite often in such cases, the victim parties are led to believe that they remain safe in communicating with each other. Because Modbus does not authenticate the sender of a frame and does not protect its integrity, neither master nor slave has any means of detecting the substitution. The attacker (sniffer) here is able to intercept all messages passing between the master and slave. The attacker sniffs the data and sends on a modified, erroneous message that alters the operation of the master and brings the system to a halt. A common attack scenario involves the attacker having inserted himself into the communication between a master and a slave; the attacker then transmits deceptive messages between the master and the slaves so that they continue to believe the channel is trustworthy. The master and slave scenario with the attacker in the middle is illustrated in Figure 6.
[Fig. 6] Man in the middle attack
The message structure of the Modbus protocol comprises the device address of the receiver, a function code that defines the message type, a data block with additional information, and an error check to detect communication errors. Understanding the function codes of the Modbus protocol allows an attacker to perform a successful attack on SCADA control systems and devices. A transaction consists of a single request from the host to a specific secondary device and a single response from that device back to the host. Figure 7 shows the function codes and descriptions of the Modbus protocol.
[Fig. 7] Modbus function codes [9]
The figure above provides a potential attacker with the information needed to attack the SCADA control system. An attacker can change the value of a single coil or holding register, or of multiple coils or registers at the same time. For instance, function code 05 (Write Single Coil) changes the value of a single coil. By specifying the function code and the associated data address in the message frame to be sent, the attacker can change the flow of operation of the system. The controlled process would then run erroneously and could eventually be brought to a halt.
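The following is an added example, not code from the paper or from any Modbus vendor, covering both the frame formats of section 3 and the man-in-the-middle rewrite of section 4. It builds and checks Modbus RTU frames (CRC-16) and Modbus ASCII frames (LRC), then plays the attacker: a Write Single Coil request (function code 05) carrying 0xFF00 (ON) is rewritten to 0x0000 (OFF) and given a fresh CRC, and the slave-side parser accepts it. The unit id 0x11, coil address 0x0013 and the frames are constructed for illustration.

```python
"""Modbus serial framing and the man-in-the-middle rewrite described in
sections 3 and 4.  Added example, not code from the paper: the unit id,
coil address and frames below are constructed for illustration."""
import struct

FC_READ_COILS = 0x01          # standard public function codes
FC_WRITE_SINGLE_COIL = 0x05


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: polynomial 0x8005 bit-reversed (0xA001), init 0xFFFF.
    Detects line noise; it is not keyed, so anyone can recompute it."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check used by Modbus ASCII: two's complement
    of the byte sum, truncated to 8 bits."""
    return (-sum(data)) & 0xFF


def build_rtu(unit: int, fc: int, data: bytes) -> bytes:
    """RTU ADU: address | function | data | CRC (low byte first)."""
    body = bytes([unit, fc]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu(frame: bytes) -> dict:
    """Validate the CRC and split an RTU frame; raise on a damaged frame."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, received = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != received:
        raise ValueError("CRC mismatch")
    return {"unit": body[0], "fc": body[1], "data": body[2:]}


def build_ascii(unit: int, fc: int, data: bytes) -> bytes:
    """ASCII ADU: ':' | hex(address, function, data, LRC) | CR LF."""
    body = bytes([unit, fc]) + data
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode() + b"\r\n"


def parse_ascii(frame: bytes) -> dict:
    """Validate the delimiters and LRC of an ASCII frame and split it."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ASCII frame delimiters")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    body, received = raw[:-1], raw[-1]
    if lrc(body) != received:
        raise ValueError("LRC mismatch")
    return {"unit": body[0], "fc": body[1], "data": body[2:]}


def mitm_rewrite(frame: bytes) -> bytes:
    """The attacker in the middle: turn a 'Write Single Coil ON' request into
    'OFF' and re-seal it with a fresh CRC.  The slave cannot tell the
    difference because nothing in the frame authenticates the master."""
    msg = parse_rtu(frame)
    if msg["fc"] == FC_WRITE_SINGLE_COIL and msg["data"][2:4] == b"\xFF\x00":
        flipped = msg["data"][:2] + b"\x00\x00"      # 0xFF00 = ON, 0x0000 = OFF
        return build_rtu(msg["unit"], msg["fc"], flipped)
    return frame


def run_scenario() -> dict:
    """Master asks slave 0x11 to switch coil 0x0013 ON; the attacker rewrites it."""
    original = build_rtu(0x11, FC_WRITE_SINGLE_COIL, b"\x00\x13\xFF\x00")
    tampered = mitm_rewrite(original)
    return {
        "original": original,
        "tampered": tampered,
        "slave_sees": parse_rtu(tampered),   # accepted: the CRC is valid again
    }


if __name__ == "__main__":
    result = run_scenario()
    print("master sent :", result["original"].hex(" "))
    print("slave got   :", result["tampered"].hex(" "))
    print("coil value  :", result["slave_sees"]["data"][2:].hex())
```

The same rewrite that the CRC accepts is rejected if the attacker forgets to recompute it, which is exactly the point: the checksum catches noise, not adversaries. An integrity mechanism that the attacker cannot recompute (a keyed MAC or an encrypted tunnel such as the IPsec VPN recommended in section 5) is what is missing from the frame.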
5. SECURITY MEASURES
To improve and strengthen the overall security of a SCADA system, it is essential to enhance the security features of the SCADA protocols [10][11]. It is necessary to analyze existing protocols such as Modbus and understand the vulnerabilities present in them. This will help with the development of security measures that can be added to the protocol specifications. To protect Modbus RTU/ASCII, the recommendations are the following:
• Intrusion detection deployment, either through commercial IDS products, transaction logging or traffic monitoring; at a minimum, write function codes that do not originate from the master station should be logged and alerted on.
• All external SCADA connections leaving the protection of the physical system should be considered insecure, and connections should be encrypted wherever possible.
• All connections to trusted third parties should be considered insecure. Protection through firewalls or virtual private networks (VPNs) should be deployed.
• All gateway devices that communicate with devices outside the immediate physical protection of the system are susceptible to direct attack. They should be hardened and isolated from the other SCADA devices on the control system.
In Modbus TCP, the interconnectivity of the networks spans the whole world, allowing SCADA attackers to potentially exploit the system regardless of their location. The protocol is carried in cleartext, which makes it especially vulnerable: important process data can be gathered easily by monitoring and sniffing, and any credentials sent over the same link may be harvested from the transmission. To provide security mechanisms and protection, the Modbus messages must be encapsulated inside an encrypted channel. An IPsec VPN connection should be used to encapsulate the traffic whenever it travels across a vulnerable medium; examples of vulnerable media include non-SCADA and wireless networks. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of a session and for negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host [12][13]. Note that a VPN only protects the path it covers: a host that is itself inside the tunnel endpoint can still send arbitrary Modbus writes, so monitoring of the function codes on the control network remains necessary.
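As an added example of the traffic monitoring recommended above (not code from the paper or from any IDS product), the following passive monitor parses Modbus TCP requests on port 502 into their MBAP header and PDU, and logs an alert for any write function code (05, 06, 15, 16) that does not originate from the authorised master station. The IP addresses, the allow-list of masters and the captured payloads are constructed for the example; a real deployment would feed it frames from a network tap or a packet capture library.

```python
"""Passive monitor for Modbus TCP (port 502) traffic.  Added example, not
code from the paper: it parses the MBAP header and PDU of each request and
logs writes that do not originate from the authorised master station.  The
IP addresses, the allow-list and the captured payloads are constructed."""
import struct

# Public function codes that change process state (the paper's Fig. 7)
WRITE_FUNCTION_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                        0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
AUTHORISED_MASTERS = {"10.0.0.1"}       # assumption: the only host allowed to write


def parse_mbap(packet: bytes) -> dict:
    """Split a Modbus TCP ADU: MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code, data).  There is
    no CRC here; Modbus TCP relies on the TCP checksum and nothing else."""
    if len(packet) < 8:
        raise ValueError("truncated: need 7-byte MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", packet[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(packet) - 6:            # length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with payload size")
    return {"tid": tid, "unit": unit, "fc": packet[7], "data": packet[8:]}


def describe(fc: int, data: bytes) -> str:
    """Human-readable summary of the request for the log line."""
    if fc in (0x05, 0x06) and len(data) >= 4:
        addr, value = struct.unpack(">HH", data[:4])
        return f"{WRITE_FUNCTION_CODES[fc]} addr={addr} value=0x{value:04X}"
    if fc in (0x0F, 0x10) and len(data) >= 4:
        addr, qty = struct.unpack(">HH", data[:4])
        return f"{WRITE_FUNCTION_CODES[fc]} addr={addr} count={qty}"
    return f"function 0x{fc:02X}"


def inspect(src_ip: str, packet: bytes) -> tuple:
    """Classify one request as ok / alert / malformed with a log message."""
    try:
        msg = parse_mbap(packet)
    except ValueError as exc:
        return ("malformed", f"{src_ip}: {exc}")
    summary = describe(msg["fc"], msg["data"])
    if msg["fc"] in WRITE_FUNCTION_CODES and src_ip not in AUTHORISED_MASTERS:
        return ("alert", f"{src_ip} -> unit {msg['unit']}: unauthorised {summary}")
    return ("ok", f"{src_ip} -> unit {msg['unit']}: {summary}")


# Constructed capture: (source address, Modbus TCP payload) as seen on port 502
CAPTURE = [
    ("10.0.0.1",  b"\x00\x01\x00\x00\x00\x06\x11\x01\x00\x13\x00\x25"),  # master reads 37 coils
    ("10.0.0.1",  b"\x00\x02\x00\x00\x00\x06\x11\x05\x00\xAC\xFF\x00"),  # master sets coil 172 ON
    ("10.0.0.99", b"\x00\x03\x00\x00\x00\x06\x11\x05\x00\xAC\x00\x00"),  # rogue host sets it OFF
    ("10.0.0.99", b"\x00\x04\x00\x00\x00\x0B\x11\x10\x00\x01\x00\x02\x04\x00\x0A\x01\x02"),  # rogue writes 2 registers
    ("10.0.0.99", b"\x00\x05\x00\x00\x00\x02\x11"),                      # truncated frame
]


def run_monitor(capture=CAPTURE) -> list:
    """Return (verdict, log line) for every request in the capture."""
    return [inspect(src, payload) for src, payload in capture]


if __name__ == "__main__":
    for verdict, line in run_monitor():
        print(f"[{verdict:9}] {line}")
```

The allow-list is the weak point of this design: an attacker who can spoof the master's address, or who has compromised the master itself, passes the check. That is why the paper's recommendation pairs monitoring with hardening and isolating the gateway devices rather than relying on detection alone.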
6. CONCLUSION
The interconnectivity of SCADA networks continues to grow, exposing them to an increasing risk of cyber attacks, and there is therefore a critical need to improve the security of these networks. SCADA systems were developed for reliability, availability and speed, with little or no attention paid to security. Modbus in particular has inherent protocol vulnerabilities in its design. The lack of common security mechanisms in the protocol, such as authentication, confidentiality and integrity, must be addressed. With the exponential growth of the Internet, vendors have extended these protocols to run over TCP/IP. This has exposed a number of serious robustness issues, such as the simple framing formats and the lack of session structure, which make attacks easy to carry out. SCADA systems are exposed to the same cyberspace threats as any business system because they share the common vulnerabilities of traditional information technology systems.

As such, it is beneficial to formulate and enforce security standards to strengthen the cyber security of SCADA networks. Despite the many professional organizations involved in the effort to standardize and improve SCADA network security, a strong research effort is still needed to further enhance the security of these systems, especially in the protocols used. Future research on the security vulnerabilities of SCADA networks will include a more in-depth SCADA analysis and implementation, as well as work on security recommendations and strategies for protecting and securing the currently security-limited Modbus protocol.
References
[1] http://en.wikipedia.org/wiki/SCADA
[2] E. Byres, Understanding Vulnerabilities in SCADA and Control Systems, October 2004.
[3] http://www.modbus.org/specs.php
[4] http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf
[5] http://www.obvius.com/pdfs/TN27-ModbusRS485QandA.pdf
[6] http://en.wikipedia.org/wiki/Modbus
[7] http://www.Modbus-IDA.org, October 2006.
[8] http://en.wikipedia.org/wiki/Man-in-the-middle_attack
[9] http://www.modbus.org/docs/MODBUS_Messaging_Implementation_Guide_V1_0b.pdf
[10] R. Carlson. Sandia SCADA program – high-security SCADA LDRD final report. Sandia National Laboratories report, SAND2002-0729; April 2002.
[11] J. Pollet. Developing a solid SCADA security strategy. In: Second ISA/IEEE Sensors for Industry Conference, 19–21 November 2002. p. 148–56.
[12] http://en.wikipedia.org/wiki/IPsec
[13] S. Kent and R. Atkinson. RFC 2406, IP Encapsulating Security Payload (ESP). Internet Engineering Task Force (IETF). http://www.ietf.org/rfc/rfc2406.txt
Authors

Giovanni A. Cagalaban
2000.3 Computer Science, University of the Philippines in the Visayas (BS)
2007.3 Computer Science, Western Visayas College of Science and Technology (MS)
2008.2~ Hannam Univ.
Research Interests: SCADA Security, Context-aware Systems, Sensor Networks

Yohwan So
1992.2 Hongik Univ. (BS)
1995.2 Hongik Univ. (MS)
1998.2 New York Institute of Technology (MS)
2009.2 Hongik Univ. (Completed Academic Requirements for Ph.D)
2003~ Hannam Univ.
Research Interests: 3D animation, 3D rendering, Graphics

Seoksoo Kim
1989.2 Kyungnam Univ. (BS)
1991.2 Sungkyunkwan Univ. (MS)
1998~2000 Gyeongnam Provincial Geochang College
2000~2003 Dongyang Univ.
2002.2 Sungkyunkwan Univ. (Ph.D)
2003~ Hannam Univ.
Research Interests: Multimedia Communication Systems, Distance Learning, Multimedia Authoring, Multimedia Programming, Computer Networking, Information Security