Friday, June 24, 2011

The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems


Abstract
Protocol standards, particularly those for critical control systems in the petroleum and power industry, have traditionally been designed to address a specific application with little regard for security. At best, there has been only passing concern for security issues that may arise in deployment; at worst, protocol designers assume a closed (and therefore secure) environment, which, in many cases, no longer exists. Where security has been a consideration, there has been no clear methodology to assess the security risks in the protocol specification. This paper describes the application of the attack tree methodology to SCADA communication systems based on the common MODBUS protocol stack. The authors identify eleven possible attacker goals and identify security vulnerabilities inherent in both the specification and in typical deployments of SCADA systems. These are then used to suggest possible best practices for SCADA operators and improvement to the MODBUS standard. 

1. SCADA protocols and security 

Supervisory Control and Data Acquisition (SCADA) protocols are communications protocols designed for the exchange of control messages on industrial networks. Over the past three decades, several hundred of these protocols have been developed for serial, LAN and WAN based communications in a wide variety of industries including petrochemical, automotive, transportation and electrical generation/distribution. Approximately 10 protocols currently dominate the industrial marketplace, including MODBUS, DNP3, EtherNet/IP, PROFIBUS and Foundation Fieldbus. The choice of protocol is typically a function of the operating requirements, industry preference, vendor and the design history of the system. For example, in an oil refinery an operator workstation might use the MODBUS/TCP protocol to communicate with a control device such as a Programmable Logic Controller (PLC). Alternatively, in a power utility's SCADA system, a master located in a central facility could use the DNP3 protocol to query and control slave Remote Terminal Units (RTUs) distributed in remote substations.
Most SCADA protocols were designed long before network security was perceived to be a problem. The traditional SCADA system was a closed serial network that contained only trusted devices, with little or no connection to the outside world. As control networks evolved, the use of TCP/IP and Ethernet became commonplace and interfacing to business systems became the norm. The result was that the closed trust model no longer applied and vulnerabilities in these systems began to appear [1]. In particular, network security problems from the business network and the world at large could be passed on to process and SCADA networks, putting industrial production, environmental integrity and human safety at risk [2].
One of the primary weaknesses exploited in attacks against the Internet and business information systems is vulnerabilities in the communications protocols and their implementations. SCADA systems are no exception to this rule, but little is known about the specific vulnerabilities in SCADA protocols. To address this, the Group for Advanced Information Technology (GAIT) at BCIT and Cisco Systems' Critical Infrastructure Assurance Group (CIAG) chose to investigate possible vulnerabilities in SCADA systems based on MODBUS and MODBUS/TCP. These systems were selected as a starting point since their underlying application layer protocol is both one of the simplest and one of the most widely used of all SCADA protocols in critical infrastructures.
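The simplicity of the MODBUS/TCP application layer referred to above, and the absence of any security fields in it, is easiest to see on the wire. The following Python is an added example, not code from the paper or its authors: it encodes and decodes MODBUS/TCP frames (the 7-byte MBAP header followed by the PDU, per the public MODBUS/TCP specification) and runs a toy slave against constructed request frames. Every field is either routing (transaction id, unit id) or payload (function code and data); nothing binds a frame to its sender, so the slave applies any well-formed write regardless of origin. The `Slave` class and the register table it holds are assumptions made for the illustration.

```python
"""Added example (not from the Byres/Franz/Miller paper): MODBUS/TCP frame
encode/decode plus a toy slave, to show what a frame carries and what it
does not (no authentication, integrity or session fields).  All frames
here are constructed for illustration."""
import struct
from dataclasses import dataclass

MBAP_LEN = 7            # MODBUS Application Protocol header is 7 bytes
MODBUS_PROTOCOL_ID = 0  # always 0 for MODBUS

# Function codes from the public MODBUS application protocol specification.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
ILLEGAL_FUNCTION = 0x01  # exception code returned for an unsupported function


@dataclass
class ModbusTcpAdu:
    transaction_id: int  # echoed by the slave; pairs a response with its request
    unit_id: int         # device addressed (matters behind a serial gateway)
    function: int
    data: bytes


def encode(adu: ModbusTcpAdu) -> bytes:
    """MBAP header + PDU.  The length field counts unit id + function + data."""
    pdu = bytes([adu.function]) + adu.data
    header = struct.pack(">HHHB", adu.transaction_id, MODBUS_PROTOCOL_ID,
                         len(pdu) + 1, adu.unit_id)
    return header + pdu


def decode(frame: bytes) -> ModbusTcpAdu:
    """Parse a frame, checking the header instead of trusting the advertised
    length blindly.  Note there is no origin or integrity field to verify."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusTcpAdu(tid, uid, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


def write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Function 0x06 request: register address and value, both big-endian 16-bit."""
    return encode(ModbusTcpAdu(tid, unit, WRITE_SINGLE_REGISTER,
                               struct.pack(">HH", address, value)))


def read_holding_registers(tid: int, unit: int, start: int, quantity: int) -> bytes:
    """Function 0x03 request: starting address and number of registers."""
    return encode(ModbusTcpAdu(tid, unit, READ_HOLDING_REGISTERS,
                               struct.pack(">HH", start, quantity)))


class Slave:
    """Toy PLC/RTU (an assumption for this example): a holding-register table
    that services whatever well-formed request reaches it."""

    def __init__(self, registers: dict):
        self.registers = dict(registers)

    def handle(self, frame: bytes) -> bytes:
        req = decode(frame)
        if req.function == WRITE_SINGLE_REGISTER:
            address, value = struct.unpack(">HH", req.data)
            self.registers[address] = value      # no check of who asked
            return encode(req)                   # normal response echoes the request
        if req.function == READ_HOLDING_REGISTERS:
            start, quantity = struct.unpack(">HH", req.data)
            values = [self.registers.get(start + i, 0) for i in range(quantity)]
            data = bytes([2 * quantity]) + b"".join(struct.pack(">H", v) for v in values)
            return encode(ModbusTcpAdu(req.transaction_id, req.unit_id,
                                       READ_HOLDING_REGISTERS, data))
        # Exception response: function code with the high bit set, one exception byte.
        return encode(ModbusTcpAdu(req.transaction_id, req.unit_id,
                                   req.function | 0x80, bytes([ILLEGAL_FUNCTION])))


if __name__ == "__main__":
    plc = Slave({0x0010: 0})
    request = write_single_register(1, 1, 0x0010, 0x1234)
    print("request :", request.hex())
    print("response:", plc.handle(request).hex())
    print("register 0x0010 is now", hex(plc.registers[0x0010]))
```

Run stand-alone, the script shows a 12-byte write request and its echoed response; the only fields a slave can check are the protocol id and the length, which is exactly the gap the attack trees in this paper set out to enumerate.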



 Eric J. Byres 
Group for Advanced Information Technology, British Columbia Institute of Technology 
eric_byres@bcit.ca 
Matthew Franz and Darrin Miller 
Critical Infrastructure Assurance Group, Cisco Systems Inc. 
mdfranz@gmail.com darrimil@cisco.com 



