
SCADA Protocol Vulnerabilities

  • Chapter

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7130))

Abstract

The majority of network traffic in process control networks is generated by industrial communication protocols, whose implementation represents a considerable part of the code that runs in process control systems. Consequently, a large number of attack techniques that apply to process control systems can be conducted over industrial communication protocols. In this chapter we provide a technical discussion of possible vulnerabilities in industrial communication protocols, with specific reference to the IEC 61850 and ModBus protocols. We provide technical background on IEC 61850 and ModBus, and then proceed with a description of possible vulnerabilities in those protocols. We also elaborate on how those vulnerabilities are exploited, and then describe various techniques that leverage such exploitations to maximize physical damage to digitally controlled physical infrastructures such as power plants and electrical substations. The main goal behind this chapter is to provide the reader with technical insight that is workable in researching and engineering a better cyber defense for process control systems.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Rrushi, J.L. (2012). SCADA Protocol Vulnerabilities. In: Lopez, J., Setola, R., Wolthusen, S.D. (eds) Critical Infrastructure Protection. Lecture Notes in Computer Science, vol 7130. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28920-0_8


  • DOI: https://doi.org/10.1007/978-3-642-28920-0_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28919-4

  • Online ISBN: 978-3-642-28920-0
