Abstract
The majority of network traffic in process control networks is generated by industrial communication protocols, whose implementation represents a considerable part of the code that runs in process control systems. Consequently, a large number of attack techniques that apply to process control systems can be conducted over industrial communication protocols. In this chapter we provide a technical discussion of possible vulnerabilities in industrial communication protocols, with specific reference to the IEC 61850 and ModBus protocols. We provide technical background on IEC 61850 and ModBus, and then proceed with a description of possible vulnerabilities in those protocols. We also elaborate on how those vulnerabilities are exploited, and then describe various techniques that leverage such exploitations to maximize physical damage to digitally controlled physical infrastructures such as power plants and electrical substations. The main goal of this chapter is to provide the reader with technical insight that is usable in researching and engineering a better cyber defense for process control systems.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this chapter
Rrushi, J.L. (2012). SCADA Protocol Vulnerabilities. In: Lopez, J., Setola, R., Wolthusen, S.D. (eds) Critical Infrastructure Protection. Lecture Notes in Computer Science, vol 7130. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28920-0_8
DOI: https://doi.org/10.1007/978-3-642-28920-0_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28919-4
Online ISBN: 978-3-642-28920-0
eBook Packages: Computer Science (R0)