Rajesh Kalluri
Associate Director
C-DAC, Bangalore
Agenda
• Entry points to ICS
• Defense in depth Architecture
• Asset management – Security Monitoring
• SCADA Testbed with Demo
Entry points to ICS
Purdue Architecture
Typical Attack Routes
Some typical SCADA attack routes are listed here:
• Internet connections
• Business or enterprise network connections
• Connections to other networks that contain vulnerabilities
• Compromised virtual private networks (VPNs)
• Back-door connections through dial-up modems
• Unsecured wireless connections discovered by war-driving laptop users
• Malformed IP packets, in which packet header information conflicts with actual packet data
• IP fragmentation attacks, where a small fragment is transmitted that forces some of the TCP header field into a second fragment
• Vulnerabilities in the Simple Network Management Protocol (SNMP), which is used to gather network information and provide notification of network events
• Open computer ports, such as UDP or TCP ports that are unprotected or left open unnecessarily
• Weak authentication in protocols and SCADA elements
• Maintenance hooks or trap doors, which are means to circumvent security controls during SCADA system development, testing, and maintenance
• E-mail transactions on the control network
• Buffer overflow attacks on SCADA control servers, which are accessed by PLCs and SCADA HMIs
• Leased, private telephone lines
Accessing Industrial Networks
What is a security incident
● An incident can be described as an occurrence of an event with a potentially undesirable
or harmful outcome.
● What makes a security-related event a security incident is context
○ Malicious code execution on a system
○ Malicious or damaging interaction with computing or production resources
○ Unauthorized changes to a programmable logic controller (PLC) or human machine interface (HMI)
○ Unauthorized access to a building or restricted area of a building
○ Unauthorized access of computer systems
○ Unauthorized use or abuse of software or data
○ Unauthorized changes to production systems, software, or data
○ Loss or theft of equipment storing production-related data
○ Distributed Denial of Service (DDoS) attacks
○ Interference with the proper operation of Operation Technology (OT) or production resources
○ Excessive failed login attempts
Risks without asset management solution
Tactical risks associated with lack of an asset management solution
● lack of knowledge of an existing asset, including its configuration and intended
behavior
● lack of knowledge of the asset’s physical and logical location
● lack of a near-real-time comprehensive asset inventory
● lack of knowledge of asset vulnerabilities and available patches
● lack of data visualization and analysis capabilities that help dispatchers and a security analyst view device security events
Benefits of asset management
Benefits of the asset management tool
● Maintain the inventory of devices
○ Any new or rogue device will be identified
○ Non-operating existing devices will be reported
● Gain control systems network visibility
○ Manage devices and their configurations
● Improve compliance and policies
○ Monitored against policy and compliance guidelines
● Reduce downtime
○ downtime costs can be reduced
○ Mitigation time can be improved
Asset Inventory
● List of all hardware systems in the environment – both on and off the network – including IP, serial and other devices.
This should include make/model as well as key statistics such as memory, storage, etc.
● Comprehensive software inventory including operating system, firmware, application software, etc.
● List of all users and accounts on each asset, including those that are dormant, shared, local, admin, etc.
● Patch status of OS and application software
● Known vulnerabilities and their CVSS scores, attack vectors, and potential remediation
● Configuration settings to determine whether the device is securely configured for ports, services, passwords, etc.
● Network connections and possible paths, as well as network protections in place
● Antivirus and other protection software status such as whether they’ve been updated
● Backup status
● Location information such as rack, cabinet, building, etc. to enable rapid physical discovery of assets
● Criticality information to judge the importance of the asset to the process
Security monitoring
Security monitoring comprises the systems, processes and activities used to detect, record, and alert on security-related events and incidents.
● Passive security monitoring is the preferred method for ICS network security
monitoring as it doesn't place additional strain on the already resource-restricted
industrial controls and automation equipment. Passive network monitoring doesn't
require additional software to be installed on end devices, which is often neither
possible nor feasible with ICS equipment.
● Active security monitoring is all about interrogating the environment to reveal
security-related issues or incidents.
● With threat hunting, you are not relying on passive or active detection systems to
report security incidents, but rather you go find signs of malicious activity.
Security monitoring data collection methods
● Recording packets on the network (packet capturing)
● Collecting event logs generated by the operating system, network, and automation
devices, or the software and applications
● Security monitoring solutions often use a combination of these two collection
methods to aggregate the necessary data, to help them find security incidents
Passive Security Monitoring
Forms of passive security monitoring include the following:
Network packet sniffing
By inspecting every network packet that passes by the sniffing interface, we can look for
anomalies, patterns, Internet Protocol (IP) addresses, interesting packet data, or other
relevant information.
SPAN ports: A SPAN (mirror) port on a switch copies the traffic of other ports to the port on which we connect a NIC in promiscuous mode, which is used to feed packets into a passive security monitoring solution. This effectively extends the visibility of the solution from a single network segment to an entire switch.
Choke points: Choke points are strategic locations in the network architecture where we
tunnel inter-zone network traffic through, with the intent of being able to conveniently and
effectively sniff that network traffic.
Choke points, SPAN ports, and promiscuous NICs go hand in hand to deliver a solid feed of
network traffic for our passive security monitoring tools to use.
Collection and correlation of event logs
Event logs can contain information about the state of a system, changes made to it, users
logging in, or operational information such as anomaly detection, discovery of malicious
code or actions, blocked network connections, etc.
Correlating events: The formatting and standardization process can be done as logs come
in (as part of the syslog event logging process) or after the fact (on a database level), or a
combination of the two, depending on the setup and types of event log sources we are
dealing with.
Host-based agents
A host-based agent's main function is to (periodically) grab relevant information or monitor the system for relevant actions, changes, or activities, and then send any discoveries to a central server to be processed by the security solution that deployed the agent.
Common passive security monitoring tools
● Network-based IDS (NIDS) is used to inspect traffic that traverses the network and it
can be a standalone device (standalone appliance), or NIDS technology can be baked
into another appliance such as a firewall
● Integrated into firewalls, the added NIDS capability is often called deep packet inspection (DPI). DPI refers to the capability to look beyond (deeper than) the Network and Transport layers of a network packet
● Monitoring the environment for intrusions
○ On the IT side of the ICS environment (Level 3 – Site Operations), we use an IT-oriented IDS (IT-IDS)
○ On the industrial side of the ICS network (Levels 2 – Area Supervisory Control and 1 – Basic Control),
we use an OT-oriented IDS (OT-IDS)
Event log collection and correlation tools (which includes SIEM)
● These types of tools allow us to collect, store, and aggregate event logs, alerts, and
other interesting data into a single, shared database
● Tools can help us correlate events and data from these dispersed sources and can
help detect anomalies, either in an automated way or manually
Active scanning
● With active scanning on a live (operational) ICS network, things can, and often will, go wrong.
● Though the resiliency of industrial equipment has significantly improved over recent years, most ICS environments still have legacy equipment running.
Active monitoring
Active security monitoring is aimed at actively interrogating the monitored environment
for security incidents and other relevant security-related information.
• Host-based agents that can scan the host for security-related issues and malicious
content
Network scanning - IP and port scanning
Knowing what IP addresses are live (present and running) on your network is valuable
information for figuring out all your assets or to see whether any new assets have
appeared on your network since the last time you scanned it.
• Nmap (https://nmap.org/)
• Netcat (http://netcat.sourceforge.net/)
Network mapping
This scan is aimed at discovering the topology of a network. Typically, this comes down to mapping out what is connected to network switches by interrogating those switches over the Simple Network Management Protocol (SNMP), but other methods do exist.
• Zenmap (https://nmap.org)
• LanTopoLog (https://www.lantopolog.com/)
Vulnerability scanning
Vulnerability detection is the process of comparing the patch level of a system's services and applications against a list or database of known vulnerable revisions of the service or application in question.
These types of scanners can interrogate systems, find out the system's patch level, see
what services are running, and see what applications are installed to figure out the
revisions of all of them.
The following are examples of vulnerability scanning tools:
• Nmap (https://nmap.org)
• Nessus (https://www.tenable.com/products/nessus)
• Acunetix (https://www.acunetix.com/)
• Rapid7 Nexpose (https://www.rapid7.com/products/nexpose/features/)
• Nikto, which is mostly aimed at web server vulnerabilities (https://cirt.net/nikto2)
• Qualys VMDR (https://www.qualys.com/subscriptions/vmdr/)
Endpoint inspection with host-based agents
An agent is an executable that runs on an end device and collects events, data, and
information or scans the endpoint for security-related issues on behalf of a security
monitoring solution.
● The depth of inventory and details are more extensive with the use of an agent
● Agents tend to use less network bandwidth. This is particularly convenient in ICS
environments where network bandwidth is often not a luxury we can afford. The
agent will only transmit the data required, nothing more.
Differences between active and passive scanning
● Assets discovery
● Properties of assets
● Timeliness (continuous vs scheduled)
● Deployment considerations
References
● Industrial control systems security, Pascal Ackerman
● SANS, “ICS Asset Identification: It's More Than Just Security”. Online: https://www.sans.org/reading-room/whitepapers/riskmanagement/ics-asset-identification-it-039-s-security-39650
● https://www.solarwinds.com/netflow-traffic-analyzer/use-cases/network-protocol-analyzer
● http://www.apnoms.org/2005/technical/8_4.pdf
● https://verveindustrial.com/resources/blog/what-is-ot-ics-asset-inventory-and-why-is-it-the-foundation-of-a-cyber-security-program/
SCADA Test bed
Simulation of attacks like DoS, phishing and malware injection in IT systems and in SCADA systems is not the same. Why?
Need of SCADA Testbed
• Targeted attacks on critical infrastructures pose a high risk to society: an important difference in Industrial Control Systems (ICS) malware is the ability to intervene in physical processes.
• Data communication runs on standard protocols like IEC 870-5.
• Organizations need specific initiatives and policies to address ICS security.
• SCADA systems are not IT systems; each system has its own functionality.
• A SCADA testbed is required for the simulation of various attacks.
• Security Information and Event Management tools are used for the collection of information and for visualization using a dashboard.
SCADA Testbed – Live, Virtual, Constructive
• Testing on operational systems or on test beds is effective in
determining system level impacts.
• Testing on operational systems in most cases is not possible
because of the risk to the operational system and its mission.
• The methodology enables building models of both the SCADA
system and the physical system.
• The model of the SCADA system may include its connectivity to the
various business networks and, in cases, its connectivity to the
Internet.
• This methodology enables the creation of a SCADA system using
simulated, emulated, and real devices in a single hybrid experiment
SCADA Testbed – Live, Virtual, Constructive
• SIMULATED: Network simulation tools such as OPNET Modeller are
designed in part to allow analysts, engineers and researchers to
understand how network protocols perform under various traffic
loads and device configurations
• EMULATED: In order to represent authentic network services,
virtual machines (VMs) are utilized as surrogate systems functioning
as hosts and servers supporting the various applications.
• PHYSICAL: Physical devices are also included in hybrid cyber
experiments. The devices are connected to the experiment in the
same way that the device is connected to an operating system
Thank You
rajeshk@cdac.in
ICS Incident Response
Niriksha T.K.
Knowledge Associate
C-DAC, Bangalore
nirikshatk@cdac.in
Contents
➔ What is an Incident
➔ References
What is an Incident ?
What is incident response
● Goal: Effectively manage incidents to the point where the damage and
impact of the incident is limited, and both the recovery time and costs, as
well as collateral damage, which includes the organization's reputation,
are kept to a minimum.
SANS incident response procedure
01 Preparation
02 Identification
03 Containment
04 Eradication
05 Recovery
06 Lessons Learned
Incident response process
● Incident response preparation: occurs periodically without any identified incident.
● Incident response handling: triggered when an incident is detected.
1. Incident response preparation
[Figure: incident response preparation process flow, steps 1 to 7]
Incident response preparation
➔ Restoring from a backup usually allows for a faster and smoother recovery.
➔ Ensure that recent online and offline backups are available for each asset.
➔ Each Technology Owner should review the available backups for the assets in their area of responsibility.
Incident response preparation (step 5)
➔ Review alerts and indicators relevant to the assets in their area of responsibility, as well as the status of the tools.
Incident response preparation (step 6)
➔ The Technology Owners are the most knowledgeable about the risks that exist within their areas of responsibility.
Incident response preparation (step 7)
➔ Review the reports from the Technology Owners about backups, automated tools, known risks and the results of the incident simulation exercise.
2. Incident response handling
2.1 Incident identification
2.2 Containment
2.3 Eradication
2.4 Recovery
2.5 Lessons learnt
Incident response handling
➔ The incident handling process is triggered when an incident is detected.
➔ By predefining a process with actions to be carried out by role holders, the chaos
surrounding an incident can be managed with a systematic response.
➔ Inputs:
◆ Blank incident response form
➔ Outputs:
◆ Completed incident response form.
◆ Normally operating OT environment.
◆ Closed incident status is communicated.
2.1 Incident identification
Incident reporting procedure
Communications procedure
Analysis procedure
➔ Goal is to try to understand the nature and scope of the incident and report the findings as inputs to further steps.
Severity levels
● Suspicion of ransomware
● Risk of exposing sensitive data
● Displays terroristic threat
● Threatens to impact a small number of employees, contractors, vendors, or OT resources (non-production)
Communications procedure
Containment
Goal: limit damage from the current security incident and prevent any further
damage.
There are two distinct containment procedures:
• Short-term containment, with the goal of limiting the amount of damage that
the incident is causing.
Short term containment
Limiting damage before the incident gets worse, usually by isolating network segments,
taking down hacked production server and routing to failover.
The immediate need is to limit damage and stop any incident spread.
Typically, the short-term containment task action that's performed for each affected asset is
one of the following:
Long term containment
Long-term containment picks up where short-term containment leaves off.
Includes the following tasks:
• Verifying the nature and scope.
• Determining the minimum change necessary to stop the incident.
• Collecting evidence that the incident occurred and that incident artifacts are no longer present.
• Taking a forensic image and forensic copy.
• Undoing short-term containment actions that are more than the minimum change necessary.
• Verifying that incident symptoms have ceased occurring.
Eradication
● Primary goal: to rid the affected assets of security incident artifacts.
Note: it's important that we do not go to recovery phase until a
root cause has been identified and the scope is understood;
otherwise, there is a significant risk of this or a related security
incident occurring again.
Recovery
Recovery Procedure:
● If an asset was restored using a clean backup or was rebuilt from source media,
additional effort may be required for syncing data and copying files.
● Also, all approved application and operating system security patches should be
installed per the antivirus, operating system patching, and application updates policy
before you return the asset to normal operations.
Lessons Learnt
Primary goal: to identify what could be improved in the incident response process, and what could be improved in the network and systems' defenses.
Secondary goal: to reach an agreement on, and complete the documentation of, the facts of the security incident.
Lessons learned procedure:
● Once recovery is deemed successful, the Incident Lead gathers notes from all the involved incident
response team members and develops a factual narrative including a timeline of how the incident
unfolded.
● A "lessons learned" meeting is scheduled with the Incident Lead, OT administrator, and involved technology owners as required participants.
● The Incident Lead should present the incident narrative and timeline. The presentation should conclude with the root cause being identified and the evidence that supports that conclusion.
● The meeting should conclude with a summary of the points of agreement and identified action items.
After the presentation, the discussion should focus on answering the following questions:
• Is there a way that this incident could have been detected faster?
• How efficient was the incident reporting process?
• In general, was the incident handling process followed?
• Was in-scope/out-of-scope determination a bottleneck?
• What could be done differently to improve the incident handling process next time a similar incident occurs?
• Were communications regarding incident status timely and clearly understood?
• Should external parties have been involved, or involved sooner?
• What could have prevented this incident from occurring?
• Do we need to gather tools or resources to detect, analyze, and mitigate future incidents better?
• What worked well?
References
[2] NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
[3] https://www.sans.org/white-papers/33901/
Thank You !
ICS Risk Assessment
Niriksha T.K., Knowledge Associate, C-DAC, Bangalore
nirikshatk@cdac.in
Contents
● Introduction
● Risk assessments
● Asset identification
● System characterization
● Vulnerability identification
● Threat modeling
● Risk calculation
● Risk mitigation prioritization
Abbreviations: SUC (System under consideration), IOC (Indicator of compromise), CVSS (Common Vulnerability Scoring System), NIST (National Institute of Standards and Technology)
Introduction
ICS attacks are often divided into two phases, as illustrated in the following figure:
[Figure: Phase 1 and Phase 2 of an ICS attack]
Introduction
Stage 1:
➔ Involves gaining access to the ICS network in any way possible
➔ Objectives:
◆ Gaining a foothold in the enterprise network
◆ Pivoting into the industrial network from enterprise network
Stage 2 :
➔ Involves ICS exploitation part of the attack
➔ Objectives:
◆ Stealing sensitive data
◆ Disrupting production
Introduction : Example
A spear-phishing campaign targets the business users of VictimCorp Inc. to try to have them click on a
malicious link that results in their PC being infected with a remote access trojan (a backdoor malware).
Pivoting through the infected business system, the adversary scans the enterprise network for ICS
workstations that could provide access to the ICS network. By exploiting a discovered vulnerability on an ICS
workstation, the attacker gains access to the ICS network and starts attacking the turbine control to have it
spin out of control and fail.
Risk
"… vector, due to a potential vulnerability in a target, and what the resulting consequence and impact will be."
● Threat source: The attacker or threat actor.
● Likelihood: The chance of the vulnerability found becoming a threat event.
● Target: The target is the SUC.
● Consequence: The direct result of a successful threat event.
Risk Assessment
Risk Assessment :
"The identification, evaluation, and estimation of the levels of risks involved in a situation, their
comparison against benchmarks or standards, and determination of an acceptable level of risk."
Risk assessments are about discovering all the things that can go wrong in a certain
situation, such as the setup of a system, and the likelihood that things will go wrong and
what the impact will be when things do go wrong.
Risk Score
● Severity:
○ Range: 0 to 10
○ Given by CVSS
● Criticality:
○ Range: 1 to 5
○ Reflects the importance of the SUC to the overall process
● Likelihood:
○ Range: 1 to 5
○ Reflects the chance that the vulnerability will be successfully exploited
● Impact:
○ Range: 1 to 5
○ Reflects financial impact, damage to the image of the company, impact on the environment, and risk to employee and public health and safety
Risk Assessment Activities
1. Identify potential targets
● Input: An ICS network
● Output: List of potential targets
1.1 Asset Identification
Goal: Find all the assets of the SUC.
“Active scanning techniques must be avoided in OT environments”
Alternative: Passive scanning
1.2 System characterization
Data sources:
● Documentation review
● Asset owner interviews
● Discussion with supervisors and managers
● Round table exercise
2. Identify potential vulnerabilities and threat vectors/sources/events, and estimate likelihood and consequences
● Input: Asset list with characteristics
● Output: Risk scenario
2. Vulnerability Identification & Threat Modeling
➔ Find all relevant vulnerabilities and associated threats for the list of IP addresses.
➔ Threat modeling is the process of turning threat information into actionable threat
intelligence by means of threat events and risk scenarios.
➔ It is the process of collecting threat information and threat sources along with their:
◆ Motivations
◆ Capabilities
◆ Activities
IOC Sources
● NIST: https://csrc.nist.gov/publications/detail/itl-bulletin/2017/05/cyber-threat-intelligence-and-information-sharing/final
● CVE: https://www.cvedetails.com/
● US-CERT: https://us-cert.cisa.gov/
Vulnerability Identification & Threat Modeling
Steps: gather information, then discover vulnerabilities. There are two methods to discover vulnerabilities:
○ Comparison
○ Scanning
Comparison: This method takes all the running software, firmware, and OS versions and compares those to online vulnerability databases, searching for known vulnerabilities.
Advantage: Minimum or no risk to the ICS network
Disadvantage: Very labor-intensive
Scanning: This method involves running a vulnerability scan with an automated scanning tool like Nessus or OpenVAS.
Advantage: Faster and much less labor-intensive.
Disadvantage: Introduces lots of traffic to the ICS network.
Discover Vulnerabilities: Comparison
● https://cve.mitre.org
● https://us-cert.cisa.gov/ics
● http://www.securityfocus.com
● http://www.exploit-db.com
Threat Event
For a threat event to be feasible, the following elements must be present: a threat source to carry out the event, a threat vector to exploit the vulnerability, and a target with a vulnerability.
3. Calculate potential impact
● Input: Risk scenario
● Output: Risk score for every risk scenario
Risk calculation & mitigation prioritization
Thank You !
INTRODUCTION
• The MODBUS protocol defines a simple Protocol Data Unit (PDU) independent
of the underlying communication layers.
• The mapping of MODBUS protocol on specific buses or networks can introduce
some additional fields on the Application Data Unit (ADU).
MBAP HEADER
MBAP Header is 7 bytes long and contains four blocks.
1. Transaction Identifier
2. Protocol Identifier
3. Length
4. Unit Identifier
FUNCTION CODE
• The function code is part of the PDU and decides what kind of action to perform.
• The size of the function code is 1 byte.
• Valid codes are in the range 1 ... 255 decimal; function code 0 is not valid.
MODBUS TRANSACTION
MODBUS DATA MODEL
ADDRESSING MODEL
MODBUS EXCEPTION CODES
CODE NAME
01 ILLEGAL FUNCTION
02 ILLEGAL DATA ADDRESS
03 ILLEGAL DATA VALUE
04 SLAVE DEVICE FAILURE
05 ACKNOWLEDGE
06 SLAVE DEVICE BUSY
08 MEMORY PARITY ERROR
0A GATEWAY PATH UNAVAILABLE
0B GATEWAY TARGET DEVICE FAILED TO RESPOND
PROTOCOL ENCODING EXAMPLE
Header : transaction_id (2) protocol (2) length (2) and unit_id (1)
MODBUS Request: 00 01 00 00 00 06 01 03 00 00 00 01
Request PDU 03 00 00 00 01:
function code 03
reference (starting address) 0000
count 0001
Response: 00 01 00 00 00 05 01 03 02 12 34
Response PDU 03 02 12 34:
function code 03
byte count 02
data value 1234
PROTOCOL ENCODING EXAMPLE
When seen as a TCP data exchange, and assuming a unit identifier of 09, each of the above messages would be prepended with the 7-byte sequence consisting of:
transaction_id (2)
protocol (2)
length (2) and
unit_id (1)
resulting in:
Request: 00 00 00 00 00 06 09 03 00 00 00 01
Response: 00 00 00 00 00 05 09 03 02 12 34
MODBUS based ICS vulnerabilities and possible attacks
[Figure: phases of Deep Security Scanning]
[Figure: MODBUS-TCP frame structure and description]
ICS Deep Security Scanner: rule table, MBAP header and data fields
Columns per rule: Modbus packet field; Deep protocol compliance check rule (Phase I); White-list signature rule, independent identifiers; White-list signature rule, dependent identifiers; DCI based request-response packet data validation and flow based rule matching.
Rule 1: Server Port | Phase I: 502 | Independent: Server port 502/503 | DCI flow: Modbus traffic flow rate
Rule 2: Server IP Address | Phase I: Any | Independent: Server IP list | DCI flow: Slave response time
Rule 3: Server MAC Address | Phase I: Any | Independent: Server MAC list
Rule 4: Client Source Port | Phase I: Any | Independent: ----
Rule 5: Master/Client IP Address | Phase I: Any | Independent: Master IP list
Rule 6: Master/Client MAC | Phase I: Any | Independent: Master MAC list
Dependent identifier pairs for rules 1 to 6: Master IP - Master MAC pair; Server IP - Master IP pair; Server Port - Master IP pair
Rule 7: MBAP Header Transaction Identifier | Phase I: Any | Independent: ---- | Dependent: ---- | DCI: Response - request TID matching analysis
Rule 8: PID field | Phase I: Value 0 (zero) | Independent: ---- | Dependent: ---- | DCI: ----
Rule 9: Length | Phase I: Value 03 - 253 | Independent: ----
Rule 10: Unit Identifier | Phase I: Value 01 - 247 | Independent: Slave ID list | Dependent: Slave ID - Server pair | DCI: ----
Rule 11: Function Code | Phase I: For request: request function codes; for positive response: same as request function code; for exceptions: (request function code + 0x80) | Independent: white-listed function codes (requests list); white-listed function codes (responses and associated exceptions) | Dependent: Master IP - Server IP - Modbus function code - Register address combination | DCI: For positive response: response function code = request function code; for exceptions: (requested function code + 0x80)
Rule 12: Data Address | Phase I: Base address, count | Independent: Coil address list; Discrete Input list; Holding / Input registers list | Dependent: Master IP - Server IP - Function codes and associated address list | DCI: Request packet size should be 12 octets (total packet)
IEEE TENCON, 7-10 December 2021, Auckland, New Zealand
ICS Deep Security Scanner: rule table, request/response types
Columns per rule: Request/response type; Deep protocol compliance check on the data portion of the packet (Phase I); DPI based white-list signature rules, independent identifiers (Phase IIA); DPI based white-list signature rules, dependent identifiers (Phase IIB); DCI based request-response packet data validation and flow based rule matching (Phase III).
Rule 1: Read Coils (function code 1) and Read Discrete Inputs (function code 2)
Phase I: For requests: base address range 0 - 65535; quantity of coils/inputs 1 - 2000; base address + quantity - 1 <= 65535. For response: success response or exception response with exception code 01, 02, 03 or 04.
Phase IIA: Coils addresses list / Discrete inputs addresses list
Phase IIB: Master IP - Server IP - Function codes and associated coils / discrete inputs addresses combination
Phase III: Request packet size should be 12 octets (total packet). With quantity of coils/inputs = N, the positive response size is 9 + N/8 if N modulo 8 == 0, and 9 + N/8 + 1 if N modulo 8 != 0. Exception response size: 9 octets.
Rule 2: Read Holding Registers (function code 3) and Read Input Registers (function code 4)
Phase I: For requests: base address range 0 - 65535; quantity of registers 0 - 125; base address + count - 1 <= 65535. For response: success response or exception response with exception code 01, 02, 03 or 04.
Phase IIA: Holding registers addresses list / Input registers addresses list
Phase IIB: Master IP - Server IP - Function codes and associated holding / input registers addresses combination
Phase III: Request packet size should be 12 octets (total packet). With quantity of registers = N, the positive response size is 9 + 2N. Exception response size: 9 octets with exception code.
Rule 3: Write Single Coil (function code 5)
Phase I: For requests: base address range 0 - 65535. For response: success response (echo of the request) or exception response with exception
Phase IIA: Coils addresses list
Phase IIB: Master IP - Server IP - Function codes and associated coils addresses combination
Phase III: Request packet size should be 12 octets. Positive response size: echo of the request. Exception response size:
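As an added example (not the scanner's code from the paper or these slides), the following Python implements a subset of the Phase I header checks and the DCI request/response size rules from the two tables above, and runs them over the page's function code 3 exchange plus two constructed malformed frames; rule numbers in the messages refer to the first table, and only the read function codes 1 to 4 are modelled.

```python
import struct
from dataclasses import dataclass
from typing import List

# Valid ranges taken from the Deep Security Scanner rule tables on this page.
READ_FC_MAX_QTY = {1: 2000, 2: 2000, 3: 125, 4: 125}   # function code -> max quantity per request

@dataclass
class Frame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes          # PDU bytes after the function code

def parse_frame(adu: bytes) -> Frame:
    """Split a MODBUS/TCP ADU into the 7-byte MBAP header, function code and data."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", adu[:8])
    return Frame(tid, pid, length, uid, fc, adu[8:])

def check_request(adu: bytes) -> List[str]:
    """Phase I header checks plus data-portion checks for read requests (FC 1-4)."""
    v = []
    f = parse_frame(adu)
    if f.protocol_id != 0:
        v.append("rule 8: protocol identifier must be 0")
    if not 3 <= f.length <= 253:
        v.append("rule 9: length field outside 3..253")
    if f.length != len(adu) - 6:
        v.append("rule 9: length field does not match bytes on the wire")
    if not 1 <= f.unit_id <= 247:
        v.append("rule 10: unit identifier outside 1..247")
    if f.function_code == 0:
        v.append("rule 11: function code 0 is not valid")
    if f.function_code in READ_FC_MAX_QTY:
        if len(adu) != 12:               # base address (2) + quantity (2) after the header
            return v + ["rule 12: read request must be 12 octets in total"]
        base, qty = struct.unpack(">HH", f.data)
        if not 1 <= qty <= READ_FC_MAX_QTY[f.function_code]:
            v.append(f"quantity {qty} outside 1..{READ_FC_MAX_QTY[f.function_code]}")
        if base + qty - 1 > 65535:
            v.append("base address + quantity - 1 exceeds 65535")
    return v

def expected_positive_size(function_code: int, qty: int) -> int:
    """Total size of a positive read response per the DCI rules: 9 octets plus payload."""
    if function_code in (1, 2):
        return 9 + qty // 8 + (1 if qty % 8 else 0)   # coils/inputs are packed one bit each
    if function_code in (3, 4):
        return 9 + 2 * qty                             # two octets per register
    raise ValueError("only read function codes 1-4 are modelled")

def check_response(request: bytes, response: bytes) -> List[str]:
    """DCI request/response validation: TID and unit-id matching, function code echo
    or exception (request code + 0x80), and the response size the request implies."""
    v = []
    rq, rs = parse_frame(request), parse_frame(response)
    if rs.transaction_id != rq.transaction_id:
        v.append("rule 7: response TID does not match request TID")
    if rs.unit_id != rq.unit_id:
        v.append("rule 10: response unit identifier does not match request")
    if rs.protocol_id != 0:
        v.append("rule 8: protocol identifier must be 0")
    if rq.function_code not in READ_FC_MAX_QTY or len(rq.data) < 4:
        return v + ["only read requests (FC 1-4) are modelled"]
    qty = struct.unpack(">H", rq.data[2:4])[0]
    if rs.function_code == rq.function_code:
        want = expected_positive_size(rq.function_code, qty)
        if len(response) != want:
            v.append(f"positive response is {len(response)} octets, expected {want}")
        elif rs.data[0] != len(rs.data) - 1:
            v.append("byte count field disagrees with data length")
    elif rs.function_code == rq.function_code + 0x80:
        if len(response) != 9:
            v.append("exception response must be 9 octets")
        elif rs.data[0] not in (1, 2, 3, 4):
            v.append(f"unexpected exception code {rs.data[0]:#04x}")
    else:
        v.append("rule 11: response function code is neither an echo nor an exception")
    return v

# Constructed sample traffic: the page's FC 3 exchange (unit id 01), the same request
# with the protocol identifier overwritten to 0xFFFF, and an FC 1 request whose
# address range overflows the 0..65535 space.
GOOD_REQUEST = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 01")
GOOD_RESPONSE = bytes.fromhex("00 01 00 00 00 05 01 03 02 12 34")
BAD_PID_REQUEST = bytes.fromhex("00 01 FF FF 00 06 01 03 00 00 00 01")
OVERFLOW_COILS = bytes.fromhex("00 02 00 00 00 06 01 01 FF F0 00 20")

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad pid", BAD_PID_REQUEST), ("overflow", OVERFLOW_COILS)):
        print(f"{name}: {check_request(req) or 'compliant'}")
    print(f"response: {check_response(GOOD_REQUEST, GOOD_RESPONSE) or 'compliant'}")
```

A frame whose protocol identifier has been overwritten, as in the Ettercap filter shown later on this page, is caught by the rule 8 check before any data-portion rule is consulted.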
ICS Deep Security Scanner: Learning stage
• RTU – IP
• RTU – MAC
• RTU – PORT
• Master/MTU – IP
• Master/MTU – MAC
• Data Request Traffic
• Data Response Traffic
• Packet – length Min and Max
• Fun codes
• Addresses
Attacks on MODBUS Communication
Ettercap filters
• Request (function codes 3 and 4): data request should be for 1 to 125 parameters (11th and 12th byte)
• Request (function codes 1 and 2): data request should be for 1 to 2000 parameters (11th and 12th byte)
• Request (function code 5): control value is 0x0000 (OFF) or 0xFF00 (ON) (11th and 12th byte)
Attacks on MODBUS Communication (Invalid Protocol ID)
DATA.data+2 = 0xFF;
DATA.data+3 = 0xFF;
Attacks on MODBUS Communication (Invalid Protocol ID)
if (DATA.data+8 == 0x05) {
DATA.data+9 = 0x00;
DATA.data+10 = 0x0C; // changed to next coil
}
References
https://modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf
https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf
Mahendra, Lagineni, RK Senthil Kumar, Reddi Hareesh, B. S. Bindhumadhava, and Rajesh Kalluri. "Deep
Security Scanner for Industrial Control Systems." In TENCON 2021-2021 IEEE Region 10 Conference
(TENCON), pp. 447-452. IEEE, 2021.
Hareesh, Reddi, Rajesh Kalluri, Lagineni Mahendra, RK Senthil Kumar, and B. S. Bindhumadhava. "Passive
Security Monitoring for IEC-60870-5-104 based SCADA Systems." (2020).
Kalluri, Rajesh, Lagineni Mahendra, RK Senthil Kumar, and GL Ganga Prasad. "Simulation and impact analysis
of denial-of-service attacks on power SCADA." In 2016 national power systems conference (NPSC), pp. 1-5.
IEEE, 2016.
Kalluri, Rajesh, Lagineni Mahendra, R. K. Senthil Kumar, G. L. Ganga Prasad, and B. S. Bindhumadhava.
"Analysis of communication channel attacks on control systems—scada in power sector." In ISGW 2017:
Compendium of Technical Papers, pp. 115-131. Springer, Singapore, 2018.
Thank you