Abstract— Industrial control systems (ICS) are highly distributed information systems used to control and monitor critical infrastructures such as nuclear plants, power generation and distribution plants, oil and gas, and many other facilities. The main architecture principles of ICS are real-time response, high availability and reliability. For these specific purposes, several protocols have been designed to ensure the control and supervision operations. Modbus and DNP3 are the most used protocols in the ICS world due to their compliance with real-time needs. With the increasing connectivity to the Internet for business reasons, ICS adopted Internet-based technologies and most communication protocols were redesigned to work over IP. This openness exposed the ICS components, as well as the communication protocols, to cyber-attacks with a higher risk than attacks on traditional IT systems. In order to facilitate the risk assessment of cyber-attacks on ICS protocols, we propose a taxonomy model of the different identified attacks on Modbus and DNP3. The model is based on the threat origin, threat type, attack type, attack scenario, vulnerability type and the impact of the attack. We populate this taxonomy model with identified attacks on Modbus and DNP3 from previous academic and industrial works.

Keywords—ICS, Modbus, DNP3, Attack Taxonomy

I. INTRODUCTION

Industrial control systems is a broad term used to describe several types of systems such as DCS (Distributed Control Systems), SCADA (Supervisory Control and Data Acquisition), IAS (Industrial Automation Systems), IACS (Industrial Automation and Control Systems) or even PLC (Programmable Logic Controller). ICS are typically used in industries such as power plants, water and wastewater facilities, oil and gas refineries and distribution, nuclear plants, etc. These control systems are critical to the operation of critical infrastructures, which are often highly interconnected and mutually dependent systems. It is important to note that approximately 90 percent of the critical infrastructures operate many of the industrial processes mentioned above [13]. SCADA systems are a set of software and hardware generally used in the control and monitoring of geographically dispersed assets and processes (e.g. gas distribution), where the centralization of data acquisition and control is critical to system operation, whereas a DCS is generally focused on the automatic control of a process, usually within a closed area (e.g. gas refineries).

Understanding how ICS work requires a basic understanding of the underlying communication protocols and their semantics. In the industrial automation and control sector, many specialized protocols are used today for different purposes: control commands, monitoring and real-time data exchange. These protocols are designed to ensure efficiency, reliability and precision in real-time operation. Therefore, any other, inefficient functions are taken off the protocol. Unfortunately, this usually includes security functions and features such as authentication and encryption, which exposes the protocol users to security threats. Another source of vulnerabilities is the convergence of the protocols to run over IP networks to meet the evolving needs of the business. The most used protocols in ICS are DNP3 and Modbus. DNP3 is widely used in the energy sector, where the control system monitors and controls geographically dispersed outstations. The Modbus protocol is used for inter-controller communication or between controllers and field devices where real-time operations are required.

Both protocols are specified to be easy to use but without any security awareness. This lack of security in DNP3 and Modbus motivated us to conduct an investigation of the different attacks on both protocols and to build a generic taxonomy model for attacks on communication protocols in general and industrial control protocols in particular, in order to simplify the risk analysis. Our study takes into account only attacks on IP-based protocols, since all the field protocols are converging to be integrated into the IP stack.

This paper is structured as follows: in Section II, we start with an overview of industrial control protocols in a typical control system architecture with a deep focus on Modbus and DNP3. In Section III, we propose the attack taxonomy model and present several attacks on Modbus TCP and DNP3 identified in academic and industrial works. In Section IV, we populate the taxonomy model with the identified attacks. We conclude by discussing our perspectives and future work.

II. OVERVIEW ON INDUSTRIAL CONTROL PROTOCOLS

In ICS architectures, communication protocols are used in the different architecture layers (corporate network, operation network (control room) and control network) while respecting the operational constraints of each network. Corporate network protocols are similar to the ones used in IT systems, whereas in operation and control networks, customized and proprietary protocols are used to guarantee the required performance, reliability and precision in control and supervision operations. Figure 1 illustrates the protocols most used in the ICS layers. The critical part in an automation system architecture is the communication between the control room and the control network devices, as well as the inter-communication between control devices (PLCs, RTUs). The most used protocols for those communications are DNP3 and Modbus, which we detail in the following subsections.

A. Modbus Protocol

Modbus is an application layer protocol commonly used in control systems. It was published initially by Modicon in 1979, and the protocol standards are now managed by the
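The point above, that Modbus/TCP carries no authentication or integrity field, is easiest to see in the frame layout itself. The following parser is an added example (not code from the paper): it decodes the 7-byte MBAP header and PDU, and, as a defender-side compensation, flags state-changing function codes that do not originate from a known master. The sample frames and the master allow-list are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (write coils/registers).
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int   # MBAP: 2 bytes, matches request to response
    protocol_id: int      # MBAP: 2 bytes, always 0 for Modbus
    length: int           # MBAP: 2 bytes, number of bytes that follow it
    unit_id: int          # MBAP: 1 byte, addressed slave/unit
    function_code: int    # PDU: 1 byte
    data: bytes           # PDU: function-specific payload


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP frame. Every field is plain, unauthenticated
    data: there is no credential, MAC or sequence protection anywhere."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusFrame(tid, pid, length, uid, frame[7], frame[8:])


def decode_write_single_register(f: ModbusFrame) -> tuple:
    """FC 6 payload: 2-byte register address followed by 2-byte value."""
    if f.function_code != 6 or len(f.data) != 4:
        raise ValueError("not a Write Single Register request")
    return struct.unpack(">HH", f.data)


def classify(frame: bytes, src_ip: str, allowed_masters: set) -> str:
    """Monitoring rule that compensates for the missing authentication:
    any write function code from a host outside the allow-list is an alert."""
    f = parse_modbus_tcp(frame)
    if f.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_masters:
        return "ALERT: write FC %d to unit %d from unknown master %s" % (
            f.function_code, f.unit_id, src_ip)
    return "ok"


# Constructed sample: FC 6 Write Single Register, unit 1, register 0x0010 := 0x1234.
SAMPLE_WRITE = bytes.fromhex("0001" "0000" "0006" "01" "06" "0010" "1234")
# Constructed sample: FC 3 Read Holding Registers, unit 1, start 0, quantity 10.
SAMPLE_READ = bytes.fromhex("0002" "0000" "0006" "01" "03" "0000" "000a")
```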
Table fragment (rows D6 to D8 of the populated taxonomy; the column headers fall outside this excerpt, cells are separated by "|"):

D6 | Attacker, Criminal group, Insiders, Spammer author | Data tampering, Elevation of privileges, Spoofing | Authenticate bypass, Spoof, Execute, Modify, Delete | Lack of integrity, Lack of availability | Server | 9.2
D7 | Attacker, Criminal group, Insiders, Spammer author | Data tampering, Elevation of privileges, Spoofing | Execute, Modify | Lack of integrity, Lack of availability | Server | 9.2
D8 | Attacker, Criminal group, Botnet operator, Insiders, Spammer authors | Spoofing, Data tampering, Data disclosure, Elevation of privileges | Probe, Scan, Flood, Authenticate bypass, Spoof, Eavesdrop, Misdirect, Read/Copy, Terminate, Execute, Modify, Delete | Lack of integrity, Lack of confidentiality, Lack of availability | Client, server, communication link | 10
[1] Nicolas Falliere, Liam O Murchu, and Eric Chien, W32.Stuxnet Dossier, Symantec Security Response, Version 1.4, February 2011.
[2] Simon Hansman, Ray Hunt, A taxonomy of network and computer attacks, Computers & Security, DTD5, 2004.
[3] John D. Howard, An Analysis Of Security Incidents On The Internet 1989-1995, dissertation, Carnegie Mellon University, April 1997.
[4] Kevin S. Killourhy, Roy A. Maxion and Kymie M. C. Tan, A Defense-Centric Taxonomy Based on Attack Manifestations, Proceedings of the International Conference on Dependable Systems & Networks, Florence, Italy, 28 June - 01 July 2004.
[5] Daniel Lough, A Taxonomy of Computer Attacks with Applications to Wireless Networks, Ph.D. Thesis, Virginia Polytechnic Institute and State University, 2001.
[6] Mo Chun Man and Victor K. Wei, A taxonomy for attacks on mobile agent, EUROCON'2001, Trends in Communications, International Conference on, Volume 2, 4-7 July 2001, pp. 385-388.