Академический Документы
Профессиональный Документы
Культура Документы
Eric J. Byres
Group for Advanced Information Technology, British Columbia Institute of Technology
eric_byres@bcit.ca
Identify MODBUS
Device
Following the construction of the attack trees the 6.1. Underlying security issues
study team commenced to test out the feasibility of the
various attacks in a lab setting. The first (and perhaps Five security issues underlie each the path of least
most unfortunate) observation was that the trees resistance in achieving each of the attack goals:
significantly improved other lab members’ ability to • Lack of Confidentiality: All MODBUS
find new exploits in a SCADA system. For example, messages are transmitted in clear text across
one researcher was able to create an original and very the transmission media.
successful DoS attack against a brand of PLC with a • Lack of Integrity: There are no integrity
virus-sized piece of software. Another was able to checks built into the MODBUS application
exploit paths in the “Compromise Master” tree that protocol, and as a result it depends on lower-
were later independently confirmed to exist in the field layer protocols to preserve integrity.
by a major energy company. • Lack of Authentication: There is no
authentication at any level of the MODBUS
On the other hand, the trees were also useful for protocol, with the possible exception of some
selecting the most appropriate mitigation for cutting undocumented programming commands.
off an avenue of attack. For example, the importance • Simplistic Framing: MODBUS/TCP frames
of identifying and securing network access that existed are sent over established TCP connections.
in addition to the usual connection to the corporate While such connections are usually reliable,
network became very apparent to SCADA operators they have a significant drawback for the
MODBUS application: TCP does not preserve 6.2. Implementing near term best practices
record boundaries.
• Lack of Session Structure: Like many Based on our analysis of SCADA threats and
request/response protocols (i.e. SNMP, HTTP, vulnerabilities, we recommend the following steps to
etc.) MODBUS/TCP consists of short-lived reduce risk of intrusion to SCADA systems:
transactions where the master initiates a • All external SCADA connections leaving the
request to the slave that results in a single physical protection of the plant site (including
action. When combined with the lack of serial links) should be considered as insecure
authentication and poor TCP initial sequence and connections should be encrypted wherever
number (ISN) generation in many embedded possible.
devices, it becomes possible for attackers to • All gateway devices that communicate with
inject commands with no knowledge of the devices outside the immediate physical
existing session. protection of the plant site should be
The first three issues are fairly obvious and have considered “bastion-hosts” and susceptible to
been noted in other unpublished SCADA research. direct attack. As such they should be hardened
The later two were initially less obvious, but were and isolated from other SCADA devices on the
show in the lab tests to have devastating effects on a PCN.
SCADA system. Combined, these shortcomings mean • All connections to trusted 3rd parties should be
that there is limited security inherent in the SCADA considered as insecure. Protection through
system once its outside defences are breached. All firewalls or VPNs should be deployed.
successful attacks are dependent on the ability of the • Intrusion Detection should be deployed on the
attacker to gain network access. Once inside the SCADA system, either through commercial
attacks become relatively trivial. IDS products, transaction logging or traffic
monitoring.