Common Flaws in Public and Private ICS Network Protocols

Virtual | October 21, 2020, 10:10 am - 10:50 am


Mars Cheng
Selmon Yang

Industrial Control Systems / Supervisory Control and Data Acquisition (ICS/SCADA) systems are the lifeblood of any critical infrastructure, and they play an important role in an operation's ability to communicate between ICS components, relay sensitive data, and manage critical sensors and equipment. Because of the specific and unique needs of the industrial control industry, ICS vendors must choose between using public network protocols and creating private proprietary protocols, depending on the needs of each programmable logic controller (PLC) vendor. Each protocol has its own risk profile that must be weighed against security concerns and operational requirements. In our research, we analyze 9 ICS protocols (5 public and 4 private) that are widely used in the critical infrastructure sectors of power, water, transportation, petroleum, and manufacturing. In each of these public and private ICS protocols, we found common flaws that allow attackers to easily sniff unencrypted traffic and perform ICS protocol-centered attacks. These attacks include T833 – Modify Control Logic, T836 – Modify Parameter, T843 – Program Download, T856 – Spoof Reporting Message – Modbus/TCP, and T855 – Unauthorized Command Message, which map to MITRE ATT&CK for ICS. They can be carried out without the intruder needing to acquire any authentication or authorization. We also provide 5 attack demos across 1 public and 3 private protocols to show how these common flaws cause major impacts on ICS, such as T832 – Manipulation of View and T831 – Manipulation of Control. Finally, we demonstrate how to defend against attacks on ICS network protocols.
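As an added defender-side example (not part of the talk or the authors' research), the following Python parses Modbus/TCP request frames and flags write function codes sent from hosts outside an allowlist, the kind of passive monitoring that catches a T855 Unauthorized Command Message on a protocol that carries no authentication of its own. The sample frames, addresses and the allowlist are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus/TCP function codes that change process state. The protocol has no
# authentication, so any host that can reach TCP/502 may issue them.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse an MBAP header (7 bytes) plus PDU; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:  # Modbus protocol identifier is always 0
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def check_request(src_ip: str, frame: bytes, allowed_writers: Set[str]) -> Optional[str]:
    """Return an alert for a write from a host outside the allowlist, else None."""
    req = parse_modbus_tcp(frame)
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name is None or src_ip in allowed_writers:
        return None
    detail = ""
    if req.function_code == 6 and len(req.data) >= 4:  # address + value
        addr, value = struct.unpack(">HH", req.data[:4])
        detail = f" register {addr} <- {value}"
    return f"unauthorized {name} (fc {req.function_code}) from {src_ip} to unit {req.unit_id}{detail}"

# Constructed sample traffic (not captured from a real network).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.0.0.5", bytes.fromhex("0001000000060103000A0002")),   # HMI reads 2 holding registers
    ("10.0.0.5", bytes.fromhex("00020000000601060010004B")),   # HMI writes register 16 = 75
    ("10.0.0.99", bytes.fromhex("00030000000601060010270F")),  # unknown host writes register 16 = 9999
]

def scan(traffic, allowed_writers=frozenset({"10.0.0.5"})) -> List[str]:
    """Run every (source, frame) pair through check_request and collect alerts."""
    return [a for src, frame in traffic if (a := check_request(src, frame, allowed_writers))]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```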