white paper on industrial automation security in fieldbus and

More documents

Recommendations

Info

28Table 4. An overview of a few industrial Ethernet protocols and their properties.Modbus TCPPROFINET IO EtherCAT EtherNet/IPModbus UDPCommunicationschemeMaster-SlaveMaster-Slave (multipleMaster possible)Master-SlaveMaster-Slave(multipleMasterpossible) orPeer-to-PeerAuthentication ofdevices?NoauthenticationInitialization, vendorID and device IDOptional, e.g. vendorID, product code,revision number, serialnumberOptional, e.g.vendor IDSpoofing of datapackets possible?YesYes. If an existingdevice cannot becompromised,specialized hardware isneededYes. If an existingdevice cannot becompromised,specialized hardwareis neededYesRemarksSometimesimplemented inhardware, especially inthe class IsochronousReal-TimeHardwareimplementation inslaves3.4.7.1 Modbus TCP and UDPModbus TCP is a mapping of the Modbusapplication layer protocol onto the TCP/IPtransport layer protocol. Another variant isModbus UDP which maps the same applicationlayer protocol onto the UDP protocol. Thesemappings permit the use of Modbus on theEthernet medium.In Modbus TCP/UDP, the IP addresses are usedto identify devices. A Modbus TCP/UDP devicemay include functionality for both slave andmaster modes. The message framescommunicated in this network do not separatelyidentify a device as a master, which is analogousto the master not having its own address in theModbus RTU protocol. Devices cannotauthenticate a device as a “legitimate” master.The difference between using TCP and UDP liesmainly in the consideration that Modbus on TCPensures that messages are reliably delivered, inorder, while potentially reducing the timelinessof delivery. Using UDP, there is no guaranteethat messages are delivered in the correct order(or delivered at all), but the logic of missingrequests/responses and retry is moved to theModbus application layer. Thus, timingconsiderations are different from the TCP casein which retransmissions are handled by thetransport layer. Data such as setpoint and/oractual values are relevant only for a short spanof time after “sampling”, thus there is little sensein trying to retransmit these packets numerous
29times just because TCP says so. When usingUDP, retransmission of old data can be avoidedin case one cycle of data is missed; the nextcycle with up-to-date data is sent instead.The bridging between Modbus TCP or ModbusUDP into the serial line variants, e.g. ModbusRTU, has become more common as IndustrialEthernet also increases in popularity.3.4.7.2 PROFINET IOPROFINET IO is an Ethernet-based protocoldesigned for real-time communication. Theexperience gained from the PROFIBUS fieldbuswas integrated with the Industrial Ethernettechnology to create PROFINET. The masterdevice in a PROFINET IO system is called the“Controller”, while slaves are referred to as“Devices”. Cyclic data exchange in PROFINETIO takes place directly in the Ethernet layer 2,not involving any transport protocols such asUDP or TCP; the messages are addressed usingthe MAC addresses of the PROFINET IOdevices. Acyclic data is exchanged using theUDP protocol.The cyclic data exchange connections aremonitored using a watchdog time, which isconfigured as a multiple of the update (cycle)time of the network. As an example, if theupdate time is 8 milliseconds and the watchdogtime multiplier is 3, then the watchdog time willbe 24 milliseconds. If the communication is idlefor longer than this period of time, the devicemonitoring the watchdog will detect this eventand execute some reaction; however this isdevice- or user-specific.Because the PROFINET IO real-time dataexchange frames are communicated in theEthernet layer 2, these frames contain only MACaddresses. This means that the real-time framescannot be communicated outside a subnet whichis delimited by a router, because routers formsubnets based on IP addresses as defined in layer3.A hardware implementation is required for themost deterministic class of PROFINET IOdevices, known as IRT (Isochronous Real Time).This is commonly an ASIC with integratedswitch and other functionality needed for thePROFINET IO IRT protocol.A PROFINET IO Controller always needs toconnect to a PROFINET IO Device using anexplicit “Connect” message. After this theController downloads startup parameters to thedevice, following a handshake verifying that thestartup is successful and complete. An intruderwishing to establish a connection to a device, i.e.to act as a second master, has to know how thedevice is structured and how to initialize itproperly at startup. Based on vendor ID anddevice ID it may be possible to find the GSDMLdescription file for the device, however if thedevice is modular then knowing the trueconfiguration likely requires physical access ordocumentation about the system.The PROFINET IO protocol furthermorerequires the same I&M functionality asdescribed for PROFIBUS DP earlier.PROFINET IO devices thus expose the sameinformation to anyone who can access it.At startup the PROFINET IO controller providesthe vendor ID and product ID that is configuredfor the targeted IO device. The device checks themaster’s expected information against its owndata and aborts the connection request if amismatch occurs.Two potential methods of attacking thecommunication in a PROFINET IO system aredescribed in [7]. The authors propose that it maybe possible to modify the outputs of aPROFINET IO Device without being detectedby either the Device or the Controller.
Page 1 and 2: 1WHITE PAPER ON INDUSTRIAL AUTOMATI
Page 3 and 4: 3Table of Contents1 Introduction an
Page 5: 55.1.3 Bluetooth...................
Page 8 and 9: 8professional attackers are able to
Page 10 and 11: 10Table 1. A list of published IEC
Page 12 and 13: 12Information needs to be available
Page 14 and 15: 14Depending on the communication li
Page 16 and 17: 16observed with the purpose of reve
Page 18 and 19: 18Table 2. An overview of a few fie
Page 20 and 21: 20When the bus system starts, maste
Page 22 and 23: 22As with e.g. Modbus RTU, an intru
Page 24 and 25: 24malicious activity. The Physical
Page 26 and 27: 26filtering is another barrier for
Page 30 and 31: 303.4.7.3 EtherCATEtherCAT is a rea
Page 32 and 33: 32devices should be assessed, prefe
Page 34 and 35: 344.4 Embedded devices withgeneral-
Page 36 and 37: 36not intended for the end-user sha
Page 38 and 39: 385 Security in wirelesscommunicati
Page 40 and 41: 40possibilities for a device sniffi
Page 42 and 43: 427 References[1] F-Secure Corporat

white paper on industrial automation security in fieldbus and

Create successful ePaper yourself

Delete template?

Save as template?