Industrial protocols: Security tools

Posted on 11/17/2016
Protocolos industriales: Herramientas de seguridad

Protection of communications: key for the security of all protocols

In industrial control systems, communications play a key role in an environment where millions of packages are exchanged daily, including often critical information on the status of processes and devices. This is why preserving the integrity of information in transit and ensuring it reaches its destination unhindered is of the utmost importance.

Certain tools are useful to verify that communications and implementation of protocols was correctly developed. Some of these tools offer simulation environments where all kinds of tests may be conducted, without interfering with real environments, allowing to draw valuable conclusions which are then applicable to enhance same.

There is a great variety of communication standards and protocols in industrial environments, but there is also a wide range of simulation applications compatible with the said protocols, which are valid to conduct tests.

Among the tools that may be used to verify security of communications in control systems, those dealing with master/slave architecture and traffic analysis simulations are especially useful.

Simulation of master/slave environments

Most industrial communications are based on master/slave architectures. Field devices are usually slave, for this reason several tools may be used to simulate that topology with different protocols, such as MatrikonOPC Explorer for OPC or Mod_RSsim for serial or Ethernet Modbus communications.

MatrikonOPC Explorer is a tool for simulation of a slave device with all typical OPC protocol functionalities. It also provides advanced functions, including the possibility to conduct OPC server load testing, which help finding the most appropriate configuration.

Mod_RSsim includes, for its part, certain functionalities that allow modifying the values of variables in Modbus communications between a RTU and a SCADA/HMI, to add noise to transmissions, etc.

On the other hand, there are certain tools which are defined to work as masters exclusively. For many protocols, these tools are directly the final applications, such as MatrikonOPC Simulation Server or KEPServerEX for OPC; however, there are also other software tools which are only designed for simulation, such as Profibus-DP master simulator for the Profibus-DP protocol or Profinet Master Simulator Plus for Profinet.

Where the purpose is to simulate environments from zero, implementing a master-slave communication, a software providing with both source and destination ends is necessary. Certain tools fulfil this need, such as Modbus tools (comprising the master “Modbus poll” and the slave “Modbus slave), Simply Modbus for serial or Ethernet Modbus; and Opendnp3 for DNP3. They allow to conduct all tests with the same group of tools, which makes the results obtained easier to understand.

Tools for the analysis of traffic

Simulation of specific protocol schemes allows to identify weaknesses when implementing same within the devices and facilitates to spot bugs in the protocol stack, in processing certain messages, etc.

Once the required protocol communication environment has been simulated, or alternatively, traffic captures from real devices have been accessed, the next step is to analyse the information. The value of this analysis lies not so much in knowing the protocol itself and its weaknesses as in looking at the global behaviour in a complete environment and analyse the possibility of integrating them into security mechanisms such as firewalls, IDS, etc.

For these tasks, there are certain tools available, such as MatrikonOPC Analyzer for OPC, which may collect information from important files such as DCOM adjustments, the DEP configuration, the version of the operating system, information on the register of events and network adjustments to check problematic areas, etc; all this information is especially valuable for analysis.

Another tool, also valid to analyse OPC traffic, is MatrikonOPC Sniffer. In this case, its function is to register the activity between client and server to isolate interoperability problems, helping to troubleshoot any problems.

A possibility to analyse other protocols is Aegis, another specialised tool that allows to analyse more than one protocol, in this case DNP3 and Modbus.

Finally, for more general goals, there are tools such as Achilles or the popular Wireshark, which allow to capture information in transit and to analyse communications, focusing on a wide range of protocols, and are really useful for verification of communication security measures.

Use of Wireshark for analysis of the ZigBee protocol

-Use of Wireshark for analysis of the ZigBee protocol-

Discovery and gathering of information

In addition to traffic analysis, it is interesting to analyse the identification of devices and the information that can be obtained through network scanners.

In this sense, there are some tools available such as PLCscan and modscan, which are specific to identify PLC devices or analyse topology in ModBus TCP networks, respectively.

However, using generic discovery tools within industrial environments, such as nmap, is not advisable. Any tool that has not been specifically designed for an industrial environment must be carefully assessed, and be used under direct supervision at all times, since its mode of operation could generate improper behaviours in existing devices (stop in production, malfunctioning of devices, etc.). It is therefore necessary to proceed with caution and review the potential impact on the system, and keep the responsible person and environment operators informed.

Tools for the protection of systems

Regarding the security of devices and systems, there are certain tools available which offer substantial assistance in increasing the level of protection of them.

For Linux platforms, the iptables module modbusfw allows to filter traffic at application layer level to protect systems using the Modbus/TCP protocol against potential networks attacks.

There are also other tools working more actively, such as IDS/IPS (Snort or Suricata) for supervision of protocols such as Modbus/TCP, DNP3, EthernetIP, etc., which allow to recognise the use of prohibited functions or the submission of data packets from uncontrolled IP addresses detecting, for instance, potential DoS attacks.

For wireless communication networks, such as ZigBee, KillerBee is one of the best options. This is a group of tools designed to conduct security tests, such as traffic decoding, frame reinjection or identification of devices.

Other security tools

If the goal is to carry out a comprehensive security audit and assess the potential impact of an attack, there are generic solutions which focus on penetration tests, such as metasploit (an open-source framework to conduct security assessments, trying to test and exploit vulnerabilities) or scapym, the module written in Python language which provide utilities and libraries for the handling of network packets.

Results after searching "SCADA" in the metasploit modules

-Results after searching "SCADA" in the metasploit modules-

Even if the use of this kind of tools is not usual in these environments, their use to conduct comprehensive audits may offer important details to assess and improve the security of a system. Naturally, given the sensitivity of industrial environments, special attention must be paid to assessing the impact and convenience of their use.