Getting started with ICS Security (Part 1 — Introduction)

Yash Singh Chauhan
6 min read · Nov 23, 2022

Picture of ICS generated by DALL-E AI

About ICS

Industrial control system (ICS) is a collective term used to describe the different types of control systems and their related instrumentation, which includes the devices, systems, networks and controls used to run and/or automate industrial processes.

Each ICS works differently depending on the industry and the tasks it is designed to handle. Some of the ICS technologies are —

Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), Industrial Automation and Control Systems (IACS), Programmable Logic Controllers (PLCs), Programmable Automation Controllers (PACs), Human-Machine Interfaces (HMI), Remote Terminal Units (RTUs), control servers, Intelligent Electronic Devices (IEDs) and sensors.

Types of Industrial Control Systems

Industrial control systems can be categorised into various types based on the functionality and complexity of the control action. Some of the most commonly used control systems are —

  • Programmable Logic Controllers (PLCs) — A solid-state control system with a user-programmable memory for storing instructions that implement particular functions such as I/O control, logic, timing, counting, three-mode (PID) control, communication, arithmetic, and data and file processing.
  • Distributed Control System (DCS) — An industrial control system deployed in a distributed manner, so that the various processes are controlled individually.
  • Supervisory Control and Data Acquisition (SCADA) — A computerized system capable of gathering and processing data and applying controls to operations from a remote location. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave and satellite, which are usually shared rather than dedicated.
  • Remote Terminal Units (RTUs) — A remote terminal unit (RTU) is a microprocessor-based electronic device used in Industrial Control Systems (ICS) to connect different hardware to Distributed Control Systems (DCS) or SCADA. RTUs are also known as remote telemetry units or remote telecontrol units. RTUs pass sensor data from input streams in the control loop to an output stream that is transmitted to the centralized ICS command. RTUs negotiate links to local or remote controls.
  • Industrial Automation and Control Systems (IACS) — Industrial automation control system solutions involve secure infrastructure to allow information transfer and communication, as well as smart devices for information collection. Sensors on machines and machinery usually achieve this. Industrial automation control systems also involve hardware, software and communication alternatives to transform raw sensor data into usable information.
  • Programmable Automation Controllers (PACs) — A term loosely used to describe any automation controller that comprises higher-level instructions. These systems are used for equipment in a broad spectrum of sectors, including those engaged in critical infrastructure, within industrial control systems (ICS).
  • Intelligent Electronic Devices (IEDs) — An intelligent electronic device is an electronic component (such as a regulator or circuit controller) that has a microprocessor and can communicate, typically digitally, using Fieldbus, real-time Ethernet or other industrial protocols.

Different communication protocols used in Industrial Control Systems

As ICS is completely different from traditional IT systems, it uses a different suite of protocols altogether, since traditional IT protocols cannot be used as-is in ICS environments. The systems and instruments in an ICS use different protocols for real-time communication and data transfer. These protocols also support TCP/IP over Ethernet networks.

Some of the widely used protocols in a typical ICS system are: RS-232 and RS-485, Modbus, DNP3, HART, TASE 2.0 and ICCP, CIP, PROFIBUS and PROFINET, FOUNDATION Fieldbus, BACnet and many more.

  • RS-232 and RS-485: Among all the serial interfaces on the market, RS-232 and RS-485 are the oldest and are still widely used. RS-232 is primarily used for low-speed, short-distance requirements. Due to its low cost, simple design and room for multiple receivers, a variety of connectors are available for its interface. RS-232 supports full-duplex transmission and allows only one transmitter and one receiver to communicate at a time. The maximum data rate supported by RS-232 is 20 Kbit/s. RS-485 was designed primarily for high speed over long distances or for duplex network connectivity requirements. Unlike RS-232, RS-485 allows 32 devices to communicate at a time.

Prior to the development of Ethernet, security wasn’t a large concern for RS-232 and RS-485 systems. Even now, they are rarely connected to the internet, which provides a buffer from attack. RS-485 systems running Modbus TCP/IP are connected more often, but the added risk is minimal.

  • Modbus: Modbus is the oldest and most widely deployed serial communication protocol. It is open-source and freely distributed, and anyone can build it into their equipment.

Modbus communicates raw messages without authentication or any overhead, which makes it vulnerable to MitM attacks. Modbus is a request-response protocol and operates at the application layer of the OSI model.
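As an added illustration (not code from the original post), the following Python parses the Modbus/TCP framing just described and applies a simple defender-side check: the MBAP header carries only a transaction id, protocol id, length and unit id, and the PDU opens with the function code, so nothing in the frame identifies or authenticates the sender. The sample frames, IP addresses and allow-list are constructed values for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change state on the device (coil/register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusTcpFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusTcpFrame:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Note what is absent: no credential, signature or nonce field exists,
    so any host that can reach TCP/502 can issue any request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid} (Modbus uses 0)")
    # The MBAP length field counts the unit id and every PDU byte after it.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != payload {len(frame) - 6}")
    return ModbusTcpFrame(tid, pid, length, uid, frame[7], frame[8:])


def is_well_formed(frame: bytes) -> bool:
    """True if the frame parses, False on any framing error."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def flag_unexpected_write(src_ip: str, frame: bytes, allowed_masters: set) -> Optional[str]:
    """Detection rule: since the protocol cannot authenticate the sender, the
    network layer must. Alert on any write request from a host that is not an
    authorised master (allow-list is a constructed example)."""
    f = parse_modbus_tcp(frame)
    if f.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_masters:
        return f"ALERT: write fc={f.function_code} to unit {f.unit_id} from unauthorised {src_ip}"
    return None


# Constructed samples: Write Single Coil (fc 5) at 0x0013 = ON, and Read Holding Registers (fc 3).
WRITE_COIL_FRAME = bytes.fromhex("000100000006" "01" "05" "0013" "ff00")
READ_HOLDING_FRAME = bytes.fromhex("000200000006" "01" "03" "0000" "000a")
```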

  • DNP3: DNP3 stands for Distributed Network Protocol. It was developed in 1993 and is widely used in the USA and Canada. It operates at the application, data link and transport layers; thus, it is a three-layer protocol.

The DNP3 design focused more on maximizing system availability and less on confidentiality and integrity. DNP3 has another variant, Secure DNP3, which adds secure authentication and other security features at the application level and is always recommended instead of plain DNP3.

  • HART: HART stands for Highway Addressable Remote Transducer. HART is an open-source and hybrid (analog + digital) ICS protocol. It is mostly used in automation. HART operates in two modes:
    - Point-to-point mode: Single master and a single slave
    - Multi-drop mode: Multiple masters and multiple slaves

The benefits of using HART include reduced cost, simplified design, simple implementation and flexible operation. However, HART is vulnerable to spoofing attacks and XML injection attacks, and lacks authentication.

  • ICCP/TASE 2.0: ICCP is the Inter-Control Center Protocol and is also known as TASE 2.0. ICCP is designed for bi-directional WAN communication between two or more control centers, power plants, substations and other utilities within an ICS. ICCP is vulnerable to session hijacking and spoofing, and suffers from encryption weaknesses and a lack of authentication.
  • FOUNDATION Fieldbus: FOUNDATION Fieldbus was designed to replace analog connections in the refining, petrochemical and nuclear industries.
  • CIP: CIP stands for Common Industrial Protocol and is designed for automating industrial applications. CIP encompasses a set of messages and services for security, control and synchronization. CIP is widely used in industry, since it can be easily integrated into other networks.

CIP has been designed specifically for intercommunication and integration with other networks. CIP is vulnerable to remote attacks.

  • BACnet: The BAC in BACnet stands for Building Automation and Control. As the name suggests, it is used for communication between building automation and control systems and finds its application in ventilation, heating, access control, lighting, air-conditioning and fire detection systems. BACnet systems not connected to the WAN have limited vulnerabilities, such as human error and physical break-ins. BACnet systems connected to the WAN are vulnerable to remote attacks and data breaches.
  • PROFIBUS and PROFINET: PROFIBUS and PROFINET were created and designed by the same organization. PROFIBUS is a serial protocol, while PROFINET is an Ethernet-based protocol. PROFINET is an advanced version of PROFIBUS: because it runs over Ethernet, it provides more speed, more bandwidth and a larger message size than PROFIBUS. PROFIBUS lacks authentication and allows spoofed nodes to impersonate master nodes.

This pretty much concludes the overview of ICS, its various types and the protocols used. Now that we have a basic understanding of ICS, we can move towards setting up a vulnerable ICS virtual lab and exploiting it.

In the next part of this blog series we will start setting up the virtual lab. The lab setup includes —

  1. Windows 10 workstation VM
  2. Kali Linux Attacking VM
  3. Debian VM running SCADA LTS
  4. pfSense Firewall VM

Written by Yash Singh Chauhan

I am an IT Security Researcher with a well-rounded skill set. I find vulnerabilities in software and hardware to create better security awareness.