4 research outputs found

    MOSTO: A toolkit to facilitate security auditing of ICS devices using Modbus/TCP

    The integration of the Internet into industrial plants has connected Industrial Control Systems (ICS) worldwide, resulting in an increase in the number of attack surfaces and the exposure of software and devices not originally intended for networking. In addition, the heterogeneity and technical obsolescence of ICS architectures, legacy hardware, and outdated software pose significant challenges. Since these systems control essential infrastructure such as power grids, water treatment plants, and transportation networks, security is of the utmost importance. Unfortunately, current methods for evaluating the security of ICS are often ad hoc and difficult to formalize into a systematic evaluation methodology with predictable results. In this paper, we propose a practical method supported by a concrete toolkit for performing penetration testing in an industrial setting. The primary focus is on the Modbus/TCP protocol as the field control protocol. Our approach relies on a toolkit, named MOSTO, which is licensed under the GNU GPL and enables auditors to assess the security of existing industrial control settings without interfering with ICS workflows. Furthermore, we present a model-driven framework that combines formal methods, testing techniques, and simulation to (formally) test security properties in ICS networks.

    Vulnerability analysis and hardening of the Modbus/TCP protocol

    Modbus/TCP is a standardized communications protocol for industrial control networks, used mainly in programmable logic controllers and by supervisory control and data acquisition (SCADA) systems and equipment. Initially, these systems were located on isolated networks, so data security was neither a priority nor a determining factor. However, the rapid evolution of industry and technology, with the emergence of the Internet, has led these systems to use the Modbus protocol on open networks. This new exposure of the information in SCADA systems has created a previously non-existent need to secure the data. With the aim of introducing a tool that allows the hardening of the protocol to begin, this work has developed a simulation environment for the Modbus/TCP protocol that makes it possible to analyse security solutions for this type of network without needing access to a real environment. To validate the simulator, a real environment with a SCADA network using the Modbus/TCP protocol was available. Network traffic samples were collected from this network and analysed in detail. After evaluating the work carried out, a simulated scenario that reproduces a scenario equivalent to the one analysed was successfully obtained. In addition, different attacks on the Modbus/TCP protocol could be reproduced in the simulator, which provides an environment in which different security solutions can be tested. This work serves as a starting point for new developments aimed at securing the already standardized Modbus/TCP protocol, accelerating the integration of new technologies into SCADA networks, and facilitating the study, understanding and resolution of vulnerable points in similar systems.

    Cybersecurity of Industrial Cyber-Physical Systems: A Review

    Industrial cyber-physical systems (ICPSs) manage critical infrastructures by controlling the processes based on the "physics" data gathered by edge sensor networks. Recent innovations in ubiquitous computing and communication technologies have prompted the rapid integration of highly interconnected systems into ICPSs. Hence, the "security by obscurity" principle provided by air-gapping is no longer followed. As the interconnectivity in ICPSs increases, so does the attack surface. Industrial vulnerability assessment reports have shown that a variety of new vulnerabilities have occurred due to this transition, while the most common ones are related to weak boundary protection. Although there are existing surveys in this context, very little is mentioned regarding these reports. This paper bridges this gap by defining and reviewing ICPSs from a cybersecurity perspective. In particular, a multi-dimensional adaptive attack taxonomy is presented and utilized for evaluating real-life ICPS cyber incidents. We also identify the general shortcomings and highlight the points that cause a gap in the existing literature while defining future research directions. (Comment: 32 pages, 10 figures.)

    SECURITY ANALYSIS OF INDUSTRIAL IoT SYSTEMS

    This master's thesis addresses the security aspects of modern industrial systems intended for production automation, found predominantly in manufacturing companies. The introductory chapter highlights the technological changes that have led in recent years to an increase in security risk in such systems. Although these changes appear very different from one another at first glance, they share a single common denominator: the technologies originate in business environments and have been adapted for use in systems that require real-time operation and in which reliability is of key importance. The use of these technologies, whether operating systems, communication protocols or applications, naturally requires appropriate mechanisms for reducing risk. The introductory chapter is followed by a more detailed presentation of industrial systems themselves, their building blocks and topologies. Since industrial controllers are the most important building blocks of such systems today, they receive particular attention. Their architecture, the functionality of their individual elements and the way they are programmed are presented. Safety systems, which are not found in IT environments, are specifically highlighted in this context. Given that most of today's industrial systems are distributed, and that the security of the systems themselves therefore depends heavily on the security mechanisms offered by communication protocols, this chapter also presents the protocols used today for data exchange. The development of the Internet, mobile technologies and sensors has enabled increasingly frequent data exchange between the most diverse devices. The Internet of Things that has emerged in this way is described in the third chapter, which presents the key technologies required for the successful capture, transfer and processing of large amounts of data, along with examples of its use in various areas of the economy and everyday life. This chapter also describes the new business models that the Internet of Things makes possible.

    Most forecasts regarding the economic effects of introducing the Internet of Things agree on the assumption that it will have the greatest impact on the economy in the broadest sense of the word. The Industrial Internet that will emerge in this way will enable increased efficiency in production and resource management. Industry 4.0, cyber-physical systems and smart factories, in which products themselves will participate in the production process, are described in more detail in the fourth chapter together with the reference models of the Industrial Internet. The chapters that follow are devoted entirely to the security of industrial Internet systems. They first describe the security services and mechanisms used to ensure availability, integrity and confidentiality in such systems. Security risk and methods of threat modelling are presented, and some of the most common threats that will be encountered in such systems are highlighted. Existing industrial systems on the one hand and the Internet of Things on the other are taken as the starting point. The sixth and seventh chapters are devoted to presenting mechanisms for reducing security risks and to security management. To determine the actual security risk posed by the use of a modern industrial controller, the eighth chapter examines the modular yet relatively affordable Beckhoff CX8090 controller, which uses an ARM processor and the Windows Embedded CE 6.0 operating system. The methodology of the controller's security assessment was adapted from the methodology used in business environments and adjusted accordingly. The key threats we wanted to verify in practice in this case were obtaining administrative access and disabling the Modbus/TCP server and the web administrative interface. In the practical part we also tested how effective the intellectual property protection mechanisms are.

    This thesis deals with the security aspects of modern industrial control systems that are used in process automation and manufacturing. As these systems have changed considerably in the past decade, the introductory chapter gives an overview of these changes and explains why these systems are more vulnerable to cybersecurity threats than ever before. To be able to address those threats, more and more security-related technologies from IT are used in OT environments. In the second chapter, industrial control systems, their operating principles, main building blocks and topologies are presented. Programmable logic controllers (PLCs), as their core component, are presented in more detail, including hardware and software. Special attention is given to the communication protocols used to exchange data in distributed industrial control systems, since they play a critical role in preserving their security and safety. Ubiquitous connectivity, made possible by the development of wireless and mobile technologies, the miniaturisation of sensors of all kinds and virtually unlimited analytic capabilities using cloud infrastructure, enabled the development of the Internet of Things (IoT). How these technologies will change our daily life, as well as how they will affect process automation and manufacturing, is the main topic of the third chapter. Reference architectures, specific communication protocols and new business models that will be enabled by the IoT are presented as well. Although different estimates about the economic impact of the IoT exist, they all share a common denominator: manufacturing will benefit the most from the rise of the Industrial Internet of Things (IIoT), which will enable increased operations and inventory efficiency. Industry 4.0 concepts, cyber-physical systems and smart factories that will allow products to take part in an interactive manufacturing process are presented in detail in the fourth chapter. The following chapters are exclusively dedicated to the security of the industrial internet. Following a general introduction to IT/OT security, various ways of threat modelling are presented. A detailed overview of the most common threats in industrial internet systems and possible ways to mitigate them is given in the sixth chapter, while the seventh chapter deals with security management. A security assessment of a Beckhoff CX8090 controller, based on an ARM processor and the Windows Embedded CE 6.0 operating system, was performed and described in detail in the eighth chapter. The methodology used was based on the methodologies usually used in IT environments, with appropriate adaptations to suit specific industrial internet environments. Special attention was given to the possibility of obtaining administrative access to the controller or disrupting its service.