Mapping Industrial Control Systems

S2ERC Showcase, Washington, D.C.

Murat Kuzlu (1), PhD., T. Charles Clancy (2), PhD., Kevin Heaslip (2), PhD., Saifur Rahman (1), PhD., Aditya Nugur (1)

Virginia Tech - Advanced Research Institute (1) / Hume Center (2)

May 2017



Project Overview

• BACnet, Modbus and DNP3 devices are widely used in industrial control networks found on US military installations.

• Detecting the presence of BACnet/Modbus/DNP3 devices in a network is crucial from a security standpoint.

Project Goals

To develop a mapping tool which

• Can discover all BACnet, Modbus and DNP3 devices in modern industrial control networks, in addition to legacy systems found on US military installations.

• Can be used from a single TCP/IP network access point within a local/remote network.

• Can provide early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems.

To develop a user interface

• that initiates discovery and inspects discovered devices.

To develop a test-bed

• that includes BACnet/Modbus/DNP3 devices

Related Work

• Under the DOE-funded project "Building Energy Management Open Source Software (BEMOSS)", Virginia Tech - Advanced Research Institute (VT-ARI) has developed a software platform for building energy management that is capable of discovering limited types of BACnet and Modbus devices, without DNP3 support.

• Leveraging this existing work, the mapping tool being developed will enable the discovery of all BACnet, Modbus and DNP3 devices.

Novelty of Our Approach

(Diagram: the mapping tool covers both the TCP/IP network and the serial RS-485 network.)

The mapping tool is capable of:

• discovering all BACnet, Modbus and DNP3 devices in a network

• providing early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems.

This goes beyond the commercially available products on the market.

Technical Approach

(Architecture diagram; labels: DNP3 Gateway, Modbus Gateway, BACnet Gateway, DNP3 Devices, BACnet Devices, Modbus Devices, Controller, Mapping Tool, 3rd Party System, Data Flow, Communication Link.)

Device types for the mapping tool

• Discoverable devices

• Known devices

• Unknown devices

Device Discovery Approach

• The mapping tool seeks to "see through" the IP gateways, i.e., the BACnet, Modbus and DNP3 gateways, to discover the slave devices that speak those protocols, by using the protocols indigenous to those networks.

(Diagram: the Mapping Tool performs Discovery & Monitoring through the DNP3, Modbus and BACnet Gateways; devices on the Serial RS-485 Network and the TCP/IP Network are each marked Discoverable, Known or Unknown.)

Project Progress

• Improved the source code to discover DNP3/Modbus devices
  - Added group 0 support to the opendnp3 stack
  - Incorporated a comprehensive Modbus slave scan along with Device Identification

• Developed a User Interface (UI) for users and operators
  - User Login Page
  - Dashboard Page
  - Discover Page
  - Approval Page
  - Approved Device Page
  - Inspect Device Page
  - Device Status Page
  - Manage User Page

• Extended the lab setup
  - Added new Modbus devices
  - Added new DNP3 devices


Potential Benefits and Contributions

• Provide a platform that supports the discovery of all BACnet, Modbus and DNP3 devices and detects unknown devices in a network.

• The mapping tool being developed can be used to detect and provide early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems.

• Serve as a test-bed that allows testing of security claims and other security-related testing and evaluation.

• The tool being developed can be used to discover devices supporting other protocols, such as KNX and LonWorks, as well as wireless protocols including WiFi and ZigBee.

Extended Lab Setup

(Lab diagram; labels: DNP3 Gateway and DNP3 Devices, BACnet Gateway and BACnet Devices, Modbus Gateway and Modbus Devices.)

Deliverables and Affiliate Support

Deliverables:

• A software mapping tool for discovering BACnet, Modbus and DNP3 devices

• The lab set-up consisting of BACnet, Modbus and DNP3 gateways/devices

• Final technical status discussions with DoD

• Field demonstration discussions with DoD

• S2ERC Final Report

Affiliate Support:

• Department of Defense (DoD) provides technical advising

Murat Kuzlu
Email: [email protected]

Technical Approach

Flowcharts of the BACnet, Modbus and DNP3 device discovery process (reconstructed here as step lists from the flowchart labels)

Modbus discovery (Scan Device Addresses)

1. Initiate discovery process: the Modbus discovery API starts with Slave_id = 1 on port 502.
2. Send a Read Request with Slave_id, function code 43 and object id.
3. If a response is received and the response is not "Illegal function", display the response. If the response is "Illegal function", store the slave id count.
4. Slave_id = Slave_id + 1; repeat from step 2 while Slave_id <= 254.
5. Once all ids in the range have been queried, end the discovery process. The stored count is the number of unknown Modbus devices.

BACnet discovery (Broadcast Scan)

1. Initiate discovery process: the BACnet discovery API broadcasts a Who-Is request.
2. If no I-Am response is received, display "no devices found" and end the discovery process.
3. If I-Am responses are received, collect the MAC address of the responding devices and query each for its device model and vendor.
4. Check whether the received response is valid: if yes, display the vendor name and model name; if no, display "unknown device discovered".
5. End of discovery process.

DNP3 discovery (Scan Device Addresses)

1. Initiate discovery process: the discovery API starts with slave_id 1 on port 20000.
2. Send a standard DNP3 application layer request with slave_id, group 0.
3. If a response is received and it has no IIN exception, display the response. If the response has an IIN exception, store the slave id count.
4. Slave_id = Slave_id + 1; repeat from step 2 while Slave_id <= 65536.
5. Once all ids in the range have been queried, end the discovery process. The stored count is the number of unknown DNP3 devices.

User Interface – Discover Page

• The Discover page provides two types of scan: scanning for known devices and a generic scan.

• Known devices can be added to the database. Multiple known devices can be searched for simultaneously.

• Generic discovery lets the user select the port on which the scan is performed.

• When no port number is entered, the default ports are scanned. These default ports can be configured on the Settings page.
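The Modbus leg of the discovery flowchart above (Slave_id loop, function code 43 Read Device Identification, "Illegal function" counted as an unknown device) and the Discover page's split between known and unknown devices can be made concrete in a few dozen lines. The following is an added illustration written for this page, not the project's own code: it builds the FC43/14 request frame, parses the reply the way the flowchart branches do, walks Slave_id 1..254 over a simulated transport (a constructed table of three slaves, so it runs offline), and then matches identified devices against a constructed known-device list keyed on (VendorName, ProductCode), which is an assumed key rather than the project's database schema. Treating any Modbus exception, not only "Illegal function", as an unidentified device is likewise an assumption.

```python
import struct

READ_DEVICE_ID = 0x2B      # Modbus function code 43
MEI_TYPE = 0x0E            # MEI type 14: Read Device Identification
ILLEGAL_FUNCTION = 0x01    # exception code from slaves that do not implement FC43
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def mbap(unit_id, pdu, transaction_id):
    """Prepend the Modbus/TCP MBAP header (transaction id, protocol 0, length, unit id)."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_request(unit_id, transaction_id=1, object_id=0):
    """FC43/14 request for the Basic identification category (read device id code 1)."""
    return mbap(unit_id, bytes([READ_DEVICE_ID, MEI_TYPE, 0x01, object_id]), transaction_id)


def parse_response(frame):
    """Classify a raw reply frame the way the flowchart branches do.

    ("illegal_function", None) -> slave answered but lacks FC43 (flowchart: unknown device)
    ("other", code)            -> some other Modbus exception code
    ("identified", objects)    -> normal reply; objects maps object name -> ASCII value
    """
    pdu = frame[7:]
    if pdu[0] == READ_DEVICE_ID | 0x80:             # exception bit set on the function code
        code = pdu[1]
        return ("illegal_function", None) if code == ILLEGAL_FUNCTION else ("other", code)
    if pdu[0] != READ_DEVICE_ID or pdu[1] != MEI_TYPE:
        raise ValueError("not a Read Device Identification reply")
    # PDU layout: fc, MEI type, read code, conformity, more-follows, next id, count, objects...
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        obj_id, length = pdu[pos], pdu[pos + 1]
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id}")] = \
            pdu[pos + 2:pos + 2 + length].decode("ascii", "replace")
        pos += 2 + length
    return ("identified", objects)


def discover(transport, first_id=1, last_id=254):
    """Walk Slave_id 1..254 as in the flowchart.

    transport(frame) returns the reply bytes, or None if nothing answers that id.
    Returns (identified: {unit_id: objects}, unidentified: [unit_id, ...]); the
    length of the second list is the flowchart's "number of unknown Modbus devices".
    """
    identified, unidentified = {}, []
    for unit_id in range(first_id, last_id + 1):
        reply = transport(build_request(unit_id, transaction_id=unit_id))
        if reply is None:
            continue                       # silent id: move on to Slave_id + 1
        kind, payload = parse_response(reply)
        if kind == "identified":
            identified[unit_id] = payload  # "Display Response"
        else:
            unidentified.append(unit_id)   # "Store Slave id count" (assumption: any exception)
    return identified, unidentified


def classify(identified, known_devices):
    """Split identified devices into known and unknown by (VendorName, ProductCode),
    mirroring the Discover page's known-device list (assumed key, not the project's schema)."""
    known, unknown = {}, {}
    for unit_id, ident in identified.items():
        key = (ident.get("VendorName"), ident.get("ProductCode"))
        (known if key in known_devices else unknown)[unit_id] = ident
    return known, unknown


# --- constructed simulated lab: every value below is made up for this example ---
SIMULATED_DEVICES = {
    1: ("ident", [(0, "ExampleVendor"), (1, "PLC-100"), (2, "v2.1")]),
    7: ("exception", ILLEGAL_FUNCTION),   # a slave without Device Identification support
    12: ("ident", [(0, "OtherVendor"), (1, "RTU-9"), (2, "v1.0")]),
}
KNOWN_DEVICES = {("ExampleVendor", "PLC-100")}   # constructed known-device list


def simulated_transport(frame):
    """Answer a request frame the way the simulated slaves would (None = no reply)."""
    transaction_id = struct.unpack(">H", frame[:2])[0]
    unit_id = frame[6]
    entry = SIMULATED_DEVICES.get(unit_id)
    if entry is None:
        return None
    kind, data = entry
    if kind == "exception":
        return mbap(unit_id, bytes([READ_DEVICE_ID | 0x80, data]), transaction_id)
    body = b"".join(bytes([oid, len(val)]) + val.encode("ascii") for oid, val in data)
    pdu = bytes([READ_DEVICE_ID, MEI_TYPE, 0x01, 0x01, 0x00, 0x00, len(data)]) + body
    return mbap(unit_id, pdu, transaction_id)


if __name__ == "__main__":
    identified, unidentified = discover(simulated_transport)
    known, unknown = classify(identified, KNOWN_DEVICES)
    for uid, ident in known.items():
        print(f"known   slave {uid}: {ident['VendorName']} {ident['ProductCode']}")
    for uid, ident in unknown.items():
        print(f"UNKNOWN slave {uid}: {ident['VendorName']} {ident['ProductCode']}")
    print(f"{len(unidentified)} slave(s) answered without identification: {unidentified}")
```

Run stand-alone, the simulated scan reports slave 1 as known, slave 12 as an unknown (identified but not in the list) device, and slave 7 as the one unidentified slave, which is the three-way split a Discover page needs to surface. The DNP3 leg of the flowchart has the same shape, with a group 0 request and an IIN check in place of the function code 43 request and the "Illegal function" test; replacing the simulated transport with a real Modbus/TCP socket is the only change needed to run the loop against a gateway.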