ICS stands for Industrial Control Systems. ICS is a generic term used to describe various control systems and their instrumentation, used for controlling and monitoring industrial processes. ICS basically integrates hardware, software and their network connectivity for running and supporting critical infrastructure. ICS systems get data from remote sensors and send commands to the machinery for the appropriate actions to take.
For example, ICS systems may get data from remote sensors to check whether a particular piece of machinery is overheating. If it is, then it may send commands to the machinery to shut down. Thus, ICS systems ensure industrial operations run smoothly and give the operator an easy way to monitor, control and manage industrial processes remotely.
Components of ICS
A typical ICS system is made up of the following components:
Note: The terms “ICS” and “SCADA” are used interchangeably in media. This is misleading and inaccurate. SCADA is a small component of ICS.
IT versus ICS
IT systems basically focuses on the development, maintenance and use of computer systems, software and networks for the processing and sharing of data. On the other hand, ICS systems focus more on detecting, monitoring and controlling physical equipment and processes using sensors, actuators, controllers, PLC (Programmable Logic Controllers), PCD (Process Control Dynamics), BAS (Building Automation System) and more. Thus, IT and ICS systems are altogether different and pose their own challenges in terms of maintenance, security and operations.
Communication protocols used in ICS systems
As described above, due to ICS being different from IT systems in many aspects, traditional IT protocols cannot be used in ICS systems. All the systems, interfaces and instruments in an ICS system use different protocols for real-time communication and data transfer. These protocols were first designed for serial connection but, with time, have evolved to support and run on TCP/IP protocols over Ethernet networks.
In a typical ICS system, the following protocols are widely used: RS-232 and RS-485, Modbus, DNP3, HART, TASE 2.0 and ICCP, CIP, PROFIBUS and PROFINET, FOUNDATION Fieldbus, BACnet and more.
Let’s discuss each one of them in detail.
RS-232 and RS-485: Among all the serial interfaces on the market, RS-232 and RS-485 are the oldest ones and are still widely used. RS-232 is primarily used for low speed over short-distance requirements. Due to low cost, simple design and enough space for multiple receivers, varieties of connectors are available to connect to its interface.
RS-232 supports full duplex transmission method and allows only one transmitter and one receiver to communicate at a time. The maximum data rate supported by RS-232 is 20 Kbits/s.
RS-485 has been designed primarily for high speed over long distances or for duplex network connectivity requirement. Unlike RS-232, RS-485 allows 32 devices to communicate at a time, i.e., 32 transmitters can communicate to 32 receivers at a time. The maximum data rate supported by RS-485 is Mbits/s.
Prior to the development of Ethernet, security wasn’t a large concern for RS-232 and RS-485 systems. Even now, they are rarely connected to the internet, and that provides a buffer from attack. RS-485 systems running Modbus TCP/IP are connected more often, but the added risk is minimal.
Modbus: Modbus is the oldest and most widely deployed serial communication protocol. It is open-source and freely distributed and can be built by anyone into their equipment.
Modbus communicates raw messages without authentication or any overhead. Modbus is a request-response protocol and operates at the application layer of the OSI model.
In a typical Modbus network, there are 247 slaves and one master. Master/slave is a communication model in which one device (master) controls other devices (slaves).
Modbus has several security concerns – lack of authentication, lack of encryption, lack of message checksum and lack of broadcast suppression.
DNP3: DNP3 stands for Distributed Network Protocol. It was developed in 1993 and is widely used in the USA and Canada. It operates at the application, data link and transport layers; thus, it is a three-layer protocol.
DNP3 design focused more on maximizing system availability and less on confidentiality and integrity. At the data link layer, it has the ability to detect any errors in data transmission by means of CRC check. Efforts have also been made to provide safe authentication at the application level. DNP3 has another variant named secure DNP3, which takes care of secure authentication and other security features at the application level and is always recommended instead of DNP3.
HART: HART stands for Highway Addressable Remote Transducer. HART is an open-source and hybrid (analog+digital) ICS protocol. It is mostly used in automation. HART operates in two modes:
Point-to-point mode: Single master and a single slave
Multi-drop mode: Multiple masters and multiple slaves
The benefits of using HART include reduced cost, simplified design, simple implementation and flexible operation. However, HART is vulnerable to spoofing attacks, lack of authentication and XML injection attacks.
ICCP/TASE 2.0: ICCP is Inter-Control Center Protocol and is also known as TASE 2.0. ICCP is designed for bi-directional WAN communication between two or more control centers, power plants, substations and other utilities within ICS. ICCP is vulnerable to session hijacking, spoofing, encryption and lack of authentication vulnerabilities.
FOUNDATION Fieldbus: FOUNDATION Fieldbus was designed to replace analog connections in the refining, petrochemical and nuclear industries.
As per the requirement, FOUNDATION Fieldbus can be implemented in two ways: FOUNDATION Fieldbus H1 and HSE (High Speed Ethernet), HSE being more advanced and faster than FOUNDATION Fieldbus H1. The FOUNDATION Fieldbus data link layer offers no opportunities for security. The application layer, however, can be secured by defining access groups and granting those groups usage rights and passwords.
CIP: CIP stands for Common Industrial Protocol and is designed for automating industrial applications. CIP encompasses a set of messages and services for security, control, control and synchronization. CIP is widely used in industry, since it can be easily integrated into other networks.
CIP has been designed specifically for intercommunication and integration with other networks. CIP is vulnerable to remote attacks and “may result in a denial-of-service (DoS) condition, controller fault, or enable a Man-in-the-Middle (MitM) attack, or Replay attack.” (Source)
BACnet: The BAC in BACnet stands for Building Automation and Control. As the name suggests, it is used for communication for building automation and control systems and finds its application in ventilating, heating, access control, lightning, air-conditioning and fire detection systems. BACnet systems not connected to the WAN have limited vulnerabilities, such as human error and physical break-ins. BACNet systems connected to the WAN are vulnerable to remote attacks and data breaches.
PROFIBUS and PROFINET: PROFIBUS and PROFINET were created and designed by the same organization. PROFIBUS is a serial protocol, while PROFINET is an Ethernet-based protocol. PROFINET is an advanced version of PROFIBUS, as it works on an Ethernet-based protocol and provides more speed, more bandwidth and larger message size than PROFIBUS. Profibus lacks authentication and allows spoofed nodes to impersonate master nodes.
ICS and SCADA systems have been on the market since the 1970s, but not much development has taken place in this field. This is due to the higher cost and risk involved.
These systems need urgent attention, since security was not given much priority while these systems were being developed. Also, due to high risk and lack of exposure, maintaining and providing security to these systems is of prime importance and poses a big challenge.