Introduction

Industrial Control Systems (ICS) are different from conventional IT systems. ICS typically source data from remote sensors and transmit commands to machines so that the relevant action is taken. As such, conventional IT protocols cannot be applied to ICS. Every instrument, interface and system in the ICS landscape now supports and runs TCP/IP protocols over industrial Ethernet.

What is industrial Ethernet?

Industrial Ethernet comprises the IP-enabled versions of what were originally serial industrial protocols — essentially serial communications wrapped in TCP/IP packets. The non-proprietary communication protocols used by several SCADA/ICS manufacturers change form when carried over industrial Ethernet. Below are a few examples:

  • Modbus turns into Modbus TCP
  • HART changes to HART-IP
  • DNP3 becomes DNP3 over TCP/IP

Structure of serial comms in TCP/IP packets

Modbus TCP

Just like the serial versions, Modbus TCP has a client/server (master/slave) architecture. Modbus TCP drops the checksum that serial Modbus requires; in the separate Modbus over TCP variant, the checksum remains in the payload (just as it does for Modbus RTU). Dual master/slave configurations are also available, and the default TCP port is 502.

A Modbus TCP packet is encapsulated in TCP/IP. Its start code is 0x0000. It uses the same request/response path, the same function codes and the same data limit of 253 bytes as its serial counterpart.

The Modbus Application Protocol (MBAP) header, by contrast, is 7 bytes: 2 bytes for the transaction identifier (message ID), 2 bytes for the protocol identifier (where 0 denotes Modbus), 2 bytes of length and 1 byte of unit address.

It’s worth mentioning that Modbus TCP or Modbus over TCP/IP has no native security capabilities as part of the feature set. 
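Since Modbus TCP carries no authentication, a network monitor that parses the MBAP header above and flags write function codes is one of the few protocol-level checks a defender can add. The following is an added example, not code from the original article; the two sample frames are constructed.

```python
import struct

# Added example (not from the original article): parse the 7-byte MBAP header
# and the Modbus PDU that follows it, then flag write requests.
MODBUS_PROTOCOL_ID = 0       # protocol identifier 0 = Modbus
MAX_PDU_LEN = 253            # function code + data, same limit as serial Modbus
# Standard Modbus function codes that change process state on the slave.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed samples. Write Single Register (FC 06): unit 1, register 0x0001, value 0x0003.
SAMPLE_WRITE_FRAME = bytes.fromhex("0001" "0000" "0006" "01" "06" "0001" "0003")
# Read Holding Registers (FC 03): unit 1, start 0x0000, quantity 10.
SAMPLE_READ_FRAME = bytes.fromhex("0002" "0000" "0006" "01" "03" "0000" "000a")


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus TCP frame into MBAP fields and PDU, validating the header."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != MODBUS_PROTOCOL_ID:
        raise ValueError(f"protocol identifier {protocol_id:#06x} is not Modbus")
    # The length field counts the unit identifier and the PDU, so the whole
    # frame must be exactly 6 header bytes plus that length.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    pdu = frame[7:]
    if len(pdu) > MAX_PDU_LEN:
        raise ValueError(f"PDU of {len(pdu)} bytes exceeds the 253-byte limit")
    return {
        "transaction_id": transaction_id,
        "protocol_id": protocol_id,
        "length": length,
        "unit_id": unit_id,
        "function_code": pdu[0],
        "data": pdu[1:],
    }


def is_write_request(frame: bytes) -> bool:
    """True when the frame carries a function code that writes coils or registers."""
    return parse_modbus_tcp(frame)["function_code"] in WRITE_FUNCTION_CODES
```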

HART-IP 

HART-IP is managed by the FieldComm Group. It is essentially a standardized plant-wide deployment protocol that gives remote access down to device level from any location in the world. Intelligent device management over Wi-Fi or Ethernet can also be achieved through HART-IP. Moreover, the protocol offers easy integration into automation systems.

In a traditional ICS network, HART-IP is implemented across several networks operating below the core Ethernet network. As in IP networking, multiple protocols can share the same physical medium.

HART-IP has many benefits. It allows enterprise-wide access to critical device measurements, condition-based diagnostic data and process-related information. It also connects to the existing plant networking infrastructure and removes the need to set up separate communication paths. HART-IP leverages standard networking that plant IT resources already support and understand, without requiring specialized communication equipment.

Other benefits include quick and simple large-scale integration of information into a proactive maintenance strategy, and compatibility with robust industry-standard security techniques.

However, for all its complexity and flexibility, HART-IP suffers the same fate as Modbus TCP: no native security capabilities are built into the protocol.

DNP3 over TCP/IP

Standard DNP3 is a client/server architecture encapsulated in TCP/IP. Its start code is 0x0564. DNP3 supports unsolicited responses and uses TCP port 20000 by default. The IP-enabled DNP3 supports Report by Exception (RBE), in which the SCADA server polls for change events. It also supports unsolicited responses, where the slave transmits updates without being actively polled. Moreover, the transport, application and data link layers are all defined within the TCP/IP implementation of DNP3.

The data link control byte carries a control function code; the transport layer is managed by first/final flags and a sequence number; the application layer control byte carries first, final and confirm flags plus a sequence number; and data chunking uses CRC-DNP, with 2 CRC bytes appended after every 16 bytes of data.
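The data link framing just described, as an added example that is not code from the original article: a CRC-DNP routine, a frame builder and a verifier that checks the 0x0564 start code, the 10-byte header CRC and the 2 CRC bytes after each 16-byte data block. The control value, addresses and payload used are constructed for illustration.

```python
# Added example, not code from the original article: DNP3 link-layer framing
# with the CRC-DNP check described above. Addresses and payload are constructed.
START = b"\x05\x64"   # DNP3 start code 0x0564
BLOCK = 16            # user data is chunked into 16-byte blocks, each followed by 2 CRC bytes


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 bit-reflected (0xA6BC), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble start, length, control, dest, src, header CRC, then CRC-protected blocks."""
    if len(user_data) > 250:
        raise ValueError("user data limited to 250 bytes (length byte counts 5 + data)")
    header = START + bytes([5 + len(user_data), control])
    header += dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + crc_dnp(header).to_bytes(2, "little")   # CRC sent low byte first
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


def verify_frame(frame: bytes) -> tuple:
    """Return (control, dest, src, user_data); raise ValueError on any framing or CRC error."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing 0x0564 start code or truncated header")
    if int.from_bytes(frame[8:10], "little") != crc_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    length, control = frame[2], frame[3]
    dest = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    remaining, user_data, pos = length - 5, b"", 10
    while remaining > 0:
        n = min(BLOCK, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2 or int.from_bytes(crc, "little") != crc_dnp(block):
            raise ValueError(f"data block CRC mismatch or truncation at offset {pos}")
        user_data, pos, remaining = user_data + block, pos + n + 2, remaining - n
    if pos != len(frame):
        raise ValueError("unexpected trailing bytes after final CRC")
    return control, dest, src, user_data
```

A receiver that enforces these checks rejects corrupted or truncated frames, but the CRC is an integrity check against noise only; it offers no protection against a deliberately re-computed frame, which is why the article's point about missing native security still stands.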

However, DNP3 has no native security capabilities within its implementation or original construct.

The most secure implementation of DNP3 is Original Secure DNP3. It is essentially application layer security based on IEC 62351-1. The secure implementation is built around a shared secret key. The key has to be applied manually, there is no key management standard, and the approach is not widely used across the industry.

Another secure implementation of DNP3 is DNPSec v5. It utilizes IEEE 1815-2012. The security threats it aims to address include modification, replay, spoofing and eavesdropping (the last only on the exchange of cryptographic keys). Versions 1-4 of this implementation were dropped because of their ineffectiveness, while version 5 is not widely adopted.

But even with all of these implementations, DNP3’s security capabilities remain questionable.

Conclusion

The industrial Ethernet has been in operation since the development of ICS and Supervisory Control and Data Acquisition (SCADA) systems in the 1970s. However, few security developments have taken place in this area because of the risks and costs involved.

The IP-enabled versions of serial industrial protocols require immediate attention, since security was given little thought when the industrial Ethernet was being developed. Moreover, the lack of exposure and the high risk make it critical to provide and maintain security for this aspect of the industrial Ethernet.

 


Be Safe


Dan Virgillito
