Mapping Industrial Control Systems

Transcription

1 Mapping Industrial Control Systems S2ERC Showcase, Washington, D.C. Murat Kuzlu 1, PhD., T. Charles Clancy 2, PhD., Kevin Heaslip 2, PhD., Saifur Rahman 1, PhD., Aditya Nugur 1 Virginia Tech - Advanced Research Institute 1 /Hume Center 2 May 2017

2 Project Overview BACnet, Modbus and DNP3 devices are widely used in industrial control networks found on US military installations. Detecting the presence of BACnet/Modbus/DNP3 devices in a network is crucial in terms of security concerns. 2

3 Project Goals To develop a mapping tool which Can discover all BACnet, Modbus and DNP3 devices in both modern industrial control networks, in addition to legacy systems found on US military installations. Can be used from a single TCP/IP network access point within a local/remote network. Can provide early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems. To develop a user interface that initiates discovery and inspect discovered devices. To develop a test-bed that includes BACnet/Modbus/DNP3 devices 3 3 3

4 Related Work Under the DOE-funded project "Building Energy Management Open Source Software (BEMOSS)", Virginia Tech - Advanced Research Institute (VT-ARI) has developed a software platform for building energy management that is capable of discovering limited types of BACnet and Modbus devices without DNP3 support. Leveraging this existing work, the mapping tool being developed will enable the discovery of all BACnet, ModBus and DNP3 devices

5 velty of Our Approach TCP/IP Network The mapping tool is capable of: Controller discovering all BACnet, Modbus and DNP3 devices in a network providing early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems. 3. Party System DNP3 Gateway Mapping Tool Modbus Gateway 3. Party System BACnet Gateway This is beyond commercially available products available in the market. DNP3 Devices Modbus Devices BACnet Devices Serial-RS485 Network 5 Data Flow Communication Link

6 Technical Approach Device Discovery Approach The mapping tool seeks to see through IP gateways, i.e., BACnet, Modbus and DNP3, to discover protocol adhered slave devices, by using the protocols indigenous to those networks. Device types for the mapping tool Discoverable devices Known devices Unknown devices Discovery & Monitoring Mapping Tool TCP/IP Network BACnet Gateway Modbus Gateway DNP3 Gateway Discoverable Known Unknown Discoverable Known Unknown Discoverable Known Unknown Serial RS-485 Network

7 Project Progress Improved the source code to discover DNP3/Modbus devices -Added group 0 support to opendnp3 stack -Incorporated comprehensive Modbus slave scan along with Device Identification Developed a User Interface (UI) for users and operators -User Login Page -Dashboard Page -Discover Page -Approval Page -Approved Device Page -Inspect Device Page -Device Status Page -Manage User Page Extended the lab setup -Added new Modbus devices -Added new DNP3 devices

8 User Interface Discover Page

9 Potential Benefits and Contributions Provide a platform, that supports the discovery of all BACnet, Modbus and DNP3 devices and detects unknown devices in a network. The mapping tool being developed can be used to detect and provide early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems. Serve as a test-bed that allows testing of security claims and other security related testing evaluation. The tool being developed can be used to discover devices supporting other protocols, such as KNX, Lonworks as well as wireless protocols including WiFi and ZigBee. 9

10 Extended Lab Setup Modbus Devices BACnet Devices DNP3 Device Modbus Gateway BACnet Gateway DNP3 Gateway DNP3 Device 10 Modbus Device

11 Deliverables and Affiliate Support Deliverables: A software mapping tool for discovering BACnet, Modbus and DNP3 devices The lab set-up consisting of BACnet, Modbus and DNP3 gateways/devices Final technical status discussions with DoD Field demonstration discussions with DoD S2ERC Final Report. Affiliate Support: Department of Defense (DoD) provides technical advising 11

12 12 Murat Kuzlu

13 Technical Approach Flowcharts of BACnet, Modbus and DNP3 device discovery process Initiate discovery process Initiate discovery process Initiate discovery process Broadcast Collect MAC address of responded devices and Query for device model and vendor Check if received response is valid response Yes Display vendor name and model name End of discovery process Initiates BACnet discovery API Broadcasts Who-Is request Received I-am Yes response Display unknown device discovered End of discovery process Display no devices found End of discovery process Scan Device Addresses Slave_id= Slave_id +1 Store Slave id count Count is number of unknown Modbus devices Send a Read Request with Slave_id, function code 43 and object id Received response Yes Response is not Illegal function Display Response Initiates Modbus discovery API with Slave_id = 1 on port 502 Yes Slave_id <=254 Queried over all the range ids End of discovery process Scan Device Addresses Slave_id= Slave_id +1 Store Slave id count Count is number of unknown DNP3 devices Yes Send a standard DNP3 application layer request with slave_id, group 0 Received response Yes Response has IIN exception Display Response Yes Initiate discovery API with slave_id 1 and port Slave_id <=65536 Queried over all range ids End of discovery process

14 User Interface Discover Page The Discover page provides 2 types of scanning viz., scanning for known devices and a generic scan. Known devices can be added into the database. Multiple known devices can be searched simultaneously. Generic discovery has a privilege to select a port on which the scan is to be established. When no port number is plugged in, a default port scan is performed. Again these default ports can be configured on the settings page.