Mapping Industrial Control Systems

Transcription

1 Mapping Industrial Control Systems S2ERC Showcase, Pensacola, FL Murat Kuzlu 1, PhD., T. Charles Clancy 2, PhD., Kevin Heaslip 2, PhD., Saifur Rahman 1, PhD., Aditya Nugur 1 Virginia Tech - Advanced Research Institute 1 /Hume Center 2 November 2016

2 Project Overview The BACnet, Modbus and DNP3 devices are widely used in industrial control networks found on US military installations. Detecting the presence of BACnet/Modbus/DNP3 devices in a network is very crucial in terms of security concerns. Develop a mapping tool by using active mapping techniques to discover all BACnet/Modbus/DNP3 serial devices in a network via Ethernet-connected gateways. Project Period: July 2016 July

3 Project Goals Develop a mapping tool which Can discover all BACnet, Modbus and DNP3 devices in both modern industrial control networks, in addition to legacy systems found on US military installations. Can be used from a single TCP/IP network access point within the network. Can provide early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems. Develop a test-bed Include BACnet/Modbus/DNP3 devices 3 3 3

4 Related Work Under the DOE-funded project "Building Energy Management Open Source Software (BEMOSS)", Virginia Tech - Advanced Research Institute (VT-ARI) has developed a software platform for building energy management that is capable of discovering limited types of BACnet and Modbus devices, and without DNP3 support. Leveraging this existing work, the proposed mapping tool will enable the discovery of all BACnet, ModBus and DNP3 devices

5 Novelty of Our Approach TCP/IP Network The proposed mapping tool provides the capability to discover all BACnet, Modbus and DNP3 devices in the network. It can also provide the early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems at the same platform. This is beyond what is available in a single commercially available platform package. 3. Party System DNP3 Gateway Controller Mapping Tool Modbus Gateway 3. Party System BACnet Gateway DNP3 Devices Modbus Devices BACnet Devices Serial-RS485 Network 5 Data Flow Communication Link

6 BACnet Device Discovery Technical Approach BACnet devices on the network are configured to respond with I-AM and device identifier as response when it receives BACnet standard WHO-IS message. To discover BACnet devices on network, master device broadcasts WHO-IS message on the network. Once it receives all the I-AM responses along with device identifiers, it stores all the device identifiers. Using this device identifier, BACnet master can send device specific read property instance command. Property instance 70 and property instance 120 are defaulted to model name and vendor name attributes. By reading this property instance on each identifier, we can collect number of BACnet devices in our network.

7 Technical Approach Flowchart of BACnet Device Discovery

8 Modbus Device Discovery Technical Approach Poll each host address within the network address of Modbus device. For example, the network address is then host address ranges from to if subnet mask is Each host address can connect up to 247 slave Modbus devices. Hence, slave ID ranges from 1 to 247. Request has function code 43 and object id. Object Id 0x00 gives vendor name and object Id 0x05 gives model name attributes. Modbus supported device are configured to respond function code 43 with respective device attribute. In some cases, if device doesn t support function code 43 it sends illegal function as response. This means device doesn t support device identification feature. Such devices are categorized as unknown Modbus devices in the network. With comparing the properties of discovered unknown Modbus device, we can suggest which Modbus device it can possibly be.

9 Technical Approach Flowchart of Modbus Device Discovery

10 DNP3 Device Discovery Technical Approach DNP3 protocol specifies outstation (slave devices) to respond to a broadcast message. To issue broadcast message data link layer adds destination addresses as 0xFFFD to 0xFFFF. All stations accepts frames when destination is set to these addresses. To query device attributes connected of the DNP3 devices present in the network, application layer issues request with data point type/group 0 in its object header. Variation number decides which device attribute is to be called. Variation number 252 and 250 give vendor and model name respectively. Variation number 255(FF as hexadecimal) can be used to query slave to respond with all the device attributes it possess. AC FC GRP VAR QUAL Range Application Control Code Function Code Group/Data Type Variation Qualifier Total Data Points An example of application layer fragment requesting group 0, variation 255. C FF AC FC GRP VAR QUAL RANGE

11 Technical Approach Flowchart of DNP3 Device Discovery

12 Lab Setup Modbus Devices BACnet Devices DNP3 Device DNP3 Gateway Modbus Gateway BACnet Gateway 12

13 Potential Benefits and Contributions Provide a platform, that supports to discover all BACnet, Modbus and DNP3 devices and detects unknown devices in a network. The proposed mapping tool can be used to detect and provide early warnings of cyber attacks on a building network, the U.S. power grid and its dependent systems. Provide a test-bed that allows testing of security claims and other security related testing evaluation. Proposed platform can be used to discover devices supporting other protocols, such as KNX, Lonworks etc. 13

14 Deliverables and Affiliate Support Deliverables: The initial mapping tool for discovering BACnet, Modbus and DNP3 devices by extending the current Virginia Tech BEMOSS discovery tool. Lab set-up consisting of BACnet, Modbus and DNP3 gateways and devices. S2ERC Status Report. Affiliate Support: Department of Defense (DoD) is providing technical advising. 14

15 15 Murat Kuzlu Web: muratkuzlu.org Phone: