3. SCADA
• Supervisory Control and Data Acquisition
• Platform used to monitor and control the variables of a real-time industrial process
• Examples of variables to monitor
– Pressure inside a water pipe used for distribution
– Flow speed of oil
– Current (electric charge per unit time) flowing through an electricity transmission line
5. Components of SCADA platform (2)
• Remote Terminal Unit (RTU):
– Communication device within the SCADA system, located at the remote substation.
– Gathers data from the field devices and holds it in memory until the MTU requests it. It also processes orders coming from the SCADA master, such as switching off a transmission line.
– Relays the commands issued by the operator at the HMI to the field devices
6. Components of SCADA platform (3)
• Data Acquisition System (DAS):
– Gathers information from the MTU
– Generates and stores alerts that need the operator's attention because the underlying condition can affect the process
• Master Terminal Unit (MTU):
– The MTU is the heart of a SCADA system and is located at the main monitoring center.
7. Components of SCADA platform (4)
• Master Terminal Unit (MTU):
– Initiates communication with the remote units and interfaces with the DAS and the HMI.
• Human Machine Interface (HMI):
– Interface where the operator logs on to monitor the variables of the system.
– Gathers information from the DAS
– Sends commands to the MTU and waits for the response
8. Electrical process
• Three big steps
– Generation
– Transmission
– Distribution
• Energy is generated using any of the following methods
– Thermoelectric plants
– Nuclear plants
– Hydroelectric plants
9. Electrical process (2)
• The SCADA platform is vital during generation to:
– Ensure turbines do not run at more revolutions than they are rated for
– Ensure generators are not overloaded
– Match the energy being generated to the amount the transmission lines can carry
10. Electrical process (3)
• Transmission
– Energy being generated needs to be carried towards the final users
– Transmission lines run at high voltage; 115 kV is a typical voltage on the wire lines
– Final destination are the substations, each of which handles the energy of a specific set of installations
– e.g. a large number of blocks in a city
11. Electrical process (4)
• The SCADA platform is vital during transmission to:
– Monitor the voltage and current on the transmission lines, looking for excessive power flow
– Prevent any line from being overloaded: if one is, its protections trip and a blackout follows in every installation served by the affected substations
12. Electrical process (5)
• Distribution
– Energy arriving at the substations needs to be delivered to the final users
– The substations step the voltage down to distribution levels before it reaches the user installations
– Final destination are the user meters at each installation
13. Electrical process (6)
• The SCADA platform is vital during distribution to:
– Monitor the voltage on the lines feeding the users, looking for excessive power flow
– Monitor the voltage at the user meters, looking for excessive consumption
16. Modbus
[Figure] Source: Practical Industrial Data Communications
17. Modbus (2)
• Client/server (master/slave) protocol which operates in a request/response mode: the master sends a request and the addressed slave answers
• Three variants:
– Modbus serial (RTU/ASCII) over RS-232/RS-485: implemented on serial networks
– Modbus TCP: the Modbus PDU carried over TCP (standard port 502); used on SCADA platforms where delay is not an issue (water supply)
– Modbus UDP: the same PDU over UDP; used on SCADA platforms where delay is a big issue (energy)
18. Modbus (3)
[Figure] Source: Practical Industrial Data Communications
19. Modbus (4)
• Modbus protocol structure
– Address field:
• Request frames: address of the (slave) device targeted by the request
• Response frames: address of the device responding to the request
• In Modbus TCP this byte is the Unit Identifier of the MBAP header; the IP address does the real addressing
20. Modbus (5)
• Modbus protocol structure
– Function field
• Function requested by the master (on behalf of the HMI) to be performed by the field device
• In response packets, when the function succeeded, the field device echoes the function code. If an exception occurred, the most significant bit of the field is set to 1 (function code + 0x80) and the data field carries a one-byte exception code
21. Modbus (6)
Type of access                                        Function name                    Code
Data access
  Bit access
    Physical Discrete Inputs                          Read Discrete Inputs             2
    Internal Bits or Physical Coils                   Read Coils                       1
                                                      Write Single Coil                5
                                                      Write Multiple Coils             15
  16-bit access
    Physical Input Registers                          Read Input Register              4
    Internal Registers or Physical Output Registers   Read Holding Registers           3
                                                      Write Single Register            6
                                                      Write Multiple Registers         16
                                                      Read/Write Multiple Registers    23
                                                      Mask Write Register              22
                                                      Read FIFO Queue                  24
  File Record Access                                  Read File Record                 20
                                                      Write File Record                21
22. Modbus (7)
Type of access        Function name                                  Code
Diagnostics           Read Exception Status                          7
                      Diagnostic                                     8
                      Get Com Event Counter                          11
                      Get Com Event Log                              12
                      Report Slave ID                                17
                      Read Device Identification (MEI type 14)       43
Other                 Encapsulated Interface Transport               43
23. Modbus (8)
• Modbus protocol structure
– Data field
• In request packets, contains the information required to perform the specific function (e.g. starting address and number of registers)
• In response packets, contains the information requested by the HMI (or the exception code)
24. Modbus (9)
• Modbus protocol structure
– Error check field
• CRC-16 over the message frame (Modbus RTU; Modbus ASCII uses an LRC instead, and Modbus TCP has no error check field because TCP provides it)
• If the frame fails the check, the field device discards it without answering
• The master times out and retransmits the request to attempt the function again
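As an added example (not from the deck or from the cited book), the frame layout described in slides 19 to 24 as working code: a Modbus RTU request for holding registers is built with its CRC-16, and responses are parsed, including the exception form with the MSB of the function code set and the CRC failure that makes a field device drop the frame. The unit address, register values and exception code in the sample frames are constructed for illustration; the request frame comes out as 01 03 00 00 00 0A C5 CD, which can be checked against any CRC-16/MODBUS calculator.

```python
"""Modbus RTU frame builder/parser with CRC-16 (added example, constructed sample data)."""
import struct

# Function codes from the Modbus application protocol specification
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
EXCEPTION_FLAG = 0x80  # set on the function code when the slave reports an exception

EXCEPTION_CODES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(unit: int, function: int, data: bytes) -> bytes:
    """Address | Function | Data | CRC. The CRC is transmitted low byte first."""
    body = bytes([unit, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def read_holding_registers_request(unit: int, start: int, count: int) -> bytes:
    """FC 3 request: starting address and register count, both big-endian."""
    return build_rtu_frame(unit, READ_HOLDING_REGISTERS, struct.pack(">HH", start, count))


def parse_rtu_frame(frame: bytes) -> dict:
    """Check the CRC first: a slave silently discards a corrupt frame and the master times out."""
    if len(frame) < 4:
        raise ValueError("frame too short: need address, function and CRC")
    body, (received_crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != received_crc:
        raise ValueError("CRC mismatch: the field device would drop this frame")
    unit, function, data = body[0], body[1], body[2:]
    if function & EXCEPTION_FLAG:
        # Exception response: MSB set, one data byte carrying the exception code
        code = data[0] if data else None
        return {"unit": unit, "function": function & 0x7F,
                "exception": EXCEPTION_CODES.get(code, "code %r" % code)}
    return {"unit": unit, "function": function, "data": data}


def parse_holding_registers_response(frame: bytes) -> dict:
    """FC 3 response: byte count followed by 16-bit big-endian register values."""
    parsed = parse_rtu_frame(frame)
    if "exception" in parsed:
        return parsed
    byte_count = parsed["data"][0]
    values = parsed["data"][1:1 + byte_count]
    if len(values) != byte_count or byte_count % 2:
        raise ValueError("byte count does not match the data field")
    parsed["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), values))
    return parsed


# Constructed sample traffic (not captured from a real plant):
# a request for 10 holding registers from unit 1 and two possible answers.
SAMPLE_REQUEST = read_holding_registers_request(unit=1, start=0, count=10)
SAMPLE_RESPONSE = build_rtu_frame(1, READ_HOLDING_REGISTERS,
                                  bytes([4]) + struct.pack(">HH", 0x1234, 0x0056))
SAMPLE_EXCEPTION = build_rtu_frame(1, READ_HOLDING_REGISTERS | EXCEPTION_FLAG, bytes([0x02]))

if __name__ == "__main__":
    print("request  :", SAMPLE_REQUEST.hex())
    print("response :", parse_holding_registers_response(SAMPLE_RESPONSE))
    print("exception:", parse_holding_registers_response(SAMPLE_EXCEPTION))
    corrupt = SAMPLE_RESPONSE[:-1] + bytes([SAMPLE_RESPONSE[-1] ^ 0xFF])
    try:
        parse_rtu_frame(corrupt)
    except ValueError as exc:
        print("corrupt  :", exc)
```

Note that nothing in the frame identifies or authenticates the master: a device that receives a correctly formed frame with a valid CRC will act on it, which is the point slides 41 and 42 make.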
25. IEC 104
• IEC 60870-5-104: standard for power system monitoring, control and communications for telecontrol and teleprotection in electric power systems; it carries the IEC 60870-5-101 application data over TCP/IP
• Fully compatible with:
– IEC 60870-5-1: Transmission frame formats for the 60870-5 series
– IEC 60870-5-5: Basic application functions
26. IEC 104 (2)
• It has the following features:
– Supports master-initiated messages (unbalanced transmission) and messages initiated by either master or slave (balanced transmission)
– Facility for time synchronization
– Data being transmitted can be classified into 16 different interrogation groups, so the master can request the data of one group at a time
– Cyclic and spontaneous data updating schemes are provided.
27. IEC 104 (3)
[Figure] Source: Practical Industrial Data Communications
28. IEC 104 (4)
[Figure] Source: Practical Industrial Data Communications
29. IEC 104 (5)
[Figure] Source: Practical Industrial Data Communications
30. IEC 104 (6)
• Link level
Link service class   Function            Explanation
S1                   SEND / NO REPLY     Transmit message. No ACK or answer required
S2                   SEND / CONFIRM      Transmit message. ACK required
S3                   REQUEST / RESPOND   Transmit message. ACK and answer required
31. IEC 104 (7)
[Figure] Source: Practical Industrial Data Communications
32. IEC 104 (8)
• Control field for unbalanced transmissions
[Figure] Source: Practical Industrial Data Communications
33. IEC 104 (9)
• Control field for balanced transmissions
[Figure] Source: Practical Industrial Data Communications
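Added example, not part of the deck: the control-field figures above belong to the IEC 60870-5-101 link layer (balanced and unbalanced transmission); when the same ASDUs travel over TCP as IEC 60870-5-104, that link layer is replaced by the APCI, which is what the decoder below handles. It splits an APDU into I, S or U format, reads the ASDU header (type, number of objects, cause of transmission, common address, monitor or control direction) and, for a clock synchronization command (type 103, the message a master uses to set an IED's time), decodes the CP56Time2a timestamp. The sample APDUs, their sequence numbers, common address 1 and the 2011 timestamp are constructed for illustration.

```python
"""IEC 60870-5-104 APCI and ASDU header decoder (added example, constructed sample APDUs)."""
import struct
from datetime import datetime

START = 0x68

# U-format functions are encoded in control octet 1
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con",
               0x13: "STOPDT act", 0x23: "STOPDT con",
               0x43: "TESTFR act", 0x83: "TESTFR con"}

# A few ASDU type identifiers (numbering shared with IEC 60870-5-101)
TYPE_IDS = {1: "M_SP_NA_1 single-point information",
            45: "C_SC_NA_1 single command",
            100: "C_IC_NA_1 interrogation command",
            103: "C_CS_NA_1 clock synchronization command"}


def direction_of(type_id: int) -> str:
    """Monitor direction carries data from the outstation; control direction carries commands to it."""
    if 1 <= type_id <= 44 or type_id == 70:
        return "monitor"
    if 45 <= type_id <= 69 or 100 <= type_id <= 119:
        return "control"
    return "other"


def decode_cp56time2a(raw: bytes):
    """Seven-octet binary time: ms, minute (+invalid bit), hour, day (+day of week), month, year since 2000."""
    (ms,) = struct.unpack("<H", raw[0:2])
    invalid = bool(raw[2] & 0x80)
    stamp = datetime(2000 + (raw[6] & 0x7F), raw[5] & 0x0F, raw[4] & 0x1F,
                     raw[3] & 0x1F, raw[2] & 0x3F, ms // 1000, (ms % 1000) * 1000)
    return stamp, invalid


def parse_asdu_header(asdu: bytes) -> dict:
    """Type ID, variable structure qualifier, two-octet cause of transmission, two-octet common address."""
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, originator, common_address = struct.unpack("<BBBBH", asdu[:6])
    return {"type_id": type_id,
            "type_name": TYPE_IDS.get(type_id, "type %d" % type_id),
            "direction": direction_of(type_id),
            "sequence": bool(vsq & 0x80),
            "num_objects": vsq & 0x7F,
            "cause": cot & 0x3F,
            "test": bool(cot & 0x80),
            "negative": bool(cot & 0x40),
            "originator": originator,
            "common_address": common_address,
            "objects": asdu[6:]}


def parse_apdu(apdu: bytes) -> dict:
    """Start byte, length, four control octets; the low bits of octet 1 select I, S or U format."""
    if len(apdu) < 6 or apdu[0] != START:
        raise ValueError("not an IEC 104 APDU")
    if apdu[1] != len(apdu) - 2:
        raise ValueError("APDU length field does not match the frame")
    c1, c2, c3, c4 = apdu[2:6]
    if c1 & 0x01 == 0:                       # I-format: numbered information transfer
        out = {"format": "I",
               "send_seq": ((c2 << 8) | c1) >> 1,
               "recv_seq": ((c4 << 8) | c3) >> 1}
        out.update(parse_asdu_header(apdu[6:]))
        return out
    if c1 & 0x03 == 0x01:                    # S-format: supervisory acknowledgement only
        return {"format": "S", "recv_seq": ((c4 << 8) | c3) >> 1}
    return {"format": "U",                   # U-format: unnumbered control function
            "function": U_FUNCTIONS.get(c1, "unknown 0x%02X" % c1)}


def clock_sync_time(apdu: bytes) -> datetime:
    """For a C_CS_NA_1 (type 103) command, return the time the master is writing to the IED."""
    parsed = parse_apdu(apdu)
    if parsed.get("type_id") != 103:
        raise ValueError("not a clock synchronization command")
    # one information object: 3-octet information object address followed by CP56Time2a
    return decode_cp56time2a(parsed["objects"][3:10])[0]


# Constructed sample APDUs (not captured traffic)
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
S_FRAME = bytes.fromhex("68 04 01 00 0A 00")
INTERROGATION = bytes.fromhex("68 0E 00 00 02 00 " "64 01 06 00 01 00 " "00 00 00 14")
CLOCK_SYNC = bytes.fromhex("68 14 02 00 04 00 " "67 01 06 00 01 00 " "00 00 00 "
                           "24 77 14 0A 0F 03 0B")

if __name__ == "__main__":
    for name, frame in [("STARTDT", STARTDT_ACT), ("S-frame", S_FRAME),
                        ("interrogation", INTERROGATION), ("clock sync", CLOCK_SYNC)]:
        print(name, parse_apdu(frame))
    print("clock sync sets IED time to", clock_sync_time(CLOCK_SYNC))
```

Nothing in the APCI or ASDU header carries a credential: any host that can open the TCP session, send STARTDT and keep the sequence numbers consistent can issue control-direction ASDUs, including a clock synchronization with a time of its choosing.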
34. DNP3
• Set of communication protocols used between components of a SCADA system
• Used for communications between the RTU and the IEDs (field devices)
• Implements the communication layers established by the Enhanced Performance Architecture (EPA)
40. Network technologies in SCADA Systems
• Many SCADA networks still use RS-232/RS-485 buses to connect all components
– But because the data also has to be accessed quickly from IP networks, serial-to-IP gateways are used to reach serial RTUs and IEDs
– The result is a lot of hybrid SCADA networks with both serial and IP components
– Through those gateways the serial devices become reachable by outsiders on the corporate network
41. Lack of authentication in application protocol
• The SCADA protocols do not perform bi-directional authentication to ensure that all parties are trusted
– Commands are simply sent; there is no login, key or signature to check
– Data is sent to whatever IP address is configured as master
– IP spoofing therefore works against any MTU or field device: a frame is accepted because of where it appears to come from
– Any command the protocol defines can be sent, including writes
42. Lack of confidentiality in application protocol
• The SCADA protocols do not encrypt the information they carry
– Modbus, IEC 101/104 and DNP3 transmissions can be read by anyone on the network path
– Man-in-the-middle attacks can be performed on the network
– MTU traffic can be intercepted and redirected to any IED with any desired change
– There is no way to tell trusted traffic from forged traffic
43. What could be done?
• Let's see how a master station sets the current timestamp on an IED
• Let's see how the attacker changes it
• The attacker can issue both write commands and read commands
• DEMO TIME!
45. What you cannot do with SCADA
• Protocol delay is usually a BIG issue in SCADA
– Water supply and oil SCADA tolerate large delays because they have no consequence for the process
– Power SCADA is critical. A delay higher than 5 milliseconds could end in a massive blackout because a breaker in a substation failed to open in time
– Be careful what you add to protect your SCADA: every inline device adds latency
47. Monitor your network
• A SCADA traffic baseline is mandatory
– You need to know which applications and protocols transit your network, and between which hosts
– Inside the SCADA protocols you monitor the functions being used, which tells you what is being done to the industrial process
– Unauthorized applications or unexpected functions could indicate a breach trying to perform operations or gather information on the IEDs
48. Monitor your network (2)
• Use a Network Intrusion Prevention System
– You can use a conventional IPS if it is fast enough not to add delay to your network
– Not all of them support SCADA protocols
– Snort ships Modbus and DNP3 preprocessors, so rules can match on function codes and unit IDs. With other engines you have to write your own byte-level rules
– Industrial Defender's solution works pretty well as it includes lots of SCADA signatures
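Added example, not from the deck or from any vendor product: the baseline approach of slides 47 and 48 applied to Modbus/TCP. The IP addresses, the master list, the allowed function codes and the sample requests are all constructed. The logic flags requests from hosts that are not configured masters, writes from such hosts (decoding which coil or register they would change), the diagnostic and identification functions an intruder uses to enumerate IEDs, and any function code outside the recorded baseline.

```python
"""Baseline-driven detection for Modbus/TCP requests (added example, constructed sample traffic)."""
import struct

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
RECON_FUNCTIONS = {8: "Diagnostic", 17: "Report Slave ID", 43: "Read Device Identification"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """MBAP header (transaction, protocol, length, unit) then the PDU. No CRC: TCP carries the frame."""
    if len(payload) < 8:
        raise ValueError("too short for an MBAP header and function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", payload[:7])
    if protocol != 0:
        raise ValueError("protocol identifier %d is not Modbus" % protocol)
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d does not match %d payload bytes" % (length, len(payload)))
    return {"transaction": transaction, "unit": unit, "function": payload[7], "data": payload[8:]}


def describe_write(function: int, data: bytes) -> str:
    """Decode address and value of the single-item writes so the alert says what would change."""
    if function in (5, 6) and len(data) >= 4:
        address, value = struct.unpack(">HH", data[:4])
        if function == 5:
            value = "ON" if value == 0xFF00 else "OFF"
        return "%s at address %d -> %s" % (WRITE_FUNCTIONS[function], address, value)
    return WRITE_FUNCTIONS.get(function, "function %d" % function)


class ModbusBaseline:
    """What the plant normally looks like: who the masters are and which functions they use."""

    def __init__(self, masters, allowed_functions):
        self.masters = set(masters)
        self.allowed_functions = set(allowed_functions)

    def inspect(self, src_ip: str, dst_ip: str, payload: bytes) -> list:
        """Return alert strings for one request; an empty list means it matches the baseline."""
        prefix = "%s -> %s" % (src_ip, dst_ip)
        try:
            pdu = parse_modbus_tcp(payload)
        except ValueError as exc:
            return ["%s malformed Modbus/TCP: %s" % (prefix, exc)]
        fc, alerts = pdu["function"], []
        prefix += " unit %d" % pdu["unit"]
        if src_ip not in self.masters:
            alerts.append("%s request from a host that is not a configured master" % prefix)
        if fc in WRITE_FUNCTIONS and src_ip not in self.masters:
            alerts.append("%s unauthorized write: %s" % (prefix, describe_write(fc, pdu["data"])))
        if fc in RECON_FUNCTIONS:
            alerts.append("%s reconnaissance function %s (FC %d)" % (prefix, RECON_FUNCTIONS[fc], fc))
        if fc not in self.allowed_functions:
            alerts.append("%s function code %d outside the traffic baseline" % (prefix, fc))
        return alerts


# Constructed sample requests (src, dst, MBAP + PDU); not captured from a real network.
MASTER, RTU, STRANGER = "10.0.0.10", "10.0.0.50", "10.0.5.77"
SAMPLE_PACKETS = [
    (MASTER, RTU, bytes.fromhex("0001 0000 0006 01 03 0000 000A")),    # read 10 holding registers
    (STRANGER, RTU, bytes.fromhex("0002 0000 0006 01 05 0001 FF00")),  # force coil 1 ON
    (STRANGER, RTU, bytes.fromhex("0003 0000 0005 01 2B 0E 01 00")),   # read device identification
    (MASTER, RTU, bytes.fromhex("0004 0000 0006 01 06 0010 0001")),    # preset register 16 to 1
    (STRANGER, RTU, bytes.fromhex("0005 0001 0006 01 03 0000 0001")),  # protocol id 1: not Modbus
]

BASELINE = ModbusBaseline(masters=[MASTER], allowed_functions=[3, 4, 6, 16])


def inspect_all(packets=SAMPLE_PACKETS, baseline=BASELINE) -> list:
    """Run the baseline over a packet list; one alert list per packet, in order."""
    return [baseline.inspect(src, dst, payload) for src, dst, payload in packets]


if __name__ == "__main__":
    for (src, dst, _), alerts in zip(SAMPLE_PACKETS, inspect_all()):
        print("%s -> %s: %s" % (src, dst, alerts or "matches baseline"))
```

Snort's Modbus preprocessor exposes the same fields to rules through the modbus_func and modbus_unit options, so once a baseline like this is known it can be turned into IPS rules; the script form is useful first, for building the baseline from captures and reviewing what the masters actually do before anything is blocked inline.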
49. Control unauthorized changes to Master Terminal Unit
• SCADA platforms are designed to last from 10 to 20 years
– Too many technology changes happen in that time
– Lots of security issues to deal with, on systems that cannot be patched often
– Need a solution that prevents any change inside the computers, since intrusions change the filesystem, configurations and system processes
51. Control unauthorized changes to Master Terminal Unit (3)
• Control any change inside your SCADA servers
– McAfee Integrity Control works pretty well
– Defines what can be changed and by whom
– Lots of custom logs to choose from
– Can send events to any SIEM configured in the network
52. Monitor attacks to Master Unit
• A Host IPS is definitely needed, as any attack could change the integrity and stability of the process
• Availability is critical to a SCADA system and cannot be compromised
• Conventional Host IPS makes extensive use of CPU and can affect performance inside SCADA
53. Monitor attacks to Master Unit (2)
• Industrial Defender Host IPS works pretty well
• Works seamlessly with the Siemens Spectrum platform
• Does not load the machine or need extensive bandwidth to perform its checks
• Central console to perform operations across the platform