Presentation On Research Plan For Cyber Security of Industrial Control System (ICS)

The presentation outlines a research plan focused on the cybersecurity of Industrial Control Systems (ICS), detailing protocols such as Modbus and HART, which lack encryption and authentication features. It discusses various types of Distributed Denial of Service (DDoS) attacks targeting ICS and proposes methods for enhancing cybersecurity, including deep packet inspection and advanced encryption standards. Additionally, it introduces a Security Process Unit (SPU) for implementing these security measures in existing industrial systems.

Uploaded by: tausif.bracu16

Presentation on Research Plan for Cyber Security of Industrial Control System (ICS)
By Tausif Nazim
ID - 66132400050
Modbus Protocol
- Introduced by Schneider Electric
- Uses Master / Slave Architecture
- Supports both serial communication (RS-232, RS-485) and Ethernet communication (Modbus TCP/IP)
- Supports various data types, including binary (Coils), discrete inputs, input registers, and holding registers.
Structure of the Modbus/TCP Protocol Data Packet
- PDU = Protocol Data Unit = Function Code + Data
- MBAP Header = Modbus Application Header
- ADU = Application Data Unit = Application Header + PDU + Error Check

As evident from the data packet structure, there is no encryption in the header portion. The protocol also lacks identity authentication of the sender and access-control authorization.
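To make the ADU layout above concrete, here is an added Python parser (not from the presentation) that splits a constructed Modbus/TCP frame into its MBAP header and PDU; the function names and the sample frame are my own, and the point it shows is that every field is plaintext with nothing that identifies or authenticates the sender.

```python
import struct
from dataclasses import dataclass


@dataclass
class ModbusAdu:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusAdu:
    """Split a Modbus/TCP ADU into MBAP header fields and PDU.

    MBAP = transaction id (2) + protocol id (2, always 0) + length (2)
           + unit id (1); length counts the unit id plus the PDU bytes.
    Modbus/TCP carries no checksum of its own (error checking is left
    to TCP) and, as the slide notes, no authentication or encryption:
    anyone who can reach the socket can build a valid frame.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusAdu(tid, pid, length, uid, frame[7], frame[8:])


def build_write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Constructed sample: function 0x06 (Write Single Register)."""
    pdu = struct.pack(">BHH", 0x06, addr, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


# Constructed sample frame: transaction 1, unit 17, write 0x1234 to register 0x0010
SAMPLE = build_write_single_register(1, 17, 0x0010, 0x1234)

if __name__ == "__main__":
    print(parse_modbus_tcp(SAMPLE))
```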
HART Protocol
- It is a hybrid analog + digital open protocol for industrial automation.
- HART works over the 4-20 mA current loop.
- Used for sensors and actuators.
- Can be wired or wireless.

Structure of the HART Protocol Data Packet
- Preamble bytes for synchronization and detection.
- Start byte indicates master number and launch of communication.
- Checksum is the XOR of all bytes from the start byte to the last byte of data.
- No encryption for the data packet.

Types of Distributed Denial of Service (DDoS) Attack in Industrial Control System
- Volumetric DDoS Attack
  * Flooding the server of the industrial control system with requests.
  * Focus is to slow the process of production and monitoring.
  * Aims to consume CPU resources and bandwidth.
  * ICMP floods and TCP flooding are generally used for such attacks.
- Protocol DDoS Attack
  * Most common type of DDoS attack in ICS.
  * SYN (synchronization) flooding is the most used DDoS attack for TCP.
  * Aims to consume CPU resources and bandwidth.
  * ICMP floods and TCP flooding are generally used for such attacks.
- Application Layer DDoS Attack
  * Targets the SCADA software.
  * Open-source software is the most vulnerable.
  * Aims to stop access to system control and monitoring.
  * Can mimic the generic traffic pattern of the network.
Man in the Middle (MiTM) Attack
- Focuses on intercepting data packets between PLCs and SCADA software.
- Exploits the vulnerabilities of protocols with no encryption.
- Can gain access to sensitive industrial intellectual property by intercepting communication between software and peripherals.
- Data can be tampered with.
Programmable Logic Controller Memory/Register Attack
Types of PLC Memory Attack
- Control Logic Injection Attack
- Variable Memory Tampering Attack
- Configuration Tampering Attack
- Firmware Modification Attack

PLC Memory Map (figure)

Proposed Methods on Cybersecurity for Industrial Control System
- Deep Packet Inspection by Industrial Firewall.
- Implementing Advanced Encryption Standard (AES) at the Hardware Level and Transmission Level.
- Implementing Hash Authentication by External Device.
- Security Process Unit (SPU) for Encrypting and Decrypting Data Packets.
- Modifying the Existing Modbus Protocol with Encryption.
- Using the MAC Address of PLCs for the Encryption Algorithm.
- Packet Filtering for DDoS Attack Detection.
- Identity-Based Digital Signature.
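One way the "hash authentication by external device" item could work, as an added example that is not the presentation's or the SPU project's code: the external device appends an HMAC-SHA256 tag to each outgoing Modbus/TCP ADU and the receiving side rejects any frame whose tag does not verify, which turns the tampering described under the MiTM attack into a detectable event. HMAC-SHA256 is my stand-in for the unspecified hash scheme, and the key, frame and function names are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo key: in the proposed design it would be provisioned
# into the external device / SPU, never sent in the PLC's plaintext traffic.
DEMO_KEY = b"demo-key-not-for-production"
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended after the ADU


def authenticate(frame: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Append an HMAC-SHA256 tag computed over the whole Modbus/TCP ADU."""
    tag = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    return frame + tag


def verify(wrapped: bytes, key: bytes = DEMO_KEY) -> Optional[bytes]:
    """Return the bare ADU if the tag verifies, otherwise None.

    compare_digest avoids leaking tag bytes through timing. The tag covers
    the MBAP transaction id as well, so a receiver that also tracks seen
    transaction ids can refuse replays; that check is left to the caller.
    """
    if len(wrapped) <= TAG_LEN:
        return None
    frame, tag = wrapped[:-TAG_LEN], wrapped[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return frame


# Constructed ADU: transaction 1, unit 17, Write Single Register 0x0010 := 0x1234
PLAIN = struct.pack(">HHHBBHH", 1, 0, 6, 17, 0x06, 0x0010, 0x1234)

if __name__ == "__main__":
    wrapped = authenticate(PLAIN)
    print("authentic:", verify(wrapped) == PLAIN)
```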
Security Process Unit (SPU)
- Based on Xilinx's ZYNQ series FPGA.
- Supports communication protocols like Modbus-TCP, OPC UA, Profinet, IEC 60870-5-104 and DNP3.
- Based on Linux.
- Can be used with existing PLCs in industry.

SPU Prototype (figure)
Proposed AES Encryption Implementation in Software
AES Encryption/Decryption Algorithm (figure)
PLC for Research Purpose
- Arduino Opta RS485
