
Updated thesis report

Shreyas Srinivasa 8 years ago
parent commit 3f6b7956d6

+ 2 - 2
src/de/tudarmstadt/informatik/hostage/protocol/HTTP.java

@@ -220,7 +220,7 @@ public class HTTP implements Protocol {
 						Context.MODE_PRIVATE).getString("os", "");
 		if (profile.equals("Nuclear Power Plant")) {
 
-			htmlDocumentContent = "<font color="+"\"339966\""+">"+" <b>Welcome to Siemens Simatic S7 200 Portal</b>\n"+"<img src="+"" + "\"http://jewishbusinessnews.com/wp-content/uploads/2014/04/siemens-logo.jpg\""+"alt="+"\"Siemens Logo\""+">";
+			htmlDocumentContent = "<font color="+"\"339966\""+">"+" <b>Welcome to Siemens Simatic S7 200 Management Portal</b>\n"+"<img src="+"" + "\"http://jewishbusinessnews.com/wp-content/uploads/2014/04/siemens-logo.jpg\""+"alt="+"\"Siemens Logo\""+">";
 			htmlTitleContent="Siemens Simatic S7 200 Home";
 
 			HTTP.setHtmlDocumentContent(htmlDocumentContent,htmlTitleContent);
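Review bot: the `<img>` tag assembled on the `+` line is missing the space between the `src` value and `alt=`: the pieces `"\"http://jewishbusinessnews.com/wp-content/uploads/2014/04/siemens-logo.jpg\""+"alt="` concatenate to `...siemens-logo.jpg"alt="Siemens Logo"`, which browsers tolerate but which is invalid HTML and a cheap fingerprint for anyone comparing this banner page against a real device. The `<font color="339966">` value is also missing its `#`. Beyond the markup, the logo is hot-linked from a third-party news site, so every visitor of the honeypot (including an attacker inspecting it by hand) is sent to an unrelated external host, and the page silently breaks if that URL goes away; bundle the image with the app or serve it from the honeypot itself. Writing the document as a single string literal instead of the `"<img src="+"" + "\"...` concatenation would have made the missing space obvious. The wording change to "Management Portal" is fine but fixes neither issue.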
@@ -292,7 +292,7 @@ public class HTTP implements Protocol {
 							Context.MODE_PRIVATE).getString("os", "");
 
 
-			String[] sources = new String[]{"djxmmx.net", "alpha.mike-r.com"};
+			String[] sources = new String[]{"djxmmx.net"}; //, "alpha.mike-r.com"};
 			SecureRandom rndm = new SecureRandom();
 
 				try {
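Review bot: commenting out `alpha.mike-r.com` leaves `sources` with one element, so the `SecureRandom rndm` created on the next line now always selects `djxmmx.net` and the random source selection is dead code. If the second host was dropped because it is unreliable, delete it instead of leaving a trailing `//, "alpha.mike-r.com"};` comment inside the array literal, and add a comment explaining why only one source remains. With a single external dependency the `try` block that follows needs a fallback for when that host is unreachable, otherwise the honeypot's response depends entirely on a host the project does not control.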

+ 32 - 0
thesis_report/Thesis_Report.tex

@@ -91,8 +91,36 @@
   The honeypot architecture design used a combination of high-interaction and pure-production honeypots. A total of three honeypots were created to ensure as much of the target surface as possible. All three honeypots were Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the United States. 
          
    \subsection{SCADA ICS}
+
+SCADA is an industrial automation control system at the core of many indutries today including Energy, Oil and Gas, power, Water and Recycling , Manufacturing and many more. They are used by both private sector industries and the public sector service providers. It provides the benefit of simple configuration and usability. 
+
+The basic architecture of SCADA involves communication of information from sensors or manual inputs to PLCs or RTUs. These PLCs process the information as per the logic deployed in them and then forward this information to workstations/servers running SCADA applications. SCADA systems usually involve the following componenets:
+
+RTU(Remote Terminal Units):These units connect to sensors in the process and convert sensor signals to digital data. They have telemetry hardware capable of sending digital data to the supervisory system, as well as receiving digital commands from the supervisory system. RTUs often have embedded control capabilities in order to accomplish boolean logic operations.
+
+Programmable logic controller (PLCs): These devices connect to sensors in the process and convert sensor signals to digital data. PLCs have more sophisticated embedded control capabilities than RTUs. PLCs do not have telemetry hardware, although this functionality is typically installed alongside them. PLCs are sometimes used in place of RTUs as field devices because they are more economical, versatile, flexible, and configurable.
+
+Telemetry system: It is typically used to connect PLCs and RTUs with control centers, data warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems include leased telephone lines and WAN circuits. Examples of wireless telemetry media used in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and microwave.
+
+Data and Control Server: A data acquisition server is a software service which uses industrial protocols to connect software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to access data from these field devices using standard protocols.
+
+Human–Machine Interface or HMI: It is the apparatus or device which presents processed data to a human operator, and through this, the human operator monitors and interacts with the process. The HMI is a client that requests data from a data acquisition server.
+
+Historian software:  A software service which accumulates time-stamped data, boolean events, and boolean alarms in a database which can be queried or used to populate graphic trends in the HMI. The historian is a client that requests data from a data acquisition server.
+
+
+SCADA applications help in monitoring, analysing the data  to help the device controllers and operators work efficiently. Modern SCADA systems allow real time data from the plants to be accessed from anywhere in the world. This also means that it provides attackers an opportunity to exploit this data and availability. Exploiting SCADA systems can cause catastrophic as it may result in huge damage to the environment and people in the plant. We try to identify the attacks and exploits that could be made and detect them using a mobile honeypot.
+
+
    
    \subsection{MODBUS}
+
+MODBUS is a serial communications protocol published by Modicon for using in its PLCs. It is now a standard that connects industrial devices together. The basic configuration involves connecting a SCADA supervisory control system to a PLC or RTU. Many of the data types are named from its use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
+
+
+
+
+
    
    \subsection{Mobile Honeypots}
        
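Review bot: the new SCADA and MODBUS text needs a spelling and wording pass before the report is built: "indutries", "componenets", "Recycling ,", the double space in "analysing the data  to", "for using in its PLCs", and "Exploiting SCADA systems can cause catastrophic as it may result in huge damage" (a noun is missing after "catastrophic"). The RTU and PLC entries open with the same sentence ("connect to sensors in the process and convert sensor signals to digital data"), so one of them should instead state what distinguishes the two; the text then says PLCs carry the richer embedded logic and RTUs the telemetry hardware. The component list is typed as bare paragraphs with "Name: text" prefixes; a `\begin{description}` list with `\item[RTU (Remote Terminal Unit)]` and so on would match the document's LaTeX conventions and render consistently. The Modbus paragraph covers only the serial master/slave model (one master, up to 247 slaves with addresses 1 to 247); since the honeypot is Internet facing, Modbus/TCP on port 502 should be mentioned here or in the still-empty "Understanding MODBUS" subsection. Use "Boolean" consistently (the next hunk capitalises it).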
@@ -128,8 +156,12 @@
        
        
       \subsection{Architecture of Siemens SIMATIC s7 200}
+
+The Siemens S7 200 is a micro-programmable logic controller which can control a wide variety of devices to support various automation needs. The S7-200 monitors, inputs and changes outputs as controlled by the user program, which can include Boolean logic, counting, timing, complex math operations, and communications with other intelligent devices. It can control and communicate with devices like automatic pressure controllers, centrifuge pumps, water cooling systems. The STEP 7--Micro/WIN programming package provides a user-friendly environment to develop, edit, and monitor the logic needed to control the application that monitor devices. The Siemens Simatic S7 PLC's use PROFINET which is based on Ethernet for communication. There are over 3 million PROFINET devices deployed worldwide. 
       
       \subsection{Understanding MODBUS}
+
+
       
       \subsection{Vulnerability Analysis of SIMATIC s7 200}
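Review bot: in the S7-200 paragraph, "The S7-200 monitors, inputs and changes outputs" has a stray comma (it should read "monitors inputs and changes outputs"), "micro-programmable logic controller" should be "micro programmable logic controller", "PLC's" should be "PLCs", and "the logic needed to control the application that monitor devices" does not parse. Two claims need a source or qualification: "There are over 3 million PROFINET devices deployed worldwide" has no citation, and "The Siemens Simatic S7 PLC's use PROFINET" should not be applied to the S7-200 without qualification, since the S7-200 CPUs communicate over PPI on RS-485 and get Ethernet only through an add-on CP 243-1 module; cite the S7-200 system manual for whichever interface the emulated device is meant to expose, given that the HTTP banner in this same commit presents it as a web "Management Portal". The "Understanding MODBUS" subsection gains only two blank lines here and remains empty; either fill it or remove the heading until there is content.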