OpTech

Walkthrough of discovering and attacking an OT/ICS system that uses the Modbus protocol.

Introduction to OT/ICS

Operational Technology (OT) is essentially a dedicated, tailored mixture of hardware and software used to control industrial equipment. There is a wide variety of such systems, including Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). The protocols used inside industrial control systems are usually quite specific to the application. In many cases they are built by vendors to require specific software and hardware for proprietary systems. Irrespective of the origin of the protocol, however, they have one aspect in common: they were not designed with security in mind and are inherently insecure. This has become a significant problem with their convergence with IT networks and the now-dominant Transmission Control Protocol (TCP)/Internet Protocol (IP)-based protocols, so understanding these security flaws and how they are exploited is crucial for penetration testing and threat modeling.

Introduction to Modbus protocol

Modbus, developed and published by Modicon in 1979 for use with its PLCs, is an application layer messaging protocol positioned at layer 7 of the OSI model. It provides client/server communication between devices connected to buses or networks. The client requesting the information is called the Modbus master, and the server supplying the information is the Modbus slave. In a standard Modbus network there is one master and up to 247 slaves, each with a unique address from 1 to 247. The connection between master and slave is asymmetric: only the master has write permissions on the slaves. Modbus is the most widely used network protocol in industrial manufacturing environments and the most common SCADA protocol. Modbus is used to read and write “registers”, which are 16 bits long. The most common register type is the “holding register”, which is readable and writable; the “input register” type is read-only. “Coils” and “discrete inputs” are 1 bit long: coils are readable and writable, discrete inputs are read-only. The most common Modbus functions are:

1 – Read Coil

2 – Read Discrete Input

3 – Read Holding Registers

4 – Read Input Registers

5 – Write Single Coil

6 – Write Single Holding Register

15 – Write Multiple Coils

16 – Write Multiple Holding Registers
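Added example, not part of the original walkthrough or its script package: a Modbus/TCP request encoder and parser for the function codes above, plus a check that picks out the write requests (5, 6, 15, 16) in a stream of captured frames, which is what a monitoring rule on an ICS segment would look for. The function names and the sample frames are constructed here, not taken from the room.

```python
import struct

# Function codes listed in the walkthrough; 5, 6, 15 and 16 change plant state.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil",
    6: "Write Single Holding Register", 15: "Write Multiple Coils",
    16: "Write Multiple Holding Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

def build_request(transaction_id, unit_id, function, address, count_or_value):
    """Encode a fixed-size Modbus/TCP request (functions 1-6): MBAP header + PDU."""
    pdu = struct.pack(">BHH", function, address, count_or_value)
    # MBAP: transaction id, protocol id 0, length of unit id + PDU, unit id.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_request(frame):
    """Decode the MBAP header and the leading PDU fields of a request.

    For functions 1-6 the two 16-bit fields are address and count/value; for
    15 and 16 they are the starting address and quantity (data follows).
    """
    if len(frame) < 12:
        raise ValueError("frame shorter than MBAP header plus minimal PDU")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier %d is not Modbus (0)" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    function, address, quantity = struct.unpack(">BHH", frame[7:12])
    return {
        "transaction_id": tid, "unit_id": uid, "function": function,
        "name": FUNCTION_NAMES.get(function, "unknown (%d)" % function),
        "address": address, "count_or_value": quantity,
        "is_write": function in WRITE_FUNCTIONS,
    }

def find_writes(frames):
    """Return the decoded write requests found in a list of captured frames."""
    return [req for req in map(parse_request, frames) if req["is_write"]]

# Constructed sample traffic (not captured from the room): two holding-register
# polls as a discovery script would send, then one write to register 4, unit 1.
SAMPLE_FRAMES = [
    build_request(1, 1, 3, 0, 10),
    build_request(2, 1, 3, 0, 10),
    build_request(3, 1, 6, 4, 1),
]
```

Running `find_writes(SAMPLE_FRAMES)` returns only the function 6 request; in a plant where the master is the sole legitimate writer, a write arriving from any other source address is the event worth alerting on.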

We need to download the attached script package first and scrutinize the scripts a little to answer the first questions.

Which is the function used to read holding registers in the pymodbus library?

Which is the function used to write holding registers in the pymodbus library?

Discovery and play

After installing the necessary TCP library for Python (it was already there for me), we are ready to answer the subsequent questions.

After connecting to the plant using our browser, we can visually inspect how it works and answer some more questions. After the machine is started, the phases are: moving the line up to the first bottle, filling the bottle, and then moving the line on to the next bottle. The sensors are the red and green dots in the picture. The actuators are responsible for switching the plant on/off, starting/stopping the roller and opening/closing the nozzle (the black square).

We can answer the rest of the questions using the discovery.py script or by reading the code itself. Note that if we change the “time.sleep(1)” value to 30 seconds on line 14 of the script, we receive one probe result per phase, which makes the output easier to read.

Now, after starting the script, we can easily answer the questions about the number of registers, how many of them keep changing, the minimum/maximum observed values, which one holds its value, how the registers change during filling/moving the bottles, and which registers are associated with the roller and the water level sensor.

Attack

With the available scripts, and some changes to them, we can do instant and significant damage. That is the way it could work in real life at the industrial level.

Thanks for reading and as always, any feedback is most welcome.