Hindawi Security and Communication Networks Volume 2018, Article ID 3794603, 21 pages https://doi.org/10.1155/2018/3794603

Research Article Vulnerability Analysis of Network Scanning on SCADA Systems

Kyle Coffey, Richard Smith, Leandros Maglaras , and Helge Janicke

De Montfort University, Leicester, UK

Correspondence should be addressed to Leandros Maglaras; [email protected]

Received 14 September 2017; Revised 5 December 2017; Accepted 5 February 2018; Published 13 March 2018

Academic Editor: Jianying Zhou

Copyright © 2018 Kyle Cofey et al. Tis is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICSs) have controlled the regulation and management of Critical National Infrastructure environments for decades. With the demand for remote facilities to be controlled and monitored, industries have continued to adopt Internet technology into their ICS and SCADA systems so that their enterprise can span across international borders in order to meet the demand of modern living. Although this is a necessity, it could prove to be potentially dangerous. Te devices that make up ICS and SCADA systems have bespoke purposes and are ofen inherently vulnerable and difcult to merge with newer technologies. Te focus of this article is to explore, test, and critically analyse the use of network scanning tools against bespoke SCADA equipment in order to identify the issues with conducting asset discovery or service detection on SCADA systems with the same tools used on conventional IP networks. Te observations and results of the experiments conducted are helpful in evaluating their feasibility and whether they have a negative impact on how they operate. Tis in turn helps deduce whether network scanners open a new set of vulnerabilities unique to SCADA systems.

1. Introduction SCADA and ICS technologies are prevalent not only within manufacturing industries, but also within the organ- ICS and SCADA systems are an integral aspect of the modern isations responsible for the safety and wellbeing of citizens industrial environment and the Critical National Infrastruc- around the globe [3]. Water treatment facilities, electrical ture (CNI). For many years, SCADA and ICS networks were grids, and nuclear power stations all rely on a combination of a completely independent sector of any business or agency, SCADA and IP networks in order to control the distribution where the feld devices and industrial mechanisms which and regulation of the services they provide [4]. As these interacted with physical assets were separate from the corpo- industries have become greater in both scale and complexity, rate networks or intranet. However, as Internet technologies the automation and upkeep of all the technology within these became ever more integrated into modern society, and as cor- environments must be handled by machines and computers. porations began to grow exponentially around the globe, the Having the ability to remotely monitor and control large demand for remote auditing and control of industrial systems industrial sights allows companies and industries to expand increased. Tis resulted in the merging of Internet Protocol their capabilities in order to provide more services to the (IP) and SCADA/ICS technologies, which in turn exposed general public, whilst at the same time making the data acces- the older feld devices to a new set of attack vectors, leading to sible to the staf responsible for operating and engineering the unprecedented vulnerabilities when integrated with IP [1]. In technologies in question. Half of signifcant security incidents an age where threats from the cyberdomain are ever evolving, that are occurring are due to a particular element, which the tools used to perform security audits and penetration has not been changed since the inception of information tests against IP systems are subsequently being used on the security management, which is people [5]. All the examples older SCADA/ICS networks. Tese tools, without the correct stated above contain resources which not only are essential confguration, could cause substantial damage to the SCADA to the operation of modern-day life but could potentially devices connected to a business’s infrastructure, rather have devastating consequences if any of these systems were than helping to protect and audit them [2]. to malfunction. Tese systems threaten not only the lives of 2 Security and Communication Networks thepeoplewhousethistechnologybutalsotheenviron- 2. Related Work ments and the civilisations which surround these facilities [6]. Tefocusofthissectionistoexploreandcriticallyanalyse Similar to when a cyberattack is launched against a the current research into the issues with conducting asset company’s database or web server, the exploitation or mis- detection or network scans on SCADA systems with the use of the devices found on a SCADA network can have same tools used on conventional IP networks. Emphasis will negative efects on both the clientele and the corporation be on identifying the diferent types of network scanning [7]. However, unlike the IP networks in abundance today, methods and the tools which are currently available to SCADA systems are threatened not only by hackers wishing security auditors, penetration testers, and black hat hackers. to exploit vulnerabilities in sofware or frmware but also by ReferencewillbemadetothebespokeelementsofSCADA the tools commonly associated with monitoring, auditing, systems, specifcally the types of devices used to monitor and securing networks. Using tools which have not been and control feld equipment such as sensors and valves. confgured to interact with the bespoke devices that reside on Discussion will then be targeted at how the current tools SCADA networks could cause the devices to become unre- areusedonthesebespokedevicesandwhethertheyhave sponsive[2]oralterthedatabeingreceivedbythedeviceor a negative impact on how they operate. Te intention is being stored on the device [7]. In such an event, feld devices toidentifyhowmuchknowledgethereisabouthowthese including water pumps, electricity generators, or pneumatic two technologies interact with each other and where the instruments could either stop functioning or begin to behave signifcant vulnerabilities may lie. erratically, causing damage to either the devices themselves, Te analysis of sources within this document suggests the products they interact with, or the customers who use that a better understanding is needed about how network their facilities. Whereas IP networks can cause signifcant scanners interact with SCADA networks. Te lack of under- damage to intellectual property and personal privacy, there standing of how SCADA devices react to being scanned and is evidence that malfunctioning SCADA systems have caused the subsequent consequences this may have is a signifcant physical damage [8], all of which could be an efect of using factor which underlines the analysis in this document. It is thewrongsecuritytoolsonincompatiblenetworks. clear that network scanners must be directly tested against Although there has been recognition within the industry nonoperational SCADA devices in order to report on how the that the improper use of IP scanners has caused failures two technologies interact and whether they are compatible. within an industrial control process, there has been a lack of Tis will then allow the owners of these systems to better resources directed at educating people on exactly why these understand the consequences of using newer, IP-based tools IP scanners cause issues and whether there are any alternative on older SCADA networks. Tis knowledge will inform the methods which can facilitate a stable scan of a SCADA users of SCADA how to adapt or develop new ways of system. Te existing literature highlights that IP scanners performing asset detection without having damaging impacts are being used to gain information about SCADA systems on not only the devices themselves but the millions of [9], the types of devices that are potentially vulnerable when civilians who rely on the integrity and consistency of these scanned [10], and the consequences of performing scans on systems on a daily basis. live systems [7]. Reconnaissance, whether passive or active, lawful or mali- Te key aim of this article is to identify how network cious, remains one of the most important parts of any strate- scanners interact with SCADA devices and whether or not gic cybersecurity operation [11]. Network scans help visualise they cause signifcant disruption to the way these devices the confguration of a communications infrastructure and operate. Also, the results of this research aim to enhance the help identify possible methods of entry or exploitation. understanding of reconnaissance technologies when applied Reconnaissance can be achieved through service detection to SCADA networks. To do this, experiments need to be and operating system fngerprinting, two key features of conducted in order to monitor how a range of network many network scanning tools [12]. Conducting reconnais- scanners execute their asset/service detection scans and to sancewithinthecyberdomainhasbecomeevenmorevital see if this causes the normal operation of SCADA networks as the CNIs of various countries are now governed and con- to change or malfunction. Once this has been achieved, trolled using computer networks. Tese systems are respon- suggestions and a proof of concept will be made in order to sible for the auditing and control of national grids, power provide an alternative method of scanning SCADA systems stations, water treatment plants, and industrial production withoutdamagingthenetworkitself. lines. As the technology and communication networks that Te following list details the main contributions of the runthesesystemshavebecomeoutdatedandconsequently article: less secure, the question must be asked about how volatile are these devices when conducting network scans? Systems (1) Researching the diferent methods of detecting assets which have a direct impact on the wellbeing of human on a wide variety of diferent networks civilisationarefallingvictimtothesametoolsusedtoaudit (2)Evaluatingthefeasibilityofperformingscanson or attack corporate networks and Internet-based services. SCADA networks and how the results difer from IP Unlike traditional networks which utilise TCP/IP technology, networks ICSs face numerous unique vulnerabilities due to the bespoke (3) Designing and developing a network scanner which devices they use and the confguration of the services and facilitates the requirements of a SCADA network. functionality they provide [13]. IP-based networks can take Security and Communication Networks 3 advantage of Intrusion Detection Systems, frewalls, and anti- explain the technologies and processes behind scans in much malware tools to identify and prevent snooping or open-port greater detail. Collating the information from all the papers, attacks that target a node or network. Te operating systems focussing on the descriptive breakdown of both passive and which have been installed on SCADA/ICS devices such as active scanning methods, and with reference to the tools programmable logic controllers (PLCs) and Remote Terminal and technologies used within SCADA environments, the Units (RTUs) may not have this capability. Furthermore, the following deductions can be made about the two methods of ports which control the transfer of SCADA/ICS data run network scanning. on insecure protocols [14], where even a single unexpected packet could cause a system overhaul and could stop the 2.1.1. Passive Scanning. Passive scanning methods use the normal function of the equipment entirely. As these devices monitoring of network trafc to identify services, hosts, are the interface between networks and industrial assets such and clients. An observation point is set up on the network, as pumps, turbines, and sensors, this could have signifcantly requiring assistance from network administrators or network damaging consequences. Te purpose of this study is to engineers to confgure these systems for optimum results. As investigate the vulnerabilities which are created by the use referenced in Xu et al. [17] passive scanners can be run con- of asset-detection tools on SCADA networks and whether tinuously for large periods of time without disrupting regular they pose a signifcant threat to the integrity of these systems. network trafc or interacting with the devices themselves, as Could the process of scanning a network for assets cause the input data for passive scanning tools is a direct feed of the damage on a national scale? If so, what are the causes? network’s trafc. Tis means that algorithms can be created in order to dissect each protocol. Tis has the potential to extract 2.1. Methods of Network Scanning. Network reconnaissance important information and identifers from each packet. An is an essential stage in any cyberauditing or penetration independent passive scanner designed by Gonzalez and Papa testing operation. Whether using passive scanning systems [18] demonstrates how a simple algorithm can be created to or active probing tools, service discovery and asset detection extract Modbus trafc from a network and gain information are paramount towards assessing the overall vulnerability about master and slave devices as well as monitoring the of a corporate network or industrial infrastructure [15]. status of Modbus transactions. Although the algorithms Te fndings highlighted in [13] give a concise breakdown presented in this article demonstrate the versatility of passive of the diferences between these two methods of network scanners, the tools are still only limited to analysing a single reconnaissance. Details of how each method is executed SCADA protocol. Te validity of the algorithms could also be and how diferent conditions may impact the monitoring challenged as this system was designed and implemented in process give an insight as to which is most benefcial 2007.Tere is a signifcant chance that changes may have been within diferent political, technological, and time-sensitive made to this particular protocol which makes the extraction environments. Tis information, however, fails to address and parsing system redundant [19]. Trough inspection of how either of these techniques would perform on SCADA these papers it is evident that passive systems seem to satisfy systems and gives little detail on the current tools available one of the main criteria of this research, compliance with to facilitate the diferent network scans. Jaronim [16] focuses regular network trafc and the avoidance of interacting with on outlining the current tools that are available within the the volatile feld devices. public domain which can provide full network monitoring and scanning features. Te key tools that are mentioned 2.1.2. Active Probing. Te process of active probing has within this publication are Nmap and Nessus. Although the one signifcant diference to passive snifng: live interaction description and analysis of these tools are not as thorough with the devices. Bartlett et al. [13] defne active probing as the information provided within Bartlett et al. [13], the as “attempting to contact each service at each host. Sending crucial advantage is that the application and suitability of packets to each host and monitoring the response.” Tis is these technologies are directed towards SCADA systems. Tis then contradicted within Deraison and Gula [20], where information is highly advantageous as it helps highlight any it is stated that “any use of a network scanner to fnd signifcant pitfalls in the understanding of how SCADA reacts hosts, services and vulnerabilities is an active assessment.” tonetworkscans,aswellaswhichtechnologiesprovidedthe When comparing the justifcation of active scanning from best results. As this paper was published by the Air Force both papers, the comments provided within Deraison and Institution of Technology in 2013, the technologies, tools, and Gula[20]seembiasedandirrationalonthebasisthatthe scientifc methods they used to conduct their research are organisation publishing this paper has a large investment in more modern than those of Bartlett et al. [13]. A more modern active scanning tools. However, both papers agree regarding approach to assessing the diferent methods of scanning is the pitfalls of active techniques, this method produces data highlighted within Samtani et al. [9]. Like Bartlett et al. [13], for the current state of the system. Tis information could the aim is towards evaluating and understanding scanning become obsolete as time passes, or indeed when repeating the methodologies on SCADA systems. Although this source of same scan at a later date. information is far more modern than that of Bartlett et al. In evaluating the information given in the previous [13], there is a lack of detail when it comes to explaining sources, the process of passively scanning a network seems to howeachmethodofscanningisachieved,aswellashaving be far more applicable to gaining information about devices a very limited scope when identifying the tools used to on an ICS or SCADA network. As referenced in both Bartlett conduct scans. Bartlett et al. work [13], though older, is able to etal.[13]andDeraisonandGula[20]activemethodsrequire 4 Security and Communication Networks some form of interaction with the devices on the network, one of the only research documents to directly relate the which could be one of the potential ramifcations of using sensitivity of SCADA technology to a documented report active tools against SCADA devices, as opposed to the passive of a damaging incident. Although the description of how methodologies discussed in Xu et al. [17] which run for scanning tools operate lacks in sophistication, Jaronim is able alongerperiodatan“observation point” on the network, to link the pitfalls of active scanning to real-world examples removing the need to send or receive data from any devices of SCADA disruption, an area which has been neglected in that are connected. previous sources.

2.2. Existing Tools. From discussing the key advantages 2.2.3. Passive Vulnerability Scanner (PVS). Maintained by and disadvantages of each scanning methodology, attention thesameorganisationresponsibleforNessus,PVSisa can then be brought to the current technologies and tools passive accompaniment to the suite of network scanning tools available in the public domain. provided by Tenable Network Security. Deraison and Gula [20] defne a passive tool to be a mechanism which “snifs 2.2.1. Nmap. Bartlett et al. [13] discuss the use of Nmap network trafc to deduce a list of active systems.” What is as an example of active network probing. Te conditions interesting within this paper is that PVS and passive scanning on which Nmap is used are confned to a very limited asawholeareassociatedwiththe“snifng of a network, as set of network technologies. Te main focus seems to be opposed to scanning.” Both Xu et al. [17] and Gonzalez and standard corporate networks with services such as HTTP, Papa [18] fail to elaborate on this underlying detail. Contrary SSL, MySQL, and SMTP. Te application of Nmap against to initial expectations, Deraison and Gula [20] fail to discuss these services demonstrates how active probing works in a howPVSoranyotherpassivesystemachievesitsgoalsasan TCP/IP environment; however, it fails to address how Nmap unobtrusive scanner. No breakdown of technology is given is used on more bespoke networks such as SCADA and ICS. and there is little evidence of PVS being used successfully Bodenheim [10] gives a more relevant example of Nmap on a range of networks. Seeing as this source is provided being used on the networks of interest. Tis paper provides by Tenable, the validity of the claims in this paper could be explanations behind specifc Nmap commands and how it considered biased, whereas Xu et al. [17] and Gonzalez and achieves the desired output. Tere is, however, no reference to Papa [18] and Myers et al. [22] clearly identify how passive Nmap being an active and intrusive scanning type; therefore technology works and give examples of live experiments. no information is supplied about how this could impact the From the information provided within these sources it seems operation of a SCADA or ICS network. Jaronim [16] supports that the use of passive network snifers over a longer period the information presented in Bartlett et al. [13], enforcing the of time is the most benefcial and nonintrusive way of fact that Nmap is an active probing mechanism. Again it is performing reconnaissance on SCADA systems. evident that there is little understanding as to how probes such as Nmap impact the ordinary functions of SCADA and 2.2.4. ZMap. With similar functionality to Nmap, ZMap is ICS networks. an open-source active network prober designed to perform Internet-scale scans. Te probing of Large Area Networks 2.2.2. Nessus. Nessus is a tool developed by Tenable Network (LANs) is achieved using TCP-SYN and ICMP echo scans. Security. Peterson [21] discusses how Nessus can be used to Tis is addressed in Durumeric, Wustrow, and Halderman scan for vulnerabilities within a control system environment [23].NotonlyistheactivetechnologybehindZMapdis- with reference to “a vulnerability scan that takes down a key cussed in detail, but also each element of the ZMap function- controlsystemserverorcomponent.”Tere is also reference ality is dissected and explained at a substantial technical level, to the damaging efect this could have. Te general opinion including its modular framework for dissecting diferent is that SCADA systems should not be scanned. With this protocols. Amongst these pieces of information, reference is attitude presented at the beginning of the paper, Peterson made to limitations of certain networks which may result in goes on to explain how Nessus works and how it can be thetoolnotworkingcorrectly,particularlywhenthescan tailored to facilitate SCADA networks. Te information that rate of the probing packets being sent is too high for the follows seems to disregard the damaging impact Nessus target infrastructure. Although an experiment was conducted couldhaveonanICS/SCADAsystembystatingthat,due to investigate whether there is a correlation between “scan to the number of plug-ins associated with the tool, some rate” and “hit rate” when probing a network, the results of the extended functionality may cause control systems to are more concerned with the efciency and success of the crash. Tis suggests that there is still a lack of understanding tool itself, not the potential damage this may cause to the as to why these crashes happen, as the remedies in this targetnetwork.Tisisanissuewhenlinkingthisresearchto paper suggest trial and error with the Nessus tool until ICS and SCADA systems, where the focus is on protecting the cause is found. Jaronim [16] acknowledges the Nessus the normal operation of the system rather than evaluating tool and again highlights its potential to cause signifcant thesuccessofthetool.Noreferenceismadetotheuseof disruptions when used on SCADA networks. Tis paper ZMap against SCADA or ICS systems. Li et al. [24] also still fails to specify why Nessus, or even the wider range make reference to ZMap and its ability to probe a multitude of active probing tools, causes this disruption. However, of diferent protocols through the use of plug-in modules. Jaronim brings attention to a report justifying how active Tere is evidence to suggest that ZMap can be used to probe techniques can have damaging consequences. Tis report is protocols such as DNP3, Modbus, and Siemens S7. Although Security and Communication Networks 5

Table 1: A summary of the existing active and passive network scanning tools.

Tool Summary (i) Open source, active (ii) Uses a combination of ping sweeping, SYN scanning, and TCP connecting to determine which hosts reside on a network and which services they are operating. Nmap + ZMap (iii) Version detection or full TCP connection could cause legacy systems to misbehave. (iv) Nmap Scripting Engine has allowed for bespoke modules to be created for SCADA protocols such as Modbus. (v) Could potentially threaten the operation of a ICS/SCADA system. (vi) ZMap has an almost identical capability but can scan Large Area Networks. (i) Commercial, active (ii) Working on a “policy” framework, Nessus allows users to conduct host discovery and vulnerability analysis Nessus in a similar way to Nmap, again using ICMP, TCP, and ARP scanning. (iii) Unlike Nmap, Nessus has the ability to actively probe each service to report on potential vulnerabilities, which could cause accidental DoS on SCADA systems. (i) Commercial, passive (ii) Uses interface packet snifng to dissect and analyse the data being sent over the network in order to gain Passive Vulnerability information about the assets and services being deployed. Scanner (iii) Although it does not require any form of direct probing with nodes, PVS must be continuously ran in order to gain a better understanding of the network it is monitoring. (iv) It is not intrusive, but the time it takes to analyse trafc is signifcantly higher than the active alternatives. (i) Open source/membership based, active (ii) Uses similar techniques to Nmap, ZMap, and Nessus to fnd the services that are running on internet-facing devices. Shodan (iii) All results are then stored in a database for users of the Shodan search engine to query against. (iv) As this tool uses the same technology as other active scanners, it too poses the risk of afecting ICS/SCADA systems, especially as it has the capability to scan globally, meaning any CNI running legacy sofware could be at a signifcant risk. (v) Shodan has the potential to bring unwanted malicious attention to ICS/SCADA networks through the storing and reporting of information about ICS infrastructures. this information shows that ZMap can be used on these researchisthetypeofnegativeimpactthatoccursafer networks, there is no evaluation of the success or the efects a Shodan scan. Whereas the key focus of this research is this tool has on the devices themselves. Unlike the paper by to fnd how the physical devices are afected, this source Durumeric et al. [23], there is no information present within wishes to answer the question of whether or not an ICS this research which highlights potential performance issues or SCADA system will become more vulnerable because that could be linked to the network type. On the other hand, oftheirpresenceontheShodandatabase,whichinturn neither paper addresses the potential impact this tool could may convince malicious minds or state programs to attack have on the physical devices being probed. thesesystems.Teaimhereisnottodeducethephysical consequencestothefelddevicesbutratherdoesaShodan 2.2.5. Shodan. Shodan is a service which acts as a search scan encourage attacks? Jaronim’s work [16] remains to be the engine to identify and index Internet-facing devices. Shodan only paper to directly acknowledge potential physical damage has become of signifcant interest as many ICS and SCADA thatcanbedonebyactivescannerssuchasShodan.Tis systems are identifable via this tool. Bodenheim [10] directly paper, however, lacks the hypotheses and experimentation explores how the technology behind Shodan impacts the with active tools which run throughout Bodenheim [10]. devices connected to ICS. Te level of detail supplied about Tis study provides a summary of each of these tools. howShodanobtainsitsdataisnotasthoroughastheprevious Table 1 gives a concise breakdown of the key information sources discussing the other scanning tools. However, the about each of the tools referenced within this section. general premise of the paper is diferent as it focuses on the possible harmful nature of network scanning techniques 2.3. Te Impact on SCADA Systems. Afer consulting numer- from its start. As the potential harms that scanners could ous sources to gain information about the current network cause are only briefy discussed in previous sources, Boden- scanners, their methods of execution, and whether they heim [10] addresses research hypotheses relevant to the show any sign of harming the physical network devices, negative impact of using Shodan against ICS and SCADA it is evident that minimal research has been conducted systems. Where this paper draws signifcant diferences in which emphasizes the potentially devastating consequences 6 Security and Communication Networks of an active scan and whether it causes disruption to ICS how they difer to the more conventional IP-based systems. and SCADA feld equipment. Although the information As most tools for security auditing or ethical/unethical presented within the paper by Jaronim [16] does not conduct hackingweredevelopedforIP-basednetworks,itisvitalto research or experiments into how network scanners afect understand how an ICS or SCADA system difers in terms of physical devices, there is reference made to a report written by the physical devices present on the network, what embedded the Sandia National Laboratory which gives “actual examples or bespoke sofware is installed on those devices, and how of negative behaviour in response to network scans.” Following that may cause defects or irregularities when faced with the the references made within both Jaronim [16] and Bodenheim existing scanning tools. Chromik et al. [25] give an extensive [10], the report of Duggan et al. [7] discloses the details of review as to how SCADA systems work on the physical multiple failed asset-detection operations performed on an layer of networking. programmable logic controllers (PLCs), active Process Control Systems (PCS) and SCADA systems. Remote Terminal Units (RTUs), and Intelligent Electronic A ping sweep being used to gain information about the Devices (IED) are all referenced within this paper, with details devices connected to the network caused a robotic arm to about how data from feld devices is acquired or monitored by move 180 degrees, despite being in a standby state before one of these physical machines. SCADA servers, historians, the sweep was initiated. A similar ping sweep was conducted and Human Machine Interfaces (HMIs) are also mentioned on a PCS network causing a circuit fabrication machine to as part of an informal system description, where the basic hang on operation, resulting in m50k worth of damage to the hierarchy and control fow of SCADA are outlined at a high production line. Lastly, a penetration test was conducted on a level. Although this paper is able to highlight the main devices SCADA system responsible for gas utility. As a result of using which are both unique and essential to SCADA and ICS, the penetration testing equipment, the system froze, meaning no amount of detail given as to how each device functions and gas could be distributed outside of the plant, causing a loss of communicates, in particular focussing on layers 3–7 of the service to the customers of the plant for 4 hours. Tis source Open Systems Interconnection (OSI) model, is signifcantly then goes on to describe possible remedies for some of these lacking in content and depth. Having knowledge of how failures. Despite suggesting alternate methods of gaining the each device utilises its data through each one of the OSI same data as the failed network scans, the report does not layers would be highly advantageous towards developing a elaborate on how these scanners afected the devices in great clear understanding of how the process and services present detail or whether there has been any successful deployment on these SCADA nodes could potentially compromise the of the replacement methods. As the report was submitted whole system. Tis paper fails to provide details in this in 2005, there may be the possibility that the technology area. National Communications System (2004) is much more once afected by scanning and probing tools may have been descriptive about not only the physical devices which form patched or secured since then. However, relating this report aSCADAsystembutalsotheprotocolstheyuse.Here, to the more modern sources referenced within this section, SCADA data fow is explained using examples of the devices there is no evidence to suggest that there has been signifcant mentioned in Chromik et al. [25]. However, the description development within the area of cybersecurity and SCADA of each devices’ responsibility is more elaborate, referring technology. It is clear from these documents that to how RTUs act as interfaces which convert electronic signals from the feld devices into a protocol which can (i) there exist a lot of related work that discuss how then be utilised by the extended network. Tis information network scanners can be used for conducting vulner- is then extended to PLCs, demonstrating how the two ability analysis in SCADA systems, technologies link together, and provides details about the (ii)basedontheanalysisoftherelatedworkthatwassur- history and evolution of these devices. Te details this paper veyed, it is evident that some have identifed negative is providing about Distributed Network Protocol (DNP3) are behaviours of physical devices that are caused from very thorough and cover all areas of discussion around this network scans, protocol, for example, the relationship between DNP3 clients (iii) there is still a lack of understanding as to exactly how and servers, as well as showing a typical design diagram scanners disrupt ICS and SCADA devices, for a DNP3 network architecture. However, the paper fails to address the wider range of SCADA technologies and (iv) there is a lack of alternate methods of execution and protocols which are still utilised in today’s systems, that examples of their success. is,Modbus,SiemensS7,andsoforth.Tecontentofthis paper seems to skip the details about the higher levels of 3. SCADA and ICS Technologies the SCADA infrastructure, such as the HMIs and SCADA servers, something which was explained within Chromik et Tis section identifes the technologies which are bespoke to al. [25]. ICS/SCADA systems and the potential vulnerabilities which Complementing the information provided within the could be exploited by the use of a network scanner. previous two sources is the work of Samtani et al. [9]. Although this paper is aimed at fnding vulnerabilities within 3.1. SCADA Network Devices. In order to understand how SCADAthroughtheuseofpassiveandactiveassessment penetration testing and network scanning interrogate ICS techniques, the description of the SCADA specifc devices and SCADA devices, research must be conducted into the supportsthestatementsmadeinthepreviouspapers.As types of technologies which reside on these networks and this is a modern report, the information that is provided Security and Communication Networks 7 not only gives an up-to-date representation as to the devices by Wiberg [32] still lacks depth and only gives a high-level that are used within SCADA networks but it also gives overview of both the technologies underlying one particular a brief comparison between old SCADA technology and network scanner (Nmap). Later on in the paper, Wiberg goes how the Internet has caused changes to how SCADA and on to describe some of the false-positives generated when ICS are controlled and confgured to facilitate the needs executing a network scan on SCADA systems. Although this of a modern organisation or industry. Refecting on the shows how fngerprinting SCADA devices can be difcult as information provided from a range of diferent sources, the some of the “commonly known” ports are used for bespoke devices that are bespoke to ICS and SCADA systems should protocols, no examples have been given to show a network be the focal point of experimentation and research, which scanner interfering with an old or volatile service causing the are Human Machine Interfaces (HMIs), programmable logic device to crash. controllers(PLCs)[26],RemoteTerminalUnits(RTUs)[27], In order to protect SCADA systems a lot of methods and Intelligent Electronic Devices (IED) [26, 28, 29], and Master mechanisms were recently proposed [33, 34], including Intru- TerminalUnits(MTUs)[9,24,25].Fromthislistitcanbe sion Detection Systems (IDS) for embedded platforms or confrmed that the devices that are closest to the feld are the Distributed IDS for SCADA, device-level anomaly detection ones which will need examining in more detail in respect of [35] and classifcation [36], IDS solutions combining network how network scanners could possibly afect them. Here, RTUs traces and physical process control data [37], and detection and PLCs appear to be the most critical devices to analyse. A basedontrafcandprotocolmodelsorapproachesbasedon diagram (see Figure 1) shows the typical confguration of a semantic analysis [38]. Cruz et al. [39] present a distributed corporate and SCADA network, detailing where each of the intrusion detection system (DIDS) for Supervisory Control devices operates in respect of the entire SCADA system. and Data Acquisition (SCADA) Industrial Control Systems. In [40] Cook et al. conduct a thorough analysis of IT security 3.2. Te Fragility of SCADA Devices. Attention must be methods and how they could be applied within an ICS. All drawn to the vulnerabilities associated with the diferent scan methods may induce additional privacy issues that must SCADA devices listed above, as well as the constraints of be addressed [41] when designing secure SCADA systems. each diferent type of SCADA network. Wood et al. [30] present a holistic end-to-end view of the requirements and 3.3. Diferences between SCADA and Commercial IP Net- medium-to-high severity risks and propose a generic security works. Afer developing an understanding of the unique architectural pattern to address them. Wedgbury and Jones devices and protocols used within an ICS/SCADA system, [31] identify that the components of a SCADA or ICS network key distinctions can be made between SCADA and TCP/IP- could hold signifcant vulnerabilities when being targeted based networks, such as corporate infrastructures and the by a network scanner. Tis source explains that SCADA infrastructures which provide the underlying technology and equipment, and the services they provide, has been designed functionalitybehindICSandSCADAsystems.Gallowayand and implemented with little attention having been paid to Hancke [42] review the key diferences between “industrial the operational security of these devices and their ability to and conventional networks,” detailing areas in SCADA such handle errors or unexpected events. Tis has been referred to as implementation, real-time requirements, failure severity, as having “poor network robustness.” Wiberg [32] also iden- and ruggedness. Tis source seems to suggest that the most tifes that SCADA devices are inherently vulnerable as they notable diferences between the two network types are as have not been designed or built to provide basic information follows: security attributes of confdentiality, integrity, and availability (CIA). Wiberg also references the lack of standardisation (i) Te implementation of the network within the automation manufacturing industry and implies (ii) Te architecture which structures each node and that this may also be a signifcant reason why SCADA devices subnet are vulnerable. A signifcant issue identifed by Wiberg is (iii) Te severity of the consequences if the network fails. that using active network scanners, such as Nmap, presents a weakness when attempting port recognition or service Tese attitudes are shared within Stoufer et al. [43]. detection on SCADA devices. Wiberg states that active tools However, this source highlights the signifcant diference in such as Nmap can use unusual TCP segment data to try and system operation and resource constrains. Here, information fnd available ports. Furthermore, they can open a massive is given about how SCADA and ICS devices run on legacy sys- amount of connections with a specifc SCADA device but tems(defnedasanoldmethod,technology,oranoutdated then fail to close them gracefully. computer system), meaning they are prone to vulnerabilities Identifying the fatal faws between the network scanning such as “resource unavailability and timing disruptions.” Tis tools and the devices themselves and being able to present is then supported by the research within Duggan et al. [7], a technical example is where Wiberg [32] triumphs over referring to the collateral damage caused by the ping sweep Wedgbury and Jones [31]. Although both sources acknowl- of an operational ICS network. Although this source of edge that SCADA devices could compromise a system due information predates the research of Galloway and Hancke, to the bespoke or legacy services they run, Wiberg [32] [42],itisabletoanswertwosignifcantquestionsinsupport provides an explanation as to how the network scanning of the research into the potential volatility of SCADA devices technologies confict with these devices and the possible when being scanned: the use of legacy systems correlates with consequences. However, the level of technical detail provided the idea that legitimate system resources could be directly 8 Security and Communication Networks

Group WAN/Internet

Extranet firewall Corporate infrastructure

Corporate workstations Additional non-PC network nodes

Private IP network

Web servers, email servers, Enterprise routing planning corporate business services and maintenance systems/databases

Routing switching internal firewall Supervision network/SCADA control centre

Central SCADA control centre

Data connection and SCADA servers

Maintenance, engineering or supervision control network

Connection to local or remote production network Industrial control Production system network/feld sites

Data receiving/network hub

Programmable logic controller remote terminal Human machine interface units

Programmable logic controller remote terminal units

Field devices Field devices

Figure 1: A network diagram showing the link between corporate and SCADA networks. Security and Communication Networks 9 impacted by the use of conventional network auditing/pen- investigating is because a large majority of SCADA systems testing tools. Tis is supported by referencing the work of are fully operational, meaning either reverse-engineering Franz [44]. Within this source, an experiment is conducted to these incidents or testing tools against these systems is not survey vulnerabilities in Ethernet-enabled ICS devices. Tis practical as it could cause severe disruptions to the wellbeing experiment was conducted using active TCP/UDP scans and of citizens on a national or global scale. Tis proves that, OS fngerprinting. Te information within this source could in order to understand and protect against possible network be seen as irrelevant, not only because of the date it was scanning vulnerabilities, the tools mentioned within this published but also because of the fact that it is directly stated document need to be directly tested against nonoperational that an objective of the experiment is to “Avoid automation SCADA devices. With this taken into consideration, the protocolssuchasModbus/TCP,Ethernet/IP,FieldbusHSE,etc.” sources highlighted the signifcant threat of using reconnais- and to only focus on TCP/IP protocols. Although this was sance tools on these types of systems as they cannot be tested stated, the results of the experiment seemed to compliment in the current environment. the attitudes displayed by Jaronim [16], Bodenheim [10], Despite this there is very little information to suggest how and Duggan et al. [7], stating that “Simple” port scans (of active scans can be tailored to better facilitate the needs of 200–300) ports did cause some devices and applications to SCADA networks. It is apparent that adjusting the current become unresponsive. Although this report may be outdated method of asset detection or creating a bespoke piece of and tailored towards the research and development of Cisco’s sofware will be a more benefcial solution to reducing the technologies, it provides evidence to support previous spec- risk of damaging networks with snifers or probers, rather ulations or ideas portrayed in the previous sources. On the than trying to restructure or redesign the current systems and other hand, even though the experiment bared results which devices implemented across the globe. Much information has supported the hypotheses made by others, the protocols been provided about the diferent types of network scanning that are of particular interest were not the centre of Franz’s tools and techniques. From the information within each of research, meaning that further investigation must be done to thesources,itcanbeconcludedthat,fromthetwomethods determine the potential vulnerabilities these services could of network scanning, active probing has the potential to hold. pose a much greater threat to ICS/SCADA devices rather Tere is evidence to suggest that although network than the passive snifng alternatives. Tis research also scanners have the ability to disrupt SCADA equipment, this provided thorough detail about the current tools available having been acknowledged in many of the papers referenced, to pen-testers and how they can be applied to a range of there is still a lack of understanding as to what aspect of diferent networks, but there has been little discussion on thescanningprocesscausesthesedevicestomalfunction how successful these methods are against SCADA systems or behave erratically. Te information which has been pre- and whether they are an appropriate way of conducting sented has helped identify where more research needs to vulnerability analysis on ICS/SCADA systems. be conducted, as well as how to formulate experimentation on nonoperational SCADA devices. Troughout the analysis 4. Method of Research of papers and reports, it became evident that although the awareness of potential vulnerabilities is there, few have gone SCADA devices will continue to become integrated within IP to elaborate on why vulnerability scans may be unsuitable networks regardless of the evident security vulnerabilities and for use on SCADA networks, meaning there is a limited the signifcant diferences between the two communications technical explanation as to why exactly these systems fail technologies. Te difculty with replacing every ICS/SCADA or malfunction. Tis coupled with the fact that most papers device with a newer, more secure alternative is not a feasible failed to enforce their opinions or claims due to having a option as these types of devices are responsible for controlling lack of examples or references. Tis meant that proving the CNIs of countries around the globe. Tis in turn means direct correlation between the use of network scanning tools that in order to ensure that these devices can be monitored and the damage of SCADA services or devices is difcult. A and secured, whilst being connected to, and accessible by small subset of the sources within this document referenced corporate IP networks, the current security tools must be a real-life example of an asset-detection incident that caused compatible with both SCADA and IP. Research and exper- signifcant disruption to a couple of ICS networks. Tis was imentation are needed in order to evaluate the efects of very insightful as it was able to detail what type of technology using existing network scanning tools on ICS and SCADA was used and what the consequences were. Although this part equipment in order to justify the suitability and potential of the research benefted the understanding that ICS/SCADA dangers on doing so. systems can react negatively to scans, the research failed to directly satisfy a majority of the question areas, such as why When conducting a network audit or security scan or a device or service behaved diferently when a certain action during the process of a malicious cyberattack, network was performed. Overall technical detail was hard to obtain. scanners and snifers are used in order to gain information However, this did allude to further discussion which could aboutthedevicespresentonthetargetnetwork,aswell potentially commend the reasoning for the current research. as gathering data about the types of services they ofer. As most of the sources simply implied that network scan- Tese tools have been successful in gathering information ners would have a negative impact on SCADA devices, this about IP systems in numerous cybersecurity cases; however, suggests that the reason for the lack of technical detail when this technology has not been adapted to facilitate scans on 10 Security and Communication Networks

SCADA networks. Experimentation and testing are needed in via an Ethernet cable and would conduct active scans against order to fully understand how network scanners and snifers the SCADA equipment. Te network and equipment were function and how these technologies could impact SCADA observed in order to identify any changes in activity. Similar in a negative way. Being able to identify exactly how these to the IP experiments, the trafc between the SCADA system two technologies interact will educate people on how to and the host machine was captured so that the scanners properly perform asset discovery or vulnerability scans on packets could be analysed and discussed. networks which hold ICS and SCADA devices. Research into During the SCADA experiments, another hypothesis was the networking technologies present on both IP and SCADA formed as a result of the data being provided by the execution networks is needed in order to understand the diferences of active network scanners; Do adding more devices to the between them. Te focus here was to dissect and analyse the PLC and thus executing more complex code have a signifcant waydataiscarriedacrosseachnetworksothatwhenthe impact in the systems behaviour when being targeted by a IP and SCADA experiments commence, any anomalies or network scanner? To investigate this hypothesis, the active signifcant results can then be cross-referenced with the facts scans were repeated against a new SCADA system which held drawn from the research. a larger amount of feld devices and subsequently had to run Alongside the research into the diferent network proto- a more complex set of logic codes. cols and technologies, the network scanning tools also need All the data obtained throughout aim to help highlight to be executed and analysed in order to determine how they the dangers of using globally renowned security tools on use specially confgured protocols and packets in order to the networks responsible for the production of goods and gain information about a network. Te tools should be run the regulation of our CNI. Understanding the technologies on an IP network initially, before they are deployed against behind network scanners, as well as the diferences between a SCADA environment. Tis will ensure that each scan is IP and SCADA networks, forms a platform on which new deployed, and they will all be executed successfully, meaning network scanning technologies can be created which do not that the entirety of the scanning process can be witnessed and damage the functionality of ICS/SCADA networks but also analysed without unexpected errors. Tis in turn will help deliver the same verbose and security-critical data generated broaden the understanding of how the technologies operate by the existing tools used today. Tis data also aims to provide in order to gain information, and this can then be combined alternate methods of performing asset detection on SCADA with the previous network technologies research in order to systems, as well as enhancing knowledge on the subject. make assumptions and hypothesise about the application of scanners on SCADA systems such as SCADA. In order to achieve this, a Netkit lab was created in order to provide 5. Research into SCADA Protocols a virtual testing environment which replicated a small IP and Networks network. Once a Netkit network had been created, a series of passive and active network scanners were executed against Tis section explores the diferent protocols used by SCADA the virtual machines which resided on that network. Te networks in order to transmit data between its bespoke packets sent between the scanning system and the virtual devices. Using the information provided by the literature machines were captured and saved into a packet capture review, 3 common SCADA/ICS protocols have been dissected (.pcap) fle format. Here, the trafc could be analysed and and explained in order to fully understand the technology explained in detail, allowing for statements to be made which controls SCADA communication. Each one of the about the suitability of running these scans on SCADA protocols has been explained and compared against each equipment/systems. other; a discussion highlights the potential issues which may Te same tools must then be executed against SCADA arise when scanning these networks with an IP-based tool. devices following the premise set by the previous research In order to understand the diferences between the tech- and experiments. Tese experiments will test the hypothesis nologies used on IP-based networks and SCADA networks, “Does the use of current active or passive IP network probers research was conducted into the protocols used by SCADA andsnifershaveanegativeefectonthenormalbehaviourof and IP systems. As a result of the information provided by SCADA specifc devices?” Tis demonstrates how the network the literature review, Ethernet, Modbus, and DNP3 appeared scanners and snifers function on SCADA networks, how tobethemostcommonlyusedprotocolsinbothIPand they interact with each of the devices, and what impact SCADA networks. Te data yielded from this research aims to this has on the overall function of the SCADA network. highlight the dissimilarities between each network protocol Te technical research and testing of each scanning tool which could impact the way the SCADA devices react when accompany the data obtained from the SCADA experiments subject to a network scanning or snifng tool. Te results of with the purpose of highlighting the risks associated with this research will help evaluate the feasibility of performing running network scanning tools on networks which do not network scans on SCADA devices and how the results difer run via an IP-based system and also highlighting the potential from IP networks. threat to the wellbeing of citizens and businesses when When considering the use of IP scanning tools on operational feld devices are impacted by these scans. To SCADAnetworks,themainareaofconcernisthetypeof facilitate this aspect, two SCADA networks were constructed packets the scanning tools use in order to gain information which contained two diferent PLCs, as well as diferent sets of from each device. Tools such as Nmap, ZMap, and Tenable feld devices. A host machine was then connected to the PLCs Nessus all use Ethernet frames to transfer data between the Security and Communication Networks 11 host machine and the target devices. Tis is referenced within Tis would be an example of a denial-of-service attack Bartlettetal.[13]andsupportedbySamtanietal.[9].As achieved through overloading the network connections with stated within Galloway and Hancke [42] (see Section 3.3), the incompatible data. protocolsusedtotransmitdataonIPnetworksandSCADA Te most notable discoveries made from the protocols networks have a varying amount of diferences. Tese difer- and networks research can be summarised as follows: encescouldprovetobeaninfuencingfactorwhendiscussing (i) Te data held within the diferent protocols may not the impact of executing some of the aforementioned IP correspond with the instruction-set of the recipient scanners. device. Although an Ethernet packet may successfully Te research shows that Ethernet and traditional TCP/IP reach a Modbus or DNP3 device, the information protocols focus on embedding data within the payload of present within each packet may not solicit a correct multiple frames so that Internet technologies such as routers, response from the SCADA device. Tis means that web servers, proxies, and email servers can correctly send, any information transmitted back to the scanning receive, and utilise that data. DNP3 and Modbus have device may not be useful in managing assets or very few data abstraction mechanisms as they are strictly diagnosing security vulnerabilities on the network. master/slave communications channels. Tis means that Ethernet packets are far larger and more sophisticated than (ii) Te diferences between how Ethernet, Modbus, and the SCADA/ICS protocols discussed above. Scans targeted DNP3 synchronise and delimit the data traveling at SCADA must be a lot more specifc to the technologies across the network could impact the operation of present on those types of network, meaning the data being SCADA devices. If the data being received is too large sent across the wire must be the same length, the same data or is being received too quickly, the on-board CPUs structure, and the same frequency as the existing trafc. Te within SCADA equipment may struggle to parse the commands within each message must be adapted to match incoming data, meaning less time is spent performing each specifc slave device which resides on the network in their original, logical tasks. order to gain valid responses or successful data transfer. (iii) Te data being transmitted by the scanning tool Usingthismethodofscanninghasagreaterchanceof may not be able to travel through that particular providing information relevant to a reconnaissance scan or medium being used by the network. Although this asset-detection sweep of a SCADA/ICS network. may not have an impact on the devices themselves, As Ethernet frames are the underlining mechanism used thescanwillreturnwithnoresults.Ifusedincorrectly, by network scanners, any device with an Ethernet interface executing IP scanners on serial networks could either should experience little to no changes when being scanned, cause a denial of service, connection disruption, or unless the data being received is too great for the processing false negative scan results. power of that device. As SCADA devices are ofen set up on older, legacy systems, the rate at which Ethernet All the information provided by this research has helped packets are processed may be too great for SCADA and ICS aid the understanding of how IP and SCADA networks could devices. Te most crucial aspect of these protocols is the way behave when subject to a network scan, as well as evaluating that they distinguish between individual packets. Whereas the feasibility of performing scans on SCADA networks. Ethernet uses a block of data to separate packets, Modbus uses physical breaks in time in order to achieve the same 6. Testing the Network Scanning Tools: result. If connected to a Modbus RTU network, the Ethernet IP Network Experiments delimiter will not be valid. Terefore, if the trafc from the scan is received directly afer a legitimate Modbus message, Tis section provides details about the network scanning the receiving device may drop the data packet or continue experiments conducted against the virtual IP network. A list to try and process the data as if it is a continuation of the oftheequipmentusedandanoverviewofthemethodology last packet it received. Tis could result in bottlenecks being used in order to test both passive and active network scanners formed at specifc parts of the network, meaning none of the are all contained within this section. In addition to covering data destined for the SCADA devices will be received and the prerequisites and processes of the IP experiments, this the data fowing from multiple devices or subnets could be sectionalsoanalysestheresultsprovidedwithinthenetworks disrupted. and protocols report. Each tool is critically analysed and Running foreign protocols on networks such as Modbus reviewed against their suitability to conduct scans on a or DNP3 may be completely dropped and disregarded before SCADA network. being received by intended device. Te way asynchronous Once a thorough understanding of the common SCADA packets are formed and sent across the network means andIPprotocolshadbeenestablished,thenextphasewas that if an Ethernet packet were to be sent through a serial to analyse how network scanners function on a familiar connection, the data would not correspond to the agreed network hosting machines and services typically found on transfer speed and would not be encapsulated correctly. an IP system. In order to do this, a set of experiments were Although this means that the devices themselves will not conducted, on which each network scanning/snifng tool get compromised, attempting to send large Ethernet packets was executed. Te decision to run a series of both active through a DNP3 or Modbus serial port could obstruct and passive network reconnaissance tools on an IP network the legitimate SCADA trafc from reaching its destination. was made in order to give a clear indication as to how 12 Security and Communication Networks

Table 2: Table of Tools Executed against the IP Network.

Network scanning tool Method of information gathering Scan type TCP-SYN Scan, Service Detection Scan, HTTP Nmap 7.40 Active Banner Grab Zmap 2.1.0 Active ICMP Ping Sweep, TCP SYN Scan, NTP Scan Tshark 2.0.5 Passive Promiscuous-mode Packet Capture Ettercap 0.8.2 Passive Man-in-the-middle Trafc Intercept

these technologies function in a controlled environment. obtained from the networks and protocols research task. Observing and analysing the tools in this environment allow Both Nmap and ZMap rely on the TCP/IP protocol suite in assessments to be made about the types of data the tools order to gain information about networked devices. As the send and receive and how this could possibly translate on main underlying technology of TCP/IP is Ethernet, either this a SCADA network. Once all the network scans have been couldcausetheSCADAdevicestobecomeoverloadedwith completed and all the data has been captured and analysed, foreign trafc or the serial system may drop or freeze because a discussion of the results is done in order to evaluate the of the inability to process the Ethernet trafc. Although there potential discrepancies between IP scans and SCADA scans. are other technologies which can facilitate TCP/IP communi- cationsuchasWiFi802.11andmobile3Gtelecommunication, 6.1. Materials and Methodology. To conduct the IP scanning these fall out of the scope of the current research and will experiments a virtual network was created and confgured not be assessed. Te passive tools were selected because of in order to simulate the functionality of a common IP their ability to capture network trafc in order to deduce network. Details on the design, setup, and confguration a list of active systems. As Tenable’s Passive Vulnerability of this network can be found within the Supplementary Scanner (PVS) was unavailable for these experiments, using Materials (available here). Te tools and equipment used a combination of both Tshark and Ettercap would ensure within these sets of experiments were as follows: that the full functionally of such tool could be replicated and analysed on the IP network. (i) Ubuntu 16.04 LTS virtual machine: it is a Linux- Executing these experiments required a virtual network based virtual machine capable of running the Netkit to be created on the Ubuntu virtual machine. Te choice network simulator in an isolated and repeatable envi- to run a virtual network was based on the ability to restore ronment. and run the network from a clean install each time a new (ii) Netkit 2.8: it is a lightweight virtual IP network experiment was conducted. Tis ensured that each tool was simulator used for training and academic purposes. exposed to the exact same environment and that any changes (iii) Tcpdump 4.7.3: it is a command line packet analyser made by the previous experiment would not jeopardise future which comes preinstalled with Unix-based operating results. A virtual network can provide the same functionality systems. It is used for capturing trafc from a network as a physical IP network; however, setup and administration interfacecardandsavingthedatainthe.pcapformat. are simpler and the ability to reset the network was highly advantageous. Tese features made the IP experiments both (iv) Nmap 7.40: it is a “network mapper,” an open- repeatable and reproducible. Once the virtual network had source network scanning tool used for asset discovery, been created, a series of active and passive network scanners service detection, and security auditing. were executed against each virtual host. Table 2 details the (v) ZMap 2.1.0: it is an open-source network scanning scans which were conducted against the network in order to tool optimised for conducting Internet-wide scans understand the technologies behind them. quickly and efciently. Tese methods of network scanning and trafc snifng (vi) Tshark 2.0.5: Tshark is the command line interface wereselectedbasedonseveralfactors,thefrstbeingthat provided by Wireshark. It is a packet analyser used to both Nmap and ZMap are tools currently being used against capture trafc from any network interface present on both SCADA and IP networks. Te combined capability of a machine. thesetwotoolscoversarangeofscanningandreconnaissance (vii) Ettercap 0.8.2: it is a tool which allows users to methods used against modern SCADA systems. Being able perform man-in-the-middle attacks on local area to replicate the functionality of SCADA specifc threats such networks. Tis allows for the snifng, interception, as Shodan and intrusive network scanners is crucial towards and logging of network trafc. understanding how these tools work and how they could pose a potential threat to SCADA and ICS systems. Being able (viii) Wireshark 2.0.5: it is a full graphical interface which to test each of the scans provided data which was used to allows users to dissect and analyse network trafc evaluate the feasibility of performing the active and passive contained within .pcap fles. scansonaSCADAnetwork.TedataobtainedfromtheIP Te decision to use these tools was based on both the experiments allows comparisons to be made once data has information presented by the literature review and the results been generated from the SCADA experiments. Security and Communication Networks 13

Each scan was executed against the individual subnets other types of serial frames, the ports receiving the scan data present on the network. For each active scan run against the may not be able to interpret or handle the IP headers or virtual network, several observation points were set up in Ethernet frames. Te same issues are presented when using order to capture both the probing trafc as well as the host’s TCP-SYN scans. Unless the SCADA device supports TCP responses. Te tool responsible for capturing this trafc was connections through select ports, there is no guarantee that Tcpdump. Once each scan had been executed, the network when the active tools send data to each port on that device, capturefleswereopenedandanalysedinWireshark,apacket thedatawillbeacceptedandparsed.ZMapmaybethemore analyser, which gave an insight into how the diferent tools advantageous scanner to use in this scenario, as it ofers obtained information from the remote targets. minimal interaction with the target devices and requires users For the passive snifng experiments, the Tcpdump tool to be specifc about the services, addresses, or ports that they was replaced by Tshark. On executing each passive tool, wish to interrogate. trafc would then be generated between the IP machines in Active scanners appear to reveal more details about the order to test whether the tool was able to capture the data. network than the passive alternatives. Troughout all the When testing Ettercap, a MITM intercept tool, the previously experiments conducted on the IP network, none of the referenced Tshark observation points were removed and two passive scanners or packet capture devices were able to additional machines were added to the network. Tese new prove the identity of the gateway machines which connected machines allowed for trafc to be intercepted between two between each subnet. From analysing the packet capture fles, endpoints.Tedatawasthencapturedandrelayedontoits it could be suggested that the observation points for each original destination. Te results from these experiments were passive tool could have been adjusted in order to give a displayed in the form of packet capture (.pcap) fles, as well as broader perspective on the entire network. However, when the output displayed on the physical machines. considering the ramifcations of modern SCADA networks, it is not practical to have passive scanners placed at every 6.2. Results and Discussion. As a result of the experiments signifcant point of the network. Tis is due to both the conducted against the virtual IP network, as well as the devices inability to run such sofware as Tcpdump or Tshark data provided through the use of packet captures taken and also the fact that as physical feld devices can be located at throughout both the active and passive experimentation, the sights which are huge distances from the central control units, following conclusions can be made with reference to the it then becomes very difcult to coordinate and synchronise future experiments to be performed on a SCADA network. a passive scan. It could be suggested that, given more time, Firstly, running a series of diferent asset discovery and thepassivescannerswouldbeabletoobtainasmuchdata service detection scans using Nmap revealed a number as the active alternatives; however the results obtained from of facts to take into consideration when discussing using these experiments, under the specifed circumstances, do not scanners on SCADA systems, the frst being that Nmap support this statement. utilises the TCP protocol in a variety of diferent ways in As the active tools require interaction with the target order to gain diferent amounts of information from the target network and rely on sending data to each machine, the networks. An unexpected result from these experiments was choice to use a MITM machine could be benefcial towards that Nmap uses TCP-SYN and ACK packets in order to gaining information about a network, specifcally networks establish whether a particular address is active on a network. containing SCADA/SCADA devices. Tere are however two A standard ICMP echo request (or ping) is used to send a concerns with this methodology, the frst being that it small amount of data addressed to a raw socket, meaning that sufers from the same practicality issues as the other passive ICMP bypasses TCP and communicated directly with IP.Tis scanners. MITM requires machines to be placed around the could prove as both an advantage and a disadvantage when network which, as discussed in the previous statement, is replicating this scan on the SCADA devices. Although Nmap impractical on a SCADA system. Another signifcant factor is does not open raw sockets when using TCP pings, which being able to replicate the functionality of ARP poisoning on could cause the target machine to behave unexpectedly, the systems which do not use the Address Resolution Protocol. method of using TCP requires the utilisation of the TCP Combining the results from the networks and protocols protocol. research, as well as executing both active and passive net- Te data from both the Nmap and ZMap experiments worksscannersonanIPnetwork,itappearsthatthetypeof shows that host discovery can be achieved using both ICMP network a SCADA system is running may not be the predom- echo requests as well as sending solitary TCP-SYN packets to inant issue when being scanned by the tools referenced within all the ports on target machines. Te issue with both of these the previous section. It has been identifed that the type of methods is that they have been tailored to work specifcally packets used by network scanners are not suited towards with IP devices. ICMP works directly above the IP layer, devices communicating via a serial protocol. However, there relying on raw sockets being opened in order for data to is no data present to suggest that the active scanning tools be sent back and forth between hosts without the need for are able to send data through any other interface besides a TCP connection. Te ability to open and communicate Ethernet. Tis has signifcant infuence on the direction of with raw sockets may not be possible when applying the the current research as SCADA and ICS systems being used same approach to SCADA devices which reside on SCADA today continue to run serial protocols. Tis implies that if networks. Issues also arise from the payload of the Ethernet active scanners are unable to communicate with SCADA frames themselves. If these active scanners do not support devices through serial ports, the issues facing SCADA and 14 Security and Communication Networks

ICS may be through the adoption and utilisation of Ethernet resourcestobedirectedattheSCADAtestingphase.Te communications. Both Nmap and ZMap were successful in main issue was the amount of time spent designing and identifying hosts on the virtual network, through the use of confguring the virtual network. A preconfgured Netkit mass port scanning and applying probes which are specifc to lab could have been downloaded and executed in order to services found on common IP devices. Tis implies that if a minimise the amount of time spent improving and adjusting SCADA device has been confgured to use Ethernet but does the virtual network. However, choosing to install a virtual not ofer any of the services used within the IP experiments, network from beginning to end meant that the nodes, thedevicemaynotbeabletoparsethedatacorrectlyorelicit services, and scale of the network could be tailored to suit a valid response. Tis could potentially cause the SCADA the objectives of the research. Knowing the confguration device to crash or behave unexpectedly, not because of the in great detail allowed for a better analysis of the network unfamiliar trafc that its receiving but from being unable to scanners and their ability to obtain crucial information about process unfamiliar requests for services it does not provide. the network. Tis however did not warrant the time spent Te data provided by the Ettercap and Tshark experi- creatingthetestenvironmentandshouldbereevaluatedfor ments shows that passive scanners do not directly interact future experiments. with the hosts connected to a network. Tis in turn suggests that running passive tools at multiple points on a network could provide a stable method of gaining information about 7. Testing the Network Scanning Tools: a SCADA network. Te issue with passive tools is that SCADA Network dataabouteachhostonthenetworkisnotimmediately accessible, as the packets captured need to be analysed in Te following section provides an overview of the experi- order to identify hosts and services. Another issue with ments conducted against a SCADA system. Details about the passive scanners is compatibility. Ettercap requires the target equipment used as well as an explanation of the methods hosts to utilise the ARP protocol. If the SCADA device used to test the active scanning tools are also contained in question is running on a serial network, this method within this section. Once all the specifc details about the of information gathering would not function correctly. As SCADA experiments have been presented and explained, the the hosts used in these experiments communicated via IP, results obtained from the SCADA tests are then discussed Ettercap was successful in obtaining data from the network. andanalysedagainstthemainobjectiveofthecurrentarticle; Te last signifcant drawback to passive tools is the need to does the execution of an active network scan have a negative distribute them across the network in order to gain a wide efectonSCADAsystems,andifso,whatcauseditandwhy? coverage. Modern SCADA systems can span across multiple Each of the tools is critically analysed and reviewed against sites located across continents, therefore being unable to their suitability to conduct scans on a SCADA network. A remotely execute asset and service detection scans would not critical analysis of this part of the research has also been be suitable in that scenario. provided which aims to address strengths and weaknesses. Understanding how each of these asset discovery and Following the testing of both passive and active network network reconnaissance tools function within an idealistic scanners on the virtual IP network, the active scanning tools environment has been a key exercise which helped identify are needed to be executed against devices exclusive to SCADA the ramifcations and the possible consequences of using networks. Tese experiments allowed for assessments to be these tools on SCADA networks. Te fndings from these made about the impact of using the network scanning tools experiments assisted in understanding how each of these against devices found within modern ICS/SCADA systems. tools performs its scans, and it has helped to create hypotheses Executing the active scanners on a SCADA network will which will create an all-encompassing platform on which help determine whether the conclusions formed from the IP to conduct the SCADA experiments. Without the results experiments were correct, as well as determining whether supplied by these tests, any signifcant fndings or datasets executing scans against SCADA equipment causes them to which may appear in the forthcoming SCADA experiments crash or divert from their normal operations. would lack a comprehensive justifcation as to why that result has occurred. Furthermore, setting up and executing these 7.1. Materials and Methodology. In order to observe and experiments have satisfed two of the core objectives of the assess the impact of running a network scanning operation current article: an IP network has been replicated using the against SCADA devices, a small SCADA system was con- Netkit environment and the Netkit machines have been used structed and confgured to replicate the functionality of a to conduct extensive tests on network scanning tools in order PLC, HMI, and operational feld devices. To achieve this, the to analyse their functionality. following tools were acquired and confgured to provide a Te IP experiments provided insightful data which SCADA testing environment: helped enhance the understanding of both active and passive network scanners. Te use of a virtual network and packet (i) Siemens SIMATIC S7-1200 PLC: it is a compact pro- capture sofware was successful in facilitating the network grammable logic controller with an Ethernet-enabled scanningtestsaswellascapturingthedatainaform interface. which could be easily analysed and presented. Improvements (ii) Siemens SIMATIC KTP400 basic HMI: it is a 4-inch couldhavebeenmadetothesetupandexecutionofthese touchscreendevicewhichcanbeusedtocontroland experiments which would have allowed for more time and monitor devices connected to the S7-1200 PLC. Security and Communication Networks 15

Table 3: A table showing the types of tools and scans to be run against the SCADA system.

Network scanning tool Method of information gathering Scan type Nmap 7.40 Active TCP-SYN scan, service detection scan, UDP, and script scan Zmap 2.1.0 Active ICMP ping sweep Python UDP DoS.py Active UDP denial-of-service attack

(a) Te Siemens S7-1200 PLC with the motor and HMI (b) Te S7 PLC and HMI screen connection outlined Figure 2: Te Siemens S7-1200 PLC and HMI setup.

(iii) ASEA brown boveri (ABB) PM564 PLC: it is a experiments send data via Ethernet communications. Tis compact programmable logic controller produced by suggested that once each active scanner has been deployed, ABB.TisPLChasbothEthernetandSerialinterfaces there will be no connectivity issues and that the network as standard. scanners will be able to probe the PLCs as desired. As a result of this, the activity of both the PLC and the feld devices (iv) IKH didactic systems PLC trainer 1200: it is a custom will be monitored in order to deduce whether the process of PCB with components which allow PLCs to be con- scanninghadcausedtheSCADAsystemtodivertfromits nected to small, modular feld devices. original functions. (v) On-board modular motor: it is a bidirectional motor Table 3 details the diferent scans which were executed attached to the IKH Didactic Systems PLC Trainer against the SCADA system. 1200. Tese types of active network scanning were chosen (vi) Compact fexible process line: it is a small replica because of the results provided from the IP experiments. of a conveyor-driven production line which can be Firstly, the range of Nmap scans covers asset discovery, service detection, and UDP probing. Tese three methods connected to the aforementioned PLC Trainer. of scanning utilise diferent techniques in order to gain (vii) Windows 7 64 bits with Siemens totally integrated information about a target. To facilitate the execution of automation (TIA): a sofware suite which allows code each of these scans, the PLCs stated above were connected tobecreatedandranonSiemensS7devices. to the host machine. Tis machine was running Windows (viii) Windows 7 64 bits with ABB control builder plus and 7 as well as the two sofware suites needed to interact with CoDeSys 2.2.0: it is a sofware suite which allows code each device. Once this connection had been made, the logic tobecreatedandranonABBAutomationdevices. code corresponding with each PLC was downloaded and run. Once the code had been downloaded and run, each (ix)AlaptoprunningaLinux-basedoperatingsystem scan was executed against the network. During each scan, a (Ubuntu 16.04 LTS): it is a platform which supports packetcapturewastakenonthehostmachineusingTshark. the ZMap active scanning tool. In addition to the packet captures, each SCADA system (x) Nmap 7.40 and ZMap 2.1.0: see Section 6.1. was physically observed in order to determine whether the (xi) Tshark 2.0.5: see Section 6.1. operationofthePLCortheconnectedfelddeviceschanged (xii) UDP DoS.py: it is a custom-written Python script during each scan. which sends large UDP packets to each port available Firstly, each Nmap scan was executed against the Siemens on a target IP address. S7 PLC (see Figures 2 and 3) with a singular motor connected. Afer all of the Nmap scans had been executed against this Both of the two PLCs being tested come with on-board smaller setup, the Compact Flexible Process Line was added Ethernet interfaces. As referenced within the Supplementary to the SCADA system. Tis was done in order to test an Materials, the active network scanners used within these additional factor which is associated with the scanning of 16 Security and Communication Networks

SCADA Network 1

SIEMENS KTP400 Basic HMI

PCB connection Windows host machine SIEMENS S7-1200 PLC

CAT 5 Ethernet connection

On-board motor

M PCB connection

Figure 3: A topology showing the Siemens S7-1200 PLC network setup.

(a) Te ABB PM564 PLC with an Ethernet connection

Wed 08 Mar 2017 12:39:04 RUN

MANUAL MODE AUTOMATIC MODE

AUTOMATIC MODE ON RIGHT LEFT RIGHT TIMER 1 T0260 ms

LEFT TIMER 2 T0630 ms

(b) Te HMI interface confgured to run on the host machine

Figure 4: Te ABB PLC and HMI setup.

SCADA equipment: Do adding more devices to the PLC and Two methods of network scanning were added to the thus executing more complex code have a signifcant impact SCADA experiments which were not executed on the IP in the systems behaviour when being targeted by a network network. Tese are Nmap’s “UDP and Script Scan” and the scanner? Once each network scan had been executed against “Python UDP DoS.py Attack.” Tese scans utilise the User this larger system, the host machine was disconnected and Datagram Protocol (UDP), rather than TCP and ICMP which reconnected to the ABB PM564 PLC (see Figures 4 and 5). were present in the previous IP experiments. Te reason for Once connected, the same scans were then executed against running these scans on the SCADA network was because this new PLC setup. these methods of network scanning were neglected during Security and Communication Networks 17

SCADA Network 2

Windows host machine/ human machine interface ABB PM564 PLC

CAT 5 Ethernet connection

Figure5:AtopologyshowingtheABBPLCnetworksetup. the IP experiments. Troughout the process of conducting when conducting the scan against both the Siemens and the IP scans, the ability to use the UDP protocol was present; ABB PLCs, Nmap utilised the ARP protocol in order to however, due to the services confgured to run on the virtual determine which hosts were active, rather than sending TCP- network, there was no requirement to run UDP scans as all SYN packets to common services ports such as web server oftheservicesusedTCP.OnexecutingmultipleTCP-based ports(80)orSSLports(443).Althoughthismethodofscan scans on the SCADA devices, the behaviour of the SCADA proved to be successful against this SCADA environment, system did not change. Terefore the need to experiment it cannot be stated that the same level of success would be using another scanning vector became paramount. achieved on other SCADA devices or networks. Te frst Although the passive scanning tools were deployed reasonforthisisthatbothofthePLCsusedwithinthese against the virtual IP network, they will not be used within experiments communicated with the host machine via an the SCADA experiments. Te decision to exclude these tools Ethernet connection. As a result of this, each interface has from the SCADA experiments was made because of the a MAC address. Te ARP protocol is used to associate an results provided by the previous IP experiments. Although IP address with these MAC addresses. If this same scan the passive tools were able to successfully obtain data about was executed against another Ethernet-enabled device, the thehostsandservicespresentontheIPnetwork,the embedded Ethernet interface will be able to handle the ARP testing of these tools would not give a valid representation trafc being sent from the scanning tool. However, the data of the data traveling across a large SCADA system. Te obtained from this experiment does not clarify whether this SCADA environment used to facilitate the network scanning method of scan would be stable on a serial-enabled device. experiments contains only a singular Ethernet-enabled PLC Executing Nmap’s service detection scan against both the with a single HMI. As a result of this, the environment used Siemens and ABB PLCs did not alter the behaviour of the within this set of experiments would be unable to thoroughly SCADA system. Tis shows that if communicating with a test the functionality and capability of the passive tools used remote component using Ethernet, the TCP-SYN trafc used within the IP experiments. More information regarding the to obtain information about the two PLCs did not have a tests that were conducted can be found in the Supplementary negative impact on the operation of the system. Tis was Materials. supported by the creation of two output fles which contained correct information about both devices. A notable aspect of 8. Discussion both of the aforementioned output fles was a line stating that1000portsoneachdevicewerefltered.Tiscouldhave From the experiments conducted on both the Siemens S7- had an impact on the stability of both the SCADA devices 1200PLCandtheABBPM564PLC,thefollowingresults during each active scan. However, further research needs to contain information which details how SCADA equipment be conducted into how ports can be fltered on a SCADA behaves when subject to a range of active network scanners. device and how Nmap can be confgured to avoid such Te information within this section focusses on evaluating obstacles in the future. the efect of using active scanners on SCADA systems, as When performing a UDP scan using Nmap, neither of the well as identifying potential methods of network scanning two PLCs tested showed any indication that the active scan which will facilitate the requirements of a SCADA network was being performed, as normal operation was maintained and successfully perform asset detection without disturbing throughout the duration of the scan. On analysis of the data normal network functionality. provided within the Nmap output fle for the Siemens PLC, Te results yielded from the Nmap scans showed that the UDP scan appeared to provide more in-depth data about both of the PLCs used within these experiments remained the device than the previously executed TCP scans. However, stable during a TCP-SYN scan. However, the network trafc replicating the same UDP scan on the ABB machine yielded captured from the host machine during that scan shows that diferent results. Te UDP scan was unable to reveal the same Nmap does not use the same method of asset detection as information, such as CPU model and frmware version, as shown within the IP experiments. Te diferences are that gained from scanning the Siemens PLC. Tis means that, 18 Security and Communication Networks asaresultofthescanbeingabletoexecuteandcomplete script supports the claim that SCADA devices may alter without altering the behaviour of the SCADA system, service when congested with massive amounts of network trafc, the detection scans must be specifcally tailored to facilitate the Python UDP scanner does not represent a usable network unique setup of each individual PLC in order to gain specifc scanner. Te tool was created in order to send a large amount details about a device. However, although it can be seen ofUDPdataacrossanetwork,whereasnetworkscannersuse from the results obtained from the SCADA experiments a variety of protocols to gain information about the devices that running a UDP scan against a Siemens S7-1200 can connected to a network. Terefore, the results of this scan reveal device specifcation information, evaluating the risks prove that SCADA systems can be afected by mass amount associated with gaining this information is out of the scope of of data fooding the network, and it does not prove that the thisresearch,andthereforenocommentcanbepassedabout same result could be achieved with any of the aforementioned how signifcant this data is or whether it exposes another network scanners. Furthermore, the Python script was only attack vector towards the Siemens PLC. successful against one of the two PLCs tested. Terefore, the On attempting to run an ICMP ping sweep against both data from these experiments cannot suggest that running the theSiemensandABBPLCs,thepacketswereunabletoreach same scans or scripts on a variety of other SCADA devices their intended destinations. Te tool ZMap was used in order wouldyieldthesameresults. to facilitate these scans. Te reason for this was due to how From the information presented by Duggan et al. [7] as ZMap conducts asset-discovery scans. As seen within the IP well as the results of the SCADA experiments it is suggested experiments, ZMap utilises ICMP echo requests which run that although network scanners may be a viable option on top of IP packets, rather than the ARP broadcast method onsometypesofSCADAsystemsordevices,thereisno used by Nmap. In order to assess why the ICMP scan failed to universal solution to performing asset discovery or service run against both SCADA devices, the output packet capture detection on SCADA systems. Every device and network are fle was opened and analysed. Te data held within this fle unique; therefore scanning technology must be adapted to was unable to diagnose why the ICMP packets failed to gain facilitate the confguration of each unique device. Performing a response from the SCADA devices. As a result of this, no a network scan on a SCADA system with an all-purpose tool safe conclusions can be made about the impact ICMP packets such as Nmap or ZMap is not feasible. However, conducting mayhaveonSCADAsystems. researchintoallSCADAdevicesandhowtheyfunction From the results of the TCP, UDP, and ICMP scans, it would allow for a tool or framework which could provide was evident that running active tools against the SCADA a solution to the issue of bespoke technologies and the networks did not have an impact on the operation of either uniqueness of devices. the PLCs or feld devices used within these experiments. From the results generated by the SCADA experiments, When comparing these results to the outcomes of the IP the following conclusions can be made: if executing either experiments, there appears to be little diference between an asset-discovery scan or service detection scan against an scanning on a SCADA network. Although the PLCs displayed Ethernet-connected Siemens S7-1200 or ABB PM564 PLC diferent sets of data to the machines used on the IP network, using Nmap, the trafc generated by the scan does not have a the PLC devices were able to respond to a range of scans as negative efect on the operation of any of the SCADA devices well as remaining to maintain normal operation throughout present on the network. Using such protocols as ARP, TCP, the entire duration of the scan. Te information displayed and UDP, Nmap was able to locate both of the PLCs on the within the literature review suggests that these results do not small SCADA network. On scanning the Siemens S7 PLC correspond with previous cases involving network scanners using UDP, Nmap was able to gain information about the and SCADA equipment. In order to understand why these system’s specifcation, such as the model of the CPU and the results had occurred, more research had to be done into current frmware being run as well as the manufacturer and the fragility of SCADA equipment as well as the network IP address. Nmap was able to detect both PLCs using the constraints which are exploited by active scanners. Tis ARP protocol. Although this method of asset detection did further research implies that the trafc being sent across a not afect the normal operation of the target system, the ARP SCADA network must be carefully controlled to ensure that technology can only be used against devices communicating the network does not become congested with unused data. In via Ethernet. Tis is because the underlying concept of order to test this, a Python script was created which would ARP uses MAC addresses, which are only contained within sendahighervolumeofnetworktrafctoeachportonthe Ethernet frames. Tis means that although this method of target PLCs. scan was successful within these experiments, there is no On execution of the Python script, the Siemens PLC guarantee that running the same scan against another type remained stable and continued to function as normal. How- of PLC would produce the same results. ever,onexecutingthesamescriptagainsttheABBPLC,the On attempting an asset-discovery scan, ZMap was unable connection between the host HMI and the PLC was prema- to provide any information about either of the two PLCs turely terminated. On analysis of the packet capture taken tested in these experiments. Although ZMap was unable to during that scan, it appears that, due to the mass amount of disclose the hosts connected to the target network, there UDP packets being sent from the host machine, the latency was no data to suggest that the SCADA devices had been of the trafc containing the status of the feld devices caused afected by the scan or that they had received the data from the HMI to terminate the connection and present an error to thehostmachine.Tiswasanunexpectedresultforanumber the user. Although retesting the ABB PLC with the Python of reasons. Firstly, from the research conducted within the Security and Communication Networks 19 literature review, there has been an example on which a highlights how unique each SCADA device can be. Te data similar method of asset detection had caused a SCADA from these experiments show that when conducting either an system to malfunction. Secondly, as both the PLCs were asset discovery or service detection scan on a SCADA system, connected to the host machine via Ethernet cable and had each device must be targeted on a case-by-case basis. As only been confgured to have a local IP address, there were no two diferent types and manufacturers of SCADA equipment discrepancies with the setup of the network which would were tested during the course of these experiments, the data result in ZMap not functioning correctly. Lastly, in order obtainedfromthisresearchcannotsuggestthatitisfeasibleto to check that the network had been confgured correctly, a scan a SCADA system with any of the active tools which were singular ICMP packet was sent to each PLC from the host tested, despite the successes and failures of certain tests. Te machine. Tis method of ICMP communication was able to resources required to conduct active scanning experiments identify each PLC on the network, despite using the same against all possible SCADA devices are beyond the scope of technology as ZMap. On the other hand, these results are not this article; however, it does emphasize a key point when substantial enough to comment on the suitability of using assessing the suitability of using active scanners on SCADA ZMap to scan for hosts on a SCADA system. As referenced networks. From the select range of tools and devices used earlier in this section, the setup and confguration as well as within these experiments, there were diferences when being the tools used within these particular experiments cannot be scanned. Te two PLCs provided diferent information when applied unanimously to all SCADA devices available today. subject to the same scan as well as reacting diferently Although ZMap was unable to gain information about any when attacked by the Python UDP script. Tis means that devices connected to the SCADA network, it did not cause there is not a universal solution which can facilitate the the PLC or the feld devices to malfunction, opposing the requirements of every SCADA system being used within information provided within the literature review. In addition modern society. Further research would be needed in order to this, if the ZMap scan conducted within these experiments to detect similarities between bespoke SCADA protocols and had succeeded in identifying hosts on the network, there is manufacturers in order to fully understand the most efective no data present which suggests the results could be repeated way of conducting remote scans without compromising the on a diferent SCADA system. integrity of the system. Performing multiple experiments using the UDP pro- Te experiments conducted against the SCADA systems tocol to conduct scans against each PLC has emphasized provided a set of results which identifed that, using the how unique each SCADA device is and how scans must be network scanning tools and SCADA devices selected for these carefully targeted and controlled in order to gain the correct experiments, executing an active scan against a SCADA sys- information without disturbing the operation of the network. tem does not afect the normal operation of the system. Tis When executing Nmap’s UDP scan against both of the PLCs suggests that, for the devices used within these experiments, it tested within these experiments, both scans were able to would be feasible to run all of the asset discovery and service gain information about each device without compromising detection scans against SCADA devices. Te results obtained or disturbing the network. However, despite the success of from conducting these experiments did not answer a range of using Nmap to perform UDP scans, the same protocol could questions which still apply to the use of scanners on SCADA pose a serious threat to the integrity of a SCADA system if ill- networks. confgured or misused. Tis was demonstrated through the Firstly, the SCADA experiments only focused on two dif- use of the Python UDP script. Tis script demonstrated how ferenttypesofPLC,bothofwhichcommunicatedusingthe the two PLCs coped when faced with a large number of UDP same networking technology, Ethernet. Choosing to conduct packets carrying a large amount of data. Te most signifcant the network scanning tools on an Ethernet-enabled network data came from the execution of the Python script against the wouldensurethatthepacketssentfromthescanningtools ABB PLC. As a result of the script being executed, the ABB would reach the target devices, meaning any changes made PLC lost connection with the HMI, which in this case was an to the system would most likely be a result of vulnerabilities interfacepresentonthehostmachine.AlthoughthePython within the individual devices, rather than through constraints scripthadnotbeendesignedtogatherinformationabout ofthenetwork.Althoughthisgaveagoodinsightintothe networked devices, it demonstrated that SCADA networks capability of the scanning tools and the type of information can sufer a DoS attack from one host running a single Python that can be gained from PLCs, the experiments did not script. Not only does this emphasize the ideas drawn from address the issues of scanning on a serial network, therefore the revisited literature review, but these results also suggest leaving a large ICS/SCADA demographic unaccounted for. that if confgured incorrectly, or if there are multiple remote Te complexity of the SCADA systems used within these usersscanningthesamenetwork,activescanningtoolscould experiments did not give a true representation of the critical possibly replicate the same results as the Python script. operation of a modern SCADA system. Also the amount of On the other hand, despite the results obtained from time-critical processes loaded onto the PLC did not match running the UDP DoS experiment against the ABB PLC, the that of a true SCADA system. Having the opportunity to Python script appeared to have no efect on the SCADA net- experiment on larger, more complex networks would be work controlled by the Siemens S7 PLC. From analysing the benefcial towards validating the results and conclusions packet capture fles from both experiments, it can be stated drawn from this research. that the script used the same protocol equipped with the Finally, the creation of the Python UDP scanner provided same payload when sending trafc to each PLC. Tis again results which brought the focus of the experiments back to 20 Security and Communication Networks network constraints rather than device vulnerabilities. Tis MITM: Man-in-the-middle in turn gave the experimentation phase a broader coverage MTU: Master Terminal Unit of the possible ways network scanners could afect SCADA Nmap: Network mapper systems. Te Python script used to perform the UDP DoS- PLC: Programmable logic controller style attack is not an ofcial application or tool. Terefore, PVS: Passive Vulnerability Scanner itcouldbearguedthattheresultsgainedfromthePython RTU: Remote Terminal Unit script experiments do not meet the criteria of the research, as SCADA: Supervisory Control and Data Acquisition it is not an ofcial “scanning tool.” Although this statement SSL: Secure Sockets Layer is correct, no research had been conducted into the tools ZMap: Internet-wide scanner. capable of performing DoS attacks on a SCADA network. Instead,thePythonscriptdemonstratedtwokeyfactsabout SCADA systems. Firstly, as the UDP attack was only success- Conflicts of Interest ful on one of the PLCs, it proves that every SCADA device is diferent. Terefore, each device requires its own bespoke set Te authors declare that there are no conficts of interest of technologies in order to complete a network scan without regarding the publication of this paper. causing a malfunction. Lastly, the UDP scanner shows that, without the correct confguration, a tool such as Nmap or Supplementary Materials ZMapcouldbemisusedorconfguredincorrectlyandcause an accidental DoS on a SCADA network. Tis shows that Information regarding the tests that were conducted can be SCADA scans must be specifcally targeted and executed on found in the Supplementary Materials. Tis fle includes the a case-by-case basis, adapting and adjusting the scanning SCADA Network and Protocols Report, the Tests of Network methodology as needed. Tese results would not have been Scanners Against IP Devices, and the Tests of Network Scan- revealed without the use of the Python script. ners Against SCADA Devices. (Supplementary Materials) In order to fully understand how SCADA devices are frag- ile, rather than the constraints of SCADA networks, further References research should be conducted into the internal workings of a wide range of diferent PLCs, RTUs, and HMIs. Tis research [1] D. Kalbfeisch, SCADA Technologies and Vulnerabilities,2013, shouldelaborateontheinformationpresentedbyWedgbury http://www.cs.tufs.edu/comp/116/archive/fall2013/dkalbfeisch and Jones [31] and Wiberg [32] (see Section 3.2). Focussing .pdf. on the diferences between the SCADA devices rather than [2] CPNI and Homeland Security. (2010) “Cyber Security the types of network would provide a deeper understanding Assessments of Industrial Control Systems”, Control Systems about why certain scans succeed or fail when being executed Security Program & National Cyber Security Devision, against specifc hardware. https://scadahacker.com/library/Documents/Assessment Gui- Te active network experiments conducted within this dance/DHS. document were only executed against 2 diferent PLCs, [3]A.Nickolsonetal.,“SCADASecurityInTeLightOfCyber- both of which used Ethernet to communicate with the host Warfare,” Computers & Security,vol.31,no.4,pp.418–436,2012. machine, testing network scanners against a larger sample of [4] M. Franz, “Vulnerability Testing of Industrial Network Devi- PLCs, as well as other SCADA specifc devices such RTUs ces,”in ISA industrial network security conference, Critical Infra- and HMIs. Tis would provide more of an insight into structure Assurance Group (CIAG), Cisco Systems Inc., 2003. the possible vulnerabilities present within modern SCADA [5]M.Evans,L.A.Maglaras,Y.He,andH.Janicke,“Human systems. Testing a larger range of devices could inform the behaviour as an aspect of cybersecurity assurance,” Security and users of SCADA about the specifc devices in their systems Communication Networks,vol.9,no.17,pp.4667–4679,2016. which could be vulnerable to a network scan and what [6] N. Ayres and L. A. Maglaras, “Cyberterrorism targeting the gen- eral public through social media,” Security and Communication collateral efects this may have on the rest of the network. Tis Networks,vol.9,no.15,pp.2864–2875,2016. further research would also assist in the creation of a SCADA [7] D. Duggan, M. Berg, J. Dillinger, and J. Stamp, Penetration Test- network scanner. Tis extra information could assist in the ing of Industrial Control Systems, Sandia National Laboratories, creation of a network scanner which can gain information 2005. from both serial and Ethernet devices. [8] P. Kerr, J. Rollings, and C. Teohary, Te Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability,Congres- Abbreviations sional Research Service, 7-5700, 2010, http://www.crs.gov. [9]S.Samtani,S.Yu,H.Zhu,M.Patton,andH.Chen,“Identifying ARP: Address Resolution Protocol SCADA vulnerabilities using passive and active vulnerability CIA: Confdentiality, integrity, and availability assessment techniques,” in Proceedings of the 14th IEEE Inter- CNI: Critical National Infrastructure national Conference on Intelligence and Security Informatics, ISI CPNI: Centre for Protection of National Infrastructure 2015, pp. 25–30, USA, September 2016. DNP3: Distributed Network Protocol Version 3 [10] R. C. Bodenheim, Impact of the Shodan Computer Search Engine DoS: Denial of service on Internet-Facing Industrial Control System Devices, Air Force HMI: Human Machine Interface Institute of Technology, 2014. ICS: Industrial Control System [11] N. R. Rodofle, K. Radke, and E. Foo, “DNP3 network scanning IED: Intelligent Electronic Device and reconnaissance for critical infrastructure,” in Proceedings Security and Communication Networks 21

of the Australasian Computer Science Week Multiconference, [29] J. Vico, T. Smith, and R. Hunt, “Fully utilizing the intelligent ACSW 2016,February2016. electronic device capability to reduce wiring in industrial [12] E. D. Knapp and J. T. Langill, Industrial Network Security: electric distribution substations,”in Proceedings of the 2010 IEEE Securing critical infrastructure networks for smart grid, SCADA, Industry Applications Society Annual Meeting, IAS 2010,USA, and other Industrial Control Systems,Syngress,2014. October 2010. [13] G. Bartlett, J. Heidemann, and C. Papadopoulos, “Understand- [30] A. Wood, Y. He, L. Maglaras, and H. Janicke, ASecurity ing passive and active service discovery,” in Proceedings of Architectural Pattern for Risk Management of Industry Control the IMC’07: 2007 7th ACM SIGCOMM Internet Measurement SystemswithinCriticalNationalInfrastructure,2016. Conference, pp. 57–70, October 2007. [31] A. Wedgbury and K. Jones, Automated Asset Discovery in [14] C. K. Q. Nguyen, Industrial control systems (ICS) & super- Industrial Control Systems - Exploring the Problem, Airbus visorycontrol&dataacquisition(SCADA)cybersecurity Group Innovations Quadrant House Celtic Springs, Newport, of power grid systems: Simulation/modeling/cyber defense using NP10 8FZ, UK, 2015. open source and virtualization [Doctoral, thesis], Purdue Univer- [32] K. Wiberg, Identifying Supervisory Control And Data Acquisi- sity, 2014. tion (SCADA) Systems On A Network Via Remote Reconnais- [15]A.Stefanov,C.-C.Liu,M.Govindarasu,andS.-S.Wu,“SCADA sance, Naval Postgraduate School, Monterey, Calif, USA, 2005. modeling for performance and vulnerability assessment of [33] A. Cook, H. Janicke, R. Smith, and L. Maglaras, “Te industrial integrated cyber-physical systems,” International Transactions control system cyber defence triage process,” Computers & on Electrical Energy Systems,vol.25,no.3,pp.498–519,2015. Security,vol.70,pp.467–481,2017. [16] R. Jaronim, Emulation of Industrial Control Field Device Proto- [34] Y. Cherdantseva, P. Burnap, A. Blyth et al., “A review of cols, Air Force Institute of Technology, 2013. cyber security risk assessment methods for SCADA systems,” [17]Y.Xu,M.Baileyetal.,“Canvus:Contextawarenetworkvul- Computers & Security,vol.56,pp.1–27,2016. nerability scanning,” in In Proceedings of the 13th International [35] J. Zaddach, L. Bruno, A. Francillon, and D. Balzarotti, AVATAR: Symposium on Recent Advances in Intrusion Detection (RAID), AFrameworktoSupportDynamicSecurityAnalysisofEmbed- November 2010. ded Systems, Firmwares. In NDSS, 2014. [18] J. Gonzalez and M. Papa, “Passive scanning in modbus net- [36] L. A. Maglaras, J. Jiang, and T. J. Cruz, “Combining ensemble works,” International Federation for Information Processing,vol. methods and social network metrics for improving accuracy of 253,pp.175–187,2007. OCSVM on intrusion detection in SCADA systems,” Journal of [19] N. R. Rodofle, K. Radke, and E. Foo, “DNP3 network scanning Information Security and Applications,vol.30,pp.15–26,2016. and reconnaissance for critical infrastructure,”in Proceedings of [37] W. Gao, T. Morris, B. Reaves, and D. Richey, “On SCADA the the Australasian Computer Science Week Multiconference,pp. control system command and response injection and intrusion 1–10, Canberra, Australia, Feburary 2016. detection,” in Proceedings of the 2010 Fall General Meeting and [20] R. Deraison and R. Gula, Blended Security Assessment: Combin- eCrime Researchers Summit, eCrime 2010,October2010. ing Active, Passive and Host Assessment Techniqiues,Revison10, [38] H. Lin, A. Slagell, Z. Kalbarczyk, P.Sauer, and R. Iyer, “Runtime Tenable Network Security Inc, 2011. semantic security analysis to detect and mitigate control-related [21] D. Peterson, “Using the Nessus Vulnerability Scanner on Con- attacks in power grids,” IEEE Transactions on Smart Grid,2016. trol Systems,” Digital Bond Inc,2006. [39] T. Cruz, L. Rosa, J. Proenc¸a et al., “A Cybersecurity Detection [22] D. Myers, E. Foo, and K. Radke, “Internet-wide scanning taxon- Framework for Supervisory Control and Data Acquisition omy and framework,” in Proceedings of the Australasian Infor- Systems,” IEEE Transactions on Industrial Informatics,vol.12, mation Security Conference (ACSW-AISC),AustralianCom- no. 6, pp. 2236–2246, 2016. puter Society, Inc., January 2015. [40]A.Cook,H.Janicke,L.Maglaras,andR.Smith,“Anassessment [23] Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. A. Hal- of the application of IT security mechanisms to industrial derman, “ZMap: Fast Internet-wide Scanning and Its Security control systems,” International Journal of Internet Technology Applications,” in Proceedings of the the 22nd ACM SIGSAC and Secured Transactions,vol.7,no.2,pp.144–174,2017. Conference, pp. 542–553, Denver, Colorado, USA, October 2015. [41] M. A. Ferrag, L. A. Maglaras, H. Janicke, and J. Jiang, “A survey [24] F. Li, Z. Durumeric et al., “Youve Got Vulnerability: Exploring on privacy-preserving schemes for smart grid communica- Efective Vulnerability Notifcations,” in 25th USENIX Security tions,” https://arxiv.org/abs/1611.07722. Symposium (USENIX Security 16, USENIX,Texas,USA,2016. [42] B. Galloway and G. P. Hancke, “Introduction to industrial [25] J. J. Chromik, A. Remke, and B. R. Haverkort, “What’s under the control networks,” IEEE Communications Surveys & Tutorials, hood? Improving SCADA security with process awareness,” in vol. 15, no. 2, pp. 860–880, 2013. Proceedings of the 2016 IEEE Joint Workshop on Cyber-Physical [43] K. Stoufer, J. Falco, and K. Scarfone, Guide to Industrial Security and Resilience in Smart Grids, CPSR-SG 2016,Austria. Control Systems (ICS) Securit, National Institute of Standards [26] National Communications System. (2004) “Supervisory Con- and Technology Special Publication, 2011. trol and Data Acquisition (SCADA) Systems.”, Technical Infor- [44] Ethernet - Te Wireshark Wiki. Wiki.wireshark.org. N.p., 2017. mation Bulletin 04-1, October 2004. Web. 16 Dec. 2016. https://wiki.wireshark.org/Ethernet. [27] Motorolla INC, White Paper: SCADA Systems,Motorola,Illi- nois, USA, 2007. [28]Y.Zhang,L.Wang,Y.Xiang,andC.-W.Ten,“Inclusionof SCADA Cyber Vulnerability in Power System Reliability Assessment Considering Optimal Resources Allocation,” IEEE Transactions on Power Systems,vol.31,no.6,pp.4379–4394, 2016. International Journal of Rotating Advances in Machinery Multimedia

Journal of The Scientifc Journal of Engineering World Journal Sensors Hindawi Hindawi Publishing Corporation Hindawi Hindawi Hindawi www.hindawi.com Volume 2018 http://www.hindawi.comwww.hindawi.com Volume 20182013 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

Journal of Control Science and Engineering

Advances in Civil Engineering Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

Submit your manuscripts at www.hindawi.com

Journal of Journal of Electrical and Computer Robotics Engineering Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

VLSI Design Advances in OptoElectronics International Journal of Modelling & International Journal of Simulation Aerospace Navigation and in Engineering Observation Engineering

Hindawi Hindawi Hindawi Hindawi Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 Volume 2018 Hindawi www.hindawi.com www.hindawi.com www.hindawi.com Volume 2018

International Journal of International Journal of Antennas and Active and Passive Advances in Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration

Hindawi Hindawi Hindawi Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018