TY - GEN
T1 - Exploitation of Allen-Bradley's implementation of EtherNet/IP for denial of service against industrial control systems
AU - Grandgenett, Ryan
AU - Gandhi, Robin
AU - Mahoney, William
PY - 2014
Y1 - 2014
N2 - Supervisory Control and Data Acquisition (SCADA) systems are essential to the operation of national critical infrastructures. It is not surprising that these systems continue to be the targets of many covert and disastrous cyber-attacks. The feasibility and consequences of cyber-attacks will likely increase as more automation systems are connected to enterprise or even public computer networks. Securing SCADA communications, as well as discovering and patching security bugs before a threat agent (internal or external) can exploit them, is of critical importance. Unfortunately, many vendor implementations of the protocols that control and manage SCADA systems assume that no threats exist on the internal "private" network. This assumption of a trusted Local Area Network (LAN) is inadequate and unacceptable given the sophistication of cyber-attacks on SCADA systems. Once an attacker gains a foothold on any machine on the LAN where SCADA controllers, sensors and actuators are installed, the monitoring and disruption of the cyber-physical process becomes possible. To systematically discover vulnerabilities in SCADA control and management protocol design, we conducted research into the design of these protocols. This paper presents three proof-of-concept denial of service attacks discovered as a result of our study. These attacks expose inherent vulnerabilities in Allen-Bradley's current implementation of EtherNet/IP, a widely used SCADA protocol and ODVA (Open DeviceNet Vendors Association) standard, and the RSLogix 5000 software that designs and programs SCADA system operations. The ControlLogix EtherNet/IP Web Server Module (1756-EWEB) is used in our testbed to confirm the vulnerabilities. A cyber-physical model environment was set up to monitor, analyze, and record the SCADA system's network traffic. Reverse engineering of EtherNet/IP packets from the network traffic was performed in order to determine the structure, command options, and potentially vulnerable fields.
Our findings have led to the creation of three denial of service attacks: mass session request, command packet flooding, and TCP connection hoarding. These attack programs abuse Allen-Bradley's documented EtherNet/IP structure and commands, and the trusting nature of internal network traffic, to directly impact the availability of the SCADA system. These same attacks, executed against a real, live system, could have devastating effects; as such, the failure to recognize and fix EtherNet/IP implementation shortcomings could have lasting and widespread physical impact. This paper presents the analysis, development process, results, and potential consequences of the attack programs.
KW - Control systems
KW - Denial of service
KW - EtherNet/IP
KW - SCADA
UR - http://www.scopus.com/inward/record.url?scp=84931076534&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84931076534&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84931076534
T3 - 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014
SP - 58
EP - 65
BT - 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014
A2 - Liles, Sam
PB - Academic Conferences Limited
T2 - 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014
Y2 - 24 March 2014 through 25 March 2014
ER -