Professional Documents
Culture Documents
Chapter 2
Chapter 2
Enterprise Zone
Level 5 : Enterprise
(a) (b)
Figure 2.2. (a) Purdue and (b) ISA85 models. For a color version
of this figure, see www.iste.co.uk/flaus/cybersecurity.zip
– level 1 (local or basic control): this level includes the functions involved
in the detection, observation and control of the physical process, which are
performed by information processing systems such as PLCs, Remote
Terminal Units (RTUs), etc. The latter read the data from the sensors, execute
algorithms if necessary and store the state of the physical system. They can
perform continuous control, discrete control, sequential control or batch
control. The IEC 62443 model (Figure 2.3) explicitly shows the security
(SIS) and protection systems in this level 1. The SIS are responsible for
monitoring the process and automatically returning it to a safe state if it
exceeds security limits. They also have the function of alerting the operator in
the event of imminent hazardous conditions;
– level 2 (supervision control): this level includes the functions involved
in monitoring and controlling the physical process. It includes the HMIs of
control and data acquisition systems (SCADA) and distributed systems
(DCS). Equipment at this level is generally associated with the production
area;
– level 3 (operations management): this level includes the functions
involved in flow management to achieve the desired production. These
include batch management systems or MES, as well as historical databases or
site-wide optimization or quality management systems. Part of the
supervision system may also be at this level (Figure 2.3);
– level 4 (enterprise business systems): this level includes the functions
involved in the management of manufacturing and processing operations.
Enterprise resource planning (ERP) is the main system used at this level. It
manages basic production planning, raw material use, transport and stock
levels. In general, the ERP provides the MES with a list of manufacturing
orders that the MES will have the task of executing, controlling the flow of
operations and their traceability, providing the ERP with material
consumption, production performance and the quality of the manufactured
products.
Operations/Systems
Level 3 Management
Supervisory Control
Site Monitoring &
Level 2 Local Display
Basic Control
Level 1
Safety and
Protection
Level 0
Demilitarized
Zone
Manufacturing
Zone Site manufacturing Operations and Control Level 3
Process Level 0
Safety
Safety Critical
Zone
The objects are therefore not directly connected to the Internet, but form
subnetworks that are themselves connected to the Internet. The protocol used
by these subnetworks is often specific, more adapted to the IoT in terms of
distance or energy needs (section 2.2) than the Transmission Control Protocol
(TCP)/Internet protocol (IP) stack used by the Internet (Figure 2.9).
The architecture of an IIoT system (Lin et al. 2017; Voas 2016) (Figure
2.6) is formed of three levels:
– the level that groups objects, aggregators and distribution centers. At
this level, different types of networks can be used to meet field constraints
(energy consumption, distance) and to ensure communication between
objects and equipment connected to the traditional IP data network, called
edge devices;
– the level corresponding to the processing and storage platform. At this
level, transfers use traditional computer networks, and storage is done in the
cloud on storage and data processing platforms;
– the level corresponding to use of the data: this can be done by different
components of the company, in particular by OT users for the control and
maintenance of the installations.
It can be noted that the IIoT architecture is not a simple direct connection of
devices to the Internet, but is carried out via a set of gateways that have more or
less important data processing capabilities. These gateways also allow the
various protocols used by IIoT (section 2.2) to be converted to IP.
there is motion detected, data are sent and must be processed to turn the lamps
on or off. It is more appropriate to perform this processing locally (at the
periphery, edge computing). Switching on or off according to brightness is
more global, and it is preferable to process it at the gateway (fog computing).
The company that operates the intelligent lighting system may also want to
monitor the energy efficiency and lifetime of the lamps. The data that provide
this overview of intelligent lighting usage are sent to the cloud to generate
usage reports.
IT users
Edge Applications
gateway
Control Operations domain
Asset OT users
Management
& Monitoring
Data
2.2.1. Topology
The first step in building a network is to define how the workstations are
connected to each other. There are different topologies: star, bus, mesh
(partial or total), ring. Depending on the topology chosen, it will be easier to
wire or more robust against connection failures.
Ring Star
Mesh Bus
There are different types of networks that are classified according to their
scope and maximum throughput:
– a Local Area Network (LAN) is a corporate network that is usually
limited to a building, a floor or a room. In modern networks, most computers
are connected to a local network via one or more switches. Several local
networks can be connected via a router or a virtual private network (VPN)
(section 2.2.3). A LAN can be wired or wireless and, in this case, it most
often uses the Wi-Fi protocol;
– a Personal Area Network (PAN) is a network that covers a small area,
of the order of a few tens of meters, centered around a person and uses
protocols such as Bluetooth classic or Bluetooth Low Energy (BLE), IEEE
802.15.4, Zigbee or ISA100.11a, which are detailed below;
– a Low-Power Wide Area Network (LPWAN) is a network that can have
a range of up to 10 km and uses protocols such as LoRaWAN or SigFox. The
flow rate is limited, but it uses little energy.
hosts
4 Segments the message, manages errors Transport layer
Transport TCP or UDP
3 Manages the IP packets Internet layer
Network ICMP, ARP, RARP
2 Transports data between two MAC Network interface
Data link addresses Ethernet, Token ring,
Carries out physical transport FDDI, Wifi …
1 Physical
2.3.1. Ethernet
Over the years, Ethernet has become the standard protocol for wired
communication. It operates at level 2 and uses the MAC addresses of the
various connected devices to transport the data. The IEEE 802.3 standard
defines the standard version of Ethernet with the carrier sense multiple
36 Cybersecurity of Industrial Systems
100
802.15.4
802.15.1
Zigbee
Bluetooth 802.11
10 6LowPAN
classic WiFi
ISA100
WirelessHART BLE
1
2.3.2. Wi-Fi
The range can reach several tens of meters indoors, if there are no
obstacles.
A low-power version called BLE has been developed for the IoT. Version
5, adopted in 2016, increases the range to 300 m, with a throughput of 2
Mbit/s.
These protocols are used as protocols for IIoT field networks between
objects and concentrators.
38 Cybersecurity of Industrial Systems
The range can be up to 10 km, and the flow rate is quite low. For example,
it is around 100 bps for Sigfox and 0.25-50 kbps for LoRa. The devices
targeted are low-energy sensor networks.
IP is one of the main protocols used by the Internet. The most widely used
version is the IPv4 version. Like Ethernet, it is a stateless protocol (no
session information), which means that it does not know any relationship
between packets. This protocol is used to define the source and destination
host on layer 3, to find the (fastest) path between two communication
partners, to route packets and to handle errors with Internet Control Message
Protocol (ICMP). For example, an error occurs if the destination is
inaccessible.
Applicaon Applicaon
header SMTP, HTTP, FTP etc.
TCP
Applicaon data TCP: transport
header
IP TCP
Applicaon data IP:
header header
Ethernet header IP TCP
Preamble , @dest, @source, type header header
Applicaon data CRC Ethernet, X25 etc.
0 4 10 16 19 24 31
Source Port Destination Port
Sequence Number
Acknowledgment Number
Len Reserved Flags Window
Checksum Urgent Pointer
Options... Padding
Data...
numbers all packets to ensure that they are processed in the same order as the
one transmitted by the source system. The destination host sends an
acknowledgment to inform the source that the packet has been received
correctly after checking a checksum, otherwise the source retransmits the
packet. Finally, TCP allows the use of ports. The port of the sending instance
is called a “source port” and the receiving port on the target is called a
“destination port”. Commonly used application protocols such as HTTP,
FTP, IRC, etc., have a default port of less than 1024. For example, an HTTP
server normally listens on port 80.
Sender Receiver
SYN
x=rand()
SYN
X+1 y=rand()
ACK
Y+1 x+1
A SYN
S flood attack works by b not respon nding to the server with the
expected ACK code. The malicioous client eith her cannot sennd the expected
acknowwledgment of receipt
r or, by usurping
u the source
s IP addrress in the SY
YN,
force thhe server to send
s the SYNN-ACK to a fake IP addrress, which w will
thereforre not send ann ACK, because it has neveer sent a SYN.. The server w will
wait forr the acknowwledgment of receipt for so ome time, as simple netwoork
congestion could alsso be the cauuse of the miissing ACK. However, in an
attack, semiopen coonnections crreated by thee malicious client consume
resourcees on the server, and can ulttimately exceed the availabble resources aand
cause a server servicee failure.
UDP is, like TCP, a transport layer protocol, but unlike TCP, it does not
manage the notion of session and is therefore classified as stateless. In
addition, it does not manage the loss of packet order and only implements the
addressing of programs by ports. A typical UDP header is shown in Figure
2.15. UDP is mainly used for streaming services such as radio or Internet TV,
but it is also the most widely used transport protocol for DNS. The advantage
of UDP is its much higher speed than TCP.
IPv6 is the latest version of the IP. It is an improvement of IPv4 that has
been developed to address the main deficiencies of IP4, including address
depletion and security. IPv4 addresses have 32 bits (4 bytes): they change to
128 bits with IPv6, which is adapted to the development of the IoT. We have
about 3.4 × 1038 addresses. To better understand the size of this address space,
it can be seen that each human being will be able to have at least several
billions of billions of addresses. An example of an IPv6 address is as follows:
4440:1023:AABA:0A01:0055:5054:9ABC:ABB0
The ARP protocol, used by IPv4 to perform MAC address and IP address
matching, is replaced by Neighbor Discovery Protocol (NDP) and SEcure
Neighbor Discovery (SEND). One of the vulnerabilities allowing Man In The
Middle attacks (Chapter 4) disappears.
Both IPv4 and IPv6 versions can coexist on the same network.
2.5.1. Introduction
Since the 1990s, there has been a convergence of protocols that first used
Ethernet 802.3, then wherever real-time aspects are not critical, use IP, which
also allows the use of Wi-Fi equipment. IP network equipment is ubiquitous,
easy to deploy, relatively inexpensive and well known to administrators. This
technology facilitates the connection of manufacturing systems with the
company’s IT systems for better production management. It should also be
noted that this convergence is not limited to ICS and business management
aspects, but that voice (VoIP), television, video surveillance, and many
services also use IP networks. It explains the significant increase in
companies’ vulnerability to cyber-attacks.
2.5.2. Modbus
Application Layer
Modbus on TCP
IP Network Layer
EIA/TIA-232C
Physical Layer Physical Layer Physical Layer
EIA/TIA-485
In general, the TCP/IP version is used between levels 1 and 2, that is,
between PLCs and supervision, whereas the RTU version is used between
levels 0 and 1 to connect PLCs and Intelligent Electronic Devices (IEDs) to
PLCs. The trend is toward a generalization of TCP/IP even at the lowest
levels.
46 Cybersecurity of Industrial Systems
The Modbus protocol is not secure, the frame content (Figure 2.17) is
easily accessible, and they can be easily modified. In addition, since some
commands can be issued in broadcast mode (sent to all receivers), a denial of
service (DoS) attack can easily be performed. The vulnerability of Modbus is
all the more worrying as it is used over TCP/IP.
IT
Applications Profinet applications
HTTP
SNMP, Real-time Real-time
DHCP, Data Data IRT IRT
etc. Isochronous Standard Isochronous Standard
Real Time channel Real Time channel
TCP/UDP channel channel …
Real time
IP Time
(b)
Ethernet
(a)
Profinet does not have any native security features. The functionalities
incorporated in the protocol focus on improving system availability and
operational reliability. To prevent potential attacks on a Profinet network, it
is necessary to set up a segmentation of networks, Virtual LANs (VLAN) or
introduce a DMZ (Chapter 10).
design, AS-i does not work over TCP/IP and is not one of the most
vulnerable protocols.
Security services are offered at the data link level (level 2) and at the
network level (level 3) in order to obtain a level of security equivalent to the
wired solution. All messages are encrypted.
Start
RTR-
Identifier Length Data CRC ACK EOF
1 IDE-r0
11 bits 3 bits 4 bits 0-64 bits 15 bits 3 bits 8 bits
TCP/UDP
CompoNet ControlNet DeviceNet
Network and Transport Network and Transport Network and Transport
IP
Although CIP uses a formalized model, it does not define any mechanism,
implicit or explicit, for security. In addition, it defines objects required to
identify devices, which can facilitate the discovery of equipment in the
network and provide targets for attackers. Since there are also common
application objects for exchanging information between devices, an intruder
is able to manipulate a wide range of industrial devices using this type of
object. In addition, the characteristics of some CIP messages (real-time,
multicast) are incompatible with communication encryption, so CIP does not
provide mechanisms to do this.
Binary Webservice
Hybrid
Message UA Secure
HTTPS with UA Binary
Transport
SSL/TLS
security
4840 443 80
The use of DCOM and RPC (Remote Process Call) makes OPC very
vulnerable to attacks and, as OPC is based on OLE, it can also be affected by
all its vulnerabilities. In addition, since OPC is running on Windows, it can
also be affected by all operating system vulnerabilities. As it is quite difficult
to apply patches to industrial control systems, many vulnerabilities already
discovered and for which patches are available continue to be exploitable on
some industrial control networks.
There are many other protocols such as Powerlink Ethernet (another real-
time version of Ethernet), EtherCAT (Ethernet for Control Automation
Technology) and KNX (specialized for building). Details on these protocols
can be found in Zurawski (2014).
A number of protocols have been developed for the IoT. A first protocol,
called 6LowPAN, is located between the network layer and the link layer of
the OSI model, while others are at application level, such as Message
Queuing Telemetry Transport (MQTT) and Constrained Application Protocol
(CoAP), and are located at level 7 of the OSI model (Figure 2.11).
2.6.1. 6LowPAN
MQTT was developed in 1999, but with the exponential growth of the IoT,
and the need to connect and communicate low-powered intelligent devices,
MQTT has recently found a market. MQTT was designed to be a low overload
protocol, which took into account bandwidth and processor limitations.
Each message has an address, called a “topic”. For example, the name of
a topic can be temperature. Namespaces are structured in a tree
structure such as:
plant1/compressor/valve1/temperature
54 Cybersecurity of Industrial Systems
plant1/compressor/+
2.6.3. CoAP
Like the latter, CoAP is a document transfer protocol. CoAP packets are
much smaller than HTTP streams. Encoding is done to save space. Packages
are simple to generate and can be analyzed without consuming a lot of
memory. CoAP works on UDP, not TCP. Clients and servers communicate
via stateless datagrams, and CoAP allows UDP broadcasting and multicast
broadcasting. CoAP follows a client/server model. Clients make requests to
servers, and servers send responses. Customers can read, modify, create and
delete resources.
and allows real-time data exchanges that are reliable, efficient and
interoperable. It works in publish/subscribe mode. DDS meets the needs of
applications such as financial trading, air traffic control, smart grid
management and other Big Data applications.