Industrial Control Systems / Supervisory Control and Data Acquisition (ICS/SCADA) are the lifeblood of any critical infrastructure, and play an important role in any operation's ability to communicate between ICS components, relay sensitive data, and manage critical sensors and equipment. Because of the specific and unique needs of the industrial control industry, more and more ICS vendors are deciding either to use public network protocols or to create private proprietary protocols tailored to the needs of their programmable logic controller (PLC) product lines. Whether a public or a private ICS protocol is chosen, security concerns must be balanced against operational requirements, and each protocol carries its own potential risk profile; we review them one by one.
In our research, we analyze six ICS protocols (three public and three private) that are widely used in critical infrastructure sectors such as power, water, transportation, petroleum and manufacturing. In both the public and the private ICS protocols we found the same common flaws: because communication is not encrypted, an attacker can easily sniff ICS protocol traffic, and because there is no authentication or authorization, an attacker can perform ICS protocol attacks such as command injection or response injection against a PLC. We also provide four attack demos, on one public and one private protocol, which prove that these common flaws can have a huge impact on ICS.
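The two flaws named above (cleartext traffic and writes accepted without authentication) mean that a PLC cannot tell an authorized master from an attacker; the only place that distinction can be made is a network monitor or firewall in front of the PLC. The following passive monitor is an added example, not code from the research described here, and it assumes Modbus/TCP as a representative public ICS protocol (the research does not name its six protocols), constructed sample frames and IP addresses, and a hypothetical allow-list `AUTHORIZED_WRITERS` of hosts permitted to issue write commands. It parses the cleartext MBAP header and PDU, which shows how much a passive observer can read, and raises an alert when a write function code arrives from a host that is not on the allow-list.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus/TCP is assumed here as a representative public ICS protocol; the
# research above does not name its six protocols, so this is an illustration.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allow-list of hosts permitted to issue writes (e.g. the HMI).
# The protocol itself has no authentication, so this policy must be enforced
# by the network monitor or firewall, not by the PLC.
AUTHORIZED_WRITERS = {"10.0.0.10"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]
    value: Optional[int]


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request (MBAP header + PDU).

    Everything is cleartext, which is exactly why a passive observer can
    decode register addresses and values from the wire.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus/TCP" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    data = frame[8:]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    # For single-coil/register writes the 16-bit value follows the address.
    value = None
    if function in (5, 6) and len(data) >= 4:
        value = struct.unpack(">H", data[2:4])[0]
    return ModbusRequest(src, dst, tid, unit, function, address, value)


def assess(req: ModbusRequest) -> List[str]:
    """Return alert strings for one request; an empty list means nothing to flag."""
    alerts = []
    if req.function in WRITE_FUNCTIONS and req.src not in AUTHORIZED_WRITERS:
        # The PLC would accept this write from anyone; only the monitor can tell.
        alerts.append(
            f"unauthorized write from {req.src} to {req.dst} unit {req.unit_id}: "
            f"{WRITE_FUNCTIONS[req.function]} addr={req.address} value={req.value}")
    elif req.function not in WRITE_FUNCTIONS and req.function not in READ_FUNCTIONS:
        alerts.append(f"unexpected function code {req.function} from {req.src}")
    return alerts


def monitor(frames: List[Tuple[str, str, bytes]]) -> List[str]:
    """Assess a list of (src, dst, frame) tuples, reporting malformed frames too."""
    alerts = []
    for src, dst, frame in frames:
        try:
            req = parse_modbus_tcp(src, dst, frame)
        except ValueError as exc:
            alerts.append(f"malformed frame from {src}: {exc}")
            continue
        alerts.extend(assess(req))
    return alerts


# Constructed sample traffic (not captured from any real system).
SAMPLE_FRAMES = [
    # Authorized HMI reads 10 holding registers starting at address 0: benign.
    ("10.0.0.10", "10.0.0.50", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Authorized HMI writes register 1 := 0x0064: allowed by the policy.
    ("10.0.0.10", "10.0.0.50", bytes.fromhex("0002 0000 0006 01 06 0001 0064")),
    # Unknown host writes register 1 := 0x00ff: the PLC accepts it, the monitor flags it.
    ("10.0.0.99", "10.0.0.50", bytes.fromhex("0003 0000 0006 01 06 0001 00ff")),
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_FRAMES):
        print(line)
```

Running the block prints a single alert for the third frame. The point of the design is that the allow-list lives in the monitor, not in the PLC: since the protocol carries no credentials, source address and function code are the only attributes a defender has to work with, and the same cleartext parsing that lets an attacker read the traffic is what lets the monitor inspect it.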