Industrial Control Systems / Supervisory Control and Data Acquisition (ICS/SCADA) systems are widely used in critical infrastructure (CI) sectors such as power, water, and manufacturing all over the world.
If a malicious attacker impacts, takes control of, or compromises a CI system, millions could face a dangerous and chaotic situation such as no power, no water, or no way to communicate (telecommunications or Internet). These control systems form the minimum baseline for people's daily life. Within ICS/SCADA, ICS communication protocols play an important role: they carry the communication between an HMI and a PLC, or between a PLC and an engineering workstation. Due to the flourishing development of the industrial control industry, more and more ICS protocols are proposed by different PLC vendors. Some ICS protocols are public, and some are private. But most ICS protocols carry potential risks.
In our research, we analyzed more than 5 ICS protocols that are widely used in power, water, transportation, petroleum, manufacturing, and other critical infrastructure sectors. In these public and private ICS protocols, we found common flaws: the traffic is not encrypted, so attackers can sniff ICS protocol traffic, and there is no authentication or authorization, so attackers can perform ICS protocol attacks such as command injection or response injection against a PLC.
We will also demo two command injection attacks, one in a public and one in a private protocol, proving the impact these common flaws would have if exploited. We end with suggestions for a defense strategy for ICS protocols that requires neither patching nor modifying any communication protocol's settings.