Way back, before Programmable Logic Controllers (PLCs) became the norm, plant floor automation was performed with racks and racks of industrial relays, pneumatic plunger timers, and electromagnetically counters to control the starting and stopping of motors, opening of valves, and other control-related process interactions. The program that ran the control for such a setup was not a program at all but a combination of interconnected circuits, timers, and relays. By forming the electrical paths, physical actions such as opening valves, running motors, and turning on lights were accomplished. The programmer of a relay system like this was the plant floor electrical engineer and program changes involved physically changing the electrical circuits. There was no programmer's Terminal or interface to connect to and there weren&apos...

Introduced in 1979, Modbus has been the de facto standard ever since. Modbus is an application layer messaging protocol. Placed at level 7 of the OSI model, it provides client/server communication between devices connected via different types of communication buses or communication media. Modbus is the most widely used ICS protocol, mainly because it's a proven and reliable protocol, simple to implement, and open to use without any royalties:

On the left-hand side in the preceding figure, we see Modbus communicating over serial (RS-232 or RS-485). The same application layer protocol is used for communicating over Ethernet, as shown on the right-hand side.

The Modbus protocol is built upon a request and reply model. It uses Function Code in combination with a data section. The Function Code specifies which service is requested for or responded to...

Process Field Net, or PROFINET, is an industry technical standard in accordance with IEC 61784-2. It is used for data communication over Industrial Ethernet and designed for collecting data from, and controlling of, equipment in Industrial systems with delivery time approaching of 1 ms. The standard is maintained and supported by PROFIBUS & PROFINET International (PI), an umbrella organization headquartered in Karlsruhe, Germany.

PROFINET shouldn't be confused with PROFIBUS, which is a fieldbus communication standard for real-time automation purposes, first introduced in 1989 by the German department of education and research and later adopted by Siemens. The following diagram shows the specific place in the Industrial control system for each protocol:

 

PROFINET supports Ethernet, HART, ISA100, and Wi-Fi, as well as legacy buses found on older...

Although not directly industrial control protocols by themselves, the upcoming sections are a list of common IT protocols that can be found on OT networks. The list includes a summarization of their well-known vulnerabilities.

Many ICS devices will have built-in diagnostic web pages and some form of web server to allow access to the diagnostic pages. HTTP is known to have the following vulnerabilities:

• Vulnerable HTTP server application code
• Hard coded credentials
• SQL injection
• Cross-site scripting
• Broken authentication and session management
• Insecure direct object references
• Cross-site request forgery
• Security misconfiguration
• Insecure cryptographic storage
• Failure to restrict URL...

This chapter covers only some of the vulnerabilities found in only some of the industrial protocols out there. There are many more protocols and many more vulnerabilities and exploitation methods we could discuss, probably filling an entire book by itself. I choose the protocols that did make the chapter based on their prevalence out on the ICS networks in plants and factories. Then, I picked the most obvious vulnerabilities for those protocols. As it turns out, these vulnerabilities are also easy to exploit. This is the state of affairs ICS security is in, unfortunately. Apart from one or two extremely well-funded attacks, most ICS (OT) breaches use attack vectors that were eliminated from IT networks ages ago. A recently discovered malware campaign is a great example of this. The malware that took down the Ukrainian power grid in 2015 was first believed to be a...