We constantly hear about cyberattacks on companies and electrical systems: hackers stop uranium enrichment centrifuges, blast furnaces overflow with liquid broom, gas pressure controls are disabled, leading to explosions… Just read the news: cyber warfare has been going on for at least 20 years. And it is not a myth.
Industrial control systems are increasingly being targeted by attackers and cyberarmies. Individual worms Stuxnet (2010) and Flame (2012) have been replaced by more sophisticated schemes of multistage attacks. For example, to spread the Havex Trojan in 2014, hackers hacked into industrial control software (SCADA) vendor websites and infected official SCADA system distributions, which were then installed at companies, allowing attackers to gain control over control systems in several European countries.
Against this backdrop, it is not unreasonable to wonder: how do attackers actually control switches and sensors via the Internet and how do they find vulnerabilities in such devices? With this article we open a series on SCADA and MODBUS to answer at least some of these questions. We will look at the MODBUS protocol and how it is used to control industrial devices.
We want to note that there is a lot of material on the Internet on this subject and you can find descriptions of any complexity if you wish. Our task is different. We want to explain everything “from scratch”, for those who wanted to understand everything, but because of the complexity of technical texts did not understand how simple it is.
To start with a little history.
Many readers are already familiar with the RS232 standard which defines the electrical signals sent by serial ports on computers. Before USB these ports were used to connect peripheral devices such as modems. RS232 is still widely used for debugging industrial devices and also as an alternative for access when the usual network connection is lost. The main limitation of RS232 is that it only allows two devices to be connected. This is because the pins at each end of the wire are active all the time, even when no data is being sent. In practice, if two transmitting devices are connected to the same wire at the same time, their operation will be like two people shouting loudly at the same time – neither of them will hear the other. Therefore, in this standard, each device requires a dedicated wire in the connector to transmit its data to the other.
What is RS485?
To solve the problems with RS232, a new standard was introduced: RS485. Like RS232, all devices must still determine the overall data rate, although RS485 can operate at up to 10 megabits per second. The RS485 standard requires transmitting devices to be “silent” when no data is being sent, which means that multiple devices can be connected to the same wire at once. This means that all recipient devices must also “listen” on the same wire, making RS485 half-duplex. This, in general, small disadvantage is fully compensated by the advantages of being able to connect many devices to the same wire line. There are also schemes where two RS485 buses are connected in parallel to the same devices, thus achieving a kind of duplex mode.
Many readers will be reminded of the old Ethernet when 10 megabits per second was connected with coaxial cables allowing several computers to be connected to the same cable. RS485 has a lot in common with the old Ethernet, but offers more flexibility in some respects.
If you recall, the old Ethernet required termination resistors, otherwise known as terminators, to be installed at the ends of the cable. In the case of RS485, resistors are required only for high-speed operation. At lower speeds, resistors are not needed. Reducing the speed in the channel allows the connecting cable to be more than 10 times longer than a 10 megabit cable, i.e. 1 km instead of 100 m.
RS485 has another limitation: no more than 32 devices can be connected to one bus.
This is where the old-fashioned parallel SCSI interface came into play, which used many RS485 parallel channels at once, forming a 50-pin bus, to ensure speed. It seemed that the old SCSI buses only ran on short cables, when in fact this was because the terminators were not installed correctly and thick cables often broke.
Unlike Ethernet, RS485 allows only one device to send bytes at a time to all the others. That is, one “talks” and all the others are “silent”. There are no MAC addresses, collision detection, data packets, or other Ethernet features in this standard. In the case of RS485, all of these are implemented in higher-level protocol software, such as was the case with RS232. RS485 is a byte stream and it is up to you to decide what those bytes will be. And whether they will be “correct”. Significant “noise” in the “line” can corrupt the data. For proper functioning in RS485 you need to define a set of rules for all devices on the bus. If two devices are transmitting data at the same time, the result will be skewed. Therefore, the first thing to do is to come up with a protocol.
Often, in RS232 the control of transmitted bytes was done by high-level protocols like SLIP or PPP. In RS485 a very common control protocol doing the same is Modbus.
Developed way back in 1979, Modbus is very simple by today’s standards. However, with that simplicity comes reliability, and many modern industrial devices still use this protocol. Modbus is an open standard, while many competing (and often superior) standards, such as BACnet, are paid and proprietary.
To prevent collisions, Modbus operates in master-slave mode. In Modbus, there is only one master device on the RS485 bus that requests data from the other slave devices. After the master initiates a request to one of the slave devices, that slave is allowed to transmit its response. This ensures that only one device transmits at a time. The CRC code in each message protects against distortion due to line noise.
Conceptually, Modbus devices are based on numbered registers, each of which can contain a numeric value. The Modbus master sends messages such as “read register X” or “write X to register Y” with the slaves returning the appropriate response.
For example, for an electricity meter, one register might contain the current mains voltage, while another register might contain the current energy consumption rate in watts. Because registers are addressed only by numbers, it is extremely important to have a register map for the device you are working with to find out which register is responsible for what or into which registers the information must be written to perform the action you want.
Registers are divided into categories. Each category can have 65,536 registers. The categories themselves are only three. The first category is called coils. It is so called because it was originally used to turn coils on and off in relays to control devices such as heaters, compressors or air conditioning. The registers in this category are only one bit wide, so they are not normally used at this time. In the other two categories, each of these registers is 16 bits wide.
Byte order(endianess) is the direction of the bits in a byte – whether they are listed from lesser to greater 12345678 (big-endian, greater at the end) or from greater to lesser 87654321 (little-endian, less at the end). Complicated? Just think of a train station – numbering the cars from the head or the tail of the train.
There is no standard for the byte order of each register value, so some devices will pass their 16-bit register values in direct byte order, while other devices will pass them backwards. Here again, you’ll have to refer to the register map to figure out what order the device is using.
Sometimes two registers are combined to store a longer, 32-bit or 64-bit value (as an integer or floating-point number). Here you also need to watch the byte order, that is, in what order the two registers are already together. Register values are written directly to the device’s microcontroller memory. Usually registers with a certain byte order are combined with registers in the same order to get 32 or 64 bit values. But sometimes there are devices that combine registers in one byte order and return register values in a different order. This is very inconvenient, but sometimes you have to put up with it. A register map is to your aid, oh, if only there were always one.
Learning to speak Modbus?
Finding a USB to RS485 adapter is not difficult at all. On your system they appear as “/dev/ttyUSB0” or “COM1:” depending on your OS.
There are many Modbus gateways that can provide an interface between RS485 and a TCP/IP network. Typically they will hang on TCP port 502 and once connected the bytes sent and received via TCP will be identical to those sent via RS485. For this reason, most Modbus utilities allow you to specify either the port or the IP address when connecting.
There are a huge number of devices in the world that speak Modbus, however, but since many of them are industrial, they can be expensive. A search for “(rs485, modbus)-usb” on AliExpress or similar will give you an idea of what to buy (this will match anything that contains the words rs485 or modbus, but ignores anything that contains “usb”, so all USB-to-RS485 will not clutter up your search results). You will find devices like moisture sensors and relay boards, however, keep in mind. Finding truly industrial devices is more difficult and sometimes you will have to dig through the device description to find what you need.
Before you buy any Modbus device, make sure that it either comes with a register map or that it can be found online. Without the register map it will be very difficult to figure out what does what.
How do I use Modbus?
In most cases, there are programs designed for specific devices, such as NUTs (Network UPS Tools), which can only communicate with certain models of redundant power supplies via Modbus. But there are also general programs such as “mbpoll” which are useful for performing raw read and write operations on Modbus devices, confirming that you are reading the register map correctly.
To really do anything useful with a Modbus device, you will have to write your own program that provides an interface between the Modbus registers and your system.
For example I wrote a program that polls the power meter connected to my computer and if the power drops below a certain threshold then the monitors go to sleep mode and therefore nobody is in the room. Then the program writes a couple of register values to a relay which turns off the power to the sound system and the lights in the room. The shutdown data is also saved to the database, which is useful for displaying the monitoring panels, from where I can time what was going on in the room.
And I can also read the temperature and humidity in different rooms by reading them from Modbus sensors located in different rooms. When I “mined” Modbus and a simple python scripto helped me calculate the cost of electricity and mining efficiency to the nearest penny.
It’s not like industrial use in any way, but using primitive circuits allowed me to learn more.
So how do they hack into the power grid?
SCADA system (Supervisory Control And Data Acquisition) is a hardware and software system designed to develop or ensure the real-time collection, processing, display and archiving of information about the object of monitoring or control. In simple terms, it is a production control system. And not only.
Although Modbus is one of the protocols used in SCADA systems, there are a number of others, such as PROFIBUS and BACnet. In particular, BACnet provides much more information about what each data point means and controls, but even this data does not yet speak for itself.
Remote investigation of the SCADA infrastructure is not an easy task, and it will likely start with getting to schematics, network architecture, and other documentation. Without that, figuring out how Modbus devices are networked, what they do, and the implications of sending them control messages will be very difficult to understand.
Access to the internal plant network should also almost certainly be obtained, since the days when unprotected devices were posted directly to the internet are over, and most even the dumbest admins now at least know that these devices do not support any security of their own.
Industrial devices are usually placed in an isolated VLAN, inaccessible from the rest of the corporate network. Gaining access to such a closed VLAN is no easy task, involving gaining access to a device that has access to this closed network, such as a data collection interface or a PC used to control SCADA systems.
In recent known attacks, attackers have spread malware to PCs controlling SCADA systems. How they managed to figure out which IP addresses to listen to, which protocols to use, which registers to write and the correct values to record, remains a mystery. After all, all they had to work with was a simulated environment based on previously downloaded schematics.
Perhaps the attack on the Ukrainian power system was thwarted because commands were sent to the wrong IP address at the last moment, so perhaps the device was replaced or moved. Or maybe the attackers just had an old version of the documentation? In that case, only RTFM will help…
There is always an opportunity to play around with the possibilities.
According to information from xakep.ru SCADA applications are full of vulnerabilities. All that’s left is to find them.
The SCADA Strange Love group has published a project on GitHub called SCADAPASS. This list contains more than one hundred products from ABB, B&B Electronics, BinTec Elmeg, Digi, Echelon, Emerson, Hirschmann, IBM, Moxa, Rockwell, Samsung, Schneider Electric, Siemens, Wago, Westermo and Yokogawa. The list included a variety of equipment – industrial routers, programmable logic controllers, servers, network modules and so on. All of these solutions are used by systems for automated process control (APCS) and have a common denominator: they come with unacceptably simple logins and passwords, for example, root:root.
Sometimes it’s that simple. And if you think this article isn’t as relevant in 2020 as it was 10 years ago, you’re wrong. Yes, admins have become more vigilant, but systems have also become much more complex. In any complex system there are delicate knots. And where the knots are thin, the knots are torn.
This article is just the beginning of our story about industrial systems and methods of their protection.
Never use the methods described in the article. This article is written for informational purposes only. The author is not responsible for the application of the skills. Otherwise, you are breaking the law.