Exploitation of Allen Bradley's implementation of etherNet/IP for denial of service against industrial control systems

Ryan Grandgenett, Robin Gandhi, William Mahoney

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

3 Citations (Scopus)

Abstract

Supervisory Control and Data Acquisition (SCADA) systems are essential to the operation of national critical infrastructures. It is not surprising that these systems continue to be the targets of many covert and disastrous cyber-attacks. The feasibility and consequences of cyber-attacks will likely increase as more automation systems are connected to enterprise or even public computer networks. Securing SCADA communications, as well as discovering and patching security bugs before a threat agent (internal or external) can exploit them, is of critical importance. Unfortunately, many vendor implementations of the protocols that control and manage SCADA systems assume that no threats exist on the internal "private" network. This assumption of a trusted Local Area Network (LAN) is inadequate and unacceptable given the sophistication of cyber-attacks on SCADA systems. Once an attacker gains a foothold on any machine on the LAN where SCADA controllers, sensors and actuators are installed, the monitoring and disruption of cyber-physical processes becomes possible. To systematically discover vulnerabilities in SCADA control and management protocol design, we conducted research into the design of these protocols. This paper presents three proof-of-concept denial of service attacks discovered as a result of our study. These attacks expose inherent vulnerabilities in Allen-Bradley's current implementation of EtherNet/IP, a widely used SCADA protocol and ODVA (Open DeviceNet Vendors Association) standard, and the RSLogix 5000 software that designs and programs SCADA system operations. The ControlLogix EtherNet/IP Web Server Module (1756-EWEB) is used in our testbed to confirm the vulnerabilities. A cyber-physical model environment was set up to monitor, analyze, and record the SCADA system's network traffic. Reverse engineering of EtherNet/IP packets from the network traffic was performed in order to determine the structure, command options, and potentially vulnerable fields. Our findings have led to the creation of three denial of service attacks: mass session request, command packet flooding, and TCP connection hoarding. These attack programs abuse Allen-Bradley's documented EtherNet/IP structure and commands, and the trusting nature of internal network traffic, to directly impact the availability of the SCADA system. These same attacks, executed against a real, live system, could have devastating effects; as such, the failure to recognize and fix EtherNet/IP implementation shortcomings could have lasting and widespread physical impact. This paper presents the analysis, development process, results, and potential consequences of the attack programs.

Original language: English (US)
Title of host publication: 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014
Editors: Sam Liles
Publisher: Academic Conferences Limited
Pages: 58-65
Number of pages: 8
ISBN (Electronic): 9781632660626
State: Published - Jan 1 2014
Event: 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014 - West Lafayette, United States
Duration: Mar 24 2014 to Mar 25 2014

Publication series

Name: 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014

Other

Other: 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014
Country: United States
City: West Lafayette
Period: 3/24/14 to 3/25/14

Fingerprint

SCADA systems
Ethernet
Control systems
Data acquisition
Network protocols
Local area networks
Critical infrastructures
Reverse engineering
Software design
Computer networks
Testbeds
Actuators
Servers
Automation
Availability
Controllers
Monitoring
Communication
Sensors
Industry

Keywords

  • Control systems
  • Denial of service
  • Ethernet/IP
  • SCADA

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Safety, Risk, Reliability and Quality

Cite this

Grandgenett, R., Gandhi, R., & Mahoney, W. (2014). Exploitation of Allen Bradley's implementation of etherNet/IP for denial of service against industrial control systems. In S. Liles (Ed.), 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014 (pp. 58-65). (9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014). Academic Conferences Limited.

@inproceedings{aac92a91d2a34c169d3431a004900532,
title = "Exploitation of Allen Bradley's implementation of etherNet/IP for denial of service against industrial control systems",
abstract = "Supervisory Control and Data Acquisition (SCADA) systems are essential to the operation of national critical infrastructures. It is not surprising that these systems continue to be the targets of many covert and disastrous cyber-attacks. The feasibility and consequences of cyber-attacks will likely increase as more automation systems are connected to enterprise or even public computer networks. Securing SCADA communications, as well as discovering and patching security bugs before a threat agent (internal or external) can exploit them, is of critical importance. Unfortunately, many vendor implementations of the protocols that control and manage SCADA systems assume that no threats exist on the internal {"}private{"} network. This assumption of a trusted Local Area Network (LAN) is inadequate and unacceptable given the sophistication of cyber-attacks on SCADA systems. Once an attacker gains a foothold on any machine on the LAN where SCADA controllers, sensors and actuators are installed, the monitoring and disruption of cyber-physical processes becomes possible. To systematically discover vulnerabilities in SCADA control and management protocol design, we conducted research into the design of these protocols. This paper presents three proof-of-concept denial of service attacks discovered as a result of our study. These attacks expose inherent vulnerabilities in Allen-Bradley's current implementation of EtherNet/IP, a widely used SCADA protocol and ODVA (Open DeviceNet Vendors Association) standard, and the RSLogix 5000 software that designs and programs SCADA system operations. The ControlLogix EtherNet/IP Web Server Module (1756-EWEB) is used in our testbed to confirm the vulnerabilities. A cyber-physical model environment was set up to monitor, analyze, and record the SCADA system's network traffic. Reverse engineering of EtherNet/IP packets from the network traffic was performed in order to determine the structure, command options, and potentially vulnerable fields. Our findings have led to the creation of three denial of service attacks: mass session request, command packet flooding, and TCP connection hoarding. These attack programs abuse Allen-Bradley's documented EtherNet/IP structure and commands, and the trusting nature of internal network traffic, to directly impact the availability of the SCADA system. These same attacks, executed against a real, live system, could have devastating effects; as such, the failure to recognize and fix EtherNet/IP implementation shortcomings could have lasting and widespread physical impact. This paper presents the analysis, development process, results, and potential consequences of the attack programs.",
keywords = "Control systems, Denial of service, Ethernet/IP, SCADA",
author = "Ryan Grandgenett and Robin Gandhi and William Mahoney",
year = "2014",
month = "1",
day = "1",
language = "English (US)",
series = "9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014",
publisher = "Academic Conferences Limited",
pages = "58--65",
editor = "Sam Liles",
booktitle = "9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014",
}

TY - GEN

T1 - Exploitation of Allen Bradley's implementation of etherNet/IP for denial of service against industrial control systems

AU - Grandgenett, Ryan

AU - Gandhi, Robin

AU - Mahoney, William

PY - 2014/1/1

Y1 - 2014/1/1

AB - Supervisory Control and Data Acquisition (SCADA) systems are essential to the operation of national critical infrastructures. It is not surprising that these systems continue to be the targets of many covert and disastrous cyber-attacks. The feasibility and consequences of cyber-attacks will likely increase as more automation systems are connected to enterprise or even public computer networks. Securing SCADA communications, as well as discovering and patching security bugs before a threat agent (internal or external) can exploit them, is of critical importance. Unfortunately, many vendor implementations of the protocols that control and manage SCADA systems assume that no threats exist on the internal "private" network. This assumption of a trusted Local Area Network (LAN) is inadequate and unacceptable given the sophistication of cyber-attacks on SCADA systems. Once an attacker gains a foothold on any machine on the LAN where SCADA controllers, sensors and actuators are installed, the monitoring and disruption of cyber-physical processes becomes possible. To systematically discover vulnerabilities in SCADA control and management protocol design, we conducted research into the design of these protocols. This paper presents three proof-of-concept denial of service attacks discovered as a result of our study. These attacks expose inherent vulnerabilities in Allen-Bradley's current implementation of EtherNet/IP, a widely used SCADA protocol and ODVA (Open DeviceNet Vendors Association) standard, and the RSLogix 5000 software that designs and programs SCADA system operations. The ControlLogix EtherNet/IP Web Server Module (1756-EWEB) is used in our testbed to confirm the vulnerabilities. A cyber-physical model environment was set up to monitor, analyze, and record the SCADA system's network traffic. Reverse engineering of EtherNet/IP packets from the network traffic was performed in order to determine the structure, command options, and potentially vulnerable fields. Our findings have led to the creation of three denial of service attacks: mass session request, command packet flooding, and TCP connection hoarding. These attack programs abuse Allen-Bradley's documented EtherNet/IP structure and commands, and the trusting nature of internal network traffic, to directly impact the availability of the SCADA system. These same attacks, executed against a real, live system, could have devastating effects; as such, the failure to recognize and fix EtherNet/IP implementation shortcomings could have lasting and widespread physical impact. This paper presents the analysis, development process, results, and potential consequences of the attack programs.

KW - Control systems

KW - Denial of service

KW - Ethernet/IP

KW - SCADA

UR - http://www.scopus.com/inward/record.url?scp=84931076534&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84931076534&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84931076534

T3 - 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014

SP - 58

EP - 65

BT - 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014

A2 - Liles, Sam

PB - Academic Conferences Limited

ER -