Exploitation of Allen Bradley's implementation of etherNet/IP for denial of service against industrial control systems

Ryan Grandgenett, Robin Gandhi, William Mahoney

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations

Abstract

Supervisory Control and Data Acquisition (SCADA) systems are essential to the operation of national critical infrastructures. It is not surprising that these systems continue to be the targets of many covert and disastrous cyberattacks. The feasibility and consequences of cyber-attacks will likely increase as more automation systems are connected to enterprise or even public computer networks. Securing SCADA communications as well as discovering and patching security bugs before a threat agent (internal or external) can exploit them is of critical importance. Unfortunately many vendor implementations of the protocols that control and manage SCADA systems assume that no threats exist on the internal "private" network. This assumption of a trusted Local Area Network (LAN) is inadequate and unacceptable given the sophistication of cyber attacks on SCADA systems. Once an attacker gains a foothold on any machine on the LAN where SCADA controllers, sensors and actuators are installed, the monitoring and disruption of cyber physical process becomes possible. To systematically discover vulnerabilities in SCADA control and management protocol design, we conducted research into the design of these protocols. This paper presents three proof-of-concept denial of service attacks discovered as a result of our study. These attacks expose inherit vulnerabilities in Allen-Bradley's current implementation of EtherNet/IP, a widely used SCADA protocol and ODVA (Open DeviceNet Vendors Association) standard, and the RSLogix 5000 software that designs and programs SCADA system operations. The ControlLogix EtherNet/IP Web Server Module (1756-EWEB) is used in our testbed to confirm the vulnerabilities. A cyber-physical model environment was set up to monitor, analyze, and record the SCADA system's network traffic. Reverse engineering of EtherNet/IP packets from the network traffic was performed in order to determine the structure, command options, and potential vulnerable fields. Our findings have led to the creation of three denial of service attacks: mass session request, command packet flooding, and TCP connection hoarding. These attack programs abuse Allen Bradley's EtherNet/IP documented structure, commands, and trusting nature of internal network traffic to directly impact the availability of the SCADA system. These same attacks, executed against a real, live system, could have devastating effects; as such the failure to recognize and fix EtherNet/IP implementation shortcomings could have lasting and widespread physical impact. This paper presents the analysis, development process, results, and potential consequences of the attack programs.

Original languageEnglish (US)
Title of host publication9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014
EditorsSam Liles
PublisherAcademic Conferences Limited
Pages58-65
Number of pages8
ISBN (Electronic)9781632660626
Publication statusPublished - Jan 1 2014
Event9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014 - West Lafayette, United States
Duration: Mar 24 2014Mar 25 2014

Publication series

Name9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014

Other

Other9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014
CountryUnited States
CityWest Lafayette
Period3/24/143/25/14

    Fingerprint

Keywords

  • Control systems
  • Denial of service
  • Ethernet/IP
  • SCADA

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Safety, Risk, Reliability and Quality

Cite this

Grandgenett, R., Gandhi, R., & Mahoney, W. (2014). Exploitation of Allen Bradley's implementation of etherNet/IP for denial of service against industrial control systems. In S. Liles (Ed.), 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014 (pp. 58-65). (9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014). Academic Conferences Limited.