A taxonomy of security vulnerabilities in SCADA protocols

Posted on: 2008-09-26
Degree: Ph.D
Type: Dissertation
University: University of Virginia
Candidate: Igure, Vinay Mallikarjun
GTID: 1448390005965132
Subject: Engineering

Abstract/Summary:

Modern industrial facilities, such as oil refineries, chemical factories, electric power generation plants, and manufacturing facilities are large, distributed complexes. Plant operators must continuously monitor and control many different sections of the plant to ensure its proper operation. The development of networking technology has made this remote command and control feasible. The earliest control networks were simple point-to-point networks connecting a monitoring or command device to a remote sensor or actuator. These have since evolved into complex networks that support communication between a central control unit and multiple remote units on a common communication bus. The nodes on these networks are usually special purpose embedded computing devices such as sensors, actuators, and programmable logic controllers (PLCs). These industrial command and control networks are commonly called SCADA (Supervisory Control and Data Acquisition) networks.

The increasing interconnectivity of SCADA (Supervisory Control and Data Acquisition) networks has exposed them to a wide range of network security problems. One of the important issues in securing SCADA networks is to identify vulnerabilities in the SCADA communication protocols. This dissertation addresses the problem of security assessment of SCADA communication protocols. The main contribution of this dissertation is the organization of information related to known vulnerabilities in SCADA protocols into a taxonomy that provides a systematic methodology for the security assessment of other SCADA protocols.
Attack and vulnerability taxonomies have been generally accepted as a reliable method of using knowledge from past mistakes in predicting sources of vulnerabilities in new systems. The dissertation analyses existing qualitative security assessment guidelines and proposes a new framework for organizing information about known attacks and vulnerabilities to find unknown or similar vulnerabilities in new systems. There are no existing databases of vulnerabilities in SCADA protocols. In order to develop the framework for security assessment of SCADA protocols, this dissertation presents a comprehensive security assessment of one SCADA protocol. The protocol chosen for this work was the PROFIBUS protocol. The information gained from the results of this assessment is then mapped onto the general framework to develop a SCADA-protocol specific taxonomy of vulnerabilities. To demonstrate its usefulness, this new taxonomy is then used to identify vulnerabilities in the Foundation Fieldbus protocol.

Keywords/Search Tags: SCADA, Vulnerabilities, Taxonomy, Security, New, Networks