#SCADAsecurity: Understanding Layer 4 and Its Importance in Scanning

PCN (Process Control Network) and SCADA (Supervisory Control and Data Acquisition) systems are critical infrastructures that are commonly used in industries such as oil and gas, manufacturing, and energy to monitor and control physical processes. These systems can be vulnerable to cyber-attacks, which can have significant consequences, ranging from equipment failure to safety hazards. As such, it is crucial to thoroughly understand the vulnerabilities and potential threats to these systems. Scanning is an essential step in inventorying PCN and SCADA assets and identifying their exposure. By conducting scans and identifying vulnerabilities and potential attack vectors, organizations can better understand their assets' security posture. In this context, Layer 4 of the OSI model, the transport layer, is critical: it is where actual connectivity to the applications and logic of the controllers takes place, and where potential vulnerabilities may exist.

Layer 4 is the transport layer, where connectivity to the applications and logic of the controllers takes place. On IP networks this typically means using either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). As mentioned earlier, IP is non-deterministic, which has implications for automated control, and Layer 4 is the first place where compensations for this occur.

TCP establishes a session to ensure data delivery. A host initiates communication by sending a TCP SYN packet. The recipient of the SYN responds with a SYN/ACK, carrying the sequence information that identifies the session, and the original host responds with a final ACK, establishing the session. Throughout the communication stream the acknowledgement process is repeated so that both ends know communication is being maintained. Checksums are an inherent part of the protocol. The time elapsed between packets sent and acknowledgements received is monitored to determine whether a session has been lost and to trigger re-establishment of the communication stream.

In a nutshell, TCP has many mechanisms built into it that compensate for some of the issues introduced by the fact that IP is non-deterministic. However, this does not mean that TCP itself is secure. There are many ways to exploit TCP, and hackers and worms use them to their advantage. The most common one, and the one that can cause issues on PLCs, is the SYN scan. It works by streaming SYN packets to all selected ports on every address to be inspected and listening for the replies. Everything that responds with a SYN/ACK is logged as open, and the handshake is never completed with the final ACK. This is where the problem arises, especially for controllers with older IP stacks: the receiving host commits resources to the half-open connection while it waits for an ACK that never comes. Although denial-of-service attacks built on this are not very effective against newer IP stacks, SYN floods can still cause headaches. Unfortunately, PLCs do not always have newer stacks, so they are often vulnerable to this.
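As an added example (not from the original article), here is how a defender might spot the pattern just described in handshake telemetry captured in front of the PLC subnet: SYNs that were answered with a SYN/ACK but never completed. The event format, the addresses and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of handshake events as a sensor in front of the PLC subnet
# might log them: (seconds, client, plc, plc_port, flag). "S", "A" and "R" are
# sent by the client, "SA" is the PLC's reply. Addresses are made up.
SAMPLE_EVENTS = [
    (0.0, "10.1.1.20", "10.1.2.5", 502, "S"),    # HMI polling a PLC: full handshake
    (0.1, "10.1.1.20", "10.1.2.5", 502, "SA"),
    (0.2, "10.1.1.20", "10.1.2.5", 502, "A"),
    (1.0, "10.1.1.20", "10.1.2.7", 502, "S"),    # PLC offline: unanswered, nothing held open
    (2.0, "10.1.1.99", "10.1.2.5", 502, "S"),    # scanner: answered, handshake never finished
    (2.1, "10.1.1.99", "10.1.2.5", 502, "SA"),
    (2.2, "10.1.1.99", "10.1.2.5", 80, "S"),
    (2.3, "10.1.1.99", "10.1.2.5", 80, "SA"),
    (2.4, "10.1.1.99", "10.1.2.5", 23, "S"),     # closed port: no SYN/ACK, no resources held
    (2.6, "10.1.1.99", "10.1.2.6", 502, "S"),
    (2.7, "10.1.1.99", "10.1.2.6", 502, "SA"),
    (2.8, "10.1.1.99", "10.1.2.6", 44818, "S"),
    (2.9, "10.1.1.99", "10.1.2.6", 44818, "SA"),
    (3.0, "10.1.1.99", "10.1.2.6", 44818, "R"),  # torn down with RST: still never completed
]

INCOMPLETE = {"synack", "reset"}

def handshake_states(events):
    """Follow each (client, plc, port) handshake through SYN -> SYN/ACK -> ACK."""
    state = {}
    for _ts, client, plc, port, flag in events:
        key = (client, plc, port)
        if flag == "S":
            state[key] = "syn"
        elif flag == "SA" and state.get(key) == "syn":
            state[key] = "synack"      # PLC has now allocated a half-open connection
        elif flag == "A" and state.get(key) == "synack":
            state[key] = "done"        # normal, completed session
        elif flag == "R" and state.get(key) == "synack":
            state[key] = "reset"       # answered but abandoned by the client
    return state

def incomplete_by_client(events):
    """Map each client to the (plc, port) pairs it left half-open or reset."""
    result = defaultdict(set)
    for (client, plc, port), s in handshake_states(events).items():
        if s in INCOMPLETE:
            result[client].add((plc, port))
    return dict(result)

def suspected_syn_scanners(events, threshold=3):
    """Clients with at least `threshold` answered-but-unfinished handshakes."""
    return sorted(c for c, t in incomplete_by_client(events).items() if len(t) >= threshold)
```

Unanswered SYNs are deliberately not counted: a closed port or an offline PLC holds no resources, so only answered-but-unfinished handshakes indicate load on the controller.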

If you plan on scanning a SCADA system for the first time, the best initial connection enumeration method is a TCP connect scan that completes the handshake and then closes the connection gracefully. Limit the scan to a few interesting ports and don't hit all 65k (at first, at least). After you have a few successful scans under your belt for that address range, expand slowly: do the fast-scan ports, then, if wanted, the whole 65k. Once you are comfortable with this, make sure you have people watching the equipment and a recovery plan in place, and only then try the SYN scans. Past this point you can go on to the rest of your vulnerability assessment or pen test. Scanning live systems always involves risk, but it is better for that risk to be taken in a controlled manner.
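An added example, not code from the article, of the gentle first pass recommended above: a paced TCP connect scan of a short port list that completes each handshake and closes gracefully, so the controller is never left with a half-open connection. The port list, the pacing and the loopback stand-in for a PLC are assumptions made for the example.

```python
import socket
import threading
import time

INITIAL_PORTS = (502, 80, 23)   # Modbus/TCP, HTTP, Telnet: a starting list, assumed here

def probe(host, port, timeout=2.0):
    """Full handshake, then a graceful close so the target never holds a
    half-open connection. Returns 'open', 'closed' (RST) or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        try:
            s.shutdown(socket.SHUT_RDWR)   # orderly FIN, not an abrupt abort
        except OSError:
            pass
        return "open"
    except socket.timeout:
        return "filtered"                  # no answer: dropped or silently ignored
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"                  # unreachable host or network
    finally:
        s.close()

def inventory(host, ports=INITIAL_PORTS, pace=0.5, timeout=2.0):
    """Probe one port at a time, pausing between probes so a slow PLC stack never sees a burst."""
    results = {}
    for port in ports:
        results[port] = probe(host, port, timeout)
        time.sleep(pace)
    return results

def local_fixture():
    """Constructed fixture: a loopback listener standing in for a PLC service,
    plus a loopback port with nothing listening. Returns (open_port, closed_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as spare:
        spare.bind(("127.0.0.1", 0))
        closed = spare.getsockname()[1]
    return srv.getsockname()[1], closed
```

Against a real PCN the pace and timeout should be set with the slowest controller in mind, and the port list widened only after the first results have been reviewed with the people watching the equipment.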

Many PLC vendors use TCP as their primary IP communication method to their controllers, and all of them use it for their historians, MES, and control aggregation systems. HTTP access to endpoints and ModBusIP are also becoming common. It is crucial to block access to the TCP port used as the primary PLC communication protocol at the point closest to the controllers that is practical. ACLs are acceptable if actual firewalls are not available. For vendors that use standard ports such as Telnet, HTTP, or RPC, this can be somewhat more difficult to do. Take advantage of point-to-point and point-to-multipoint (subnet) rules. The key is to not allow access to the PLCs from an uncontrolled network. Access to the historians and central control systems should be controlled primarily on a whitelist basis. For large engagements such as regional operation centers, it is often possible to isolate both the central and the local subnets and connect them via VPN tunnels. If you do this, it is best to also isolate the remote sites from each other.

UDP, on the other hand, is a connectionless protocol that does not guarantee delivery. However, it is faster and has less overhead than TCP, making it suitable for applications that can tolerate some data loss, such as video streaming or online gaming. While UDP may not be suitable for some control applications, it is still used for some SCADA protocols, such as ModBusUDP. ModBusUDP is an openly specified SCADA protocol that is widely used in industrial control systems. It has a simple structure and is easy to implement, making it a popular choice for small-scale applications.

It is essential to understand that scanning is just one aspect of a comprehensive security strategy. In addition to scanning, organizations should implement other security measures, such as firewalls, intrusion detection systems, and antivirus software, to protect against cyber-attacks. It is also important to keep software and firmware up-to-date to ensure that vulnerabilities are addressed promptly.

In conclusion, PCN and SCADA systems are critical infrastructures that must be protected against cyber-attacks. Scanning is an essential step in identifying and inventorying the security of these systems. Layer 4, the transport layer, is critical, as it is where actual connectivity to the applications and logic of the controllers takes place. TCP and UDP are the most commonly used protocols at this layer, and both have their strengths and weaknesses. Organizations should take a comprehensive approach to security that includes scanning, firewalls, intrusion detection systems, and antivirus software, as well as keeping software and firmware up-to-date. With the right security measures in place, organizations can protect their PCN and SCADA systems from cyber-attacks and ensure the safety and integrity of their critical infrastructure.
