
Communication Technology Relevant to OT Environment – with solutions

Exercise 1: Basic Communication

Respond to the following questions:

  1. Which of the following is a common Layer 2 protocol?

    1. Ethernet
    2. TCP
    3. HTTP
    4. FTP
  2. Routers use MAC addresses to forward data to the correct destination within the same local network. Is this correct?

  3. Routers operate at the Data Link Layer to forward data to the correct destination based on MAC addresses. Is this correct?
  4. IP addresses are used at the Network Layer to identify devices on a network. Is this correct?
  5. Which of the following is a common Layer 3 protocol?

    1. IP (Internet Protocol)
    2. ARP (Address Resolution Protocol)
    3. ICMP (Internet Control Message Protocol)
    4. All of the above
  6. Which Wireshark display filter would you use to show only HTTP traffic?

    1. tcp.port == 80
    2. http
    3. ip.addr == 192.168.1.1
    4. dns
  7. Which Wireshark display filter would you use to show only traffic to or from a specific IP address?

    1. ip.addr == 192.168.1.100
    2. tcp.port == 80
    3. http
    4. dns
Solution

The solutions are:

  1. Ethernet
  2. True
  3. False
  4. True
  5. d.
  6. a. and b.
  7. a.

Exercise 2: IP addressing

Figure out what the IP address of zhaw.ch is and check whether it already belonged to the same organization in 1999 (with the help of the present file, sourced from https://www.aturtschi.com/whois/networks.html).

Write down:

  1. what the IP address is
  2. whether it already belonged to the same organization (and, if not, to which organization)
  3. who manages it now
Solution

The solutions are:

  1. 160.85.104.112 (using dig zhaw.ch or similar)
  2. No, it belonged to Technikum Winterthur Ingenieurschule|TWI|Technikumstr. 9|CH-8401 Winterthur|Switzerland
  3. Both ZHAW and Switch are declared as maintainers (https://apps.db.ripe.net/db-web-ui/fulltextsearch -> https://rest.db.ripe.net/RIPE/inetnum/160.85.0.0%20-%20160.85.255.255.txt)

Exercise 3: Wireshark usage

In one of the previous use cases, you looked into the NHS attack. In this context, using the related pcap file, please respond to the following questions:

  1. In the referenced pcap file related to the WannaCry attack, can you state which URL is used for the kill switch and in which frame it is contained?
  2. Can you find a way to show the following picture in Wireshark that helps in understanding the communication of WannaCry?
Solution
  1. In the 1st request, which is a DNS query, you will see the URL value (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com)
  2. From Statistics, pick “Flow Graph” as per the image below

Note : for more details about the attack itself, head to https://cloud.google.com/blog/topics/threat-intelligence/wannacry-malware-profile/.

Exercise 4: MODBUS security

We have seen in the course that MODBUS does not have any built-in security. In order to counter this important weakness, https://www.modbus.org has published a protocol specification addressing this situation. Skim through it and summarise what the proposed solution entails.

Solution

The organisation puts forth the following Modbus/TCP Security Principles:

  • Modbus/TCP Security on port 802
  • X.509v3 certificate-based identity and authentication with TLS
  • Mutual client/server TLS authentication
  • Authorization using roles transferred via certificates
  • Authorization rules are product specific
  • No changes to MBAP (the Modbus Application Protocol header)

Exercise 5: EtherCAT

We have seen that EtherCAT is peculiar in that one frame contains multiple messages. Analyze the capture and, looking at datagram number 29:

  • state what the Ethernet destination is
  • assess whether this may be compatible with standard Ethernet
  • name how many commands there are
  • explain what these commands do (for this, Beckhoff's site may be useful)

Note

The capture is the official example from the Wireshark project. One can find it under https://wiki.wireshark.org/samplecaptures#ethercat

Solution
  1. In the Ethernet layer, the broadcast address is used
  2. As it is broadcast, it would be flooded by all switches the datagram encounters - but EtherCAT does not allow a switch in the segment. So, from a frame definition perspective, this is standard. However, if fitted into a plain IEEE 802.3 network, this would not work
  3. Looking at the frame (see image), one can deduce that
    1. Destination is broadcast
    2. It is compatible with a standard Ethernet frame
    3. There are 7 commands
    4. The commands do
      • APRD: Auto Increment Read. A slave increments the address. A slave writes the data it has read to the EtherCAT datagram if the address received is zero.
      • BRD: Broadcast Read. All slaves write a logical OR of the data from the memory area and the data from the EtherCAT datagram to the EtherCAT datagram. All slaves increment the Position field.
      • APWR: Auto Increment Read Write. A slave writes the data it has read to the EtherCAT datagram and writes the newly acquired data to the same memory area if the received address is zero.

Exercise 6: Wireless solutions, which one is best

In the course, we briefly touched upon Zigbee and WirelessHART. However, no statement was made as to which one is best suited for which situation - in the OT context. Read the following papers to build your own opinion:

Which one, according to the papers, is best? In all circumstances?

Solution

Exercise 7: EtherCAT: calculating transfer time

Knowing that EtherCAT supports the speeds 100 Mb/s, 1 Gb/s and 10 Gb/s, define a function that allows you to compute the transfer time (round-trip) given the following parameters:

  • the speed of the interface
  • Master Software Processing Time (how long it takes for the master software to process the frames - normally a few microseconds)
  • the number of slaves in the chain (typical propagation time 1 microsecond/slave)
  • the amount of process data (this will most affect the overall communication time. You are not limited to the size of a maximum Ethernet packet for your EtherCAT process data. Still, crossing this value will result in multiple cyclic frames being sent, which will add some bytes of overhead)
Solution

The computed round-trip time, using the above-mentioned parameters, is given below (data size in bytes, interface speed in Gb/s, master processing time in µs, result in ms; the factor 1000 converts seconds to milliseconds):

RTT_ms = 1000 × [ data_size_bytes / (speed_Gbps × 10^9 / 8) + number_of_slaves × master_processing_time_µs × 10^-6 + number_of_slaves × 10^-6 ]
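The function asked for in the exercise, as an added Python example (not part of the original page): it implements the formula above and, as an assumption the page leaves open, models the overhead of extra cyclic frames as a fixed number of wire bytes per frame.

```python
import math

# EtherCAT speeds named in the exercise, in Gb/s
SUPPORTED_SPEEDS_GBPS = (0.1, 1.0, 10.0)

ETHERNET_MAX_PAYLOAD = 1500   # bytes a standard Ethernet frame can carry
ETHERCAT_FRAME_HEADER = 2     # bytes: EtherCAT frame header in front of the datagrams
# Assumption (not from the page): per-frame wire overhead when more than one
# cyclic frame is needed: preamble+SFD 8 + Ethernet header 14 + FCS 4 + IFG 12.
FRAME_OVERHEAD_BYTES = 38


def frames_needed(process_data_bytes: int) -> int:
    """Number of cyclic frames needed to carry the process data."""
    per_frame = ETHERNET_MAX_PAYLOAD - ETHERCAT_FRAME_HEADER
    return max(1, math.ceil(process_data_bytes / per_frame))


def ethercat_rtt_ms(speed_gbps: float, master_processing_us: float,
                    n_slaves: int, process_data_bytes: int,
                    include_frame_overhead: bool = False) -> float:
    """Round-trip time in milliseconds, following the formula of the solution:
    transmission time of the process data on the wire
    + n_slaves * master processing time
    + n_slaves * 1 us propagation per slave."""
    if speed_gbps not in SUPPORTED_SPEEDS_GBPS:
        raise ValueError(f"unsupported EtherCAT speed: {speed_gbps} Gb/s")
    if n_slaves < 0 or process_data_bytes < 0 or master_processing_us < 0:
        raise ValueError("parameters must not be negative")

    wire_bytes = process_data_bytes
    if include_frame_overhead:
        # each cyclic frame adds its own framing bytes on top of the data
        wire_bytes += frames_needed(process_data_bytes) * FRAME_OVERHEAD_BYTES

    bytes_per_second = speed_gbps * 1e9 / 8
    transmission_s = wire_bytes / bytes_per_second
    master_s = n_slaves * master_processing_us * 1e-6
    propagation_s = n_slaves * 1e-6
    return (transmission_s + master_s + propagation_s) * 1000


if __name__ == "__main__":
    # 100 Mb/s link, 5 us master processing, 10 slaves, 100 bytes of process data
    print(f"{ethercat_rtt_ms(0.1, 5, 10, 100):.4f} ms")
    # same parameters on 1 Gb/s with 3000 bytes (needs 3 cyclic frames)
    print(f"{ethercat_rtt_ms(1.0, 5, 10, 3000, True):.4f} ms")
```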

Exercise 8: MPLS

Given the following pcap file, can you describe

  1. how many labels there are
  2. what protocol the frames are transporting?
Solution
  1. 2 labels (18 and 16 - outer and inner respectively)
  2. telnet

Exercise 9: Zero Trust

Can you give 1 example each of Zero Trust Behavioral and Hybrid policies?

Solution
  1. Jack normally accesses SAP from his laptop between 7.23 and 17.25 and his location is either the office or his home. As a result, all accesses before 07.00 and later than 18.30, as well as from other locations, will not be granted.
  2. Jane can access the HR intranet site, where arrivals and departures are published, from within the company network from her laptop. Alternatively, with the use of a VPN for as long as she is connecting from within a DACH country.
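The two policies of the solution expressed as a small policy decision function, as an added Python example (not part of the original page); the request fields, the device identifiers and the helper names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

DACH = {"DE", "AT", "CH"}


@dataclass
class AccessRequest:
    user: str
    resource: str
    device: str                 # assumed device identifier, e.g. "laptop-jack"
    location: str               # "office", "home", or any other place
    country: str                # ISO country code of the source
    on_company_network: bool    # connected from inside the company network
    via_vpn: bool               # connected through the company VPN
    when: datetime


def request_at(hour: int, minute: int, **fields) -> AccessRequest:
    """Build a request at a given time of day (the date does not matter here)."""
    return AccessRequest(when=datetime(2024, 1, 15, hour, minute), **fields)


# Behavioural policy for Jack (solution 1): observed baseline 07:23-17:25 from
# office or home, enforced with the tolerance window 07:00-18:30.
JACK_ALLOWED_WINDOW = (time(7, 0), time(18, 30))
JACK_ALLOWED_LOCATIONS = {"office", "home"}


def behavioural_policy(req: AccessRequest) -> bool:
    if req.user != "jack" or req.resource != "SAP" or req.device != "laptop-jack":
        return False                       # policy only covers Jack's SAP access
    start, end = JACK_ALLOWED_WINDOW
    if not (start <= req.when.time() <= end):
        return False                       # outside the observed behaviour
    return req.location in JACK_ALLOWED_LOCATIONS


# Hybrid policy for Jane (solution 2): network position, or VPN plus country attribute.
def hybrid_policy(req: AccessRequest) -> bool:
    if req.user != "jane" or req.resource != "HR intranet" or req.device != "laptop-jane":
        return False
    if req.on_company_network:
        return True                        # inside the company network from her laptop
    return req.via_vpn and req.country in DACH


def decide(req: AccessRequest) -> str:
    """Policy decision point: deny by default unless the resource's policy grants access."""
    policies = {"SAP": behavioural_policy, "HR intranet": hybrid_policy}
    policy = policies.get(req.resource)
    return "grant" if policy is not None and policy(req) else "deny"
```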

Exercise 10: Zero Trust in Electric Operations Technology

The North American Electric Reliability Corporation has published a White Paper titled “Zero Trust Security for Electric Operations Technology” (here or here).

Can you list:

  • the benefits
  • the challenges
  • the recommendations
  • what the stance about IPS is
  • any other salient point you have identified?
Solution
  • Benefits

    • Zero Trust (ZT) offers the electric industry a clear direction forward for continual improvement in securing critical infrastructure against emerging threats to Operational Technology (OT), such as ransomware and industrial control system (ICS) malware tools like Pipedream.
    • ZT aims to strengthen security with controls that are better able to detect, mitigate, or prevent threats like ransomware and pivoting attacks.
    • ZT is a paradigm shift that builds upon and enhances existing cybersecurity controls and capabilities.
    • Security policy enforcement becomes data-centric (focused on what data requires protection) instead of network-centric or device-centric.
    • The emphasis shifts to entity identity and context over location within a network perimeter.
  • Challenges

    • OT networks and legacy devices may create constraints that necessitate hybrid approaches to ZT implementation.
    • Smaller utilities must be cautious about advancing too quickly, as it could lead to an excessive administrative or technological burden without appropriately evolving their governance processes and support staff to achieve ZT maturity.
    • Successful transition with minimal disruption requires research and testing.
    • Developing a ZT environment in the OT space will take time and deliberate action.
    • Stakeholder buy-in and executive support at the highest levels are essential for success.
  • Recommendations

    • Entities should invest in staff training for Zero Trust.
    • Organizations should develop OT security programs and design roadmaps based on a ZT maturity model.
    • ZT Architecture (ZTA) should be incorporated incrementally and through a thoughtful implementation process.
    • Implementation should be done in collaboration with OT integrators and vendors.
    • Entities are encouraged to stage rollouts of ZTA starting with Information Technology (IT) networks and Demilitarized Zones (DMZ) to build familiarity with the complexities, challenges, and impacts before implementing in the OT space.
    • Entities may explore implementing Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) to support ZT practices. ABAC offers more complexity and automated control, while RBAC is easier to implement but offers less granular controls.
    • Requiring out-of-band approval for system management access is a recommended best practice to prevent an attacker from approving elevated access on an infiltrated node.
    • Public Key Infrastructure (PKI) can be used to support identity and access management controls by providing a framework for secure authentication, authorization, and encryption.
    • Government can assist by providing tax incentives for infrastructure investments, grants for industry organizations promoting cybersecurity, and funding to help smaller entities move towards a more defensible electric infrastructure.
    • Organizations should assess the value of ZT to their IT and OT security programs and develop a roadmap to mature technology and controls towards ZTA, with an emphasis on realistic timelines and resources.
    • Industry needs to continue to develop equipment and software, as well as people, processes, policies, and governance capable of delivering on ZT principles.
    • Advanced applications (like real-time contingency applications) and support applications (like historians), as well as engineering access, offer likely paths for testing ZT implementations.
    • Collaboration and mutual assistance through memberships in various organizational groups are encouraged.
  • Stance on IPS

    • Concerning Intrusion Prevention Systems (IPS), there is a clear statement indicating:

      Products and tools designed for OT may lean towards improving detective capabilities over prevention to enable compatibility with sensitive OT requirements and legacy assets. However, limitations can still arise, and hybrid design approaches may represent an optimal solution.

  • Other Salient Points Identified

    • Zero Trust is a collection of concepts, not a single product or tool on the marketplace that provides a complete ZTA.
    • ZT builds upon and enhances historical controls and perimeter-based security models, rather than tearing them down.
    • Trust should not be automatically granted based on a device being on an enterprise network infrastructure; requests originating from anywhere, including within the network, should receive the same security scrutiny.
    • All communication should be done in a secure manner, protecting confidentiality and integrity and providing source authentication.
    • Some organizations may already have existing infrastructure and controls that qualify as components of a ZTA.
    • The paper focuses specifically on the implementation considerations in the OT environment for the electric industry.
    • The paper leverages the concepts of ZT maturity models for varying levels of implementation.
    • Maturing towards ZTA is crucial for ensuring the resilience of the Bulk Power System (BPS) against cyber threats and protecting the critical function of providing secure and reliable electricity.

Exercise 11: OPC UA - Security Assessment

The BSI (Bundesamt für Sicherheit in der Informationstechnik) did an analysis of the security of OPC UA in 2021. Please read the report (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/OPCUA/OPCUA_2022_EN.html) and respond to the following questions :

  1. Were significant security flaws identified?
  2. How many security modes does the model offer? How do they fare in the BSI analysis?
  3. What were the criticized elements of the state of the art analysis?
Solution

Here are the responses:

  1. No.
  2. 3 (None, Sign and SignAndEncrypt). The results can be seen below
  3. See chapter 3.2

Exercise 12: Implement your own OPC UA

We have seen in theory how OPC UA can support interoperability and programmability in OT. How challenging is it to implement a real one though?

Go ahead and implement one on your own!

Here is a skeleton for you in Python (though you can use other programming languages and different libraries):

OPC UA Server

from opcua import Server, ua
import time
import logging
from enviro import Settings
from datetime import datetime

# Create a dedicated logger
logger = logging.getLogger('opcua_server')
logger.setLevel(logging.INFO)

# Create console handler and set level to info
ch = logging.StreamHandler()
ch.setLevel(logging.INFO)

# Create formatter
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')

# Add formatter to ch
ch.setFormatter(formatter)

# Add ch to logger
logger.addHandler(ch)

# Create the OPC UA server
server = Server()
server_url = Settings.server_url
server.set_endpoint(server_url)
namespace = server.register_namespace(Settings.service_name)

# Populate own nodes
node = server.get_objects_node()
param = node.add_object(namespace, "Sensors")
var = param.add_variable(namespace, "Temperature",0.0, ua.VariantType.Float)
var.set_writable()

# Start server
server.start()
logger.info("OPC UA Server Started")
print("Press Ctrl-C to Stop Program")
try:
    while True:
        now = datetime.now()
        current_time = now.strftime("%H:%M:%S")
        logger.info(f"OPC UA Server Running {current_time}")
        value = var.get_value()
        logger.info(f"Current Value: {value}")
        time.sleep(1)
except KeyboardInterrupt:
    pass
server.stop()
print("OPC UA Server Stopped")

OPC UA client - a writer and a GUI

The writer

The following client writes to the same temperature node as defined by the server with a cadence of 10 seconds. The values written are random numbers within the 18-32 °C range.

from opcua import Client, ua
import time
import random
import logging
from enviro import Settings

# Create a dedicated logger
logger = logging.getLogger('opcua_cont_client')
logger.setLevel(logging.INFO)

# Create console handler and set level to info
ch = logging.StreamHandler()
ch.setLevel(logging.INFO)

# Create formatter
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')

# Add formatter to ch
ch.setFormatter(formatter)

# Add ch to logger
logger.addHandler(ch)

# Address of the OPC UA server
url = Settings.server_url
client = Client(url)
client.connect()

# Get the node to write data to (browse path from the Objects folder;
# namespace index 2 is the one registered by the server)
root = client.get_root_node()
node = root.get_child(["0:Objects", "2:Sensors", "2:Temperature"])

logger.info("OPC UA Client Connected")
print("Press Ctrl-C to Stop Program")
try:
    while True:
        value = float(random.randint(18, 32))
        logger.info(f"Generated value: {value}")
        # Write explicitly as Float to match the variant type declared by the server
        node.set_value(value, ua.VariantType.Float)
        time.sleep(10)
except KeyboardInterrupt:
    pass
client.disconnect()
logger.info("OPC UA Client Disconnected and Program Stopped")

The GUI

To use a GUI client like the one below, you can simply follow the steps indicated under https://github.com/FreeOpcUa/opcua-client-gui.

Warning

PyQt5 is needed to make this work! Make sure to follow the instructions correctly.

Environment settings

The settings used for running the server are:

class Settings:
    server_url: str = "opc.tcp://127.0.0.1:4840"
    service_name: str = "https://secindopt.github.io/"
    service_node: str = "MyDevice"

Feel free to adapt them to your liking/environment!

Note

The python requirements to run the above can be found in requirements.txt.

Solution

This is not a question as such - it only asks you to implement the client/server listed above.

Exercise 13: Secure your own OPC UA

Now that you have your own (simple) OPC UA, can you harden it? Describe how, using your own keys, you can use the SignAndEncrypt mode. Obviously, implement it to ensure everything runs smoothly and describe the steps necessary for it.

Solution

See Exercise 3: Implement a securely communicating OPC UA Server.