Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30
The result's identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26230%2F17%3APU126449" target="_blank" >RIV/00216305:26230/17:PU126449 - isvavai.cz</a>
Result on the web
<a href="http://www.sciencedirect.com/science/article/pii/S1742287617301925" target="_blank" >http://www.sciencedirect.com/science/article/pii/S1742287617301925</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1016/j.diin.2017.06.005" target="_blank" >10.1016/j.diin.2017.06.005</a>
Alternative languages
Result language
angličtina
Original language name
Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30
Original language description
Programmable Logic Controllers (PLCs) are common components implemented across many industries such as manufacturing, water management, travel, aerospace and hospitals to name a few. Given their broad deployment in critical systems, they became and still are a common target for cyber attacks; the most prominent one being Stuxnet. Often PLCs (especially older ones) are only protected by an outer line of defense (e.g., a firewall) but once an attacker gains access to the system or the network, there might not be any other defense layers. In this scenario, a forensic investigator should not rely on the existing software as it might have been compromised. Therefore, we reverse engineered the GE-SRTP network protocol using a GE Fanuc Series 90-30 PLC and provide two major contributions: We first describe the Service Request Transport protocol (GE-SRTP) which was invented by General Electric (GE) and is used by many of their Ethernet connected controllers. Note, to the best of our knowledge, prior to this work, no publicly available documentation on the protocol was available affording users' security by obscurity. Second, based on our understanding of the protocol, we implemented a software application that allows direct network-based communication with the PLC (no intermediate server is needed). While the tool's forensic mode is harmless and only allows for reading registers, we discovered that one can manipulate/write to the registers in its default configuration, e.g., turn off the PLC, or manipulate the items/processes it controls.
Czech name
—
Czech description
—
Classification
Type
J<sub>imp</sub> - Article in a specialist periodical, which is included in the Web of Science database
CEP classification
—
OECD FORD branch
10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)
Result continuities
Project
<a href="/en/project/VG20102015022" target="_blank" >VG20102015022: Modern tools for detection and mitigation of cyber criminality on the New Generation Internet</a><br>
Continuities
P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)
Others
Publication year
2017
Confidentiality
S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů
Data specific for result type
Name of the periodical
Digital Investigation
ISSN
1742-2876
e-ISSN
1873-202X
Volume of the periodical
2017
Issue of the periodical within the volume
22
Country of publishing house
NL - THE KINGDOM OF THE NETHERLANDS
Number of pages
13
Pages from-to
26-38
UT code for WoS article
000407728500004
EID of the result in the Scopus database
2-s2.0-85026746386