Distributed network protocol 3.0 (DNP3) is the second most-widely used serial communications protocol in industrial control systems (ICS), after Modbus. As EPRI (Electric Power Research Institute) mentioned in a 2019 technical update: “it is the most widely used utility communications protocol in North America” and is used to enable communication between components in process automation systems.
It is used in supervisory control and data acquisition (SCADA) systems for data acquisition equipment to communicate with control equipment. It was originally built for the electrical grid but is now also used for oil and gas, water and sewage, transportation, and more. DNP3 empowers operators to track device levels such as current, voltage, alarm status, device control or breaker status in order to detect any issue arising. The protocol was developed in 1993 with no built-in security (no authentication nor encryption) and with the common set of function codes and data types, making it an attack vector of interest for hackers to plan spoofing or eavesdropping attacks.
In terms of cybersecurity for operation technology (OT) networks, people tend to focus on the transmission control protocol/internet protocol (TCP/IP) level because that’s what most commercial solutions offer. In the past, it was easier to just ignore serial communications security because there was no way to safely or securely identify what was happening at the lower level since data being polled from SCADA was often from TCP/IP connected devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs). Recent attacks on critical energy have underscored the importance of re-examining utility cybersecurity – an important aspect of this effort are the DNP3-connected devices widely used across the utility sector.
The problem we face with digital transformation is all assets are being connected to the internet. This means nothing is fully secure and if an adversary gains access to any part of a network, they can traverse into more critical operations and cause significant downtime, damage assets or even become a threat to human safety. Following the recent attacks on the water supply chain in Oldsmar, Florida and now Colonial Pipeline, we need to improve our cybersecurity posture regarding critical infrastructure.
According to reports, Colonial Pipeline did not need to take their system offline but could have done so as a precaution if their IT/OT systems are inter-connected. In this scenario, the ransomware attack targeted the IT side but could have pivoted to the pipeline operations on the OT side. Can we be sure that once Mandiant/FireEye have concluded their investigation, the attackers no longer have a foothold in the network? It is known that hackers like to stay in systems they worked so hard to get control of.
One step to improve cybersecurity for critical systems that rely on legacy controls is to monitor serial communications, level 0/1 of the Purdue Model, to help with early detection. It is one way to detect an attack if a system is already compromised.
Those communications at the lower level can be trusted to carry reliable, untouched data because that is where the physical devices are communicating, rather than at the Level 2 and above where the data could have been altered. That data could show the direct communication between a PLC and a breaker, such as directing it to open or close that breaker. If you are monitoring it, it is possible that a bad actor has already modified it; meaning it is not representative of what is happening at the physical process level.
For example, Stuxnet carried out a false feedback attack on an human-machine interface (HMI) that targeted the nuclear program in Iran. It is a computer worm that targeted PLCs and ordered the centrifuges to run at a faster pace than normal. However, because the feedback to the HMI was falsified, the operators observed normal traffic and were not able to see how fast they were running.
Another example is the BlackEnergy attack on the Ukrainian power grid in December 2015. The attacker took control of the HMI, switched off breakers and changed the password so the operator wouldn’t be able to log in. This caused over 230,000 people to lose electricity for up to 6 hours. The operators had to control the breakers manually to restore power. In the US, many power grid control systems don’t have manual backups, which would make it even more challenging to restore service in such a situation.
Critical infrastructure has become a big target and we realize more and more how insecure it is by the day. The SolarWinds and Microsoft hacks have also proven, yet again, we are not prepared to defend ourselves against such threats. SolarWinds infected many companies but “has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries.”
We are far from being cyber-secure and need to upgrade our cyber practices to fight the increasing number of attacks we face today. Those attacks are become more and more harmful and a threat to human safety. We should update cybersecurity procedures towards new options that can help close the loop to monitor and protect all levels of the Purdue model to be more secure, without ignoring the lower levels.
As seen with SolarWinds, many organizations are already compromised, and attackers are lurking in networks while planning an attack. Even after an attack, there is always a possibility that hackers may stay in the environment to steal more files, read e-mails or even plan another attack. Do not assume the system is safe because any system could be targeted. To be secure, at a minimum, users should monitor what is happening in the network as much as possible in order to detect such stealthy compromises. It’s not a guarantee of anything, but it will provide some comfort.