Publication Details
Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30
BAGGILI Ibrahim, BREITINGER Frank and KARPÍŠEK Filip. Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30. Digital Investigation, vol. 2017, no. 22, pp. 26-38. ISSN 1742-2876. Available from: http://www.sciencedirect.com/science/article/pii/S1742287617301925
Czech title
Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30
Type
journal article
Language
english
Authors
Baggili Ibrahim (University of New Haven)
Breitinger Frank (University of New Haven)
Karpíšek Filip, Ing. (DIFS FIT BUT)
URL
Keywords
GE Fanuc Series 90-30, Live memory acquisition, GE-SRTP protocol, SCADA, PLC
Abstract
Programmable Logic Controllers (PLCs) are common components deployed across many industries such as manufacturing, water management, travel, aerospace and hospitals, to name a few. Given their broad deployment in critical systems, they became and still are a common target for cyber attacks, the most prominent one being Stuxnet. Often PLCs (especially older ones) are protected only by an outer line of defense (e.g., a firewall), but once an attacker gains access to the system or the network, there might not be any other defense layers. In this scenario, a forensic investigator should not rely on the existing software, as it might have been compromised. Therefore, we reverse engineered the GE-SRTP network protocol using a GE Fanuc Series 90-30 PLC and provide two major contributions. We first describe the Service Request Transport protocol (GE-SRTP), which was invented by General Electric (GE) and is used by many of their Ethernet-connected controllers. Note that, to the best of our knowledge, no public documentation of the protocol was available prior to this work, affording users only security by obscurity. Second, based on our understanding of the protocol, we implemented a software application that allows direct network-based communication with the PLC (no intermediate server is needed). While the tool's forensic mode is harmless and only allows for reading registers, we discovered that one can manipulate/write to the registers in the PLC's default configuration, e.g., turn off the PLC or manipulate the items/processes it controls.
Published
2017
Pages
26-38
Journal
Digital Investigation, vol. 2017, no. 22, ISSN 1742-2876
Publisher
Elsevier Science
DOI
10.1016/j.diin.2017.06.005
BibTeX
@ARTICLE{FITPUB11520, author = "Ibrahim Baggili and Frank Breitinger and Filip Karp\'{i}\v{s}ek", title = "Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30", pages = "26--38", journal = "Digital Investigation", volume = 2017, number = 22, year = 2017, ISSN = "1742-2876", doi = "10.1016/j.diin.2017.06.005", language = "english", url = "https://www.fit.vut.cz/research/publication/11520" }
Files