Dissecting Industrial Control Systems Protocol for Deep Packet Inspection

Abstract - The nation's critical infrastructures, such as those found in industrial control systems (ICS), are increasingly at risk and vulnerable to internal and external threats. One of the traditional ways of controlling external threats is through a network device called a firewall. However, given that the payload for controlling the ICS is usually encapsulated in other protocols, the tendency is for the firewall to allow packets that appear to be innocuous. These seemingly harmless packets can be carriers for sinister attacks that are buried deep in the payload. The purpose of this paper is to present the different ICS protocol header signatures for the purpose of devising deep packet inspection strategies that can be implemented in network firewalls.

Keywords: Industrial Control Systems (ICS), Network Protocols, Deep Packet Inspection, Firewall, Intrusion Prevention, SCADA.

1 Introduction

The nation's critical infrastructures, such as those found in industrial control systems (ICS), are increasingly at risk and vulnerable to internal and external threats. One of the traditional ways of controlling external threats is through a network device called a firewall. However, given that the payload for controlling the ICS is usually encapsulated in other protocols, the tendency is for the firewall to allow packets that appear to be innocuous. These seemingly harmless packets can be carriers for sinister attacks that are buried deep in the payload. Thus, defense-in-depth techniques, such as Deep Packet Inspection (DPI), are needed to counter these potentially damaging activities. Our goal is to provide the reader with a deeper understanding of ICS protocol packets, which could be useful in packet analysis and in the development of tools for DPI.

The rest of the paper is organized into four parts. First, we present a review of industrial control system protocols and a detailed depiction of their network frames. Second, we cover various devices and systems for network packet filtering. In the third section, we illustrate packet dissection by analyzing a handful of industrial network protocol packets that were captured by an open source network packet analysis tool. Finally, we conclude our paper by presenting possible research avenues that can be pursued as extensions to this seminal work.

2 Industrial Control System Protocols

Industrial control system protocols range from wired to wireless. Wired protocols include EtherNet/IP, Modbus, Modbus/TCP, Distributed Network Protocol version 3 (DNP3), PROFIBUS, CANopen, and DeviceNet. The wireless variety includes WirelessHART, 802.15 (Bluetooth), 802.16 (Broadband) and Zigbee. Some of these protocols are briefly described in the following subsections.

2.1 DNP3

The Distributed Network Protocol Version 3 (DNP 3.0) is a protocol standard that defines communications between Remote Terminal Units (RTUs), master stations, and Intelligent Electronic Devices (IEDs). It was originally a proprietary model developed by the Harris Controls Division and designed for SCADA systems. DNP 3.0 is an open protocol standard and is an accepted standard in the electric, oil & gas, waste/water, and security industries [Clarke, Reynders, & Wright, 2004].

DNP 3.0 is a four-layer subset of the OSI seven-layer model. The layers are the application, data link, physical, and pseudo-transport layers. The pseudo-transport layer includes routing, flow control of data packets, and transport functions such as error correction and the disassembly and assembly of packets. The transport layer takes an APDU (application protocol data unit) from the application layer and breaks it down into smaller units, TPDUs (transport protocol data units), each of which consists of a one-byte header followed by a maximum of 249 bytes of data. The header contains a bit that identifies the start of the sequence of TPDU frames and another bit that identifies the end. Following these two bits is a six-bit sequence counter. The Link Protocol Data Unit (LPDU), also known as the "DNP3 Frame", has a maximum length of 292 bytes [Clarke, Reynders, & Wright, 2004]. The DNP3 link layer frame is shown in Figure 1.
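As an added example that is not code from the paper, the following Python parser implements the DNP3 link-layer frame described above and drawn in Figure 1: it checks the 0x05 0x64 sync bytes and the LENGTH field, verifies the header CRC and the CRC that follows each 16-byte block of user data, and decodes the transport header's start/end bits and six-bit sequence counter. The CRC-16/DNP polynomial (0x3D65, reflected, final XOR 0xFFFF) and the CRC-per-block layout come from the DNP3 specification rather than from the paper; the station addresses, control byte and data in the sample frame are constructed for the example.

```python
"""DNP3 link-layer frame parser with CRC-16/DNP verification.

Added example, not code from the paper. Layout follows the section above and
Figure 1: 0x05 0x64 sync, LENGTH, LINK CONTROL, DESTINATION, SOURCE, header
CRC, then user data in 16-byte blocks, each followed by its own CRC. The first
user-data byte is the transport header (FIN bit 7, FIR bit 6, 6-bit sequence).
All sample frames below are constructed here.
"""
import struct

SYNC = b"\x05\x64"
MAX_USER_DATA = 250          # 10 header + 250 data + 32 CRC bytes = 292-byte frame
CRC_POLY_REFLECTED = 0xA6BC  # DNP polynomial 0x3D65, bit-reversed


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, reflected, init 0x0000, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a valid frame; used here only to construct sample input."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds 250 bytes")
    # LENGTH counts control + dest + src + user data; CRC bytes are excluded.
    header = SYNC + struct.pack("<BBHH", 5 + len(user_data), control, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_frame(frame: bytes) -> dict:
    """Check sync, LENGTH and every CRC, then decode link and transport headers."""
    if len(frame) < 10 or frame[:2] != SYNC:
        raise ValueError("bad sync or truncated header")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    if not 5 <= length <= 5 + MAX_USER_DATA:
        raise ValueError("LENGTH out of range")
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    user_len, pos, user_data = length - 5, 10, b""
    while len(user_data) < user_len:
        n = min(16, user_len - len(user_data))
        if pos + n + 2 > len(frame):
            raise ValueError("frame truncated inside a data block")
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc16_dnp(block):
            raise ValueError("data block CRC mismatch")
        user_data, pos = user_data + block, pos + n + 2
    if pos != len(frame):
        raise ValueError("trailing bytes after frame")
    fields = {
        "dir": bool(control & 0x80), "prm": bool(control & 0x40),
        "link_function": control & 0x0F, "dest": dest, "src": src,
    }
    if user_data:  # the transport header precedes the APDU fragment
        th = user_data[0]
        fields["transport"] = {"fin": bool(th & 0x80), "fir": bool(th & 0x40), "seq": th & 0x3F}
        fields["apdu_fragment"] = user_data[1:]
    return fields


def is_valid_frame(frame: bytes) -> bool:
    """Accept/reject wrapper of the kind a DPI filter would call first."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample: primary station 1024 -> outstation 1, unconfirmed user
# data (link function 4), transport header FIR|FIN with sequence 0, 20-byte APDU.
SAMPLE_FRAME = build_frame(0xC4, 0x0001, 0x0400, bytes([0xC0]) + bytes(range(20)))
# The same frame with one byte inside the first data block flipped.
CORRUPT_FRAME = bytearray(SAMPLE_FRAME)
CORRUPT_FRAME[12] ^= 0xFF
CORRUPT_FRAME = bytes(CORRUPT_FRAME)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

A filter built on this rejects a frame before looking at the application layer whenever the LENGTH field, the per-block CRCs or the frame boundary disagree, which is the cheap, protocol-aware sanity check that a port-only firewall rule cannot make.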
Figure 1. The DNP3 Link Layer Frame
HEADER: SYNC | LENGTH | LINK CONTROL | DESTINATION ADDRESS | SOURCE ADDRESS | CRC
DATA SECTION

2.2 CAN

Controller area network (CAN) protocols operate at the physical and the data link layer of the OSI model. The protocol supports at most 110 nodes on a half-duplex network and is based on the Ethernet Carrier Sense Multiple Access with Collision Detection (CSMA/CD) model. Because the specific transmission times across the network cannot be guaranteed, CAN provides transmission priorities using arbitration on message priority (AMP) with CSMA/CD to compensate for this issue [Krutz, 2006].

The CSMA/CD + AMP scheme allows a priority rating to be included in a message. The identifier in the message, which has a length of 11 bits, determines the message's priority. A CAN data frame consists of a start of frame, an arbitration field, a control field, a data field, a CRC field, an ACK field, and an end of frame field [CAN in Automation, 2013].

Figure 2. A Standard CAN Data Frame
SOF | Arbitration | RTR | IDE | res | Data Length Code | Data | CRC | ACK | EOF

In the standard CAN data frame depicted in Figure 2, SOF is the start of frame, followed by the 11-bit Arbitration field, a 1-bit Remote Transmission Request (RTR), a 1-bit Identifier Extension (IDE), a 1-bit reserve flag, a 4-bit Data Length Code (DLC), a 0-8 byte Data payload, a 15-bit Cyclic Redundancy Check (CRC), a 1-bit CRC delimiter, a 2-bit Acknowledgement (ACK) field (the first bit for the slot and the second bit for the delimiter), and finally, the seven "recessive" bits called the End of Frame (EOF). In data communication, a "recessive" bit has the logical value 1.

2.3 Modbus

Perhaps the most widely deployed ICS protocol is Modbus. It is based on the master/slave principle, where transactions can be of a query/response type, in which only a single slave is addressed, or of a broadcast/no-response type, in which all slaves are addressed. Data in transmission can be of two modes: American Standard Code for Information Interchange (ASCII) or Remote Terminal Unit (RTU). The selected mode defines the bit contents of the message fields, which are transmitted serially, and determines how the data will be packed and decoded [Modicon, 2000].

The functions which the Modbus protocol supports are listed below [Clarke, Reynders, & Wright, 2004]:
• Coil control commands for reading and setting a single coil or a group of coils
• Input control commands for reading the input status of a group of inputs
• Register control commands for reading and setting one or more holding registers
• Diagnostic tests and report functions
• Program functions
• Polling control functions
• Reset

The Modbus protocol specifies the Protocol Data Unit (PDU), which is comprised of the function code and the data field, and is independent of the underlying communication layers. Additional fields such as the address and error-check fields augment the PDU to complete the Application Data Unit (ADU) [Modbus.org, 2012]. The generic Modbus frame (ADU) is depicted in Figure 3.

Figure 3. Generic Modbus Frame
Address | Function Code | Data | Error-Check

The single-octet Address field identifies the controller/device to which the request/response is being directed. The single-octet function code can be any code from one of these three categories: Public, User-defined, and Reserved function codes. The data field contains the information that is being requested, the exception code, or the information, such as the addresses and number of registers, that is being passed to the server. The Error-Check field contains the Longitudinal Redundancy Check (LRC) information for the ASCII mode and, for the RTU mode, the Cyclic Redundancy Check (CRC) information.

2.4 Modbus TCP

The Modbus organization, Modbus.org, extended the Modbus protocol to work over the Transmission Control Protocol (TCP) by encapsulating the Modbus PDU in the Modbus TCP ADU [Thomas, 2008]. This protocol is registered to utilize port 502 and is realized by augmenting the standard Modbus PDU with a Modbus Application Protocol (MBAP) header as shown in Figure 4.

Figure 4. Modbus TCP ADU
MBAP Header (TID | PID | Len | UID) | Function Code | Data
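As an added example that is not part of the paper, the following Python shows the Error-Check field of Figure 3 being validated in both serial modes (CRC-16 for RTU, LRC for ASCII) and the MBAP header of Figure 4 being checked before a function-code decision is made. The field widths and constants (the 0x8005 RTU polynomial in its reflected 0xA001 form with initial value 0xFFFF, the two's-complement LRC, the big-endian TID/PID/Len/UID header with protocol identifier 0) come from the Modbus.org specifications the paper cites; the allow-list policy, which mirrors the intent of the iptables rules quoted in Section 3.1, and the sample ADUs are this example's own construction.

```python
"""Modbus ADU checks: serial RTU CRC / ASCII LRC and the Modbus/TCP MBAP header.

Added example, not code from the paper. RTU frames end in CRC-16/MODBUS
(polynomial 0x8005, reflected form 0xA001, init 0xFFFF, sent low byte first);
ASCII frames are ':' + hex + LRC + CRLF, the LRC being the two's complement of
the byte sum; the MBAP header is TID(2) PID(2) Len(2) UID(1), big-endian, PID 0
for Modbus, with Len counting UID plus PDU. Sample messages are constructed here.
"""
import struct

MODBUS_PROTOCOL_ID = 0
MAX_TCP_ADU = 260  # 7-byte MBAP + 253-byte PDU


def crc16_modbus(data: bytes) -> int:
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def lrc(data: bytes) -> int:
    return (-sum(data)) & 0xFF


def parse_rtu_adu(adu: bytes) -> dict:
    """Address | Function | Data | CRC lo, hi  (Figure 3, RTU mode)."""
    if len(adu) < 4:
        raise ValueError("RTU ADU too short")
    body, crc = adu[:-2], struct.unpack("<H", adu[-2:])[0]
    if crc != crc16_modbus(body):
        raise ValueError("RTU CRC mismatch")
    return {"address": body[0], "function": body[1], "data": body[2:]}


def build_ascii_adu(body: bytes) -> bytes:
    """':' + hex(Address | Function | Data | LRC) + CRLF  (Figure 3, ASCII mode)."""
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode("ascii") + b"\r\n"


def parse_ascii_adu(line: bytes) -> dict:
    if not (line.startswith(b":") and line.endswith(b"\r\n")):
        raise ValueError("ASCII framing error")
    raw = bytes.fromhex(line[1:-2].decode("ascii"))
    if len(raw) < 3 or lrc(raw[:-1]) != raw[-1]:
        raise ValueError("ASCII LRC mismatch")
    return {"address": raw[0], "function": raw[1], "data": raw[2:-1]}


def parse_modbus_tcp_adu(adu: bytes) -> dict:
    """MBAP header (TID, PID, Len, UID) followed by the PDU (Figure 4)."""
    if len(adu) < 8 or len(adu) > MAX_TCP_ADU:
        raise ValueError("ADU length outside MBAP+PDU bounds")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:7])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError("protocol identifier is not Modbus")
    if length != len(adu) - 6:  # Len covers UID + PDU, i.e. everything after it
        raise ValueError("MBAP Len disagrees with bytes on the wire")
    return {"tid": tid, "uid": uid, "function": adu[7], "data": adu[8:]}


# Allow-list policy: anything not listed is dropped, so function code 8
# (Diagnostics), the target of the first rule in Section 3.1, never passes.
READ_FUNCTIONS = {1, 2, 3, 4}        # read coils, discrete inputs, registers
WRITE_FUNCTIONS = {5, 6, 15, 16}     # write coil(s) / register(s)


def filter_verdict(adu: bytes, allowed: set) -> str:
    """'ACCEPT' or 'DROP' for one Modbus/TCP ADU; malformed ADUs are dropped."""
    try:
        return "ACCEPT" if parse_modbus_tcp_adu(adu)["function"] in allowed else "DROP"
    except ValueError:
        return "DROP"


# Constructed samples: Read Holding Registers (FC 3) from unit 0x11,
# starting register 0x006B, quantity 3, in all three framings.
READ_BODY = bytes([0x11, 0x03, 0x00, 0x6B, 0x00, 0x03])
RTU_READ = READ_BODY + struct.pack("<H", crc16_modbus(READ_BODY))
ASCII_READ = build_ascii_adu(READ_BODY)
TCP_READ = struct.pack(">HHHB", 1, 0, 6, 0x11) + READ_BODY[1:]
TCP_DIAG = struct.pack(">HHHB", 2, 0, 6, 0x11) + bytes([0x08, 0x00, 0x00, 0xA5, 0x37])
TCP_BAD_LEN = struct.pack(">HHHB", 3, 0, 200, 0x11) + READ_BODY[1:]  # Len lies

if __name__ == "__main__":
    for name, adu in (("read", TCP_READ), ("diag", TCP_DIAG), ("bad-len", TCP_BAD_LEN)):
        print(name, filter_verdict(adu, READ_FUNCTIONS | WRITE_FUNCTIONS))
```

Checking that the MBAP Len field agrees with the bytes actually received matters for a DPI filter: a rule that only looks at the function-code byte can be fed an ADU whose header claims one length while the stream carries another, and the parser above drops that case before any policy is consulted.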
The MBAP Header is made up of the following: a two-octet Transaction Identifier (TID), a two-octet Protocol Identifier (PID), a two-octet total length (Len) in bytes of the remaining fields, and an octet indicating the Unit Identifier (UID), which identifies the remote slave connected by a serial line [Modbus.org, 2012b].

2.5 Profibus

Process Fieldbus (Profibus) is an open fieldbus serial network standard, and is mainly used for real-time control applications. The protocol operates on the application, data link, and physical layers of the OSI model. Profibus comes in three forms: Profibus Process Automation (PA), Decentralized Peripherals (DP), and Profibus Fieldbus Message Specification (FMS) [Krutz, 2006].

Profibus Process Automation (PA) uses a common serial bus to connect both data acquisition devices and control devices. This implementation gives this form intrinsic safety and reliability features. This form also provides power to devices through the bus.

Profibus Decentralized Peripherals (DP) provides high-speed communication between Programmable Logic Controllers (PLCs) in a decentralized environment.

The Profibus Fieldbus Message Specification (FMS) supports a large number of applications. It is also used for general automation and for average transmission rates.

The Profibus DP telegram header (11 bytes) and data field (variable length, maximum of 244 bytes) are depicted in Figure 5. The header consists of the start delimiter (SD), the net data length (LE), the length repeated (LEr), destination address (DA), source address (SA), function code (FC), the destination service access point (DSAP), the source service access point (SSAP), the frame checking sequence (FCS), and the end delimiter (ED) [Acromag, 2002].

Figure 5. Profibus-DP (Message) Telegram Structure
Field:  SD | LE | LEr | SD | DA | SA | FC | DSAP | SSAP | DU  | FCS | ED
Octets: 1  | 1  | 1   | 1  | 1  | 1  | 1  | 1    | 1    | Var | 1   | 1

2.6 ControlNet

ControlNet is a token-passing bus control network protocol that is based on the IEEE 802.4 standard. The nodes in the token bus network are configured into a ring topology, and in particular, in ControlNet, each node knows the address of the preceding and succeeding nodes [Lian, Moyne, & Tilbury, 2001]. The ControlNet protocol became a part of the Common Industrial Protocol (CIP) family of protocols in 1997.

The Medium Access Control (MAC) frame format transmitted on ControlNet is shown in Figure 6 [ODVA, 2006]. The transmitted data, which could be as many as 510 bytes, is carried by a series of link packets (LPackets). A link packet can be either a Fixed Tag or a Generic Tag, each of which is shown in Figures 7 and 8, respectively. The Fixed Tag LPackets are used for Unconnected Messaging and network administration, while the Generic Tag LPackets are used for Connected Messaging [ODVA, 2006]. The link data field occupies 506 bytes in the fixed tag and 505 bytes in the generic tag.

Figure 6. ControlNet MAC Frame Format
Preamble | Start Delimiter | Source Address | LPackets (LPacket | LPacket | ... | LPacket) | CRC | End Delimiter

Figure 7. Fixed Tag LPacket Format
Size | Control | Service | Destination Address | Link Data

Figure 8. Generic Tag LPacket Format
Size | Control | Connection ID | Link Data

2.7 EtherNet/IP

Another member of the CIP protocol family is the EtherNet/Industrial Protocol, or EtherNet/IP. This protocol runs over TCP/IP or UDP/IP. TCP/IP uses the reserved port 0xAF12 for transmitting Explicit messages, while UDP/IP uses the reserved port 0x08AE for transmitting I/O messages. A typical Ethernet frame with the encapsulated EtherNet/IP data is shown in Figure 9 [ODVA, 2006].

Figure 9. Ethernet Frame with Encapsulated EtherNet/IP
Ethernet Header | IP Header | TCP or UDP Header | EtherNet/IP Encapsulation Header | EtherNet/IP Encapsulation Data | Ethernet Trailer

The encapsulation header and data fields are shown in Figure 10. The two-octet command (Cmd) field represents various types of commands such as broadcast, session opening and closing, and receiving and sending data for connected and unconnected messaging.
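As an added example that is not code from the paper, the following Python walks the encapsulation chain of Figure 9 in code, from the Ethernet header through IPv4 and TCP or UDP down to the EtherNet/IP encapsulation header fields of Figure 10, rejecting anything whose lengths, ports or header fields do not fit. The header layouts (IPv4 IHL and total length, TCP data offset, UDP length) and the 24-byte little-endian encapsulation header with its command codes are taken from the public IETF and ODVA specifications rather than from the paper; the sample frame, its addresses and its sender context are constructed for the example.

```python
"""Dissecting EtherNet/IP through its encapsulations (Figures 9 and 10).

Added example, not code from the paper. Walks Ethernet -> IPv4 -> TCP/UDP ->
EtherNet/IP using the public header layouts and the ODVA encapsulation header:
Cmd(2) Len(2) Session Handle(4) Status(4) Sender Context(8) Options(4), all
little-endian. The sample frame below is constructed here.
"""
import struct

ENIP_TCP_PORT = 0xAF12  # 44818, explicit messaging
ENIP_UDP_PORT = 0x08AE  # 2222, I/O messaging
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
ENIP_HEADER_LEN = 24
ENIP_COMMANDS = {  # the command kinds the text names, with their ODVA codes
    0x0063: "ListIdentity",       # broadcast discovery
    0x0065: "RegisterSession",    # session opening
    0x0066: "UnRegisterSession",  # session closing
    0x006F: "SendRRData",         # unconnected messaging
    0x0070: "SendUnitData",       # connected messaging
}


def parse_ethernet(frame: bytes):
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return {"dst": frame[:6], "src": frame[6:12],
            "ethertype": struct.unpack("!H", frame[12:14])[0]}, frame[14:]


def parse_ipv4(pkt: bytes):
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total_len, proto = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad IPv4 lengths")
    return {"proto": proto, "src": pkt[12:16], "dst": pkt[16:20]}, pkt[ihl:total_len]


def parse_transport(seg: bytes, proto: int):
    """Return (ports, payload) for TCP (data offset) or UDP (fixed 8 bytes)."""
    if proto == IPPROTO_TCP:
        if len(seg) < 20:
            raise ValueError("truncated TCP header")
        offset = (seg[12] >> 4) * 4
        if offset < 20 or offset > len(seg):
            raise ValueError("bad TCP data offset")
    elif proto == IPPROTO_UDP:
        if len(seg) < 8 or struct.unpack("!H", seg[4:6])[0] != len(seg):
            raise ValueError("bad UDP length")
        offset = 8
    else:
        raise ValueError("EtherNet/IP runs only over TCP or UDP")
    sport, dport = struct.unpack("!HH", seg[:4])
    return {"sport": sport, "dport": dport}, seg[offset:]


def parse_enip_header(payload: bytes) -> dict:
    if len(payload) < ENIP_HEADER_LEN:
        raise ValueError("truncated encapsulation header")
    cmd, length, session, status, context, options = struct.unpack("<HHII8sI", payload[:24])
    if length != len(payload) - ENIP_HEADER_LEN:
        raise ValueError("encapsulation Len disagrees with bytes on the wire")
    if options != 0:
        raise ValueError("Options must be zero")
    return {"cmd": cmd, "cmd_name": ENIP_COMMANDS.get(cmd, "unknown"),
            "session": session, "status": status, "context": context,
            "data": payload[ENIP_HEADER_LEN:]}


def dissect(frame: bytes) -> dict:
    """Full walk of Figure 9; raises ValueError on anything that does not fit."""
    eth, pkt = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip, seg = parse_ipv4(pkt)
    ports, payload = parse_transport(seg, ip["proto"])
    expected = ENIP_TCP_PORT if ip["proto"] == IPPROTO_TCP else ENIP_UDP_PORT
    if expected not in (ports["sport"], ports["dport"]):
        raise ValueError("not on the EtherNet/IP port for this transport")
    return {"ip": ip, "ports": ports, "enip": parse_enip_header(payload)}


def is_enip_frame(frame: bytes) -> bool:
    try:
        dissect(frame)
        return True
    except ValueError:
        return False


def build_sample(cmd: int, data: bytes) -> bytes:
    """Constructed frame to TCP/44818 (IP and TCP checksums left at zero)."""
    enip = struct.pack("<HHII8sI", cmd, len(data), 0, 0, b"DPI-demo", 0) + data
    tcp = struct.pack("!HHIIBBHHH", 50000, ENIP_TCP_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(enip), 1, 0, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + enip


SAMPLE_FRAME = build_sample(0x0065, struct.pack("<HH", 1, 0))  # protocol version 1, options 0

if __name__ == "__main__":
    print(dissect(SAMPLE_FRAME)["enip"])
```

Each layer's own length field is checked against the bytes that remain, which is what lets a DPI engine locate the Cmd field reliably even when IP or TCP options shift it; a rule that assumed fixed offsets would read the wrong bytes on such packets.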
Figure 10. Encapsulation Packet Format
Encapsulation Header: Cmd | Len | Session Handle | Status | Sender Context | Options
Encapsulation Data: Common Packet Format

2.8 EtherCAT

EtherCAT stands for Ethernet for Control Automation Technology. It is a control system protocol that is mainly used to satisfy very high performance requirements in the manufacturing environment. For a typical 1000 distributed points the update time is approximately 30 microseconds [Digital Bond, 2013]. The format of an EtherCAT UDP frame is shown in Figure 11. The EtherCAT telegram consists of one or more datagrams, each serving a particular memory area of the logical process image of up to 4 GB in size. The EtherCAT frame header consists of a length field, a reserve field, and a type field which indicates the nature of the data carried by the EtherCAT telegram [EtherCAT, 2013].

Figure 11. EtherCAT UDP Frame
Ethernet Header | IP Header | UDP Header | EtherCAT Frame Header | EtherCAT Telegram | Ethernet Trailer

3 Network Filters

Network filters found in devices such as routers, gateways, bridges, firewalls, and intrusion prevention systems are the first line of defense against malicious packets. In this section, we examine the different techniques that are used to realize their filtering functionalities. We also introduce the concept of deep packet inspection to usher in our on-going work on ICS protocol packet dissection.

3.1 Filtering Techniques

Deep packet inspection is a small part of the filtering techniques that are adopted by security providers in their commercial products. A non-exhaustive list, shown below, is presented in [Franz & Pothamsetty, 2004]:
• Layer 2 filtering using intelligent switches/bridges;
• Access Control Lists on Layer 3 and 4 using routers;
• Stateful Firewall filtering;
• Application Proxy filtering; and
• Deploying DPI and Intrusion Prevention Systems.

In describing an implementation of a Modbus firewall for DPI, Franz & Pothamsetty showed some simple firewall rules [Franz & Pothamsetty, 2004]:

# iptables -A INPUT -p tcp -m modbus --funccode 8 --allowtcp 1 -j DROP
# iptables -A INPUT -p tcp -m modbus --funccode !16 --allowtcp 1 -j DROP

The first rule drops a Modbus packet with a diagnostic function code; the second rule drops a Modbus packet whose function code is NOT a write multiple registers (16). The rules are simple examples of filtering Modbus packets but are not very useful in practice. Obviously there is a great need for developing filters that are creatively constructed using DPI and intelligent mechanisms. These filters can then be applied to fields and values in control systems. These fields might include register read and write commands, controlled objects, and service requests [Byres, 2012].

3.2 Deep Packet Inspection (DPI)

Deep Packet Inspection is the process of allowing packet inspecting devices, such as firewalls and Intrusion Prevention Systems (IPS), to perform an in-depth analysis of packet contents. This in-depth analysis is much broader than common technologies in that it combines protocol anomaly detection and signature scanning to realize its potential [Ramos, 2009]. The interested reader is referred to Antonello, et al. (2012) for a comprehensive literature review on various tools and techniques for the development of DPI systems.

4 ICS Protocol Packet Dissection

In this section, we present snapshots of captured industrial protocol packets that are encapsulated by Ethernet. We believe that, due to the ubiquity of the adaptation of industrial protocols on this networking technology, network attacks on industrial control equipment will most likely come with this encapsulation. A cursory analysis of each packet is presented with the aim of stimulating the interest of the reader in exploring the other ICS protocol packets that are not shown in this paper. Further, a packet dissection using freely accessible packet capture and analysis software such as Wireshark [Wireshark, 2013] or Capsa Network Analyzer [Colasoft, 2013] provides a tremendous boost towards securing industrial networks. Foremost among the derived benefits are 1) the facilitation of deep packet inspection; 2) the enhancement of data collection for predictive analytics; and 3) the provision of a deeper understanding of the protocol architecture and behavior.

4.1 Modbus/TCP Packet

A sample captured Modbus/TCP packet dissection is shown in Figure 12. Note how perfectly the Modbus and
Modbus/TCP segments map directly onto the APDU fields shown in Figure 4. With this information at hand, the DPI designer can now judiciously put forth more sensible IPS or firewall rules that are tuned to the secure operation of the ICS. As an additional note, after a quick perusal of how the protocol is assembled, a trained security analyst can easily recognize a security vulnerability: the lack of an authentication mechanism.

Figure 12. Sample Modbus/TCP Packet

4.2 EtherNet/IP Packet

A sample captured EtherNet/IP packet dissection is shown in Figure 13. A perusal of the packet dissection shows the encapsulated EtherNet/IP header and the command-specific data fields. In a similar vein to what is described above, the information gathered here can be used for intelligent monitoring and securing of an EtherNet/IP enabled device.

Figure 13. Sample EtherNet/IP Packet

4.3 EtherCAT Packet

A sample captured EtherCAT packet dissection is shown in Figure 14. Again, the mapping of the dissected fields to those shown in Figure 11 can easily be seen. The EtherCAT frame header is carrying "command" types of data that are defined in each of the datagrams (telegrams).

Figure 14. Sample EtherCAT Packet

5 Conclusions and Future Plans

This paper presented a review of industrial control protocols and the need for an in-depth defense mechanism in the form of a Deep Packet Inspection system. We also presented our on-going work on the dissection of various ICS packets as a springboard for the development of a DPI system dedicated to the protection of industrial controls. Further, we have to emphasize the fact that a solid understanding of the ICS protocols and architectures is critical to securing these systems. This seminal work on scrutinizing ICS packets is a small contribution to that end.

The challenge for the authors will be in the continual development of the DPI for control systems. Future plans include:
• Development of a proof-of-concept Linux based DPI; and
• Expansion of the ICS frame signatures to include those that utilize the wireless network protocols.

6 Acknowledgements
This paper is based upon a project partly supported by the National Science Foundation under grant award XXXXX-XX. Opinions expressed are those of the authors and not necessarily of the Foundation.

7 References

Acromag Incorporated (2002). "Introduction to Profibus DP." Busworks 900PB Series, Profibus/RS485 Network I/O Modules, Technical Reference. Retrieved March 13, 2013 from http://www.diit.unict.it/users/scava/dispense/II/Profibus.pdf.

Antonello, R., et al. (2012). "Deep Packet Inspection Tools and Techniques in Commodity Platforms: Challenges and Trends." Journal of Network and Computer Applications, November 2012, 35(6):1863-1878. Elsevier, Ltd.

Byres, Eric (2012). "Understanding Deep Packet Inspection for SCADA Security." White paper, Tofino Security. December 12, 2012. Retrieved January 10, 2013 from http://www.tofinosecurity.com.

CAN in Automation (2013). CAN Specification 2.0, Part B. Retrieved March 08, 2013 from CAN in Automation: http://www.can-cia.org/fileadmin/cia/specifications/CAN20B.pdf.

Clarke, G., Reynders, D., & Wright, E. (2004). Practical Modern SCADA Protocols. Oxford: Elsevier Ltd.

ColaSoft (2013). "Capsa Network Analyzer." Retrieved February 28, 2013 from http://www.colasoft.com.

Digital Bond (2013). "EtherCAT". Retrieved March 14, 2013 from http://www.digitalbond.com/scadapedia/protocols/ethercat/.

Franz, M. & Pothamsetty, V. (2004). "ModbusFW Deep Packet Inspection for Industrial Ethernet," Cisco Systems. Retrieved March 01, 2013 from http://blogfranz.googlecode.com/files/franz-niscc-modbusfw-may04.pdf.

EtherCAT Technology Group (2013). "EtherCAT - the Ethernet Fieldbus: Technical Introduction and Overview". Retrieved March 15, 2013 from http://www.ethercat.org/en/technology.html#3.1.

Krutz, R. L. (2006). Securing SCADA Systems. Indianapolis: Wiley.

Lian, F., Moyne, J., & Tilbury, D. (2001). "Performance Evaluation of Control Networks: Ethernet, ControlNet, and DeviceNet." IEEE Control Systems Magazine, February 2001, pp. 66-83.

Modbus.org (2012). "Modbus Application Protocol Specification" v1.1b3. Retrieved March 10, 2013 from http://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf.

Modbus.org (2012b). "Modbus Messaging on TCP/IP Implementation Guide" v1.0b. Retrieved March 10, 2013 from http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf.

Modicon (2000). "Modbus Protocol" v1.1b3. Retrieved March 13, 2013 from http://irtfweb.ifa.hawaii.edu/~smokey2/software/about/sixnet/modbus/modbus_protocol.pdf.

Open DeviceNet Vendor Association, Inc. (ODVA) (2006). "The Common Industrial Protocol (CIP) and the Family of CIP Networks". Ann Arbor, MI. Retrieved March 15, 2013 from http://www.odva.org/portals/0/library/publications_numbered/pub00123r0_common%20industrial_protocol_and_family_of_cip_netw.pdf.

Ramos, Anderson (2009). "Deep Packet Inspection Technologies," in Information Security Management Handbook, Harold Tipton & Micki Krause, eds., 6th Edition, Vol. 3. Auerbach Publications, NY.

Thomas, George (2008). "Introduction to Modbus Serial and Modbus TCP," The Extension: A Technical Supplement to Control Network. Contemporary Control Systems, Inc. Retrieved March 01, 2013 from http://www.ccontrols.com/pdf/Extv9n5.pdf.

Wireshark (2013). "Wireshark." Retrieved February 28, 2013 from http://www.wireshark.org.