A control system is a system used to monitor and maintain a remote system efficiently; such systems operate major national facilities such as electric power, gas, water and sewage, and transportation. As formerly closed control system protocols are gradually disclosed as international standards, attackers gain far more knowledge of control systems and their network operation, so the possibility and risk of cyber intrusion into a control system keep rising. Above all, a cyber intrusion into a control system may cause a national disaster, so special security management is required.
MODBUS, one of the control system protocols, is an industrial communication protocol used to control PLCs (Programmable Logic Controllers). MODBUS is an application layer messaging protocol that provides client/server request/reply communication over a variety of transmission media and is one of the most widely used communication methods in industrial applications worldwide.
MODBUS communication is generally classified into MODBUS Serial, MODBUS Plus, and MODBUS TCP/IP. MODBUS Plus was used for communication between host systems before MODBUS TCP/IP was developed. Since the development of MODBUS TCP/IP, however, it has become the main communication method because of its superior communication speed and system applicability. Instead, existing MODBUS Plus and MODBUS serial (RS-232/485) links are generally converted to MODBUS TCP/IP through a gateway and then connected to a host system.
As MODBUS becomes a general protocol standard for SCADA systems, the problem arises that such systems can easily be attacked by exploiting it. In particular, the risk may be more serious not when a SCADA system is attacked in a complicated manner with malicious code such as Stuxnet, but when the weaknesses of MODBUS, the SCADA system's own protocol, are attacked directly.
For example, using attack tools such as Dismal, it may be possible to collect information on which systems are in use at a given facility, such as a hydroelectric or thermal power plant. That is, when Dismal is commanded to collect information, system information is returned to the attacker regardless of the system type, and malicious instructions may be sent in the same way. Accordingly, the problem is the protocol itself rather than a zero-day attack such as Stuxnet, since the protocol can be attacked merely by manipulating a packet. A new type of attack may therefore occur at any time through simple packet manipulation.
Further, since the MODBUS protocol does not consider security requirements such as authentication or authorization of a client's requests or a server's replies, the electric power field has begun to consider security requirements in view of Denial of Service attacks as well as the security weaknesses of the control protocol. This is because several devices can crash or become overloaded even under ordinary network traffic such as broadcast/multicast.
In conclusion, while there is increasing concern about intentional or unintentional actions that interrupt the safe operation of major infrastructure control systems, current enterprise security products such as firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) focus on the external network boundary and are therefore weak against problems arising inside the infrastructure. That is, although there is a variety of penetration routes including insider threats, control network security also concentrates on boundary-oriented alerting, so it is weak at analyzing internal behavior. Accordingly, in order to provide stable service between control systems, a security mechanism suited to the control system protocol is required.
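The request/reply framing of MODBUS TCP/IP described earlier, the observation that a request carrying information-gathering or write commands can be built by simply manipulating a packet, and the protocol-aware mechanism this paragraph calls for, worked as one added Python example. This is not code from the original text or from any MODBUS vendor. The frame layout follows the public MODBUS/TCP specification (MBAP header followed by the PDU); the host addresses, register numbers and values, and the write allowlist are constructed for illustration, and the monitor is one possible form of such a mechanism, not a reference to any specific product.

```python
"""MODBUS/TCP framing and a minimal protocol-aware monitor (added example).

MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1)
PDU:         function code (1) + function-specific data
The length field counts the unit id plus the PDU. Hosts, registers, values
and the allowlist below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

MBAP = struct.Struct(">HHHB")             # transaction id, protocol id, length, unit id

# Function codes from the MODBUS application protocol specification.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
READ_DEVICE_IDENTIFICATION = 0x2B        # encapsulated interface transport, MEI type 0x0E
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}   # every standard write function


@dataclass
class Frame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def encode(frame: Frame) -> bytes:
    pdu = bytes([frame.function]) + frame.data
    return MBAP.pack(frame.transaction_id, 0, len(pdu) + 1, frame.unit_id) + pdu


def decode(raw: bytes) -> Frame:
    if len(raw) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, pid, length, uid = MBAP.unpack_from(raw)
    if pid != 0:
        raise ValueError("protocol id is not 0")
    if length != len(raw) - 6:           # the 6 header bytes before the unit id are not counted
        raise ValueError("length field does not match frame size")
    return Frame(tid, uid, raw[7], raw[8:])


def read_holding_registers_request(tid, unit, start, count):
    return encode(Frame(tid, unit, READ_HOLDING_REGISTERS, struct.pack(">HH", start, count)))


def read_registers_response(tid, unit, values):
    data = bytes([2 * len(values)]) + struct.pack(">%dH" % len(values), *values)
    return encode(Frame(tid, unit, READ_HOLDING_REGISTERS, data))


def parse_read_registers_response(raw):
    f = decode(raw)
    if f.function & 0x80:                # exception response: data[0] is the exception code
        raise ValueError("exception code %#x" % f.data[0])
    n = f.data[0]
    return list(struct.unpack(">%dH" % (n // 2), f.data[1:1 + n]))


def write_single_register_request(tid, unit, address, value):
    return encode(Frame(tid, unit, WRITE_SINGLE_REGISTER, struct.pack(">HH", address, value)))


def read_device_identification_request(tid, unit):
    # MEI type 0x0E, read-device-id code 0x01 (basic: vendor, product code, revision), object 0x00
    return encode(Frame(tid, unit, READ_DEVICE_IDENTIFICATION, bytes([0x0E, 0x01, 0x00])))


def monitor(packets, write_allowlist):
    """packets: (source ip, raw frame) pairs as a sensor on the control network sees them.
    Nothing in the frame identifies or authenticates the sender, so authorization must
    come from outside the protocol; here the source address is checked against an allowlist."""
    alerts = []
    for src, raw in packets:
        try:
            f = decode(raw)
        except ValueError as exc:
            alerts.append((src, "malformed frame: %s" % exc))
            continue
        if f.function in WRITE_FUNCTIONS and src not in write_allowlist:
            alerts.append((src, "write function %#04x from host outside allowlist" % f.function))
        elif f.function == READ_DEVICE_IDENTIFICATION and src not in write_allowlist:
            alerts.append((src, "device identification probe from host outside allowlist"))
    return alerts


HMI = "10.0.0.10"        # constructed: the legitimate operator station
ATTACKER = "10.0.0.99"   # constructed: any other host that reaches the control network


def example_traffic():
    packets = [
        (HMI, read_holding_registers_request(1, 1, 0, 2)),
        (HMI, write_single_register_request(2, 1, 40, 1)),
        (ATTACKER, read_device_identification_request(3, 1)),
        # Same function and register as the operator's write: the bytes differ only in
        # transaction id and value, so the PLC itself cannot tell the two senders apart.
        (ATTACKER, write_single_register_request(4, 1, 40, 0)),
        (ATTACKER, b"\x00\x05\x00\x00\x00\x02\x01"),   # truncated frame
    ]
    return monitor(packets, write_allowlist={HMI})


if __name__ == "__main__":
    print(parse_read_registers_response(read_registers_response(1, 1, [10, 20])))
    for src, msg in example_traffic():
        print(src, msg)
```

The PLC accepts the attacker's write exactly as it accepts the operator's, which is the weakness the text describes; the allowlist check is deliberately placed in a separate monitor because the protocol offers no field on which the device could make that decision itself.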