MODBUS is a communications protocol published by Modicon in 1979 for use with programmable logic controllers (PLCs). Initially conceived as a serial communications link, more recent versions of the MODBUS protocol allow for communications over an Ethernet network using TCP/IP. Because it is simple and robust, MODBUS has since become a de facto standard communication protocol and is now one of the most commonly used means of connecting industrial electronic devices in industrial control systems (ICSs). For example, MODBUS is often used to connect a supervisory computer with one or more remote terminal units (RTUs) in supervisory control and data acquisition (SCADA) systems.
SCADA is one type of industrial control system (ICS). Industrial control systems are computer-controlled systems that monitor and control industrial processes that exist in the physical world. SCADA systems have historically been distinguished from other ICS systems by controlling large-scale processes that may span multiple sites and large distances. These processes include industrial, infrastructure, and facility-based processes. Industrial processes include those of manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive, or discrete modes. Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, and large communication systems. Facility processes occur both in public facilities and private ones, including buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption.
The security of SCADA and other ICS networks is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. However, the move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between segregated control networks and office networks and the Internet, has made such control networks more vulnerable to cyber-attack. There are two distinct threats to a modern segregated control network. The first threat is unauthorized access to the control software via changes induced intentionally or accidentally by virus infections and other software threats residing on the control host machine. The second threat is packet access to the network segments hosting SCADA devices. In many cases, there is rudimentary or no security on the actual packet control protocol, so anyone who can send packets to the SCADA device can control it. In many cases SCADA users assume that a VPN is sufficient protection and are unaware that physical access to SCADA-related network jacks and switches provides the ability to totally bypass all security on the control software and fully control those SCADA networks. These kinds of physical access attacks bypass firewall and VPN security and are best addressed by endpoint-to-endpoint authentication and authorization, such as are commonly provided in the non-SCADA world by in-device SSL or other cryptographic techniques. The reliable function of SCADA systems in our modern infrastructure may be crucial to public health and safety. As such, attacks on these systems may directly or indirectly threaten public health and safety. Thus, there is a great motivation to keep SCADA and other ICS networks secure by physically preventing any unauthorized access to such networks. The easiest way to do this is to ensure that there is no interconnection whatsoever to any remote networks.
However, often there is a need to transfer information from the secure SCADA or other ICS network to a non-secure location, e.g., a historian database on a remote network. Thus there is a conflict between providing the best level of security and transferring information to the remote network. This is because the transfer of information will typically require a two-way interface, and because such two-way interface could provide easy access for an external cyber-attack.
Highly engineered solutions, such as the Owl Computing Technologies Dual Diode (described in U.S. Pat. No. 8,068,415, the disclosure of which is incorporated herein by reference), provide a one-way data link in the form of a direct point-to-point optical link between network domains in either the low-to-high direction or the high-to-low direction. The unidirectionality of the data transfer is enforced in the circuitry of the network interface cards at both network endpoints and in the cable interconnects. In this way, the hardware provides an added layer of assurance of unidirectional information flow and non-bypassable operation. In contrast to software-based one-way data transfer systems, it is easy to prove that data is not bypassing the Dual Diode.
In such systems, shown in block diagram form in FIG. 1, a first server (the Blue Server) 101 includes a transmit application 102 for sending data across a one-way data link, e.g., optical link 104, from a first network domain coupled to server 101 to a second network domain coupled to server 111. First server 101 also includes a transmit (here a phototransmission) component, e.g., optical emitter 103. Transmit application 102 provides data to the optical emitter for transmission across the optical link 104. A second server (the Red Server) 111 includes a receive (here a photodetection) component, e.g., optical detector 113, for receiving data from the optical link 104, which data is then provided to the receive application 112 for further processing. The first server 101 is only able to transmit data to second server 111, since it does not include any receive circuitry (e.g., an optical detector comparable to detector 113), and the second server 111 is only able to receive data from first server 101, since it does not include any transmit circuitry (e.g., an optical emitter comparable to emitter 103).
FIG. 2 shows a conventional MODBUS-based industrial control system 200. A computer 210 running SCADA software 220 communicates via a MODBUS TCP/IP driver 225 with a series of MODBUS-enabled devices 241 to 244 over the plant process computer network 230 (e.g., an Ethernet network). Some of the MODBUS-enabled devices (i.e., device 243 in FIG. 2) may contain multiple slave devices 261, 262 coupled via a sub-network 250. This type of system 200 can be vulnerable to both types of threats discussed above, i.e., unauthorized access to the control software and packet access to the network segments.
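To make concrete why packet access to network 230 is enough to control a device (the MODBUS/TCP frame carries no authentication field at all), the following is an added example, not code from the patent or from any Owl product: a parser for the MBAP header plus PDU, and a passive monitor that flags write function codes arriving from hosts outside an assumed allow-list. Function codes come from the public MODBUS application protocol specification; the frames and IP addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Public function codes from the MODBUS application protocol specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_adu(frame: bytes) -> ModbusRequest:
    """Parse one MODBUS/TCP application data unit (MBAP header + PDU).

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, = unit id byte + PDU bytes), unit id (1). Nothing in the
    frame identifies or authenticates the sender; only the TCP source
    address distinguishes the SCADA host from anyone else on the segment.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(frame: bytes, src_ip: str, allowed_writers: set) -> str:
    """Monitoring verdict for one request observed on the plant network."""
    req = parse_adu(frame)
    fc = req.function_code
    if fc in WRITE_CODES and src_ip not in allowed_writers:
        return (f"ALERT: {WRITE_CODES[fc]} to unit {req.unit_id} "
                f"from unauthorised host {src_ip}")
    if fc in WRITE_CODES:
        return f"write: {WRITE_CODES[fc]} to unit {req.unit_id} from {src_ip}"
    if fc in READ_CODES:
        return f"read: {READ_CODES[fc]} from {src_ip}"
    return f"ALERT: unknown or vendor function code {fc} from {src_ip}"


# Constructed sample frames (not captured from any real plant).
READ_HR = bytes.fromhex("000100000006" "01" "03" "0000000A")   # read 10 holding regs
WRITE_REG = bytes.fromhex("000200000006" "01" "06" "00101234")  # write reg 0x10 = 0x1234
```

Assuming the SCADA computer 210 is the only permitted writer, the same write frame is reported as a routine write from its address and as an alert from any other address.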
It is an object of the present invention to provide a secure way to transfer information from an ICS network while maintaining the integrity of the network to ensure protection from remote cyber-attack.