Hello everybody! This article is intended for specialists in the field of industrial control systems. Other readers may find it hard to follow because of the abundance of specialized terms.
As a rule, in an automated process control system, the demilitarized zone (DMZ) is implemented as follows:

In network 1 there is an OPC server, from which the OPC client on network 2 must receive data. There is a DMZ server. Firewall 1 only allows connections from network 1; other connections are denied. Firewall 2 only allows connections from network 2; other connections are denied. Transmission under the OPC DA standard is not possible under these conditions.
What are the standard exchange protocols in process control systems? Of course, Modbus comes to mind first. For TCP/IP there is Modbus TCP. There is also a Modbus-RTU mode over TCP/IP: the same packets that travel over RS-485 are transmitted over TCP/IP. Modbus-RTU over TCP/IP has become a de facto standard, but it remains non-standard de jure.
Let us define the terms:
- Modbus Slave - a program that serves data via the Modbus protocol
- Modbus Master - a program that receives data from the Slave via the Modbus protocol
So, consider this scheme:

In network 1, the “OPC to Modbus TCP converter” is a Modbus Slave that receives data from the OPC server. The “OPC to Modbus TCP converter” itself establishes a TCP connection with the Modbus TCP OPC server (Modbus Master) in the DMZ (which has a passive waiting mode), and the “OPC to Modbus TCP converter” (Modbus Slave) in the DMZ receives data from this OPC server. The Modbus TCP OPC server (Modbus Master) on network 2 establishes a connection with the “OPC to Modbus TCP converter” in the DMZ and passes the data to the OPC client.
What is non-standard in this scheme is that the “OPC to Modbus TCP converter”, being a Modbus Slave, itself establishes the connection with the Modbus Master. That is why it was necessary to write our own converter.
Let us simplify the scheme:

For the server in the perimeter network we will create a simple program with the working name TCP connections Convertor. It opens two TCP ports. From network 1, the “OPC to Modbus TCP converter” connects to it on port 1000; the Modbus TCP OPC server connects to it on port 1001. A packet arriving on port 1000 is sent to the client connected to port 1001. A packet arriving on port 1001 is sent to the client connected to port 1000.
One may object that a potential attacker could compromise the “OPC to Modbus TCP converter” by sending it malformed packets. To counter this, TCP connections Convertor can refuse connections from unknown IP addresses, monitor packet length, and check packets for compliance with the Modbus TCP standard.
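The three checks named above (refusing unknown IP addresses, monitoring packet length, verifying Modbus TCP compliance) can be sketched as follows. This is an added example, not the author's TCP connections Convertor code; the function names and the allowlisted addresses are assumptions constructed for illustration, while ports 1000 and 1001 follow the article. It covers only the filtering step, which a relay would run on each received buffer before forwarding.

```python
import ipaddress
import struct

# Assumed allowlist (constructed addresses): the only peer accepted on each port.
ALLOWED = {1000: {"10.1.0.5"}, 1001: {"10.2.0.7"}}
MBAP_LEN = 7     # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253    # Modbus PDU limit, so the MBAP length field is at most 254


def peer_allowed(port, peer_ip):
    """Refuse connections from addresses not listed for this relay port."""
    return str(ipaddress.ip_address(peer_ip)) in ALLOWED.get(port, set())


def split_frames(buf, from_master):
    """Split received TCP bytes into complete Modbus TCP frames.

    Returns (frames, remainder). Raises ValueError on a non-compliant frame;
    the relay should then close the connection instead of forwarding.
    The remainder is always shorter than 260 bytes, so buffering is bounded.
    """
    frames = []
    while len(buf) >= MBAP_LEN:
        _tid, proto, length, _unit = struct.unpack(">HHHB", buf[:MBAP_LEN])
        if proto != 0:
            raise ValueError("protocol id is not 0 (not Modbus)")
        if not 2 <= length <= MAX_PDU + 1:
            raise ValueError("MBAP length field out of range")
        end = 6 + length                  # length counts unit id + PDU
        if len(buf) < end:
            break                         # wait for the rest of the frame
        func = buf[MBAP_LEN]
        # Function code 0 is invalid; only a slave may set the exception bit.
        if func & 0x7F == 0 or (from_master and func >= 0x80):
            raise ValueError("invalid function code")
        if func >= 0x80 and length != 3:  # exception = unit id + func + code
            raise ValueError("malformed exception response")
        frames.append(bytes(buf[:end]))
        buf = buf[end:]
    return frames, bytes(buf)
```

In the article's layout, data arriving on port 1001 comes from the Modbus Master (`from_master=True`) and data arriving on port 1000 comes from the Slave.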
We now turn to IEC-60870-5-104. This protocol is more advanced than Modbus. With it, you can transmit signal reliability and time stamps. The IEC-60870-5-104 standard also supports the mode in which the Slave establishes the connection with the Master.
In the standard, the Master is called a monitoring station and the Slave is called a controlled station.
Let us redraw the scheme:

We repeat the description: in network 1, the “OPC to IEC-104 converter” is a Slave that receives data from the OPC server. The “OPC to IEC-104 converter” itself establishes a TCP connection with the IEC-104 OPC server (Master) in the DMZ, and the “OPC to IEC-104 converter” (Slave) in the perimeter network receives data from the IEC-104 OPC server. The IEC-104 OPC server (Master) on network 2 establishes a connection with the “OPC to IEC-104 converter” in the DMZ and passes the data to the OPC client.
Again, this scheme can be simplified using the TCP connections Convertor program.

Another idea!

With the advent of wireless GSM/GPRS modems that provide data transmission over the TCP/IP protocol stack, it has become convenient to organize communication channels with remote sites. However, it is not always possible to get a static IP address for a GSM/GPRS modem. In this case, the static IP address is assigned to the server instead. The GSM/GPRS modem establishes a connection with the server, on which the TCP connections Convertor program is installed. The OPC server sends a request to the server on port 1000; the GSM/GPRS modem connected to port 1001 receives this packet and passes it to the meter. The meter responds, the GSM/GPRS modem sends the response to the server on port 1001, and the server forwards the reply to the OPC server on port 1000. The OPC server “thinks” that it is communicating with the meter directly, while the computer running the OPC server remains isolated from the external network (the Internet).