Lab 1

Scenario Overview

The industrial control system (ICS) used in this scenario simulates an environment that might be used to cool industrial equipment. The ICS is made up of five systems. The first system contains a tank, tank level sensor and a water pump. The second system is a programmable logic controller (PLC) which controls the water pump based on the level of water found in the attached tank. The third system is an Open Platform Communications (OPC) server which accesses and modifies data found on the PLC. The fourth system is running Human Machine Interface (HMI) software which communicates with the OPC server to provide a human system operator with system statistics and control. The final system in the ICS is a security appliance that provides routing and firewall services for all systems. This scenario also make use of a system running Kali Linux. In this lab the virtual network switch is configured so that the Kail system receives all data transmitted. (Network diagram)

In this lab the student will use an HMI system to control and configure the ICS in the same way a typical machine operator would. The student will then use an OPC server to control and configure the ICS. Next the student will use the Wireshark network monitoring software to view typical Modbus/TCP traffic generated while the ICS is functioning. The student will then use Metaspolit to verify that the Modbus protocol is highly insecure. Finally, the student will use Wireshark to view some S7 traffic generated by Seimens equipment.

Part 1
Install Systems

In this part of the lab you are going to install and configure the systems needed to complete the lab.

1. Access the lab remote access server at https://guac.nl.northweststate.edu and login using your assigned username and password.
2. Login a second time to the nlstu-s1.nl.northweststate.edu remote server using your assigned username and password.
3. When the Linux desktop appears, click the Activities menu located in the top left hand corner of the screen.
4. Type ics into the Type to search field that appears in the top center of the screen (Example).
5. Click the ICS Lab Control icon.
6. Select the New Lab option, click the OK button then wait for the systems to start.

Part 2
Use an HMI System to Monitor and Control ICS Components

In this part of the lab you are going to examine the basic functionality of an HMI system.

1. Access the HMI system.
2. Take a minute to observe the data and controls available in the AdvancedHMI program.
3. Click the Stop button in the AdvancedHMI program and observe that the system powers down and all activity on the ICS stops.
4. Click the Start button in the AdvancedHMI program and observe that the system powers up and the ICS again begins to function.
5. Click on the value shown in the Pump on at: field (Example).
6. Change the pump on value to 10 (Example).
7. Take a minute to observe how this modifies the behavior of the system.
8. Click on the value shown in the Pump off at: field.
9. Change the pump off value to 101
10. Take a minute to observe how this modifies the behavior of the system.
11. Take a screen shot showing the results of changing the pump off value to 101, ( Example ) then paste it into the lab form found here.
12. Click the RESET button in the AdvancedHMI program, then click the Yes button to indicate that you are sure you want to reset the system.
13. Verify that the ICS is again functional.

Part 3
Use an OPC Server to Monitor and Control ICS Components

In this part of the lab you are going to examine the basic functionality of an OPC server.

1. Access the OPC system.
2. Start the KEPServerEX 5 program by double clicking on the KEPServerEX 5 Configuration icon located in the upper left corner of the desktop.
3. In the KEPServerEX 5 program, expand the Modbus TCP/IP Ethernet category ( Example ).
4. Click the Channel1 category and note that the ID of the Cooling_Tank PLC is <10.0.255.102>.0 ( Example ).
5. Expand the Channel1 category ( Example ).
6. Click the Cooling_Tank category ( Example ).
7. Move your mouse into the space between the Tag Name and Address columns until it becomes a resize cursor then drag the boundary to the right until you can view all of the text in the Tag Name column ( Example ).
8. Notice that the addresses for the listed Boolean (Bit) values start with a 0 which indicates that they are part of the Modus Coil table.
9. Notice that the addresses for the listed Word values start with a 4 which indicates that they are part of the Modus Holding registers table.
10. Note that the address of the tag controlling power to the cooling system, the Power tag, is 000001.
11. In the KEPServerEX 5 program, go to the Tools menu then choose the Launch OPC Quick Client link to start the OPC Quick Client program which will allow you to view real time data.
12. Maximize the OPC Quick Client window.
13. Expand the Kepware.KEPServerEX.V5 category then select the Channel1.Cooling_Tank folder ( Example ).
14. Move your mouse into the space between the Item ID and Data Type columns until it becomes a resize cursor then drag the boundary to the right until you can view all of the text in the Item ID column.
15. Take a minute to observe the data shown.
16. Right click on the Channel1.Cooling_Tank.Power Item ID then choose the option Synchronous Write... ( Example ).
17. Type 0 into the Write Value field then click the OK button.
18. Take a screen shot showing the entire OPC Virtual Machine window and the value of the Channel1.Cooling_Tank_Power Item ID in the OPC Quick Client program, ( Example ) then paste it into the lab form found here.
19. Access the HMI system.
20. Note that the cooling system has been powered down as a result of the changes made at the OPC server.
21. Click the Start button in the AdvancedHMI program and observe that the system powers up and the ICS again begins to function.
22. Access the OPC system.
23. Note that the value displayed for the Channel1.Cooling_Tank_Power Item ID has changed to a 1 as a result of the changes made at the HMI system.

Part 4
Use Wireshark to view Modbus/TCP traffic

In this part of the lab you are going to use Wireshark to view Modbus/TCP traffic.

1. Access the Kali system.
2. At the login screen enter student into the Enter your username field and Password01 into the Enter your password field.
3. Click the Log In button.
4. Open a terminal (command prompt) window by clicking the Terminal Emulator button found at the upper left hand corner of the window (Example).
5. Start the Wireshark program by typing the command wireshark
6. After the Wireshark program starts, select the cell-area-zone network device to indicate that you wish to capture data on that device ( Example ).
7. Click the Start Capturing packets button to begin capturing network data ( Example ).
8. The data you need to view will be captured very quickly so immediately end the capture by clicking on the Stop Capturing packets button ( Example ).
9. View only traffic going to or coming from the OPC server by clicking in the display filter field, typing ip.addr==10.0.255.100 then clicking the Apply display filter button or pressing <ENTER> to activate the filter ( Example ).
10. If necessary scroll to the right in the top, packet list panel, until you are able to view the data shown in the Info column (Example).
    • The standard Wireshark output window is divided into three panels, the top panel is named the packet list panel and contains a summary of each packet captured.
    • The middle panel is named the packet details panel and shows a decoded view of the packet currently selected in the packet list panel.
    • The bottom panel is named the packet bytes panel and shows the raw data contained in the packet currently selected in the packet list panel.
11. Scroll through the packets in the packet list panel until you find a packet that is a Query of type Read Coils (Example).
12. In the packet list panel select a packet that is a Query of type Read Coils.
13. In the middle, packet details, panel expand the Modbus category of decoded data (Example).
14. If necessary scroll down the packet details panel so that all of the decoded Modbus data is shown.
15. Note that the Reference Number shown in the Modbus category is 0, this indicates that the system should read from the Coil table starting at offset 0 which corresponds to the first Coil in the Coil table.
    • The Modbus Coil table is used to store read/write binary data.
    • The first Coil in the Coil table has the address 000001 which, as was observed when the OPC server was being examined, represents the Power tag which monitors and controls the status of power going to the cooling system.
16. Note that the Bit Count is 5, this indicates that the request should read 5 bits (Coils) of data.
17. In the packet list panel select a packet that is a Response of type Read Coils.
18. If necessary, expand the Modbus category of detail data then scroll down so that all of the decoded Modbus data is shown ( Example ).
19. Note that the value of Bit 0, which represents the Coil with the address of 000001 (Power), is currently set to 1 indicating that the system is powered on.
20. Access the HMI system.
21. Click the Stop button in the AdvancedHMI program and observe that the all activity on the ICS stops.
22. Return to the Kali system.
23. Click the Start Capturing packets button to begin capturing network data.
24. Click the Continue without Saving button when you are informed that there are unsaved packets in the program.
25. The data you need to view will be captured very quickly so immediately end the capture by clicking on the Stop Capturing packets button.
26. Scroll through the packets in the packet list panel until you find a packet that is a Response of type Read Coils.
27. If necessary, expand the Modbus category of detail data then scroll down to view the values of the bits (Coils) retrieved from the PLC ( Example ).
28. Note that the value of Bit 0, which represents the Coil with the address of 000001 (Power), is currently set to 0 indicating that the system is powered off.
29. Take a screen shot that shows the entire Kali window ( Example ) then paste it into the lab form found here.
30. Close the Wireshark program clicking the Quit without Saving button when prompted.
31. Access the HMI system.
32. Click the Start button in the AdvancedHMI program and observe that the ICS again begins to function.

Part 5
Use Metasploit to exploit Modbus/TCP vulnerabilities

In this part of the lab, you will use the Metasploit program on the Kali system to exploit Modbus/TCP's lack of authentication or authorization controls.

1. Access the Kali system.
2. Access a terminal window on the Kali system.
3. Type the msfconsole command to start the Metasploit program.
4. After the Metasploit program starts type the command search modbus to display the Metasploit modules that specifically target systems using the Modbus protocol.
5. Type the command use auxiliary/scanner/scada/modbusclient to load the Modbus Client Utility module ( Example ).
6. Type the command show options to view the options available in the Modbus Client Utility module ( Example ).
7. Type the command set rhosts 10.0.255.102 to indicate that you want the module to connect with the PLC ( Example ).
8. Type the command set action READ_COILS to indicate that you want to read from the Coil table on the PLC ( Example ).
9. Type the command set data_address 0 to indicate you want to read from the Coil table starting at offset 0 ( Example ).
   • The address of the Coil with an offset of 0 is 000001 which, as was observed when the OPC server was being examined, represents the Power tag which monitors and controls the status of power going to the cooling system.
10. Type the command exploit to execute the Modbus Client Utility module with the options set.
11. Note that the value of the data found at offset 0 of the Coil table is currently set to 1 indicating that the system is powered on.
12. Type the command set action WRITE_COIL to indicate that you want to write a single value into the Coil table on the PLC.
13. Type the command set data 0 to indicate that you want to change the value at offset 0 of the Coil table to a 0.
14. Type the command exploit to execute the Modbus Client Utility module with the options set.
15. Take a screen shot that shows the entire Kali window ( Example ) then paste it into the lab form found here.
16. Access the HMI system.
17. Note that the cooling system has been powered down as a result of the changes made using the Metasploit program.
18. Access the Kali system.
19. Type the command exit to end the Metasploit program.

Part 6
Use Wireshark to view Siemens S7 traffic

In this part of the lab you are going to use Wireshark to view Siemens S7 traffic.

1. Access a terminal window on the Kali system.
2. Start the Wireshark program by typing the command wireshark
3. From the File menu in Wireshark choose the Open option.
4. Navigate to the /home/student/labs/ics-basics directory then open the snap7.pcapng capture file.
5. View only traffic going to or coming from the OPC server by clicking in the display filter field, typing ip.addr==10.0.255.100 then clicking the Apply display filter button or pressing <ENTER> to activate the filter (Example ).
6. If necessary scroll to the right in the top, packet list panel, until you are able to view the data shown in the Info column ( Example ).
7. Scroll through the packets in the packet list panel until you find a packet that contains the summary Info data ROSCTR: [Job ] Function: [Read Var]( Example ).
8. In the packet list panel select a packet that contains the summary Info data ROSCTR: [Job ] Function: [Read Var] ( Example ).
9. In the middle, packet details, panel expand the S7 Communication category then the Header: (Job) category of decoded data ( Example ).
10. If necessary scroll down the packet details panel so that all of the decoded Header: (Job) data is shown ( Example ).
11. Note the value for the Protocol Data Unit Reference.
    • The protocol data unit reference value is used to match data requests with data replies.
12. Expand the Parameter: (Read Var) category.
13. If necessary scroll down the packet details panel so that all of the decoded Parameter: (Read Var) data is shown.
14. Note that the first item to be read is a single byte of data from memory area Q of the PLC ( Example ).
    • Memory area Q is used to store read/write binary data used to turn devices on or off.
    • In the cooling system the value at address Q0.0 controls and monitors all power for the cooling system ( Example ).
    • In the cooling system the value at address Q0.1 controls and monitors the pump in the cooling system ( Example ).
15. In the packet list panel select a packet that contains the summary Info data ROSCTR: [Ack_Data ] Function: [Read Var].
16. In the middle, packet details, panel scroll down if necessary and expand the Data category.
17. If necessary scroll down the packet details panel so that all of the decoded Data data is shown.
18. Expand the Item [1]: (Success) category.
19. If necessary scroll down the packet details panel so that all of the decoded Item [1]: (Success) data is shown.
20. Note the hexadecimal value for Data: ( Example ).
    • Only two bits of data are being used in the byte of data read from the Q memory area ( Example ).
      • A binary value of 0000 0000 (hexadecimal 00) indicates that both the pump and power to the system is off.
      • A binary value of 0000 0001 (hexadecimal 01) indicates that the pump is off and power to the system is on.
      • A binary value of 0000 0010 (hexadecimal 02) indicates that the pump is on and power to the system is off.
      • A binary value of 0000 0011 (hexadecimal 03) indicates that both the pump and power to the system is on.
      • In the example shown here the pump is on and power to the system is on.
21. View only traffic going to or coming from the OPC server which contains the protocol data unit reference 1909 by clicking in the display filter field, typing ip.addr==10.0.255.100 and s7comm.header.pduref==1909 then clicking the Apply display filter button or pressing <ENTER> to activate the filter ( Example ).
22. Use the data displayed in Wireshark to answer the last question the lab form found here.
23. To end the lab, restart the ICS Lab Control program from the Desktop if necessary, select the Pause/End Lab option, click the OK button then wait for the systems to stop.