[Diagram labels: Circuit Breaker, Pressure Meter, Valve, HMI / SCADA / DCS, Engineering Station, PLC, RTU, DCS Controller]
[Diagram: control loop with Controller, A/C, Thermometer, Keypad. Labels: System Input, System Output, Reference, Measured Output]

[Diagram: control loop with Controller, Turbine, Pressure Meter, HMI. Labels: System Input, System Output, Reference, Measured Output]
Cyber Attack By Changing Control Parameters
Is it possible? Likely?
[Diagram, 1 of 2: HMI, PLC, Turbine. Labels: "Sensor Data", "RPM is 300"]

[Diagram, 2 of 2: HMI, PLC, Turbine. Labels: "Sensor Data", "RPM is 300", "Set RPM to 500", "Set Actuator"]
[Diagram, 1 of 3: HMI, PLC, Turbine. Labels: "Set RPM to 1000", "?"]

[Diagram, 2 of 3: HMI, PLC, Turbine. Labels: "Set RPM to 1000", "?", with the control logic shown]

CONTROL LOGIC
- Read RPM from HMI
- If RPM > 500
  - Ignore new RPM
- Else
  - Set RPM

[Diagram, 3 of 3: HMI, PLC, Turbine. Labels: "Set RPM to 1000", "Nothing", with the same control logic shown]
Firmware
Configuration
Logic
Process Parameters
[Diagram, 1 of 4: Engineering Station, PLC. Label: "Upload logic"]

- Read RPM from HMI
- If RPM > 500
  - Ignore new RPM
- Else
  - Set RPM

[Diagram, 2 of 4: Engineering Station, PLC. Label: "Download new logic"]

- Read RPM from HMI
- If RPM > 500
  - Set RPM to 1000
- Else
  - Set RPM to 1000

[Diagram, 3 of 4: Engineering Station, HMI, PLC, Turbine. Labels: "Upload new logic", "Set RPM to 300", with the new logic shown]

[Diagram, 4 of 4: Engineering Station, HMI, PLC, Turbine. Labels: "Upload new logic", "Set RPM to 300", "Set RPM to 1000", with the new logic shown]
[Diagram, 1 of 3: Engineering Station, HMI, PLC, Turbine. Labels: "Upload new logic", "Read RPM"]

[Diagram, 2 of 3: Engineering Station, HMI, PLC, Turbine. Labels: "Upload new logic", "Read RPM", "RPM is 1000"]

- Got read RPM command
- result = Query Sensor
- Report back result

[Diagram, 3 of 3: Engineering Station, HMI, PLC, Turbine. Labels: "Upload new logic", "Read RPM", "RPM is 1000"]

- Got read RPM command
- result = Query Sensor
- Report back RPM=500
[Diagram, 1 of 4: Engineering Station, HMI, PLC. Labels: "Set RPM", "Read Temperature", "Read Control Logic", "Update Firmware"]

[Diagram, 2 of 4: same as 1 of 4, adding the labels "Application Protocols" and "Control-Layer Protocols"]

[Diagram, 3 of 4: same as 2 of 4, adding the protocol names DNP3, Modbus, BACnet, PROFINET, …]

[Diagram, 4 of 4: same as 3 of 4, adding the vendor names Honeywell, Rockwell, Schneider Electric, Siemens, Emerson, …]
[Diagram: control loop with Controller, A/C, Thermometer, Keypad. Labels: System Input, System Output, Reference, Measured Output]

[Diagram: HMI, PLC, Turbine]
We’ve learned that the industrial controllers are the most important part of an ICS network.
Now what?
- Confidential -