
FIT5037: Network Security

 FIT5037: Network Security 1st Assignment Second Semester 2019

Assignment Activities
1. [30 Marks] This exercise is based on the very popular MODBUS protocol, which is widely
used in industrial networks to report Programmable Logic Controller (PLC) results to a
SCADA system. The protocol has a simple structure and was designed primarily to provide
fast, almost real-time response and safety. A lot of information can be found
on the internet on how MODBUS works. We are focusing on the MODBUS version that
runs over TCP. There are two distinct types of entities in MODBUS: the MODBUS server and
the MODBUS client (or MODBUS slave and master respectively). Some websites
where you can find more information on MODBUS are the following:
https://en.wikipedia.org/wiki/Modbus
http://www.modbus.org/
https://www.modbustools.com/modbus.html
Some videos on YouTube that might help you:
https://www.youtube.com/watch?v=txi2p5_OjKU
https://www.youtube.com/watch?v=JBGaInI-TG4
Most importantly, you can find a full implementation of the Modbus protocol at:
https://pypi.org/project/uModbus/
(a) Perform a small analysis of the MODBUS protocol and report the status of the protocol
in terms of security. Highlight possible security issues and describe an attack model on
the protocol. Note that the protocol was not designed to be secure.
(b) We need to provide some enhancements in order to increase the MODBUS security
status. Such enhancements must enforce in MODBUS the security principles of device
authentication, data confidentiality and data integrity. To achieve that, design and
implement in Python a simple protocol that will be able to support the above principles
by specifying the following:
i. An appropriate key agreement scheme to decide a session key between Server and
Client. The session key extraction mechanism must include the use of a salt value.
ii. The message integrity and encryption/decryption schemes that will be used in order
to secure the communication channel.
Note: You will need to specify the appropriate security mechanisms and generate
the correct keys/credentials for them.
(c) After implementing a secure MODBUS Client and Server as two autonomous Python
programs that can be executed on a single machine, two containers need to be created in
the laboratory VM. One container will refer to the secure Modbus server and the other
to the secure Modbus client.
Use the CORE network emulation in order to emulate a scenario where the Modbus
devices communicate. For example, you can create a network consisting of a single
router with two interfaces, each connected to one of the defined virtual bridges, and then
associate the containers with the bridges.
(d) Provide a Wireshark capture pcap file where the functionality of the presented protocol
is demonstrated. Describe and analyze the pcap file entries in your report to justify the
protocol's correct usage.
Notes:
(a) For all the cryptographic primitives use the pyca cryptography module for Python
(https://cryptography.io). If a cryptographic primitive is not supported by the
OpenSSL version installed on the VM, you can use an alternative primitive that achieves
the same goal.
(b) For the umodbus library you must follow the installation instructions on the website.
You will probably need internet access on the VM and/or the containers for installing
pip. Be careful to install it for Python 3.
(c) Your choices of authentication method, key exchange, and symmetric encryption
methods will affect your grade in this task. Choose algorithms that would be considered
secure.
(d) The authentication method does not rely on external services (for simplicity). No
Trusted Third Party should be needed.
(e) You can use the example code for the Modbus Server and client as a starting point.
Assume that you are performing the Modbus actions described in the provided library
client/server example.
(f) You can use configuration files for both client and server to feed any required information
for the server and client such as security parameters etc. Python provides easy to use
and powerful functions for reading and parsing files or strings. A few examples are:
i. YAML, where the content can be read directly into Python data structures.
ii. Simplified INI file, where options are specified as keyword=value, one per line, for
which you can use the split() function to separate the keyword from the value.
Similarly you can use keyword value with one option per line (space as separator, or
any other character that will not appear as part of the keywords or values).
iii. For simplicity you can use the os.urandom() function directly for random values
whenever needed in your protocol. You can also use the Python random library.
iv. You can mimic a simplified version of protocols you learn in the subject regarding
negotiation, authentication, key exchange, key derivation, and encryption used in
your protocol.
v. To start, you can use the VM as both client and server and, once you have completed the
protocol, test it in two separate containers.
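One possible shape for parts (b)i and (b)ii with the pyca cryptography module, as an added example that is not part of the assignment handout or of uModbus: an X25519 exchange, HKDF-SHA256 with a per-session salt, and AES-256-GCM over a whole Modbus/TCP frame. It assumes the peers' X25519 public keys have already been authenticated (device authentication is not shown); the function names, the `secure-modbus-demo` label and the record layout are assumptions.

```python
import os
import struct
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

def raw(pub):
    """Raw 32-byte encoding of an X25519 public key, as sent on the wire."""
    return pub.public_bytes(serialization.Encoding.Raw,
                            serialization.PublicFormat.Raw)

def session_key(own_priv, peer_pub_raw, salt, transcript):
    """X25519 shared secret -> HKDF-SHA256 with a per-session salt -> AES-256 key."""
    shared = own_priv.exchange(X25519PublicKey.from_public_bytes(peer_pub_raw))
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=salt,
                info=b"secure-modbus-demo" + transcript).derive(shared)

def read_request(tid, unit, addr, count):
    """Plain Modbus/TCP ADU: MBAP header + PDU for function 0x03 (read holding registers)."""
    pdu = struct.pack(">BHH", 0x03, addr, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def seal(key, seq, adu, direction=b"c2s"):
    """AES-256-GCM over the whole ADU; nonce = direction tag + 64-bit sequence number."""
    nonce = struct.pack(">4sQ", direction, seq)  # never repeats under one key
    return nonce + AESGCM(key).encrypt(nonce, adu, None)

def unseal(key, expected_seq, record, direction=b"c2s"):
    """Reject replayed or reordered records by nonce, then verify the tag and decrypt."""
    if record[:12] != struct.pack(">4sQ", direction, expected_seq):
        raise ValueError("unexpected direction or sequence number")
    return AESGCM(key).decrypt(record[:12], record[12:], None)

def demo():
    """Constructed exchange: both sides derive the key, the client sends one request."""
    client, server = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    c_pub, s_pub = raw(client.public_key()), raw(server.public_key())
    salt = os.urandom(16)  # chosen by one side and sent in the clear
    k_client = session_key(client, s_pub, salt, c_pub + s_pub)
    k_server = session_key(server, c_pub, salt, c_pub + s_pub)
    adu = read_request(tid=1, unit=1, addr=0, count=2)
    record = seal(k_client, 0, adu)
    return k_client, k_server, adu, record

if __name__ == "__main__":
    k_c, k_s, adu, record = demo()
    print(k_c == k_s, unseal(k_s, 0, record) == adu, len(record))
```

On older releases of the cryptography module the HKDF constructor also needs a `backend` argument.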
2. [30 Marks] Let us assume that we have the network that is provided in your individualized
Core Network Emulator configuration file (use only one of the two members' files). The
network includes a factory organization that has two structures. One of them is the actual
factory (in a physically remote location) and the other is the factory central facility. In the
remote location there is an industrial network with PLCs and Modbus sensors that are
collecting data and sending them to a SCADA Entity installed in the central factory facility.
Also, the factory has a website that is accessible to all users (in the central facility) and a
local webserver in the remote factory premises for factory personnel only (that are in the
central factory network or the remote factory premises).
(a) [15 Marks] In this task, you will try to provide a security mechanism for Modbus that
is different from the previous one. This time you need to use a VPN. Thus, you will
configure a VPN between the remote factory facility and the central factory of acme.sec.
For this you will use two containers, one for the Modbus server and one for the Modbus
client, that need to be assigned to the appropriate virtual interfaces of the CORE
emulator configuration file.
i. You need to create a site-to-site IPsec VPN using the strongSwan extension of CORE
between the two gateway nodes of the network (i.e. bast (factory) and osiris (central
facility)).
ii. The VPN gateways must use public key authentication and Fully Qualified Domain
Names (FQDN) that match the CN (Common Name) field in their certificates.
iii. Using the above presented solution, what kind of security principles (or objectives)
are achieved? Does the VPN solution solve all Modbus security problems? Justify
your answer in the report and the interview.