Let's take a look at the types and features of representative PLC protocols

-

OT protocol used in OT sites (Automotive industry/Food and beverage/Water treatment etc.) where PLCs are the main focus

Common PLC Protocols and Their Characteristics

ProtocolTCP/UDPRemarkEncryptionMajor PLC
Modbus TCP/IPTCP 502Function Codes (e.g., 01=Read Coils, 03=Read Holding Registers). Simple master-slave communication.NoSchneider, Siemens, Rockwell, ABB

Modbus RTUSerial (RS-232/485)Uses CRC error checking, compact binary message format.
No
Schneider, Siemens, ABB

PROFINETTCP 34962-34964 / UDP 34962Real-Time (RT) & Isochronous Real-Time (IRT) for fast deterministic communication.
No
Siemens, Phoenix Contact, ABB
Profibus DP/PASerial (RS-485, MBP)DP: High-speed automation. PA: Field devices in hazardous areas.NoSiemens, ABB, Phoenix Contact
EtherNet/IPTCP 44818 / UDP 2222Common Industrial Protocol (CIP) for cyclic, real-time messaging.No (TLS optional)Rockwell (Allen-Bradley), Schneider, Omron
S7 Protocol (Siemens S7Comm, S7Comm+)TCP 102Used in Siemens PLCs for control, diagnostics, and data exchange.S7Comm (unencrypted),  S7Comm+ (encrypted)Siemens

OPC UA (Unified Architecture)TCP 4840Secure data modeling with XML/JSON/Binary encoding. Supports authentication.Encrypted (TLS, certificates)Siemens, Rockwell, Schneider, ABB

CC-Link IETCP 1969Real-time industrial Ethernet with high-speed communication.NoMitsubishi Electric, Omron

DNP3 (Distributed Network Protocol 3.0)TCP 20000 / UDP 20000Used in SCADA & remote automation. Secure authentication available.Encrypted (if using Secure DNP3)Schneider, GE, ABB

HART (Highway Addressable Remote Transducer)Serial (Bell 202) / TCPFSK (Frequency Shift Keying) over 4-20mA analog signal. Digital communication overlay.NoEmerson, Siemens, ABB

BACnet/IPUDP 47808Used in building automation. Supports object-oriented messaging.Encrypted (if using BACnet/SC)Siemens, Schneider, Honeywell

MQTT (Message Queuing Telemetry Transport)TCP 1883 / TCP 8883 (SSL)Lightweight, publish-subscribe messaging for IIoT.Encrypted (if using TLS/SSL)Siemens, Rockwell, Schneider, ABB
CANopenSerial (CAN bus)Broadcast-based protocol for real-time automation.NoBosch, Phoenix Contact, ABB
DeviceNetCAN-based (No TCP/UDP)CIP-based fieldbus for industrial automation.NoRockwell, Omron, Schneider

MELSEC (Mitsubishi Electric)TCP 5006 / UDP 5006Used for Mitsubishi PLC-to-PLC and HMI communication.NoMitsubishi Electric

Powerlink (Ethernet POWERLINK)UDP 2233Real-time Ethernet protocol with precise synchronization.NoB&R, ABB

EtherCAT (Ethernet for Control Automation Technology)UDP 34980High-speed, deterministic communication.NoBeckhoff, Siemens, Omron
GE SRTP (Service Request Transfer Protocol)TCP 18245Proprietary GE protocol for PLC-to-PLC communication.NoGE (General Electric)

IEC 60870-5-104TCP 2404Used in power grid control. Supports cyclic and spontaneous transmission.Optional encryption (TLS support)Siemens, ABB, Schneider

IEC 61850 MMS (Manufacturing Message Specification)TCP 102Used in substation automation. Object-oriented communication model.Encrypted (TLS support)Siemens, ABB, GE

Recap

  • Modbus TCP, PROFINET, EtherNet/IP, and OPC UA are the most widely used PLC protocols.
  • Most traditional PLC protocols lack encryption, posing cybersecurity risks.
  • EtherCAT and Powerlink provide high-speed real-time automation but lack encryption.
  • OPC UA, Secure DNP3, MQTT (TLS), and IEC 61850 offer encryption for secure communication.
  • S7Comm+ and BACnet/SC have added encryption support for industrial security.


#CPS #OT #XIoT #IoT #IIoT #IoMT #CPSSecurity #OTSecurity #IoTSecurity #CPS보안 #OT보안 #IoT보안

Comments

Post a Comment

Popular posts from this blog

Don't confuse DCS, PLC and SCADA in front of OT specialists

-
Image
DCS, PLC and SCADA are not the same. If you keep talking only about PLC security in front of the Oil&Gas industry executives where DCS is the main focus, they will not recognize you as a proper expert. We need to understand the characteristics of OT systems such as DCS, PLC, and SCADA accurately, also respect each OT culture uniquely and finally approach the sites in the right way. Don't be confused, here’s a clear and accurate explanation of DCS, PLC, and SCADA . 1. Distributed Control System (DCS) Concept A DCS (Distributed Control System) is an automated control system used for large-scale industrial processes that require continuous operation and high reliability. It consists of multiple controllers distributed throughout the system, which communicate with each other to manage complex processes. Key Features Used in large-scale, continuous processes (e.g., oil refineries, power plants). Decentralized control architecture with multiple controllers working together. Pr...
Read more

Top 20 Threat Scenarios & Playbooks for OT Security

-
Image
A comprehensive list of 20 threat scenarios in OT security along with detailed descriptions and detection rules that can help identify and respond to these threats. This playbook-style table covers different types of attacks—from unauthorized access to insider abuse—with corresponding rules and indicators to alert security teams. # Threat Scenario Detailed Description Detection Rules & Indicators 1 Unauthorized Remote Access Attempt An attacker uses stolen or weak credentials to access OT networks remotely. - Log Analysis: Monitor VPN/RDP logs for unusual login times, geolocation mismatches, and failed/successful login bursts. - User Behavior Analytics (UBA): Alert on deviations from normal remote access patterns. - Anomaly Detection: Trigger an alert when a remote session is initiated from an unusual IP or geographic region. 2 Malware/Ransomware Infiltration in OT Network Malicious code is introduced into the OT network via compromised endpoints or phishing, potentially encr...
Read more

Let's create our own ICS Labs in the VMs!

-
Image
Let's create our own ICS Labs in the VMs: A Step-by-Step Guide Building an Industrial Control System (ICS) lab in a virtualized environment allows security researchers, engineers, and penetration testers to safely simulate industrial networks, study threats, and test security defenses. Below is a detailed step-by-step guide to creating an ICS lab , including HMI, EWS, PLC, and other critical components. 1. Lab Architecture Overview Key Components in an ICS Lab: HMI: Graphical interface for controlling industrial processes. Engineering Workstation (EWS): Used to configure PLCs and SCADA systems. PLC: Controls physical processes (e.g., motors, valves). SCADA System: Supervisory control and monitoring of ICS networks. Historian: Logs and stores process data for analysis. Networking Components: Virtualized switches, routers, and firewalls to segment ICS networks. Attacker Machine: Kali Linux or Metasploit for penetration testing. 2. Choosing the Virtualization ...
Read more