OT Protocol Analysis Report: Modbus, OPC DA & S7

Protocol Analysis Report: Modbus, OPC DA, and S7 Communication

1. Introduction

This report analyzes three common industrial communication protocols, Modbus, OPC DA and the Siemens S7 protocol (S7comm), from Wireshark PCAP data. It covers the protocol headers, the payload structures, and the features that matter when inspecting this traffic for troubleshooting or for detecting misuse.


2. Modbus Protocol Analysis

2.1 Overview

Modbus is a client/server (historically master/slave) application protocol widely used in SCADA and ICS networks. It was designed for serial links (Modbus RTU/ASCII) and is carried over TCP as Modbus/TCP, normally on port 502. The protocol has no authentication and no encryption: any host that can reach a device on port 502 can issue read and write function codes, so the traffic is worth baselining closely.

2.2 Key Modbus Header Fields (Modbus/TCP)

A Modbus/TCP frame is a 7-byte MBAP header followed by the Modbus PDU (function code plus data):

  • Transaction ID (2 bytes): Chosen by the client and echoed by the server to match responses to requests.

  • Protocol ID (2 bytes): Always 0x0000 for Modbus; anything else on port 502 is malformed or not Modbus.

  • Length (2 bytes): Number of bytes that follow this field, i.e. Unit ID plus the PDU.

  • Unit ID (1 byte): Identifies the target device, mainly the serial slave address when a gateway bridges to Modbus RTU.

  • Function Code (1 byte): First byte of the PDU; defines the operation (e.g., read, write).

2.3 Common Function Codes

Function Code   Operation
0x01            Read Coils
0x02            Read Discrete Inputs
0x03            Read Holding Registers
0x04            Read Input Registers
0x05            Write Single Coil
0x06            Write Single Register
0x0F            Write Multiple Coils
0x10            Write Multiple Registers

2.4 Payload Analysis

  • Request Payload: Function code followed by its data (e.g., start address and quantity for reads; address and value(s) for writes).

  • Response Payload: Function code followed by the requested data (byte count plus register or coil values for reads; the echoed address and value/quantity for writes).

  • Exception Response: The function code with its high bit set (function code OR 0x80) followed by a single exception code byte, e.g. 0x02 Illegal Data Address. A burst of exceptions from one client is a common sign of address scanning.

2.5 Sample Wireshark Capture

Example packet from a Modbus Read Holding Registers (0x03) request:

Transaction ID: 0x0001
Protocol ID: 0x0000
Length: 0x0006 (Unit ID + 5-byte PDU)
Unit ID: 0x01
Function Code: 0x03 (Read Holding Registers)
Start Address: 0x0000
Register Count: 0x0002
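The frame above, rebuilt and decoded in code. This is an added example written for this page, not code from the original report or from any Modbus library: it uses only Python's standard library, and the response, exception and write frames are constructed here to pair with the request in the capture.

```python
import struct

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}
EXCEPTION_CODES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}


def build_read_holding_registers(transaction_id, unit_id, start_address, count):
    """Build a Read Holding Registers (0x03) request ADU.
    The MBAP Length counts every byte after the Length field: Unit ID (1) + PDU (5) = 6."""
    pdu = struct.pack(">BHH", 0x03, start_address, count)
    mbap = struct.pack(">HHHB", transaction_id, 0x0000, 1 + len(pdu), unit_id)
    return mbap + pdu


def parse_modbus_tcp(adu, request):
    """Decode one Modbus/TCP ADU (MBAP header + PDU) into a dict.

    request=True for client->server traffic (TCP dst port 502), False for the reply.
    The direction cannot be recovered from the bytes alone: a read request and a short
    read response can be the same length. Malformed frames raise ValueError."""
    if len(adu) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0x0000:
        raise ValueError("Protocol ID %#06x is not Modbus" % protocol_id)
    if length != len(adu) - 6:
        raise ValueError("Length field says %d but %d bytes follow it" % (length, len(adu) - 6))
    func, data = adu[7], adu[8:]
    fc = func & 0x7F
    msg = {"transaction_id": transaction_id, "unit_id": unit_id, "function_code": fc,
           "function": FUNCTION_NAMES.get(fc, "Unknown"), "is_write": fc in WRITE_FUNCTIONS,
           "exception": None}
    try:
        if func & 0x80:
            # Exception response: original function code with bit 7 set, then one code byte.
            if request or len(data) != 1:
                raise ValueError("malformed exception response")
            msg["exception"] = EXCEPTION_CODES.get(data[0], "exception code %d" % data[0])
        elif fc in (0x01, 0x02, 0x03, 0x04):
            if request:
                msg["start_address"], msg["count"] = struct.unpack(">HH", data)
            else:
                byte_count = data[0]
                if byte_count != len(data) - 1:
                    raise ValueError("byte count does not match payload length")
                if fc in (0x03, 0x04):
                    msg["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), data[1:]))
                else:
                    msg["bits"] = [(b >> i) & 1 for b in data[1:] for i in range(8)]
        elif fc in (0x05, 0x06):
            # Request and normal response carry the same address + value pair.
            msg["address"], msg["value"] = struct.unpack(">HH", data)
        elif fc in (0x0F, 0x10):
            msg["start_address"], msg["count"] = struct.unpack(">HH", data[:4])
            if request:
                msg["payload"] = data[5:]      # byte count at data[4], then the values written
        else:
            msg["raw"] = data
    except struct.error as exc:
        raise ValueError("truncated PDU for function 0x%02x" % fc) from exc
    return msg


# Constructed sample frames: the request from the capture above plus a matching response,
# an exception reply, and a Write Single Register request.
SAMPLE_REQUEST = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 02")
SAMPLE_RESPONSE = bytes.fromhex("00 01 00 00 00 07 01 03 04 00 7d 00 00")
SAMPLE_EXCEPTION = bytes.fromhex("00 01 00 00 00 03 01 83 02")
SAMPLE_WRITE = bytes.fromhex("00 02 00 00 00 06 01 06 00 0a 12 34")

if __name__ == "__main__":
    assert build_read_holding_registers(1, 1, 0, 2) == SAMPLE_REQUEST
    for frame, is_req in ((SAMPLE_REQUEST, True), (SAMPLE_RESPONSE, False),
                          (SAMPLE_EXCEPTION, False), (SAMPLE_WRITE, True)):
        print(parse_modbus_tcp(frame, is_req))
```

The `is_write` flag is the hook for detection: in most plants only a handful of HMI or historian hosts should ever send function codes 0x05, 0x06, 0x0F or 0x10, so writes from any other source address are worth an alert.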

3. OPC DA (OLE for Process Control - Data Access) Analysis

3.1 Overview

OPC DA is a Microsoft COM/DCOM-based specification for real-time data exchange: an OPC server exposes PLC and device data (usually through a vendor driver) to HMI and SCADA clients as tagged items with a value, quality and timestamp.

3.2 Key OPC DA Communication Features

  • Uses DCOM (COM over DCE/RPC), so Wireshark shows DCERPC and DCOM layers rather than an OPC-specific dissector; the OPC method arguments are NDR-marshalled stub data.

  • TCP port 135 carries only the RPC endpoint mapper and the DCOM activation/OXID resolution calls. The actual OPC object calls go over dynamically assigned TCP ports, so a capture filtered to port 135 misses the data exchange.

  • Relies on CLSIDs (Class Identifiers) and ProgIDs to locate OPC servers; the OPCEnum service lets clients enumerate the servers registered on a host.

  • Whether the RPC payload is signed or encrypted depends on the configured DCOM authentication level. Many deployments lower it to get OPC DA working across hosts, in which case item IDs and values are readable in the clear; with packet privacy the stub data must be decrypted before deep analysis.

3.3 OPC DA Header Fields

The fields below are DCE/RPC fields; OPC DA itself has no header of its own.

  • Interface UUID: Sent in the bind PDU and identifies the OPC interface (IOPCServer, IOPCSyncIO, etc.); later requests refer to it by context ID.

  • Opnum: Index of the method in the interface's vtable (0-2 are IUnknown), so its meaning depends on the interface bound.

  • Object References: The IPID/OBJREF that names the OPC server object, group or item the call targets.

  • Timestamps & Data Quality: Returned with each item value in the stub data, not in the header; quality is a 16-bit word (0xC0 Good, 0x40 Uncertain, 0x00 Bad).

3.4 Sample Wireshark Capture

Example OPC DA Read Item Value request:

UUID: 9dd0b56c-ad9e-43ee-8305-487f3188bf7a (OPC Data Access Server)
Opnum: 6 (Read)
Item ID: \Server\Tag1
Quality: Good (0xC0)
Timestamp: 2024-03-27T14:23:55.000Z
Value: 125.5
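Because Wireshark has no OPC DA dissector, a practitioner usually has to pull the interface UUID from the bind, the opnum from each request, and the quality word from the returned values. The following decoder is an added example written for this page, not code from the original report or from any OPC library. It assumes little-endian NDR as Windows sends it; the bind and request PDUs are constructed here for IOPCSyncIO (UUID 39c13a52-011e-11d0-9675-0020afd8adb3, whose vtable continues after IUnknown with Read = 3 and Write = 4), a different interface from the one in the capture above, and the stub bytes are placeholders.

```python
import struct
import uuid

PTYPE_NAMES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack"}
PFC_OBJECT_UUID = 0x80

# Interface UUIDs from opcda.idl; extend as needed (only these three are assumed here).
INTERFACES = {
    "39c13a4d-011e-11d0-9675-0020afd8adb3": "IOPCServer",
    "39c13a52-011e-11d0-9675-0020afd8adb3": "IOPCSyncIO",
    "39c13a54-011e-11d0-9675-0020afd8adb3": "IOPCItemMgt",
}
OPNUMS = {"IOPCSyncIO": {3: "Read", 4: "Write"}}      # opnums 0-2 are IUnknown

QUALITY = {0x00: "Bad", 0x40: "Uncertain", 0xC0: "Good"}
BAD_SUBSTATUS = {0: "Non-specific", 1: "Configuration Error", 2: "Not Connected",
                 3: "Device Failure", 4: "Sensor Failure", 5: "Last Known Value",
                 6: "Communication Failure", 7: "Out of Service"}
LIMIT = {0: "Not Limited", 1: "Low Limited", 2: "High Limited", 3: "Constant"}


def _header(pdu):
    """Common 16-byte connection-oriented DCE/RPC header; returns endianness and key fields."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC v5 PDU")
    ptype, flags = pdu[2], pdu[3]
    e = "<" if pdu[4] & 0x10 else ">"           # data representation: bit 4 set = little-endian
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise ValueError("fragment length %d != %d bytes captured" % (frag_len, len(pdu)))
    return e, ptype, flags, frag_len, auth_len, call_id


def _uuid(e, raw):
    return str(uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw))


def parse_bind(pdu):
    """Return {context_id: interface UUID} from a bind PDU (ptype 11)."""
    e, ptype, _, _, _, _ = _header(pdu)
    if ptype != 11 or len(pdu) < 28:
        raise ValueError("not a bind PDU")
    n_ctx = pdu[24]                             # after max_xmit(2), max_recv(2), assoc_group(4)
    off, contexts = 28, {}
    for _ in range(n_ctx):
        ctx_id, n_transfer = struct.unpack(e + "HB", pdu[off:off + 3])
        contexts[ctx_id] = _uuid(e, pdu[off + 4:off + 20])   # abstract syntax UUID
        off += 24 + 20 * n_transfer             # element (24) + each transfer syntax (20)
    return contexts


def parse_request(pdu, contexts):
    """Decode a request PDU (ptype 0): which interface/method is called and its NDR stub."""
    e, ptype, flags, frag_len, auth_len, call_id = _header(pdu)
    if ptype != 0:
        raise ValueError("expected request, got %s" % PTYPE_NAMES.get(ptype, ptype))
    _alloc_hint, ctx_id, opnum = struct.unpack(e + "IHH", pdu[16:24])
    off, obj = 24, None
    if flags & PFC_OBJECT_UUID:                 # optional 16-byte object UUID follows
        obj, off = _uuid(e, pdu[24:40]), 40
    # With authentication, an 8-byte sec_trailer plus auth_len bytes sit at the end.
    stub_end = frag_len - (8 + auth_len if auth_len else 0)
    iface_uuid = contexts.get(ctx_id)
    iface = INTERFACES.get(iface_uuid, iface_uuid)
    return {"call_id": call_id, "context_id": ctx_id, "opnum": opnum, "interface": iface,
            "method": OPNUMS.get(iface, {}).get(opnum, "opnum %d" % opnum),
            "object_uuid": obj, "stub": pdu[off:stub_end]}


def decode_quality(word):
    """Split the 16-bit OPC quality word: bits 7-6 quality, 5-2 substatus, 1-0 limit, high byte vendor."""
    q, sub = word & 0xC0, (word >> 2) & 0x0F
    return {"quality": QUALITY.get(q, "Reserved"),
            "substatus": BAD_SUBSTATUS.get(sub, sub) if q == 0x00 else sub,
            "limit": LIMIT[word & 0x03], "vendor": word >> 8}


def _pdu(ptype, flags, body, call_id=1):
    """Constructed helper: little-endian DCE/RPC v5 header in front of body."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body


NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# Constructed sample: bind context 0 to IOPCSyncIO, then IOPCSyncIO::Read (opnum 3) on it.
SAMPLE_BIND = _pdu(11, 0x03, struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0)
                   + struct.pack("<HBB", 0, 1, 0)
                   + uuid.UUID("39c13a52-011e-11d0-9675-0020afd8adb3").bytes_le + struct.pack("<I", 0)
                   + NDR_SYNTAX.bytes_le + struct.pack("<I", 2))
SAMPLE_READ = _pdu(0, 0x03, struct.pack("<IHH", 8, 0, 3) + b"\x01\x00\x00\x00\x00\x00\x00\x00")
```

In a real capture the bind and the data calls travel on the dynamically assigned port, so the context table built from the bind must be kept per TCP connection. The quality decoder is useful beyond the "Good" case: a run of Bad values with substatus Sensor Failure or Communication Failure from one server is often the first visible symptom of a device or network problem.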

4. Siemens S7 Protocol Analysis

4.1 Overview

The S7 protocol (S7comm) is used between Siemens PLCs and SCADA/HMI/engineering systems. It runs over ISO-on-TCP (TPKT + COTP, RFC 1006) on TCP port 102. The classic variant used by S7-300/400 has no authentication: any host that can reach port 102 can read and write memory or issue PLC Control/PLC Stop jobs unless the PLC's protection level blocks them.

4.2 Key S7 Header Fields

  • Protocol ID (1 byte): Always 0x32; this is the first byte after the COTP header.

  • ROSCTR (Remote Operating Service Control, 1 byte): The message type:

    • 1 (Job): request from the client

    • 2 (Ack): acknowledgement without data

    • 3 (Ack-Data): response carrying data

    • 7 (Userdata): diagnostics, SZL reads, time, block info, etc.

  • Redundancy ID (2 bytes): Reserved, normally 0x0000.

  • PDU Reference (2 bytes): Chosen by the client and echoed in the response to pair requests with responses.

  • Parameter Length and Data Length (2 bytes each): Sizes of the two blocks that follow the header.

  • Error Class and Error Code (1 byte each): Present only in Ack and Ack-Data headers; 0x00/0x00 means success.

  • Parameter: Function code and its arguments, e.g. the item specifications of a read/write operation.

  • Data: The values read from or written to the PLC, each preceded by a return code and transport size.

4.3 Common S7 Operations (parameter function codes)

Function Code   Operation Type
0x04            Read Var
0x05            Write Var
0x1A-0x1F       Request/Download/End download, Start/Upload/End upload (block transfer)
0x28            PLC Control (start, copy RAM to ROM, ...)
0x29            PLC Stop
0xF0            Setup Communication (PDU size and parallel job negotiation)

4.4 Sample Wireshark Capture

Example packet for an S7 Read Var request (after the TPKT and COTP Data headers):

Protocol ID: 0x32
ROSCTR: 0x01 (Job)
PDU Reference: 0x1234
Function Code: 0x04 (Read Var)
Item Count: 1
Syntax ID: 0x10 (S7ANY)
Transport Size: 0x02 (BYTE)
Length: 4 bytes
DB Number: 1
Area: 0x84 (Data Block)
Start Address: 10 (encoded as bit address 0x000050, i.e. byte 10, bit 0)
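The same job built and decoded in code, together with the response that answers it and a PLC Stop job. This is an added example written for this page, not code from the original report or from any S7 library (it is not Snap7 or python-snap7): it uses only Python's standard library, the Ack-Data and PLC Stop frames are constructed here, and the `is_control` flag is this example's own convention for jobs that alter PLC state or logic.

```python
import struct

ROSCTR = {1: "Job", 2: "Ack", 3: "Ack-Data", 7: "Userdata"}
FUNCTIONS = {0x04: "Read Var", 0x05: "Write Var", 0x1A: "Request Download",
             0x1B: "Download Block", 0x1C: "Download Ended", 0x1D: "Start Upload",
             0x1E: "Upload", 0x1F: "End Upload", 0x28: "PLC Control",
             0x29: "PLC Stop", 0xF0: "Setup Communication"}
# Jobs that change PLC state or logic (example's own grouping for detection).
CONTROL_FUNCTIONS = {0x05, 0x1A, 0x1B, 0x1C, 0x28, 0x29}
AREAS = {0x80: "Peripheral I/O", 0x81: "Inputs", 0x82: "Outputs", 0x83: "Flags (M)",
         0x84: "Data Block", 0x1C: "S7 Counters", 0x1D: "S7 Timers"}
TRANSPORT = {1: "BIT", 2: "BYTE", 3: "CHAR", 4: "WORD", 5: "INT", 6: "DWORD", 7: "DINT", 8: "REAL"}
RETURN_CODES = {0xFF: "Success", 0x03: "Access not allowed", 0x05: "Invalid address",
                0x07: "Data type inconsistent", 0x0A: "Object does not exist"}


def _wrap(s7):
    """Prepend the ISO-on-TCP transport: TPKT (RFC 1006) + COTP Data TPDU."""
    cotp = b"\x02\xf0\x80"
    return struct.pack(">BBH", 3, 0, 4 + len(cotp) + len(s7)) + cotp + s7


def build_read_var(pdu_ref, db_number, byte_offset, length):
    """Job (ROSCTR 1) Read Var (0x04) with one S7ANY item for DBx.DBB[byte_offset .. +length)."""
    item = struct.pack(">BBBBHHB", 0x12, 0x0A, 0x10, 0x02, length, db_number, 0x84)
    item += (byte_offset << 3).to_bytes(3, "big")         # address field is in bits
    param = struct.pack(">BB", 0x04, 1) + item
    header = struct.pack(">BBHHHH", 0x32, 1, 0x0000, pdu_ref, len(param), 0)
    return _wrap(header + param)


def parse_s7(frame):
    """Strip TPKT/COTP and decode the S7comm header, function and Read/Write Var items."""
    if len(frame) < 7 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length does not match bytes captured")
    if frame[5] != 0xF0:
        raise ValueError("COTP TPDU 0x%02x is not Data; connection setup carries no S7comm" % frame[5])
    s7 = frame[5 + frame[4]:]                              # COTP length byte excludes itself
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("no S7comm header")
    rosctr, _red, pdu_ref, param_len, data_len = struct.unpack(">BHHHH", s7[1:10])
    hdr_len = 12 if rosctr in (2, 3) else 10               # Ack/Ack-Data append error class + code
    msg = {"rosctr": ROSCTR.get(rosctr, rosctr), "pdu_ref": pdu_ref, "is_control": False}
    if hdr_len == 12:
        msg["error_class"], msg["error_code"] = s7[10], s7[11]
    param = s7[hdr_len:hdr_len + param_len]
    data = s7[hdr_len + param_len:hdr_len + param_len + data_len]
    if rosctr not in (1, 3) or not param:
        return msg
    func = param[0]
    msg.update(function_code=func, function=FUNCTIONS.get(func, "0x%02x" % func),
               is_control=(rosctr == 1 and func in CONTROL_FUNCTIONS))
    if func in (0x04, 0x05) and rosctr == 1:
        msg["items"], off = [], 2
        for _ in range(param[1]):                          # item count
            _spec, spec_len, _syntax, tsize, length, db, area = struct.unpack(">BBBBHHB", param[off:off + 9])
            addr = int.from_bytes(param[off + 9:off + 12], "big")
            msg["items"].append({"area": AREAS.get(area, area), "db": db, "byte": addr >> 3,
                                 "bit": addr & 7, "length": length, "transport": TRANSPORT.get(tsize, tsize)})
            off += 2 + spec_len
        if func == 0x05:
            msg["write_data"] = data
    elif func == 0x04 and rosctr == 3:
        msg["items"], off = [], 0
        for _ in range(param[1]):
            rc, tsize, length = struct.unpack(">BBH", data[off:off + 4])
            nbytes = (length + 7) // 8 if tsize in (3, 4, 5) else length   # these sizes count bits
            msg["items"].append({"return_code": RETURN_CODES.get(rc, "0x%02x" % rc),
                                 "value": data[off + 4:off + 4 + nbytes]})
            off += 4 + nbytes + (nbytes & 1)               # items are padded to an even length
    return msg


# Constructed samples: the Read Var job from the capture above, a successful Ack-Data returning
# the four bytes 00 00 00 7d, and a PLC Stop job ("P_PROGRAM") as any host reaching TCP/102 could send.
SAMPLE_READ_JOB = build_read_var(0x1234, 1, 10, 4)
SAMPLE_READ_ACK = _wrap(bytes.fromhex("32 03 0000 1234 0002 0008 0000") + bytes.fromhex("04 01")
                        + bytes.fromhex("ff 04 0020 0000007d"))
SAMPLE_STOP_JOB = _wrap(bytes.fromhex("32 01 0000 0001 0010 0000")
                        + bytes.fromhex("29 0000000000 09") + b"P_PROGRAM")
```

A detection rule built on this decoder would alert on any Job with `is_control` set whose source is not an engineering workstation, and on Read/Write items that address a DB outside the set the HMI is known to use.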

5. Conclusion

This analysis provides key insights into Modbus, OPC DA and S7 traffic patterns. Understanding their headers and payload structures allows for:

  • Efficient troubleshooting of industrial network issues.

  • Intrusion detection and anomaly identification in ICS networks.

  • Better cybersecurity defense against protocol-specific attacks.

For further investigations, advanced packet filtering, deep packet inspection (DPI), and IDS rules should be implemented to detect unauthorized or malicious activity in OT environments.


Appendices

  • Wireshark Display Filters:

    • modbus or mbtcp (Modbus/TCP traffic; modbus.func_code == 6 isolates a function code, e.g. Write Single Register)

    • tcp.port==135 || dcerpc (OPC DA traffic; port 135 alone shows only endpoint mapper and DCOM activation, the OPC calls run on dynamic ports and appear as dcerpc/dcom)

    • s7comm (Siemens S7 traffic; s7comm.header.rosctr == 1 shows only Jobs)
