We have recently been engaged by a client to help them develop OT-specific Cyber Security training. The scope included a section on using Wireshark in an industrial setting, specifically their own setting, which is pretty specialist and uses ModbusTCP, DNP3, IEC60870-5-104 and OPC UA. Our remit was to provide a small test network that the delegates could connect to, run Wireshark, filter by protocol and see how each protocol works at a packet level. Because the classes were to be hosted in numerous locations across the country, we opted to use laptops running simulation servers for a SCADA client to connect to.
Servers & Clients
The first concern was the SCADA application, and we chose VTScada. Their free version is fully featured and supports all the protocols required by the client now, and the ones they will inevitably add as the training program progresses.
The ModbusTCP simulator chosen was ModRSsim2, for the sole reason that we had used this application a few times when working with another client on an R&D project and we liked the simplicity of the product.
For DNP3 and IEC60870-5-104 there was not a massive selection of simulators, and we selected the ones from FreyrSCADA; we could also have used their ModbusTCP product.
For OPC UA it was a choice between Matrikon and Kepware. We chose Kepware because we have used it on a number of previous projects and we know the product.
VMware Testing
Because this will be a simulation network that delegates can interact with, and there is nothing like playing with things to break them, we chose to create a pair of virtual machines, one for the SCADA client and one for the protocol server, and to use the snapshot feature to reset the environment for each course.
Configuration
The videos run through the configuration of the servers and the VTScada product. They have no sound and are just there as a simple guide to get started with one or two tags. It must be stressed that NO security was configured as part of this exercise: this is not a production environment, and we are only using it for Wireshark packet capture purposes.
It is assumed that the VTScada instance has an IP address of 192.168.1.80, and that the protocol server has an IP address of 192.168.1.55 and a machine name of W10ENT-DEVELOPMENT. When configuring the OPC UA client, ensure the endpoint URL set in the Connection tab matches the URL in the certificate issued by the server, or you will get an error in the Server Certificate tab and will not establish a connection.
ModbusTCP
On the protocol server, start the application; it will automatically start listening on port 502.
On the VTScada client configure the Port, the Driver and the Tag:
DNP3
On the FreyrSCADA protocol server start the application and configure the Server and Objects:
On the VTScada client configure the Port, the Driver and the Tag:
IEC60870-5-104
On the FreyrSCADA protocol server start the application and configure the Server and Objects:
On the VTScada client configure the Port, the Driver and the Tag:
OPC UA
On the Kepware KEPServer protocol server start the application and configure the firewall and the server settings:
On the VTScada client configure the Driver and the Tag:
Now you are ready for packet capture of these protocols and can start to experiment with security settings. The added bonus is that, should our client ask for additional protocols, it is likely that VTScada can service them. We also expect the client to provide physical hardware from their inventory for demonstration purposes, and we now have a stable environment in which to introduce that hardware and develop further training.
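To show delegates what sits behind Wireshark's decode of the ModbusTCP traffic on port 502, here is an added example (not part of the original lab material) that parses the MBAP header and PDU of one TCP payload; note that the frame carries no authentication or integrity field. The function name and the sample payloads are assumptions constructed for illustration, not bytes captured from the lab.

```python
import struct

READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register"}

def parse_modbus_tcp(payload: bytes, is_request: bool) -> dict:
    """Decode one Modbus TCP ADU (MBAP header + PDU) from a TCP payload.

    is_request: True when the segment's destination port is 502.
    """
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # The length field counts the unit identifier and the PDU after it.
    if length < 2 or len(payload) < 6 + length:
        raise ValueError("length field disagrees with captured bytes")
    pdu = payload[7:6 + length]
    code = pdu[0] & 0x7F
    out = {"transaction_id": tid, "unit_id": unit, "function_code": code,
           "function": {**READ_FUNCS, **WRITE_FUNCS}.get(code, "unknown"),
           "exception": bool(pdu[0] & 0x80)}
    if out["exception"]:
        # Exception responses set the top bit and carry a one-byte code.
        out["exception_code"] = pdu[1] if len(pdu) > 1 else None
    elif code in WRITE_FUNCS or (code in READ_FUNCS and is_request):
        if len(pdu) != 5:
            raise ValueError("expected address and 16-bit value/quantity")
        key = "quantity" if code in READ_FUNCS else "value"
        out["address"], out[key] = struct.unpack(">HH", pdu[1:5])
    elif code in (3, 4):
        # Register read response: byte count, then big-endian 16-bit words.
        if len(pdu) < 2 or pdu[1] % 2 or len(pdu) != 2 + pdu[1]:
            raise ValueError("bad register byte count")
        out["registers"] = list(struct.unpack(f">{pdu[1] // 2}H", pdu[2:]))
    return out

# Constructed sample payloads: a client poll of two holding registers,
# the simulator's reply, and an exception response.
REQUEST = bytes.fromhex("000100000006010300000002")
RESPONSE = bytes.fromhex("000100000007010304000a0014")
EXCEPTION = bytes.fromhex("000200000003018302")

if __name__ == "__main__":
    for raw, req in ((REQUEST, True), (RESPONSE, False), (EXCEPTION, False)):
        print(parse_modbus_tcp(raw, req))
```

The direction flag is needed because a read request and some read responses have the same PDU length; in a capture it comes from which side of the conversation uses port 502.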