Abstract
Supervisory control and data acquisition (SCADA) systems were designed to be open, robust, and easy to operate and repair, but not necessarily secure. In recent years, there have been multiple successful attacks targeting SCADA systems. Most of them have been caused by deploying malware on a supervisory computer in order to control and manage programmable logic controllers (PLCs) and remote terminal units (RTUs). This work investigates a different potential way to control PLCs or RTUs in a plant which consists in inflitrating over-the-air (OTA) links based on SCADA wireless modems. Indeed, PLCs and RTUs are often linked to a supervisory computer wirelessly using outdated radios, with low security at the physical-layer level. An example of such a radio is the CalAmp Guardian-400 wireless modem. A blackbox reverse engineering of the physical layer of the latter is performed, which leads to complete signal demodulation and decoding. Our results demonstrate that any electronic equipment connected serially to the radio is vulnerable to wireless packet injection.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Roark, R.C., Van Wie, D.G.: Feasibility Study of a New Air Interface and Physical Layer Packet Definition for the ALERT User Community (2003)
Boyes, W.: Instrumentation Reference Book, 4th edn, p. 27. Butterworth-Heinemann (2011). ISBN 978-0-7506-8308-1
Siggins, M.: 14 Major SCADA Attacks and What You Can Learn From Them. DPS Telecom. Accessed 26 Apr 2021
Reverse-Engineering Wireless SCADA Systems. https://shmoo.gitbook.io/2016-shmoocon-proceedings/build_it/10_reverse-engineering-wireless-scada-systems. Accessed 14 Dec 2020
FCC Id NP42424016-001 - CalAmp Wireless Networks Corporation T-96SR Telemetry Transceiver/Modem. https://fccid.io/NP42424016-001. Accessed 16 July 2022
Blossom, E.: GNU radio: tools for exploring the radio frequency spectrum. Linux J. (2004)
Attacks targeting industrial control systems is up 110 percent. https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/. Accessed 29 Aug 2022
Global Cyber Megatrends. https://www.raytheon.com/sites/default/files/2018-02/2018_Global_Cyber_Megatrends.pdf. Accessed 29 Aug 2022
ADALM-PLUTO Software-Defined Radio Active Learning Module. https://www.analog.com/en/design-center/evaluation-hardware-and-software/evaluation-boards-kits/adalm-pluto.html. Accessed 23 Nov 2022
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Larouche, JB., Roy, S., Mailhot, F., Tardif, PM., Frappier, M. (2023). SCADA Radio Blackbox Reverse Engineering. In: Jourdan, GV., Mounier, L., Adams, C., Sèdes, F., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2022. Lecture Notes in Computer Science, vol 13877. Springer, Cham. https://doi.org/10.1007/978-3-031-30122-3_18
Download citation
DOI: https://doi.org/10.1007/978-3-031-30122-3_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30121-6
Online ISBN: 978-3-031-30122-3
eBook Packages: Computer ScienceComputer Science (R0)