What are protocol gateways?
Protocol gateways, also known as protocol translators, are small, nondescript devices that mainly function as translators between different protocols and physical layers (for example, Transmission Control Protocol (TCP) and serial lines). This allows the machinery, sensors, actuators, and computers that operate industrial facilities such as factories, dams, power plants, and water processing facilities to communicate with one another.
In an industrial facility, several devices function together in one seamless process. To do this, they must effectively communicate or transmit information to one another. In an ideal scenario, all these devices use the same protocol. However, such a homogeneous setup is not always possible given the variety of devices a facility may need and the different manufacturers that provide them.
The process of building industrial-internet-of-things (IIoT) environments and adapting to Industry 4.0 presents protocol challenges because it merges operational technology (OT) and information technology (IT): traditional OT networks are connected to IT networks. These two networks do not use the same protocols, with OT communicating over serial cables and IT communicating over Ethernet, Wi-Fi, and mobile networks.
Protocol gateways help bridge the disparity in protocols in both scenarios. The diagram in Figure 1 shows the typical position of a protocol gateway.
Figure 1. The typical position of a protocol gateway, at the bottom of the control network
Protocol gateways work at the very edge of the control network, just before the process network, which starts with the programmable logic controllers (PLCs). PLCs, as their name suggests, help control complex industrial processes and are connected to the other devices, such as sensors, switches, and motors, that make up the process network. These devices collect data, such as temperature readings and the RPM of a motor, which they need to send to a human-machine interface (HMI) through the PLC. In turn, engineers can also send instructions to different machines through the HMI. Being in different networks, the HMI and the field devices use different protocols (Modbus TCP and Modbus RTU, respectively). These protocols are bridged by the protocol gateway, allowing the devices to report information to the HMI and the HMI to pass commands from engineers or operators to different machinery.
Classification of protocol gateways
Protocol gateways are small, router-sized devices, with prices that range from US$300 for basic models to US$1,200 for more advanced ones. Most well-known vendors of industrial equipment also manufacture protocol gateways.
Protocol gateways can be classified by the way they translate protocols and the kind of protocols and layers they can translate.
We have identified two ways different protocol gateways translate protocols:
In real time, where an incoming packet is translated immediately. These gateways translate packets on the fly, once they have been validated and parsed according to the protocol specifications.
As data stations, which take an offline translation approach. Data stations match incoming packets against a translation table that the user must configure in the gateway manually. This table, known as the I/O mapping table, works like a routing table: it indicates how inbound requests are routed to the final peer and in what form.
They can also be classified according to the type of protocols and layers they can convert. We have identified three categories under this classification:
Translates different layers within a single protocol (e.g., Modbus TCP to Modbus RTU)
Translates different protocols within a single layer (e.g., Modbus RTU to Profibus)
Translates different protocols and physical layers (e.g., Modbus TCP to Profibus)
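The first category, Modbus TCP to Modbus RTU done in real time, is small enough to show end to end. The following is an added illustration, not code from the research or from any gateway vendor: it strips the MBAP header from a Modbus TCP frame, validates the header fields before forwarding anything, applies a hypothetical read-only function-code allowlist (an assumed site policy, standing in for the filtering capabilities that differ between products), and appends the RTU CRC; the reverse function checks the CRC of the serial reply and re-wraps it for the TCP side.

```python
import struct

MODBUS_PROTOCOL_ID = 0   # MBAP protocol identifier is always 0 for Modbus
MBAP_LEN = 7             # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_RTU_ADU = 256        # largest Modbus RTU frame on the wire
# Hypothetical site policy (assumption): only read function codes may cross the gateway.
READ_ONLY_FUNCTIONS = frozenset({0x01, 0x02, 0x03, 0x04})

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def tcp_to_rtu(adu: bytes, allowed=READ_ONLY_FUNCTIONS) -> bytes:
    """Validate a Modbus TCP ADU, then re-frame its PDU as a Modbus RTU ADU."""
    # Anything that does not parse cleanly is rejected, never forwarded.
    if len(adu) < MBAP_LEN + 1:                     # header plus a function code
        raise ValueError("truncated Modbus TCP frame")
    _tid, pid, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(adu) - 6:                      # length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = adu[MBAP_LEN:]
    if pdu[0] not in allowed:
        raise ValueError(f"function code 0x{pdu[0]:02x} not permitted")
    rtu = bytes([unit]) + pdu
    if len(rtu) + 2 > MAX_RTU_ADU:
        raise ValueError("PDU too long for a Modbus RTU frame")
    return rtu + struct.pack("<H", crc16_modbus(rtu))   # CRC, low byte first

def rtu_to_tcp(frame: bytes, transaction_id: int) -> bytes:
    """Check the CRC of a Modbus RTU reply and wrap its PDU in an MBAP header."""
    if len(frame) < 4:                              # unit id, function code, CRC
        raise ValueError("truncated Modbus RTU frame")
    body, crc = frame[:-2], frame[-2:]
    if struct.pack("<H", crc16_modbus(body)) != crc:
        raise ValueError("bad CRC on serial side")
    unit, pdu = body[0], body[1:]
    return struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    # Constructed request: transaction 1, unit 1, Read Holding Registers 0..9
    request = bytes.fromhex("00010000000601030000000a")
    print(tcp_to_rtu(request).hex())          # 01030000000ac5cd
```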
Security risks and impact
Understanding what might happen should such devices fail helps explain the importance of protocol gateways. If a protocol gateway fails, communication between the control systems and the machines stops, leading to complications in operations and processes.
Our research on protocol gateways identified security risks involved in the use of such devices. Protocol gateways can be the weak link among the interconnected devices of an industrial facility. They may lack the security reserved for other critical devices, making them an attractive target for attackers. As with any device, vulnerabilities are also an area of concern, as they can present an opportunity for cybercriminals to exploit the protocol gateway or use the device as a stepping stone in a larger attack.
Our research found that an attacker can use protocol gateways to Inhibit Response Function or Impair Process Control through:
- Denial of Service (DoS) attacks, by sending specific packets or repeated commands
- Manipulation of the I/O image, through authentication vulnerabilities that allow unauthorized access or through weak encryption of configuration databases
- Unauthorized Command Message, because of translation vulnerabilities
An abused protocol gateway, being instrumental in Inhibit Response Function or Impair Process Control conditions, could lead to the following:
- Denial of View. An attack that can disrupt and prevent the operator from overseeing the status of the Industrial Control System’s (ICS) environment.
- Denial of Control. An attack that can prevent operators from interacting with process controls temporarily.
- Manipulation of View. An attack in which adversaries tamper with the data or information reported to operators from various sensors in the facility.
- Manipulation of Control. An attack that allows adversaries to manipulate control over physical processes in the facility.
All these threats result in a communication breakdown within the industrial environment, facilitated by a weakness or an attack on protocol gateways.
Securing Protocol Gateways
Given the critical role protocol gateways play in industrial operations, security measures should be in place to protect these devices from attacks that could take advantage of their functions. Here, in summary, are strategies for protecting protocol gateways, based on our research:
- Consider the design aspects, such as differences in filtering capabilities when procuring these devices.
- Consider a protocol-aware ICS firewall and an in-house monitor. ICS firewalls only cover the Ethernet (control network) side, while an in-house monitor can cover the serial side, or process network.
- Dedicate enough time to configure and secure the gateway. Protocol gateways can be an overlooked aspect of an industrial facility’s overall security.
Overall, operators should treat protocol gateways as critical OT devices. Treating them as such better frames the necessary security measures against the threats that may take advantage of their important function.