HART (Highway Addressable Remote Transducer Protocol)
The HART protocol (Highway Addressable Remote Transducer Protocol) is an industry standard for data transmission that has become the de facto world standard for intelligent field devices. HART was originally created to transfer digital messages over the analog signal of the so-called 4-20 mA "current loop". Today HART can operate not only over a current loop but also over TCP/IP, wireless technologies (based on 802.15.4), RS-485, etc.
Digital Security: results of research into the security of the HART industrial protocol
Research conducted in 2013 by Digital Security expert Alexander Bolshev and cybersecurity expert Alexander Malinovsky showed that systems using the HART protocol (including at power plants, chemical plants, oil and gas platforms and other enterprises that handle explosive materials) contain multiple vulnerabilities that allow attackers to gain access.
HART was developed by Rosemount, but today devices supporting it are produced by ABB, Endress & Hauser, Emerson, Honeywell, Siemens and other major players in the industrial control system device market. The protocol is generally used to connect RTU devices (sensors and remote I/O systems) to programmable logic controllers (PLCs). In addition, sensor data can also be read from a computer via HART gateways and HART modems. Software tools for working with HART include HMI systems (SCADA), OPC servers (OLE for Process Control) and PAS systems (Plant Asset Management Software).
The main and most widespread physical medium for the HART protocol is the current loop. The transmission rate over it is 1200 baud, and the digital signal can be superimposed on the analog component. When an analog component is present, only one device is supported on the HART line. In a multidrop configuration there is no analog component, but up to 15 HART sensors can be on the line.
By default, the protocol allows only two master devices. HART lines can be up to 3 km long. HART devices are usually used at critical facilities.
In carrying out this research, the Digital Security experts set the following goals:
- test the resilience of the HART protocol against reading and injecting packets in a current loop;
- check for possible vulnerabilities in software systems that use HART, and determine whether a potential attacker can spoof (forge) packets in the HART transmission medium.
To address the first task, a HART module prototype was developed for a family of general-purpose development boards based on AVR (Arduino) microcontrollers with a HART modem. As demonstrated at the ZeroNights 2013 conference, the prototype can read and inject signals in a current loop.
While researching software that works with the HART protocol, vulnerabilities were found that allow specially crafted HART packets to cause a denial of service both in the software itself and in the operating system's serial port drivers. A denial-of-service vulnerability was found in INOR's MePro 2.12.0, a system for configuring and monitoring temperature sensors.
A serious vulnerability was also found in a DTM component. The FDT/DTM technology is developed by the FDT Group and is intended to simplify the development of PAS systems and work with field devices. The technology is built on COM containers and objects that interact with each other via XML messages. The researchers demonstrated a vulnerability in a DTM component developed by a large vendor. An attacker who changes the tag on a HART sensor can provoke an XML injection that leads to the loading of an external XSLT stylesheet, which in turn allows an XXE (XML External Entity) attack. Consequences of the attack may include reading arbitrary files, SSRF attacks, NTLM relaying and others.
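The injection path described above, shown from the defender's side as an added example that is not code from the research or from any vendor's DTM: a device tag read from the sensor and concatenated straight into an XML message, beside the same message built with an allowlist check and XML escaping. The 32-character tag limit, the allowlist and the sample tags are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# A HART long tag is at most 32 characters (assumption taken from the HART spec, not
# from the page); this constructed allowlist keeps only characters inert in XML text.
TAG_PATTERN = re.compile(r"^[A-Za-z0-9 _\-./#]{1,32}$")

def build_message_naive(tag: str) -> str:
    """The pattern to avoid: the tag from the sensor is concatenated straight into XML."""
    return f"<device><tag>{tag}</tag></device>"

def build_message_escaped(tag: str) -> str:
    """Escaping alone already keeps markup characters inside the text node."""
    return f"<device><tag>{escape(tag)}</tag></device>"

def build_message_hardened(tag: str) -> str:
    """Defence in depth: reject tags outside the allowlist, then escape the rest."""
    if not TAG_PATTERN.match(tag):
        raise ValueError(f"device tag {tag!r} contains characters outside the allowlist")
    return build_message_escaped(tag)

def element_count(xml_text: str) -> int:
    """How many elements the receiving component actually sees after parsing."""
    return sum(1 for _ in ET.fromstring(xml_text).iter())

def round_trip_tag(xml_text: str) -> str:
    """Tag text recovered by the parser; equals the input only if nothing was injected."""
    return ET.fromstring(xml_text).findtext("tag") or ""

# Constructed samples: a normal tag, and one whose markup characters close the
# <tag> element early and smuggle an extra element into the message.
BENIGN_TAG = "FT-101 A"
MARKUP_TAG = "FT-101</tag><cfg/><tag>"
```

With the naive builder the markup tag yields four elements instead of two; the escaped builder yields two and recovers the tag text unchanged, and the hardened builder refuses the tag before any XML is produced.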
The HART OPC Server software product also turned out to be vulnerable. A denial-of-service vulnerability was found in the HART-over-IP packet processing routine: a packet with an incorrect HART-IP header can crash the OPC server.
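As an added example (not the OPC server's or the researchers' code), a HART-IP receiver that validates every header field, above all the byte count, before acting on it, so that a malformed header is dropped instead of reaching the HART layer. The 8-byte header layout is assumed from the HART-IP specification; the message-type enumeration, the 512-byte cap and the sample datagrams are constructed for this example.

```python
import struct

# HART-IP header layout (assumption from the HART-IP specification, not from the page):
# version (1), message type (1), message ID (1), status (1), sequence number (2),
# byte count (2), all big-endian. The byte count covers the header plus the payload.
HARTIP_HEADER = struct.Struct(">BBBBHH")
HEADER_LEN = HARTIP_HEADER.size          # 8 bytes
MAX_MESSAGE_LEN = 512                    # constructed upper bound for this receiver

class HartIpError(ValueError):
    """Any header field a robust receiver should refuse instead of acting on."""

def build_hartip(msg_type, msg_id, seq, body=b"", version=1, status=0, byte_count=None):
    """Assemble a datagram; byte_count may be overridden to construct malformed samples."""
    if byte_count is None:
        byte_count = HEADER_LEN + len(body)
    return HARTIP_HEADER.pack(version, msg_type, msg_id, status, seq, byte_count) + body

def parse_hartip(datagram: bytes) -> dict:
    """Parse one HART-IP datagram, checking every header field before trusting it."""
    if len(datagram) < HEADER_LEN:
        raise HartIpError(f"truncated header: {len(datagram)} < {HEADER_LEN} bytes")
    version, msg_type, msg_id, status, seq, byte_count = HARTIP_HEADER.unpack_from(datagram)
    if version != 1:
        raise HartIpError(f"unsupported HART-IP version {version}")
    if msg_type > 3:   # 0 request, 1 response, 2 publish, 3 NAK (assumed enumeration)
        raise HartIpError(f"unknown message type {msg_type}")
    # The byte count arrives from the network; never use it to size a copy or a
    # loop until it has been checked against what was actually received.
    if not HEADER_LEN <= byte_count <= MAX_MESSAGE_LEN:
        raise HartIpError(f"implausible byte count {byte_count}")
    if byte_count != len(datagram):
        raise HartIpError(f"byte count {byte_count} != received length {len(datagram)}")
    return {"version": version, "msg_type": msg_type, "msg_id": msg_id,
            "status": status, "seq": seq, "body": datagram[HEADER_LEN:byte_count]}

def triage(datagrams) -> tuple:
    """Return (accepted, rejected); a rejected datagram never reaches the HART layer."""
    accepted = rejected = 0
    for d in datagrams:
        try:
            parse_hartip(d)
            accepted += 1
        except HartIpError:
            rejected += 1
    return accepted, rejected

# Constructed samples: a valid header with no payload, a byte count far beyond the
# received length, a byte count smaller than the header, and a truncated datagram.
SAMPLES = [
    build_hartip(0, 2, 1),
    build_hartip(0, 3, 2, b"\x82" + b"\x00" * 7, byte_count=0xFFFF),
    build_hartip(0, 3, 3, b"\x01", byte_count=2),
    b"\x01\x00\x03",
]
```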
Despite its use at critical facilities and the manufacturers' assurances, the security of the HART protocol is insufficient. Vulnerabilities in some software systems that work with this protocol can lead to catastrophic consequences. A potential attacker who gains physical access to the current loop line on which HART sensors operate can forge their readings, cause monitoring systems to fail, and even gain access to the corporate information system (CIS) through vulnerabilities in DTM components. All this can lead not only to the compromise of an industrial facility's systems, but to the disruption of the technological processes of an entire power plant or chemical plant.