工控研究入門篇

0x00 序言

最近要參加工控安全競賽，學習整理一些工控內容，爲比賽做好準備。

0x01 工控術語

SCADA:數據採集與監視控制系統

ICS:工業控制系統

DCS:分佈式控制系統/集散控制系統

PCS:過程控制系統

ESD:應急停車系統

PLC:可編程序控制器(Programmable Logic Controller)

RTU:遠程終端控制系統

IED:智能監測單元

HMI:人機界面(Human Machine Interface)

MIS:管理信息系統(Management Information System)

SIS: 生產過程自動化監控和管理系統(Supervisory Information System)

MES:製造執行管理系統

0x02 常見工控協議和端口

協議名稱	使用端口
Siemens S7	TCP/102
Modbus	TCP/502
IEC 60870-5-104	TCP/2404
DNP3	TCP/20000 UDP/20000
EtherNet/IP	TCP/44818 UDP/2222,44818
BACnet	UDP/47808
Tridium Niagara Fox	TCP/1911
OMRON FINS	TCP/9600
PCWorx	TCP/1962
ProConOs	TCP/20547
MELSEC-Q	TCP/5007
Crimson V3	TCP/789
EtherCAT	UDP/34980
FL-net	UDP/55000-55003
Foundation Fieldbus HSE	TCP/1089-1091 UDP/1089-1091
ICCP	TCP/102
OPC UA Discovery Server	TCP/4840
OPC UA XML	TCP/80,443
PROFINET	TCP/34962-34964 UDP/34962-34964
ROC PLus	TCP/4000 UDP/4000

常見設備及型號表

廠商	型號	版本	特徵
Adcon Telemetry	A850 Telemetry Gateway	-	A850 Telemetry Gateway
ABB	RTU500	RTU560	ABB RTU560
ABB	-	-	ABB Webmodule
Allen-Bradley	-	-	Allen-Bradley
BroadWeb	-	-	BroadWeb
General Electric	Cimplicity	-	CIMPLICITY-HttpSvr
Cimetrics	Eplus - B/IP to B/WS Gateway Firewall	-	Cimetrics Eplus Web Server
Schneider Electric	CitectSCADA	-	CitectSCADA
Schneider Electric	-	-	ClearSCADA
Delta Controls	enteliTOUCH	-	DELTA enteliTOUCH
Electro Industries GaugeTech	-	-	EIG Embedded Web Server
Elster EnergyICT	-	-	EnergyICT
-	-	-	GoAhead-Webs InitialPage.asp
Siemens	Simatic HMI	XP277	HMI, XP277
HMS	EtherNet/IP / Modbus-TCP Interface	-	HMS AnyBus-S WebServer
Beck IPC	IPC@CHIP	-	IPC@CHIP
Clorius Controls	-	-	ISC SCADA Service HTTPserv:00001
Modbus	-	-	Modbus Bridge
Modbus	-	-	ModbusGW
Rockwell Automation	Micrologix	-	Micrologix
-	-	-	NET ARM Web Server/1.00
Schneider Electric	Modicon	M340	Modicon M340
Moxa	-	-	MoxaHttp
Schneider Electric	Modicon	M340	Modicon M340 CPU
Siemens	-	-	PLC
Siemens	Simatic S7	-	Portal0000.htm
Tridium	-	-	Niagara Web Server
Schneider Electric	PowerLogic ION	-	Power Measurement Ltd
Schneider Electric	PowerLogic PM	PM800	PowerLogic PM800
Powerlink	-	-	Powerlink
General Electric	Proficy	-	ProficyPortal
RTS Services	-	-	RTS SCADA Server
Reliance	Reliance 4 SCADA/HMI system	-	Reliance 4 Control Server
Rockwell Automation	-	-	Rockwell Automation
Siemens	Simatic S7	S7-200	S7-200
Siemens	Simatic S7	S7-300	S7-300
SAP	NetWeaver Application Server	-	SAP NetWeaver Application Server
Siemens	-	-	SCADA
Siemens	Simatic HMI	-	SIMATIC HMI
Siemens	Simatic NET	-	SIMATIC NET
Allen-Bradley	-	-	SLC5
Siemens	Scalance W	-	Scalance W
Schleifenbauer	SPbus gateway	-	Schleifenbauer SPbus gateway
Siemens	Scalance X	-	Scalance X
Schneider Electric	-	-	Schneider-WEB
Siemens	-	-	Siemens
Allen-Bradley	-	-	Series C Revision
Siemens	Simatic HMI	-	Simatic
Siemens	Simatic S7	-	Simatic S7
SoftPLC	-	-	SoftPLC
SpiderControl	-	-	SpiderControl
Stulz	-	-	Stulz GmbH Klimatechnik
Schneider Electric	Tac XENTA 913	-	TAC/Xenta
Schneider Electric	Modicon	-	TELEMECANIQUE BMX
THUS	-	-	THUS plc
Schneider Electric	Tac XENTA 913	-	TAC XENTA913
Wind River	-	-	VxWorks
Wago	-	-	WAGO
Codesys	WebVisu	-	Webvisu
Siemens	Simatic HMI	-	Welcome to the Windows CE Telnet Service on HMI_Panel
NRG Systems	WindCube	-	WindWeb
Wind River	-	-	WindRiver-WebServer
Adcon Telemetry	addUPI-OPC Server	-	addUPI Server
Rabbit	-	-	Z-World Rabbit
Elster EnergyICT	eiPortal	-	eiPortal
Echelon	i.LON 600	-	i.LON
Moxa	ioLogik	-	ioLogik Web Server
Tridium	-	-	niagara_audit
CherryPy	-	-	openerp+server: “CherryPy”
Schneider Electric	PowerLogic ION	-	Meter ION
Trend	IQ3xcite	-	Server:“IQ3”
Fujitsu	ServerView	-	serverview
Somfy	-	-	title:Somfy
Adcon Telemetry	-	-	title:adcon
Modbus	-	-	webSCADA-Modbus
CoDeSyS	-	-	codesys
Omron	Omron CJ2M PLC ftpd	-	omron
Modbus	Modbus TCP	-	service:“Modbus”
Rockwell Automation	EtherNet-IP-2	-	EtherNet/IP
Modbus	dnp3 gateway	-	dnp3
BACnet	Boa HTTPd	-	BACnet