Security
mrgada does not encrypt network traffic, because of the additional overhead. This is not uncommon: for example, iFIX using the S7A driver (non-symbolic addressing) has no encryption, and security relies entirely on network setup and limiting physical security breaches. S7 is also faster because of less overhead, and it is a proprietary Siemens communication protocol meant for PLCs.
The main drawback of this architecture is that devices outside the VLAN can't read/write to the PLC directly. In an industrial setting this is OK, because the operator panels are on the same VLAN as the PLC, but creating an iOS app, for example, to read/write data to the PLC is currently not possible.
It is possible, however, to build apps that do not directly read/write to the PLC, for example the historian in the examples page. Port forwarding may be enabled to allow access to the PostgreSQL database, allowing historical process data to be accessed from the internet.
RSA Encryption Overhead Calculation
Scenario
We are encrypting a payload of 1500 bytes using RSA encryption directly. The key sizes considered are:
2048-bit RSA key
4096-bit RSA key
Details of Calculation
2048-bit RSA
Key Size: 2048 bits (256 bytes)
Maximum Block Size: ~214 bytes (due to padding)
Number of Blocks: ⌈ 1500 / 214 ⌉ = 7 blocks
Encrypted Size per Block: 256 bytes
Total Encrypted Size: 7 × 256 = 1792 bytes
Overhead: 1792 - 1500 = 292 bytes
Overhead Percentage: (292 / 1500) × 100 ≈ 19.5%
4096-bit RSA
Key Size: 4096 bits (512 bytes)
Maximum Block Size: ~470 bytes (due to padding)
Number of Blocks: ⌈ 1500 / 470 ⌉ = 4 blocks
Encrypted Size per Block: 512 bytes
Total Encrypted Size: 4 × 512 = 2048 bytes
Overhead: 2048 - 1500 = 548 bytes
Overhead Percentage: (548 / 1500) × 100 ≈ 36.5%
Summary Table
| RSA Key Size | Encrypted Size (bytes) | Overhead (bytes) | Overhead (%) |
|---|---|---|---|
| 2048-bit | 1792 | 292 | 19.5% |
| 4096-bit | 2048 | 548 | 36.5% |
It is essential to secure the network using routers or VLANs to deny inbound requests to your subnetwork. Allow only essential ports to the server (time sync, printers, etc.). This limits attacks to physical security breaches.
Additional security
None of the additional security measures are needed if the malicious actor doesn't have access to the physical network, so ensure all network switches and machines have adequate physical protection.
Adding an IP blocker to the SCADA server application, accepting only the IPs of local clients. Adding checksum checking of the binary application, as an additional hurdle to decompiling the app.
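One way the IP blocker described above could work, as an added example that is not mrgada's own code. The subnets, port 5000 and the `handler` callback are assumptions chosen for illustration.

```python
import ipaddress
import socket

# Constructed values (assumption): the operator-panel VLAN plus one engineering station.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("192.168.20.5/32"),
]


def is_allowed(peer_ip, allowed=ALLOWED_NETWORKS):
    """Return True only if peer_ip parses and lies inside an allowed network."""
    try:
        # Drop an IPv6 zone id such as "%eth0" before parsing.
        addr = ipaddress.ip_address(peer_ip.split("%", 1)[0])
    except (ValueError, AttributeError):
        return False  # fail closed on anything that is not an address string
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in allowed)


def serve(handler, host="0.0.0.0", port=5000):
    """Accept loop that closes non-allowlisted peers before reading any data.

    handler(conn, peer_ip) and port 5000 are hypothetical placeholders.
    """
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            if not is_allowed(peer[0]):
                print(f"rejected connection from {peer[0]}:{peer[1]}")
                conn.close()
                continue
            with conn:
                handler(conn, peer[0])
```

Because the traffic itself is unencrypted and unauthenticated, this check sits on top of the VLAN and router rules rather than replacing them.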