How runZero speaks to the TwinCAT 3 Automation Device Specification (ADS) Protocol

|
Updated

In the realm of industrial automation, communication protocols play a crucial role in ensuring seamless interaction between various components and systems. One such protocol in the TwinCAT 3 ecosystem is the Automation Device Specification (ADS) protocol. Developed by Beckhoff Automation, ADS is integral to the TwinCAT 3 software suite, facilitating robust and efficient communication between different automation devices. 

What is ADS? #

The Automation Device Specification (ADS) protocol is a communication protocol designed to enable interaction between TwinCAT 3 automation devices. ADS functions as a gateway for data exchange and command execution between software applications and hardware components. It operates over TCP/IP networks, ensuring reliable and real-time communication. Both TCP and UDP are supported by the protocol as well as a secure version called Secure ADS which uses TLSv1.2 to secure the TCP connection.

The Role of ADS in TwinCAT 3 #

TwinCAT 3 leverages ADS to connect its various components. Within this environment, ADS facilitates communication between the TwinCAT runtime, PLCs, and HMI systems. By providing a standardized interface for data exchange, ADS simplifies the integration of different elements within the TwinCAT ecosystem. This integration capability is instrumental in developing sophisticated automation solutions that require interaction between multiple devices and software modules.

runZero Speaks ADS #

The runZero research team has been working hard to increase the OT protocols available in runZero. We recently added the ADS protocol for passive scanning to identify devices that speak ADS. We have a very good understanding of the OSI model so we have started layering in support for any of these Ethernet-based protocols. 

After reviewing the ADS specification we discovered that it operates on TCP port 48898 and UDP port 48899. By adding these ports to our broader global ports list we can start to decode the new traffic and identify the communicating devices. Although we see all of the traffic on those ports, we are only interested in a very specific packet to identify devices. The ADS specification outlines a ReadDeviceInfo command (Figure 1) which would tell us the version, build, and name of the device.

ReadDeviceInfo packet layout courtesy of Beckhoff Automation LLC

FIGURE 1 - ReadDeviceInfo packet layout courtesy of Beckhoff Automation LLC

If the packet is successfully decoded into this command we can assert that it is a legitimate device since the packet originated on the documented ports above. This gives us a high degree of confidence to continue fingerprinting this device and place it into your asset inventory.

As industrial automation continues to evolve, so too will the ADS protocol. Future developments may include enhancements to support emerging technologies such as IoT and Industry 4.0. There is potential for increased integration with cloud-based systems and advanced analytics, further expanding the capabilities of ADS. Staying abreast of these trends will be essential for us to further improve our fingerprinting capabilities as this protocol makes its way into other domains outside of industrial automation.

Subscribe now to stay up to date on runZero support for discovery of OT protocols.

Written by Blain Smith

Blain Smith is a Security Research Engineer at runZero. He spent most of his career in cloud and distributed systems for AAA gaming, entertainment, and networking working on some of the most popular games and systems millions of people play and watch daily. He has given numerous talks at conferences such as TEDx, GopherCon, and P99CONF. His shift into infosec has afforded him the ability to apply his distributed systems and networking knowledge to other industries such as IoT and OT.

More about Blain Smith
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

runZero Insights
Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats
China's Typhoon cyber attacks are evolving, but runZero helps you stay one step ahead with unmatched visibility and proactive defense.
runZero Insights
Ensure compliance with DORA’s ICT risk framework using runZero
Learn how to uncover unmanaged and unknown assets— including IT, OT, and IoT— to meet DORA's hidden risk requirements using runZero.
Life at runZero
Employee Spotlight: Doug Markiewicz
Doug Markiewicz is a strategic Customer Success Engineer with a passion for solving complex cybersecurity problems. Learn more about his journey as...
runZero Insights
Evolving from IT to IoT: Flax Typhoon preyed on the lesser knowns
A look at Flax Typhoon's latest operations, and how runZero’s unknown and IoT asset visibility can help calm the storm for security teams.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved