Introduction
GE Intelligent Platforms (formerly GE Fanuc) developed the Service Request Transport Protocol (GE-SRTP) for data transfer from programmable logic controllers (PLCs). This protocol is used over Ethernet, and almost all GE automation equipment equipped with an Ethernet port supports GE-SRTP. Any SRTP client can read and write system memory from multiple remote SRTP-capable devices.
The FieldServer can operate as both a Server and a Client. When acting as a Client, it can read and write system memory from any number of remote SRTP-capable devices. In this mode, the FieldServer can also scale word data such as %AQ, %AI, and %R.
When configured as a Server, the driver accepts system messages that write to system memory and responds to read requests. The driver always operates at privilege level 4 when acting as a server, allowing both read and write operations. However, the driver cannot emulate both a client and a server on the same connection to the same IP address.
Driver diagnostics and statistics are exposed in the FieldServer Data Arrays, allowing remote devices and systems to monitor them. Write-through and port expander modes are also available. On average, the driver can read approximately 5700 bytes of table data per second.
How SRTP Works
The GE-SRTP driver lets the FieldServer transfer data to and from devices over Ethernet using the GE-SRTP protocol. Almost all GE automation equipment with an Ethernet port supports this protocol.
The FieldServer can operate either as a Client or a Server. As a Client, the driver reads and writes system memory for multiple remote SRTP devices. In this role, it can scale word data. When acting as an SRTP Server, the driver accepts system messages written to memory and responds to incoming read requests.
It is important to note that the driver cannot function as both a Client and a Server on the same connection to the same IP address simultaneously. The driver also publishes communication data, diagnostics, and statistics in the FieldServer data arrays. These values can be monitored by downstream systems and remote devices.
Signal Flow from HMI to PLC using SRTP Protocol
PLCs are widely used in industries such as manufacturing, water management, transportation, aerospace, and healthcare. Due to their importance in critical infrastructure, they are frequent targets of cyber-attacks, with Stuxnet being the most notable example.
In many installations, PLCs are protected only by an outer security layer such as a firewall. Once an attacker gains access to the network, very few additional defenses may exist. Therefore, from a forensic perspective, the software already installed on the system cannot always be trusted.
Researchers reverse engineered the GE-SRTP network protocol on a GE Fanuc Series 90-30 PLC and made two notable contributions. First, they identified that General Electric created the Service Request Transport Protocol to support Ethernet communication among its PLCs; until then, no public documentation of the protocol existed. Second, they developed a software application capable of direct network-based communication with the PLC, eliminating the need for an intermediate server.
Although the tool’s forensic mode allows only read access, its default configuration makes it possible to write to PLC registers. This means that users could potentially disrupt or manipulate processes controlled by the PLC.
A PLC contains various registers which are accessed through an HMI (Human Machine Interface). Typically, an HMI is a software application running on a PC. In this system, the HMI computer runs Windows XP and is used by operators to interact with the PLC.
Wonderware InTouch v9.5 is used to build the Human Machine Interface. Communication between the GE Fanuc Series 90-30 PLC and the HMI requires a Wonderware I/O Server, which supports multiple data sources. In this implementation, Wonderware InTouch, Microsoft Excel, and Dynamic Data Exchange (DDE) protocol are used. The GE-SRTP protocol transfers data between the Wonderware I/O server and the GE Fanuc Series 90-30 PLC.
Advantages of GE-SRTP
- High quality data transmission
- Easy to configure and use
- Reliable communication with low latency
- Supports source code access
- Content agnostic and interoperable
- Highly secure in well-configured environments
Disadvantages of GE-SRTP
- Requires additional memory and programming effort
- Higher latency due to connection-oriented nature
Applications of GE-SRTP
- Used to transfer data to and from Programmable Logic Controllers (PLCs)
- Operates over Ethernet for supported GE automation equipment
- Commonly used in various Ethernet-connected controllers
