Network Security Monitoring for Industrial Control Systems

Monitoring is everywhere and covers just about everything: baby monitoring, heart monitoring, air quality monitoring, electric grid disturbance monitoring, and even credit monitoring. Monitoring is needed so that if something isn’t going as planned, it can be addressed. In my last FireEye blog post[i], I talked a little bit about Network Security Monitoring (NSM) and how it’s been used to defend networks for more than 25 years. In this blog post, I want to help you understand how it can work in your network.

Real-world Example of NSM for ICS

NSM is not widely implemented in Industrial Control Systems (ICS), and I believe this is one of the reasons we don’t hear about many ICS attacks[ii]. But asset owners are beginning to see the value of gaining the same visibility in their ICS networks as in their IT networks. My colleague at a large public utility recently completed implementing network monitoring in their SCADA system. This provided new visibility into their control system network. Not only could they look for attacks on their network, but their NSM toolkit also found a lot of operational problems.

With NSM deployed on their SCADA system and their IDS tuned to their standard ICS protocols and network behavior, they found:

  • Misconfigured devices
  • Incorrect software versions
  • Defects in SCADA device firmware
  • Hardware failures
  • Unexpected IP addresses (internal and external)
  • Unexpected protocols on the SCADA network

They used this information to correct their device configurations, work with their vendors to fix software and firmware problems, and also harden their SCADA network. As a result, their network became more efficient, reliable, and defensible than ever.

See Your Network

If you don’t have NSM in your ICS, but want to start looking for some immediate benefits that will help improve your visibility, start with a simple network packet capture. Wireshark[iii] is an excellent free tool that not only captures network traffic but can also decode over 20 ICS-specific protocols, such as DNP3, Modbus TCP, Ethernet/IP, and BACnet. When I worked at the power company, I used Wireshark to troubleshoot problems on the SCADA network. I still use it now, along with several other free tools for NSM such as NetworkMiner[iv] and the Security Onion[v] Linux distribution. There are two excellent books about the basics of NSM and deploying Security Onion to different types of networks: The Practice of Network Security Monitoring[vi] and Applied Network Security Monitoring[vii].
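To show how a single capture can surface the "unexpected IP addresses" and "unexpected protocols" findings listed earlier, here is an added example (not from the original post) that reads a classic pcap and compares each packet against a site baseline. The host list, the expected services, and the sample capture are constructed assumptions; it handles only little-endian classic pcap files with untagged Ethernet II / IPv4 frames.

```python
import socket
import struct

# Assumed baseline (constructed): known SCADA hosts and the services expected between them.
KNOWN_HOSTS = {"10.10.1.5", "10.10.1.20", "10.10.1.21"}
EXPECTED = {(6, 502): "Modbus TCP", (6, 20000): "DNP3"}  # (IP protocol, port)

def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def audit(data):
    """Return sorted findings for hosts and services outside the baseline."""
    findings = set()
    for frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only Ethernet II frames carrying IPv4
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = (socket.inet_ntoa(frame[o:o + 4]) for o in (26, 30))
        findings.update(f"unexpected host {ip}" for ip in (src, dst) if ip not in KNOWN_HOSTS)
        if proto in (6, 17) and len(frame) >= 14 + ihl + 4:  # TCP or UDP
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
            if not any((proto, p) in EXPECTED for p in (sport, dport)):
                findings.add(f"unexpected service {src}:{sport} -> {dst}:{dport} proto {proto}")
    return sorted(findings)

def _frame(src, dst, proto, sport, dport):
    """Build a minimal Ethernet/IPv4 frame holding only the fields audit() reads."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)

def sample_pcap():
    """Constructed capture: two baseline flows, one Telnet flow, one external DNS query."""
    frames = [_frame("10.10.1.5", "10.10.1.20", 6, 49152, 502),
              _frame("10.10.1.5", "10.10.1.21", 6, 49153, 20000),
              _frame("10.10.1.5", "10.10.1.20", 6, 49154, 23),
              _frame("10.10.1.21", "203.0.113.7", 17, 50000, 53)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__": print("\n".join(audit(sample_pcap())))
```

To run it against a real capture, pass the file's bytes to `audit()` after replacing the baseline with your own inventory; every finding is a question to investigate, since the utility example above shows that many turn out to be misconfigurations.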

Looking at the ICS network with NSM tools is like going to get a checkup at the doctor. You can verify whether the traffic looks normal, gauge when things don’t look healthy, and find out if there is an infection. If you look on a regular basis, you can continuously monitor the health of your ICS security and reliability. On the other hand, if you don’t look, you certainly won’t find anything until it’s too late. We make use of these and other tactics at Mandiant when investigating client ICS networks – we perform packet capture and enable analysis activities.

It’s About People

The NSM tools that I mentioned are wonderful, but they are useless without a dedicated person or team to use and fine-tune them. An ICS security analyst should manage these tools and use them to get visibility into the network, determine what is normal, hunt for evil, and respond to incidents. Remember that attackers who want to breach your network are people sitting at keyboards, so it takes people to defend against them.

[i] Sistrunk, Chris. “Incident Response for Industrial Control Systems.” FireEye. 11 June 2015. 25 Sept 2015.

[ii] Sistrunk, Chris. “Has Your ICS Been Breached? Are You Sure? How Do You Know?” POWER Magazine. 1 June 2015. 25 Sept 2015.

[iii] 25 Sept 2015.

[iv] Hjelmvik, Erik. “Passive Network Security Analysis with NetworkMiner.” Forensic Focus. 25 Sept 2015.

[v] Security Onion Solutions. 25 Sept 2015.

[vi] Bejtlich, Richard. The Practice of Network Security Monitoring: Understanding Incident Detection and Response. No Starch, 2013. Print.

[vii] Sanders, Chris, and Jason Smith. Applied Network Security Monitoring: Collection, Detection, and Analysis. Waltham, MA: Syngress, 2013. Print.