Abstract image of a woman sitting on books and studying on a laptop

Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM

Download as PPTX, PDF
Jim Gilsinn, profile picture
Jim Gilsinn

This document discusses network reliability monitoring as a complement to network security monitoring (NSM) and security information and event management (SIEM) for industrial control systems. It notes that while NSM works well for monitoring traffic crossing between zones in ICS networks, it is less effective in lower level zones where most traffic remains internal. Network reliability monitoring provides an alternative by developing profiles of normal network traffic and scanning for deviations that could indicate issues. While complex algorithms are not needed, it requires strong protocol knowledge and root cause analysis can be difficult. Examples are given showing network reliability metrics and how man-in-the-middle attacks did not significantly impact traffic.

Technology
1 of 26
Downloaded 98 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Network Reliability Monitoring for ICS Going beyond NSM and SIEM
Jim Gilsinn • Senior Investigator, Kenexis Consulting – ICS Network & Security Assessments & Designs – Developer, Dulcet Analytics, Reliability Monitoring Tool • Previous Life – NIST Engineering Lab – 20+ Years Engineering – ICS Cyber Security & Network Performance – Control Systems, Automated Vehicles, Wireless Sensors & Systems • International Society of Automation (ISA) – ISA99 Committee, Co-Chair (ISA/IEC 62443 Standard Series) – ISA99-WG2, Co-Chair (ICS Security Program)
What is Network Security Monitoring? • “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.” • “a way to find intruders on your network and do something about them before they damage your enterprise.” The Practice of Network Security Monitoring, Richard Bejtlich
What is Security Information and Event Management? • SIEM products and services provide “real-time analysis of security alerts generated by network hardware and applications.” –Data aggregation –Correlation –Alerting –Dashboards –Compliance –Retention –Forensics analysis Wikipedia
This is NOT A Talk About NSM or SIEM • Richard Bejtlich has some good books on NSM • Chris Sistrunk has some really good presentations on NSM for ICS • <Pick_a_search_engine> and vendors have information on both NSM and SIEM –As always, take it with a grain of salt
When NSM Won’t Work? • “…if you can’t observe the traffic that you care about, NSM will not work well.” • “Node-to-node activity, though, is largely unobserved at the network level.” The Practice of Network Security Monitoring, Richard Bejtlich
Example ICS/SCADA Network: Upper-Level Architecture • Most Traffic Crosses Zone Boundaries • Less ICS-Specific Protocols • More Common Platforms
NSM Works Great in Upper-Level Architecture • Most traffic crosses zone boundaries – Network traffic can be observed • Less ICS-specific protocols – Less ICS-specific protocol knowledge needed to analyze – More available automated network traffic analyzers • More common platforms – Some platforms allow NSM agents – Security logs available
Example ICS/SCADA Network: Lower-Level Architecture • Most Traffic Remains Within Zone • Mostly ICS- Specific Protocols • ICS-Specific Platforms
NSM Doesn’t Work As Well in Lower-Level Architecture • Most Traffic Remains Within Zone – Traffic doesn’t generally flow through NSM sensors – Most traffic remains in smaller segregated segments within zone • Mostly ICS-specific protocols – More ICS-specific protocol knowledge to analyze – Less available automated tools to analyze, if any at all • ICS-specific platforms – Non-standard OS on ICS-specific hardware – Some standard OS exist, with vendor-recommended limitations
NSM Doesn’t Work As Well in Lower-Level Architecture • ICS/SCADA equipment was generally not designed with security in mind – Devices aren’t capable – Information doesn’t exist – Hardware platforms are minimalistic designs
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring • Negative indicators don’t tell whole story – Absence of security reports doesn’t indicate everything is working properly • Develop a “known-good” set of traffic signatures – FAT, SAT, commissioning, system changes, periodic testing, etc. – Continuous monitoring possible • Compare periodic scans to “known-good” signatures • Look for deviations from norm – New traffic streams – Traffic streams performing different than expected – Traffic anomalies
Network Reliability Monitoring Can Be Simple • Complex algorithms not necessary – Hardest part can be isolating traffic streams – Your Wireshark Fu needs to be strong in many cases – Measurement metrics relatively simple (Jitter & Latency) • Free and low-cost tools exist – Wireshark for traffic stream processing – Spreadsheets for metric analysis • Basic charts & graphs are easy to generate
Network Reliability Monitoring Can Be Incredibly Hard • Detailed analysis takes knowledge of ICS-protocols – Inner working – Quirks & idiosyncrasies • Root cause analysis is incredibly difficult – Device real-time architecture – Network performance issues – Lack the tools & techniques to investigate many issues • Automating the analysis process can be difficult – Building in process knowledge to algorithms
So… What Can You See? Expected Frequency *Jitter is Variation From Expected Frequency ~10ms Mean Measured Packet Interval ±400µs Jitter*
So… What Can You See? ~10.4ms Mean Measured Packet Interval ±400µs Jitter* Wider Distribution More Peaks in Histogram
So… What Can You See? ~1ms Mean Measured Packet Interval ±10µs Jitter* Beat Patter @ ~30s
So… What Can You See? ~2ms Mean Measured Packet Interval ±1ms Jitter* Beat Patter @ ~50s
So… What Can You See? • OS & application operations – Garbage collection – Antivirus checks & updates – On-screen operator commands • Network anomalies – Network EMI interference – Signal degradation – Flaky connections • Security-related incidents
Man-In-The-Middle Testing • Kali Linux VM – Ettercap – ARP Poisoning – All default settings (script-kiddy style) • Captured traffic off mirror port • PLC to I/O – EtherNet/IP™ – 10ms frequency • MITM against PLC
MITM Testing – Source IP Address was I/O Block ~10ms Mean Measured Packet Interval ±400µs Jitter*
MITM Testing – Source Address was PLC
MITM Testing – Results • PLC and I/O block didn’t care – Both devices continued transmitting in the presence of MITM attack – Likely due to multicast EtherNet/IP protocol • When PLC traffic isolated from MITM, it showed no change in performance • Ettercap scripts to modify command signals generated – Increase sequence number – Modify output commands to I/O block • Checked captures without seeing red-flags – VirusTotal – NetworkMiner – Bro
Summary • NSM is good – If you are doing it great – If not, maybe you should • NSM can’t detect everything, especially for ICS/SCADA networks • There are ways to measure network reliability in the lower layers – ICS/SCADA networks are particularly well suited to this
Questions & Comments? • Jim Gilsinn • Senior Investigator, Kenexis • +1-614-323-2254 • Jim.Gilsinn@Kenexis.com • @JimGilsinn

More Related Content

PPTX
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Jim Gilsinn
 
PPTX
Practical Approaches to Securely Integrating Business and Production
Jim Gilsinn
 
PDF
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
PDF
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
PPTX
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
Digital Bond
 
PPTX
Integrating the Alphabet Soup of Standards
Jim Gilsinn
 
PDF
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
PPTX
CyberSecurity Best Practices for the IIoT
Creekside Marketing Group, LLC
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Jim Gilsinn
 
Practical Approaches to Securely Integrating Business and Production
Jim Gilsinn
 
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
Digital Bond
 
Integrating the Alphabet Soup of Standards
Jim Gilsinn
 
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
CyberSecurity Best Practices for the IIoT
Creekside Marketing Group, LLC
 

What's hot (20)

PDF
The journey to ICS - Extended
Larry Vandenaweele
 
PDF
Should I Patch My ICS?
Digital Bond
 
PPTX
The Future of ICS Security Products
Digital Bond
 
PPT
DHS ICS Security Presentation
guest85a34f
 
PPTX
Using Assessment Tools on ICS (English)
Digital Bond
 
PPTX
Scada security presentation by Stephen Miller
AVEVA
 
PDF
Monitoring ICS Communications
Digital Bond
 
PDF
Industrial Control System Security Overview
pgmaynard
 
PPTX
IEC and cyber security (June 2018)
International Electrotechnical Commission (IEC)
 
PPTX
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
PDF
S4xJapan Closing Keynote
Digital Bond
 
PPTX
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
PPTX
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Digital Bond
 
PDF
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
null The Open Security Community
 
PDF
CSIRS ICS BCS 2.2
David Spinks
 
PPTX
Critical Infrastructure and Security
Can Demirel
 
PPSX
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
Byres Security Inc.
 
PDF
Securing SCADA
Jeffrey Wang , P.Eng
 
PDF
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
PDF
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
Eran Goldstein
 
The journey to ICS - Extended
Larry Vandenaweele
 
Should I Patch My ICS?
Digital Bond
 
The Future of ICS Security Products
Digital Bond
 
DHS ICS Security Presentation
guest85a34f
 
Using Assessment Tools on ICS (English)
Digital Bond
 
Scada security presentation by Stephen Miller
AVEVA
 
Monitoring ICS Communications
Digital Bond
 
Industrial Control System Security Overview
pgmaynard
 
IEC and cyber security (June 2018)
International Electrotechnical Commission (IEC)
 
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
S4xJapan Closing Keynote
Digital Bond
 
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Digital Bond
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
null The Open Security Community
 
CSIRS ICS BCS 2.2
David Spinks
 
Critical Infrastructure and Security
Can Demirel
 
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
Byres Security Inc.
 
Securing SCADA
Jeffrey Wang , P.Eng
 
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
Eran Goldstein
 
Ad

Viewers also liked (9)

PPTX
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Digital Bond
 
PPTX
Havex Deep Dive (English)
Digital Bond
 
PPTX
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Digital Bond
 
PPTX
ASFWS 2011 : Cyberguerre et Infrastructures critiques : Menaces & Risques
Cyber Security Alliance
 
PPTX
ICS Security Training ... What Works and What Is Needed (Japanese)
Digital Bond
 
PPTX
BSidesAugusta ICS SCADA Defense
Chris Sistrunk
 
PDF
ICS Network Security Monitoring (NSM)
Digital Bond
 
PDF
Lessons Learned from the NIST CSF
Digital Bond
 
PDF
Cisco ASA
Thomas Moegli
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Digital Bond
 
Havex Deep Dive (English)
Digital Bond
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Digital Bond
 
ASFWS 2011 : Cyberguerre et Infrastructures critiques : Menaces & Risques
Cyber Security Alliance
 
ICS Security Training ... What Works and What Is Needed (Japanese)
Digital Bond
 
BSidesAugusta ICS SCADA Defense
Chris Sistrunk
 
ICS Network Security Monitoring (NSM)
Digital Bond
 
Lessons Learned from the NIST CSF
Digital Bond
 
Cisco ASA
Thomas Moegli
 
Ad

Similar to Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM (20)

PDF
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
PPTX
Where Are All The ICS Attacks?
EnergySec
 
PPT
Control system including PLC cybersecurity
Dr.Maged Mikhail
 
PDF
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Felipe Prado
 
PPT
Power Grid Communications & Control Systems
fajjarrehman
 
PPTX
Encryption in industrial control systems; Is the juice worth the squeeze?
Brian Proctor - GICSP, CISSP, CRISC
 
PPTX
INSECS: Intelligent networks security system
Nadun Rajasinghe
 
PPTX
Kaseya Connect 2012 - THE ABC'S OF MONITORING
Kaseya
 
PDF
Defcon 22-tim-mcguffin-one-man-shop
Priyanka Aash
 
PDF
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
TI Safe
 
PDF
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
PDF
PT-DTS SCADA Security using MaxPatrol
Shah Sheikh
 
PPTX
Science DMZ security
Jisc
 
PPTX
Spirent: The Internet of Things: The Expanded Security Perimeter
Sailaja Tennati
 
PPT
intrusion detection system (IDS)
Aj Maurya
 
PPTX
Pass4sure 640-554 Cisco IOS Network Security
Hecrocro
 
PPTX
Network Intrusion Detection Systems #1
Peter Dulačka
 
PPT
Day4
Jai4uk
 
PPTX
640-554 IT Certification and Career Paths
hibaehed
 
PDF
Sym 2015 product overview apr2015
Todd Masters
 
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
Where Are All The ICS Attacks?
EnergySec
 
Control system including PLC cybersecurity
Dr.Maged Mikhail
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Felipe Prado
 
Power Grid Communications & Control Systems
fajjarrehman
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Brian Proctor - GICSP, CISSP, CRISC
 
INSECS: Intelligent networks security system
Nadun Rajasinghe
 
Kaseya Connect 2012 - THE ABC'S OF MONITORING
Kaseya
 
Defcon 22-tim-mcguffin-one-man-shop
Priyanka Aash
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
TI Safe
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
PT-DTS SCADA Security using MaxPatrol
Shah Sheikh
 
Science DMZ security
Jisc
 
Spirent: The Internet of Things: The Expanded Security Perimeter
Sailaja Tennati
 
intrusion detection system (IDS)
Aj Maurya
 
Pass4sure 640-554 Cisco IOS Network Security
Hecrocro
 
Network Intrusion Detection Systems #1
Peter Dulačka
 
Day4
Jai4uk
 
640-554 IT Certification and Career Paths
hibaehed
 
Sym 2015 product overview apr2015
Todd Masters
 

More from Jim Gilsinn (11)

PPTX
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
PPTX
Network Security: Protecting SOHO Networks
Jim Gilsinn
 
PPTX
Cook Like a Hacker!
Jim Gilsinn
 
PPTX
ICS Performance Lab
Jim Gilsinn
 
PPTX
Cyber & Process Attack Scenarios for ICS
Jim Gilsinn
 
PPTX
Low-Cost ICS Network Performance Testing
Jim Gilsinn
 
PPTX
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Jim Gilsinn
 
PPTX
You name it, we analyze it
Jim Gilsinn
 
PPTX
Wireshark Network Protocol Analyzer
Jim Gilsinn
 
PPTX
Network Packet Analysis with Wireshark
Jim Gilsinn
 
PPTX
Test Tool for Industrial Ethernet Network Performance (June 2009)
Jim Gilsinn
 
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Network Security: Protecting SOHO Networks
Jim Gilsinn
 
Cook Like a Hacker!
Jim Gilsinn
 
ICS Performance Lab
Jim Gilsinn
 
Cyber & Process Attack Scenarios for ICS
Jim Gilsinn
 
Low-Cost ICS Network Performance Testing
Jim Gilsinn
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Jim Gilsinn
 
You name it, we analyze it
Jim Gilsinn
 
Wireshark Network Protocol Analyzer
Jim Gilsinn
 
Network Packet Analysis with Wireshark
Jim Gilsinn
 
Test Tool for Industrial Ethernet Network Performance (June 2009)
Jim Gilsinn
 

Recently uploaded (20)

PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
What is a Computer? Input Devices /output devices
GulJan8
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Modernising the Digital Integration Hub
Daniel Toomey
 

Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM

  • 1. Network Reliability Monitoring for ICS Going beyond NSM and SIEM
  • 2. Jim Gilsinn • Senior Investigator, Kenexis Consulting – ICS Network & Security Assessments & Designs – Developer, Dulcet Analytics, Reliability Monitoring Tool • Previous Life – NIST Engineering Lab – 20+ Years Engineering – ICS Cyber Security & Network Performance – Control Systems, Automated Vehicles, Wireless Sensors & Systems • International Society of Automation (ISA) – ISA99 Committee, Co-Chair (ISA/IEC 62443 Standard Series) – ISA99-WG2, Co-Chair (ICS Security Program)
  • 3. What is Network Security Monitoring? • “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.” • “a way to find intruders on your network and do something about them before they damage your enterprise.” The Practice of Network Security Monitoring, Richard Bejtlich
  • 4. What is Security Information and Event Management? • SIEM products and services provide “real-time analysis of security alerts generated by network hardware and applications.” –Data aggregation –Correlation –Alerting –Dashboards –Compliance –Retention –Forensics analysis Wikipedia
  • 5. This is NOT A Talk About NSM or SIEM • Richard Bejtlich has some good books on NSM • Chris Sistrunk has some really good presentations on NSM for ICS • <Pick_a_search_engine> and vendors have information on both NSM and SIEM –As always, take it with a grain of salt
  • 6. When NSM Won’t Work? • “…if you can’t observe the traffic that you care about, NSM will not work well.” • “Node-to-node activity, though, is largely unobserved at the network level.” The Practice of Network Security Monitoring, Richard Bejtlich
  • 7. Example ICS/SCADA Network: Upper-Level Architecture • Most Traffic Crosses Zone Boundaries • Less ICS-Specific Protocols • More Common Platforms
  • 8. NSM Works Great in Upper-Level Architecture • Most traffic crosses zone boundaries – Network traffic can be observed • Less ICS-specific protocols – Less ICS-specific protocol knowledge needed to analyze – More available automated network traffic analyzers • More common platforms – Some platforms allow NSM agents – Security logs available
  • 9. Example ICS/SCADA Network: Lower-Level Architecture • Most Traffic Remains Within Zone • Mostly ICS- Specific Protocols • ICS-Specific Platforms
  • 10. NSM Doesn’t Work As Well in Lower-Level Architecture • Most Traffic Remains Within Zone – Traffic doesn’t generally flow through NSM sensors – Most traffic remains in smaller segregated segments within zone • Mostly ICS-specific protocols – More ICS-specific protocol knowledge to analyze – Less available automated tools to analyze, if any at all • ICS-specific platforms – Non-standard OS on ICS-specific hardware – Some standard OS exist, with vendor-recommended limitations
  • 11. NSM Doesn’t Work As Well in Lower-Level Architecture • ICS/SCADA equipment was generally not designed with security in mind – Devices aren’t capable – Information doesn’t exist – Hardware platforms are minimalistic designs
  • 13. Network Reliability Monitoring • Negative indicators don’t tell whole story – Absence of security reports doesn’t indicate everything is working properly • Develop a “known-good” set of traffic signatures – FAT, SAT, commissioning, system changes, periodic testing, etc. – Continuous monitoring possible • Compare periodic scans to “known-good” signatures • Look for deviations from norm – New traffic streams – Traffic streams performing different than expected – Traffic anomalies
  • 14. Network Reliability Monitoring Can Be Simple • Complex algorithms not necessary – Hardest part can be isolating traffic streams – Your Wireshark Fu needs to be strong in many cases – Measurement metrics relatively simple (Jitter & Latency) • Free and low-cost tools exist – Wireshark for traffic stream processing – Spreadsheets for metric analysis • Basic charts & graphs are easy to generate
  • 15. Network Reliability Monitoring Can Be Incredibly Hard • Detailed analysis takes knowledge of ICS-protocols – Inner working – Quirks & idiosyncrasies • Root cause analysis is incredibly difficult – Device real-time architecture – Network performance issues – Lack the tools & techniques to investigate many issues • Automating the analysis process can be difficult – Building in process knowledge to algorithms
  • 16. So… What Can You See? Expected Frequency *Jitter is Variation From Expected Frequency ~10ms Mean Measured Packet Interval ±400µs Jitter*
  • 17. So… What Can You See? ~10.4ms Mean Measured Packet Interval ±400µs Jitter* Wider Distribution More Peaks in Histogram
  • 18. So… What Can You See? ~1ms Mean Measured Packet Interval ±10µs Jitter* Beat Patter @ ~30s
  • 19. So… What Can You See? ~2ms Mean Measured Packet Interval ±1ms Jitter* Beat Patter @ ~50s
  • 20. So… What Can You See? • OS & application operations – Garbage collection – Antivirus checks & updates – On-screen operator commands • Network anomalies – Network EMI interference – Signal degradation – Flaky connections • Security-related incidents
  • 21. Man-In-The-Middle Testing • Kali Linux VM – Ettercap – ARP Poisoning – All default settings (script-kiddy style) • Captured traffic off mirror port • PLC to I/O – EtherNet/IP™ – 10ms frequency • MITM against PLC
  • 22. MITM Testing – Source IP Address was I/O Block ~10ms Mean Measured Packet Interval ±400µs Jitter*
  • 23. MITM Testing – Source Address was PLC
  • 24. MITM Testing – Results • PLC and I/O block didn’t care – Both devices continued transmitting in the presence of MITM attack – Likely due to multicast EtherNet/IP protocol • When PLC traffic isolated from MITM, it showed no change in performance • Ettercap scripts to modify command signals generated – Increase sequence number – Modify output commands to I/O block • Checked captures without seeing red-flags – VirusTotal – NetworkMiner – Bro
  • 25. Summary • NSM is good – If you are doing it great – If not, maybe you should • NSM can’t detect everything, especially for ICS/SCADA networks • There are ways to measure network reliability in the lower layers – ICS/SCADA networks are particularly well suited to this
  • 26. Questions & Comments? • Jim Gilsinn • Senior Investigator, Kenexis • +1-614-323-2254 • Jim.Gilsinn@Kenexis.com • @JimGilsinn