TAP Into Technology


4SICS Conference Recap on Industrial Control Systems

Posted by Erik Hjelmvik | 11/16/15 9:02 AM

I attended the Swedish industrial cyber security conference 4SICS last month, where I also gave a one-day class on analyzing network traffic. 4SICS is the leading Industrial Control System (ICS) security conference in Europe, which brings in speakers and attendees from all around the world.

Here's my summary of the conference and of where Europe and the world stand on Industrial Control Systems.

I have for several years been encouraging companies that run ICS to continuously capture full content network traffic in their networks. The primary benefit of doing so is to enable forensic analysis of the network traffic in case there has been an intrusion in their networks. This doesn't just apply to hacker attacks; it is also possible to detect and investigate malware infections with the help of captured network traffic. Unfortunately, very few companies in the ICS field have deployed sniffers in their control systems, but it seems as if this is about to change. During 4SICS this year several presenters gave talks about success stories where captured network traffic was being used to find intrusions and malware in ICS networks.

"If you know what your traffic looks like these things stick out like a sore thumb" - Chris Sistrunk and Robert Caldwell at 4SICS 2015

Chris Sistrunk and Robert Caldwell delivered a talk titled "Missing the obvious: Network Security Monitoring for ICS," where they mentioned a case where network security was the driver for deploying packet sniffers in a plant. Later on it turned out that IT operations also had a lot to benefit from having access to captured network traffic, since it allowed them to detect misconfigured servers, clients and embedded devices on their networks. Chris and Robert also pointed out that the deterministic nature of ICS network traffic makes it easy to find malicious traffic caused by malware.

Rob Caldwell and Chris Sistrunk at 4SICS

Another presenter who used similar tactics was Robert M. Lee, who gave a great talk titled “Asset Identification and Network Security Monitoring in ICS Networks.” In his talk Robert mentioned that he could find malware in ICS networks simply by looking for deviations in the network traffic. Robert also mentioned the problems involved with applying security patches to machines in control systems. Robert said "If you can't patch it, at least monitor it," which is a very sane approach for how to handle situations where critical systems cannot be patched.
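The deviation-based approach both talks describe can be sketched as a baseline comparison. This is an added example, not code from the talks or from this post; it assumes flow tuples have already been extracted from the captured traffic, and the record format, addresses and category names are constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

def parse_flows(text):
    """Parse 'src dst proto dport' lines; '#' starts a comment."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [Flow(r[0], r[1], r[2].lower(), int(r[3])) for r in rows if r]

def build_baseline(flows):
    """Learn the conversations seen during a known-good capture window."""
    return {"flows": set(flows),
            "pairs": {(f.src, f.dst) for f in flows},
            "hosts": {h for f in flows for h in (f.src, f.dst)}}

def classify(flow, base):
    """Return why a flow deviates from the baseline, or None if expected."""
    if flow in base["flows"]:
        return None
    if flow.src not in base["hosts"]:
        return "new-host"      # a device never seen on this network
    if (flow.src, flow.dst) not in base["pairs"]:
        return "new-peer"      # known device talking to a new destination
    return "new-service"       # known pair, new protocol or port

def deviations(flows, base):
    """Deduplicated (reason, flow) pairs in first-seen order."""
    out = {}
    for f in flows:
        reason = classify(f, base)
        if reason:
            out.setdefault(f, reason)
    return [(reason, f) for f, reason in out.items()]

# Constructed sample flow records (not from any real capture).
BASELINE = parse_flows("""
10.0.1.10 10.0.1.20 tcp 502   # HMI polling a PLC over Modbus/TCP
10.0.1.30 10.0.1.20 tcp 502   # historian reading the same PLC
""")
TODAY = parse_flows("""
10.0.1.10 10.0.1.20 tcp 502
10.0.1.10 10.0.1.20 tcp 23
10.0.1.30 203.0.113.7 tcp 443
10.0.1.99 10.0.1.20 tcp 502
10.0.1.30 203.0.113.7 tcp 443
""")
if __name__ == "__main__":
    for reason, f in deviations(TODAY, build_baseline(BASELINE)):
        print(f"{reason:12} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Because a control network's set of conversations changes rarely, the baseline stays small and every deviation is worth a look; each reason string suggests where to start triage.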

The 4SICS conference used an app poll during each talk, which gave some interesting responses. For example, we could see that 13% answered that they had implemented a solution for network security monitoring in their control systems. So, what's stopping the other 87% of ICS network owners from capturing their network traffic?

Harsh Environments are Just One Concern of ICS Networks

One might argue that the harsh environments that many ICS networks run in (water treatment plants, power plants, transformer stations, oil rigs etc.) are not suited for traditional IT appliances designed for climate-controlled data centers. However, there is no need to buy an appliance to capture network traffic. All that is needed is a basic Linux server running an open source packet sniffer.

For people like me that have high requirements for reliability and minimal packet loss in their capturing setups, a monitor port on a switch is not the preferred method for accessing network traffic. I always prefer a proper network TAP over having a switch with a monitor port.

The industrial Ethernet sector has unique requirements for network access, including 35mm DIN rail support and 24V power connectors, IP ratings for humidity, dust, and other environmental concerns that are indicative of industrial settings.

I’ve been working with Garland Technology on adapting their current line of 10M/100M and 10M/100M/1000M passive TAPs for the function and physicality of industrial networks, which, at the time of this post, is scheduled for release in early 2016.

I'm really looking forward to seeing such a DIN rail mounted network tap in the ICS lab at 4SICS 2016!

35mm Din Rail Mount Network TAP by Garland Technology

To learn more about the differences of network access, read Tim O'Neill's white paper, titled "TAP vs. SPAN". 

 

Topics: Network Security, Network Visibility/Monitoring, Industrial Ethernet

Written by Erik Hjelmvik

Erik Hjelmvik is an experienced incident handler and software developer who has specialized in network forensics and network security monitoring. Erik is also known in the network forensics community for having created NetworkMiner, which is an open source network forensics analysis tool. Since the release of NetworkMiner in 2007 it has become a popular tool among incident response teams and law enforcement. Today, NetworkMiner is used by companies and organizations all over the world and is included on popular live-CDs such as Security Onion and REMnux. Erik is also one of the founders behind the Swedish company Netresec, which is an independent software vendor with spearhead competence in network security monitoring and network forensics. Netresec develops and sells software products specially designed to capture and analyze network traffic on the wire as well as in pcap files.