I attended the Swedish industrial cyber security conference 4SICS last month, where I also gave a one-day class on analyzing network traffic. 4SICS is the the leading Industrial Control System (ICS) security conference in Europe, which brings in speakers and attendees from all around the world.
Here's my summary on the conference and the status of where Europe and the world is at for Industrial Control Systems.
I have for several years been encouraging companies that run ICS to continuously capture full content network traffic in their networks. The primary benefit of doing so is to enable forensic analysis of the network traffic in case there has been an intrusion in their networks. This doesn't just apply to hacker attacks, it is also possible to detect and investigate malware infections with help of captured network traffic. Unfortunately, very few companies in the ICS field have deployed sniffers in their control systems, but it seems as if this is about to change. During 4SICS this year several presenters gave talks about success stories where captured network traffic was being used to find intrusions and malware in ICS networks.
Chris Sistrunk and Robert Caldwell delivered a talk titled "Missing the obvious: Network Security Monitoring for ICS," where they mentioned a case where network security was the driver for deploying packet sniffers in a plant. Later on it turned out that IT operations also had a lot to benefit from having access to captured network traffic, since it allowed them to detect misconfigured servers, clients and embedded devices on their networks. Chris and Robert also pointed out that the deterministic nature of ICS network traffic make it easy to find malicious traffic caused by malware.
Another presenter who used similar tactics was Robert M. Lee, who did a great talk titled, “Asset Identification and Network Security Monitoring in ICS Networks.” In his talk Robert mentioned that he could find malware in ICS networks simply by looking for deviations in the network traffic. Robert also mentioned the problems involved with applying security patches to machines in control systems. Robert said "If you can't patch it, at least monitor it," which is a very sane approach for how to handle situations where critical systems cannot be patched.
The 4SICS conference used an app poll during each talk, which gave some some interesting responses. For example, we could see that 13% answered that they had implemented a solution for network security monitoring in their control systems. So, what's stopping the other 87% of ICS network owners from capturing their network traffic?
One might argue that the harsh environments that many ICS network run in (water treatment plants, power plants, transformer stations, oil rigs etc.) are not suited for traditional IT appliances designed for climate controlled data centers. However, there is no need to buy an appliance to capture network traffic. All that is needed is a basic linux server running an open source packet sniffer.
For people like me that have high requirements for reliability and minimal packet loss in their capturing setups, a monitor port on a switch is not the preferred method for accessing network traffic. I always prefer a proper network TAP over having a switch with a monitor port.
The industrial Ethernet sector has unique requirements for network access, including 35mm DIN rail support and 24V power connectors, IP ratings for humidity, dust, and other environmental concerns that our indicative of industrial settings.
I’ve been working with Garland Technology on adapting their current line of 10M/100M and 10M/100M/1000M passive TAPs for the function and physicality of industrial networks, which, at the time of this post, is scheduled for release in early 2016.
I'm really looking forward to seeing such a DIN rail mounted network tap in the ICS lab at 4SICS 2016!
To learn more about the differences of network access, read Tim O'Neill's white paper, titled "TAP vs. SPAN".