Given the extent of cyber attacks on organizations that employ Industrial Control Systems (ICS), you should assume that there is a good chance someone will try to break into your network and cause disruptions that may affect its safety and reliability. It’s not a question of if, but when.
To prevent such an attack and its consequences, my recommendation is that ICS-based companies run a simple security assessment on their ICS networks before resorting to hiring a six-figure consultancy firm.
The basic security assessment consists of a number of simple steps that do not require any cybersecurity expertise; it does, however, require some pre-planning.
In general, the security assessment verifies that the network behaves the way it was designed to, and that there are no vulnerabilities that could harm or disrupt processes, or allow unauthorized changes to network activity.
The five steps to a successful security assessment are:
- Reviewing the existing network plan
- Recording the network traffic
- Processing the recorded data
- Comparing the processed data with the network plan
- Detecting vulnerabilities in the network
Reviewing the planned network structure
The network structure review includes a deep analysis of the ICS network plan, focusing on the underlying architecture of the ICS network: the integration between the IT and OT networks, vendors, internal connections, external connections, maintenance tasks and more.
Once the structure is approved by the operator, you’re ready to move on to the next stage.
Recording network traffic
The purpose of the second stage is to understand what is actually running on the ICS network. All ICS network traffic is recorded using a device that connects to your network through passive port mirroring, so that the capture itself cannot disrupt the network. Once the device is connected to a switch and port mirroring is configured on that switch, all network traffic is recorded using a tool such as tcpdump.
Processing the recorded data
This step is intended to make the recorded traffic legible, so that it can be compared with the network structure as initially planned.
Using tools such as Wireshark, the operator is able to view the PCAP files in an intuitive way and gain an understanding of the network behavior.
The data that needs to be extracted for the comparison between the actual traffic and the network plan includes:
- Communication between devices
- Type of protocols between devices
- Ports used during each session including information about the function codes for industrial protocols
- How long each device is present on the network (first and last time it is seen)
- Type of devices, by vendor
- Traffic generated by devices
Comparison between actual data and plan
After processing the data, the next stage is verifying that the network is running according to the planned structure as designed. This stage requires extreme accuracy, since this is where unauthorized activities are detected. The result of this stage is a list of all suspicious findings, e.g. unknown IP addresses, unplanned links and protocols, and devices that generate unusually large amounts of traffic.
Discovery of vulnerabilities
In the final step, the list created in the comparison stage is analyzed to determine whether each suspicious item was the result of human error (e.g. a network manager who forgot to close a network access port opened for a technician for a specific maintenance task, which of course should have been closed as soon as the maintenance operation ended) or of malicious activity.
When malicious activity is detected, such as an unauthorized connection to an unknown IP address, my recommendation is to hire a firm that specializes in cases like these. However, even before they begin their work, there are a few things we can do:
- Determine whether the malicious activity has disrupted network processes
- Check whether the IP address that the unauthorized connection communicated with lies outside the ICS network boundaries
- Search online for more information about the unknown IP address, for example on the ICS-CERT website, and check whether other devices are trying to reach the same IP address.
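The processing, comparison and boundary checks described above can be done with a short script once the capture has been reduced to flow records. The following Python is an added example, not part of the original article: it assumes the flow records have already been exported from the PCAP (for example from Wireshark's Conversations view or with tshark), that the approved network plan has been written down as an allowlist of devices and links, and that the ICS address space is known. All addresses, device names, function codes and the traffic threshold are constructed for illustration.

```python
"""Build a traffic inventory from flow records and compare it with the approved network plan."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: float            # time the flow was seen, epoch seconds
    src: str
    dst: str
    proto: str           # e.g. "modbus", "dnp3", "https"
    dport: int
    nbytes: int
    func: Optional[int] = None   # industrial protocol function code, when decoded


# Constructed sample records standing in for flows exported from a tcpdump/Wireshark capture.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.0.1.10", "10.0.1.20", "modbus", 502, 120, 3),
    Flow(1005.0, "10.0.1.10", "10.0.1.20", "modbus", 502, 118, 3),
    Flow(1010.0, "10.0.1.10", "10.0.1.21", "modbus", 502, 130, 16),
    Flow(1020.0, "10.0.1.50", "10.0.1.20", "modbus", 502, 95, 6),          # device not in the plan
    Flow(1030.0, "10.0.1.21", "203.0.113.7", "https", 443, 50000, None),  # address outside the ICS range
    Flow(1040.0, "10.0.1.20", "10.0.1.10", "modbus", 502, 110, None),
]

# The approved network plan (constructed): ICS address space, known devices and allowed links.
ICS_NETWORKS = [ip_network("10.0.1.0/24")]
PLAN_DEVICES = {"10.0.1.10": "HMI", "10.0.1.20": "PLC-A", "10.0.1.21": "PLC-B"}
PLAN_LINKS = {  # (src, dst) -> allowed (protocol, port) pairs
    ("10.0.1.10", "10.0.1.20"): {("modbus", 502)},
    ("10.0.1.10", "10.0.1.21"): {("modbus", 502)},
    ("10.0.1.20", "10.0.1.10"): {("modbus", 502)},
}
MODBUS_WRITE_CODES = {5, 6, 15, 16}   # write coils/registers: a write from an unplanned source matters most
TRAFFIC_THRESHOLD_BYTES = 10_000      # constructed threshold for "large amount of traffic"


def build_inventory(flows):
    """Step 3: derive per-device and per-link facts (first/last seen, bytes, protocols, function codes)."""
    inv = {
        "devices": defaultdict(lambda: {"first": None, "last": None, "bytes": 0}),
        "links": defaultdict(set),   # (src, dst) -> {(proto, port)}
        "funcs": defaultdict(set),   # (src, dst) -> {function codes}
    }
    for f in flows:
        for ip in (f.src, f.dst):
            d = inv["devices"][ip]
            d["first"] = f.ts if d["first"] is None else min(d["first"], f.ts)
            d["last"] = f.ts if d["last"] is None else max(d["last"], f.ts)
        inv["devices"][f.src]["bytes"] += f.nbytes          # traffic generated by the sender
        inv["links"][(f.src, f.dst)].add((f.proto, f.dport))
        if f.func is not None:
            inv["funcs"][(f.src, f.dst)].add(f.func)
    return inv


def in_ics_boundary(ip):
    """Step 5 check: does the address belong to the ICS network as planned?"""
    return any(ip_address(ip) in net for net in ICS_NETWORKS)


def compare_with_plan(inv):
    """Step 4: list everything the plan does not account for, as (kind, subject, detail) tuples."""
    findings = []
    for ip, d in inv["devices"].items():
        if ip not in PLAN_DEVICES:
            where = "inside" if in_ics_boundary(ip) else "OUTSIDE"
            findings.append(("unknown-device", ip, f"{where} ICS boundary, seen {d['first']}-{d['last']}"))
        if d["bytes"] > TRAFFIC_THRESHOLD_BYTES:
            findings.append(("high-traffic", ip, f"{d['bytes']} bytes sent"))
    for (src, dst), services in inv["links"].items():
        allowed = PLAN_LINKS.get((src, dst))
        if allowed is None:
            detail = ", ".join(f"{p}/{port}" for p, port in sorted(services))
            findings.append(("unknown-link", f"{src}->{dst}", detail))
            continue
        for proto, port in services - allowed:
            findings.append(("unexpected-protocol", f"{src}->{dst}", f"{proto}/{port}"))
    for (src, dst), codes in inv["funcs"].items():
        writes = codes & MODBUS_WRITE_CODES
        if (src, dst) not in PLAN_LINKS and writes:
            findings.append(("unplanned-write", f"{src}->{dst}", f"function codes {sorted(writes)}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in compare_with_plan(build_inventory(SAMPLE_FLOWS)):
        print(f"{kind:20} {subject:28} {detail}")
```

Run against the sample records, the script reports the unplanned device 10.0.1.50 (inside the ICS range, and writing to a PLC), the connection from PLC-B to 203.0.113.7 (outside the ICS boundary), the two unplanned links, and PLC-B as a high-traffic sender. Replacing the constructed allowlist with your own plan from step 1 turns the same script into the comparison of step 4; anything it lists is the input to the human-error-or-malice analysis of step 5.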