In this post I will describe the usage of an IDS (Intrusion Detection System) tool for achieving Network Visibility in ICS networks.
This post will be divided into two sections. First, I will cover the operational and security needs in Network Monitoring. Second, I’ll describe the package within the Radiflow IDS which monitors the ICS network.
The need for ICS Visibility
When it comes to operational excellence, perhaps the most important thing an operator needs to do is to become familiar with all of his network assets through extensive Network Monitoring. Knowing your networked assets—their type, communication channels and protocols—makes up the basis for managing the ICS network. Field engineers will sometimes connect devices to the network, whether their PC or test equipment, and the operations manager would often fail to document those new devices. The difficulty of automating the asset management process in modern ICS networks is on the rise in most utilities we speak with.
From the Cyber-Security perspective, the operator needs to maintain control over the network – during normal, uneventful operation hours, and more so when an attack on the network is suspected. It’s no surprise, then, that excellent Cyber-Security Management starts with excellence in Asset Management.
The security aspect of network monitoring in ICS networks is a major concern, as reflected in many governing bodies’ recommendations. NIST pointed out that “Without regular security monitoring, incidents might go unnoticed, leading to additional damage and/or disruption,” and that “unknown connections into the ICS can leave a backdoor for attacks.” In addition, NERC CIP requires that operators conduct periodic audits of their network assets.
However, network monitoring, if not done correctly, can present in itself a risk to ICS networks. The traditional IT method of network monitoring involves the active scanning and interrogation of IP devices. This active method, in ICS networks, may influence the operational communication channels. In addition, several controllers do not react well to such scanning, which may cause them to shut down. Applying network monitoring to ICS networks, then, would require more passive methods.
The Network Visibility Package in Radiflow IDS
Radiflow’s Situational Awareness IDS includes a Network Visibility package. This package is responsible for passively monitoring the operational assets inside the ICS network, to help the operator detect new devices. The IDS’s passive monitoring of the network also helps the operator detect new sessions, such as attempts to connect to controllers, spoofed IP addresses and network scanning.
Once deployed, the package starts self-learning the ICS network. No configuration is needed, and the operator can easily view the resulting network map and audit the results. The operator can also add devices and communication links that were not active during the learning phase, and he is able to configure an activity policy for each session that will be monitored using the Policy Monitor package (which will be described in a future post).
At the end of the learning phase the Network Visibility engine creates a baseline for monitoring changes in the network behavior. With this baseline the IDS is able to detect anomalies, which may indicate a cyber-incident or an undocumented change in the network (such as adding or removing devices). As the package is passive, it does not present any risk to the operational network.
To correctly monitor the network, the package is built upon a foundation of a deep-packet-inspection analyzer. The analyzer, which was designed specifically for parsing ICS protocols, parses each industrial packet and extracts the industrial details, such as unit IDs, I/O addresses, function codes and other. Without it, the network would be seen as a collection of IP entities (e.g. PCs), while in fact, these IP entities represent industrial devices with master/slave relations.
In summary, the feature highlights of the Network Visibility Package are:
- Passive monitoring of the network
- Self-learning of the network map
- Detection of new entities and services
- Using a DPI analyzer for ICS protocols
- Generation of alerts upon changes in the network map
- API for retrieving network asset information