Perimeter

1/8/2015
07:10 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Using Free Tools To Detect Attacks On ICS/SCADA Networks

ICS/SCADA experts say open-source network security monitoring software is a simple and cheap way to catch hackers targeting plant operations.

Operators at Iran's Natanz nuclear facility might well have caught Stuxnet before it spread and sabotaged operations at the plant if they had been watching the wires for anomalous network traffic, a pair of ICS/SCADA experts say.

Rob Caldwell and Chris Sistrunk of Mandiant, a FireEye company, say network security monitoring is a simple and inexpensive technique for detecting attack attempts against power plants and other ICS/SCADA environments. Various free open-source monitoring tools can help spot unusual file traffic or command and control communications.

"NSM would have caught" Stuxnet, says Sistrunk, senior consultant with Mandiant's ICS practice. It would have shown, for example, the infamous malware getting updated, he says.

"Any time a PLC gets a new code update, [for example], and if you were aware of your files, you could see that file go across the wire," he says.

Sistrunk and Caldwell, principal consultant with Mandiant, say network security monitoring also could catch the infamous Havex and BlackEnergy malware associated with attacks on ICS/SCADA networks, for example. The monitoring technique could be set to detect known indicators of compromise, says Caldwell, who with Sistrunk next week at the S4 Conference in Miami will school ICS/SCADA operators on the use of open-source NSM for their networks.

"We're really just trying to evangelize, getting folks to start looking at what's going in their [industrial] control systems. You can do all of this stuff with open source [tools] out there. And if you want to take advantage of automation and some GUIs, you can look at commercial software" as well, Caldwell says.

Passive network security monitoring isn't new to the traditional IT network space, and security experts such as Richard Bejtlich, chief security strategist for FireEye, have recommended it for some time as a key element to incident response. Sistrunk and Caldwell say it's a perfect fit for the ICS environment because it's non-intrusive, so there's no risk of it disrupting critical processes or operations.

"It all comes back to the premise … know your network," Caldwell says. That means watching the flows of traffic and knowing what's normal and what's not, and drilling down into what types of sessions and transactions occur, he says. "Not just looking at data, but at any extracted content, what kind of files are spreading around the network, and what Web pages are being hit or DNS servers are being resolved," he says.

"A network-centric point of view gives a lot of clues to tie into seeing if anything has been compromised," he says.

There are several open source network security monitoring tools; Caldwell and Sistrunk at S4 will demonstrate a set of tools from the open-source Security Onion Linux suite, including Wireshark, NetworkMiner, Bro, and Snorby, for network monitoring and intrusion detection.

Few ICS/SCADA operators today employ network security monitoring. Dale Peterson, CEO at ICS/SCADA consulting firm Digital Bond and host of the S4 Conference, says some large oil companies and other critical infrastructure operators with more mature security programs employ NSM. "NSM is a huge tool," Peterson says, especially for helping an organization detect and recover quickly from an attack or attempt. "It depends on the maturity of the ICS security program. So we typically don't recommend it unless you have good perimeter [security] and the ability to recover" from an attack, he says.

Peterson says it's relatively simple to institute network security monitoring in an ICS network. "Communications going to and from PLCs … should be very consistent," so it would catch any unusual traffic, he says.

"If you want to keep it simple, just do log management and alerting," Peterson says. The next level of monitoring would be the use of commercial monitoring tools commonly found in security operations centers such as SIEM and IDS/IPS, he notes.

Open-source NSM isn't a set-it-and-forget-it process, though. "The fundamental thing is you've got to have people involved, using their intel to be able to say 'this is not  normal'" traffic, Caldwell says. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.