Experiment Simulated Attacks On Natural Gas Plant

ICS/SCADA experts test continuous monitoring approach as a way to spot denial-of-service, malware, and other attacks

An experiment conducted by ICS/SCADA security experts reveals how utilities could spot malware and cyberattacks on their automation environments on the fly merely by continuously monitoring the customarily predictable behaviors of those networks and systems.

ICS/SCADA automation networks -- unlike typical IT networks -- operate with predictable bandwidth usage, traffic patterns, and CPU usage, so any anomaly or departure from the norm indicates something's awry -- a malware infection, DDoS, brute-force attack, or even a random equipment failure, experts say.

Security experts from ICS/SCADA consulting and services firm TI Safe recently built a testbed of a simulated natural gas plant ICS/SCADA network to see whether continuous monitoring could flag attacks. The researchers captured the baselines, or quality-of-service parameters, of the simulated network, and waged denial-of-service, malware, ARP poisoning, and remote shell attacks on the simulated industrial network that included a programmable logic controller (PLC) and supervisory station system. They used open-source tools such as nmap to watch for any uncharacteristic activity or behaviors of the systems, and spotted blatant changes when the attacks hit.

They got some dramatic results: Their nmap scans, for instance, displayed a marked spike in incoming and outgoing traffic with the PLC. Overall, they found, continuous behavior monitoring was more effective than traditional signature-based defenses.

"We infected machines in the environment and made some errors in the switch ... to give us evidence on how it would report switch failure and malware infection," says Marcelo Branquinho, executive director at TI Safe, who worked on the experiment.

[Test network aims to simulate real-world effects of attacks on critical infrastructure to help power plants and other operators better lock down their environments. See SCADA 'Sandbox' Tests Real-World Impact Of Cyberattacks On Critical Infrastructure.]

In a white paper recently published on their research, Branquinho and Jan Seidl included graphical data generated by the open-source Zabbix monitoring tool that shows obvious and unusual traffic spikes detected by their nmap open-source scanner when rogue traffic was sent to the PLC. "In a normal situation, nothing happens -- there's a straight line" for the traffic, Branquinho says. "When something goes wrong, you have some spikes."

The testbed included a Wago 741-800 PLC and some hardware simulating an industrial natural gas plant using a TofinoScada Security Simulator, a Windows 7-based supervisory station, a Debian Linux 6-based monitoring server, two virtual machines, and a Debian Linux 6-based Modbus traffic sniffer server. The Zabbix monitoring software ran on Debian Linux with MySQL 5.1 as the back-end.

The "attacker" machine was a Linux-based HP laptop that unleashed ICMP flood denial-of-service attacks, remote access shell exploits via Metasploit Meterpreter, and Address Resolution Protocol (ARP) poisoning attacks.

"Once the irregular network traffic has been captured and analyzed by the monitoring software, the security team will use the data dumps to assess what is really happening on the network. The anomalous traffic is compared to traffic from baseline to provide important information about which servers (or equipment) are generating the anomalous traffic, ports and services that may be involved, and which network protocols are being used," the researchers wrote in their report.

Jim Butterworth, CSO at HBGary, says he believes the continuous monitoring approach makes sense for the ICS/SCADA environment. "Their experiment was very controlled, in a small sandbox, but I think it could scale" to large infrastructures, he says. "It's very feasible to normalize the behavior of a Windows box," for example, because its purpose would be very specific in a process control network, he says. "Getting to the norm [in these environments] completely makes sense, even down to the Modbus traffic."

This approach could help catch a worm attack like Stuxnet, too: The peer-to-peer communication method used in these types of attacks would be spotted, Branquinho says. An infection would show response time changes uncharacteristic of the network, for example. "We're talking about real-time networks with a very fixed response time. If a device responds in 10 seconds and then starts to respond in 20 seconds, something is happening to it," he says.
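An added illustration of the baseline-comparison idea that runs through the experiment: the predictable-traffic point, the report's comparison of anomalous traffic against the baseline to attribute it to hosts, ports and protocols, and the 10-second-to-20-second response-time change Branquinho describes. This is example code, not TI Safe's or Zabbix's; every host, metric and sample value is constructed.

```python
"""Baseline-vs-live anomaly check for a small ICS network, in the spirit of
the TI Safe experiment. Example code only; all data below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: per-minute samples of PLC traffic (packets in/out on
# Modbus TCP/502) and Modbus poll response time in seconds, captured while
# the simulated plant ran normally. Values are invented for the example.
BASELINE = {
    "plc_pkts_in":  [120, 118, 122, 121, 119, 120, 123, 117],
    "plc_pkts_out": [118, 119, 120, 121, 117, 120, 119, 118],
    "plc_resp_s":   [10.1, 9.9, 10.0, 10.2, 9.8, 10.0, 10.1, 9.9],
}

def baseline_stats(samples):
    """Mean and population std-dev of a metric's baseline. An ICS metric that
    barely varies gets a 1% floor so a real change still scores as one."""
    mu = mean(samples)
    floor = 0.01 * abs(mu) if mu else 0.01
    return mu, max(pstdev(samples), floor)

def deviation(metric, value, baseline=BASELINE):
    """How many baseline std-devs a live sample sits from its mean (z-score)."""
    mu, sigma = baseline_stats(baseline[metric])
    return (value - mu) / sigma

def flag_sample(metric, value, threshold=3.0):
    """True when a live sample leaves the predictable band (|z| > threshold)."""
    return abs(deviation(metric, value)) > threshold

def attribute_flows(flows):
    """Aggregate constructed flow records (src, dst, dport, proto, pkts) from
    the anomalous interval per (src, dport, proto), largest first, so the
    analyst sees which host, port and protocol drove the spike."""
    totals = defaultdict(int)
    for src, _dst, dport, proto, pkts in flows:
        totals[(src, dport, proto)] += pkts
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    # Live samples during a constructed ICMP flood against the PLC.
    print(flag_sample("plc_pkts_in", 4800))   # flood: True
    print(flag_sample("plc_resp_s", 20.0))    # 10 s -> 20 s: True
    print(flag_sample("plc_pkts_out", 121))   # still normal: False
    flows = [("192.0.2.50", "192.0.2.10", 0, "icmp", 4600),
             ("192.0.2.20", "192.0.2.10", 502, "tcp", 121)]
    print(attribute_flows(flows)[0])  # (('192.0.2.50', 0, 'icmp'), 4600)
```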

Stuxnet appeared to have sabotaged the supervisory screen used by the operator watching the centrifuges, so the attack was masked, notes Branquinho. "If they simply trusted the supervisory screen ... you wouldn't see the attack happening because you wouldn't know that the speed of centrifuges had changed," he says. Monitoring the parameters of the actual devices and their traffic would flag that something had gone wrong, according to Branquinho.

Most automation network operators running firewalls and intrusion prevention systems aren't inspecting their logs today, he says. "People should have some tools to integrate all of the logs and to generate human alerts," he says.

Open-source tools are an option for building out a continuous monitoring environment in ICS/SCADA today, the researchers say in their report. "For industrial automation environments, with their unusual protocols, there are few commercial tools available for purchase, and the customization of an open source tool that fits the monitoring needs should be considered."

But it's not just a matter of downloading and firing up an open-source monitoring tool. "You've got to have some knowledge to understand what could happen to the environment. Which risks is the environment exposed to?" Branquinho says.

And for some highly regulated utilities, dropping in an open-source tool isn't a given, warns HBGary's Butterworth. "Everything is so controlled," he says, so not all tools would be authorized under regulatory rules.

The full report on TI Safe's experiment is available here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading.

Reader comment from DDoS Protection (User Rank: Apprentice), 7/9/2013 3:04:45 PM, re: Experiment Simulated Attacks On Natural Gas Plant:
Interesting method to identify a DDoS attack. You can then react faster to the threat and mitigate the DDoS.