Detecting Problems in Industrial Networks Through Continuous Monitoring, Level 301 (Marcelo Ayres Branquinho)
DESCRIPTION
Each SCADA network, in a healthy state, presents a specific quality of service (QoS) which rarely changes, given the repetitive nature of IACS operations. Continuous monitoring of the QoS parameters of an automation network can anticipate problems such as malware contamination and failures of equipment such as switches and routers. It is very important to be aware of these changes in behavior in order to receive alerts and handle them promptly, avoiding incidents that could compromise the operation of the network and be financially or environmentally costly. In this session Mr. Branquinho presents the results of tests that measured the performance parameters of a simulated automation network using a small SCADA network sandbox. First, the normal operating parameters of the network were measured. Next, several attacks were launched against the simulated automation network. At the conclusion of the work, the graphs of the network in its healthy state were compared with the graphs of the network under the security incidents described above. The session shows how the network parameters were affected by each kind of incident and builds a table showing how the main parameters of an automation network were affected by the attacks.
TRANSCRIPT
www.tisafe.com | TI Safe Segurança da Informação LTDA, 2007-2008. All rights reserved.
Marcelo Branquinho & Jan Seidl
Detecting problems in industrial networks through continuous monitoring
Presenters
Marcelo Branquinho ([email protected])
• CEO at TI Safe.
• Senior member of ISA and committee member of ANSI/ISA-99.
• Researcher in security technologies to protect critical infrastructure.
Jan Seidl
• Technical Coordinator at TI Safe.
• Expert in risk analysis in automation systems.
• Researcher in the field of malware engineering.
Follow us!
• Twitter: @tisafe
• SlideShare: www.slideshare.net/tisafe
• Facebook: www.facebook.com/tisafe
• Flickr: http://www.flickr.com/photos/tisafe
You don’t have to copy...
http://www.slideshare.net/tisafe
Agenda
• What should be monitored in an automation network?
• Preparation of the monitoring environment.
• The attacks performed.
• Results of monitored attacks.
• Conclusion.
What should be monitored in an automation network?
What to monitor in an automation network?
• The “Health” of critical servers
• Runtime errors in operating systems
• Processes
• High Availability
• Data traffic on industrial protocols
• Controllers (PLCs)
• SNMP traps
• ICMP Packets (Ping)
The “Health” of critical servers
• Critical servers need their stability and continuity of operations ensured.
• Monitoring their health allows certain failures, as well as some malicious compromises, to be prevented based on specific symptoms.
• The main technical features that can be monitored in critical servers are:
  • Free disk space.
  • CPU and memory.
  • Unsuccessful login attempts.
  • Input and output packet rates.
O.S. runtime errors
• Useful in anticipating hardware failures.
• Anticipating failures, in turn, protects the automation technical team from unscheduled stops for component replacement.
• The main runtime errors in operating systems that can be monitored are:
  • Memory allocation.
  • Disk read/write.
  • CPU temperature.
  • Fan speed.
Processes
• Monitoring process stability can contribute in two situations:
  • Alerting the responsible team in case of failures in the execution of critical processes.
  • Restarting the process automatically, when possible.
• It is also recommended to monitor process names and ports that are known to be exploited, such as:
  • RDP
  • HTTP/HTTPS
  • TeamViewer
  • Cmd.exe
  • Windows PowerShell
High Availability
• Aims to minimize the downtime of the monitored resource by anticipating potential failures.
• Link states can be checked to see whether the plant’s network has entered a contingency state.
• The monitoring agent can perform automated tasks when necessary.
Data traffic in industrial protocols
• It is recommended to use port mirroring to monitor data traffic on industrial protocols.
• In the case of Modbus, for example, a network sniffer can be used to monitor several parameters.
• The main parameters to be monitored are:
  • Disallowed function codes.
  • Tag values.
  • Command origin.
  • Sent and received commands.
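As an added example (not the presentation's own Python + Scapy sniffer, whose code is not shown in the deck), the script below decodes Modbus/TCP request frames taken from a mirrored port and checks the parameters listed above: command origin, function code and the tag value of a register write. The allowed master address, the permitted function codes, the tag limits and the three captured frames are all constructed for this example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical monitoring policy for the sandbox (constructed for this example):
# which host may act as Modbus master, which function codes are acceptable from
# it, and the plausible range of each tag it is allowed to write.
ALLOWED_MASTERS = {"192.168.1.10"}        # the supervisory station
ALLOWED_FUNCTION_CODES = {1, 2, 3, 4, 6}   # reads plus "write single register"
TAG_LIMITS = {0: (0, 1000)}                # PDU address 0 (holding register 40001) -> (min, max)


@dataclass
class ModbusEvent:
    src: str
    transaction_id: int
    function_code: int
    register: Optional[int] = None
    value: Optional[int] = None
    alerts: List[str] = field(default_factory=list)


def parse_mbap(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Decode the 7-byte MBAP header; return (transaction id, unit id, function code, data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return tid, unit, frame[7], frame[8:]


def inspect_request(src: str, frame: bytes) -> ModbusEvent:
    """Check one master-to-PLC request against the policy and record the alerts it raises."""
    try:
        tid, _unit, fc, data = parse_mbap(frame)
    except ValueError as exc:
        return ModbusEvent(src, -1, -1, alerts=["malformed frame: %s" % exc])
    event = ModbusEvent(src, tid, fc)
    if src not in ALLOWED_MASTERS:                       # command origin
        event.alerts.append("command origin %s is not an allowed master" % src)
    if fc not in ALLOWED_FUNCTION_CODES:                 # disallowed function code
        event.alerts.append("disallowed function code %d" % fc)
    if fc == 6 and len(data) == 4:                       # tag value of a single-register write
        event.register, event.value = struct.unpack(">HH", data)
        limits = TAG_LIMITS.get(event.register)
        if limits is not None and not limits[0] <= event.value <= limits[1]:
            event.alerts.append("tag value %d for register %d outside %s"
                                % (event.value, event.register, limits))
    return event


# Constructed captures: (source IP, raw Modbus/TCP payload after the TCP header).
SAMPLE_REQUESTS = [
    # supervisory station reads 10 holding registers from address 0: benign
    ("192.168.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # supervisory station writes 5000 to register 0: value outside the tag's range
    ("192.168.1.10", bytes.fromhex("0002 0000 0006 01 06 0000 1388")),
    # unknown host forces a coil on: wrong origin and a write function code not in policy
    ("192.168.1.66", bytes.fromhex("0003 0000 0006 01 05 0000 FF00")),
]


def run_samples() -> List[ModbusEvent]:
    """Inspect every constructed capture and return the resulting events."""
    return [inspect_request(src, frame) for src, frame in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for ev in run_samples():
        print(ev.src, "tid=%d fc=%d" % (ev.transaction_id, ev.function_code), ev.alerts or "ok")
```

In a live deployment the frames would come from the mirrored port (for example via Scapy's sniff callback) and each non-empty `alerts` list would be pushed to the monitoring server as an item value, so that the trigger and alarm machinery described later in the deck can act on it. The policy is deliberately an allow-list: anything not explicitly permitted is reported, which is what makes the approach behavior-based rather than signature-based.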
Controllers (PLCs)
• SNMP monitoring
  • Monitors network I/O, dropped packets, network errors, etc.
  • Offers higher reliability and, based on the errors reported, can point to something wrong that might be happening.
• ICMP monitoring (ping)
  • An alternative when SNMP is not supported by the controller.
  • Used to check connectivity and response time.
  • Limited information, therefore lower accuracy and less reliability.
Preparation of the monitoring environment
The Test Environment
The sandbox mounted inside TI Safe’s laboratory includes:
• A Wago 741-800 PLC
• A simulator of a natural gas plant (Tofino SCADA Security Simulator)
• A Windows 7 station (physical) for the supervisory system
• A virtual machine acting as the monitoring server (Debian Linux 6 with Zabbix)
• A virtual machine acting as the Modbus traffic sniffer server (Debian Linux 6 with a script in Python + Scapy)
The Monitoring Environment
• The monitoring server is a virtual machine running the Debian Linux operating system.
• The open source monitoring solution Zabbix 2.0.6 was downloaded and installed on this server, using MySQL 5.1 as the data backend.
Figure: The network sniffer and its structure
Checking Frequency
• Depending on the load the machine carries, items can be configured to be polled at a defined interval.
• Servers with lighter load can have shorter check intervals (every 15 to 30 seconds).
• Servers with higher load can have longer check intervals (1 minute or more).
• The main idea is to preserve the machine's computational power and the network bandwidth.
Alerting
• Designed to alert the response team.
• Best used when triggered by a set of probes, which reduces the possibility of false positives.
• Can generate sound alerts and display visual signaling on a panel, such as a blinking server.
• The recommended alert channels are:
  • SMS
  • Jabber
The attacks performed
The Attacker Machine
• The attacker machine is an HP laptop directly connected to the plant switch, running Kali Linux 1.0 from a Live-CD.
Below is a list of the software used in the tests:

| Software / Tool | Description | Attack | Author |
| --- | --- | --- | --- |
| Hping3 | ICMP flood tool | Network layer 3 denial of service | http://www.hping.org/ |
| T50 | Flood tool | Network layer 3 denial of service | https://github.com/merces/t50 |
| Meterpreter | Remote access shell | Remote compromise, malware infection | http://www.metasploit.com/ |
| Arpspoof | ARP poison/spoofing tool | ARP poison | http://arpspoof.sourceforge.net/ |
| Pymodbus | Modbus Python library | Unauthorized Modbus traffic | https://github.com/bashwork/pymodbus |
Attacks performed

| Attack | Attack Vector | Target |
| --- | --- | --- |
| Communications interception | ARP poison | PLC, supervisory stations |
| PLC denial of service | Layer 3 network flood, 0day | PLC |
| Supervisory station malware infection | Modbus malware, Meterpreter shell backdoor | Supervisory stations, network |
| Supervisory station compromise | Meterpreter shell backdoor | Supervisory station |
| Unauthorized remote logon | Enabling remote desktop on the machine, accessing it from another machine on the network | Supervisory station |
| Unauthorized Modbus traffic | Sending commands from the attacker machine | PLC |
Results of monitored attacks
Results of monitored attacks
• $ nmap -sV 192.168.1.1
• Communications interception
Results of monitored attacks
• Denial of Service
• Malware infection
Results of monitored attacks
• Unauthorized Modbus traffic
Conclusion
Conclusion
• The homogeneity of the cyclical behavior of industrial networks and servers allows us to establish the 'healthy' network parameters.
• Network and server analysis and application monitoring are critical for the detection of unusual network traffic.
• More tangible results can be achieved through behavior monitoring than through the monitoring of known keywords, the 'signatures'.
• Establishing a traffic baseline in the network control system is necessary for detecting anomalous traffic through the analysis of differences.
• Triggers can be configured to indicate parameters outside the usual data ranges, which can mean a compromise of the assets being monitored.
• Alarms (including sounds) can be configured based on triggers.
• Only a few commercial tools for IACS monitoring are available for purchase, and we recommend customizing an open source tool for your own monitoring needs.
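To make the baseline-and-trigger approach of the conclusion concrete, here is an added example that is not code from the presentation or from Zabbix. It learns a healthy band for a polled item (PLC ICMP response time, supervisory station packet rate) from known-good samples, then fires a trigger only after several consecutive polls fall outside that band, which is the "set of probes" idea from the alerting slide. The item names, the healthy sample series and the live series recorded during the flood are all constructed.

```python
import statistics
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Baseline:
    """Healthy-state profile of one monitored item: mean and population stdev."""
    mean: float
    stdev: float

    def band(self, k: float, min_tolerance: float) -> Tuple[float, float]:
        # A perfectly flat healthy series gives stdev 0 and a zero-width band,
        # so the band is never narrower than min_tolerance on each side.
        width = max(k * self.stdev, min_tolerance)
        return self.mean - width, self.mean + width


def learn_baseline(healthy_samples: Sequence[float]) -> Baseline:
    """Build the baseline from values polled while the network was known to be healthy."""
    if len(healthy_samples) < 2:
        raise ValueError("need at least two healthy samples to learn a baseline")
    return Baseline(statistics.mean(healthy_samples), statistics.pstdev(healthy_samples))


class Trigger:
    """Fires only when `consecutive` successive polls are outside the baseline band,
    so a single transient spike does not page the response team."""

    def __init__(self, item: str, baseline: Baseline, k: float = 3.0,
                 consecutive: int = 3, min_tolerance: float = 0.0):
        self.item = item
        self.low, self.high = baseline.band(k, min_tolerance)
        self.consecutive = consecutive
        self._outliers = deque(maxlen=consecutive)   # True for each out-of-band poll

    def update(self, value: float) -> Optional[str]:
        """Feed one polled value; return an alert string when the trigger fires."""
        self._outliers.append(not self.low <= value <= self.high)
        if len(self._outliers) == self.consecutive and all(self._outliers):
            return ("%s: %s outside healthy band [%.2f, %.2f] for %d consecutive polls"
                    % (self.item, value, self.low, self.high, self.consecutive))
        return None


def evaluate(item: str, healthy: Sequence[float], live: Sequence[float],
             k: float = 3.0, consecutive: int = 3, min_tolerance: float = 0.0) -> List[str]:
    """Learn the baseline from `healthy`, replay `live` through the trigger, collect alerts."""
    trigger = Trigger(item, learn_baseline(healthy), k, consecutive, min_tolerance)
    return [alert for alert in (trigger.update(v) for v in live) if alert is not None]


# Constructed sample series (hypothetical item names, 15-second polls).
HEALTHY_RTT_MS = [1.0, 1.1, 0.9, 1.0, 1.2, 1.0, 0.9, 1.1, 1.0, 1.0]   # PLC ping, healthy
LIVE_RTT_MS = [1.0, 1.1, 15.0, 18.0, 22.0, 25.0]                      # PLC ping during a flood
HEALTHY_PPS = [120, 130, 125, 118, 132, 128, 121, 127, 124, 130]      # station rx packets/s
LIVE_PPS = [126, 3000, 3200, 3100]                                    # station rx during a flood


def run_samples() -> Dict[str, List[str]]:
    """Evaluate both constructed items and return the alerts each one produced."""
    return {
        "plc_icmp_rtt_ms": evaluate("plc_icmp_rtt_ms", HEALTHY_RTT_MS, LIVE_RTT_MS),
        "station_rx_pps": evaluate("station_rx_pps", HEALTHY_PPS, LIVE_PPS),
    }


if __name__ == "__main__":
    for item, alerts in run_samples().items():
        print(item, "->", alerts or "no alert")
```

The `consecutive` parameter is the knob that trades detection delay for false-positive rate: with 15-second polls and three consecutive out-of-band values, a sustained flood is reported within about 45 seconds while a single lost ping is ignored. The band learned from a short healthy window is only as good as that window, so in practice the baseline should be re-learned per shift or per production cycle, matching the cyclical behavior the conclusion relies on.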
Audience Q&A
We can help you!
E-mail: [email protected]
Rio de Janeiro: +55 (21) 2173-1159
São Paulo: +55 (11) 3040-8656
Twitter: @tisafe
Skype: ti-safe