Detecting Problems in Industrial Networks Through Continuous Monitoring, Level 301 Marcelo Ayres Branquinho

www.tisafe.comTI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.

Marcelo Branquinho & Jan Seidl

Detecting problems in industrial networks Detecting problems in industrial networks through continuous monitoringthrough continuous monitoring

TI Safe Segurança da Informação LTDA, 2007-2008.Todos os direitos reservados.


Presentors

Marcelo [email protected]

• CEO at TI Safe.

• Senior member of ISA and committee

member of ANSI/ISA-99.

• Researcher in security technologies to

protect critical infrastructure.

Jan [email protected]

• Technical Coordinator at TI Safe.

• Expert in risk analysis in

automation systems.

• Researcher in the field of malware

engineering.


Follow us!

• Twitter: @tisafe

• SlideShare: www.slideshare.net/tisafe

• Facebook: www.facebook.com/tisafe

• Flickr: http://www.flickr.com/photos/tisafe


You don’t have to copy...

http://www.slideshare.net/tisafe


Agenda

• What should be monitored in an automation network?

• Preparation of the monitoring environment.

• The attacks performed.

• Results of monitored attacks.

• Conclusion.


What should be monitored in an

automation network?


What to monitor in an automation network?

• The “Health" of critical servers

• Runtime errors in operating systems

• Processes

• High Availability

• Data traffic on industrial protocols

• Controllers (PLCs)

• SNMP traps

• ICMP Packets (Ping)


The “Health” of critical servers

• Critical servers need to have stability and continuity of operations ensured.

• Monitor the health allows the prevention of certain failures, as well as some malicious

compromise, according to certain symptoms.

• The main technical features that can be monitored in critical servers are:

• Free disk space.

• CPU and Memory.

• Unsuccessful login attempts.

• Input and Output packets rate.


O.S. runtime erros

• Useful in anticipating hardware failures.

• The anticipation of failures, in turn, protects the automation technical team from

unscheduled stop for components replacement.

• The main runtime errors in operating systems that can be monitored are :

• Memory allocation.

• Disk read/write.

• CPU temperature.

• Fan speed.


Processes

• The monitoring of process stability can contribute in two situations :

• Alerting the responsible team in case of failures in the execution of critical

processes.

• Restart the process automatically, when possible.

• It is also recommended to monitor known exploited process names and ports, such as :

• RDP

• HTTP/HTTPS

• TeamViewer

• Cmd.exe

• Windows PowerShell


High Availability

• Aims to minimize the downtime of the monitored resource, anticipating potential

failures.

• Link states can be checked to see if the plant’s network enters into contingency state.

• The monitoring agent can perform automated tasks when necessary.


Data traffic in industrial protocols

• Is recommended to do a port mirroring to monitor data traffic on industrial protocols.

• In the case of Modbus, for example, a network sniffer can be used to monitor several

parameters.

• The main parameter to be monitored are:

• Disallowed function codes.

• Tag values.

• Command origin.

• Sent and received commands.


Controllers (PLCs)

• SNMP monitoring

• Monitors network I/O, droped packets, network errors, etc.

• Has higher reliability and, according to the errors, diagnose something wrong that

might be happening.

• ICMP Monitoring (Ping)

• Alternatively if SNMP is not supported by the controller.

• Used to check connectivity and response time.

• Limited information therefore lower accuracy and less reliability.


Preparation of the monitoring

environment


The Test Environment

The sandbox mounted inside TI Safe’s Laboratory includes:

• A Wago 741-800 PLC

• A simulator of a natural gas plant (Tofino Scada Security Simulator)

• A Windows 7 Station (physical) to the supervisory system

• A virtual machine acting as the monitoring server (Debian Linux 6 with Zabbix)

• A virtual machine acting as Modbus traffic sniffer server (Debian Linux 6 with script in python +

scapy)


The Monitoring Environment

• The monitoring server is a virtual machine running Debian

Linux operating system.

• This server has been downloaded and installed by running the

open source monitoring solution Zabbix 2.0.6 using MySQL

5.1 as the data backend.

Figure: The network Sniffer and its structure


Checking Frequency

• Depending on the load that the machine performs, items can be configured to be polled

in a defined interval.

• Servers with lighter load can have shorter checks (each 15 to 30 seconds).

• Servers with hogher load can have more delayed checks (1 minute or more).

• The main idea is to preserve the machine computational power and the network

bandwidth.


Alerting

• Designed to alert the response team.

• Best used when launched from a set of probes and reducing the possibility of false

positive.

• Can generate sound alerts and display visual signaling on a panel, as a blinking

server .

• The recommended alerts are:

• SMS

• Jabber

• E-mail


The attacks performed


The Attacker Machine

• The attacker machine is a HP laptop directly connected at the plant switch, running Kali Linux 1.0

from a Live-CD.

Below is a list of software used on tests:

Software / Tool Description Attack Author

Hping3 ICMP flood tool Network Layer 3 denial of service

http://www.hping.org/

T50 Flood tool Network Layer 3 denial of service

https://github.com/merces/t50

Meterpreter Remote access shell Remote compromise, malware infection

http://www.metasploit.com/

Arpspoof ARP poison/spoofing tool

ARP poison http://arpspoof.sourceforge.net/

Pymodbus Modbus python library Unauthorized modbus traffic

https://github.com/bashwork/pymodbus


Attacks performed

Attack Attack Vector PLC Denial of Service

Communications interception ARP poison PLC, Supervisory Stations

PLC Denial of Service Layer 3 network flood, 0day PLC

Supervisory station malware infection

Modbus malware, Meterpreter shell backdoor

Supervisory Stations, Network

Supervisory station compromise

Meterpreter shell backdoor Supervisory Station

Unauthorized remote logon Enabling remote desktop on machine, accessing machine from other machine on network

Supervisory Station

Unauthorized modbus traffic Sending commands from attacker machine

PLC


Results of monitored attacks



• $ nmap –sV 192.168.1.1

• Communications interception


• Denial of Service

• Malware infection



• Unauthorized Modbus traffic



Conclusion


Conclusion

• The homogeneity of the cyclical behavior in industrial networks and servers allows us to

establish the 'healthy' network parameters.

• Network and servers analysis and applications monitoring are critical for the detection

of unusual network traffic.

• More tangible results can be achieved through behavior monitoring than through the

monitoring of known keywords, the 'signatures'.

• The establishment of a baseline traffic in the network control system is necessary for

the detection of anomalous traffic through the analysis of differences.

• Triggers can be configured to indicate parameters outside the usual data ranges that

can mean a compromise of the assets being monitored.

• Alarms (including sounds) can be configured based on triggers.

• Only a few commercial tools for IACS monitoring are available for purchase, and we

recommend the customization of an open source tool for your own monitoring needs.


Audience Q&A


We can help you!

[email protected]@tisafe.com

Rio de Janeiro: +55 (21) 2173-1159 São Paulo: +55 (11) 3040-8656Twitter: @tisafeSkype: ti-safe

Technology

Detecting Problems in Industrial Networks Through Continuous Monitoring, Level 301 Marcelo Ayres Branquinho