Disclaimer:
I have no real world ISC/SCADA system or security experience, I’m just a guy that
takes in information and thinks about a better ways to do things.
We've all heard about taking a “baseline” of
your network environment so you have some way to gauge and detect any anomalous
behavior on your systems to, hopefully, help catch any type of malicious
activity before it gets out of control, or in the very least, have a good idea
of where to start when performing IR if there is a network breach. And, like
most of us that already work in well-established networks, we know how
difficult and time consuming a task this would be. But in a well-designed ICS
production environment, this might be a bit less traumatic experience than one
might think.
First of all, if a production ICS network is
properly segregated (as it should be) the traffic flowing over the network is
really not that complex because the protocols used aren't that complex. Modbus,
DNP3 and most of the other ICS protocols out there operate on very small frame
sizes and command lists compared to other network protocols, so while there may be a
lot of traffic flowing back and forth between a controller and a device, the
commands being sent are known and can generally be predicated based on their
configuration and what action the system is designed to perform. In other words, you’re not
going to see your Smart-Meter or valve controller performing Google searches or streaming YouTube videos unless something has gone terribly wrong! (Yes, that was a terribly joke).
This being the case, an ICS production
environment is ripe for baselining even if it’s already up and running (which
most are). So this is the first step in beginning to secure an ICS production
network and there really isn't any reason why this should not be happening
right now in all major and even minor critical infrastructure environments. We
all know this isn't the case, but it should be the case none the less. If
critical infrastructure company can get over this first, daunting hurdle,
keeping this baseline up to date can actually become relatively easy in the
future. Let me explain…
Once the major baseline is established and the
network engineers know what normal traffic looks like and what might be
abnormal, it becomes much easier to tune inline controls to recognize and flag
real warning signs that something maybe amiss in their systems. And at this
point, maintaining this baseline can become very easy if the proper deployment
controls are put into place when the engineers either have to replace a
controller or deploy a new system.
I am sure (or hopeful, however you want to look
at it) that when a new ICS controller is replaced due to failure or through a
system upgrade, or anytime a new piece of equipment is going to be introduced
into the system, extensive testing occurs to make sure the new device is
function properly before being deployed into the production environment. This
is only logical and makes perfect sense, but this is also the time to not only
make sure the operation and control of the system is well established, but also
the perfect time to baseline the new system’s network traffic as it’s being run
through all normal conditional testing.
By imposing this new deployment protocol you can capture all of the
communications of the system in its purest form and have a perfect baseline of
what to expect its typical traffic to look like; from normal operational
commands, to fault conditions, to extreme fail-safe actuation or any anomalous traffic
that might indicate that someone is trying or has breached the network.
This can be helpful in any kind of network, but
ICS/SCADA networks can greatly leverage this kind of process with more
precision than any other network environment I can imagine, to great benefit
not only to the company, but to the environment and to the consumers of the
products produced by critical infrastructure companies.
</my_two_cents>
Discuss…