ICS vulnerabilities are still being discovered, and I don’t think that will stop any time soon. I started tracking known ICS vulnerabilities in 2014, and I recently updated my graph (special thanks to Risk Based Security for providing me with ICS data). The years between 2001 and 2010 are “the lost decade” for ICS security…and 2010 on is “the Age of Stuxnet.” In today’s world, security breaches are inevitable, even for control systems. We’re starting to see more and more security incidents and even attacks, with the Ukrainian Power Grid Attack being the latest.
— Chris Sistrunk (@chrissistrunk) December 31, 2015
So how do we get in front of this?
I want to talk to you a little bit about network taps.
Network taps are not new and have been used in enterprise and even home networks for years. Taps are an important part of network security monitoring (NSM) efforts. I’ve been talking and blogging about implementing NSM in industrial control systems (ICS) for over a year now. I’m beginning to see NSM being implemented in real ICS, which is really exciting. Those implementing NSM in ICS are using it to look for evil, but also to detect misconfigurations and devices with firmware problems, for example.
Taps are a great way to get visibility into a network. Some taps even have failsafes, which ensure that if the tap loses power or fails, the network traffic still passes through unharmed.
Things to consider when installing a tap in an ICS
- Location location location. Make sure that you place the network tap in the right place(s) in your ICS network. You will want to monitor the ingress/egress points to the system, and also important systems internal to the ICS (to monitor lateral movement). If you have NAT, make sure you place the tap where it can capture true IP addresses. The Practice of Network Security Monitoring and Applied Network Security Monitoring cover tap placement within any type of network topology.
- Network tap specifications. Just like other pieces of equipment, you will want to consider the types of ports, number of ports, and the bandwidth needed for the tap. The location will help determine this. You also should consider power supply requirements (like if a substation has 48VDC power, the tap needs to support it or you will need a power converter).
- Outage to the ICS network. Using a network tap is indeed passive, but one of the drawbacks for ICS is that you have to take an outage to the network to install the tap. This can be worked around with careful planning. For instance, you could install a tap during a normal planned outage, or even during a plant shutdown.
- Protecting the network tap and NSM sensor. Once the tap and NSM sensor are installed, you must take measures to secure and protect them. Visibility into an ICS network is valuable to defenders, but also to attackers. Make sure that attackers can’t access your tap, the packet captures, or the NSM sensor data.
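To make the placement and "look for evil" points above concrete, here is an added example (my own illustration, not code from the original post or from any tap vendor) of a first-pass review you can run on a pcap taken from a newly installed tap. It reads the classic pcap format with the standard library only, pulls out Ethernet/IPv4/TCP conversations on the Modbus/TCP and DNP3 ports, compares them against a baseline of expected master-to-outstation pairs, and raises a flag when every ICS client appears as a single address, which is what a tap placed on the wrong side of a NAT boundary tends to show. All hosts, ports in the baseline, and the sample capture are constructed for the example.

```python
"""Minimal pcap reader plus a first-pass visibility check for tap captures."""
import struct
from collections import Counter

# Well-known ICS protocol ports used to pick out control traffic (constructed baseline)
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}


def iter_pcap_packets(data: bytes):
    """Yield raw link-layer frames from classic little-endian pcap bytes (magic 0xa1b2c3d4)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24  # global header length
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_flow(frame: bytes):
    """Return (src_ip, dst_ip, dst_port) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # not TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 4:
        return None
    dport = struct.unpack_from("!H", tcp, 2)[0]
    return src, dst, dport


def review_capture(data: bytes, allowed_pairs):
    """Summarize ICS conversations seen on the tap and flag ones outside the baseline."""
    flows = Counter()
    for frame in iter_pcap_packets(data):
        f = parse_flow(frame)
        if f and f[2] in ICS_PORTS:
            flows[f] += 1
    unexpected = sorted(
        (s, d, ICS_PORTS[p]) for (s, d, p) in flows if (s, d) not in allowed_pairs
    )
    sources = {s for (s, _, _) in flows}
    # Several ICS conversations all from one client address suggests the tap sees
    # a NAT'd address rather than the true hosts (see the placement note above).
    nat_suspect = len(flows) > 1 and len(sources) == 1
    return {"flows": dict(flows), "unexpected": unexpected, "nat_suspect": nat_suspect}


def build_frame(src: str, dst: str, dport: int) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed test data, no payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for fr in frames:
        out += struct.pack("<IIII", 0, 0, len(fr), len(fr)) + fr
    return out


# Constructed baseline: HMI -> PLC over Modbus, engineering workstation -> RTU over DNP3
ALLOWED_PAIRS = {("10.1.1.10", "10.1.2.20"), ("10.1.1.11", "10.1.2.21")}

# Constructed sample capture: two expected conversations, one unexpected Modbus client,
# and an HTTP flow that the ICS filter should ignore.
SAMPLE_PCAP = build_pcap([
    build_frame("10.1.1.10", "10.1.2.20", 502),
    build_frame("10.1.1.11", "10.1.2.21", 20000),
    build_frame("10.1.1.50", "10.1.2.20", 502),
    build_frame("10.1.1.10", "10.1.2.20", 502),
    build_frame("10.1.1.50", "10.1.3.5", 80),
])

if __name__ == "__main__":
    result = review_capture(SAMPLE_PCAP, ALLOWED_PAIRS)
    for flow, count in sorted(result["flows"].items()):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]} ({ICS_PORTS[flow[2]]}) x{count}")
    print("unexpected:", result["unexpected"])
    print("nat_suspect:", result["nat_suspect"])
```

On the sample capture the review lists three ICS conversations, flags 10.1.1.50 talking Modbus to the PLC as outside the baseline, and reports no NAT concern because the true client addresses are visible. Running the same check against a capture from the other side of a NAT device would show one client address for every conversation and set `nat_suspect`, which is the signal to move the tap. The baseline set is the piece you maintain from your own asset inventory; a real sensor would also key on the Modbus unit identifier and function codes, which this minimal parser stops short of.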
Taps can be used in DFIR
In the case attackers do breach a network, incident responders will want to get visibility into compromised hosts and also collect network evidence. Chapter 9 of Incident Response & Computer Forensics covers network evidence and what is collected. However, most ICS networks today don’t have network visibility. To get this visibility in an ICS network, an incident responder would have to use port mirrors on existing ICS switches, or bring a hub (which aren’t made anymore) or a network tap with them. Several tap manufacturers make portable network taps that are perfect for a DFIR jump kit.
One example of a portable network tap is this new P100CCA model from Garland Technology. They provided me with one to review, and it’s a great little tap for 10/100MB copper networks (which will work in many ICS networks). The power supply even includes a set of international voltage plug adapters, which is really handy if you are responding to incidents around the world. You just throw it in a bag, plug it in, and start capturing pcaps!
When I attended 4SICS 2015, I gave a class on NSM in ICS networks. There was also an ICS lab with a lot of different PLCs, HMIs, and other ICS devices that attendees could attack. My friend Erik Hjelmvik with NETRESEC and I both captured pcaps from the 4SICS Lab network with this Garland tap, and also a larger model. Special thanks to Garland!
— Chris Sistrunk (@chrissistrunk) October 21, 2015
I hope you enjoyed this post about network taps and how they can be used in ICS networks. I encourage you to try capturing ICS traffic, even if you start with a test or lab environment first. But if you have some trouble on your ICS network, take the opportunity to capture some traffic with a portable network tap. Who knows…you just might find the problem if you look!