Critical Infrastructure Protection through Network Behavior Management

Jul 16, 2015

Page 1: Critical Infrastructure Protection through Network Behavior Management

Critical Infrastructure Protection ICS Network Behavior Management

By Enrique Martín García

August 2014

Executive Summary

The security level of all infrastructures that deliver essential services to society must be reviewed and supervised continuously.

This supervision must be based on indicators that offer objective values that remain valid over time, given the robust and long-lived design these infrastructures should have.

In this paper we focus on the first set of indicators to define and manage, all of them related to the correct behavior of the Industrial Control Network of these infrastructures.


Contents

Introduction

Legal Framework

  USA: Cybersecurity Framework, February 2014 – National Institute of Standards and Technology (NIST)

  USA: ES-C2M2 v1.1, February 2014 – Department of Energy – Department of Homeland Security

  France: National Security Agency for Information Systems (ANSSI)

  Ley 8/2011, de 28 de abril (Act 8/2011 of 28 April, establishing measures for the protection of critical infrastructures)

RIPE – Robust ICS Planning & Evaluation

Indicators

  Connection between the command center and the sensor is protected and encrypted, ensuring its confidentiality and integrity

  Inventory Building

  Inventory Quality

  Detailed Interaction Between Devices

Conclusion

References

About the Author


Introduction

Over the last three years, Critical Infrastructure Protection strategies have been strengthened in both the U.S. and Europe. This has been achieved through standards, guidelines and cybersecurity frameworks aimed at the sectors that provide society's essential services in each country. New legal and regulatory frameworks have also been developed to define the security controls, countermeasures and supervision mechanisms that these sites must put in place. All of them, like the older safety-related Information Technology (IT) standards, require the Critical Operator (OC) that provides essential services from its Critical Infrastructure (CI) to implement mechanisms for managing the inventory of its technology assets. Furthermore, given the properties of industrial control networks, continuous monitoring of behavioral abnormalities is also required. To manage behavioral abnormalities effectively, one should begin by establishing a baseline of the control network that covers all information assets, their interconnections and the regular operations that take place between them (traffic matrix and operational matrix). Given the diversity of critical-sector classifications and legislation across European countries, this paper focuses on the case of Spain.

Legal Framework

To put into context the metrics related to asset inventory and behavior monitoring that the different frameworks and standards propose, I will briefly review some of the latest updates published to date.

USA: Cybersecurity Framework, February 2014 – National Institute of Standards and Technology (NIST)

In this framework, the need to maintain an inventory of IT assets appears under the first defined function, Identify. Under the Identify (ID) function is the Asset Management (AM) category, and under it six subcategories are established:

ID.AM-1: Physical devices and systems within the organization are inventoried

ID.AM-2: Software platforms and applications within the organization are inventoried

ID.AM-3: Organizational communication and data flows are mapped.

ID.AM-4: External information systems are catalogued

ID.AM-5: Resources (systems, devices, applications, etc.) are prioritized according to their classification, criticality and business value.

ID.AM-6: Cybersecurity roles and responsibilities for all employees and third parties are established.


Of these inventories, the detailed description of communications is often the hardest for the OC to achieve, because of the changes industrial control networks have undergone in recent years with the convergence onto TCP/IP communications and their connection, more or less secure, with other OC business networks. The need to maintain an updated inventory of communications and information flows is found in the following standards:

CCS CSC 1

COBIT 5 DSS05.02

ISA 62443-2-1:2009 4.2.3.4

ISO/IEC 27001:2013 A.13.2.1

NIST SP 800-53 Rev. 4 AC-4, AC-3, AC-9, PL-8

FIGURE 1: NIST CYBERSECURITY FRAMEWORK FUNCTION 1

The detection of behavioral anomalies is recognized in the third function defined by the Framework: Detect. Under the Detect (DE) function is the Anomalies and Events (AE) category, and under it five subcategories are established:

DE.AE-1: A baseline of network operations and expected data flows for users and devices is established and managed

DE.AE-2: Detected events are analyzed to understand attack targets and methods.

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors.

DE.AE-4: The impact of events is determined

DE.AE-5: Incident alert thresholds are established

The need to detect anomalies in the control network is found in the following standards:

COBIT 5 DSS03.01


ISA 62443-2-1:2009 4.4.3.3

NIST SP 800-53 Rev. 4 AC-4, AC-3, CM-2, SI-4

FIGURE 2: NIST CYBERSECURITY FRAMEWORK FUNCTION 3


USA: ES-C2M2 v1.1, February 2014 – Department of Energy – Department of Homeland Security

Also defined equivalently for the Oil & Natural Gas sector (ONG-C2M2), this maturity model likewise establishes the need to maintain an inventory of assets, both IT and OT:

FIGURE 3: INVENTORY IN THE CYBERSECURITY CAPABILITY AND MATURITY MODEL FOR THE ELECTRIC SECTOR IN THE USA

It also establishes the need to properly document the behavior of communications and, later, the need to monitor traffic anomalies in the OT and IT networks, as other international studies also recommend [3].


FIGURE 4: MONITORING IN THE CYBERSECURITY CAPABILITY AND MATURITY MODEL FOR THE ELECTRIC SECTOR IN THE USA

France: National Security Agency for Information Systems (ANSSI)

The French National Agency for the Security of Information Systems (ANSSI) published in August 2014 a methodology for classifying organizations that use information systems for industrial control, together with a detailed set of security measures to be taken by each of these organizations depending on their classification.

FIGURE 5: DETAILED MEASURES FOR INDUSTRIAL CONTROL SYSTEMS USERS


Among the cybersecurity measures to adopt is the systematic maintenance of an inventory of industrial control assets, which should reflect all interconnection diagrams and the flows between them, together with their monitoring:

FIGURE 6: CYBERSECURITY MEASURES INDEX – DETAILED MEASURES FOR USER ORGANIZATIONS OF INDUSTRIAL CONTROL SYSTEMS


Ley 8/2011, de 28 de abril (Act 8/2011 of 28 April, establishing measures for the protection of critical infrastructures)

In Spain, the PIC Act 8/2011 requires organizations designated as critical infrastructure operators by CNPIC to develop an Operator Security Plan and a Specific Protection Plan that reflect, among other assets, detailed inventories of the elements that make up their industrial control network. In particular, section 3.1 of the Specific Protection Plan, "General Data of the Infrastructure", provides for the inclusion of at least the following information:

"On the ICT systems that manage the IC and its architecture (network map, map of communications systems, etc.)."

Section 3.2 of the same Plan, "Assets / Elements of the IC", contemplates the inclusion of at least the following information:

"Computer systems (hardware and software) used."

"Communication networks that allow data exchange and are used by this IC."

FIGURE 7: MINIMUM CONTENTS OF THE PLAN DE PROTECCIÓN ESPECÍFICO (PPE)

In short, all the information necessary to establish the normal behavior of the control network is requested.


In view of the foregoing, it seems clear that the requirement for an asset inventory, together with the establishment of a behavioral baseline, will define the compliance indicators. These two realities naturally lead to the design of a set of metrics based on the inventory and on the management of network behavior (Network Cyber Behavior Management TM). The following sections describe the methodology and the proposed solution to define and maintain these metrics.

RIPE – Robust ICS Planning & Evaluation

The Robust ICS Planning and Evaluation (RIPE) Framework [1] (2013) provides a management model based on defined quality in industrial control systems for critical processes, in line with the Cyber-Resilience measurement proposal from INTECO [2]. The model rests on the definition of three main blocks:

Technology Block (IT and OT systems)

Organizational Block (People)

Operational Block (processes and procedures)

FIGURE 6: RIPE MODEL CONTEXT DIAGRAM

In this Framework, compliance metrics are measured periodically, and with low economic impact, in eight areas of critical infrastructures:

Asset Inventory: For each facility/plant, all assets involved in providing or protecting an essential service should be documented and periodically reviewed. This inventory, collected for each IC, integrates all elements of physical and logical security.


Connection diagram of assets: It is critical to document and review the existing connectivity between the assets inventoried in the previous area, in order to establish the interdependence of all the assets and their ranking when grouped in the provision of an essential service.

Interaction between assets: With the information gathered in the previous points, build diagrams of the operational flows between devices, which complete the description of the interdependence of essential services and support the subsequent monitoring of the security of the plant/installation.

Roles and functions of staff: Staff are the first asset to protect and the most fundamental part of any defense strategy for a plant/facility. Maintain an updated list of all IC staff and review it periodically to ensure the information remains valid. This information is critical to the implementation of any physical and logical access policy.

Development of staff skills and knowledge: The security level of the plant/installation must be understood within the cycle of continuous improvement of the provision of essential services. It is essential that the people who operate and ensure the security of these services have the training required to perform their duties. Periodic monitoring of compliance with training plans and of progress at each plant facilitates tracking of the periodic targets set by the CSMS.

Operating guidelines and procedures: The integrity of essential services may be interrupted by an erroneous, untested or unauthorized operation. To avoid such problems, keep updated operational guidelines that are revised periodically, in order to minimize problems in the provision of essential services by the plant/installation.

Planning and design of changes: In line with the previous point, any new element within the IC or any new industrial process must be documented and approved by those responsible for operations. Reviewing the process and its associated documentation minimizes risks to the continuity of essential services and supports the proper maintenance of the CSMS.

Asset procurement: The security requirements of assets to be deployed in plants/facilities should be considered from the acquisition phase onward. Controlling procurement processes with regard to these requirements facilitates integrating those assets into the ongoing security management of the plant/installation.

Control of these eight areas allows completion of the impact assessment on the essential services the plant/installation supports, consistent with the security policy defined by the OC on important issues such as safety management, staff training and continuity management. Each of these areas is evaluated according to two quality criteria, with targets expressed as percentages of compliance:

Degree of completion

Accuracy of information completed


In the case of asset inventory, for example, the following criteria are applied:

RIPE System Inventory Quality

Quality: Completeness and accuracy of the system inventory. Computation: Accuracy * Completeness / 100

Completeness: Percentage of components listed in the system inventory, relative to the total number of components identified by walk-down inspection

Accuracy: Percentage of components listed accurately in the system inventory, as identified by walk-down inspection

TABLE 1: INDICATOR VALUE CRITERIA AND CALCULATION

As a specific example, after applying these criteria to the eight areas of two individual installations, we obtain the following values:

FIGURE 9: TWO PLANTS COMPLIANCE POLAR DIAGRAM

For the plant represented by the red line, we observe much greater compliance in areas such as asset inventory and personnel than for the plant represented by the blue line. This would allow the organization to reuse the operational procedures of the first plant in the second, achieving improved security levels in a short time and at low cost.


In the following section we define indicators from the RIPE Technology Block for industrial control networks that define the expected behavior pattern (Blueprint) for these networks:

Asset Inventory

Representation of the connection assets

Detailed interaction between them

Indicators

The calculation of the indicators defined by the previous reference framework must be generated and updated with minimal effort. To do this we propose the use of the SCAB solution (Security Awareness Control Box) for SCADA systems, based on Deep Protocol Behavior Inspection (DPBI) of control protocols. SCAB is a monitoring and anomaly detection system that analyzes network traffic and detects unusual network events (e.g., cyber attacks or operational errors), not by signature-based detection technology but by building the behavior pattern of the network automatically and unattended. The behavior pattern built by the solution defines:

Connection Models

Protocols used

Message Types protocols

Messages fields

Values of the message fields

This set of information defines the White List of our control network operations. Today, SCAB allows monitoring and inspection of the following protocols:

Protocols (table columns: Deep Protocol Behavior Inspector, Connection profile)

MMS

Modbus/TCP

OPC-DA

IEC 101/104

DNP3

IEC 61850

ICCP TASE.2

CSLib (ABB)

DMS (ABB)

S7 (Siemens)

SMB/CIFS


RPC/DCOM

PVSS

LDAP

NetBIOS

HTTP

FTP

SSH

SSL

SMTP

IMAP

POP3

VNC/RFB

RTSP

AFP

TABLE 2: SCAB SUPPORTED PROTOCOLS

The SCAB solution architecture is the following:

FIGURE 10: SCAB SOLUTION ARCHITECTURE


The Command Center collects monitoring intelligence from the various sensors and features:

Web-based user interface (supported browsers: Google Chrome, Mozilla Firefox, Internet Explorer (≥ 9), Safari)

Large set of alert filters

An extensible workflow engine for processing incoming alerts and forwarding them to different delivery systems (e.g., SIM/SIEM) according to user-defined rules

An extensible task engine for scheduling tasks such as sending reports, synchronizing the internal clock, optimizing the internal database, etc.

Role-based access control for users.

In production environments, multiple monitoring sensors can be used to control different network segments and report the observed traffic and detected threats to a single command center.

The connection between the command center and the sensor is protected and encrypted, ensuring its confidentiality and integrity.

Inventory Building

After connecting the SCAB sensors to the network, we can start the learning phase. In this phase, SCAB autonomously builds our network behavior pattern, following the flow shown below:

FIGURE 11: CONTROL NETWORK BEHAVIORAL BLUEPRINT CREATION

We can customize the behavior pattern if necessary by adding, modifying or deleting connections with a text editor. Any changes to these patterns are audited and stored securely in the sensor itself.


FIGURE 12: CONNECTION MATRIX EDITOR

After finishing the learning phase, we have the ICS Local Network Communication Profile. At that moment SCAB knows every tuple allowed in the ICS network:

Src IP,Src Port -> Dest. IP,Dest Port

This is hard to achieve in a multipurpose Local Area Network (even a home one) without several changes (alerts) per hour. From that moment on we can be alerted about:

New devices on the network that are not in the inventory

Devices attempting connections outside the model and inventory.

Devices receiving information from others outside the model and inventory.

Inventory Quality

As we saw in the initial example, this indicator is calculated as follows:

RIPE Asset Inventory Quality

Quality: Completeness and accuracy of the system inventory. Computation: Accuracy * Completeness / 100

Completeness: Percentage of components listed in the system inventory, relative to the total number of components identified by SCAB

Accuracy: Percentage of components listed accurately in the system inventory, as identified by SCAB

TABLE 3: INVENTORY INDICATOR VALUE CRITERIA AND CALCULATION


Representing the active connections

From the information gathered by SCAB in its learning phase, it is easy to represent graphically the interactions between the nodes of the control network and to build an easily updatable diagram.

RIPE Connections Diagram Quality

Quality: Completeness and accuracy of the connections inventory. Computation: Accuracy * Completeness / 100

Completeness: Percentage of connections listed in the inventory, relative to the total number of connections identified by SCAB

Accuracy: Percentage of connections listed accurately in the inventory, as identified by SCAB

TABLE 4: CONNECTIONS INDICATOR VALUE CRITERIA AND CALCULATION

An example of a collected connection digraph could be the following:

FIGURE 12: SCAB SELF-LEARNING CONNECTION DIGRAPH


Detailed interaction between devices

FIGURE 13: SCAB SELF-LEARNING FUNCTIONS OPERATIONAL MATRIX

Among the information contained in the self-generated network behavior pattern, we can see not only that the connections between devices and ports are established according to a certain protocol, but also which messages and values (control functions) are being used in our network. The SCADA server connects to the PLCs using the Modbus protocol and runs only functions 3 and 16. In this way, we can check compliance with this indicator periodically and, in addition, detect unusual transactions or malicious control commands in real time.
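As an added example (not SCAB's code; no SCAB internals are assumed), the following Python models the two layers of the blueprint described above: the learned connection white list and, per connection, the allowed control function codes, raising the three alert types listed under Inventory Building plus an alert for a function code never seen on a known connection. Flow records are constructed; the source port is dropped from the tuple because client-side ports are ephemeral.

```python
from collections import defaultdict

# Constructed baseline captured during the learning phase (not real traffic).
# Each record: (src_ip, dst_ip, dst_port, protocol, function_code or None).
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.21", 502, "modbus", 3),   # SCADA server reads PLC-1 (fc 3)
    ("10.0.1.10", "10.0.2.21", 502, "modbus", 16),  # SCADA server writes PLC-1 (fc 16)
    ("10.0.1.10", "10.0.2.22", 502, "modbus", 3),   # SCADA server only reads PLC-2
    ("10.0.1.11", "10.0.1.10", 443, "ssl", None),   # HMI -> SCADA server
    ("10.0.1.10", "10.0.1.5", 53, "dns", None),     # SCADA server -> local DNS
]

class Blueprint:
    """White list learned from traffic: known devices, allowed
    (src, dst, dst_port, protocol) tuples and, per tuple, the control
    function codes observed on it (the paper's operational matrix)."""

    def __init__(self):
        self.devices = set()
        self.connections = set()
        self.functions = defaultdict(set)

    def learn(self, flows):
        """Learning phase: everything seen becomes part of the pattern."""
        for src, dst, port, proto, func in flows:
            self.devices.update((src, dst))
            key = (src, dst, port, proto)
            self.connections.add(key)
            if func is not None:
                self.functions[key].add(func)
        return self

    def allow(self, src, dst, port, proto, funcs=()):
        """Manual customization of the pattern (the paper's connection editor)."""
        self.devices.update((src, dst))
        self.connections.add((src, dst, port, proto))
        self.functions[(src, dst, port, proto)].update(funcs)

    def check(self, flow):
        """Monitoring phase: alerts raised by one flow (empty list = conforms)."""
        src, dst, port, proto, func = flow
        key = (src, dst, port, proto)
        alerts = []
        for ip in (src, dst):
            if ip not in self.devices:
                alerts.append(("NEW_DEVICE", ip))  # device out of inventory
        if key not in self.connections:
            # Known devices talking outside the model; unknown ones are already flagged.
            if src in self.devices:
                alerts.append(("UNMODELED_OUTBOUND", src, key))
            if dst in self.devices:
                alerts.append(("UNMODELED_INBOUND", dst, key))
        elif func is not None and func not in self.functions[key]:
            alerts.append(("UNMODELED_FUNCTION", key, func))  # e.g. a write where only reads were seen
        return alerts

    def check_all(self, flows):
        """Alert type -> count over a batch of monitored flows."""
        counts = defaultdict(int)
        for flow in flows:
            for alert in self.check(flow):
                counts[alert[0]] += 1
        return dict(counts)

# Constructed monitoring-phase traffic with one deviation of each kind.
MONITORED_FLOWS = [
    ("10.0.1.10", "10.0.2.21", 502, "modbus", 3),   # normal read
    ("10.0.1.10", "10.0.2.22", 502, "modbus", 16),  # write to a PLC that was only ever read
    ("10.0.1.11", "10.0.2.21", 502, "modbus", 3),   # HMI talks to the PLC, bypassing the SCADA server
    ("10.0.1.99", "10.0.2.21", 502, "modbus", 6),   # host not in the inventory talks to PLC-1
]

def build_blueprint():
    return Blueprint().learn(BASELINE_FLOWS)

def monitoring_report():
    return build_blueprint().check_all(MONITORED_FLOWS)
```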

RIPE Functional Interaction Quality

Quality: Completeness and accuracy of the functional interactions inventory. Computation: Accuracy * Completeness / 100

Completeness: Percentage of functional interactions listed in the inventory, relative to the total number of functional interactions identified by SCAB

Accuracy: Percentage of functional interactions listed accurately in the inventory, as identified by SCAB

TABLE 5: FUNCTIONAL INTERACTION INDICATOR VALUE CRITERIA AND CALCULATION
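Added example (not from the paper or SCAB): the RIPE quality indicator of Table 1, reused in Tables 3 to 5, computed in Python for the three Technology Block inventories against a constructed ground truth (what a walk-down inspection or SCAB identified). A stale inventory entry counts against accuracy, since that percentage is taken over what the inventory lists.

```python
def ripe_quality(documented, observed):
    """RIPE indicator for one inventory.

    documented: key -> attributes as recorded in the inventory.
    observed:   key -> attributes as identified in the field (walk-down or SCAB).
    Completeness = % of observed components that the inventory lists.
    Accuracy     = % of listed components whose recorded attributes match
                   observation (entries that no longer exist count as inaccurate).
    Quality      = Accuracy * Completeness / 100.
    An empty inventory or an empty observation set scores zero by convention.
    """
    if not observed or not documented:
        return {"completeness": 0.0, "accuracy": 0.0, "quality": 0.0}
    listed = set(documented) & set(observed)
    completeness = 100.0 * len(listed) / len(observed)
    accurate = sum(1 for k in listed if documented[k] == observed[k])
    accuracy = 100.0 * accurate / len(documented)
    quality = accuracy * completeness / 100.0
    return {"completeness": round(completeness, 2),
            "accuracy": round(accuracy, 2),
            "quality": round(quality, 2)}

# Constructed inventories. Keys identify the component; values are the
# attributes that must match for an entry to count as accurate.
ASSETS_DOCUMENTED = {"10.0.1.10": "SCADA server", "10.0.2.21": "PLC-1",
                     "10.0.2.23": "PLC-3"}                       # PLC-3 was decommissioned
ASSETS_OBSERVED = {"10.0.1.10": "SCADA server", "10.0.2.21": "PLC-1",
                   "10.0.2.22": "PLC-2", "10.0.1.11": "HMI"}      # PLC-2 and HMI never inventoried

CONNECTIONS_DOCUMENTED = {("10.0.1.10", "10.0.2.21", 502): "modbus",
                          ("10.0.1.10", "10.0.2.22", 502): "modbus",
                          ("10.0.1.11", "10.0.1.10", 443): "https"}
CONNECTIONS_OBSERVED = {("10.0.1.10", "10.0.2.21", 502): "modbus",
                        ("10.0.1.10", "10.0.2.22", 502): "modbus",
                        ("10.0.1.11", "10.0.1.10", 443): "ssl",   # recorded protocol differs
                        ("10.0.1.10", "10.0.1.5", 53): "dns"}     # undocumented flow

FUNCTIONS_DOCUMENTED = {("10.0.1.10", "10.0.2.21", 502): frozenset({3}),
                        ("10.0.1.10", "10.0.2.22", 502): frozenset({3, 16})}
FUNCTIONS_OBSERVED = {("10.0.1.10", "10.0.2.21", 502): frozenset({3, 16}),  # writes never documented
                      ("10.0.1.10", "10.0.2.22", 502): frozenset({3, 16})}

def technology_block_indicators():
    """The three RIPE Technology Block indicators the paper defines."""
    return {
        "asset_inventory": ripe_quality(ASSETS_DOCUMENTED, ASSETS_OBSERVED),
        "connections_diagram": ripe_quality(CONNECTIONS_DOCUMENTED, CONNECTIONS_OBSERVED),
        "functional_interaction": ripe_quality(FUNCTIONS_DOCUMENTED, FUNCTIONS_OBSERVED),
    }
```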


Conclusion

There is a clear need to review the cybersecurity level of ICs, but this review should not rely solely on documentary audit evidence; it should also rest on objective criteria that ensure quality monitoring and enable continuous improvement of the IC itself. Indicators of the quality of the asset inventory, of the correct representation of the connections, and of the up-to-date functional operational interaction between assets allow us to monitor the behavior of the control network that provides essential services and the security of the plant or facility. The SCAB solution allows easy maintenance of these three indicators and continuous monitoring through deep inspection of industrial protocol behavior, thereby maintaining the security level required for our Critical Infrastructure.


References

[1] Ralph Langner, "The RIPE Framework: A Process-Driven Approach towards Effective and Sustainable Industrial Control System Security", 2013: http://www.langner.com/en/wp-content/uploads/2013/09/The-RIPE-Framework.pdf

[2] INTECO, "Ciber-Resiliencia: Aproximación a un marco de medición", 2014: http://www.inteco.es/extfrontinteco/img/File/Estudios/int_ciber_resiliencia_marco_medicion.pdf

[3] "Monitoring Industrial Control Systems to improve operations and security", 2013: http://www.secmatters.com/sites/www.secmatters.com/files/documents/whitepaper_monitoring_EU.pdf

About the Author

Enrique Martín García is Director of the Centre of Excellence for Cyber Security within the IT Consulting & Integration Services - Global Solutions division at Schneider Electric.

He has over 25 years of experience in information technology, much of it spent on projects to design and implement security solutions.

Since 2013 he has been responsible for designing the portfolio of Cyber Security services and solutions for ITC, and has participated in various conferences where he has given presentations on advanced protection solutions for industrial control network protocols.

© 2013 Schneider Electric. All rights reserved.