The Benefits of Network Security Monitoring for Grid-Edge Devices An in-depth analysis of how passive network security monitoring helps asset owners maintain an accurate, up-to-date asset inventory list, while also protecting the grid’s edge from cyber threats.
Contents

Executive Summary 3
1. Introduction 4
2. Approach & Implementation 5
   A. Approach 5
   B. Example Network Topology 6
   C. Review of IED Settings and Configuration 6
3. Asset Inventory Tracking 6
   A. Overview 6
   B. Example Use-Cases Demonstrated 7
   C. Vulnerability Identification 7
4. Security Monitoring 8
   A. Overview 8
   B. Example Use-Cases and Scenarios Tested 8
5. Approach Findings, Benefits and Event Grouping 9
6. Conclusion 10
References 11
“Implementing power system automation control environments that are reliable, resilient, and secure is an interdisciplinary engineering challenge that involves multiple regulatory standards.”
[Figure 1: Example Network Topology Used for Evaluating the NSM Tool. Labels recoverable from the figure: an Electronic Security Perimeter (ESP) enclosing the control system (substation, power plant, etc.) with IED 1, IED 2, IED 3 and the RTU; a Remote Engineer/Operator and a Local Engineer; Ethernet link (a) and serial link (b); a SPAN port carrying mirrored communication one-way to the NSM tool; alerts & findings from the NSM tool feeding Asset Management, Compliance, Operations and Security.]
2. Approach & Implementation

A. Approach

The developed approach is centered on the premise of being completely passive and non-intrusive to the control system environment. Using a managed network switch, a single port is configured as the span port. This span or mirroring port replays the communication traffic from all or a designated subset of the other ports on the switch. By placing a network security monitoring (NSM) tool on this span port, a detailed analysis of each communication packet is performed. This allows all inbound and outbound traffic to be monitored as well as the traffic between each intelligent electronic device (IED) at the grid’s edge.
B. Example Network Topology

The example network topology implemented is shown in Figure 1 and includes 3 protection relays, a remote terminal unit (RTU), a managed switch, and a firewall. All devices are logically defined within an electronic security perimeter (ESP). For servicing, engineers or technicians are typically allowed to enter the ESP and connect a transient cyber asset (TSA) to the IEDs [2]. Ethernet link (a) and serial link (b) show two options for directly communicating with such devices. For control, the standard control system protocols DNP3 and Modbus are used, while for diagnostics each IED’s web interfaces are enabled. Additionally, a vendor’s specific protocol, which is an extension of the Telnet protocol, is used for communication between the RTU and IEDs. The managed switch is configured to mirror all TX and RX traffic on every port to a SPAN port. The NSM server has multiple network interfaces, and the one connected to the span port is configured for RX only, while the SPAN port itself is configured for TX only.
C. Review of IED Settings and Configuration

As soon as the NSM tool came online, it began analyzing all the communication in the control system local area network, including all ingress and egress traffic. Using this observed information, the NSM tool began to organize the observed devices into a network map according to the Purdue Model [5]. After just a few minutes, the NSM tool had accurately mapped all devices and protocols that were utilized over the network. To confirm this, a review of the IED settings files was performed. The IP information contained in these files was then used to confirm the specific whitelisted IPs that would be used to trigger an alarm in the NSM tool.
3. Asset Inventory Tracking

A. Overview

Maintaining an accurate and up-to-date baseline configuration often relies on a manual and handwritten process. A more efficient and less error-prone approach is to leverage the existing system to automatically observe and document changes as they are made. As noted in Section II, the example topology utilizes a vendor’s slight variation of the Telnet protocol to communicate between the RTU and IEDs. Since this information is transmitted in plain text and is copied and replayed over the span port, the NSM tool is able to capture and analyze this information.
B. Example Use Cases Demonstrated

1. Remote engineer upgrades firmware on IED 1: There are several applications that may permit a remote engineer to have interactive access to an IED. This access allows the engineer to perform any number of commands as though he were physically at the device. Depending on how this remote access is configured, he could be allowed to communicate directly to the IED, or the RTU can be configured as an access point router.

2. Local engineer upgrades IED 2 firmware via Ethernet connection: If the previous use case is not allowed, an engineer or technician may be required to travel to the site to perform the necessary maintenance. While locally in the control house or plant, the engineer plugs into the network switch using an approved transient cyber asset [2] and logically connects to the IED. Once connected, the engineer runs the upgrade command and uploads the firmware to the IED.

3. Local engineer upgrades IED 3 firmware via direct serial connection: The last use case is unique, since it requires some additional programming in the RTU in order to fully capture the upgrade. Unlike the other examples, this communication is not being performed over the network, and therefore will not be captured. Additionally, the polling of the device is being performed via a serial connection between the RTU and the relay. This polling is therefore also not being captured by the NSM tool. The solution here is to tell the RTU to log the firmware change of IED 3 and all associated information to Syslog. This way, when the updated asset information is placed on the network, the parsing feature of the NSM tool is still able to capture and log the event.
C. Vulnerability Identification

By having an accurate representation of the current firmware version installed on each device, the NSM tool was able to identify known vulnerabilities that are associated with that version of the firmware, protocols, and detected software. These vulnerabilities are based on the common vulnerability enumeration (CVE) standard and have an associated risk score identifying the impact that vulnerability could have to the system. This information can be used to determine when the device needs servicing. This ability greatly reduces the potential attack surface and helps ease the burden associated with meeting a number of compliance and maintenance requirements.
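The three use cases in this section all end with the same artifact: the current firmware version of each IED becomes visible on the network, either in plaintext on the mirrored Ethernet link or in the RTU's Syslog message for the serially attached IED 3. The Python below is an added example, not the paper's or Forescout's code, of how a passive monitor can turn those observations into an inventory and then score it against an advisory table, which is the vulnerability-identification step described above. The banner and Syslog message formats, the `relay-x` model name, the host names and the advisory table with its `CVE-PLACEHOLDER-*` identifiers are all constructed for this example.

```python
"""Passive asset-inventory builder fed from the SPAN port (added example; not the paper's NSM tool).

Two constructed input sources stand in for what a monitor would parse off the mirror port:
  * plaintext device banners copied from the mirrored Ethernet link (IED 1 and IED 2), and
  * Syslog lines the RTU emits when it updates the serially attached relay (IED 3).
Both message formats and the advisory table are invented for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed banner format seen on the mirrored link: "IEDn model <model> firmware <version>"
BANNER_RE = re.compile(r"^(?P<asset>IED\d+) model (?P<model>\S+) firmware (?P<fw>\S+)$")

# Constructed RTU Syslog format: "<pri>Mon dd hh:mm:ss host tag: IEDn (<model>) firmware changed from X to Y"
SYSLOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?P<asset>IED\d+) \((?P<model>\S+)\) firmware changed from (?P<old>\S+) to (?P<new>\S+)$"
)

# Constructed advisory table keyed by (model, firmware). CVE ids are placeholders, not real entries.
KNOWN_VULNS = {
    ("relay-x", "R1.1.0"): [("CVE-PLACEHOLDER-0001", 7.5)],
    ("relay-x", "R1.2.0"): [("CVE-PLACEHOLDER-0001", 7.5), ("CVE-PLACEHOLDER-0002", 5.3)],
}


@dataclass
class Asset:
    name: str
    model: str = "unknown"
    firmware: str = "unknown"
    history: list = field(default_factory=list)  # (source, old_version, new_version)


class AssetInventory:
    def __init__(self):
        self.assets = {}

    def _record(self, name, source, model=None, firmware=None):
        asset = self.assets.setdefault(name, Asset(name))
        if model:
            asset.model = model
        if firmware and firmware != asset.firmware:
            asset.history.append((source, asset.firmware, firmware))
            asset.firmware = firmware
        return asset

    def observe_banner(self, text):
        """Banner copied from the mirror port; returns the updated Asset or None if not a banner."""
        m = BANNER_RE.match(text.strip())
        if not m:
            return None
        return self._record(m["asset"], "banner", model=m["model"], firmware=m["fw"])

    def observe_syslog(self, line):
        """RTU Syslog line for a serially attached IED; returns the updated Asset or None."""
        m = SYSLOG_RE.match(line.strip())
        if not m:
            return None
        asset = self.assets.setdefault(m["asset"], Asset(m["asset"]))
        if asset.firmware == "unknown":
            asset.firmware = m["old"]  # the RTU tells us what was running before the change
        return self._record(m["asset"], f"syslog:{m['host']}", model=m["model"], firmware=m["new"])

    def vulnerable_assets(self):
        """{asset_name: highest_score} for assets whose (model, firmware) has a known advisory."""
        out = {}
        for asset in self.assets.values():
            advisories = KNOWN_VULNS.get((asset.model, asset.firmware))
            if advisories:
                out[asset.name] = max(score for _, score in advisories)
        return out


# Constructed capture in arrival order: the three use cases above, then IED 1 after its remote upgrade.
CONSTRUCTED_EVENTS = [
    ("banner", "IED1 model relay-x firmware R1.2.0"),
    ("banner", "IED2 model relay-x firmware R1.3.1"),
    ("syslog", "<134>Jun 12 10:15:42 rtu-01 assetmgr: IED3 (relay-x) firmware changed from R1.1.0 to R1.3.1"),
    ("banner", "IED1 model relay-x firmware R1.3.1"),
]


def run_demo(events=CONSTRUCTED_EVENTS):
    """Replay the events; return the inventory and the vulnerable-asset view after each event."""
    inventory = AssetInventory()
    snapshots = []
    for kind, text in events:
        handler = inventory.observe_banner if kind == "banner" else inventory.observe_syslog
        handler(text)
        snapshots.append(inventory.vulnerable_assets())
    return inventory, snapshots


if __name__ == "__main__":
    inv, snaps = run_demo()
    for asset in inv.assets.values():
        print(asset.name, asset.model, asset.firmware, asset.history)
    print("vulnerable after each event:", snaps)
```

The change history is kept per asset so that the baseline configuration documents itself as the engineers work, and the vulnerable-asset view is recomputed after every event, which is what lets the same data answer both the compliance question (what is installed where) and the servicing question (which device still runs an affected version).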
4. Security Monitoring

B. Example Use-Cases and Scenarios Tested

Identify network communication failures: More of an operational aspect of the grid, the examined NSM tool was able to determine when communication between devices ceases. This capability can be extremely valuable since it can help diagnose a broken link or down interface.
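As an added illustration of the communication-failure check (example code, not the evaluated tool's logic): a passive watchdog that learns the normal interval of each directed flow from frame timestamps on the mirror port and reports flows that fall silent for longer than a multiple of that interval. The RTU and IED addresses, the two-second poll cycle and the capture in which IED 2 stops answering are constructed.

```python
"""Passive detector for communication failures between polling pairs (added example; not the
evaluated NSM tool). It only watches timestamps of frames copied from the mirror port, learns
each directed flow's normal interval, and reports flows that have gone quiet for too long."""
from collections import defaultdict
from statistics import median


class PollWatchdog:
    def __init__(self, learn_count=5, silence_factor=3.0):
        self.learn_count = learn_count          # frames needed before an interval is trusted
        self.silence_factor = silence_factor    # alert when the gap exceeds factor * learned interval
        self._times = defaultdict(list)         # (src_ip, dst_ip) -> frame timestamps

    def observe(self, ts, src_ip, dst_ip):
        self._times[(src_ip, dst_ip)].append(ts)

    def learned_interval(self, flow):
        """Median inter-frame gap for a flow, or None until enough frames have been seen."""
        times = self._times.get(flow, [])
        if len(times) < self.learn_count:
            return None
        return median(b - a for a, b in zip(times, times[1:]))

    def silent_flows(self, now):
        """{flow: seconds_silent} for learned flows whose last frame is older than allowed."""
        out = {}
        for flow, times in self._times.items():
            interval = self.learned_interval(flow)
            if interval is None:
                continue
            silent = now - times[-1]
            if silent > self.silence_factor * interval:
                out[flow] = silent
        return out


# Constructed capture: the RTU polls IED 1 and IED 2 every 2 s; IED 2 stops answering after t = 8.5 s
# (a down interface or broken link), while the RTU keeps polling it.
RTU, IED1, IED2 = "10.0.0.2", "10.0.0.10", "10.0.0.11"


def constructed_capture():
    frames = []
    for i in range(10):
        t = 2.0 * i
        frames += [(t, RTU, IED1), (t + 0.5, IED1, RTU), (t, RTU, IED2)]
        if t < 10.0:
            frames.append((t + 0.5, IED2, RTU))
    return sorted(frames)


def run_demo(now=20.0):
    """Replay the capture and return the flows that are silent at time `now`."""
    watchdog = PollWatchdog()
    for ts, src, dst in constructed_capture():
        watchdog.observe(ts, src, dst)
    return watchdog.silent_flows(now)


if __name__ == "__main__":
    for (src, dst), silent in run_demo().items():
        print(f"no frames {src}->{dst} for {silent:.1f}s")
```

Tracking directed flows rather than host pairs is what makes the failed response visible: the RTU's requests to IED 2 continue on schedule, so only the IED 2 to RTU direction goes silent, and that is the flow the watchdog reports.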
Unauthorized device sends ICS/SCADA operate command: With the whitelisted map created and since the tested NSM tool understands control system protocols, the tool was able to successfully detect when an unauthorized device initiates a command to a grid-edge device. In this case, the tool was able to learn the master-slave relationships of the network devices, and therefore become capable of detecting anomalies.

Failed or successful remote or local logins into an RTU or IED: The implemented devices were configured to sound an alarm upon either a successful or failed login. These alarms were then detected by the NSM tool.

Use of default passwords: By detecting the MAC address of each device on the network, the NSM tool is able to determine the specific manufacturer of that device. Using a built-in database of vendor-utilized default passwords, the NSM tool compares detected username and password pairs to this database. Whenever a match is found, a notification is produced identifying the networked device that has default usernames and passwords.
Dangerous ICS/SCADA DNP3 function code sent to an RTU: There are a number of built-in function codes that identify the health of the assets at the grid’s edge. These codes help determine the health of the assets and can be used to detect a number of man-in-the-middle attacks. In both cases, the NSM tool accurately captured and logged these events.

Malformed ICS protocol packet sent to master: These packets indicate advanced levels of spoofing. Since the NSM tool is aware of the utilized control system protocols, it was able to detect a variety of malformed packets.

Port scanning or other network profiling activities: As demonstrated by Industroyer, the first malware specifically designed to attack power systems, trusted devices can become rogue and start initiating port scans [7]. This attack demonstrated the need to be able to detect any port scanning, even though these actions may originate from a device that is already located within the trusted control system network.

IP spoofing and ARP poisoning: There are several control system protocols and devices that are vulnerable to advanced levels of spoofing and ARP poisoning. By examining each communication packet at multiple layers of the OSI model, the NSM tool was able to alarm on these events.

Anomalous utility operator activities (either intentional or accidental): Since the tested NSM tool can be configured to be contextually aware of the control application and already understands the utilized protocols, triggers were created that monitor for suspicious or unrealistic operations. For instance, multiple back-to-back breaker open commands can be classified as suspicious activity and therefore warrant a notification. This type of event was also observed in the 2016 Ukraine cyberattack that resulted in the physical loss of power [7].
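The whitelist confirmed from the IED settings files (Section 2.C), the unauthorized operate command, the dangerous DNP3 function code and the back-to-back breaker command cases above all reduce to one inspection: read the DNP3 function code of each request seen on the mirror port and check it against who is allowed to send it and how often. The Python below is an added example, not the evaluated NSM tool's code, of that inspection. The IP addresses, the whitelist, the threshold of three control operations within two seconds and the sample frames are constructed; the sample frames carry zeroed link-layer CRCs, and the parser does not verify CRCs, which a production monitor must do before trusting any field.

```python
"""Passive DNP3 request monitor for the SPAN-port setup described in this paper (added example;
not the evaluated NSM tool). It reads frames copied from the mirror port and never transmits.
Sample frames are constructed; their link-layer CRCs are left zero and are not verified here."""
from collections import defaultdict, deque
from dataclasses import dataclass
import struct

# DNP3 application-layer request function codes (IEEE 1815); only the ones used here are listed.
FUNCTION_NAMES = {
    0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
    0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR", 0x0D: "COLD_RESTART",
    0x0E: "WARM_RESTART", 0x12: "STOP_APPL", 0x14: "ENABLE_UNSOLICITED", 0x15: "DISABLE_UNSOLICITED",
}
CONTROL_CODES = {0x03, 0x04, 0x05, 0x06}   # select/operate family: breaker and other control points
DANGEROUS_CODES = {0x0D, 0x0E, 0x12}       # restart or stop the outstation application


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time, seconds
    src_ip: str
    dst_ip: str
    payload: bytes  # TCP payload as copied from the mirror port


def parse_request(payload):
    """Return (link_dest, link_src, function_code) for a DNP3 request, or None if not DNP3.

    Layout: 0x05 0x64, length, link control, dest (LE16), src (LE16), CRC (2 bytes),
    then the first user-data block: transport header, application control, function code.
    """
    if len(payload) < 13 or payload[:2] != b"\x05\x64":
        return None
    dest, src = struct.unpack_from("<HH", payload, 4)
    return dest, src, payload[12]


def sample_request(fc, dest=1, src=3):
    """Constructed minimal DNP3 request carrying only a function code (CRC zeroed)."""
    header = b"\x05\x64" + bytes([8]) + b"\xC4" + struct.pack("<HH", dest, src) + b"\x00\x00"
    return header + b"\xC0" + b"\xC0" + bytes([fc])  # transport, app control, function code


class Dnp3Monitor:
    def __init__(self, allowed_masters, burst_threshold=3, burst_window=2.0):
        # {outstation_ip: {master_ip, ...}} as confirmed from the IED settings review.
        self.allowed_masters = allowed_masters
        self.burst_threshold = burst_threshold
        self.burst_window = burst_window
        self._controls = defaultdict(deque)   # (src, dst) -> timestamps of recent control ops
        self.alerts = []

    def observe(self, frame):
        """Inspect one frame; return the list of alert kinds it raised (also kept in self.alerts)."""
        parsed = parse_request(frame.payload)
        if parsed is None:
            return []
        _, _, fc = parsed
        name = FUNCTION_NAMES.get(fc, f"FC_0x{fc:02X}")
        raised = []
        if frame.src_ip not in self.allowed_masters.get(frame.dst_ip, set()):
            raised.append(("unauthorized_master", f"{frame.src_ip} sent {name} to {frame.dst_ip}"))
        if fc in DANGEROUS_CODES:
            raised.append(("dangerous_function_code", f"{name} to {frame.dst_ip} from {frame.src_ip}"))
        if fc in CONTROL_CODES:
            recent = self._controls[(frame.src_ip, frame.dst_ip)]
            recent.append(frame.ts)
            while recent and frame.ts - recent[0] > self.burst_window:
                recent.popleft()
            if len(recent) >= self.burst_threshold:
                raised.append(("control_burst",
                               f"{len(recent)} control ops {frame.src_ip}->{frame.dst_ip} "
                               f"within {self.burst_window}s"))
        self.alerts.extend(raised)
        return [kind for kind, _ in raised]


# Constructed whitelist and traffic: RTU 10.0.0.2 is the only master allowed to talk to IED 1 (10.0.0.10).
ALLOWED = {"10.0.0.10": {"10.0.0.2"}}
CONSTRUCTED_TRAFFIC = [
    Frame(0.0, "10.0.0.2", "10.0.0.10", sample_request(0x01)),    # routine poll
    Frame(1.0, "10.0.0.77", "10.0.0.10", sample_request(0x05)),   # unknown device issues DIRECT_OPERATE
    Frame(2.0, "10.0.0.2", "10.0.0.10", sample_request(0x0D)),    # allowed master, but a cold restart
    Frame(3.0, "10.0.0.2", "10.0.0.10", sample_request(0x05)),
    Frame(3.5, "10.0.0.2", "10.0.0.10", sample_request(0x05)),
    Frame(4.0, "10.0.0.2", "10.0.0.10", sample_request(0x05)),    # third control op inside 2 s
    Frame(5.0, "10.0.0.2", "10.0.0.10", b"GET / HTTP/1.1\r\n"),   # not DNP3; ignored by this monitor
]


def run_demo(traffic=CONSTRUCTED_TRAFFIC, allowed=ALLOWED):
    """Feed the constructed traffic; return per-frame alert kinds and the full alert log."""
    monitor = Dnp3Monitor(allowed)
    per_frame = [monitor.observe(frame) for frame in traffic]
    return per_frame, monitor.alerts


if __name__ == "__main__":
    for kind, detail in run_demo()[1]:
        print(f"{kind}: {detail}")
```

Run stand-alone, it prints the three alerts the constructed traffic raises. In a deployment the frames come from the RX-only interface on the span port, the whitelist is the master-outstation map confirmed from the settings files rather than a literal, and the burst threshold is set from what the control application actually does, since the same rule that flags repeated breaker-open commands will also fire on a legitimate but unusual switching sequence.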
Brian Proctor, Forescout

Brian has spent most of his career (13+ years) as an ICS/SCADA cybersecurity engineer and cybersecurity team lead working for two progressive California Investor Owned Utilities (IOUs). He holds a variety of technical certifications, including the Global Industrial Control System Professional (GICSP), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), and is certified in project management from University of California at Irvine. In 2013, Brian was presented with the Critical Infrastructure Private Sector award from Securing Our eCity, a San Diego based cybersecurity non-profit organization. In 2016, Brian was a co-inventor of an R&D magazine top 100 award winner for one of the top inventions of the year relating to a GPS anti-spoofing mitigation technology.