Looking for Trouble on OT Networks
Tools and Techniques to Identify Threats to ICS Communications
2015 ISA Water / Wastewater and Automatic Controls Symposium
August 4-6, 2015 – Orlando, Florida, USA
Speakers:
Bryan Singer, CISSP, CAP
Kenexis
2015 ISA WWAC Symposium
Aug 4-6, 2015 – Orlando, Florida, USA
Presenter
• Bryan L Singer, CISSP, CAP
– Principal Investigator, Kenexis
– Previous Chairman ISA-99 Industrial Automation and Control Systems Security
– Experienced in cyber forensic investigations, network architecture and design, security assessments, software coding, penetration testing, vulnerability research, malware research, and system commissioning
– Co-Author: Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS (ISBN: 1439801967)
• Email: bryan.singer@kenexis.com
• Twitter: @BryanLSinger
Presentation Outline
• Defining “Trouble” - The challenges to understanding OT networks
• Looking for Trouble - Methods of Capture
• Removing Trouble - Analysis of OT Networks
– Performance Analysis
– Network Security Monitoring (NSM)
DEFINING TROUBLE
Challenges to Understanding OT Networks
Greatest Hits
• In Nearly 20 Years of Industrial Networking:

Problem | Network Cause
--- | ---
18 Month Delayed Startup and $10k/week | Traced to >50% of fiber terminated improperly and poor switch design
Catastrophic failure of batch process in pharma | Excessive latency and jitter due to consumer grade network switches susceptible to electric noise
$8 Million product loss in engine plant | Active virus on an open network
“Air Gapped” network in entertainment (ride) industrial critical failure resulted in system rebuild | Maintenance laptop introduced virus to network
Safety Incident on Engine Production Line | Saturated network caused communication error

Network Problems Often Cause Unseen Process Failures
Symptoms of OT Network Problems
• Intermittent Failures
• Nuisance Trips
• Stale HMI Data
• Missing HMI Data
• Errant behavior on HMI
• Reports from IT of “errors”
• Loss of remote communications
Understanding IT versus OT Network Performance
• IT Networks: Bandwidth, Port Density, and Performance of Core and Distribution Switches
• OT Networks: All about Latency and Jitter across Distribution and Access Switches
• IT Networks: Short TCP Session times
• OT Networks: Long TCP sessions and as many as 19 different TCP sessions for a single process instruction
OT Network Performance Considerations

Network Layer | Consideration
--- | ---
Physical Layer | Media Integrity, electrical or RF integrity, collision prevention
Network Performance Layer | Bandwidth, Network Protocol Distribution, proper switch capacity and design
Communications Layer | Performance of the industrial protocols themselves
Security Layer | Ability to detect, report, and respond to security events

Every Plant Should Have Appliances, Software, and other Tools to Manage Network performance at each layer!
LOOKING FOR TROUBLE
I Have a Particular Set of Skills… I will hunt you down, and I will find you
Successful Management of OT Networks
• What data to capture – online analysis with COTS tools and manual analysis with PCAP data
• How to analyze and interpret the data – Expert Info tools, knowing where to capture
• What to do with the data – Compare to Process Historians, maintenance records, or manual observations
Types of Monitoring
• Passive Monitoring
– PCAP
– Wireshark, TCPDump
– Network Miner
• Active Monitoring
– IDS/HIDS/NIDS such as Snort, FireEye, etc
– NSM
– Netflow, Syslog, SolarWinds, etc
Physical Layer
• Validate Media
• Protect physical media and cable runs
• Test physical media (cable testers, Fluke meters, etc.)
Network Layer Resources
• Syslog
• Commercial Tools
– IntraVue
– SolarWinds
• Open Source
– Wireshark and PCAP Analysis
Network Layer: Protocol Distribution
• From Wireshark Expert Info tools
Network Layer: Conversations
• From Wireshark Conversations Tab
• Shows top talkers and helps identify problem devices
Network Layer: IO Graph
• Wireshark IO Graphs
• Show performance of communications over time
• Help show dropouts
Tools for the Network Layer
• Wireshark PCAP
– Conversations Tab and Protocol dissectors
• Vendor specific tools
• Manual Analysis of PCAP Data
• Emerging tools for OT protocol performance
Protocol Layer
• This is the hard one, and rarely is it managed well
• Many networks have been seen to be sound from an IT perspective, yet don’t work for industrial protocols
• Typical failures come from not following vendor recommended network design or excessive network latency / jitter due to design limitations
• Successful analysis of this layer requires protocol specific knowledge (EtherNet/IP, MODBUS, etc)
• SolarWinds or similar solutions indicate network stack up or down via IGMP, but to analyze protocol performance you need to look at the protocol itself
Protocol Layer
• Quick succession of command/response packets
• Minimal delay in command/response sequence
• Apparently large delay in a single packet
• Example: Rockwell tag reads
[Figure: packet timeline of Rockwell tag reads, annotated “Quick Succession Read Commands” and “Delay Until Next Time Sequence”]
Protocol Layer
[Figure: Measured Packet Interval (ms) plotted against Test Time (s) for a ~62 sec test; Mean MPI = 2ms, Min ~ 1.2, Max ~ 2.9]
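A worked version of the analysis the Network Layer and Protocol Layer slides describe (protocol distribution, Conversations-tab top talkers, and the measured packet interval with its mean/min/max and dropouts), written for this page as an added example rather than code from the slides or Kenexis. The capture records, the 10.1.1.x addresses, the "cip" label standing in for EtherNet/IP tag reads, and the ~2 ms read spacing with one 250 ms gap are constructed sample data; the script plays the role Wireshark's Conversations tab and IO Graph play against a real PCAP.

```python
"""Packet-interval, protocol-distribution and top-talker analysis over a
constructed OT capture. Added example, not code from the slides or Kenexis;
the records below are constructed sample data standing in for a PCAP."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds, as Wireshark shows it
    src: str
    dst: str
    proto: str     # dissector label; "cip" stands in for EtherNet/IP tag reads
    length: int    # frame length in bytes


def build_sample_capture():
    """Constructed capture: an HMI polling a PLC for tags at ~2 ms spacing
    (the 'quick succession' read pattern), with one 250 ms gap that should
    show up as a dropout, plus a little unrelated background traffic."""
    hmi, plc = "10.1.1.20", "10.1.1.10"
    intervals_ms = [2.0, 1.2, 2.9, 2.0, 1.7, 250.0, 2.2, 2.0]
    pkts = []
    t_us = 1_000_000                      # start 1 s into the capture
    for i in range(len(intervals_ms) + 1):
        src, dst = (hmi, plc) if i % 2 == 0 else (plc, hmi)   # request / response
        pkts.append(Packet(t_us / 1e6, src, dst, "cip", 78))
        if i < len(intervals_ms):
            t_us += round(intervals_ms[i] * 1000)
    pkts.append(Packet(1.0005, hmi, "10.1.1.1", "ntp", 90))
    pkts.append(Packet(1.1, "10.1.1.30", "broadcast", "arp", 60))
    return pkts


def protocol_distribution(pkts):
    """Packet count per protocol, like Wireshark's protocol hierarchy view."""
    return Counter(p.proto for p in pkts)


def conversations(pkts):
    """Bidirectional conversations: unordered endpoint pair -> [packets, bytes]."""
    acc = defaultdict(lambda: [0, 0])
    for p in pkts:
        key = tuple(sorted((p.src, p.dst)))
        acc[key][0] += 1
        acc[key][1] += p.length
    return dict(acc)


def top_talkers(pkts, n=3):
    """Conversations ranked by bytes, the 'top talkers' of the Conversations tab."""
    return sorted(conversations(pkts).items(), key=lambda kv: kv[1][1], reverse=True)[:n]


def packet_intervals(pkts, a, b):
    """Measured packet intervals (MPI, in ms) between consecutive packets
    exchanged between endpoints a and b, in either direction."""
    ts = sorted(p.ts for p in pkts if {p.src, p.dst} == {a, b})
    return [round((t2 - t1) * 1000.0, 3) for t1, t2 in zip(ts, ts[1:])]


def interval_stats(intervals, ignore_above=None):
    """Mean/min/max MPI; with ignore_above set, gaps longer than that many ms
    are left out so the steady-state figures are not skewed by dropouts."""
    kept = [v for v in intervals if ignore_above is None or v <= ignore_above]
    return {"mean": round(mean(kept), 3), "min": min(kept), "max": max(kept)}


def dropouts(intervals, limit_ms):
    """Indices of intervals longer than limit_ms: the gaps an IO graph shows."""
    return [i for i, v in enumerate(intervals) if v > limit_ms]


if __name__ == "__main__":
    cap = build_sample_capture()
    print("protocol distribution:", dict(protocol_distribution(cap)))
    print("top talkers:", top_talkers(cap))
    mpi = packet_intervals(cap, "10.1.1.20", "10.1.1.10")
    print("MPI (ms):", mpi)
    print("all intervals:", interval_stats(mpi))
    print("steady state:", interval_stats(mpi, ignore_above=10.0))
    print("dropouts at index:", dropouts(mpi, 10.0))
```

Note how the single 250 ms gap pulls the overall mean to 33 ms while the steady-state mean stays at 2 ms; reporting both, plus the dropout positions, is what lets a network event be lined up against a process historian entry.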
Security Layer
• Tools for Watching the Security Layer
– Intrusion Detection Systems
– Snort, Bro-IDS, Suricata, FireEye
– Get familiar with Security Onion
– Manual Analysis using Wireshark (no magic at the packet layer)
– Network Security Monitoring (NSM) such as FireEye
• Each facility should have at least IDS at the OT border/DMZ
Security Layer: Intrusion Detection
Security Layer: IDS
REMOVING TROUBLE
What to Do with the Data
• Correlate network events to process events where possible
• Replace and reroute physical media as necessary
• Review ladder logic, test media, and further analyze network traffic where protocol issues exist
• Utilize forensic tools to remove security threats
Key OT Network Design Considerations
• Utilize Layer 3 Management on Core and Distribution layers as much as possible
• Establish recovery point objectives to ensure that network availability is in line with process availability – never have a 5 hour network support a 5 minute process!
• Utilize IDS/HIDS/NIDS at core and distribution layers where possible
Key Takeaways / Summary
• Every plant should have tools to:
– Diagnose Physical Network Media
– Gather network PCAP and monitor network health (Wireshark, SolarWinds, etc)
– Monitor industrial protocol specific performance
– IDS/HIDS/NIDS or other NSM to monitor for security events
• Bryan L Singer, CISSP, CAP
– Bryan.singer@Kenexis.com
– Twitter: @BryanLSinger