Presented @ ISA Process Control & Safety Symposium
October 8, 2014
Description of the Kenexis project to build an ICS performance and security lab-in-a-box. This talk accompanies a live demo of the lab equipment.
5. Industrial Network Types & Metrics: Publish/Subscribe
• Difference between TPub_Com_Init & TSub_Com_Init is network roundtrip delay
• TPub_Com_Init, TSub_Com_Init not important
• Variability in TPub much more important
• Theoretically, TPub doesn’t need to match TSub
– In production systems, they are the same
[Timing diagram: Subscriber and Publisher timelines showing TPub_Com_Init, TPub_1, TPub_2 … TPub_N-1, TPub_N on the publisher side and TSub_Com_Init … TSub_M on the subscriber side]
6. Performance Testing Methodology: Performance Metrics
• Command/response or master/slave communications
• Main performance metric: Latency
• Large numbers of protocols use this
– Most (All?) PC-based server/client protocols – HTTP(S), (S)FTP, etc.
– Most industrial protocols – Modbus/TCP, Profinet, Ethercat, etc.
7. Industrial Network Types & Metrics: Command/Response
• Difference between TCom_Delay & TRes is network roundtrip delay
• Latency in TCom & TRes important
[Timing diagram: Commander and Responder timelines showing TCom_1, TCom_Delay_1, TRes_1, then TCom_2, TCom_Delay_2, TRes_2]
8. Isolating Traffic Streams
• Isolating traffic streams can be tricky
• 10s to 100s of traffic streams in a production environment
• Your Wireshark Fu must be strong!
• Usually requires additional post-processing
• Multiple streams can exist between same devices
9. Isolating Traffic Streams
• Traffic pairs
– Source IP/MAC address
– Destination IP/MAC address
– Source TCP/UDP port
– Destination TCP/UDP port
• Publish/Subscribe
– Communication stream ID
– Sequence number (optional)
• Command/Response
– Command message/field
– Response message/field
– Message ID (optional)
10. Test Time vs. Packet Interval
[Plot: Measured Packet Interval (ms) vs. Test Time (s) over a ~62 sec test; Mean MPI = 2 ms, Min ~1.2 ms, Max ~2.9 ms]
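The traffic-pair keys from slide 9 and the packet-interval and latency metrics from slides 6, 7 and 10, as an added Python example that is not part of the talk: it reads a constructed tshark-style CSV (timestamp, src, dst, sport, dport, kind) and computes per-stream mean/min/max publish interval plus command-to-response latency. The `kind` column (pub/cmd/res) is an assumed pre-classification standing in for the protocol-specific stream ID or message ID fields the slide lists.

```python
import csv, io, statistics
from collections import defaultdict
# Constructed sample (one row per packet): time_s, src, dst, sport, dport, kind
SAMPLE = """\
0.0000,10.0.0.5,10.0.0.9,2222,2222,pub
0.0020,10.0.0.5,10.0.0.9,2222,2222,pub
0.0032,10.0.0.5,10.0.0.9,2222,2222,pub
0.0061,10.0.0.5,10.0.0.9,2222,2222,pub
0.0080,10.0.0.5,10.0.0.9,2222,2222,pub
0.0005,10.0.0.7,10.0.0.9,50123,502,cmd
0.0017,10.0.0.9,10.0.0.7,502,50123,res
0.0105,10.0.0.7,10.0.0.9,50123,502,cmd
0.0140,10.0.0.9,10.0.0.7,502,50123,res
"""

def parse(text):
    fields = ["t", "src", "dst", "sport", "dport", "kind"]
    rows = list(csv.DictReader(io.StringIO(text), fieldnames=fields))
    for r in rows:
        r["t"] = float(r["t"])
    return sorted(rows, key=lambda r: r["t"])  # captures interleave streams

def stream_key(r):
    """Traffic-pair key from slide 9: src/dst address and src/dst port."""
    return (r["src"], r["dst"], r["sport"], r["dport"])

def publish_intervals_ms(rows):
    """Per publisher stream: (mean, min, max) packet interval in ms."""
    by_stream = defaultdict(list)
    for r in rows:
        if r["kind"] == "pub":
            by_stream[stream_key(r)].append(r["t"])
    out = {}
    for key, times in by_stream.items():
        gaps = [(b - a) * 1000 for a, b in zip(times, times[1:])]
        if gaps:  # a stream with a single publish yields no interval
            out[key] = (statistics.mean(gaps), min(gaps), max(gaps))
    return out

def command_latencies_ms(rows):
    """Latency per command stream: command sent until matching response."""
    pending, latencies = {}, defaultdict(list)
    for r in rows:
        if r["kind"] == "cmd":
            pending[stream_key(r)] = r["t"]  # TCom_N sent, awaiting TRes_N
        elif r["kind"] == "res":  # response travels the reversed 4-tuple
            cmd = (r["dst"], r["src"], r["dport"], r["sport"])
            if cmd in pending:
                latencies[cmd].append((r["t"] - pending.pop(cmd)) * 1000)
    return dict(latencies)
```

A real capture can be exported in the same column order with `tshark -r capture.pcap -T fields -E separator=, -e frame.time_relative -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport`, with the `kind` column added by whatever protocol dissector field identifies the stream.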
11. Time Plot for Command/Response
[Time plot: a regular pattern of delayed packets alongside a regular pattern of minimally delayed packets]
12. Command/Response Timing Plots
• Quick succession of command/response packets
• Minimal delay in command/response sequence
• Apparently large delay in a single packet
• Example: Rockwell tag reads
[Plot annotations: quick succession of read commands, then a delay until the next time sequence]
14. Building an ICS Lab
• Goals
– Develop a portable lab
– Capable of demonstrating ICS security
– Use real ICS equipment to analyze ICS protocol performance
• Purpose
– Training
– Demonstration
– Potential Sales
15. Control System
• Equipment
– PLC
– Digital & Analog I/O
– Industrial PC
– Layer 2+ network switch
• Protocols
– EtherNet/IP
– Modbus/TCP
• PLC I/O Lighted Buttons
• Button lights are isolated from the NO/NC switch action
• Ladder logic to light button on push
16. Performance & Security Testing
• Denial of service testing
• Performance analysis
• Control lights separate from button pushes
• Spoof button push signals
• Issue Run/Stop commands to controller
• Test IP reassignment via industrial protocols
• Demonstrate pivoting
17. Questions
• Contact Me
– Jim Gilsinn
– 301-706-9985 or 614-323-2254
– jim.gilsinn@kenexis.com
– Twitter – @JimGilsinn
– LinkedIn – http://www.linkedin.com/in/jimgilsinn/
– SlideShare – http://www.slideshare.net/gilsinnj