ICS Performance Lab

•Download as PPTX, PDF•

1 like•671 views

Presented @ ISA Process Control & Safety Symposium October 8, 2014 Description of the Kenexis project to build a ICS performance and security lab-in-a-box. This talk accompanies a live demo of the lab equipment.

Technology

Standards
Certification
Education & Training
Publishing
Conferences & Exhibits
ICS Performance Lab
Jim Gilsinn
Kenexis Security

Jim Gilsinn - Bio
• Senior Investigator, Kenexis Security
• ISA-99 Committee (ISA/IEC 62443 Standards)
– Co-Chair, ISA99 Committee
– Co-Chair, ISA99 WG2, Security Program
• 23 years engineering experience
– Last 13 doing ICS networks and cyber security
• MSEE specializing in control theory
2

Industrial Network Types & Metrics:
Publish/Subscribe
• Publish/subscribe or peer-to-peer communications
• Main performance metric: Cyclic frequency
variability/jitter
• Real-time EtherNet/IP™ uses publish/subscribe
– Requested/Accepted Packet Interval (RPI/API)
– Measured Packet Interval (MPI)
4

Industrial Network Types & Metrics:
Publish/Subscribe
• Difference between
TPub_Com_Init &
TSub_Com_Init is network
roundtrip delay
• TPub_Com_Init, TSub_Com_Init
not important
• Variability in TPub much
more important
• Theoretically, TPub
doesn’t need to match
TSub
– In production systems,
they are the same
Subscriber Publisher
TPub_Com_Init
TPub_1
TPub_2
TPub_N-1
TPub_N
TSub_Com_Init
TSub_M
.
.
.
5

Performance Testing Methodology:
Performance Metrics
• Command/response or master/slave communications
• Main performance metric: Latency
• Large numbers of protocols use this
– Most (All?) PC-based server/client protocols – HTTP(S), (S)FTP,
etc.
– Most industrial protocols – Modbus/TCP, Profinet, Ethercat, etc.
6

Industrial Network Types & Metrics:
Command/Response
• Difference between
TCom_Delay & TRes is
network roundtrip
delay
• Latency in TCom &
TRes important
Commander Responder
TRes_1
TRes_2
TCom_Delay_1
TCom_1
TCom_Delay_2
TCom_2
7

Isolating Traffic Streams
• Isolating traffic streams can be tricky
• 10’s – 100’s of traffic streams in production environment
• Your Wireshark Fu must be strong!
• Usually requires additional post-processing
• Multiple streams can exist between same devices
8

Isolating Traffic Streams
• Traffic pairs
– Source IP/MAC address
– Destination IP/MAC address
– Source TCP/UDP port
– Destination TCP/UDP port
• Publish/Subscribe
– Communication stream ID
– Sequence number (optional)
• Command/Response
– Command message/field
– Response message/field
– Message ID (optional)
9

Test Time vs. Packet Interval
Measured Packet Interval (ms) ~62 sec test
Mean MPI = 2ms
Min ~ 1.2
Max ~ 2.9
Test Time (s)
10

Time Plot for Command/Response
Regular Pattern to Delayed Packets
Regular Pattern of Minimal Delayed Packets
11

Command/Response Timing Plots
• Quick succession of command/response packets
• Minimal delay in command/response sequence
• Apparently large delay in a single packet
• Example: Rockwell tag reads
Delay Until Next Time Sequence
Quick Succession Read Commands
12

Building an ICS Lab
• Goals
– Develop a portable lab
– Capable of demonstrating ICS security
– Use real ICS equipment to analyze ICS protocol performance
• Purpose
– Training
– Demonstration
– Potential Sales
14

Control System
• Equipment
– PLC
– Digital & Analog I/O
– Industrial PC
– Layer 2+ network switch
• Protocols
– EtherNet/IP
– Modbus/TCP
• PLC  I/O  Lighted Buttons
• Buttons have isolated light from NO/NC switch action
• Ladder logic to light button on push
15

Performance & Security Testing
• Denial of service testing
• Performance analysis
• Control lights separate from button pushes
• Spoof button push signals
• Issue Run/Stop commands to controller
• Test IP reassignment via industrial protocols
• Demonstrate pivoting
16

Questions
• Contact Me
– Jim Gilsinn
– 301-706-9985 or 614-323-2254
– jim.gilsinn@kenexis.com
– Twitter – @JimGilsinn
– LinkedIn – http://www.linkedin.com/in/jimgilsinn/
– SlideShare – http://www.slideshare.net/gilsinnj
17

What's hot

The CybatiWorks open platform serves as an educational environment for cyber-physical systems. The living laboratory platform uses low cost I/O, embedded devices, virtual machines and authentic automation protocols for participant cybersecurity education. The platform incorporates the Raspberry PI, PiFace I/O, Elenco Snap-Circuits, Fischertechnik components and an ICS-ified Kali Linux called CybatiWorks-1 to allow participants to build, break and cybersecure small control environments. CYBATI has performed years of research to develop this platform and is making it available for early access, school sponsorship and integrated education via the Kickstarter project announced during the session.

Open Platform for ICS Cybersecurity Research and Education

EnergySec

This presentation explains the ANSI/ISA-99 and IEC 62443 standards for industrial control systems (ICS). It describes the Zone and Conduit security model and how it is used in an plant or factory. As well, the issues of security configuration errors are discussed. A case history of zone security deployment for a Safety Integrated System in a refinery is provided. For additional information see www.tofinosecurity.com.

ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)

Byres Security Inc.

Havex Deep Dive (English)

Digital Bond

Protecting Your DNP3 Networks

Chris Sistrunk

ICS Security 101 by Sandeep Singh

OWASP Delhi

Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause. This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC. This talk will not cover Windows or *nixbased devices such as Human Machine Interfaces (HMIs) or gateways.

Blackhat USA 2016 - What's the DFIRence for ICS?

Chris Sistrunk

What to Do When You Don’t Know What to Do: Control System Patching Problems a...

EnergySec

RSAC 2016: How to Get into ICS Security

Chris Sistrunk

Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...

Honeywell

Presented by: Lucas Apa and Carlos Mario Penagos, IOActive Abstract: The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made might be modified, this could lead to unexpected, harmful, and dangerous consequences. This presentation demonstrates attacks that exploit key distribution vulnerabilities we recently discovered in every wireless device made by three leading industrial wireless automation solution providers. We will review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions.

Compromising Industrial Facilities From 40 Miles Away

EnergySec

Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Honeywell

A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020

Jiunn-Jer Sun

S4xJapan Closing Keynote

Digital Bond

Taking a closer look at level 0 and level 1 security

Matt Loong

Dncybersecurity

Anne Starr

Nist 800 82 ICS Security Auditing Framework

MarcoAfzali

Is your ICS breached? Are you sure? How do you know? The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.

DEF CON 23 - NSM 101 for ICS

Chris Sistrunk

Your SCADA system has a vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.

BSidesAugusta ICS SCADA Defense

Chris Sistrunk

This presentation was given at BSides Las Vegas 2015. The modern times that we live in, the gentle shift that we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day to day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is raising and governmental regulations are being established and implement. However, this also means that the need for ICS security professionals is raising as well. More and more security professionals/firms are starting to perform security assessments such as penetration testing on an ICS level. Two years ago I got the question if I was up for the challenge, converting myself from a ‘normal’ security professional to a ICS specific security professional. The purpose of this talk would be to provide a starting point for security professionals that want to make the shift towards ICS Security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk instead in contrast to an ICS 101 talk.

The journey to ICS - Extended

Larry Vandenaweele

Presented by: Chris Sistrunk, Entergy Abstract: IT folks have been doing it for years – building labs to test new products before rolling them out – but the concept is still rather revolutionary to most practitioners of SCADA security. Yet the benefits of a lab are many, including training staff and solving real-world problems by replicating and attacking them in the relatively low-risk lab environment. But how do you pitch this (not inexpensive) idea in a way that gets organizational buy-in? And if your organization is just too small, what are the factors to considering when using a third-party lab? Hear ideas and ask questions of someone who evolved his organization’s capabilities from one small lab to five complete labs.

Come See What’s Cooking in My Lab

EnergySec

What's hot (20)

Open Platform for ICS Cybersecurity Research and Education

ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)

Havex Deep Dive (English)

Protecting Your DNP3 Networks

ICS Security 101 by Sandeep Singh

Blackhat USA 2016 - What's the DFIRence for ICS?

What to Do When You Don’t Know What to Do: Control System Patching Problems a...

RSAC 2016: How to Get into ICS Security

Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...

Compromising Industrial Facilities From 40 Miles Away

Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020

S4xJapan Closing Keynote

Taking a closer look at level 0 and level 1 security

Dncybersecurity

Nist 800 82 ICS Security Auditing Framework

DEF CON 23 - NSM 101 for ICS

BSidesAugusta ICS SCADA Defense

The journey to ICS - Extended

Come See What’s Cooking in My Lab

Similar to ICS Performance Lab

2015 02 antaira quarterly webinar optimizing a robust automation network

Jose Juan Santiago Gomez

In today’s connected world, cyber security is a topic that nobody can afford to ignore. In recent years the number and frequency of attacks on industrial devices and other critical infrastructure has risen dramatically. Recent news stories about hackers shutting down critical infrastructure have left many companies wondering if they are vulnerable to similar attacks. In this webinar we will discuss the most common security threats and unique challenges in securing industrial networks. We will introduce the current standards and share some useful resources and best practices for addressing industrial cyber security. Key Takeaways: 1. Gain perspective regarding common security threats facing industrial networks. 2. Learn about the relevant standards governing industrial cyber security. 3. Increase understanding of some best practices for securing industrial networks.

CyberSecurity Best Practices for the IIoT

Creekside Marketing Group, LLC

Industrial Ethernet case studies provide lessons learned as detailed in specific installations to gain practical advice from working installations, to ensure your next application uses the best practices to maximize benefits in a minimum amount of time. Ethernet survey results will be discussed. An exam and certificate are available for one professional development hour (PDH), according to Registered Continuing Education Program (RCEP) rules from the American Council of Engineering Companies.

Industrial Ethernet,Part 2: Case Studies

ControlEng

Embedded

Arpan Pal

Industrial Control Systems Security - A Perspective on Product Design (Sequi,...

sequi_inc

As we step into the Industrial IoT (Internet of Things) era, network reliability remains the first objective for factory control and automation systems. However, many people are not familiar with the unique requirements of Industrial Networks or their integration with traditional enterprise networks. In this webinar you will learn about the trends for SMART factories, best practices for network integration and some leading technologies available to help you design and build an industrial network that meets your needs today and in the future. Key Takeaways: 1. Understand the unique needs of industrial networks 2. Understand how they interface with traditional IT/Enterprise networks 3. Learn about some available technologies that address these needs

Smart Networks for the Industrial Internet of Things

Creekside Marketing Group, LLC

OPAL-RT Seminar on HYPERSIM

OPAL-RT TECHNOLOGIES

BRKIOT-2108.pdf

JokaTek

22 лютого відбувся Embedded Webinar #17 “Low-level Network Testing in Embedded Devices Development” від спікера Сергія Корнієнка. Під час вебінару ми говорили на такі теми: - Підхід до низькорівневого тестування мережевих протоколів; - Інструменти, які можна використати в реальних проєктах; - Знайдені баги та способи знаходження корневих причин на прикладі реального R&D проєкту. Відео та деталі заходу: https://bit.ly/embedded_webinar_17 Приєднатись до спільноти: https://www.facebook.com/groups/EmbeddedCommunity Відкриті Embedded-позиції у GlobalLogic: https://bit.ly/Embedded_Positions

Embedded Webinar #17 "Low-level Network Testing in Embedded Devices Development"

GlobalLogic Ukraine

Join us as Link Labs VP of Business Development and Cellular IoT Product Director, Glenn Schatz, discusses common misconceptions about LTE Cat-M1 and Cat-NB1 (NB-IoT), as well as how business and product leaders can use these transformative technologies to deliver value to their customers, while avoiding some of the pitfalls companies face when embarking on this journey. In this Webinar we will cover: What are the key features and benefits of LTE Cat-M1 and NB-IoT? What is the state of devices and network availability today? How do the various low-power modes work (PSM, eDRX, and vendor-specific), and how can they be used in my application? What are some of the risks and challenges of developing a product with one of these technologies? How much do these devices cost? What do the data plans look like? What is in store for the future with 2G and 3G sunsets (both CDMA and GSM) and the emergence of 5G?

Link labs LTE-M NB-IOT Hype Webinar slides

Brian Ray

Devising a practical approach to the Internet of Things

Gordon Haff

A presentation made while I was managing the UK OGSA Evaluation Project in 2004, while I was on leave from CSIRO, at UCL Computer Science department, working with Wolfgang Emmerich: in which we "believe 6 impossible things before breakfast". This project encountered and partially solved many of the problems that Cloud computing finally solved. Paul Brebner, Oxford University Computing Laboratory invited talk: "Grid middleware is easy to install, configure, debug and manage - across multiple sites (One can't believe impossible things)", 15 October 2004. The project web site is still here (2020): http://sse.cs.ucl.ac.uk/UK-OGSA/

Grid middleware is easy to install, configure, secure, debug and manage acros...

Paul Brebner

iot-component-dimensioning

sadiqFakheraldian

Tutorial: Maximizing Performance and Network Utility with a Science DMZ

Globus

Virtual Twins: Modeling Trends and Challenges Ahead

Brain IoT Project

UGM 2015: X1149 workshop

Interlatin

Securing the Internet of Things

Paul Fremantle

6 profiling tools

videos

UCT IoT Deployment and Challenges

The IOT Academy

Global C4IR-1 Masterclass Bowyer - McLaren 2017

Justin Hayward

Similar to ICS Performance Lab (20)

2015 02 antaira quarterly webinar optimizing a robust automation network

CyberSecurity Best Practices for the IIoT

Industrial Ethernet,Part 2: Case Studies

Embedded

Industrial Control Systems Security - A Perspective on Product Design (Sequi,...

Smart Networks for the Industrial Internet of Things

OPAL-RT Seminar on HYPERSIM

BRKIOT-2108.pdf

Embedded Webinar #17 "Low-level Network Testing in Embedded Devices Development"

Link labs LTE-M NB-IOT Hype Webinar slides

Devising a practical approach to the Internet of Things

Grid middleware is easy to install, configure, secure, debug and manage acros...

iot-component-dimensioning

Tutorial: Maximizing Performance and Network Utility with a Science DMZ

Virtual Twins: Modeling Trends and Challenges Ahead

UGM 2015: X1149 workshop

Securing the Internet of Things

6 profiling tools

UCT IoT Deployment and Challenges

Global C4IR-1 Masterclass Bowyer - McLaren 2017

More from Jim Gilsinn

Presented: September 21, 2017 At: CS2AI, Washington, DC A decade ago, ISA99 published the first standard in what is now the ISA/IEC 62443 series. Since then, the series has coalesced into the current form consisting of 13 individual documents in various stages of completion, publication, and/or revision. Printing out all of the existing standards and drafts can easily use up more than a ream of paper. It can be a daunting task to try to apply it to an organization. So, what are you supposed to do? How are you supposed to proceed? In this talk, I’ll go over some of the lessons I’ve learned from helping customers develop and evaluate security programs within their organization.

ISA/IEC 62443: Intro and How To

Jim Gilsinn

Presented @ 2016 ISA Process Control & Safety Symposium, November 10, 2016 The exchange of key information between business operations, suppliers, customers, production, and ultimately the production equipment itself can provide significant financial and productivity advantages. This presentation will discuss some practical approaches to utilizing the cyber security principles from ISA/IEC 62443 in order to integrate the business and production environments. It will also present some of the different solutions for meeting a variety of scenarios, such as data historians, patching/updating, and remote maintenance.

Practical Approaches to Securely Integrating Business and Production

Jim Gilsinn

Presented: BSidesDC 2015, Washington, DC, October 18, 2015 YouTube Video @ https://youtu.be/v3LBywLthjY Determining the overall health and security of an industrial control system (ICS) network is currently done by looking at the negative case. If the network infrastructure devices indicate that all the devices are connected and communicating, then the network must be operating correctly. If the controllers indicate that they are able to communicate with the other devices in the system, then the system must be operating correctly. If the network security monitoring (NSM) or security information and event management (SIEM) system are not indicating any security events, then the system must be operating correctly. In each of these cases, the assumption is that the system is operating correctly if there are no errors or events being indicated by any of the devices. In reality, the actual health and security of the system can only be determined by positive conditions. The communication streams need to be measured to determine that they are operating within certain limits based upon a desires set of conditions, like rate and maximum latency. Many controllers keep track of these factors for real-time communications, however they are often only recorded as averages and not high-fidelity measurements. This paper presents an approach to analyzing the real-time network traffic performance of an ICS by measuring the jitter and latency associated with individual network traffic streams in the system. By using statistical and mathematical analysis of the high-fidelity jitter and latency data, a network reliability factor can be determined and used to indicate the health of those traffic streams. The author will present a method to combine the individual network reliability factors into a network reliability monitoring system. Lastly, the author will discuss how network reliability monitoring can be used to indicate potential security problems by observing the network traffic patterns.

Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM

Jim Gilsinn

Presented @ BSidesDE, November 14, 2014 Cook like a hacker, and I don’t mean Ramen noodles, take-out pizza, and a bowl of cereal. A lot of hacking involves using a basic set of equipment, learning a powerful set of tools, following a basic set of procedures, a lot of improvising and experimenting, and learning from your mistakes. Cooking is the same. You can cook amazing meals, but it means that you have to be willing to apply a hacker-type mindset to an area that doesn’t involve computers.

Cook Like a Hacker!

Jim Gilsinn

Presented @ 2014 ICS Cyber Security Conference October 21, 2014 It’s been over a year since the NIST Cybersecurity Framework and ISA-62443-3-3 were published, ISA-62443-2-1 has been out for almost 5 years, and ISO/IEC 27001 & 27002 have been out for nearly a decade. NIST has already started their process for revisions, ISA is actively working to overhaul 62443-2-1, and ISO/IEC just published a major revision to their standard. In addition to these cross-domain standards, there are a multitude of local and sector-specific standards as well. As a consultant, we are often asked to use one of these as a baseline to help our customers generate an ICS cyber security program. This presentation will discuss some of the strengths and weaknesses of these different standards and the effort to integrate them into a realistic set of ICS cyber security program requirements.

Integrating the Alphabet Soup of Standards

Jim Gilsinn

Presented @ Emerson Exchange October 7, 2014 Industrial control systems (ICS) are large information technology (IT) systems. Office IT systems, failure of ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact to the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ISC turnaround work, using cyber-vulnerability assessment to focus turnaround work to only what is necessary.

Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...

Jim Gilsinn

Presented at the OPC Foundation's "The Information Revolution 2014" in Redmond, WA August 5-6, 2014 This presentation discusses the modes and methodologies an attacker may use against an industrial control system in order to create a complex process attack. The presentation then discusses some specific examples, both real and hypothetical. The presentation finishes with a description of some common ways in which an organization could defend itself against these types of attacks.

Cyber & Process Attack Scenarios for ICS

Jim Gilsinn

With the recent publication of ANSI/ISA-62443-3-3-2013, it is possible for end-users, system integrators, and vendors to qualify the capabilities of their systems from an ICS cyber security perspective. This process is not as simple as it may seem, though. In many cases, the capabilities of individual components of a system can be determined from specifications and manuals. The capabilities of the system also needs to be evaluated as a whole to determine how those individual components work together. Component-level and System-level certifications are common practice in the safety environment, and will eventually become common in the ICS cyber security environment as well. Certification bodies, like the ISA Security Compliance Institute (ISCI), have begun the process to develop certification efforts around ISA-62443-3-3. Until many more groups of components and systems have been officially certified, third-party assessments and evaluations will be common. This presentation will discuss an example of how Kenexis Consulting has evaluated a particular vendor’s components and systems to determine compliance with ISA-62443-3-3. The presentation will go through the evaluation methodology used and describe how Kenexis used the evaluation to develop a series of real-world use-cases of the components and system in the ICS environment.

Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3

Jim Gilsinn

Wireshark Network Protocol Analyzer

Jim Gilsinn

Presented @ ISA Safety & Security Symposium 2012 Aneheim, CA, April 2012 Wireshark is the de facto network packet analysis tool used in the industry today. It is an easily extensible open–source tool that provides a large number of capabilities for users. It’s not just for IT–based protocols either. Many industrial protocols have created packet decoders for Wireshark. This tutorial will provide the user with: * An introduction to protocol layering * A basic overview of packet capture and analysis * A demonstration of how Wireshark can be used for packet capture and analysis * Examples of some industrial protocol in Wireshark * An explanation of some more advanced features available in Wireshark

Network Packet Analysis with Wireshark

Jim Gilsinn

Presented @ 55th International Instrumentation Symposium League City, Texas, 1–5 June 2009 Ethernet is being used by a wider variety of industrial devices and applications. Industrial applications and systems require deterministic operations that traditional Ethernet and Transport Control Protocol / Internet Protocol (TCP/IP) suites were not originally designed to support. A standardized way to describe and test industrial devices is needed in order to aid users to characterize the performance of their software and hardware applications. The Manufacturing Engineering Laboratory (MEL) of the National Institute of Standards & Technology (NIST) has been working to develop a set of standardized network performance metrics, tests, and tools since 2002. NIST has cooperated with standards organizations and other groups during that time. NIST is presently working on developing an open-source test tool, called Industrial Ethernet Network Performance (IENetP), to aid vendors in characterizing the performance of their devices. The IENetP test tool will be capable of conducting a full series of performance tests and reporting the results to the user. The current version of the software is capable of analyzing network traffic and producing statistics and graphs showing the network performance of a device.

Test Tool for Industrial Ethernet Network Performance (June 2009)

Jim Gilsinn

More from Jim Gilsinn (11)

ISA/IEC 62443: Intro and How To

Practical Approaches to Securely Integrating Business and Production

Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM

Cook Like a Hacker!

Integrating the Alphabet Soup of Standards

Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...

Cyber & Process Attack Scenarios for ICS

Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3

Wireshark Network Protocol Analyzer

Network Packet Analysis with Wireshark

Test Tool for Industrial Ethernet Network Performance (June 2009)

Recently uploaded

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Discover the essentials of performance testing in the IT sector with our concise guide. Learn about various testing types such as load, stress, endurance, spike, scalability, and volume testing. Understand key performance metrics like response time, throughput, CPU and memory utilization, and error rate. Explore top tools like Apache JMeter, LoadRunner, Gatling, Neoload, and BlazeMeter. Gain insights into best practices for defining objectives, creating realistic scenarios, automating tests, and optimizing performance to ensure user satisfaction, reliability, scalability, and cost efficiency. Ideal for developers, QA engineers, and IT professionals. Visit Expeed Software for more information. https://expeed.com/

In-Depth Performance Testing Guide for IT Professionals

Expeed Software

I'm excited to share my latest predictions on how AI, robotics, and other technological advancements will reshape industries in the coming years. The slides explore the exponential growth of computational power, the future of AI and robotics, and their profound impact on various sectors. Why this matters: The success of new products and investments hinges on precise timing and foresight into emerging categories. This deck equips founders, VCs, and industry leaders with insights to align future products with upcoming tech developments. These insights enhance the ability to forecast industry trends, improve market timing, and predict competitor actions. Highlights: ▪ Exponential Growth in Compute: How $1000 will soon buy the computational power of a human brain ▪ Scaling of AI Models: The journey towards beyond human-scale models and intelligent edge computing ▪ Transformative Technologies: From advanced robotics and brain interfaces to automated healthcare and beyond ▪ Future of Work: How automation will redefine jobs and economic structures by 2040 With so many predictions presented here, some will inevitably be wrong or mistimed, especially with potential external disruptions. For instance, a conflict in Taiwan could severely impact global semiconductor production, affecting compute costs and related advancements. Nonetheless, these slides are intended to guide intuition on future technological trends.

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Peter Udo Diehl

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

How to differentiate Sales Cloud and CPQ on first glance might be tricky if you do not know where to look and what to look at. You will know :-) Managing the sales process within Salesforce is a common use case that can be managed with standart Sales Cloud. If you want to do entire quoting process you will find out Salesforce CPQ solution exists. What is then the difference if both can handle selling products? You will see comparison of 10 different features, which Sales Cloud and Salesforce CPQ handle differently. Simple question you will always remember if you should consider using Salesforce CPQ will be a cherry on top.

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

CzechDreamin

Speed Wins: From Kafka to APIs in Minutes

confluent

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

Screen flow is a powerful automation tool that is commonly designed for internal and external users. However, what about the guest users? We will dive into various methods of launching screen flows and understand how to make them publicly accessible, extending their usability to a broader audience. The presentation will also cover the implementation of security layers and highlight best practices for a smooth and protected user experience. Discover the potential of screen flows beyond conventional use and learn how to leverage them effectively.

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

CzechDreamin

The standard Salesforce Approval process can be limiting in many ways, especially in complex scenarios. What if there was a way to implement very flexible approvals where one can use Apex code to make data updates in unrelated records, dynamically generate next steps details, and compute assignees on the fly? And still use UI-based configurations to implement concrete approval processes. In this session, we will share ideas behind such a solution and show a few lines of code to get you started.

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

CzechDreamin

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.

"Impact of front-end architecture on development cost", Viktor Turskyi

Fwdays

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.

Search and Society: Reimagining Information Access for Radical Futures

Bhaskar Mitra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

Recently uploaded (20)

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Essentials of Automations: Optimizing FME Workflows with Parameters

In-Depth Performance Testing Guide for IT Professionals

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

How world-class product teams are winning in the AI era by CEO and Founder, P...

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

Speed Wins: From Kafka to APIs in Minutes

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

When stars align: studies in data quality, knowledge graphs, and machine lear...

"Impact of front-end architecture on development cost", Viktor Turskyi

UiPath Test Automation using UiPath Test Suite series, part 3

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

ODC, Data Fabric and Architecture User Group

Connector Corner: Automate dynamic content and events by pushing a button

Search and Society: Reimagining Information Access for Radical Futures

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

ICS Performance Lab

1. Standards Certification Education & Training Publishing Conferences & Exhibits ICS Performance Lab Jim Gilsinn Kenexis Security

2. Jim Gilsinn - Bio • Senior Investigator, Kenexis Security • ISA-99 Committee (ISA/IEC 62443 Standards) – Co-Chair, ISA99 Committee – Co-Chair, ISA99 WG2, Security Program • 23 years engineering experience – Last 13 doing ICS networks and cyber security • MSEE specializing in control theory 2

3. INTRO TO ICS NETWORK PERFORMANCE 3

4. Industrial Network Types & Metrics: Publish/Subscribe • Publish/subscribe or peer-to-peer communications • Main performance metric: Cyclic frequency variability/jitter • Real-time EtherNet/IP™ uses publish/subscribe – Requested/Accepted Packet Interval (RPI/API) – Measured Packet Interval (MPI) 4

5. Industrial Network Types & Metrics: Publish/Subscribe • Difference between TPub_Com_Init & TSub_Com_Init is network roundtrip delay • TPub_Com_Init, TSub_Com_Init not important • Variability in TPub much more important • Theoretically, TPub doesn’t need to match TSub – In production systems, they are the same Subscriber Publisher TPub_Com_Init TPub_1 TPub_2 TPub_N-1 TPub_N TSub_Com_Init TSub_M . . . 5

6. Performance Testing Methodology: Performance Metrics • Command/response or master/slave communications • Main performance metric: Latency • Large numbers of protocols use this – Most (All?) PC-based server/client protocols – HTTP(S), (S)FTP, etc. – Most industrial protocols – Modbus/TCP, Profinet, Ethercat, etc. 6

7. Industrial Network Types & Metrics: Command/Response • Difference between TCom_Delay & TRes is network roundtrip delay • Latency in TCom & TRes important Commander Responder TRes_1 TRes_2 TCom_Delay_1 TCom_1 TCom_Delay_2 TCom_2 7

8. Isolating Traffic Streams • Isolating traffic streams can be tricky • 10’s – 100’s of traffic streams in production environment • Your Wireshark Fu must be strong! • Usually requires additional post-processing • Multiple streams can exist between same devices 8

9. Isolating Traffic Streams • Traffic pairs – Source IP/MAC address – Destination IP/MAC address – Source TCP/UDP port – Destination TCP/UDP port • Publish/Subscribe – Communication stream ID – Sequence number (optional) • Command/Response – Command message/field – Response message/field – Message ID (optional) 9

10. Test Time vs. Packet Interval Measured Packet Interval (ms) ~62 sec test Mean MPI = 2ms Min ~ 1.2 Max ~ 2.9 Test Time (s) 10

11. Time Plot for Command/Response Regular Pattern to Delayed Packets Regular Pattern of Minimal Delayed Packets 11

12. Command/Response Timing Plots • Quick succession of command/response packets • Minimal delay in command/response sequence • Apparently large delay in a single packet • Example: Rockwell tag reads Delay Until Next Time Sequence Quick Succession Read Commands 12

13. BUILDING AN ICS LAB 13

14. Building an ICS Lab • Goals – Develop a portable lab – Capable of demonstrating ICS security – Use real ICS equipment to analyze ICS protocol performance • Purpose – Training – Demonstration – Potential Sales 14

15. Control System • Equipment – PLC – Digital & Analog I/O – Industrial PC – Layer 2+ network switch • Protocols – EtherNet/IP – Modbus/TCP • PLC  I/O  Lighted Buttons • Buttons have isolated light from NO/NC switch action • Ladder logic to light button on push 15

16. Performance & Security Testing • Denial of service testing • Performance analysis • Control lights separate from button pushes • Spoof button push signals • Issue Run/Stop commands to controller • Test IP reassignment via industrial protocols • Demonstrate pivoting 16

17. Questions • Contact Me – Jim Gilsinn – 301-706-9985 or 614-323-2254 – jim.gilsinn@kenexis.com – Twitter – @JimGilsinn – LinkedIn – http://www.linkedin.com/in/jimgilsinn/ – SlideShare – http://www.slideshare.net/gilsinnj 17

ICS Performance Lab

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to ICS Performance Lab

Similar to ICS Performance Lab (20)

More from Jim Gilsinn

More from Jim Gilsinn (11)

Recently uploaded

Recently uploaded (20)

ICS Performance Lab