SLIDE 1
Network Monitoring on Industrial Control Systems
Alvaro Cardenas, PhD. David I Urbina, PhD. candidate
1/13/15 2
- Introduction of NSM
- Long term goals
- Current Research
– ICS T
raffjc Analysis
– Intrusion Detection
- Some T
- ols for NSM
Network Monitoring on Industrial Control Systems Alvaro Cardenas, - - PowerPoint PPT Presentation
Network Monitoring on Industrial Control Systems Alvaro Cardenas, - - PowerPoint PPT Presentation
Network Monitoring on Industrial Control Systems Alvaro Cardenas, PhD. David I Urbina, PhD. candidate Introduction of NSM Long term goals Current Research ICS T raffjc Analysis Intrusion Detection Some T ools for NSM
SLIDE 2
SLIDE 3
1/13/15 3
Network Security Monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.
- Informit
SLIDE 4
1/13/15 4
Network Security Monitoring in ICS
SLIDE 5
1/13/15 5
Long term goals
- Improve Operational Situational Awareness (OSA).
- Improve Security Situational Awareness (SSA).
- Integrate OSA and SSA into the Control Centers.
SLIDE 6
1/13/15 6
Integration OSA and SSA in ICS
SLIDE 7
1/13/15 7
Traffjc Analysis
SLIDE 8
1/13/15 8
IP
Modbus/TCP
Ethernet 2 / 802.3
Data Data TCP Data Data Modbus Data Link Network Transport Application
Dissecting Modbus Packets
SLIDE 9
1/13/15 9
Modbus/TCP
SLIDE 10
1/13/15 10
Intrusion Detection
SLIDE 11
1/13/15 11
Detection methods:
- Knowledge-based intrusion-detection techniques
apply the knowledge accumulated about specifjc attacks and system vulnerabilities. (IT)
- Behavior-based intrusion-detection techniques
assume that an intrusion can be detected by
- bserving a deviation from the normal or expected
behavior of the system or the users. (ICS)
SLIDE 12
1/13/15 12
Detection methods:
- Knowledge-based intrusion-detection techniques
apply the knowledge accumulated about specifjc attacks and system vulnerabilities. (IT)
- Behavior-based intrusion-detection techniques
assume that an intrusion can be detected by
- bserving a deviation from the normal or expected
behavior of the system or the users. (ICS)
SLIDE 13
1/13/15 13
T1 T2
Law Abiding “Behavior”
B B B A A A
SLIDE 14
1/13/15 14
Physical Model
Using models to detect deviations
SLIDE 15
1/13/15 15
Which tools do we use?
SLIDE 16
1/13/15 16
- Ubuntu-based Linux
distribution for NSM.
- Free and open source GNU GPL v2
- Helps on:
– Deep Packet Inspection – Protocol Analysis – Traffjc Analysis – Intrusion Detection and Prevention
SLIDE 17
1/13/15 17
Deployment scenarios
– Standalone – Server-sensor
SLIDE 18
1/13/15 18
- Core functions
– Full packet capture → netsnifg-ng (http://netsnifg-ng.com) – Network-based IDS
- Snort (http://snort.org)
- Suricata (http://suricata-ids.org)
- Bro (http://bro-ids.org)
– Host-based IDS
- OSSEC (http://www.ossec.net)
– Analysis T
- ols
- Sguil (http://sguild.sourceforge.net)
- Squert (http://www.squertproject.org/)
- Snorby (https://snorby.org/)
- ELSA (https://code.google.com/p/enterprise-log-search-and-archive/ )
SLIDE 19
1/13/15 19
Extensible network analysis framework not restricted to any particular detection approach.
- Free and Open Source
Bro
SLIDE 20
1/13/15 20
Bro features
- Logging framework
- Multiple Traffjc Analyzers for IT and ICS protocols
- Extensible Analysis Architecture
- Domain-specifjc, Turing complete Scripting
language
SLIDE 21
1/13/15 21
Previous related research
- Analysis of Encrypted Traffjc
–
Best Paper Award, "On the Practicality of Detecting Anomalies with Encrypted T raffjc in AMI", IEEE SmartGridComm, 2014.
SLIDE 22
1/13/15 22