Security Experts:

Reconnaissance in Industrial Networks: What You Don't See Can Hurt You

Organizations that operate Industrial Control Systems (ICS) understand the critical nature of these assets and have led all business sectors in the  use of strong physical security controls. But ICS were built with process uptime and high availability in mind before cyber criminals were a threat. Today, cyber security in ICS is far behind IT security standards. This poses real risks to plant operations, personnel, the environment and the community in general.

Most cyber attacks on industrial networks begin with a thorough reconnaissance phase designed to gather as much intelligence as possible on human, network and protocol information, as well as information about the manufacturing process, industrial applications, and potential vulnerabilities.

Anatomy of the Reconnaissance Phase 

Industrial (OT) Network VisibilityA typical reconnaissance mission begins with identifying an initial target that will facilitate the intrusion into the organization. This can be accomplished using well known techniques such as social engineering, email phishing, etc. It is not uncommon to find unpatched workstations running legacy operating systems such as Windows XP in these operational environments. As a result, attackers can inject malicious code into these systems with relative ease to remotely access and compromise them. The attackers simply need a single point of entrance to get started.

Once inside the network, attackers can gain an understanding of the control process or look for system features that can be exploited to obtain access to critical assets, such as engineering workstations and controllers. Information gathering sometimes last for months, as attackers roam the network undetected.

ICS Reconnaissance Detection 

The leading obstacle to detecting reconnaissance activity in industrial networks is lack of visibility. Unlike IT environments where network monitoring solutions and audit trails are a standard best practice, most ICS environments lack these capabilities. Monitoring network activity in ICS environments is a challenge due to the usage of different protocols:

The communication of process data (tags, set points, etc.) between the operators and the industrial machines (I/Os) takes place over standard industrial data-plane protocols such as MODBUS, PROFINET, and DNP3. Since they are known, and well documented, it is relatively easy to monitor them. However, monitoring these protocols will not help detect reconnaissance activities.

ICS reconnaissance, like network scans and attempts to read the logic of a controller, takes place over control-plane engineering protocols. Unlike the well known data-plane protocols, the control-plane protocols are often proprietary and vendor specific. As such, most of them are unnamed and undocumented which makes them difficult to monitor. To make matters worse, engineering activities related to critical ICS assets, like reading or changing controller logic, re-configurations, and firmware upload/download aren’t monitored or logged. 

Full Visibility is Critical for Discovering Reconnaissance

This lack of visibility into control-plane activities means that reconnaissance operations can go undiscovered for long periods of time. However, that’s not the only reason control-plane activities should be monitored. Even more concerning is the fact that malicious control-plane activity can result in far more perverse attacks than those executed from the data-plane given the potential for deploying altered control logic to a controller. Altering the control logic of a PLC, RTU or DCS can trigger a catastrophic event that could be nearly impossible to stop by operators. Organizations that only monitor data-plane network traffic do not have a complete view of ICS activity. 

Full visibility and control of control-plane activity is required to maintain the security and safety of the ICS. The critical role engineering workstations play in deploying logic to controllers makes this visibility a key factor in preventing a cyber attack while also facilitating operational efficiencies.

Early Detection is the Key 

In order to mitigate the risks associated with reconnaissance, industrial organizations need early detection of suspicious activity like unauthorized network scans, attempts to read information from controllers and other unsanctioned control-plane activity. Providing operational engineers and cyber security personnel with complete visibility into the control-plane will enable them to detect and respond to suspicious activities to minimize or eliminate threats before operational disruptions can occur.

Related: Learn More at the Singapore ICS Cyber Security Conference 

view counter
Barak Perelman is CEO of Indegy, an industrial cyber-security firm that improves operational safety and reliability for industrial control networks by providing situational awareness and real-time security.