Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Industry experts worldwide have struggled for a long time, practically since the Stuxnet event in 2010, with the question of how to protect their Industrial Control Systems (ICS), which manage water and sewage, electricity supply, transportation, communications, public safety alerting systems and manufacturing facilities, from cyber-attack. All experts know well that there is no single cyber defense method, no matter how advanced or expensive, which can provide absolute defense: “there is no silver bullet”.
The alarm raised by the periodic publication of new zero-day vulnerabilities and new Common Vulnerabilities and Exposures (CVE) entries, together with the fact that ICS architectures cannot be frequently updated, upgraded or patched, is widening the “surface of concern”. Therefore, among many defense options, experts are selecting Intrusion Detection System (IDS) solutions in order to detect and mitigate an attack before damage occurs. Once such a decision is made, the next challenge is selecting from among the two dozen vendors offering IDS methods for ICS cyber defense.
Selecting between HIDS and NIDS
If your task is to protect a small-scale ICS with just a few computers, you may consider a Host-Based IDS (HIDS), but it will require installing the IDS software on the existing ICS computers. Some people refrain from this method, because every software change in the HMI or the engineering computer (often running a legacy operating system) carries a risk of malfunction. Alternatively, selecting a Network-based IDS (NIDS) requires adding a dedicated host to the control architecture; its interface to your ICS will be through “sniffer devices” or through the network switch, connecting to the “mirroring” port.
Selecting between Communication- or Process-oriented IDS
You may of course select both operating methods simultaneously if you feel that it is appropriate for defending your ICS from internally as well as externally generated cyber-attacks. The selection requires that for every ICS you list all the “attack vectors” and describe the “attack surface” as well. It is important to mention here that, according to best practices for ICS, we do not consider deploying an Intrusion Prevention System (IPS), because its operation intervenes in the ICS process.
Prior to describing the different IDS methods, it is important to mention that visibility analysis of the ICS network plays an important role. We are all well aware of the famous statement “You cannot protect what you do not know”, which means that you must have accurate details on your installed ICS.
The outcome of the visibility analysis (based on a self-learning process) will display important details required to support all types of IDS processes:
- Compile a list of devices connected to the ICS network (local and remotely connected IIoT), including details on the manufacturer, model number, installed firmware, IP addresses and more.
- Describe the baseline communication among these devices, providing detailed information on: rate of access, amount of data per session, type of data (encrypted/plaintext) and more.
- Through consistent data exchange with external databases, the IDS performing the visibility analysis will periodically update you on published CVEs specifically related to devices installed in your system.
Prior to dealing with the selection task, refer to the following paragraphs, which describe four IDS methods:
a) Detecting anomalies in communication sessions within the ICS network
Visibility analysis is the most basic process, and it can be done with minimal risk of causing malfunction. Upon completion of the visibility analysis using one of the available technologies, you will have a clear baseline picture of your installation, and consequently your IDS will detect any communication session that is out of the range defined by the baseline obtained through the lengthy self-learning process.
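As an added illustration of the self-learning baseline from the visibility analysis and the out-of-range session detection described above (example code written for this article, not any vendor's product; the session records, addresses and tolerance margin are constructed assumptions):

```python
# Constructed session records (hypothetical values, not from the article):
# (source, destination, protocol, bytes transferred in the session).
LEARNING_SESSIONS = [
    ("10.0.1.10", "10.0.2.21", "modbus", 240),
    ("10.0.1.10", "10.0.2.21", "modbus", 256),
    ("10.0.1.10", "10.0.2.22", "modbus", 248),
    ("10.0.1.10", "10.0.2.22", "modbus", 252),
    ("10.0.1.11", "10.0.2.21", "modbus", 244),
]

def learn_baseline(sessions, tolerance=0.25):
    """Self-learning phase: record the known devices, the (src, dst, protocol)
    pairs that actually communicate, and the bytes-per-session range of each
    pair, widened by a tolerance margin so normal jitter is not flagged."""
    pairs = {}
    for src, dst, proto, nbytes in sessions:
        lo, hi = pairs.get((src, dst, proto), (nbytes, nbytes))
        pairs[(src, dst, proto)] = (min(lo, nbytes), max(hi, nbytes))
    widened = {}
    for key, (lo, hi) in pairs.items():
        margin = max(hi - lo, 1) * tolerance  # widen very narrow ranges a little too
        widened[key] = (int(lo - margin), int(hi + margin))
    devices = {host for src, dst, _ in widened for host in (src, dst)}
    return {"devices": devices, "pairs": widened}

def classify_session(baseline, session):
    """Detection phase: None if the session fits the baseline, otherwise the
    reason it is out of range (checked from most to least severe)."""
    src, dst, proto, nbytes = session
    if src not in baseline["devices"] or dst not in baseline["devices"]:
        return "unknown device"
    limits = baseline["pairs"].get((src, dst, proto))
    if limits is None:
        return "unexpected pair or protocol"
    if not limits[0] <= nbytes <= limits[1]:
        return "data volume outside baseline"
    return None

def detect(baseline, sessions):
    """Run the detector over a batch and return the anomalous sessions with reasons."""
    findings = []
    for session in sessions:
        reason = classify_session(baseline, session)
        if reason:
            findings.append((session, reason))
    return findings
```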
b) Detecting anomalies in the communication protocol within the ICS network
Identify error messages caused by unsupported codes or unavailable addresses, and detect incorrect protocol formats. Your IDS should be capable of distinguishing a protocol error from a cyber-attack. Such an attack might start with a reconnaissance phase in which the attacker scans your system. Since the attacker may not know which protocol is used, detecting such an anomaly may indicate that something has happened.
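The distinction between a stray protocol error and a reconnaissance scan, as an added example that is not from the article, using Modbus/TCP exception responses (illegal function and illegal data address are the standard exception codes 0x01 and 0x02); the frames, requester addresses and threshold are constructed assumptions:

```python
from collections import defaultdict

# Modbus exception codes matching the "unsupported code" and "unavailable
# address" error messages described above.
ILLEGAL_FUNCTION = 0x01
ILLEGAL_DATA_ADDRESS = 0x02

def parse_modbus_tcp_response(frame):
    """Parse a Modbus/TCP response (7-byte MBAP header + PDU). Returns the unit
    id, function code and exception code (None for a normal response)."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header + function code")
    proto_id = int.from_bytes(frame[2:4], "big")
    length = int.from_bytes(frame[4:6], "big")
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")  # incorrect protocol format
    unit, fc = frame[6], frame[7]
    if fc & 0x80:  # exception responses set the high bit of the function code
        return {"unit": unit, "function": fc & 0x7F, "exception": frame[8]}
    return {"unit": unit, "function": fc, "exception": None}

def scan_verdict(responses, threshold=3):
    """responses: (requester_ip, frame) pairs seen in one observation window.
    A couple of rejected requests from a host are a protocol error; rejections
    spread over several function codes or units from one host look like a scan."""
    probes = defaultdict(set)
    for src, frame in responses:
        try:
            r = parse_modbus_tcp_response(frame)
        except ValueError:
            probes[src].add(("malformed", None))
            continue
        if r["exception"] in (ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS):
            probes[src].add((r["function"], r["unit"]))
    return {src: "scan suspected" if len(p) >= threshold else "protocol error"
            for src, p in probes.items()}

def mbap(tid, unit, pdu):
    """Build a Modbus/TCP frame around a PDU (used only for the sample below)."""
    header = tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big")
    return header + bytes([unit]) + pdu

# Constructed sample window (hypothetical addresses, not from the article).
SAMPLE_RESPONSES = [
    ("10.0.1.10", mbap(1, 1, bytes([0x03, 0x02, 0x00, 0x0A]))),  # normal read reply
    ("10.0.1.10", mbap(2, 1, bytes([0x83, 0x02]))),  # a single illegal address
    ("10.0.1.77", mbap(3, 1, bytes([0x81, 0x01]))),  # illegal function 0x01
    ("10.0.1.77", mbap(4, 2, bytes([0x83, 0x02]))),  # illegal address, unit 2
    ("10.0.1.77", mbap(5, 3, bytes([0x83, 0x02]))),  # illegal address, unit 3
]
```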
c) Detecting anomalies in process commands sent across the ICS network
Attackers may try to damage the system by sending unusual, high-risk commands (e.g. a temperature increase) based on what they managed to learn during the reconnaissance phase. A correctly designed ICS, built with operating safety in mind, should protect itself from such commands (no matter where they are initiated), which are aimed at damaging the process or the machinery. The ICS must turn itself to a fail-safe condition.
d) Detecting anomalies in process conditions within the ICS network
The attacker or the attacking process must reach the PLC controlling the critical process (exactly what happened in the Stuxnet attack in 2010). In order to prevent damage to the machinery, the IDS must detect whether the operating condition of the machinery, monitored through several field sensors, is within the safe and normal boundary. Some of the IDS available on the market monitor these critical sensors.
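Methods c) and d) together, as an added example that is not from the article: a high-risk setpoint command is vetted against the safe envelope before it reaches the process, and field-sensor readings are classified against the normal and safe boundaries with a fail-safe trip decision. The tag names, envelopes and values are constructed assumptions.

```python
# Constructed safe/normal envelopes for a hypothetical boiler loop (not from
# the article): tag -> (normal_low, normal_high, safe_low, safe_high).
LIMITS = {
    "boiler_temp_c": (60.0, 85.0, 40.0, 95.0),
    "drum_pressure_bar": (8.0, 12.0, 5.0, 15.0),
}

def _band(tag, value):
    """'normal', 'abnormal' (between the normal and safe bounds) or
    'unsafe' (outside the safe envelope) for a value of this tag."""
    n_lo, n_hi, s_lo, s_hi = LIMITS[tag]
    if not s_lo <= value <= s_hi:
        return "unsafe"
    if not n_lo <= value <= n_hi:
        return "abnormal"
    return "normal"

def check_command(tag, new_setpoint):
    """Method c): vet a setpoint write before it reaches the process. A setpoint
    outside the safe envelope is a high-risk command and is rejected no matter
    where it came from; an unusual but safe one is allowed and alarmed."""
    return {"unsafe": "reject", "abnormal": "alert", "normal": "accept"}[_band(tag, new_setpoint)]

def check_reading(tag, value):
    """Method d): classify a field-sensor reading; outside the safe boundary the
    machinery must be driven to its fail-safe state."""
    return {"unsafe": "fail-safe", "abnormal": "warning", "normal": "normal"}[_band(tag, value)]

def evaluate_cycle(commands, readings):
    """One scan cycle: commands are (tag, setpoint), readings are (tag, value).
    Returns the findings worth alarming and whether a fail-safe trip is due."""
    findings = []
    for tag, setpoint in commands:
        verdict = check_command(tag, setpoint)
        if verdict != "accept":
            findings.append((tag, "command", verdict))
    for tag, value in readings:
        verdict = check_reading(tag, value)
        if verdict != "normal":
            findings.append((tag, "reading", verdict))
    # The article calls for the ICS to go to a fail-safe condition both for a
    # damaging command and for a process condition outside the safe boundary.
    trip = any(v in ("reject", "fail-safe") for _, _, v in findings)
    return findings, trip
```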
Careful cyber defense process
In addition to the functions fulfilled by the IDS, ICS experts take multiple steps in order to detect unusual conditions and prevent damage. However, these steps, involving software updates at the PLC and HMI levels, modifying the application program, etc., must be taken very carefully. The reason for this is that every software or hardware modification or change in the system might lead to unstable operation of the ICS.
System owners should act carefully and make sure that, prior to taking any action, they have a rescue plan that allows them to restore the system to its original condition prior to the changes. They must have the most skilled resources available on site, with specific knowledge of their ICS. Strong cyber defense is achievable through adherence to the PPT triad (People-Processes-Technologies). The anomaly-behavior IDS is one among several effective methods for achieving operating Safety, Reliability and Productivity (SRP).
About Daniel Ehrenreich
Daniel Ehrenreich, BSc., is a consultant and lecturer at Secure Communications and Control Experts; he periodically teaches in colleges and presents at industry conferences on the integration of cyber defense with industrial control systems. Daniel has over 27 years of engineering experience with ICS for electricity, water, gas and power plants as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as the Chairman for the ICS Cybersec 2019 conference taking place on 16-9-2019 in Israel and for the Asia ICS Cyber Security conference taking place in Singapore on 7-11-2019.