Why do offshore networks need SCADA security with Deep Packet Inspection (DPI)?
Let me give you some context. The critical systems managing production and safety on offshore platforms are largely based on legacy SCADA and Industrial Control System (ICS) products and protocols. Many of these products are decades old and were never designed with security in mind. Yet nowadays they are connected to other systems using Ethernet and TCP/IP. That has been great for efficiency but it exposes mission critical production systems to malware.
Attendees learn about Belden’s products for high availability offshore networks at OTC 2013.
Given the 20 year life cycle common for industrial systems, it will be many years before more secure SCADA and ICS devices and protocols are in widespread use. This leaves thousands of legacy platform control systems open to attack from even the most inexperienced hacker, who can then disable or destroy most industrial controllers. Securing these systems requires using advanced technology that compensates for their limitations.
The difficulty with legacy SCADA / ICS protocols is that they have no granularity. A data read message looks EXACTLY like a firmware update message.
Thus if you allow data read messages, from an HMI to a PLC, to pass through a traditional firewall you are also allowing programming messages to pass through. This is a serious security issue.
You are faced with an impossible choice – keep the messages flowing that make the system run but expose it to malware, or block everything out. Since shutting systems down is not an option, accepting high risk has been the course taken by many. In a post-Macondo (Deepwater Horizon) world, this is not acceptable.
So what can an engineer do about this? Well, fortunately there is a solution.
The solution is a firewall that can dig deep into industrial protocols to understand what a message is being used for. This is beyond the capability of IT firewalls and is called Deep Packet Inspection.
Here’s how it works; after traditional firewall rules are applied, the DPI firewall inspects the content of messages and applies more detailed rules. For example, it determines if a Modbus message is a read or a write message and then drops all write messages.
In addition, good DPI firewalls can also “sanity check” traffic for strangely formatted messages or unusual behaviours (such as 10,000 reply messages in response to a single request message). These sorts of abnormal messages can indicate traffic created by a hacker trying to crash a PLC and need to be blocked.
An example of a Modbus DPI firewall is the EAGLE Tofino Modbus TCP Enforcer, a product that uses patented technology from our Tofino Security brand for DPI. A White Paper explaining DPI in detail, and providing a case study of its use, is available for download at the end of this article.
Tofino Security’s Deep Packet Inspection for industrial protocols and Hirschmann’s zero failover RSP Switches on display at OTC 2013. These products work together to provide high availability offshore networks.
According to our cyber security expert, Eric Byres, five years ago he would have said that DPI is just a nice-to-have capability. Now, however, today’s generation of worms make it a must-have technology if you want a secure ICS or SCADA system.
The reason is that this today’s malware designers know that firewalls and intrusion detection systems will spot the use of an unusual protocol instantly. They know that if the protocols on a network are normally HTTP (i.e. web browsing), Modbus and MS-SQL (i.e. database queries) then the sudden appearance of a new protocol will put the smart system administrator on his or her guard.
Thus worm designers work to stay under the radar by hiding their network traffic inside protocols that are already common on the network they are attacking. For example, many worms now hide their outbound communications in what appear to be normal HTTP messages.
Even if you suspected something was wrong, you would be stuck if all you had was a normal firewall. The simple blocking of all Modbus traffic would impact production. Without tools to inspect the contents of messages and block suspicious traffic (i.e. deep packet inspection), your hands would be tied.
DPI technology is a very powerful tool in the security tool box. It allows the engineer to block the bad stuff, yet avoid needless impact on the control system. Without it, the designers of modern worms clearly have the upper hand.
Last week I discussed how our cyber security products work hand-in-hand with our zero failover switches to provide high availability networks. For those of you attending OTC I encourage you to visit Belden at booth 7236 and see for yourself how our cable, connectors, switches and cyber security products work together to provide safe, secure, reliable offshore production.
In order to stay ahead of the bad guys, DPI has become a must-have in industrial firewalls. How is this affecting your ICS security plans?