Deep Packet Inspection (DPI) is important for the future of SCADA / ICS security - and in this article I explain why.


DPI SCADA Security: Reviewing the Basics

In Part 1 of this series I explained DPI technology in detail. To review: a traditional IT firewall examines only the Ethernet and TCP/IP headers of the messages it sees (MAC addresses, IP addresses, port numbers) and decides whether to allow or block each message on that limited information alone.

DPI technology lets the firewall dig into the SCADA protocol that sits on top of TCP/IP and Ethernet. The firewall can then determine what the SCADA message is actually asking the device to do, such as read a value, write an output or change the controller's program, and make a far better decision about what should be allowed or blocked.

The example I gave in the last article was the seaway management company that used Tofino Modbus DPI firewalls[1] to protect the PLCs running its canal locks and bridges. By blocking all Modbus write messages (and programming messages) while allowing Modbus data read messages, the company improved the safety of the canal system for both the ships in the canals and the public using the drawbridges at the locks.
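To make the canal-lock policy concrete, here is an added example (my own illustration, not Tofino's code or configuration) of the inspection a Modbus DPI rule performs: it parses the Modbus/TCP MBAP header and function code, validates the framing, and allows only the public data-read function codes through to the PLC. The function-code names come from the Modbus Application Protocol specification; the sample frames are constructed, and function code 90 stands in for a hypothetical vendor-specific programming code.

```python
import struct

# Public Modbus function codes (Modbus Application Protocol Specification V1.1b3).
READ_FUNCS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


class ModbusParseError(ValueError):
    pass


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU (MBAP header + PDU) and sanity-check it.

    A DPI firewall must validate framing before it trusts the function code:
    a wrong length or protocol id is either corruption or an attempt to
    confuse the inspector, and is dropped rather than guessed at.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ModbusParseError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0:
        raise ModbusParseError(f"protocol id {proto_id} is not Modbus (0)")
    # The MBAP length field counts the unit id plus the whole PDU.
    if length != len(frame) - 6:
        raise ModbusParseError(f"MBAP length {length} != {len(frame) - 6} bytes on the wire")
    fc = frame[MBAP_LEN]
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[MBAP_LEN + 1:]}


def classify(fc: int) -> str:
    """Map a function code to what it asks the PLC to do."""
    if fc & 0x80:
        return "exception-response"
    if fc in READ_FUNCS:
        return "read"
    if fc in WRITE_FUNCS:
        return "write"
    # Diagnostics (8), the user-defined ranges (65-72, 100-110) and vendor
    # codes used for PLC programming all land here; none is "just a read".
    return "other"


def read_only_policy(frame: bytes) -> tuple:
    """Decision for a frame travelling from the HMI/workstation side to the PLC."""
    try:
        msg = parse_modbus_tcp(frame)
    except ModbusParseError as err:
        return ("BLOCK", f"malformed: {err}")
    kind = classify(msg["fc"])
    if kind == "read":
        return ("ALLOW", f"fc {msg['fc']} ({READ_FUNCS[msg['fc']]}) to unit {msg['unit']}")
    return ("BLOCK", f"fc {msg['fc']} is a {kind}, not a data read")


def build_adu(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames; not captured from any real control system.
SAMPLES = {
    "read_holding_regs": build_adu(1, 1, 3, struct.pack(">HH", 0, 10)),
    "write_single_coil": build_adu(2, 1, 5, struct.pack(">HH", 7, 0xFF00)),
    "write_multi_regs": build_adu(3, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01"),
    "vendor_fc_90": build_adu(4, 1, 90, b"\x00\x00"),  # hypothetical vendor/programming code
    "truncated_read": build_adu(5, 1, 3, struct.pack(">HH", 0, 10))[:9],
}


def decisions() -> dict:
    return {name: read_only_policy(frame)[0] for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:18} {read_only_policy(frame)}")
```

Note that the write to coil 7 and the read of ten holding registers are indistinguishable to a port-based firewall: both are TCP/502 from the same workstation to the same PLC. Only the function code, one byte past the MBAP header, separates "look at the gate position" from "open the gate", and only a truncated-frame check stops an attacker from slipping a short or mislabelled frame past a naive inspector.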

Why New Malware Demands DPI Technology

Five years ago I would have said that DPI was a nice-to-have capability. Now, thanks to the current generation of malware such as Stuxnet, Duqu and Conficker, it is a must-have technology if you want a secure ICS or SCADA system.

Today's malware designers know that firewalls and intrusion detection systems can flag the use of an unusual protocol immediately. If the protocols on a network are normally HTTP (web browsing), Modbus and MS-SQL (database queries), the sudden appearance of a new protocol puts an alert system administrator on guard.

So worm designers stay under the radar by hiding their traffic inside protocols that are already common on the network they are attacking. For example, many worms now disguise their outbound command-and-control traffic as ordinary HTTP requests.

Stuxnet is a particularly good example of this covert use of otherwise innocent protocols. It made heavy use of Microsoft Remote Procedure Call (RPC, the Windows implementation of DCE/RPC) both to infect new victims and for peer-to-peer (P2P) communication between infected machines.

Figure 1: Stuxnet spread many ways, including using the protocol RPC as a vector.

RPC is an ideal protocol for SCADA and ICS attacks because it is used for so many legitimate purposes in modern control systems. For example, the dominant industrial integration technology, OPC Classic, is built on DCOM, and DCOM in turn runs over RPC, so RPC traffic must be allowed wherever OPC Classic is in use.

Furthermore, control system servers and workstations are routinely configured to share files or printers using the Microsoft SMB protocol, and the Windows services behind those shares (the server service, the print spooler) expose RPC interfaces whose traffic is largely carried inside SMB named pipes, so the two protocols are intertwined on the wire. Perhaps most relevant to this example, Siemens PCS 7 control systems make extensive use of a proprietary messaging technology that travels over RPC. So if you were an administrator watching network traffic on a Stuxnet-infected network, all you would see is a little more RPC traffic than usual, hardly a cause for alarm.

Even if you suspected something was wrong, you would be stuck if all you had was a conventional firewall. Simply blocking all RPC traffic would almost certainly cause a self-induced denial of service across your entire plant, since OPC, file sharing and the vendor's own messaging would all stop. Without a tool that inspects the contents of RPC messages and blocks only the suspicious ones, that is, deep packet inspection, your hands would be tied.
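To show what inspecting "the contents of RPC messages" means in practice, here is an added example (my own illustration, not from the article, Tofino or Siemens) that parses connection-oriented DCE/RPC bind requests and allows a bind only when every interface UUID it proposes is on an allow-list. The allow-list of three DCOM infrastructure interfaces is an assumed sketch of what an OPC Classic deployment might permit, not a complete policy; the unknown interface UUID and all sample PDUs are constructed.

```python
import struct
import uuid

PTYPE_REQUEST = 0x00
PTYPE_BIND = 0x0B
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax, v2

# Assumed allow-list for illustration: the DCOM plumbing interfaces an OPC
# Classic client needs to reach a server. A real policy adds the OPC server's
# own interfaces and the plant's other sanctioned RPC services.
ALLOWED_INTERFACES = {
    uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa"): "Endpoint Mapper",
    uuid.UUID("99fcfec4-5260-101b-bbcb-00aa0021347a"): "IOXIDResolver",
    uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"): "IRemoteActivation",
}


class RpcParseError(ValueError):
    pass


def parse_pdu(pdu: bytes) -> dict:
    """Parse the DCE/RPC common header and, for a bind PDU, the presentation
    contexts (interface UUID + version) the client proposes to bind."""
    if len(pdu) < 16:
        raise RpcParseError("short common header")
    ver, ptype = pdu[0], pdu[2]
    if ver != 5:
        raise RpcParseError(f"unexpected RPC major version {ver}")
    end = "<" if pdu[4] & 0x10 else ">"  # data representation: 0x10 = little-endian integers
    frag_len, auth_len, call_id = struct.unpack(end + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise RpcParseError(f"frag_length {frag_len} != {len(pdu)} bytes present")
    result = {"ptype": ptype, "call_id": call_id, "contexts": None}
    if ptype != PTYPE_BIND:
        return result
    if len(pdu) < 28:
        raise RpcParseError("short bind body")
    n_ctx = pdu[24]  # max_xmit (2), max_recv (2), assoc_group (4), then the context count
    off, contexts = 28, []
    for _ in range(n_ctx):
        if len(pdu) < off + 24:
            raise RpcParseError("truncated presentation context list")
        ctx_id, n_ts = struct.unpack(end + "HB", pdu[off:off + 3])
        raw = pdu[off + 4:off + 20]
        if_uuid = uuid.UUID(bytes_le=raw) if end == "<" else uuid.UUID(bytes=raw)
        (if_ver,) = struct.unpack(end + "I", pdu[off + 20:off + 24])
        contexts.append((ctx_id, if_uuid, if_ver & 0xFFFF, if_ver >> 16))
        off += 24 + 20 * n_ts  # skip the transfer-syntax entries (uuid + version each)
    result["contexts"] = contexts
    return result


def rpc_bind_policy(pdu: bytes) -> tuple:
    """Allow a bind only if every interface it proposes is on the allow-list."""
    try:
        msg = parse_pdu(pdu)
    except RpcParseError as err:
        return ("BLOCK", f"malformed: {err}")
    if msg["ptype"] != PTYPE_BIND:
        # Requests are judged against the association the bind created;
        # that per-connection state is outside this snippet.
        return ("DEFER", f"ptype {msg['ptype']} decided by association state")
    for ctx_id, if_uuid, major, minor in msg["contexts"]:
        if if_uuid not in ALLOWED_INTERFACES:
            return ("BLOCK", f"context {ctx_id} binds unknown interface {if_uuid} v{major}.{minor}")
    names = ", ".join(ALLOWED_INTERFACES[c[1]] for c in msg["contexts"])
    return ("ALLOW", f"bind to {names}")


def build_bind(call_id: int, interfaces) -> bytes:
    """Assemble a little-endian bind PDU (used here only to construct sample traffic)."""
    body = struct.pack("<HHI", 5840, 5840, 0) + bytes([len(interfaces), 0, 0, 0])
    for ctx_id, (if_uuid, major) in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0) + if_uuid.bytes_le + struct.pack("<I", major)
        body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    header = bytes([5, 0, PTYPE_BIND, 0x03, 0x10, 0, 0, 0])
    return header + struct.pack("<HHI", 16 + len(body), 0, call_id) + body


UNKNOWN_IF = uuid.UUID("0a1b2c3d-0000-4000-8000-00000000beef")  # constructed, not a real interface

# Constructed sample PDUs; none are taken from a real capture or from Stuxnet.
SAMPLES = {
    "dcom_oxid_bind": build_bind(1, [(uuid.UUID("99fcfec4-5260-101b-bbcb-00aa0021347a"), 0)]),
    "unknown_if_bind": build_bind(2, [(UNKNOWN_IF, 1)]),
    "mixed_bind": build_bind(3, [(uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"), 0), (UNKNOWN_IF, 1)]),
    "truncated_bind": build_bind(4, [(UNKNOWN_IF, 1)])[:40],
}


def decisions() -> dict:
    return {name: rpc_bind_policy(pdu)[0] for name, pdu in SAMPLES.items()}


if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(f"{name:16} {rpc_bind_policy(pdu)}")
```

The decision turns on the interface being bound, not on the port: a worm can open an RPC connection that looks exactly like OPC traffic at the TCP level, but it cannot use its own interface without naming that interface's UUID in the bind, and that is where a DPI firewall can refuse it while leaving DCOM, file sharing and the vendor's messaging untouched. A production engine also tracks each association so that later request PDUs are matched to the context the bind established, and handles fragmented and authenticated binds, which this sketch does not.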

Deep Packet Inspection Provides Fine-Grained Security

DPI technology is a powerful tool in the security toolbox. It lets the engineer block the bad traffic while avoiding needless impact on the control system. Without it, the designers of modern worms clearly have the upper hand.

To stay ahead of the bad guys, DPI has become a must-have in industrial firewalls. How is this affecting your ICS security plans?