The communication method for devices operating inside industrial network segments (workstations, controllers, sensors etc.) relies more and more on protocols known from traditional IT networks such as Ethernet and/or IP.
The appearance and fast adoption of these basic protocols, the applications that are built on these protocols in IoT or industrial networks, and the fact that these networks become interconnected and have connections to traditional IT networks, opens perspectives for more efficient production, but also opens gates for potential new security risks: the threats and vulnerabilities that up until now have affected “only” the IT networks and the devices communicating on these infrastructure, suddenly become threats in traditionally isolated environments where successful external (or internal!) breaches or attacks may render plants partly or fully inoperable, in extreme cases may cause loss of human lives directly or indirectly.
Due to these concerns, it would be important to see what is happening in these ever-isolated networks that are usually seen as “black boxes”:
- What kind of devices reside in certain network segments?
- What are the relations between discovered devices, and their relations to the outside world?
- Which protocols are in use, and what kind information exchange is happening using these protocols?
- Are the operating systems and firmware versions of communicating devices vulnerable, if so, what are these vulnerabilities?
The analyzation, visualization and representation of collected data from such networks can be processed efficiently using a market leader vendor Nozomi Networks’ Guardian product family, completed by Keysight products, which is the scope of our presentation.
Collecting Data
An analyzer tool can be as efficient, as we can feed it continuously with as much data as possible. For collecting data, we have few options, e.g.: we can configure SPAN ports on network devices so that traffic is “mirrored” directly to the Guardian appliance, or we can insert network TAPs into selected network connections, collect the mirrored traffic from TAPs with a Packet Broker device, then forward the collected traffic to one or more analyzer tools even after applying on-demand filtering:
Depending on the physical architecture of certain network segments, mirroring, then collecting, selectively or completely forwarding network data to Nozomi Guardian appliances using Packet Brokers and network TAPs can be reliably and simply achieved by Keysight’s (formerly known as Ixia) devices:
After data could be transferred to Guardian, continuous analyzation, visualization of data and alarm processing can be started.
Presentation of the Demo environment
We demonstrate the capabilities of Guardian using a virtual appliance that is installed into Kontron ’s demo environment and using anonymized, but real network traffic included in PCAP files provided by the vendor, which is loaded into the system. As we will see, surprisingly large amount of information can be extracted from even a single PCAP file with a size of just 8 MBytes.
Overview of the system based on the replayed PCAP file:
The first alarms:
The logical topology of the discovered system is dynamically changing depending on the live data received:
After zooming in, we can clearly see the communication paths and protocols:
The discovered asset list:
A PC running Windows XP operating system is a hotbed for vulnerabilities:
The vulnerabilities of the device can be listed. Detailed explanations of each vulnerability with references can also be accessed:
Properties of a device in production environment
Overview of the device:
Vulnerabilities of the device:
Guardian identified that the device is communicating via modbus protocol:
Guardian can analyze, interpret and visualize the communication of different industrial protocols. In this case below, the host was communicating via modbus protocol, and during this communication, certain register values of the device were read out by another host. The read-out values are also presented:
These values can be accessed historically, and any deviation from baseline may trigger an alarm in the system. Nozomi gained advantage in the beginning by understanding industrial protocols more extensively and more deeply than its competitors, also, the processed information was presented in a simple, but spectacular view. The signatures of different attacks and protocols, the behavioral characteristics of certain devices are continuously maintained and updated, and if needed, reverse engineered by Nozomi’s Labs department, then built-in to system updates.
Nozomi’s currently well-known industrial protocols are listed in the following document.
Example for an incident visualization
Information generated by an intercepted communication of Dragonfly 2 in Guardian:
Guardian is looking for connections between distinct events, and if the built-in intelligence finds one, then it correlates them into a single event. In the example above, the occurrence and timing sequence of certain 4 distinct events resulted in the identification of a threat named Dragonfly 2. Devices and networks that were involved in the communication are also presented.
Remediation options, possible integration with firewalls and SIEM systems
It is possible to integrate Guardian with firewalls, so that Guardian may initiate to block certain types of communication through the firewalls in place, e.g.: by installing a blocking policy. Currently supported firewalls are the following:
In the example below, if we pair Guardian with a FortiGate v6 firewall, the following remediation actions would be available:
Integration with SIEM systems is also possible. Below example shows the configuration elements when pairing with IBM’s QRadar solution:
Reporting options
Guardian has a built-in reporting system, by which the up-to-date asset list, the potential vulnerabilities of the assets, and the properties of the last 10 alarms can be overviewed. The generation of the reports can be scheduled or can be generated on demand, the format and the contents are also customizable up to a certain level.
Types of Guardian appliances
Depending on the number of monitored nodes, the generated throughput of the monitored systems and depending on unique characteristics of the nodes, different physical and virtual appliances are available for monitoring. Also, standalone Guardian appliances can be organized under a single Central Management Console appliance, which provides a single pane of glass management for all Guardians, making it a simple to manage and highly scalable solution.
It is worthwhile and very simple to test the capabilities of Guardian within a PoC by using few prerecorded .pcap files that are loaded up, then replayed. It is simple, quickly achievable and produces valuable information in minutes. In cooperation with the Vendor, we can provide consultancy and a demo license for a virtual Guardian appliance.
Kontron maintains close partnership with both Nozomi and Keysight, thus able to plan and implement a complete Visibility solution for our interested customers.