Erik Hjelmvik, Thursday, 30 August 2012 12:03:00 (UTC/GMT)
A great way to enable digital forensics of control system networks is to implement network security monitoring. Captured network traffic is a valuable source of evidence when reconstructing an attacker's steps as they attempt to hack a SCADA system. The newly added support for the IEC-104 protocol in NetworkMiner also allows investigators and incident responders to see what commands the attacker sent to the control system.
We at Netresec recently announced the release of NetworkMiner 1.4, which comes with a parser for the SCADA protocol IEC 60870-5-104 (aka IEC-104). Bringing this Industrial Control System (ICS) protocol into NetworkMiner is a first step towards supporting forensics of compromised ICS networks. The traffic from ICS networks does, of course, need to be captured (sniffed) in order to support network forensics; we are strong supporters of such network monitoring for ICS networks (read our “Monitor those Control System Networks” blog post for more details).
Why monitor ICS networks?
Computer forensics typically involves performing forensic analysis of hard disks.
Disk forensics is very effective when analyzing a hard drive from a PC (like an operator workstation),
but far more complicated when it is an embedded device like a PLC or RTU that is to be analyzed.
In regard to what was believed to be a hacked SCADA system at a water facility in Illinois, David Marcus from McAfee said:
“My gut tells me that there is greater targeting and wider compromise than we know about.
Why? Again, my instincts tell me that there is a lack of cyber forensics and response procedures at most of these facilities.
If you do not have cyber forensic capabilities, it is hard to know if you have a cyber intrusion.”
Even though the hack was later shown to be a false alarm, David's point about the lack of digital forensics and incident response capabilities for this type of critical infrastructure still holds true.
Joe Weiss also
commented on the same story saying:
“We don't know how many other SCADA systems have been compromised because they don't really have cyber forensics.”
As Joe and David say, the ability to perform digital forensics in SCADA systems is truly lacking today. Our purpose with this blog post is to inform control system operators that forensic data/evidence can easily be collected from ICS/SCADA systems by implementing a simple network monitoring solution with full packet capture.
How to monitor ICS networks
The SCADA network diagram below has been sectioned into multiple security zones according to the
zoning principle published by
Jens Z, Iiro and me at
CIRED 2009 (our zones align nicely with
ISA-99 security Levels by the way).
The purple octagons represent interconnections between zones.
Each such interconnection should be secured with perimeter protection, typically by a firewall,
but we additionally argue that all network traffic passing through should be captured and stored as
pcap files.
Storing all network traffic this way makes it possible to perform network forensics on the network traffic
after an intrusion is believed to have taken place.
We recommend a very simple setup, where a network tap is used to provide a copy of all traffic to a sniffer.
An acceptable alternative to buying a network tap is to configure a monitor / SPAN port on a switch
(see our sniffing tutorial
“Intercepting Network Traffic”
for more details on how to choose sniffing hardware).
Our recommended solution for the sniffer is to install FreeBSD with dumpcap
(part of the net/tshark ports package).
An even easier solution is to install Doug Burks’
Security Onion, which is a Linux distro built especially for
network security monitoring.
More about configuring a sniffer can be found in our second sniffing tutorial titled
“Dumping Network Traffic to Disk”.
Analyzing captured IEC 104 traffic
Let’s assume the file
090813_diverse.pcap from pcapr
contains network traffic from a suspected security breach at a hydro-power plant.
Let’s also assume that parameter 4821 (i.e. IOA 4821 in IEC-104 language) controls the floodgates of the plant’s dam,
where setting a value greater than 0% for this parameter would mean opening the floodgates.
By loading the pcap file into NetworkMiner and selecting the “parameters” tab we can see a nice log
of all IEC-104 communication.
NOTE: We’ve hidden several fields (like IP, port, time etc) in the screenshot above in order to make it fit.
The following timeline can be extracted from the list of events provided by NetworkMiner:
- Frame 154 - The attacker sends a command to set IOA 4821 to 50.354%
- Frame 156 - The RTU confirms the request
- Frame 162 - The RTU reports that the requested command has been successfully completed, i.e. the floodgates are now open!
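To show what the parameters tab is reconstructing from the wire, here is an added example (not code from NetworkMiner or from the original post): a minimal Python decoder for IEC-104 APDUs, run over a constructed three-frame exchange that mirrors the timeline above. The frame numbers, the common address of 1 and the normalized value 16500 (which encodes 50.354 % of full scale) are assumptions made for this example, not values taken from the pcap file.

```python
import struct

# Cause of transmission (COT) codes that make up a command's life cycle in IEC 60870-5-104.
COT = {6: "activation", 7: "activation confirmation", 10: "activation termination"}
TYPES = {48: "C_SE_NA_1 set-point (normalized value)"}  # the command type decoded here

def parse_apdu(data: bytes) -> dict:
    """Decode one IEC-104 APDU (APCI + ASDU) into the fields an investigator cares about."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 != len(data):
        raise ValueError("not a well-formed IEC-104 APDU")
    c = data[2:6]
    if c[0] & 0x01:                       # S- or U-format: flow control only, no ASDU
        return {"format": "U" if c[0] & 0x02 else "S"}
    asdu = data[6:]
    if len(asdu) < 9:                     # 6-byte ASDU header plus a 3-byte IOA
        raise ValueError("ASDU truncated")
    r = {"format": "I", "tx_seq": (c[0] >> 1) | (c[1] << 7), "rx_seq": (c[2] >> 1) | (c[3] << 7),
         "type_id": asdu[0], "type": TYPES.get(asdu[0], f"type {asdu[0]}"), "cot": asdu[2] & 0x3F,
         "cause": COT.get(asdu[2] & 0x3F, f"cot {asdu[2] & 0x3F}"), "negative": bool(asdu[2] & 0x40),
         "common_address": struct.unpack_from("<H", asdu, 4)[0], "ioa": int.from_bytes(asdu[6:9], "little")}
    elem = asdu[9:]
    if asdu[0] == 48 and len(elem) >= 3:  # NVA: signed 16-bit, 32768 = 100 % of full scale
        r["percent"] = round(struct.unpack_from("<h", elem)[0] * 100 / 32768, 3)
        r["select"] = bool(elem[2] & 0x80)  # QOS S/E bit: 1 = select, 0 = execute
    return r

def build_apdu(tx: int, rx: int, asdu: bytes) -> bytes:
    return bytes([0x68, 4 + len(asdu)]) + struct.pack("<HH", tx << 1, rx << 1) + asdu

def cmd_asdu(cot: int) -> bytes:
    # type 48, one object, given COT, originator 0, common address 1, IOA 4821, NVA 16500, QOS execute
    return bytes([48, 1, cot, 0, 1, 0]) + (4821).to_bytes(3, "little") + struct.pack("<h", 16500) + b"\x00"

# Constructed frames mirroring the post's timeline (frame numbers and addresses are illustrative).
FRAMES = [(154, "master->RTU", build_apdu(0, 0, cmd_asdu(6))),
          (156, "RTU->master", build_apdu(0, 1, cmd_asdu(7))),
          (162, "RTU->master", build_apdu(1, 1, cmd_asdu(10)))]

def command_timeline(frames) -> list:
    """One line per command-related I-frame, in the spirit of NetworkMiner's parameters tab."""
    lines = []
    for no, direction, apdu in frames:
        p = parse_apdu(apdu)
        if p["format"] != "I" or p["cot"] not in COT:
            continue
        val = f" = {p['percent']}%" if "percent" in p else ""
        lines.append(f"Frame {no} {direction}: {p['cause']} of {p['type']} on IOA {p['ioa']}{val}")
    return lines
```

Running `command_timeline(FRAMES)` yields the activation, confirmation and termination lines for IOA 4821; a write to a sensitive IOA from an unexpected source address is exactly the kind of event a monitoring rule on this data would flag.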
More ICS protocols
Would you like to see more ICS protocols in
NetworkMiner?
We’d be happy to implement protocols like DNP3, MODBUS, ICCP,
Siemens S7,
IEC 61850, etc. if you can provide us with captured network traffic!
Please send an email to info[at]netresec.com if you are interested!
Tags: #Forensics #ICS #SCADA #control system #Network #Sniff #Capture #Monitor #IEC-104 #60870-5-104 #pcap