Mitigating availability problems in the industry

Availability is one of the pillars around which all industrial processes revolve. The loss of communications or the increase in their delay, would not only cause large financial losses, but anomalies may also occur in the working of devices. Abnormal behaviour should not appear, despite the fact that the plant operators or other employees from the organisations may be in situations that they have never dealt with. A clear example of this situation could be the case of a HMI that always shows the same information due to the fact that the communications are not getting to it correctly. In this case, there may be a denial of service to the devices that provide the information to the HMI so that this shows them graphically, thus preventing the information being sent.

An attacker may carry out other types of actions that cause denials of service with the aim of preventing legitimate users from accessing industrial devices, whether temporarily or permanently. One of the most common methods that causes a denial of service involves saturating the device by means of sending a vast amount of requests with the aim of blocking responses or making these be carried out so slowly that the process is considered as inefficient.

Once the common steps to an attack that causes a denial of service are known, it is interesting to know the evolution that these attacks have been through and how they have affected industrial sectors in recent years. In order to have a more precise vision of this statistic, below there is a graph which gathers the warnings related to the weaknesses detected throughout the year which affected industrial devices or software.

Although the increase in these attacks has not been very notable, it must be taken into account that it is one of the highest percentages in the statistics. This percentage may be due to, among other factors, the evolution that attacks directed to the industrial sector are experiencing. The ransomware attacks directed at hospitals are a clear example of this, as they have caused problems with regards maintaining a state of normality within health services, in some cases, making the services provided at the hospital collapse.

DENIAL OF SERVICE ATTACKS

Below, some of the most well-known attacks that cause a denial of service in industrial control systems are described:

• PING of death: This type of attack that causes a denial of service is one of the oldest network attacks that exists. The theory of this attack lies in creating an IP datagram whose total size exceeds the authorised maximum (65,535 bytes). When a packet with these characteristics is sent to a system that contains a weak stack of TCP/IP protocols, this leads to the fall of the system causing the denial of service.

  For more information, go to the following link which contains examples that affected devices present in the industrial control systems. https://www.sans.org/reading-room/whitepapers/detection/denial-service-attacks-mitigation-techniques-real-time-implementation-detailed-analysi-33764

• UDP Flood Attack: This technique which causes a denial of service is very similar to ICMP flooding. The difference lies in the fact that in UDP, datagrams with different sizes are used. In this flood attack, the attacker sends a UDP packet to a random port of the victim. When the victim receives the packet, they verify that there is an application bugging that port. If this is not the case, it will respond with an ICMP Destination Unreachable packet. If enough UDP packets are delivered to enough of the victim's ports, the system will collapse and will not be capable of freeing resources in order to maintain its normal working.

  As an example of these attacks, the following warning published on the CERTSI web page can be viewed: https://www.certsi.es/alerta-temprana/avisos-sci/multiples-vulnerabilidades-productos-siemens-2

Other examples of attacks that cause denials of service due to the sending of malformed packets or the arbitrary code execution to industrial devices can be seen via the following links:

• https://www.certsi.es/alerta-temprana/avisos-sci/gestion-incorrecta-paquetes-simatic-s7-400-siemens
• https://www.certsi.es/alerta-temprana/avisos-sci/vulnerabilidad-el-servidor-web-codesys
• https://www.certsi.es/alerta-temprana/avisos-sci/multiples-vulnerabilidades-productos-siemens-2

Given some of the examples of attacks that cause denials of service at a network level, and bearing in mind the importance that availability has for the industrial sector, below it can be seen how the control of interruptions of a process of the uncontrolled loss of some communications, adding to the response time, pose a great challenge. In the case of critical interruptions, by controlling the stops, the importance falls back to the network protocols and the correct choice of these for the design of networks.

In the case of the uncontrolled loss of communication, the use of high availability environments or redundant environments could be thought of. The redundancy refers to complete nodes that are replicated or components of these, as well as methods or other network elements that are repeated and that can be used in the case of a system collapse, cyberattack, maintenance of the main network, etc. Linked to this, the high availability consists in the system's capacity to offer an active service for a determined percentage of time, or the capacity to recover this should there be a network failure.

It is important to take into account that high availability is not necessary for all types of systems, as not all require continuous access, although it is true that in the vast majority of industrial environments, high availability is needed. Likewise, an organisation that has redundant networks in its industrial environment enables, in the case of a stoppage due to a cyberattack, maintenance or any other situation, in addition to not stopping production, the redirecting of all work to the redundant part.

The use of firewalls in high availability or the redundancy of ring communication networks formed by a wealth of PLC devices, are measures that enable a high availability service to be given, but in the case of a DoS or DDoS attacks, what should we do?

Defence and Mitigation of DoS and DDoS Attacks.

One of the measures that is most used in industrial environments in order to prevent this and other different types of attacks is the application of the "Defence in Depth" strategy. This strategy is based on the application of a layered defence that combines "measures" in different areas in order to improve overall security.

In addition to this strategy, many network devices such as routers and switches now incorporate security measures in a native way against denial of service attacks on a network level. It is recommendable to correctly enable and configure these measures in order to increase the cybersecurity of our environment. Thanks to these good practices, the effectiveness of the previously mentioned attacks with their different variants, which cause denial of service, is greatly reduced. This does not mean that other actions that cause denial of service cannot be undertaken, but thanks to the incorporation of these security provisions, the mitigation capacity with regards to these and other possible attacks within the industrial network is increased.

Another option which enables for the attacks that cause denials of service attacks to be reduced is based on the use of secure configuration guides (hardening) for devices. The use of these configuration guides and the distribution of the features that industrial devices have enable different types of attacks to be avoided, including denials of service. In addition to secure configuration, a use of white lists in order to prevent some processes from generating a large consumption of resources in the devices may help to prevent performance problems.

An example of secure configuration following good practice at an industrial level could be the use of version 4, of the NTP protocol, if the device supports this version of the protocol and the monitoring of this service (port 123/UDP). There are different techniques such as using NTP servers to create denial of service and given that in the industrial world, the NTP server is an important asset, it should be a parameter to monitor in order to know that it is always working correctly.

Other security measures that may be applied in order to resolve attacks that cause denials of service, in this case more aimed at the IT world, although there is a place for many of them in the OT world, can be viewed in the article “Protection Measures against Denial of Service Attacks (DoS)”.

With regards to wireless communications in industrial environments, it must be taken into account that devices such as frequency inhibitors or attacks on WiFi networks and Bluetooth, etc. could create problems. In this case, it is important to take into account for the possible access by the company's employees to wireless networks, devices found within this and the range that they may have.

Conclusion

Although the denials of service translate into financial losses within industrial companies, these days there are mechanisms to prevent attacks being carried out that cause these service outages. Thus it is important to bear in mind:

• A good segmentation of the networks based on an in-depth defence strategy.
• A review of the configurations in devices, specifically industrial ones, activating and correctly configuring all their security capacities.
• The use of versions of protocols that incorporate security within their communications as much as possible (DNP3 secure, SNMPv3, OPC UA, etc.).
• A white list of the processes that are carried out in the industrial systems.
• Control of the scope of action that the wireless networks have.
• The application of security patches and updates published by the manufacturers.