Monitoring Networks and Events in SCIs: more Information, more Security

What is network monitoring?

Network monitoring is increasingly becoming one of the pillars of deep defence and even more so in the ambit of automation and control systems. Monitoring allows us to ascertain, among other things, behaviour in communications and to identify actions out of the ordinary, whether due to the type of traffic, the moment at which they take place or their volume. The monitoring process consists of the gathering, analysis and scaling of indicators and alerts to detect and respond to intrusions, although you can also see the way to find agents external to the network and to carry out the necessary actions before they damage the systems.

Some of the most important benefits this strategy could provide when applied correctly are:

• Detecting and correcting unusual behaviour: networks, especially in control systems, are very complex. A good monitoring system helps detect bad habits, shortcomings in capacity, services that consume network bandwidth and, of course, problem areas.
• Managing the quality of service accurately: the majority of monitoring tools allow for indicators to be created in visualizing the status of the service at configurable, pre-defined intervals.
• Fast and simple visualization: Almost anything can be represented on a graph, which allows for visual analysis of the correlation with a trained operator and checking at a glance that everything is running smoothly in network monitoring.

Network monitoring in control systems

The monitoring of the network and events is more effective at levels above the model proposed by ISA 95, that is, the levels of business. This is due to the absence of industrial protocols and the extension of a greater number of automated tools, in addition to availing of more standard platforms with better security capacities in their logs. But this does not mean that they are not useful at lower levels, but merely that they must be adapted to what each level offers:

• Company level: Standard equipment and servers with sufficient resources. Windows logs must be gathered, events from Syslog or security agents, the status of antimalware, whitelists and other security tools.
• Plant level: Often standard equipment, but with a specific and dedicated use. Operating system logs (both Linux and Windows) should be easily obtained and a security agent that offers more detail than other tools can also be installed without complications.
• Control level: These specific devices usually have certain shortcomings in terms of resources dedicated to security and information can only be obtained from existing logs.
• Network equipment: All the network protection systems must apply the maximum level of inspection possible, which means deep inspection of all control network traffic, thus identifying a greater number of significant events.

The application of the monitoring of the control systems must be based on different premises, other than those relating to the world of IT, as the information to be obtained is generally of lesser quantity and of less interest, in terms of security. Normally, an IT network monitoring tool used in control systems will provide indicators with low security values, but this does not mean that it is really so.

The focus on control systems must start with obtaining a known status that allows for the parametrization of network traffic and the events generated. This status should be created from the deployment tests of the systems (FAT and SAT) primarily, but also taking into account the subsequent changes and performing periodic tests where possible. The working method would consist of comparing the current level obtained through monitoring with the known status in search of deviations. These may include new traffic flows, flows that are executed in a way that is different from that expected or behavioural anomalies.

But network monitoring doesn't have to be a difficult or tedious task as complex algorithms are not necessary in networks where the traffic is very repetitive and the actions are fenced. What can be complicated is isolating the system traffic that you really want to analyse, but that is where the network protocol analysis tools like wireshark come into play. The measurement metrics are also simple and, observing parameters such as deviation and latency, we can reach important conclusions. It must be said that control system network monitoring can also be very complex, based on the level of depth and knowledge sought. If seeking a more detailed analysis, the internal analysis, curiosities and idiosyncrasies specific to each system will be a significant barrier. What's more, you must remember that it won't always be possible to get to the root of the problem, mainly because of the limitations of the architecture in real time, network performance problems and the lack of tools and techniques to investigate many problems.

Monitoring tools for control systems

Today, there are various tools that allow action to be taken as a response to a certain condition, as IDS/IPS systems have traditionally been, but there is also a proliferation of network monitoring tools that allow for more complex actions for certain "events" observed in the network.

Among the set of existing tools all types can be distinguished; specific or adapted from the world of IT, both free and pay, simple and complex, etc. Within this extensive range, we're going to highlight Security Onion (although there are many others such as Moloch with similar features), because it is a free solution that includes a large number of tools for managing and monitoring the network, including Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, Network Miner, etc.

Security Onion is a distribution that groups together a large number of free tools with the aim of monitoring anomalies and detecting security problems in a network, which allows for everything from capture and treatment up to the presentation of the information in indicators and graphics adaptable to the parameters needed by the operator, working like an NSM (Network Security Manager). The deployment is relatively simple and quick; it also includes the option of deploying Docker to further facilitate the task of integrating everything in one solution without having to deploy multiple applications in different machines. It also uses installation menus that allow us to configure all the tools at the same time. Their capacities can be easily implemented in an industrial system thanks to the possibilities of parametrization and the use of script languages in various components, which allows for the creation of own rules and conditions for the type of traffic and the behaviour of an industrial network.

Some of the main features of network monitoring related tools which are included in the distribution are:

• Suricata: Although in reality this is an IDS/IPS system, it allows us to also analyse captures of offline traffic. It also allows for the programming of new scripts that provide the power necessary for monitoring the anomalies of the network.
• Sguil: Network analysis tool for the operator that integrates the information collected from different sources to show it in the appropriate way. It allows us to associate traffic with an alert and also indicates potential traffic that might be related, even though not involved directly.

Conclusion

With the range of tools available, it is possible to implement network security analysers in control systems without greatly impacting operations. What's more, the expansion of OSINT, the sharing of information and indicators of compromise (IoC) are becoming more and more common in these environments. Nor is the size of the industry a problem, given that there are solutions capable of evaluating many events and that allow scalable solutions in accordance with the development of the company. Free tools will allow you to discover how the solutions work and the advantages provided by monitoring and commercial solutions provide the stability and support necessary in the industry. So what are you waiting for?