Using Free Tools To Detect Attacks On SCADA Networks

2015-05-09 14:28:25 | views: 738 | By Kelly Jackson Higgins

ICS/SCADA experts say open-source network security monitoring software is a simple and cheap way to catch hackers targeting plant operations.

Operators at Natanz nuclear facility in Iran might well have caught Stuxnet before it spread and sabotaged operations at the plant if they had been watching the wires for anomalous network traffic, a pair of ICS/SCADA experts say. Rob Caldwell and Chris Sistrunk of Mandiant, a FireEye company, say network security monitoring is a simple and inexpensive technique for detecting attack attempts against power plants and other ICS/SCADA environments. Various free open-source monitoring tools can help spot unusual file traffic or command and control communications.

"NSM would have caught" Stuxnet, says Sistrunk, senior consultant with Mandiant's ICS practice. It would have shown, for example, the infamous malware getting updated, he says.

"Any time a PLC gets a new code update, and if you were aware of your files, you could see that file go across the wire," he says.

Sistrunk and Caldwell, principal consultant with Mandiant, say network security monitoring also could catch the infamous Havex and BlackEnergy malware associated with attacks on ICS/SCADA networks, for example. The monitoring technique could be set to detect known indicators of compromise, says Caldwell, who with Sistrunk next week at the S4 Conference in Miami will school ICS/SCADA operators on the use of open-source NSM for their networks.

"We're really just trying to evangelize, getting folks to start looking at what's going in their [industrial] control systems. You can do all of this stuff with open source [tools] out there. And if you want to take advantage of automation and some GUIs, you can look at commercial software" as well, Caldwell says.

Passive network security monitoring isn't new to the traditional IT network space, and security experts such as Richard Bejtlich, chief security strategist for FireEye, have recommended it for some time as a key element to incident response. Sistrunk and Caldwell say it's a perfect fit for the ICS environment because it's non-intrusive, so there's no risk of it disrupting critical processes or operations.

"It all comes back to the premise … know your network," Caldwell says. That means watching the flows of traffic and knowing what's normal and what's not, and drilling down into what types of sessions and transactions occur, he says. "Not just looking at data, but at any extracted content, what kind of files are spreading around the network, and what Web pages are being hit or DNS servers are being resolved," he says.

"A network-centric point of view gives a lot of clues to tie into seeing if anything has been compromised," he says.

There are several open source network security monitoring tools; Caldwell and Sistrunk at S4 will demonstrate a set of tools from the open-source Security Onion Linux suite, including Wireshark, NetworkMiner, Bro, and Snorby, for network monitoring and intrusion detection.
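The "know your network" baselining that Caldwell describes, reduced to code, as an added example that is not from the article or from the Security Onion project: it learns the set of talker pairs and ports from a known-good window of Bro-style conn.log records and flags any later flow that falls outside that baseline. The log lines are constructed sample data and the column order is an assumption for the example.

```python
# Constructed sample flows in an assumed Bro conn.log column order
# (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service), tab-separated.
# Known-good window: two HMIs polling PLCs over Modbus/TCP, one DNS lookup.
BASELINE_LOG = """\
1431178800.1\tC1\t10.0.1.10\t49152\t10.0.2.20\t502\ttcp\tmodbus
1431178801.2\tC2\t10.0.1.10\t49153\t10.0.2.21\t502\ttcp\tmodbus
1431178802.3\tC3\t10.0.1.11\t49160\t10.0.2.20\t502\ttcp\tmodbus
1431178803.4\tC4\t10.0.1.10\t49170\t10.0.1.5\t53\tudp\tdns
"""

# Later window (constructed): one normal poll plus three flows not seen before.
LIVE_LOG = """\
1431265200.1\tC5\t10.0.1.10\t49200\t10.0.2.20\t502\ttcp\tmodbus
1431265201.2\tC6\t10.0.1.99\t50000\t10.0.2.20\t502\ttcp\tmodbus
1431265202.3\tC7\t10.0.1.10\t49201\t10.0.2.20\t445\ttcp\tsmb
1431265203.4\tC8\t10.0.2.20\t40000\t203.0.113.7\t443\ttcp\tssl
"""

def parse_conn(text):
    """Yield (orig_h, resp_h, resp_p, proto, service); skip blank and '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 8:
            continue
        yield (f[2], f[4], int(f[5]), f[6], f[7])

def learn_baseline(text):
    """Set of (orig_h, resp_h, resp_p, proto) observed during the known-good period."""
    return {(o, r, p, proto) for o, r, p, proto, _svc in parse_conn(text)}

def find_anomalies(baseline, text):
    """Return live records outside the baseline, each labelled with why it stands out."""
    hosts = {h for flow in baseline for h in (flow[0], flow[1])}
    alerts = []
    for o, r, p, proto, svc in parse_conn(text):
        if (o, r, p, proto) in baseline:
            continue                      # an expected conversation, e.g. HMI -> PLC:502
        if o not in hosts:
            reason = "new source host talking to the control network"
        elif r not in hosts:
            reason = "known host reaching a host never seen before (possible C2)"
        else:
            reason = "known hosts using a service not in the baseline"
        alerts.append({"orig": o, "resp": r, "port": p, "service": svc, "reason": reason})
    return alerts
```

On the constructed data the unknown HMI, the SMB session between two known hosts (the kind of path a PLC code update would take) and the PLC reaching an outside address on 443 are each reported; the routine Modbus poll is not.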

Few ICS/SCADA operators today employ network security monitoring. Dale Peterson, CEO at ICS/SCADA consulting firm Digital Bond and host of the S4 Conference, says some large oil companies and other critical infrastructure operators with more mature security programs employ NSM. "NSM is a huge tool," Peterson says, especially for helping an organization detect and recover quickly from an attack or attempt. "It depends on the maturity of the ICS security program. So we typically don't recommend it unless you have good perimeter [security] and the ability to recover" from an attack, he says.

"If you want to keep it simple, just do log management and alerting," Peterson says. The next level of monitoring would be the use of commercial monitoring tools commonly found in security operations centers such as SIEM and IDS/IPS, he notes.

Open-source NSM isn't a set-it-and-forget-it process, though. "The fundamental thing is you've got to have people involved, using their intel to be able to say 'this is not normal'" traffic, Caldwell says.

Link: http://www.darkreading.com/perimeter/using-free-tools-to-detect-attacks-on-ics-scada-networks/d/d-id
