Network analysis for SCADA/ICS systems

I’m looking for good discussions of SCADA and ICS (Industrial Control System, not Incident Command System) systems and the horrible insecurities therein. Bonus points if there are PCAPs available so I can see what the traffic actually should look like and/or what attacks may look like.

And no, I don’t know which of the dozens of legacy serial protocols which have been badly hacked into working insecurely over TCP/IP I may be required to examine/support/defend.

Any recommendations or ideas for avenues of approach are welcome. My time is substantially farther away from infinite than the task at hand, but I have to make an attempt.

I recommend not reading anything about such things if you want to sleep peaceably in your beds at night.

There is at least now an awareness of the issues, which is better than it was :wink:

I’m not sure if there’s anything “off the shelf” available. Snort and Suricata have some SCADA protocol support, though I’ve never been in a position to test either. DigitalBond do SCADA focussed rules and you can get their rules through ET Pro.

If their rules are “good enough” for what you’re doing then a quick and easy cheap way to get something running quickly is Security Onion. I have my issues with SO, but as an easy intro to rolling your own IDS at low cost it’s ok.

Do you know what kind of bandwidths you’re likely to be dealing with?

I know virtually nothing. It’s for an exercise. We aren’t expected to do well in the exercise, but that’s no reason to roll over entirely. Part of the pre-requisite training is a 16-hour online DHS class on securing ICS; the writing on the wall is clearly legible.

In that case… aim for a server (ideally) with 32 GB or more of RAM and ideally an Intel server grade NIC (or, at least not a Realtek) for the traffic capture, and something else for accessing the server.

Install SecurityOnion in StandAlone mode. I’d suggest Suricata (IDS) and Snorby (IDS console) along with OpenFPC (packet capture) are all that you’ll need. With the Emerging Threats (open source) rules you’ll have at least some coverage of SCADA.

With SCADA as your primary/only concern I’d suggest dumping most of the other rules. That’ll help the performance of your IDS. Possibly keep the malware, trojan and scan rules if you want to cover the SCADA gateway devices.

Finally, you’ll need some way of getting packets from the network to your server. SPAN ports work as long as the switches aren’t too busy and the total traffic on that switch/router doesn’t exceed 1 Gb/s. A Tap is preferable, but decent ones cost lots of money. There are cheap ones, but I’ve no idea how well they work.

In an ideal world, your SCADA system would not be near anything connected to the Internet. Or have any form of network connectivity.

Sadly, we do not live in an ideal world.

We’re so far from an ideal world when it comes to IT (sorry, cyber) security that it wasn’t funny 10 years ago.