Defense in Depth: DNP3

Wednesday, June 15, 2016 @ 01:06 PM gHale


By Heather MacKenzie
Two things that make ICS cybersecurity different from IT security are the use of industrial-specific protocols like DNP3 and the common usage of endpoints like PLCs, IEDs and RTUs that are 15+ years old.

Both of these factors are significant in industries that depend on WAN communication networks, such as power, water/wastewater, transportation plus oil and gas systems.

Two SCADA security experts, Erik Schweigert of Belden and Joel Langill of SCADAhacker.com, conducted a webinar that described the challenges of securing systems like power grids. In it they explained why field firewalls and Deep Packet Inspection play important roles in cyber resiliency for many types of critical infrastructure.


If you want to understand how to secure industrial protocols like DNP3, or the unique challenges of Defense in Depth for OT, read on for the top 10 things that came up during the webinar:

10. Unique Advantages of DNP3 Communications
DNP3 (Distributed Network Protocol) and its European counterpart IEC 60870-5-104 were designed to communicate reliably over low-bandwidth, noisy Wide Area Networks (WANs), including serial radio and leased lines. This makes DNP3 ideal for power grids and other geographically spread SCADA systems such as oil and gas pipeline management.

9. Why Power Grids Using DNP3 Remain Susceptible to Remote Attacks
While DNP3 is a master/slave protocol like Modbus, it also supports unsolicited messages, such as report-by-exception messages sent from slaves (outstations) to the master. The master therefore has to accept inbound traffic from the field, so anyone who can reach the WAN or a field station can inject messages toward the control center; this gives power grids a large remote attack surface. For example, in the Maroochy Shire sewage system attack, an attacker with radio equipment injected false messages from the field side into the SCADA network, including false information toward the command center, and the outcome was some 800,000 liters of spilled sewage.

8. Embedded Devices Can’t be Protected with Host-based Solutions
For industrial security, host-based endpoint protection measures are insufficient.
There are very few security controls available for installation on devices like PLCs and IEDs. Thus, an important way to protect them is to use network entry point security controls. This is a foundational concept for the Zones and Conduits discussion coming up later.

7. ICS Security is Not All about Hackers
15-25-year-old control equipment, designed before the Internet, is still in active use in many industrial systems. These legacy devices need to be protected from network traffic they can't tolerate, such as malformed packets, port scans or traffic bursts, which can crash them with no attacker involved at all.

6. Types of Cyber Threats That Impact Industrial Networks
The presenters use an animated network diagram to show how malware can bypass the plant boundary firewall and reach the control system, and how the failure of a single network device can take down a group of PLCs. The visuals are great for understanding the unique challenges of ICS security.

5. Segment an Industrial Network Using Zones and Conduits
The IEC 62443 Zones and Conduits model is a key part of Defense in Depth for ICS.
Industrial firewalls used at the field level are conduit-based security controls that protect automation systems from malware and from accidental internal network incidents such as device failures or human error.

What is interesting is Zones and Conduits is a hard concept for IT to “get” as there is no standard enterprise equivalent for it.

4. Why Protocol-Specific Deep Packet Inspection is Important for ICS Security
Deep Packet Inspection (DPI) describes two different technologies used by firewalls to detect and block unwanted communications: signature-based inspection and protocol-specific inspection.

Think of an envelope in the mail. You can recognize it as an envelope and you can even see who it is from and where it is going. That maps to a standard firewall, which can filter on source and destination IP address and even port information, but that is as deep as it gets. The content inside the sealed envelope, the letter itself, is where the real information lies, and that is what DPI examines.

In a firewall with DPI technology, that is what actually happens: the firewall reads the individual "letters" of the packet on the wire. But how does a signature-based system (such as Snort) differ from a truly protocol-specific DPI engine?

Going back to the envelope and letter analogy, a signature-based approach is akin to scanning the letter for known bad phrases, specific words in a specific order presented in a specific way; a letter that contains none of them is delivered unread.

A signature-based system is therefore reactive: a vulnerability must already be known so that a signature can be designed to identify it, which also implies the exploit is already out in the wild. The signature works by being overlaid on a packet, mapping a set of bytes against the known byte pattern of a specific exploit, and anything that does not match passes. A protocol-specific DPI engine instead parses the DNP3 (or Modbus, or other industrial protocol) message itself, checks that the framing, lengths and checksums are valid, and enforces a whitelist of which function codes and operations each master is allowed to send to each outstation. Because it enforces what is legitimate rather than matching what is known to be bad, it blocks malformed and unauthorized traffic without a prior signature and with no signature feed to keep current.
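As an added illustration of the protocol-specific approach (example code written for this article, not code from the webinar, from Belden or from Tofino Security), here is a minimal DNP3 enforcer in Python. It validates the link-layer framing and the CRC-16/DNP checksums on the header and on every 16-octet data block, reads direction and addresses from the control field, and whitelists application-layer function codes per direction, so a cold-restart request, a direct-operate-without-response, or a request from an unknown master address is dropped even though no signature exists for it. It also illustrates item 9 above: an unsolicited response from a known outstation address is permitted, while the same message from any other source address is not. The link addresses, the policy and the sample frames are all constructed for the example.

```python
"""Minimal protocol-specific DPI filter for DNP3 link frames (added example, not Tofino/Belden code)."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# DNP3 application-layer function codes (IEEE 1815 values)
CONFIRM, READ, SELECT, OPERATE, DIRECT_OPERATE_NR = 0x00, 0x01, 0x03, 0x04, 0x06
COLD_RESTART, WARM_RESTART, RESPONSE, UNSOLICITED_RESPONSE = 0x0D, 0x0E, 0x81, 0x82

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC bit-reflected), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(src: int, dst: int, from_master: bool, user_data: bytes, link_fc: int = 4) -> bytes:
    """Assemble a link frame (default PRM=1 unconfirmed user data) with header and block CRCs."""
    assert len(user_data) <= 250, "one-byte length field: at most 250 user-data octets"
    control = (0x80 if from_master else 0x00) | 0x40 | (link_fc & 0x0F)  # DIR | PRM | function
    header = bytes([0x05, 0x64, 5 + len(user_data), control])
    header += dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):  # every 16-octet block carries its own CRC
        block = user_data[i:i + 16]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame

def parse_link(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Validate start bytes, length field and every CRC; return (control, dst, src, user_data)."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("bad start bytes or truncated header")
    if frame[2] < 5:
        raise ValueError("length field below minimum")
    if crc_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    control, n_data = frame[3], frame[2] - 5
    dst, src = int.from_bytes(frame[4:6], "little"), int.from_bytes(frame[6:8], "little")
    if len(frame) != 10 + n_data + 2 * ((n_data + 15) // 16):
        raise ValueError("frame size does not match length field")
    user, pos, remaining = bytearray(), 10, n_data
    while remaining:
        n = min(16, remaining)
        if crc_dnp(frame[pos:pos + n]) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            raise ValueError("data block CRC mismatch")
        user += frame[pos:pos + n]
        pos, remaining = pos + n + 2, remaining - n
    return control, dst, src, bytes(user)

@dataclass(frozen=True)
class Policy:
    master: int                     # the one link address allowed to act as master
    outstations: FrozenSet[int]     # link addresses of the outstations behind this conduit
    master_fcs: FrozenSet[int]      # application function codes the master may send
    outstation_fcs: FrozenSet[int]  # application function codes outstations may send

def inspect(frame: bytes, policy: Policy) -> Tuple[bool, str]:
    """Decide whether a frame may cross the conduit; returns (allowed, reason)."""
    try:
        control, dst, src, user = parse_link(frame)
    except ValueError as err:
        return False, f"malformed: {err}"
    from_master = bool(control & 0x80)  # DIR bit: 1 = frame sent by the master
    primary = bool(control & 0x40)      # PRM bit: 1 = primary-to-secondary frame
    if from_master and (src != policy.master or dst not in policy.outstations):
        return False, f"master-direction frame {src}->{dst} not permitted"
    if not from_master and (src not in policy.outstations or dst != policy.master):
        return False, f"outstation-direction frame {src}->{dst} not permitted"
    if not (primary and (control & 0x0F) in (3, 4)):  # reset/test/status/ack carry no app data
        return True, "link-layer control frame"
    if len(user) < 3:
        return False, "user data too short for transport and application headers"
    if not (user[0] & 0x40):  # transport FIR bit clear: continuation fragment, no app header
        return True, "continuation fragment"
    allowed = policy.master_fcs if from_master else policy.outstation_fcs
    if user[2] not in allowed:
        return False, f"application function code 0x{user[2]:02X} not permitted in this direction"
    return True, f"application function code 0x{user[2]:02X} permitted"

# Constructed policy: master at link address 1, outstations 10 and 11; reads and
# select-before-operate allowed, restarts and direct-operate-without-response blocked.
POLICY = Policy(1, frozenset({10, 11}), frozenset({CONFIRM, READ, SELECT, OPERATE}),
                frozenset({CONFIRM, RESPONSE, UNSOLICITED_RESPONSE}))

def app_fragment(fc: int, app_control: int = 0xC0, payload: bytes = b"") -> bytes:
    """Transport header (FIR|FIN, seq 0) + application control octet + function code + payload."""
    return bytes([0xC0, app_control, fc]) + payload

if __name__ == "__main__":
    unsol = app_fragment(UNSOLICITED_RESPONSE, 0xF0, b"\x00\x00")  # UNS|CON set, IIN = 0
    samples = {
        "master reads class 1 data": build_frame(1, 10, True, app_fragment(READ, payload=b"\x3c\x02\x06")),
        "master cold restart": build_frame(1, 10, True, app_fragment(COLD_RESTART)),
        "unsolicited from outstation 10": build_frame(10, 1, False, unsol),
        "unsolicited from unknown address 99": build_frame(99, 1, False, unsol),
    }
    for name, frame in samples.items():
        print(f"{name}: {inspect(frame, POLICY)}")
```

Two caveats a practitioner would add. First, this filter decides on the application header only; a production enforcer also tracks transport-layer reassembly and inspects the object headers, so it can allow reads of some object groups while blocking writes to others. Second, nothing at this layer can tell a genuine unsolicited response from a spoofed one that carries a legitimate outstation address, which is exactly why the conduit belongs at the field station and why DNP3 Secure Authentication (IEEE 1815-2012) exists for links where that risk matters.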

3. Why ICS Security Needs to be Easy to Implement
Implementing DPI has to be easy for PLC programmers to do; otherwise it either won’t be done or will be done poorly, jeopardizing security.

2. The Advantages of Security Appliances for Industrial Security
This is the product discussion – focusing on the key ways industrial firewalls are different from IT firewalls.

1. Unique Opportunity to Learn from ICS security Experts
There aren’t many true ICS security experts out there. This webinar is given by two of them. Don’t miss the chance to learn their unique insights from years in this field.

Erik Schweigert is a cyber security researcher and engineer who has developed pioneering Deep Packet Inspection technology for ICS. Joel Langill has more than 30 years of experience securing global industrial control systems and is the founder of Scadahacker.com.
www.scadahacker.com

Heather MacKenzie is with Tofino Security, a Belden company.