Protect your networked automation and production facilities effectively against cyber-attacks by continuously monitoring the most important segments of your network. Here you will learn how you can proceed effectively and safely at the same time.
Reliable Network Analysis In Production Plants
Progressive networking of various IT systems and increasingly complex cyber-attacks require effective and continuous network analysis. The focus should not only be on the traffic itself, but also on all network participants. In this article you will learn how you can carry out the analysis of your network even more effectively.
Network analysis distinguishes between two task areas: The recognition of IT assets worthy of protection and the continuous analysis of traffic. Basically, network analysis of systems is about identifying existing security gaps or weak points in order to prevent cyber-attacks.
Traffic analysis, on the other hand, is a continuous process. Here it is necessary to check the permitted communications and to detect anomalies directly. The aim is to check the proper use, e.g. used protocols, connections or required encryptions. This is the essential factor to control and ensure availability.
With IIoT and Industry 4.0, many devices are nowadays connected to a network. SCADA systems, controllers, PLCs, HMIs, sensors and actuators use standardized communications and can communicate diligently with printers, smartphones and even coffee machines. Unfortunately, this is the current status in some plants, but is absolutely not recommended for safety reasons.
Let’s assume in the following that the network to be analysed is separated from the normal company network and that we therefore “only” have one SCADA system, several programming computers, controllers / PLCs, HMIs, sensors and actuators.
Is NMAP Suitable For Network Analysis of Production Plants?
The use of NMAP holds high dangers in connection with production plants. First of all, when using tools such as NMAP, or other commercial tools, one should be aware that it addresses control components ACTIVELY and can therefore lead to a load and failure of these systems. Therefore, we advise all automation companies that NMAP should only be used specifically in networks and systems where it is absolutely certain that they are robust for active requests. This must be tested beforehand!
In addition, the information about the network and recordings from the network are stored locally on the computers and can therefore also fall into the hands of hackers.
Below you will learn how you can scan relevant areas of your network passively and thus in a way that is harmless for the automation systems.
Network Analysis in 3 steps
Step 1: Determination of Network Segments Requiring Protection
Instead of analysing the entire network, it makes sense to focus on network segments that require special protection. In the context of an ISMS implementation, one asks oneself the following questions: At what point would a cyber-attack hit you sensitively? Which hardware and software elements are indispensable for the production process? Where is irreplaceable information (e.g. a specific manufacturing process) in your company that needs to be protected?
This information plays a central role for the availability of the production plant and thus the success of a company. It is therefore worthwhile to analyse the communication in the relevant areas in more detail.
Analysing IP ports
The following questions help to assess IP ports, protocols and communications:
- Is the IP port / IP protocol required in my application?
- Does the service only have the rights necessary for its task?
- Is this service password-protected and are the passwords transmitted in encrypted form?
- Is the data encrypted?
- Are there known exploits for this IP port / IP protocol?
- Can known exploits be eliminated through updates?
NOTE: A good password is of no use if it is sent to the device in plain text – and therefore every network user can read it. Even well-encrypted communications are superfluous if a weakness is known that allows the security mechanism to be leveraged.
Step 2: Continuous Traffic Monitoring
The network segments to be protected defined in step 1 should be permanently monitored. This can be done with the IRMA computer system. IRMA passively scans the network in a continuous process and sounds an alarm in the event of anomalies. All IT assets and communications as well as their use are displayed. In addition, for a detailed forensic analysis, e.g. with Wireshark, the connection data is natively stored and can be exported and used as a pcap file.
Advantages of IRMA
With the help of IRMA, those responsible for networked automation and production plants can continuously analyse their network. Due to its simple operation and automation, the use of an IT specialist is not absolutely necessary.
Older networked automation systems in particular are very sensitive when it comes to an active intervention of analysis tools in the network. A plant breakdown not only entails economic losses, but is also worrisome for employees. That is why IRMA uses passive access to the network and machine learning to display an overview of all participants and connections.
IRMA also collects and logs information about communication in these areas. At the same time, the system detects unusual processes, so-called anomalies, and sounds an alarm. An example of such anomalies could be the activities of an APT (“Advanced Persistent Threats”). These are cyber-attacks that can bypass virus scanners and firewalls and cause up to 200 days of undisturbed network damage. The sooner you recognize these dangers, the better you can react.
Step 3: Detailed Analysis with Wireshark
While IRMA detects the anomaly, a specialist can use Wireshark to perform a more detailed analysis to identify the cause. The data logged and stored by IRMA are examined in more detail: Which protocol functions were used at which time, which errors were not handled in the protocol or who communicated protocol errors to the network permanently, if necessary?
With the help of this information, possible weaknesses and disturbances can be identified within the traffic and thus security gaps can be closed.
Conclusion of the Network Analysis
In today’s world, with the networking of many participants and the desire to be able to access everything online, there are many more points of attack and weak points. Firewalls, VPN and virus scanners are no longer sufficient to adequately protect a system and its data. Apply these topics and protect your production plant against cyber-attacks with intelligent network monitoring to detect suspicious behaviour, anomalies and attacks early.
Original article written by VIDEC