ICS-CERT: SNORT in an ICS Environment

Wednesday, May 23, 2012

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

Much ado has been made of the disclosure of PLC vulnerabilities by the Project Basecamp team at the S4 conference in January 2012.

Nearly as much has been made about those bugs discovered by Billy Rios and Terry McCorkle in the ICS software—primarily HMIs—that they evaluated in their free time for the 100 days of SCADA bugs presentation at DerbyCon 2011.

Finally, following closely on the heels of the vulnerability disclosures, ICS-CERT issued an alert on February 3, 2012, about SSH brute force scanning against critical infrastructure.

This combination of events further highlights the need to detect and respond to attacks against critical infrastructure. Unfortunately, it is well known that a gap exists between ICS cyber defenses and adversarial capabilities.

To address the immediate need for situational awareness of potential threats, ICS-CERT has evaluated available research on control system networks incident detection and Network-based Intrusion Detection System (NIDS) technology.

The National Electric Cyber Security Organization (NESCO) and the Open Information Security Foundation (OISF) announced that they will be supporting updates for the NIDS preprocessors specific to ICS protocols, which were originally written by Digital Bond.

The effort will focus on the updates necessary for SNORT and Suricata, both open source NIDS packages, to function effectively in ICS environments.

Why is this significant? Up to this point, a major obstacle for ICS security teams has been how to test and deploy IT security tools in the ICS space. In many cases, this simply hasn’t been possible because of ICS operational needs and the legacy technology used in many ICS environments.

Now, the open-source IT security research community has paired up with ICS security teams, DHS, NESCO, and other stakeholders to research specific ICS network threats and produce tools to address them.

NIDS Support for ICS Environments:

SNORT 2.9.2.1 was released on January 19, 2012, and included the upgraded preprocessors, allowing ICS integrators and implementers to detect incidents running against ICS network resources or communications protocols.

No date for the Suricata preprocessor updates has been published at this time; although the updates were scheduled for OISF discussion on February 7, 2012. NIDS signatures for common network protocols, such as DNP3, Modbus TCP, and EtherNet/IP, as well as a range of vulnerability signatures, can be downloaded from the Digital Bond website for use with SNORT, Suricata, or other NIDS products that can import NIDS signatures in the SNORT format.

Or, when deploying a NIDS in the ICS environment isn’t possible, a NIDS system can be deployed at the junction of the corporation and control system network. Because most major NIDS applications can consume rule sets in the SNORT format, it is possible to deploy a sensor with the ICS rule sets at the corporate/control system or DMZ/control system junctions without disrupting operational network communications. This would provide some level of visibility into the health, status, etc. of the control system network communications without the fear of service interruption or network throttling.

Digital Bond has a link to the SNORT preprocessors and rule sets available for download on its QuickDraw IDS web page. They also have identified a number of major IT security companies whose NIDS applications can import the ICS rules if the new, ICS deployment needs to be shoe-horned off an existing NIDS deployment.

Documentation and Research Resources:

Haven’t deployed a NIDS in an ICS environment before? More and more documentation is available from a number of sources, outlining specifics of how to plan NIDS deployments in ICS networks.

ICS-CERT has compiled a preliminary list of NIDS-ICS resources for customers and industry partners who are considering a NIDS deployment. This list is not comprehensive, but it contains information regarding needs assessments, architectural planning, and common obstacles others have found when deploying NIDS in process control networks.

Manuel Humberto Santander Peláez’s, a security expert working for a utility company and a SANS Internet Storm Center handler, post on the SANS Internet Storm Center regarding SNORT 2.9.2.1, http://isc.sans.edu/diary.html?storyid=12346

Overview of the SNORT release and its impact on the SCADA world, http://www.infosecisland.com/blogview/19649-Snort-and-SCADA-Protocol-Checks.html

NIST’s recommendations for acquiring and deploying an IDS system, http://csrc.nist.gov/publications/nistbul/itl99-11.txt

A second post by Manuel regarding the need for security in an ICS environment, http://isc.sans.edu/diary.html?storyid=9436

Patrick Weaver’s reference on the SNORT website for using SNORT to meet NERC CIP requirements, http://www.snort.org/assets/114/Snort_RH5_SCADA.pdf

Digital Bond’s QuickDraw IDS portal, which requires subscription to the portal to view the documentation but is free to the public, contains a variety of documentation regarding NIDS needs and deployment requirements in an ICS environment, http://www.digitalbond.com/tools/quickdraw

Industrial Defender’s NIDS portal, which requires subscription to the portal to view the documentation but is free to the public, contains a variety of documentation regarding NIDS needs and deployment requirements in an ICS environment, http://www. industrialdefender.com/products/supported/nids.php

As always, feel free to contact the ICS-CERT team if you have any questions or need further information regarding ICS security concerns or incidents.

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Feb2012.pdf

Possibly Related Articles:
16796
SCADA
Industrial Control Systems
SCADA Snort Tools Cyber Security Network Security NESCO ICS-CERT Resources Industrial Control Systems
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.