Improve Legacy Critical Infrastructure Protection with Automated Monitoring and Anomaly Detection for DNP3

By Jessica Ohnona | June 2nd, 2021

DNP3 – Distributed Network Protocol 3.0 – is the second most widely used serial communications protocol in Industrial Control Systems (ICS), after Modbus. As EPRI (Electric Power Research Institute) mentioned in a 2019 technical update: “it is the most widely used utility communications protocol in North America” and is used to enable communication between components in process automation systems.

It is used in SCADA systems so that data acquisition equipment can communicate with control equipment. It was originally built for the electrical grid but is now also used in oil and gas, water and sewage, transportation, and more. DNP3 lets operators track device values such as current, voltage, alarm status, device control state or breaker status in order to detect issues as they arise. The protocol was developed in 1993 with no built-in security (no authentication or encryption) and with a common set of function codes and data types, making it an attack vector of interest for hackers planning spoofing or eavesdropping attacks. Until now, there has been no automated intrusion and anomaly detection solution for DNP3, but keep reading…

In terms of cybersecurity for Operational Technology (OT) networks, people tend to focus on the TCP/IP level because that is what most commercial solutions offer today. In the past, it was easier to just ignore serial communications security because there was no way to safely or securely identify what was happening at that lower level, since the data being polled by SCADA often came from TCP/IP-connected devices such as PLCs and RTUs. Recent attacks on critical energy infrastructure have underscored the importance of re-examining utility cybersecurity – and an important aspect of this effort is the DNP3-connected devices widely used across the utility sector.

The problem we face with digital transformation is that all assets are being connected to the Internet. This means that nothing is fully secure: if an adversary gains access to any part of your network, they can traverse into your more critical operations and cause significant downtime, damage assets, or even become a threat to human safety. Following the recent attacks on the water supply chain in Oldsmar, Florida and now the Colonial Pipeline, we evidently need to improve our cyber security posture regarding critical infrastructure. According to reports, Colonial Pipeline did not need to take their system offline but could have done so as a precaution if their IT/OT systems were interconnected. In this scenario, the ransomware attack targeted the IT side but could have pivoted to the pipeline operations on the OT side. Can we be sure that once Mandiant/FireEye have concluded their investigation, the attackers no longer have a foothold in the network? It is known that hackers like to stay in systems they worked so hard to get control of.

One step to improve cyber security for critical systems that rely on legacy controls is to monitor serial communications, level 0/1 of the Purdue Model, to help with early detection. It is one way to detect an attack when a system is already compromised. As Jonathan Baeckel stated in a SANS paper: “The increased situational awareness resulting from the collection and analysis of serial data in Layer 1 would not only provide earlier detection, but it would also help to speed investigation and troubleshooting of unexpected values, thereby allowing a return to normal operations in a more expedient and safe manner.”

Those communications at the lower level can be trusted to carry reliable, untouched data because that is where the physical devices are communicating, rather than at Level 2 and above where the data could have been altered. That data could show the direct communication between a PLC and a breaker, such as the command to open or close that breaker. If you are monitoring only at Level 2 and above, it is possible that a bad actor has already modified the data, meaning it is not representative of what is happening at the physical process level. For example, Stuxnet carried out a false feedback attack on an HMI (Human Machine Interface) as part of its attack on the nuclear program in Iran. It is a computer worm that targets PLCs (Programmable Logic Controllers); the infected PLCs ordered the centrifuges to run at a faster pace than normal. However, because the feedback to the HMI was falsified, the operators observed normal readings and were not able to see how fast the centrifuges were running. Another example is the BlackEnergy attack on the Ukrainian power grid in December 2015. The attacker took control of the HMI, switched off breakers and changed the password so that the operator wouldn’t be able to log in. This caused over 230,000 people to lose electricity for up to 6 hours. The operators had to control the breakers manually to restore power. In the US, many power grid control systems don’t have manual backups, which would make it even more challenging to restore service in such a situation.

Critical infrastructure has become a big target and we realize more and more how insecure it is by the day. The SolarWinds and Microsoft hacks have also proven, yet again, that we are not prepared to defend ourselves against such threats. SolarWinds infected many companies but “has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries”. Evidently, we are far from being cyber-secure and need to upgrade our cyber practices to fight the increasing number of attacks we face today. Those attacks are becoming more and more harmful and a threat to human safety. Hence, we should update cyber security procedures towards new options that help close the loop by monitoring and protecting all levels of the Purdue model, without ignoring the lower levels. We need a solution that encompasses the lower-level architecture as well, which is now feasible because we can monitor serial communications with OT OptICS. The platform is a passive and fail-safe serial data tap – SerialGuard – accompanied by an aggregating software solution – the AnalytICS Engine – that presents the data gathered from those serial communications through visualizations and analysis in a clear and easy to understand form.

The technology that drives OT OptICS is a machine learning monitoring and anomaly detection system for serial networks. It is the first of its kind, as AI-driven cybersecurity platforms did not exist for serial communications until now. OT OptICS harnesses the SerialGuard AnalytICS Platform to autonomously detect anomalous traffic in your serial-connected ICS. It learns the network’s behavior, establishes a dynamic baseline of typical operations and continuously monitors the operational state of the devices in the network. It identifies lower-level compromises to prevent asset downtime and physical damage, which improves incident response times. In a Stuxnet-like attack, OT OptICS would display the authentic data from the serial bus that is transmitted from the PLC to the field device. The HMI would not display the changes happening in the system, as the data sent to it has been manipulated, but because OT OptICS monitors level 0/1 communications it would see the real values on the serial bus and reflect them on the platform. The operator would notice that the field devices are running at a high and dangerous speed and would then recognize that the HMI is not displaying accurate data because it has been compromised.

As seen with SolarWinds, many organizations are already compromised, and attackers are lurking in your networks while planning an attack. Even after an attack, there is always a possibility that hackers may stay in your environment to steal more files, read e-mails or even plan another attack. Do not just assume that you are safe because any system could be targeted.

To be secure, at a minimum, you should monitor what is happening in your network as much as possible in order to detect such stealthy compromises. OT OptICS is a state-of-the-art technology that enables the use of machine learning on level 0/1 serial communications data such as DNP3. It brings a new layer of security by providing visibility into your physical processes using a passive and fail-safe device to tap serial communications – something that was not possible before. OT OptICS can help detect attacks – such as DoS-style attacks, manipulation of analog/digital inputs and outputs, or non-prescribed function codes – in the various sectors of critical infrastructure that have insecure implementations of DNP3 serial. Monitoring those serial communications with machine learning technology will ensure that you know what your devices are doing in real time, with the added security of automated alerts. The machine learning component automatically baselines your normal operations and removes the need for human-written rule-based alerts, giving you round-the-clock surveillance of your critical assets.
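To make the detection categories above concrete (non-prescribed function codes, DoS-style floods, and malformed frames on a DNP3 serial link), here is an added example that is not OT OptICS, SerialGuard or AnalytICS code. It parses DNP3 link-layer frames (start bytes 0x05 0x64, length, control, destination, source, then a CRC-16/DNP over the header and over every 16-byte block of user data), pulls the application-layer function code out of the user data, learns a baseline of which source/destination/function combinations and frame rates are normal, and alerts on deviations. All traffic is constructed inline for the demo; the addresses (master 1, outstation 10), the object payloads, the learning window and the 3x rate threshold are assumptions chosen for illustration.

```python
"""Toy DNP3 serial-link monitor with a learned baseline (added example, constructed traffic)."""
import struct
from collections import Counter

START = b"\x05\x64"
# Standard DNP3 application-layer function codes used by the demo.
FUNCTION_NAMES = {0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x03: "SELECT",
                  0x04: "OPERATE", 0x05: "DIRECT_OPERATE", 0x0D: "COLD_RESTART",
                  0x0E: "WARM_RESTART", 0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE"}


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC), init 0, complemented result."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(src: int, dst: int, control: int, user_data: bytes) -> bytes:
    """Assemble a link frame: header + header CRC, then 16-byte blocks each with a CRC.
    LENGTH counts control, dst, src and user data (CRCs excluded). Demo use only."""
    header = START + bytes([len(user_data) + 5, control]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate start bytes and all CRCs; return link fields plus the application function code."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("bad start bytes or truncated header")
    header = frame[:8]
    if struct.unpack("<H", frame[8:10])[0] != dnp3_crc(header):
        raise ValueError("header CRC mismatch")
    length, control = header[2], header[3]
    dst, src = struct.unpack("<HH", header[4:8])
    user_len, user_data, pos = length - 5, b"", 10
    while len(user_data) < user_len:
        n = min(16, user_len - len(user_data))
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or len(crc) < 2 or struct.unpack("<H", crc)[0] != dnp3_crc(block):
            raise ValueError("data block CRC mismatch or truncated frame")
        user_data, pos = user_data + block, pos + n + 2
    # user_data[0] is the transport header (FIR/FIN/seq); APDU follows: app control, function code.
    func = user_data[2] if len(user_data) >= 3 else None
    return {"src": src, "dst": dst, "dir": (control >> 7) & 1, "prm": (control >> 6) & 1,
            "link_fc": control & 0x0F, "app_fc": func, "app_name": FUNCTION_NAMES.get(func, "UNKNOWN")}


class SerialBaseline:
    """Learn normal (src, dst, app function) triples and peak frames-per-second, then flag deviations."""

    def __init__(self, rate_factor: float = 3.0):
        self.allowed, self.peak_rate, self.rate_factor = set(), 0, rate_factor

    def learn(self, timed_frames):
        per_second = Counter()
        for t, frame in timed_frames:
            f = parse_frame(frame)
            self.allowed.add((f["src"], f["dst"], f["app_fc"]))
            per_second[int(t)] += 1
        self.peak_rate = max(per_second.values(), default=0)

    def check(self, timed_frames):
        alerts, per_second = [], Counter()
        for t, frame in timed_frames:
            try:
                f = parse_frame(frame)
            except ValueError as err:
                alerts.append((t, "MALFORMED", str(err)))
                continue
            per_second[int(t)] += 1
            if (f["src"], f["dst"], f["app_fc"]) not in self.allowed:
                alerts.append((t, "NON_PRESCRIBED_FUNCTION", f"{f['src']}->{f['dst']} {f['app_name']}"))
        for sec, n in sorted(per_second.items()):
            if n > self.rate_factor * self.peak_rate:
                alerts.append((sec, "FLOOD", f"{n} frames in one second"))
        return alerts


# Constructed payloads: transport header, app control, function code, then a simplified object header.
READ_CLASS0 = bytes([0xC0, 0xC0, 0x01, 0x3C, 0x02, 0x06])          # READ group 60 var 2, qualifier 0x06
RESPONSE_OK = bytes([0xC0, 0xC0, 0x81, 0x00, 0x00])                # RESPONSE with IIN = 0
DIRECT_OPERATE_CROB = (bytes([0xC0, 0xC0, 0x05, 0x0C, 0x01, 0x17, 0x01, 0x00, 0x41, 0x01])
                       + bytes(8) + b"\x00")                       # g12v1 CROB, index 0, LATCH_ON


def normal_traffic(seconds: int = 10):
    """Master 1 polls outstation 10 once per second (control 0xC4 = DIR|PRM|unconfirmed user data)."""
    frames = []
    for s in range(seconds):
        frames.append((s + 0.0, build_frame(1, 10, 0xC4, READ_CLASS0)))
        frames.append((s + 0.1, build_frame(10, 1, 0x44, RESPONSE_OK)))
    return frames


def run_demo():
    baseline = SerialBaseline()
    baseline.learn(normal_traffic())
    suspicious = normal_traffic(2)
    suspicious.append((2.0, build_frame(1, 10, 0xC4, DIRECT_OPERATE_CROB)))          # never seen in baseline
    suspicious.extend((3.0 + i / 100, build_frame(1, 10, 0xC4, READ_CLASS0)) for i in range(40))  # burst
    bad = bytearray(build_frame(10, 1, 0x44, RESPONSE_OK))
    bad[4] ^= 0xFF                                                                    # corrupt destination byte
    suspicious.append((4.0, bytes(bad)))
    return baseline.check(suspicious)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline here is deliberately simple (an allow-list plus a rate ceiling), which is the rule-based approach the text contrasts with a learned model; value-range checks for analog/digital points would sit in the same `check` loop once the object data is decoded. What the example does show is why CRC validation and function-code extraction have to happen on the serial side: an HMI that has been fed falsified feedback never sees these frames at all.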

Take action and enquire about protecting yourself before ending up as tomorrow’s headline.
