Automated Asset Discovery in Industrial Control Systems - Exploring the Problem

Vulnerabilities within Industrial Control Systems (ICS) and Critical National Infrastructure (CNI) represent a significant safety, ecological and economical risk to owners, operators and nation states. Numerous examples from recent years are available to demonstrate that these vulnerabilities are being exploited by threat actors. One of the first steps required when securing legacy infrastructures is to obtain a complete asset (device) inventory, as is it impossible to protect a system without first understanding its content and connectivity. ICS environments offer significant challenges to the automated and safe discovery of network connected devices. Legacy ICS-based network services are often very fragile and networks are often sensitive to increased traffic, latency or interference, precluding the use of active scanning technologies. The decentralised nature of ICS traffic flows alongside the lack of capability of legacy network equipment make the use of standard passive scanning technologies difficult. This paper presents an overview and understanding of passive ICS discovery and provides the results of an experiment to show how existing passive scanning tools fare in an ICS environment in which port mirroring technologies are not ubiquitously supported.

Content

Author and article information

Contributors

Adam Wedgbury

Kevin Jones

Conference

Publication date: September 2015

Publication date (Print): September 2015

Pages: 73-83

Affiliations

[0001]Airbus Group Innovations

Quadrant House

Celtic Springs

Newport, NP10 8FZ

UK

Article

DOI: 10.14236/ewic/ICS2015.8

SO-VID: c8c355b7-473c-4eb8-a012-9d62d72c7dfc

License:

This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

Conference name: 3rd International Symposium for ICS & SCADA Cyber Security Research 2015 (ICS-CSR 2015)

Conference acronym: ICS-CSR

Conference number: 3

Conference location: Germany

Conference date: 17 - 18 September 2015

Conference sponsor: Electronic Workshops in Computing (eWiC)

Conference theme: Industrial Control System & SCADA Cyber Security Research (ICS-CSR)

History

Product

1477-9358 BCS Learning & Development

Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2015.8

Self URI (journal page): https://ewic.bcs.org/

References

Tenable passive vulnerability scanner data sheet 2013 Sept Tenable Network Security White Paper
Optimizing it technology refresh policies 2015 An approach to balancing capital spending, operating efficiency, and risk mitigation Archstone Consulting White Paper Available from http://www.archstoneconsulting. com/services/it-strategyopeations/white-papers/ optimizing-it-technology.jsp
R. C Bodenheim 2014 Mar Impact of the Shodan computer search engine on internet-facing industrial control system devices M.S. thesis, Air Force Institute of Technology Wrightpatterson AFB Oh Graduate School of Engineering and Management
E Byres 2012 July #1 ICS and SCADA security myth: Protection by air gap Tofino Security White Paper
M Choi 2013 Wireless communications for SCADA systems utilizing mobile nodes Int. J. Smart Home 7 5 1 8
C Dumont 2014 Jan NERC (CIP-002) identification of critical cyber assets
B GallowayG Hancke 2013 Introduction to industrial control networks IEEE Commun. Surveys Tuts 15 2 860 880
ICS-CERT 2014 Feb The ICS-CERT year in review 2013. USA Homeland Security ICS-CERT, Tech Rep
G LiuN Neufeld 2009 Nov Management of the LHCB network based on SCADA system CERN The European Organization for Nuclear Research Technical Report
V Mohan 2013 Nov It asset management benefits & best practices SolarWinds Worldwide LLC White Paper
A Nicholson H JanickeA Cau 2014 Safety and security monitoring in ICS/SCADA systems Proceedings of the 2nd International Symposium for ICS & SCADA Cyber Security Research
A Nicholson 2012 SCADA security in the light of cyber-warfare Comput. Secur 31 4 418 436
S. A OlivaB Crowe 2003 Feb Network system and method for automatic discovery of topology using overhead bandwidth
A PaunaK Moulinos 2013 Dec Window of exposure a real problem for SCADA systems? recommendations for Europe on SCADA patching European Union Agency for Network and Information Security (ENISA), Tech Rep
M. R PermannK. C Rohde 2005 Assessment methods for SCADA security Proceedings of 15th Annual Joint ISA POWID/EPRI Controls and Instrumentation Conference
D Peterson 2006 Nov Using the Nessus vulnerability scanner on control systems Digital Bond White Paper
D Peterson 2012 Using cyber security assessment tools on industrial control systems Digital Bond White Paper
A Scott 2012 Apr SCADA security and the data link layer Available from http://blog.cimation.com/ blog/scada-security-and-theosi-data-link-layer
J Stirland 2014 Dec Developing cyber forensics for SCADA industrial control systems Proceedings of the International Conference on Information Security and Cyber Forensics Universiti Sultan Zainal Abidin Kuala Terengganu, Malaysia
Z TrabelsiW El-Hajj 2010 On investigating ARP spoofing security solutions Internet Protocol Technology 5 1/2
C Valladares 2012 Dec 20 critical security controls control 1: Inventory of authorized and unauthorized devices
R van der Knijff 2014 Control systems/SCADA forensics, what’s the difference? Digital Investigation 11 3 160 174 Special Issue: Embedded Forensics
K. C Wiberg 2006 Sept Identifying supervisory control and data acquisition (SCADA) systems on a network via remote reconnaissance M.S. thesis, Naval Postgraduate School Monterey, California
P Williams 2014 June Distinguishing internet-facing ICS devices using PLC programming information M.S. Thesis, USA Air Force Institute of Technology
T Wu 2013 Towards a SCADA forensics architecture Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research
F ZhuM MutkaL Ni 2002 Sept Classification of service discovery in pervasive computing environments Michigan State University

Comments

Comment on this article

[1] Tenable passive vulnerability scanner data sheet 2013 Sept Tenable Network Security White Paper

[2] Optimizing it technology refresh policies 2015 An approach to balancing capital spending, operating efficiency, and risk mitigation Archstone Consulting White Paper Available from http://www.archstoneconsulting. com/services/it-strategyopeations/white-papers/ optimizing-it-technology.jsp

[3] R. C Bodenheim 2014 Mar Impact of the Shodan computer search engine on internet-facing industrial control system devices M.S. thesis, Air Force Institute of Technology Wrightpatterson AFB Oh Graduate School of Engineering and Management

[4] E Byres 2012 July #1 ICS and SCADA security myth: Protection by air gap Tofino Security White Paper

[5] M Choi 2013 Wireless communications for SCADA systems utilizing mobile nodes Int. J. Smart Home 7 5 1 8

[6] C Dumont 2014 Jan NERC (CIP-002) identification of critical cyber assets

[7] B GallowayG Hancke 2013 Introduction to industrial control networks IEEE Commun. Surveys Tuts 15 2 860 880

[8] ICS-CERT 2014 Feb The ICS-CERT year in review 2013. USA Homeland Security ICS-CERT, Tech Rep

[9] G LiuN Neufeld 2009 Nov Management of the LHCB network based on SCADA system CERN The European Organization for Nuclear Research Technical Report

[10] V Mohan 2013 Nov It asset management benefits & best practices SolarWinds Worldwide LLC White Paper

[11] A Nicholson H JanickeA Cau 2014 Safety and security monitoring in ICS/SCADA systems Proceedings of the 2nd International Symposium for ICS & SCADA Cyber Security Research

[12] A Nicholson 2012 SCADA security in the light of cyber-warfare Comput. Secur 31 4 418 436

[13] S. A OlivaB Crowe 2003 Feb Network system and method for automatic discovery of topology using overhead bandwidth

[14] A PaunaK Moulinos 2013 Dec Window of exposure a real problem for SCADA systems? recommendations for Europe on SCADA patching European Union Agency for Network and Information Security (ENISA), Tech Rep

[15] M. R PermannK. C Rohde 2005 Assessment methods for SCADA security Proceedings of 15th Annual Joint ISA POWID/EPRI Controls and Instrumentation Conference

[16] D Peterson 2006 Nov Using the Nessus vulnerability scanner on control systems Digital Bond White Paper

[17] D Peterson 2012 Using cyber security assessment tools on industrial control systems Digital Bond White Paper

[18] A Scott 2012 Apr SCADA security and the data link layer Available from http://blog.cimation.com/ blog/scada-security-and-theosi-data-link-layer

[19] J Stirland 2014 Dec Developing cyber forensics for SCADA industrial control systems Proceedings of the International Conference on Information Security and Cyber Forensics Universiti Sultan Zainal Abidin Kuala Terengganu, Malaysia

[20] Z TrabelsiW El-Hajj 2010 On investigating ARP spoofing security solutions Internet Protocol Technology 5 1/2

[21] C Valladares 2012 Dec 20 critical security controls control 1: Inventory of authorized and unauthorized devices

[22] R van der Knijff 2014 Control systems/SCADA forensics, what’s the difference? Digital Investigation 11 3 160 174 Special Issue: Embedded Forensics

[23] K. C Wiberg 2006 Sept Identifying supervisory control and data acquisition (SCADA) systems on a network via remote reconnaissance M.S. thesis, Naval Postgraduate School Monterey, California

[24] P Williams 2014 June Distinguishing internet-facing ICS devices using PLC programming information M.S. Thesis, USA Air Force Institute of Technology

[25] T Wu 2013 Towards a SCADA forensics architecture Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research

[26] F ZhuM MutkaL Ni 2002 Sept Classification of service discovery in pervasive computing environments Michigan State University

Celebrating 65 years of The Computer Journal - free-to-read perspectives - bcs.org/tcj65