Efficient Passive ICS Device Discovery and Identification by MAC Address Correlation

Owing to a growing number of attacks, the assessment of Industrial Control Systems (ICSs) has gained in importance. An integral part of an assessment is the creation of a detailed inventory of all connected devices, enabling vulnerability evaluations. For this purpose, scans of networks are crucial. Active scanning, which generates irregular traffic, is a method to get an overview of connected and active devices. Since such additional traffic may lead to an unexpected behavior of devices, active scanning methods should be avoided in critical infrastructure networks. In such cases, passive network monitoring offers an alternative, which is often used in conjunction with complex deep-packet inspection techniques. There are very few publications on lightweight passive scanning methodologies for industrial networks. In this paper, we propose a lightweight passive network monitoring technique using an efficient Media Access Control (MAC) address-based identification of industrial devices. Based on an incomplete set of known MAC address to device associations, the presented method can guess correct device and vendor information. Proving the feasibility of the method, an implementation is also introduced and evaluated regarding its efficiency. The feasibility of predicting a specific device/vendor combination is demonstrated by having similar devices in the database. In our ICSi testbed, we reached a host discovery rate of 100% at an identification rate of more than 66%, outperforming the results of existing tools.

Content

Author and article information

Contributors

Matthias Niedermaier

Thomas Hanka

Sven Plaga

Alexander von Bodisco

Dominik Merli

Conference

Publication date: August 2018

Publication date (Print): August 2018

Pages: 21-30

Affiliations

[1 ]Hochschule Augsburg Augsburg, Germany

[2 ]Fraunhofer AISEC Munich, Germany

Article

DOI: 10.14236/ewic/ICS2018.3

SO-VID: b63def0e-71ff-46cc-96cd-5a61da3ab026

License:

This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

Conference name: 5th International Symposium for ICS & SCADA Cyber Security Research 2018

Conference acronym: ICS-CSR 2018

Conference number: 5

Conference location: University of Hamburg, Germany

Conference date: 29 - 30 August 2018

Conference sponsor: Electronic Workshops in Computing (eWiC)

Conference theme: ICS & SCADA Cyber Security Research

History

Product

1477-9358 BCS Learning & Development

Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2018.3

Self URI (journal page): https://ewic.bcs.org/

REFERENCES

P. Auffret 2010 ‘SinFP, unification of active and passive operating system fingerprinting’ Journal in Computer Virology 6 3 197 205 URL: https://doi.org/10.1007/s11416-008-0107-z
O. BilodeauD. LaPorteE. Kollman 2018 ‘FingerBank’. 11 03 2018 URL: https://fingerbank.org/
Browse Vulnerabilities By Date 2018 11 03 2018 URL: https://www.cvedetails.com/browse-by-date.php
M. CaselliD. HadŽiosmanovićE. ZambonF. Kargl 2013 On the Feasibility of Device Fingerprinting in Industrial Control Systems
I. E. Commission. (2003 ‘IEC 62264-1 Enterprise-control system integration–Part 1: Models and terminology’, IEC, Genf.
CORE Security 2018 ‘Pcapy’ 11 03 2018 URL: https://github.com/CoreSecurity/pcapy
R. Droms 1997 ‘RFC 2131-Dynamic Host Configuration Protocol, March 1997’, Obsoletes RFC1541. Status: DRAFT STANDARD 3 1)
Z. DurumericD. AdrianA. MirianM. BaileyJ. A. Halderman 2015a A Search Engine Backed by Internet-Wide Scanning ‘Proceedings of the 22nd ACM Conference on Computer and Communications Security’
Z. DurumericD. AdrianA. MirianM. BaileyJ. A. Halderman 2015b A Search Engine Backed by Internet-Wide Scanning ‘Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security’, ACM 542 553
A. HahnM. Govindarasu 2011 An evaluation of cybersecurity assessment tools on a SCADA environment ‘Power and Energy Society General Meeting, 2011 IEEE’, IEEE 1 6
E. Hjelmvik 2008 ‘Passive Network Security Analysis with NetworkMiner’, IN) Secure 18 1 100
IEEE Registration Authority 2018 11 03 2018 URL: http://regauth.standards.ieee.org/standardsra-web/pub/view.html
IEEE Standard for Local and Metropolitan Area Networks (2014), IEEE Std 802-2014 (Revision to IEEE Std 802-2001) pp. 1 74
I. KellnerL. Fiege 2009 Viewpoints in Complex Event Processing: Industrial Experience Report ‘Proceedings of the Third ACM International Conference on Distributed Event-Based Systems’, DEBS ’09 ACM 9:1 9:8 URL: http://doi.acm.org/10.1145/1619258.1619271
G. Lyon 2009 ‘Nmap–Free Security Scanner For Network Exploration & Security Audits’
J. C. Matherly 2009 ‘SHODAN the computer search engine’. URL: http://www.shodanhq.com/help
M. NiedermaierJ.-O. MalchowF. FischerD. MarzinD. MerliV. RothA. von Bodisco n.d. You Snooze, You Lose: Measuring PLC Cycle Times under Attacks ‘12th USENIX Workshop on Offensive Technologies (WOOT 18)’
M. Niedermaier, von A. BodiscoD. Merli 2018 CoRT: A Communication Robustness Testbed for Industrial Control System Components ‘4th International Conference on Event-Based Control, Communication, and Signal Processing EBCCSP 2018’
p0f v3 2018 11 03 2018 URL: http://lcamtuf.coredump.cx/p0f3/
PLCScan the Internet 2018 04 01 2018 URL: http://scadastrangelove.blogspot.de/2012/11/plcscan.html
D. C. Plummer 1982 ‘RFC 826: An Ethernet Address Resolution protocol’, InterNet Network Working Group
RiskViz 2018 11 03 2018 URL: https://www.riskviz.de
K. StoufferJ. FalcoK. Scarfone 2011 ‘Guide to Industrial Control Systems (ICS) Security’ NIST special publication 800 82 16 16
A. WedgburyK. Jones 2015 Automated Asset Discovery in Industrial Control Systems: Exploring the Problem ‘Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research’, ICS-CSR ’15 BCS Learning & Development Ltd., pp. 73 83 URL: https://doi.org/10.14236/ewic/ICS2015.8
B. ZhuA. JosephS. Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems ‘Internet of things (iThings/CPSCom), 2011 international conference on and 4th international conference on cyber, physical and social computing’, IEEE 380 388

Comments

Comment on this article

[1] P. Auffret 2010 ‘SinFP, unification of active and passive operating system fingerprinting’ Journal in Computer Virology 6 3 197 205 URL: https://doi.org/10.1007/s11416-008-0107-z

[2] O. BilodeauD. LaPorteE. Kollman 2018 ‘FingerBank’. 11 03 2018 URL: https://fingerbank.org/

[3] Browse Vulnerabilities By Date 2018 11 03 2018 URL: https://www.cvedetails.com/browse-by-date.php

[4] M. CaselliD. HadŽiosmanovićE. ZambonF. Kargl 2013 On the Feasibility of Device Fingerprinting in Industrial Control Systems

[5] I. E. Commission. (2003 ‘IEC 62264-1 Enterprise-control system integration–Part 1: Models and terminology’, IEC, Genf.

[6] CORE Security 2018 ‘Pcapy’ 11 03 2018 URL: https://github.com/CoreSecurity/pcapy

[7] R. Droms 1997 ‘RFC 2131-Dynamic Host Configuration Protocol, March 1997’, Obsoletes RFC1541. Status: DRAFT STANDARD 3 1)

[8] Z. DurumericD. AdrianA. MirianM. BaileyJ. A. Halderman 2015a A Search Engine Backed by Internet-Wide Scanning ‘Proceedings of the 22nd ACM Conference on Computer and Communications Security’

[9] Z. DurumericD. AdrianA. MirianM. BaileyJ. A. Halderman 2015b A Search Engine Backed by Internet-Wide Scanning ‘Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security’, ACM 542 553

[10] A. HahnM. Govindarasu 2011 An evaluation of cybersecurity assessment tools on a SCADA environment ‘Power and Energy Society General Meeting, 2011 IEEE’, IEEE 1 6

[11] E. Hjelmvik 2008 ‘Passive Network Security Analysis with NetworkMiner’, IN) Secure 18 1 100

[12] IEEE Registration Authority 2018 11 03 2018 URL: http://regauth.standards.ieee.org/standardsra-web/pub/view.html

[13] IEEE Standard for Local and Metropolitan Area Networks (2014), IEEE Std 802-2014 (Revision to IEEE Std 802-2001) pp. 1 74

[14] I. KellnerL. Fiege 2009 Viewpoints in Complex Event Processing: Industrial Experience Report ‘Proceedings of the Third ACM International Conference on Distributed Event-Based Systems’, DEBS ’09 ACM 9:1 9:8 URL: http://doi.acm.org/10.1145/1619258.1619271

[15] G. Lyon 2009 ‘Nmap–Free Security Scanner For Network Exploration & Security Audits’

[16] J. C. Matherly 2009 ‘SHODAN the computer search engine’. URL: http://www.shodanhq.com/help

[17] M. NiedermaierJ.-O. MalchowF. FischerD. MarzinD. MerliV. RothA. von Bodisco n.d. You Snooze, You Lose: Measuring PLC Cycle Times under Attacks ‘12th USENIX Workshop on Offensive Technologies (WOOT 18)’

[18] M. Niedermaier, von A. BodiscoD. Merli 2018 CoRT: A Communication Robustness Testbed for Industrial Control System Components ‘4th International Conference on Event-Based Control, Communication, and Signal Processing EBCCSP 2018’

[19] p0f v3 2018 11 03 2018 URL: http://lcamtuf.coredump.cx/p0f3/

[20] PLCScan the Internet 2018 04 01 2018 URL: http://scadastrangelove.blogspot.de/2012/11/plcscan.html

[21] D. C. Plummer 1982 ‘RFC 826: An Ethernet Address Resolution protocol’, InterNet Network Working Group

[22] RiskViz 2018 11 03 2018 URL: https://www.riskviz.de

[23] K. StoufferJ. FalcoK. Scarfone 2011 ‘Guide to Industrial Control Systems (ICS) Security’ NIST special publication 800 82 16 16

[24] A. WedgburyK. Jones 2015 Automated Asset Discovery in Industrial Control Systems: Exploring the Problem ‘Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research’, ICS-CSR ’15 BCS Learning & Development Ltd., pp. 73 83 URL: https://doi.org/10.14236/ewic/ICS2015.8

[25] B. ZhuA. JosephS. Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems ‘Internet of things (iThings/CPSCom), 2011 international conference on and 4th international conference on cyber, physical and social computing’, IEEE 380 388

Celebrating 65 years of The Computer Journal - free-to-read perspectives - bcs.org/tcj65