Taking a Closer Look at Level 0 and Level 1 Security
© Matthew Loong
Content
1. Purdue Model
2. Devices in Level 0 & 1
3. Network Anomaly Detection
4. Process Anomaly Detection
5. Evolution to Industry 4.0
1. Purdue Model
Figure: Purdue model of an Industrial Control System (ICS). Source: ICS-CERT
1. Purdue Model – Level 2 to Level 5
Devices:
• Servers
• Workstations
• Switches
• Routers
• Firewalls
Protocol:
• Ethernet-based
• LAN
• IP addressing
These levels connect down to Level 1. Traditional IT cybersecurity solutions apply here.
1. Purdue Model – Level 0 and 1
Devices (connected from Level 2):
• Level 1
  – Controllers e.g. PLC
• Level 0 - electromechanical
  – Field devices e.g. actuators
  – Sensors
Protocols:
• Fieldbus e.g. Modbus, DNP3, IEC
• Current or voltage signals:
  – Analog (4 to 20 mA)
  – Digital (+/- 24 VDC)
• HART
• Wireless e.g. w-HART, RF, ZigBee
Level 1 is like the brain, while Level 0 is like the hands and nerves.
2. Level 0 Device - Actuator
Figure: actuator internals, labelled power supply loop, signal loop, PCB card and LCD display. Source: Rotork
Physical security is important.
2. Level 0 Device - Sensor
Simultaneous transmission of analog data, such as pressure or temperature, as well as digital data, such as sensor status. Source: HART
Physical security is important.
2. Level 1 Device – PLC
Figure: PLC cabinet components: main circuit breakers (MCB), power supply unit (PSU), surge protection devices (SPD), central processing unit (CPU), digital or analog input/output (I/O) modules, terminal blocks, ground bus.
Physical security is important. Packets sent to the PLC should be checked.
3. Network Anomaly Detection - SIEM
Asset monitoring e.g. Claroty, Nozomi SCADAguardian: able to detect devices with IT and ICS protocols. Source: Claroty
3. Network Anomaly Detection – AI
E.g. deep inspection of Modbus traffic (request from master, response from slave).
Behavioural baselines in:
• Response interval
• Slave ID
• Function code
• Data addressing
• Payload
• Checksum
• Byte size
Development in machine learning for advanced threat prevention.
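Deep inspection of a Modbus RTU request against a behavioural baseline, as an added example that is not part of the original deck or of any vendor product: it verifies the checksum (the CRC-16 Modbus actually uses) and compares slave ID, function code, data addressing and byte size with a baseline whose values are constructed for illustration. Response interval is not covered because it needs timestamps from a capture.

```python
import struct

# Constructed baseline of what the master is expected to do on this segment
# (illustrative values, as learned during commissioning; not from the slides):
# slave IDs it may address, function codes it uses, the holding-register
# window it touches, and the fixed RTU request length per function code.
BASELINE = {
    "units": {1, 2},
    "functions": {3, 6},           # Read Holding Registers, Write Single Register
    "registers": range(0, 100),    # addresses 0..99
    "request_len": {3: 8, 6: 8},   # request sizes in bytes, CRC included
}

def crc16_modbus(data: bytes) -> int:
    """Modbus RTU CRC-16 (init 0xFFFF, reflected polynomial 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_frame(unit: int, func: int, data: bytes) -> bytes:
    """Assemble a Modbus RTU frame; the CRC goes on the wire low byte first."""
    body = bytes([unit, func]) + data
    return body + struct.pack("<H", crc16_modbus(body))

def inspect(frame: bytes, baseline: dict = BASELINE) -> list:
    """Deep-inspect one master request against the baseline.
    Returns the list of anomaly reasons; an empty list means it looks normal."""
    reasons = []
    if len(frame) < 4:
        return ["frame too short"]
    body, rx_crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != rx_crc:
        reasons.append("bad checksum")
    unit, func = body[0], body[1]
    if unit not in baseline["units"]:
        reasons.append(f"unknown slave id {unit}")
    if func not in baseline["functions"]:
        reasons.append(f"unexpected function code {func}")
    elif len(frame) != baseline["request_len"][func]:
        reasons.append(f"unexpected byte size {len(frame)}")
    else:
        addr = struct.unpack(">H", body[2:4])[0]   # starting register address
        if addr not in baseline["registers"]:
            reasons.append(f"register {addr} outside baseline")
    return reasons
```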
4. Process Anomaly Detection
Figure: ladder logic performing input checking in the PLC.
4. Process Anomaly Detection - Out-of-Band
Keeping the process variable within limits.

4. Process Anomaly Detection - Rate-of-Change
Keeping process variable increases and decreases gradual.
4. Process Anomaly Filtering - Timer-on-Delay
Figure: before/after plots of current (2 mA scale) against time (5 s scale). Red line – sensor feedback signal (from device); blue line – actuator output signal (to device). Before: a current dip energizes the output signal. After: the same current dip has no effect.
Preventing abnormal spikes or dips from affecting the process.
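The three process checks from the input-checking, out-of-band, rate-of-change and timer-on-delay slides, combined on one 4-20 mA loop as an added example (not the author's ladder logic): the limits, rate threshold, delay and sample stream are constructed for illustration, and the TON block shows why a one-scan current dip no longer energizes the output while a sustained ramp still raises the alarm.

```python
# Constructed 4-20 mA sensor samples, one per 1 s PLC scan (not real plant data):
# a single-scan current dip at scan 3, then a genuine ramp that takes the loop
# over range.
SAMPLES_MA = [12.0, 12.1, 12.0, 3.5, 12.1, 12.2, 12.1,
              13.9, 15.8, 17.9, 19.6, 21.5, 21.6]

LO_MA, HI_MA = 4.0, 20.0      # out-of-band limits of a healthy 4-20 mA loop
MAX_ROC_MA_PER_S = 1.0        # rate-of-change limit (assumed for this example)
TON_DELAY_S = 3.0             # timer-on-delay: condition must persist this long

def out_of_band(x_ma: float) -> bool:
    return x_ma < LO_MA or x_ma > HI_MA

def rate_of_change_exceeded(prev_ma: float, cur_ma: float, dt_s: float = 1.0) -> bool:
    return abs(cur_ma - prev_ma) / dt_s > MAX_ROC_MA_PER_S

class TimerOnDelay:
    """TON block: accumulates time while the input is true and asserts its
    output only after the preset delay; any false scan resets it, so a
    momentary spike or dip never reaches the output."""
    def __init__(self, delay_s: float):
        self.delay_s, self.elapsed_s = delay_s, 0.0

    def update(self, condition: bool, dt_s: float = 1.0) -> bool:
        self.elapsed_s = self.elapsed_s + dt_s if condition else 0.0
        return self.elapsed_s >= self.delay_s

def evaluate(samples_ma, dt_s: float = 1.0) -> list:
    """Run all three checks per scan; 'alarm' is the TON-filtered result."""
    ton = TimerOnDelay(TON_DELAY_S)
    events, prev = [], samples_ma[0]
    for scan, x in enumerate(samples_ma):
        oob = out_of_band(x)
        roc = scan > 0 and rate_of_change_exceeded(prev, x, dt_s)
        alarm = ton.update(oob or roc, dt_s)
        events.append({"scan": scan, "mA": x, "oob": oob, "roc": roc, "alarm": alarm})
        prev = x
    return events

def first_alarm_scan(samples_ma, dt_s: float = 1.0):
    """Scan index at which the filtered alarm first asserts, or None."""
    return next((e["scan"] for e in evaluate(samples_ma, dt_s) if e["alarm"]), None)

if __name__ == "__main__":
    for event in evaluate(SAMPLES_MA):
        print(event)
```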
5. Evolution to Industry 4.0
More Level 0 devices connected to the cloud; Ethernet-based communication to the field. Source: Analog.com
Conclusion
• Need for a mindset shift – availability is the priority in ICS
• Aim of a cyberattack on ICS is to cause:
  – Max damage – catastrophic failure
  – Max downtime – component with the longest lead time
• Security by design and graceful degradation:
  – Correlate malicious cyber activities with physical impact
  – Network anomaly detection vs process anomaly detection
  – Keep process parameters within band
• Hence physical security and verification are important
Annex A - Comparison of Various ICS

Programmable Logic Controller (PLC):
• Localized
• Closed loop communication
• Limited I/Os (<300)
• Single controller
• Discrete applications
• E.g. Allen Bradley, Siemens, Mitsubishi, Omron

Distributed Control System (DCS):
• Localized
• Closed loop communication
• Numerous I/Os (>2000)
• Multiple controllers
• Integrated applications
• E.g. Emerson Delta V, Yokogawa Centum

Supervisory Control And Data Acquisition (SCADA):
• Geographically dispersed
• Long distance communication e.g. via RTU and leased lines
• Limited I/Os (<300)
• Does not necessarily have controllers
• Integrated applications
• E.g. Invensys Wonderware, WinCC, Factorytalk
Annex – Serial vs Ethernet

Serial Fieldbus:
• Transmitted in series, bit by bit
• Via RS-232/422/485 cables, with D-sub connectors e.g. DB-9
• Deterministic
• Not as fast as Ethernet
• No encryption or authentication – clear text data, subject to spoofing & replay
• Limited scope for diversification

Industrial Ethernet:
• Transmitted in packets, not at fixed intervals
• Via Ethernet cables e.g. Cat 5e, with RJ45 connector
• Packet switching with latency & collision
• Faster than serial
• TLS implemented over TCP layer
• Network flexibility – Ethernet cable can be used for various data e.g. video, voice
