Journal Review
Journal of Chemical Engineering of Japan, Vol. 48, No. 8, pp. 619–625, 2015
Industrial Control System Monitoring Based on Communication Profile

Masafumi Matta, Masato Koike, Wataru Machii, Tomomi Aoyama, Hidemasa Naruoka, Ichiro Koshijima and Yoshihiro Hashimoto
Nagoya Institute of Technology, Gokiso-cho, Showa-ku, Nagoya-shi, Aichi 466-8555, Japan

Keywords: Industrial Control System, Cyber Security, Network Monitoring, Communication Profile

Industrial control systems (ICS) have hidden vulnerabilities that usually cannot be solved by IT security tools, because of their 24 h, 365 d non-stop operation without updates or patches. There are, however, very few reports of cyber-attacks, so owners of critical infrastructures pay little attention to the protection of their ICS. This misreading of the current situation is caused by a lack of capability to detect a cyber-intrusion. When applying an Intrusion Detection System (IDS), it is difficult to make a complete white list of communication packets, and it is also difficult to perform anomaly detection by checking the payload of every packet one by one. This paper defines characteristics of communication in the ICS network and proposes a methodology to visualize ICS network behavior. An illustrative example of a pseudo cyber-attack is also prepared to aid understanding of the proposed method.
Introduction
Current industrial control systems (ICS) are designed with Commercial Off-The-Shelf (COTS) hardware, operating systems (OS), applications and open protocols to emphasize cost-performance. Through this approach, an ICS exposes itself to the same IT vulnerabilities that trigger cyber-attacks from external systems, and an operating ICS has difficulty applying the security patches and updates that may affect the stability of the plant. To address this problem without making any additional changes to the ICS, an Intrusion Detection System (IDS) is applied to monitor network traffic, detect suspicious activities and alert the system or network administrator (Bradley, 2014). There are two detection methods: the Signature-based IDS and the Anomaly-based IDS. The Signature-based IDS monitors packets on the network and compares them with a signature or attribute database created from known malicious threats. However, this approach may overlook an unknown cyber-attack that is not in the database. The Anomaly-based IDS monitors packets on the network and compares them with an established baseline. Because a sophisticated attack from a manipulated control unit uses normal packets, this approach may also overlook a cyber-attack. It is, therefore, necessary to focus on the ICS network so as not to overlook abnormal communication, based on ICS-specific network architectures. This paper proposes a methodology for detecting an anomaly of the ICS "Communication Profile" without inspecting each payload inside the network packets. The Communication Profile is a characteristic of partial data included in packets between target hosts A and B. To make this communication profile, the following two problems, related to hardware and software respectively, must be solved.
Hardware problem: A packet monitoring device should be invisible to the connected network, in order to capture target packet data without showing its presence to the network.
Software problem: A packet monitoring device should have the capability to assure normal operation and to recognize normal communication patterns among ICS devices. When packet traffic that is out of pattern is captured by the device, it should be treated as abnormal communication and alarmed to the plant operators.
In this approach, cyber incidents inside the ICS network can be handled in the same way as sensor malfunctions and poorly tuned controllers, which are familiar troubles for plant operators. A practical example of capturing packets in an ICS is also demonstrated under steady-state operation and a penetration test to evaluate the proposed method.

Received on October 20, 2014; accepted on May 1, 2015
DOI: 10.1252/jcej.14we323
Presented at the 5th World Conference on the Safety of Oil and Gas Industry (WCOGI 2014) at Okayama, June 2014
Correspondence concerning this article should be addressed to M. Matta (E-mail address: [email protected]).
Copyright 2015 The Society of Chemical Engineers, Japan
1. Methodology
1.1 Hardware development
Network taps are indispensable for capturing packets on the target network without disturbing network communication (Matta, 2013). A simple network tap is wired as shown in Figures 1 and 2. LAN cables of the target equipment are connected to the "HOST" ports. While HOST A communicates with HOST B, TAP A is connected to a packet capture device (called a "probe" hereafter) that captures packets transmitted from HOST A to HOST B. TAP B is connected to another probe to capture packets transmitted from HOST B to HOST A.

Fig. 1 Sample network tap
Fig. 2 Wiring diagram of network tap

1.2 Software development
Wireshark is well-known packet capture software available today (Cappell, 2013). It has many functions, including live capturing, dumping and filtering, and it works on Windows and UNIX operating systems. In this research, however, a small packet capture program was developed for our ARM-based single-board PC, because of its limited CPU power and memory. This program simply dumps captured packets to a file in promiscuous mode (Komata, 2011).

1.3 Characteristics of ICS communication
In a typical ICS network, there are IP communications between an OLE for Process Control (OPC) Server and Single-Loop Controllers (SLC). The types of IP communication protocols installed in our test bed are summarized in Table 1.

Table 1 Typical packets in the test bed
From   To     Protocol type
OPC    SLC    Query to read register value (Modbus/TCP)
SLC    OPC    Response register value (Modbus/TCP)
SLC    OPC    asa-appl-proto (TCP)
              Request tag value (DCE/RPC)
              Response tag value (DCE/RPC)
              ACK response (TCP)

In order to verify the above-mentioned characteristics of ICS communication, which transfers Modbus/TCP packets (Modicon, 1996) at certain time intervals, packet information is analyzed with Latent Semantic Analysis (LSA) in this paper. For this analysis, a correlation matrix is created from the transmitted packets and their information. It should be noted that the rows of the matrix comprise 43 items of packet information, and its columns consist of 200 packets. A part of the correlation matrix is shown in Figure 3. Executing LSA on the created correlation matrix gives the following two results. The first one is similarity among transmitted packets in ICS communication. Observing the elements of the correlation matrix, it can be seen that most of the correlation coefficients have high values, and this result can be regarded as showing that only limited kinds of packets are transferred through ICS communication. The second one is periodic transmission of packets. In the correlation matrix, elements with correlation value 1 appear at specific intervals, and this result indicates that specific packets are transmitted periodically, at a certain time interval, through ICS communication. Based on these results of the analysis, the following two characteristics of ICS communication are verified, and they correspond to the above-mentioned characteristics.
1) Low probability of transmitting event-driven packets through communication
2) Specific time interval for transmitting a limited kind of packet through communication
Hence, by observing the time interval of specific packet transmissions, it becomes possible to detect anomalous communication in the ICS network.

Fig. 3 Correlation matrix

1.4 "Communication profile" based on packet intervals
In order to monitor packet time intervals, they are expressed as a two-dimensional vector. Consecutive packets are denoted P1, P2, P3, ..., Pn, and their arrival intervals ΔT1, ΔT2, ΔT3, ..., ΔTn. ΔT1 and ΔT2 are plotted as the coordinates of a point in the two-dimensional x–y plane. In the same way, ΔT2n−1 and ΔT2n are also plotted in the same two dimensions, as follows.
\[ (x, y) = (\Delta T_{2n-1}, \Delta T_{2n}) \]  (1)
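As an added illustration of the correlation analysis of Section 1.3 (this is example code written for this page, not the paper's own analysis), the following Python reduces each captured packet to a numeric feature vector, builds the packet-by-packet Pearson correlation matrix, and reports the lags at which correlation-1 entries recur along the diagonal. The five-field feature encoding, the host ids and the constructed query/response/ACK trace are assumptions for the example; the paper's matrix uses 43 header fields over 200 packets.

```python
"""Correlation matrix over packet feature vectors (added example, not from the paper).

Each packet becomes a numeric feature vector; the Pearson correlation between
every pair of packets forms the correlation matrix. Identical packets correlate
with coefficient 1, so a scheduled poll/response cycle shows up as 1-entries at
a fixed lag from the diagonal, which is the periodicity observed in Section 1.3.
"""
import math

# Constructed feature vectors (assumptions for this example):
# (src host id, dst host id, TCP port, frame length, Modbus function code);
# host id 1 = OPC server, 2 = SLC.
QUERY = (1, 2, 502, 66, 3)      # OPC -> SLC: read holding registers
RESPONSE = (2, 1, 502, 75, 3)   # SLC -> OPC: register values
ACK = (1, 2, 502, 54, 0)        # OPC -> SLC: bare TCP ACK


def pearson(u, v):
    """Pearson correlation coefficient between two equal-length feature vectors."""
    n = len(u)
    mu, mv = sum(u) / n, sum(v) / n
    cov = sum((a - mu) * (b - mv) for a, b in zip(u, v))
    su = math.sqrt(sum((a - mu) ** 2 for a in u))
    sv = math.sqrt(sum((b - mv) ** 2 for b in v))
    return cov / (su * sv)


def correlation_matrix(packets):
    """Square matrix r[i][j] = correlation between packet i and packet j."""
    return [[pearson(p, q) for q in packets] for p in packets]


def unit_lags(corr, tol=1e-9):
    """Lags d at which every pair (i, i+d) has correlation 1, i.e. exact periodic repeats."""
    n = len(corr)
    return [d for d in range(1, n)
            if all(abs(corr[i][i + d] - 1.0) <= tol for i in range(n - d))]


def fraction_high(corr, level=0.9):
    """Share of off-diagonal coefficients at or above `level` (how alike the packets are)."""
    n = len(corr)
    off = [corr[i][j] for i in range(n) for j in range(n) if i != j]
    return sum(1 for r in off if r >= level) / len(off)


# Constructed trace: a scheduled query / response / ACK cycle repeated four times.
TRACE = [QUERY, RESPONSE, ACK] * 4


def analyze(packets=TRACE):
    """Periodic lags and similarity share for a packet trace."""
    corr = correlation_matrix(packets)
    return {"lags": unit_lags(corr), "fraction_high": fraction_high(corr)}


if __name__ == "__main__":
    print(analyze())
```

The cycle length of the constructed trace is 3, so `unit_lags` reports 3, 6 and 9. Note that a raw Pearson coefficient over header values is dominated by the large-valued field (here the port number), which is why almost every off-diagonal entry is high; standardize the fields per column before reading the "high coefficient" result as packet similarity.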
A communication pattern formed by x and y is plotted as a scatter diagram (called a packet pattern diagram, "PPD", hereafter) as shown in Figure 4. One point on the PPD is created from the two arrival intervals of adjacent packets, so the characteristics of the points are determined by the combination of three consecutive packet arrivals. Communication traffic in regular ICS communication creates the sample PPD.

Fig. 4 Packet pattern diagram

In order to quantify the regularity of the packet communication pattern based on the created "Communication profile," the average vector and the covariance matrix are calculated from a sample PPD, which is created from regular ICS communication. The vectors are denoted X = (x_1, x_2, ..., x_m). The average vector of X is defined as μ and the covariance matrix of X as Σ; these values are calculated as follows.

\[ \mu = \frac{1}{m} \sum_{i=1}^{m} x_i \]  (2)

\[ \Sigma = \frac{1}{m} \sum_{i=1}^{m} (x_i - \mu)(x_i - \mu)^T \]  (3)

sample PPD and the other one from the observed PPD. Further, this algorithm identifies whether the distance between the two average vectors exceeds a value derived from the covariance matrix of the sample PPD. The average vector from the sample PPD is defined as μ, and the average vector from the observed PPD is defined as μi. The distance D(x) between these vectors is calculated as follows.

\[ D(x) = (\mu_i - \mu)^T \Sigma^{-1} (\mu_i - \mu) \]  (4)

The second algorithm focuses on detecting variation of the covariance matrix, which would be caused by anomalous packet transmission. This algorithm compares two covariance matrices, the one from the sample PPD and the other from the observed PPD, and identifies a covariance matrix that exceeds the threshold value. A functional demonstration was executed to verify the effectiveness of these approaches.
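The pipeline of Sections 1.4 and 1.5, from capture timestamps to PPD points, the sample mean vector μ and covariance Σ, the distance D between μ and an observed mean μi, and the covariance comparison of the second algorithm, as an added worked example (example code written for this page, not the paper's implementation). The two traces, the alarm thresholds and the element-wise covariance comparison are assumptions: the paper does not give its threshold values or state how the two covariance matrices are compared.

```python
"""Communication-profile check on packet arrival intervals (added example, not the paper's code).

timestamps -> arrival intervals ΔT -> PPD points (ΔT_{2n-1}, ΔT_{2n})
-> mean vector μ and covariance Σ of the sample PPD
-> D = (μ_i − μ)^T Σ^{-1} (μ_i − μ) against the observed PPD's mean μ_i
-> element-wise deviation of the observed covariance from the sample one.
"""


def arrival_intervals(arrivals):
    """ΔT_k = t_{k+1} − t_k for consecutive packet timestamps (seconds)."""
    return [t1 - t0 for t0, t1 in zip(arrivals, arrivals[1:])]


def ppd_points(arrivals):
    """One PPD point per pair of consecutive intervals: (x, y) = (ΔT_{2n−1}, ΔT_{2n})."""
    dts = arrival_intervals(arrivals)
    return [(dts[i], dts[i + 1]) for i in range(0, len(dts) - 1, 2)]


def mean_vector(points):
    """μ = (1/m) Σ x_i."""
    m = len(points)
    return (sum(p[0] for p in points) / m, sum(p[1] for p in points) / m)


def covariance_matrix(points, mu):
    """Σ = (1/m) Σ (x_i − μ)(x_i − μ)^T, returned as a 2×2 nested list."""
    m = len(points)
    sxx = sum((p[0] - mu[0]) ** 2 for p in points) / m
    syy = sum((p[1] - mu[1]) ** 2 for p in points) / m
    sxy = sum((p[0] - mu[0]) * (p[1] - mu[1]) for p in points) / m
    return [[sxx, sxy], [sxy, syy]]


def inverse_2x2(s):
    """Inverse of a 2×2 matrix; a singular Σ means the sample PPD has too little spread."""
    det = s[0][0] * s[1][1] - s[0][1] * s[1][0]
    if abs(det) < 1e-18:
        raise ValueError("singular covariance: sample PPD needs at least three non-collinear points")
    return [[s[1][1] / det, -s[0][1] / det], [-s[1][0] / det, s[0][0] / det]]


def mean_distance(mu_sample, cov_sample, mu_observed):
    """D = (μ_i − μ)^T Σ^{-1} (μ_i − μ), with Σ taken from the sample PPD."""
    d = (mu_observed[0] - mu_sample[0], mu_observed[1] - mu_sample[1])
    inv = inverse_2x2(cov_sample)
    return (d[0] * (inv[0][0] * d[0] + inv[0][1] * d[1])
            + d[1] * (inv[1][0] * d[0] + inv[1][1] * d[1]))


def covariance_deviation(cov_sample, cov_observed):
    """Largest element-wise |Σ_sample − Σ_observed| (assumed measure for the second algorithm)."""
    return max(abs(a - b) for ra, rb in zip(cov_sample, cov_observed) for a, b in zip(ra, rb))


def timestamps(intervals, t0=0.0):
    """Constructed capture timestamps from a list of intervals."""
    ts = [t0]
    for dt in intervals:
        ts.append(ts[-1] + dt)
    return ts


# Constructed traces (assumptions for this example, not measurements from the test bed).
# Regular polling: a six-interval cycle around the 0.1–0.2 s Modbus/TCP rhythm, repeated.
SAMPLE_INTERVALS = [0.10, 0.20, 0.12, 0.18, 0.10, 0.18] * 4
# Observed anomaly: packets arriving every 50 ms, e.g. an unexpected talker on the segment.
FLOOD_INTERVALS = [0.05] * 24


def profile_check(sample_arrivals, observed_arrivals, d_threshold=10.0, cov_threshold=1e-5):
    """Both statistics plus an alarm flag; the two thresholds are assumptions."""
    sample, observed = ppd_points(sample_arrivals), ppd_points(observed_arrivals)
    mu, mu_i = mean_vector(sample), mean_vector(observed)
    cov, cov_i = covariance_matrix(sample, mu), covariance_matrix(observed, mu_i)
    dist = mean_distance(mu, cov, mu_i)
    dev = covariance_deviation(cov, cov_i)
    return {"mean_distance": dist, "cov_deviation": dev,
            "alarm": dist > d_threshold or dev > cov_threshold}


if __name__ == "__main__":
    base = timestamps(SAMPLE_INTERVALS)
    print("regular:", profile_check(base, timestamps(SAMPLE_INTERVALS, t0=100.0)))
    print("flood:  ", profile_check(base, timestamps(FLOOD_INTERVALS, t0=100.0)))
```

A second capture of the same polling cycle gives D ≈ 0 and no alarm, while the 50 ms trace shifts the observed mean far from μ (D = 444.5 for these constructed values) and collapses the observed covariance, so both algorithms fire. Because D is scaled by Σ^{-1}, the sample PPD must contain enough spread to be invertible; a perfectly regular cycle with no jitter yields a singular Σ, which `inverse_2x2` reports instead of silently dividing by zero.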
1.6 Visualization of "Communication profile"
In our test bed, OPC1 and OPC2 transfer 8 and 9 packets/s, respectively, based on a scheduled query to read the SLC's registers. The arrival intervals of this Modbus/TCP communication average around 0.1–0.2 s. In the case of packets transferred from the SLCs to the OPC Server, an asa-appl-proto packet often interrupts the Modbus/TCP communication, and it plots a point at less than 0.1 s in the PPD. Therefore, four quadrants are defined as follows.
1st quadrant: 0.1 ≤ x and 0.1 ≤ y
2nd quadrant: 0 ≤ x