Enabling OT continuous monitoring
When the developers of Modbus began enabling communications from heterogeneous devices leveraging the RS-485 standard in 1979, it was off to the races for fieldbus communications interoperability. RS-485 defines the electrical characteristics of drivers and receivers used in serial communications systems to connect a wide range of controllers, sensors, instrumentation, PID controllers, motor drives and more. DeviceNet, Profibus, SERCOS, ASi, Foundation Fieldbus and HART followed suit — all of which remain unencrypted.
OPC UA (IEC 62541), a unifying technology that bridges industrial automation and modern computing technologies, serves as the background for the interoperability spawned by vendors and suppliers, industrial and enterprise software and, yes, cloud service technologies. OPC UA standards allow sensors to communicate with many types of controllers and devices to coordinate sensor data within a historian. This functionality allows enterprise layers to correlate process data with business functions without redundant software for translation. But how can all of this connectivity and data be networked and managed?
Hubs, switches and modern networking
Before network switches, hubs were the main way to interconnect Ethernet-based networks. A hub is a very simple device: it physically repeats each packet arriving on one port out of every other port, so every device connected to the hub sees every packet.
While cheap and simple, this technology does not scale well, because even a small network with a handful of clients generates many packets between computers, causing excessive traffic and packet collisions on the hub. For example, if a client behind port 1 was exchanging packets with a client behind port 10, in principle only those two ports should have seen the packets, yet a hub repeats them to every port.
The solution to this predicament was the introduction of Ethernet switches. A switch is more sophisticated than a hub, as its hardware can understand and forward packets on a local network. It can read the Ethernet header (the first 14 bytes: two 6-byte MAC addresses and a 2-byte EtherType stating the protocol of the next layer, e.g. IP), and some upper layers such as ARP, and learn which MAC addresses are connected to each port. With that, it builds a MAC address table (often loosely called an ARP table) and uses it to forward packets only to the right port(s), much like the old switchboard used for telephone communications.
Broadcast packets, sent to all clients on a network, still require forwarding to all ports, but the switch remains a huge improvement compared to the all-speak-to-all situation that is a reality with early hub technology.
Modern network switches have gained capabilities to deal with complex network designs, such as VLANs and QoS, and can even do router-like jobs if defined as ‘Layer 3 switches’, where packets for other subnets are routed rather than only forwarded to a default gateway. Layer 3 switches support Virtual Router Redundancy Protocol (VRRP) and Open Shortest Path First (OSPF). VRRP provides automatic gateway failover: when the master router fails, a backup router is automatically promoted to become the new master. OSPF is often used in large networks such as substations; it calculates the shortest route for data transmission and makes the process more efficient.
All of the functions described above are designed to work at high speeds: originally at speeds of 10 Mbps, then 100 Mbps or 1000 Mbps. Today, certain switches can operate at tens of gigabits. To achieve that, an ASIC (application-specific integrated circuit) is usually employed. This hardware circuit is dedicated solely to the purposes of a switch, and while less flexible (it cannot be reprogrammed or used as a generic processing unit), it can transmit data at wire speed, where full gigabit traffic can be transmitted without packet loss and collision. Another CPU (central processing unit) remains to orchestrate other functions, configuration, set-up, etc.
SPAN ports enter the chat
SPAN (switched port analyser) ports, also known as mirror ports, were originally introduced by Cisco to allow network engineers to troubleshoot network issues around switches. With hub technology, it was quite easy to understand what was going on in a network. All you needed to do was connect to a free port, and all packets flowing in that network were visible for inspection. But with switches, that is no longer possible.
A SPAN port is essentially a configuration of one or more ports so that they receive a copy of the traffic traversing the switch, a specific VLAN or a set of ports. Nowadays, configurations are certainly more complex than in the beginning.
The beauty of SPAN port technology is that this capability is included in the ASIC unit discussed above; therefore, it does not affect network performance by eating into other tasks and services. For example, SPAN configurations will not cause the switch to drop packets on the other ports or introduce latency.
While there are no major performance concerns when setting up SPAN ports, certain limitations can apply. Some older models may fail to mirror some packets to the SPAN port under certain conditions, but the switch’s core forwarding still runs at wire speed without added delay.
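To make the forwarding behaviour described above concrete, here is an added example (not code from the article or from any switch vendor) modelling a hub, a learning switch and a SPAN port in software. The MAC addresses, port numbers and payloads are constructed for the demo; `run_demo` is a hypothetical helper that walks through three frames and returns the egress ports chosen for each.

```python
# Added example: a minimal software model of hub forwarding versus a
# learning Ethernet switch with an optional SPAN (mirror) port.
# All frames, MAC addresses and port numbers below are constructed.
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def hub_forward(ports, in_port):
    """A hub repeats every frame out of every port except the one it arrived on."""
    return {p for p in ports if p != in_port}


class LearningSwitch:
    """Forwards frames by destination MAC, learning source MACs per port.

    Only unknown or broadcast destinations are flooded; everything else goes
    to the single learned port. If a SPAN port is configured it receives a
    copy of every frame and is excluded from normal forwarding.
    """

    def __init__(self, ports, span_port=None):
        self.ports = list(ports)
        self.span_port = span_port
        self.mac_table = {}                  # MAC address -> port (forwarding table)
        self.delivered = defaultdict(list)   # port -> frames delivered (for inspection)

    def receive(self, in_port, src_mac, dst_mac, payload):
        """Process one frame arriving on in_port; return the set of egress ports."""
        # Learning step: the source MAC is reachable via the ingress port.
        self.mac_table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            # Unknown destination: flood to all other ports (but not the SPAN port).
            egress = {p for p in self.ports if p != in_port and p != self.span_port}
        else:
            egress = {self.mac_table[dst_mac]}
        # Mirroring happens in addition to normal forwarding, never instead of it.
        if self.span_port is not None:
            egress.add(self.span_port)
        for p in egress:
            self.delivered[p].append((src_mac, dst_mac, payload))
        return egress


def run_demo():
    """Walk three constructed frames through a 10-port switch with port 10 as SPAN."""
    sw = LearningSwitch(ports=range(1, 11), span_port=10)
    plc, hmi = "00:11:22:33:44:01", "00:11:22:33:44:0a"
    egress = []
    # Frame 1: PLC on port 1 sends to the HMI, whose MAC is not learned yet -> flooded.
    egress.append(sw.receive(1, plc, hmi, "modbus read"))
    # Frame 2: HMI on port 3 replies; port 1 is already known for the PLC.
    egress.append(sw.receive(3, hmi, plc, "modbus reply"))
    # Frame 3: PLC again; now only port 3 (plus the SPAN copy) sees it.
    egress.append(sw.receive(1, plc, hmi, "modbus read"))
    return sw, egress


if __name__ == "__main__":
    switch, chosen = run_demo()
    print("hub would use:", sorted(hub_forward(range(1, 11), 1)))
    for i, ports in enumerate(chosen, 1):
        print(f"frame {i} egress: {sorted(ports)}")
    print("frames seen on SPAN port 10:", len(switch.delivered[10]))
```

The third frame shows why a monitoring sensor on an ordinary port stops seeing traffic once the switch has learned both endpoints, and why the SPAN port, which receives every frame regardless of the forwarding decision, is the place to attach it.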
Enabling monitoring for OT/ICS networks
An early milestone in industrial cybersecurity network monitoring was a third-party certified review of SPAN port technology. The report confirmed that no performance impact is observed when SPAN or mirror ports are used.
In that test, different kinds of switches of different brands and prices were tested to show that it was not essential to upgrade to the latest and greatest brand and model to enable network monitoring capabilities and introduce cybersecurity tools and controls.
Industrial control system (ICS) environments, largely comprising heterogeneous components with custom operating systems and network protocols, historically have had fewer cybersecurity tools designed to interrogate customised protocols and behaviours. This is especially true for areas of cyber-physical systems architecture closest to the field and I/O devices. Customised sensors, installed at a SPAN or TAP port within the customer network, passively monitor raw network data in real time without disrupting business operations, which provides real-time visibility into all network activity and the ability to alert on vulnerabilities, potential attacks in progress and emerging anomalies.
Modern networking, SPAN port evolution and protocol interoperability paved the way for operational technology (OT) and ICS network monitoring and cybersecurity. Today, security solution providers have expanded their capabilities for interrogating the mirrored traffic to include:
- complete database matching of known vulnerabilities and indicators of compromise;
- deep packet inspection to analyse packet traffic, commands and connectivity;
- threat intelligence feeds; and
- machine learning engines to define baseline network traffic and alert on anomalies in communications and process variables.
Such third-party security offerings provide holistic security awareness where vendor-specific options cannot cover the heterogeneous systems across an environment. They enable continuous monitoring of multi-vendor OT systems and help secure otherwise insecure network traffic.
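The deep packet inspection and baseline-anomaly items in the list above can be illustrated with a small Modbus/TCP checker of the kind that would sit behind a SPAN port. This is an added example, not the article's code or any vendor's detection engine: it parses the 7-byte MBAP header and function code, learns which (client, server, unit, function) combinations are normal, then alerts on malformed frames, exception responses, unknown flows and state-changing write functions. The IP addresses, frames and the `build_request`/`run_demo` helpers are constructed for the demo.

```python
# Added example: Modbus/TCP deep packet inspection with a learned baseline.
# Packets and addresses are constructed; nothing here is captured traffic.
import struct
from typing import NamedTuple

# Function codes that change controller state (0x17 reads and writes).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x03: "Read Holding Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x10: "Write Multiple Registers",
}


class ModbusMessage(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int      # function code with the exception bit cleared
    exception: bool    # True when bit 0x80 was set (exception response)
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusMessage:
    """Parse MBAP header (tid, protocol id, length, unit id) plus the PDU."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match payload ({len(payload) - 6})")
    fc = payload[7]
    return ModbusMessage(tid, unit, fc & 0x7F, bool(fc & 0x80), payload[8:])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Constructed-frame helper: wrap a PDU in a well-formed MBAP header."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class ModbusBaseline:
    """Learn normal (client, server, unit, function) tuples, then flag deviations."""

    def __init__(self):
        self.known = set()

    def learn(self, src_ip: str, dst_ip: str, payload: bytes) -> None:
        m = parse_modbus_tcp(payload)
        self.known.add((src_ip, dst_ip, m.unit_id, m.function))

    def inspect(self, src_ip: str, dst_ip: str, payload: bytes) -> list:
        """Return a list of alert strings for one observed frame (empty if normal)."""
        try:
            m = parse_modbus_tcp(payload)
        except ValueError as exc:
            return [f"MALFORMED {src_ip}->{dst_ip}: {exc}"]
        alerts = []
        name = FUNCTION_NAMES.get(m.function, f"fc 0x{m.function:02x}")
        if m.exception:
            alerts.append(f"EXCEPTION {src_ip}->{dst_ip} unit {m.unit_id} for {name}")
        if (src_ip, dst_ip, m.unit_id, m.function) not in self.known:
            alerts.append(f"NEW-FLOW {src_ip}->{dst_ip} unit {m.unit_id} {name} not in baseline")
        if m.function in WRITE_FUNCTIONS:
            alerts.append(f"WRITE {src_ip}->{dst_ip} unit {m.unit_id} {name}")
        return alerts


def run_demo() -> dict:
    """Learn one polling flow, then inspect a normal poll, a rogue write and a bad frame."""
    base = ModbusBaseline()
    hmi, plc, unknown = "10.0.0.5", "10.0.0.20", "10.0.0.99"   # constructed addresses
    base.learn(hmi, plc, build_request(1, 1, 0x03, struct.pack("!HH", 0, 10)))
    results = {}
    results["poll"] = base.inspect(hmi, plc, build_request(2, 1, 0x03, struct.pack("!HH", 0, 10)))
    results["write"] = base.inspect(unknown, plc, build_request(3, 1, 0x06, struct.pack("!HH", 40, 1)))
    bad = struct.pack("!HHHB", 4, 1, 2, 1) + b"\x03"   # protocol id 1 is not Modbus
    results["bad"] = base.inspect(hmi, plc, bad)
    return results


if __name__ == "__main__":
    for label, alerts in run_demo().items():
        print(label, alerts or "normal")
```

The baseline here is deliberately simple (a set of observed tuples); the machine-learning engines the article mentions replace that set with statistical models of traffic and process variables, but the inspection step feeding them is the same header-and-function-code parsing shown above.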