How isolated are control system networks?
There is a prevailing view by many that corporate firewalls and DMZ's provide adequate screening and protection to minimize "hits" on control system networks. Consequently, there is an expectation that control system firewalls (if they even exist) will see very little traffic.
I was recently provided a screen snapshot of the SNORT (intrusion detection system) logs from the firewall protecting a control system network. The control system network included generation, distribution, and transmission. In this case, there were more than 18,000 hits over a 30 hour time period. I then contacted a small utility. This particular utility had a network monitoring their substations. Depending on the time cycle, the utility would see on the order of 2500 hits over a 48 hour period when the technicians would be doing maintenance at the substations with laptop connectivity.
There are several caveats to the data:
- Much of the data is internally generated. However, internally generated data can provide an ideal "cloak" for malicious packets. Additionally, internally generated data if it includes scans can create unintentional broadcast storms affecting field equipment such as PLCs.
- The data is a function of the configuration, training, and SNORT profiles used.
- The data has not been analyzed.
The intention is to analyze the data and present the results at the Applied Control Solutions Control System Cyber Security Conference in the Chicago area the week of August 4th. As with firewalls, SNORT configuration rule sets are critical to obtaining appropriate and meaningful data. Consequently, a hands-on "SNORT for control systems" class is planned. Further information on the Conference will be coming soon - check the www.realtimeacs.com website for details.
Joe Weiss
Leaders relevant to this article: