Industrial Protocol Actions Whitelisting

  • November 15, 2010
  • News
By Randy Reeves, Secure Crossing

Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) normally rely on signature comparisons, such as the wildly popular Snort (maintained by Sourcefire). Currently, most vendors use this in some variation, modified or tuned for their specific product offering. Digital Bond took it one step further with the "Quick Draw" project, originally funded by a Department of Homeland Security (DHS) grant, to provide "preprocessors" for industrial protocols as an enhancement to Snort. This approach of comparing a known signature to multiple packets that have been parsed and reassembled for comparison is a major problem. Some of the objects within CIP (Common Industrial Protocol), for example, contain multiple embedded objects and thus cannot be properly handled by a signature comparison, even with the use of protocol-specific preprocessors. This method is very inaccurate and easily evaded, leading to considerable false positives and false negatives, which is completely unsuitable in the Industrial Automation and Critical Infrastructure arena.

Secure Crossing Research & Development developed a new, advanced way to protect Industrial Control Systems with an emphasis on protecting Critical Infrastructure. Our product filters industrial protocols including CIP (Common Industrial Protocol) delivered over Rockwell Automation's EtherNet/IP. Other filtered industrial protocols are DNP3 (Distributed Network Protocol), primarily used in the SCADA industries; Modbus (a serial communication standard developed by Modicon and updated to work over TCP/IP and UDP/IP), used in many control systems; and OPC (OLE for Process Control), with its two standards, OPC Classic and OPC UA (Unified Architecture). Now we have added PROFINET, the industrial automation standard maintained by PROFIBUS & PROFINET International (PI).

A stateful firewall is able to hold significant attributes of each connection in memory, from start to finish. These attributes, collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection. The most CPU-intensive checking is performed at the time the connection is set up. All packets after that (for that session) are processed rapidly, because it is simple and fast to determine whether a packet belongs to an existing, pre-screened session. Once the session has ended, its entry in the state table is discarded.

Deep Packet Inspection (DPI) combines the functionality of an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) with a traditional stateful firewall. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot on their own catch events that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability to block such an attack. DPI is used to prevent attacks from viruses and worms at wire speed. More specifically, DPI can be effective against buffer overflow attacks, Denial of Service (DoS) attacks, sophisticated intrusions, and a small percentage of worms that fit within a single packet. Today, this is an inadequate means of controlling security on complex industrial networks.

The scan engine in Secure Crossing's Zenwall line of products, known as the ZenD, was built from the ground up with one purpose in mind: to filter industrial protocols. Secure Crossing's products are built on top of the FreeBSD operating system, which is much more secure than Linux or Windows. Additionally, FreeBSD handles the parsing of data packets with a different and more efficient method, far more suitable for fast industrial protocol filtering.

The protocol filters (one for each industrial protocol) parse, assemble and inspect the respective protocols based on the standards to which each protocol conforms. At this level of inspection, the ZenD is able to set filters precisely to allow specific traffic into the control system environment. By controlling functions such as Reads, Writes, Stops and Resets sent to the PLCs, RTUs, etc., threats to the Industrial Control environment can be eliminated.

From the standpoint of configuration, the ZenD can analyze the complete data stream and pull out only the protocol you select. Once the observed actions are confirmed as legitimate, the ZenD will automatically write the filters for you based on this input. This greatly accelerates implementation of new filters and saves time for the customer.

Secure Crossing's methodology is the whitelisting approach: allow known-good, protocol-specific actions and disallow everything else. By disallowing all traffic and allowing only the selected protocols and specific actions within those protocols, Zenwall provides the level of filtering needed for a customer to solve SCADA, remote location or zone-level security. Where other products attempt to detect the bad, ZenD can specifically allow the known good and block everything else. This is a win in any security context, as the number of bad possibilities almost always vastly outweighs the legitimate known-good traffic. Along with source/destination authentication, advanced reporting, remote connectivity and audit tools, you have a winning solution for securing your critical infrastructure.
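As an added illustration of the two ideas above, protocol-action whitelisting with default deny, and generating the filter from traffic already confirmed legitimate, here is a small Modbus/TCP action whitelist in Python. This is example code written for this edit, not Secure Crossing's ZenD code or its filter format. The MBAP header layout and function codes are those of the public Modbus specification; the host addresses, the unit id, the rule shape `(source address, unit id, function code)` and the sample frames are constructed for the example. A frame that fails the specification's own consistency checks (non-zero protocol id, length field not matching the bytes present) is treated as malformed and falls through to the default deny, which is the failure mode a signature-only approach handles poorly.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Public Modbus function codes from the Modbus Application Protocol spec
# (only those used by this example are listed).
FUNCTION_NAMES = {
    1: "Read Coils",
    3: "Read Holding Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

MBAP_HEADER_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP ADU; return None if the frame is malformed."""
    if len(frame) < MBAP_HEADER_LEN + 1:  # header plus at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if proto != 0:  # the protocol identifier is always 0 for Modbus
        return None
    # "length" counts the unit id, the function code and the data that follow it.
    if length != len(frame) - 6:
        return None
    return ModbusRequest(tid, unit, frame[MBAP_HEADER_LEN], frame[MBAP_HEADER_LEN + 1:])


# Hypothetical rule shape for this example: (source address, unit id, function code).
Rule = Tuple[str, int, int]


class ActionWhitelist:
    """Default-deny filter over Modbus/TCP actions."""

    def __init__(self, rules: Iterable[Rule] = ()) -> None:
        self.rules: Set[Rule] = set(rules)

    def learn(self, src: str, frame: bytes) -> None:
        """Learning mode: record an action seen in traffic already confirmed legitimate."""
        req = parse_modbus_tcp(frame)
        if req is not None:
            self.rules.add((src, req.unit_id, req.function))

    def decide(self, src: str, frame: bytes) -> Tuple[str, str]:
        """Enforcement: ALLOW only whitelisted actions; everything else is DENY."""
        req = parse_modbus_tcp(frame)
        if req is None:
            return ("DENY", f"malformed Modbus/TCP frame from {src}")
        name = FUNCTION_NAMES.get(req.function, f"function 0x{req.function:02x}")
        action = f"{name} from {src} to unit {req.unit_id}"
        if (src, req.unit_id, req.function) in self.rules:
            return ("ALLOW", action)
        return ("DENY", f"{action} is not whitelisted")


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a Modbus/TCP ADU; used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: an HMI at 10.0.0.5 polling PLC unit 1.
HMI = "10.0.0.5"
LEGITIMATE_TRAFFIC = [
    build_frame(1, 1, 3, struct.pack(">HH", 0, 10)),  # read 10 holding registers
    build_frame(2, 1, 1, struct.pack(">HH", 0, 16)),  # read 16 coils
]


def run_demo() -> List[Tuple[str, str]]:
    """Learn from the confirmed-good traffic, then enforce against new frames."""
    wl = ActionWhitelist()
    for frame in LEGITIMATE_TRAFFIC:
        wl.learn(HMI, frame)
    candidates = [
        (HMI, build_frame(3, 1, 3, struct.pack(">HH", 0, 10))),       # same read: ALLOW
        (HMI, build_frame(4, 1, 6, struct.pack(">HH", 40, 0))),       # write register: DENY
        ("10.0.0.9", build_frame(5, 1, 3, struct.pack(">HH", 0, 10))),  # unknown source: DENY
        (HMI, LEGITIMATE_TRAFFIC[0][:9]),                             # truncated frame: DENY
    ]
    return [wl.decide(src, frame) for src, frame in candidates]


if __name__ == "__main__":
    for verdict, detail in run_demo():
        print(verdict, detail)
```

Running the block prints one verdict per candidate frame: the repeated read is allowed, while the write, the read from an unlearned source and the truncated frame are all denied. Nothing in the filter describes what "bad" traffic looks like; the whitelist only enumerates the observed good actions, which is why a new source or a new function code is rejected without any signature for it.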
