What Is Deep Packet Inspection, and Why Is It Needed for Industrial Cybersecurity?

Communication within an industrial network is what brings the entire system to life. An industrial power plant, manufacturing facility, or processing plant contains a vast number of interconnected devices working together; but the diversity of vendors and lack of standardization results in a myriad of industrial control system (ICS) protocols being transmitted and received between different vendor equipment, as well as between the same vendor’s equipment.

Akin to listening to a cacophony of foreign languages, while simultaneously searching for hidden messages being sent between spies, distinguishing normal communications from abnormal communications is a daunting task. Because control signals to devices are sent via these ICS protocols, effective industrial cybersecurity technology must be able to understand and interpret the meaning and impact of all the different protocols to prevent blind spots in an industrial cybersecurity approach.

To gain an understanding of ICS protocols and the inherently valuable data within them, deep packet inspection (DPI) is a necessary component of a comprehensive industrial cybersecurity technology. DPI enables in-depth insight into the device communications occurring on a network and allows analysts to dig through the layers of data in a specific packet to get a view of the underlying application information, allowing analysts to determine if a device is communicating in a way it shouldn't. Solutions without this level of visibility will have an incomplete view of how devices are communicating with each other, resulting in suspicious or malicious activity being overlooked. DPI provides a deeper layer of device communications, so threats can be identified more quickly and more comprehensively.
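As an added illustration, not code from the article or from any vendor platform, the following Python decoder walks a constructed Ethernet/IPv4/TCP frame down to the application layer and applies a simple behavioural check. Modbus/TCP is used here as an assumed example ICS protocol; the host addresses, the write allow-list and the frame builder are all constructed for the example.

```python
import struct

MODBUS_WRITE_FUNCS = {5, 6, 15, 16}   # Modbus coil/register write function codes
ALLOWED_WRITERS = {"10.0.0.10"}      # constructed: hosts expected to issue writes

def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP -> Modbus/TCP and return application fields."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]             # skip TCP header + options
    if dport != 502 or len(payload) < 8:
        raise ValueError("not Modbus/TCP")
    tid, pid, length, unit, func = struct.unpack_from("!HHHBB", payload, 0)
    if pid != 0 or length != len(payload) - 6:     # MBAP length covers unit id + PDU
        raise ValueError("malformed MBAP header")
    fields = {"src": src, "dst": dst, "unit": unit, "func": func, "data": payload[8:]}
    if func == 6:                                   # write single register: addr, value
        fields["register"], fields["value"] = struct.unpack("!HH", fields["data"])
    return fields

def check_policy(fields: dict) -> list:
    """Flag write requests from hosts that are not expected to write (e.g. not an EWS)."""
    findings = []
    if fields["func"] in MODBUS_WRITE_FUNCS and fields["src"] not in ALLOWED_WRITERS:
        findings.append(f"write function {fields['func']} from unauthorised host {fields['src']}")
    return findings

def build_modbus_write(src_ip: str, dst_ip: str, register: int, value: int) -> bytes:
    """Constructed sample frame (checksums left zero; not validated by parse_frame)."""
    pdu = struct.pack("!BHH", 6, register, value)
    mbap = struct.pack("!HHHB", 1, 0, len(pdu) + 1, 1)
    tcp = struct.pack("!HHIIBBHHH", 49152, 502, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    payload = tcp + mbap + pdu
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip_hdr + payload

if __name__ == "__main__":
    print(check_policy(parse_frame(build_modbus_write("10.0.0.99", "10.0.0.20", 40001, 1))))
```

A port-502 filter alone would pass both frames; only decoding the MBAP header and function code separates a routine read from an unexpected write.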

In industrial environments, however, there is more to consider besides ICS protocols. Many attack vectors observed recently surround IT-centric protocols, such as Microsoft's Server Message Block (SMB) used for file sharing, HTTP used for web communication, secure shell (SSH), and others. Being focused only on the ICS protocols could create visibility gaps in your security posture. DPI's ability to passively identify systems and software, such as engineering workstations, HMIs, historians, and the suite of applications in DCS or SCADA environments, provides valuable contextual information to assess appropriate responses to threats.

An in-depth understanding and knowledge of industrial environments, collectively, is the first step in establishing an effective industrial cybersecurity approach; however, industrial cybersecurity technologies must also have an in-depth understanding of individual industrial environments in order to establish the most effective industrial cybersecurity approach. DPI not only provides defenders with visibility of different device types, roles, and relationships that exist in the industrial environment (e.g., the role a human-machine interface (HMI) plays, how that HMI’s role differs from an engineering workstation, and how those different device roles can influence the potential consequence of an attack), but it also provides visibility of the different device types in each specific industrial environment. For example: understanding the environment of and differences between a power plant owned by Company A; oil refineries 1, 2, and 3 owned by Company B; or a manufacturing plant owned by Company C.

Because different types of devices in various industrial environments have different exposures, they have different attacks associated with them. Effective ICS cybersecurity technologies should utilize DPI, so these differences are understood and analysts can focus on the attacks that are most relevant to the various types of devices. This is especially critical as an increasing number of adversaries use "living off the land" techniques that leverage native system commands, applications, and software to gain access to systems and move throughout the network undetected. Living off the land can allow adversaries to execute behaviors ranging from conducting research to executing an attack on a target while evading many signature- and blacklist-based detection methods. While detecting living off the land techniques may seem straightforward, traditional IT security approaches often fail at it because of the complex nature and mission requirements of operations environments.

Industrial environments can have highly heterogeneous natures; therefore, in order for industrial cybersecurity technologies to be truly effective, they must have in-depth understanding and visibility of those environments, including devices and communications, as well as the differences of those devices and communications in specific facilities. Though there are many components of an effective industrial cybersecurity technology, deep packet inspection is among the most critical, because it allows industrial defenders to look beyond the foundational layer of data in their networks in order to gain a deeper understanding of the environment and to establish effective, resilient cybersecurity approaches for their organizations.

This feature originally appeared in Automation 2022: Cybersecurity & Connectivity Volume 2.

About The Author


Jon Lavender is the Chief Technology Officer and Founder at Dragos. He is responsible for delivering the Dragos Platform and Customer Portal, as well as the development of ICS/SCADA-specific technologies and technologies that enable the Dragos Threat Operations Center analysts to hunt advanced threats.
