Monitoring network activity is key to securing any production environment. Keeping tabs on the activities of the users, applications and the devices enables operators to ensure expected and normal operations. Monitoring also allows problems to be detected and corrected before damage can occur.
However, not all networks are created equal. Monitoring industrial control system (ICS) activity is difficult for two reasons. First, ICS networks use different protocols from IT networks. Second, separate protocols are used for performing data-plane and control-plane activities:
Data-Plane: sometimes referred to as the user plane, carries the user-data traffic. The data-plane is used by the HMI and SCADA applications to communicate process parameters and physical measurements between the human operator and the industrial equipment (I/Os).
Control Plane: carries the control information. In industrial networks, control-plane activities include all the engineering activity related to the maintenance lifecycle of industrial controllers, such as any read or change of controller firmware, control logic, configuration settings, or state. It also includes the administration and operations traffic. [Note that the term ‘control-plane’ is a general networking term, and isn’t related to the control layer of the Purdue Model or to controllers in ICS networks]
The protocols used for data-plane activities are those used by HMI/SCADA applications to communicate with control devices. These protocols, which include MODBUS, PROFINET, DNP3 and more, are well known and fully documented.
However, many are unaware of the fact that in ICS networks the control-plane activities use different protocols - a separation that does not exist in IT networks!
Unlike the data-plane protocols, control-plane protocols are vendor-specific, proprietary protocols that are mostly unknown, undocumented and often unnamed. This is because they were designed to be used only by the vendor’s engineering software tools. But over the years, other tools that utilize these protocols have been developed and can be used for control-plane activities, including changing critical industrial controllers.
While many companies are concerned about cyber threats to their operations, most do not understand the difference between data-plane and control-plane protocols. Fewer still understand the implications of using proprietary, vendor-specific protocols for control-plane activity, and therefore don’t monitor them, leaving a dangerous security gap in their networks.
The Importance of Monitoring Control-Plane Activities
Unlike the data plane, which carries information relating to the system’s process parameters (e.g. the current temperature in a tank, or the RPM of a turbine), core functions are carried out via the control plane. These include changes to controller logic, firmware uploads/downloads and configuration changes.
Industrial controllers (PLCs, RTUs, DCS) are critical devices that are responsible for the entire process lifecycle in industrial environments. They are proprietary computers provided by vendors like Rockwell Automation, Siemens, GE, Schneider Electric and others.
In IT networks, activities like changing a server configuration or the software code it executes are highly privileged. They can only be executed by a select group of users, typically systems administrators. Hackers need to compromise privileged access credentials in order to make operational changes on an IT network.
In contrast, industrial controllers do not have any authentication or encryption mechanisms. This enables anyone with network access to reach these critical devices and make changes to their configuration and logic, changes that can lead to severe operational disruptions. These can range from process glitches to major leaks of dangerous materials, physical catastrophes, and even explosions. Therefore, when adversaries want to cause operational damage — they target industrial controllers via the control plane.
To make things worse, control-plane activities aren’t logged or recorded anywhere - not on the device, nor in the Historian, nor in any other component of the ICS network. This allows adversaries to hide their actions and remain undetected until the physical damage is discovered.
The combination of these shortcomings - lack of authentication mechanisms, access controls, change logs and the ability to monitor changes - may come as a surprise to those in the IT community. Unfortunately, it’s a fact.
Contrary to what many believe, attacking industrial controllers using control plane activities doesn’t require special expertise. Basic knowledge of control system engineering is enough.
Protection Starts with Visibility
Industrial organizations — especially those involved with sensitive manufacturing processes or critical infrastructures — are paying close attention to ICS cybersecurity incidents that can disrupt operations while causing physical and financial damage.
Since most threats to ICS systems occur in the control plane, it is essential to monitor these activities. Protecting ICS networks begins and ends with gaining visibility and control over control plane activities.
Easier said than done, because (as I mentioned earlier) the protocols for the controllers are mostly proprietary and undocumented.
Fortunately, new ICS network monitoring technologies that focus on the control-plane protocols can provide early detection of reconnaissance activities, such as requests to read the controller firmware or logic from an unknown laptop, or requests to list open ports on a controller. Such activities may indicate the presence of a malicious actor seeking to compromise the system.
Monitoring the control-plane activities in industrial networks will also identify attempts to tamper with control devices in real-time, allowing ICS cyber security professionals to quickly respond and prevent, or at least minimize, damage to operational systems.
Finally, monitoring control plane activities provides a full audit trail of actions executed by employees, contractors, and integrators that have unfettered access to ICS networks. This audit trail also helps supervise insiders’ activities and enables detection of unauthorized changes and human error.
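To make the preceding three points concrete (flagging reconnaissance such as firmware or logic reads and port listings from an unknown host, flagging tamper attempts, and keeping an audit trail), here is an added example of a minimal control-plane monitor; it is not code from the original post or from any vendor product. Because the real vendor protocols are proprietary, it assumes a hypothetical decoder has already turned traffic into one normalized event per line, and the operation names, allow-list address, and sample events are all constructed.

```python
from collections import namedtuple

# Assumed classification of decoded operations (constructed; real vendor
# control-plane protocols are proprietary and would need their own decoder).
OPS = {
    "read_registers": "data", "write_register": "data",          # HMI/SCADA traffic
    "read_logic": "recon", "read_firmware": "recon", "list_ports": "recon",
    "download_logic": "change", "write_firmware": "change", "change_mode": "change",
}

# Hypothetical allow-list: the only hosts expected to perform engineering work.
ENGINEERING_HOSTS = {"10.0.1.10"}

Event = namedtuple("Event", "ts src dst op")

def parse_line(line):
    # Constructed line format: "<timestamp> <src> -> <dst> <operation>"
    ts, src, _arrow, dst, op = line.split()
    return Event(ts, src, dst, op)

def analyze(lines, allowed=ENGINEERING_HOSTS):
    """Return (alerts, audit). Every control-plane operation is written to the
    audit trail; operations from hosts outside the allow-list, and operations
    the decoder does not recognise, also raise an alert."""
    alerts, audit = [], []
    for line in lines:
        e = parse_line(line)
        kind = OPS.get(e.op, "unknown")
        if kind == "data":
            continue  # process parameters/measurements: out of scope here
        audit.append((e.ts, e.src, e.dst, e.op, kind))
        if e.src not in allowed or kind == "unknown":
            severity = "high" if kind == "change" else "medium"
            alerts.append((e.ts, e.src, e.dst, e.op, severity))
    return alerts, audit

SAMPLE_LOG = [  # constructed sample events, not captured traffic
    "2024-03-01T08:00:01 10.0.2.5 -> 10.0.3.20 read_registers",
    "2024-03-01T08:00:05 10.0.1.10 -> 10.0.3.20 read_logic",
    "2024-03-01T08:01:10 10.0.9.77 -> 10.0.3.20 list_ports",
    "2024-03-01T08:01:12 10.0.9.77 -> 10.0.3.20 read_firmware",
    "2024-03-01T08:03:40 10.0.9.77 -> 10.0.3.20 download_logic",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[0]:
        print("ALERT", *alert)
```

On the sample, the engineering workstation’s logic read lands only in the audit trail, while the unknown host’s port listing and firmware read raise medium alerts and its logic download raises a high one.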