We bring order to the engineering networks

Industrial facilities as a target for cyber attacks

Cybersecurity of industrial infrastructure is an increasingly pressing issue in the modern world. Digital technologies have penetrated all spheres of life and issues of protection against cyber attacks are becoming key to ensuring the stability and safety of production processes.

One of the main threats to industrial infrastructure is hacker attacks. According to Kaspersky ICS CERT, the share of industrial control system computers in Russia on which malicious objects were blocked during the first quarter of 2024 was 23.6%. At the same time, building automation systems remain among the most susceptible to cyberattacks, which can lead to disruption of engineering systems: heating, air conditioning, ventilation, lighting, fire extinguishing, access control, etc. Therefore, companies are increasingly aware of the need to invest in protecting their infrastructure.

Start of the project

The project began when we were approached by a potential customer – a small, by Russian standards, company whose activities involve operating a complex of buildings equipped with building management systems (BMS). It was important for the customer's business to ensure the correct and continuous operation of the buildings' engineering systems. After several incidents involving communication failures and unstable operation of devices in the engineering networks, which led to financial losses because individual buildings stopped functioning normally, the information security department was tasked with reducing the risk of such situations recurring. Taking this into account, we, together with the customer, defined the following project goals:

  • putting the engineering infrastructure in order: inventory of all networks and devices;

  • increasing the level of security of operating automation systems and reducing the risk of negative consequences of cyber attacks;

  • organization of continuous monitoring of utility networks.

Description of the solution

After an initial analysis of the customer's requirements and an inspection of its infrastructure, we proposed protection measures based on a number of products from Russian vendors. We came to the conclusion that a specialized solution that meets the following criteria is needed to detect cyberattacks and anomalies at the network level of engineering systems:

  • inventory of network nodes and connections, identification of unauthorized devices and interactions in the network that can be used as entry points into utility networks bypassing the firewall;

  • analysis of industrial data transmission protocols Modbus TCP and Siemens S7, monitoring of control network commands and process parameters;

  • identifying and assessing risks such as misconfigurations, vulnerabilities, network architecture issues;

  • minimal impact of the solution on the operation of engineering systems and equipment;

  • the ability to integrate with solutions already existing in the customer’s infrastructure (Kaspersky Security Center).

During the review of products available on the market, the customer chose a solution from Kaspersky Lab – Kaspersky Industrial Cybersecurity for Networks (KICS for Networks) as the most suitable for the specified criteria.

KICS for Networks belongs to the class of IDS (Intrusion Detection System) solutions designed to operate in industrial networks.

Its main functions are:

  • passive analysis of network traffic for signs of computer attacks and network anomalies;

  • automatic inventory of nodes and connections in the network;

  • collecting information about device configuration;

  • identification of information security risks;

  • process telemetry analysis (DPI);

  • displaying information about network interactions:

    • network interaction table;

    • network interaction maps displaying existing devices and interactions between them with the ability to view the network status at a specified time interval;

    • physical connection diagram of devices;

  • security incident analysis:

    • storing traffic archive, storing event information archive;

    • display of detected information security incidents using a web interface.

Deployment diagram

The main component of KICS for Networks is the Server. It allows you to:

  • generate lists of assets and their network interactions;

  • process and store events;

  • perform device audits;

  • correlate events to detect attacks;

  • connect to external sources using connectors and data exchange.

Figure 1 – KICS for Networks deployment diagram

To analyze traffic on switches with connected equipment, the switch must support port mirroring (SPAN). In the customer's network, some industrial switches did not support this technology. In order not to replace the switches, it was decided to use network TAPs, whose copied traffic was sent to a packet broker and from there to KICS for Networks for analysis.

After deployment, the KICS for Networks server was put into “Learn” mode for a period of time to allow the system to collect information about the current network configuration, the protocols used, and the process tags.

During this period, KICS for Networks collected complete information about the devices and traffic in the industrial network. The collected assets were then audited, and the server was switched to “Monitoring” mode, in which the system generates security events when foreign devices appear, when traffic does not comply with the created rules, or when signs of cyberattacks are detected.

KICS for Networks interface

Monitoring

The KICS for Networks web interface has a Monitoring section that displays dashboards with system performance indicators, events, and problematic assets.

Assets

The Assets menu displays all devices detected in network traffic. The system automatically detects the device type and collects additional information about it, such as the operating system version, model, and manufacturer.

KICS for Networks allows you to manually edit device parameters and rename devices for convenience. With a large number of devices this approach is not very convenient, so the system also provides functionality for exporting and importing device parameters and tags from SCADA projects:

If your management system is not among the supported ones, the easiest way to change the parameters of several devices is to export the data from KICS for Networks to a file, process it, for example, in Excel, and import it back into the system.

This method allows you to significantly reduce the time spent on changing device parameters and avoid errors when manually editing each one.

Network map

The functionality of KICS for Networks allows you to display devices and their network interactions in the form of visual maps: a network interaction map and a topology map.

Network interaction maps display all devices and their interactions detected during traffic analysis. The map allows arbitrary distribution of nodes, grouping of nodes, creation of nested groups, and switching between saved device display types.

The topology map shows the physical connections between devices. KICS for Networks can collect this information from managed switches if you have a license for active device polling. If you do not have such a license or cannot obtain data from the switches, you can create the topology manually; no additional license is required for this.

Version 4.1 adds the ability to view network sessions by asset, which significantly simplifies setup and investigations.

Since the customer's system consists of several subsystems, groups were created in the settings menu according to their address spaces:

The creation of groups and the functionality of automatic distribution of devices by subnets allowed us to group all devices and “collapse” the huge map into several groups. As you can see in the screenshot below, several hosts that did not fall into any of the subnets remained ungrouped:

Thus, the graphical map allows you to quickly detect unknown network interactions, unknown devices and incorrect device configurations.

Process control

KICS for Networks allows you to control process parameters and the commands sent to devices. The customer's network uses the Modbus and Siemens protocols. The solution parses these protocols and detects tags and their values. To make use of this, together with the operations service we defined which devices and tags in the automated control system (ACS) need to be controlled.

For each tag, it is possible to fine-tune the control rules:

If the tag value does not match the specified rule, a security event is generated.

Allow rules

In learn mode, KICS for Networks automatically generates a list of allow rules for network interactions based on the network traffic observed between devices.

After switching from the learning mode to the monitoring mode, the system monitors network traffic in accordance with the created rules. If a new device or network interaction appears in the network, the system generates a corresponding security event. When changing the industrial network configuration, you can manually add new rules or edit existing ones.
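The two mechanisms described above (tag control rules and learned allow rules for network interactions) can be shown in miniature. The following Python is an added illustration, not code from the original post or from KICS for Networks; the Modbus TCP frames, the addresses and the 15..30 setpoint rule are constructed, and the tag-rule dictionary format is an assumption of this example.

```python
import struct
from collections import namedtuple

# One parsed Modbus TCP request: endpoints, unit id, function code, start address and the
# PDU's second field (a quantity, or for function 6 the value being written).
Request = namedtuple("Request", "src dst unit func addr operand")

def frame(unit, func, addr, operand, tid=1):
    """Build a constructed Modbus TCP request: MBAP header (tid, proto 0, length, unit) + PDU."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, func, addr, operand)

def parse_modbus_tcp(src, dst, payload):
    """Parse an MBAP header plus a 5-byte PDU; malformed frames are rejected, not guessed."""
    if len(payload) != 12:
        raise ValueError("unexpected frame length")
    tid, proto, length, unit, func, addr, operand = struct.unpack(">HHHBBHH", payload)
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    return Request(src, dst, unit, func, addr, operand)

class Baseline:
    """Learn mode records hosts and (src, dst, unit, func) tuples; monitoring mode emits
    events for new hosts, unknown interactions and register writes outside their rule."""
    def __init__(self, tag_rules):
        self.tag_rules = tag_rules      # {(plc_ip, unit, register): (min, max)} -- assumed format
        self.hosts, self.allowed, self.monitoring = set(), set(), False

    def observe(self, req):
        key = (req.src, req.dst, req.unit, req.func)
        if not self.monitoring:         # learn mode: everything seen becomes the baseline
            self.hosts.update((req.src, req.dst))
            self.allowed.add(key)
            return []
        events = [("new_device", h) for h in (req.src, req.dst) if h not in self.hosts]
        if key not in self.allowed:
            events.append(("unknown_interaction", key))
        rule = self.tag_rules.get((req.dst, req.unit, req.addr))
        if rule and req.func == 6 and not rule[0] <= req.operand <= rule[1]:
            events.append(("tag_rule_violation", (req.dst, req.unit, req.addr, req.operand)))
        return events

def run_demo():
    """Constructed traffic: SCADA polls a PLC and writes a heating setpoint in learn mode, then
    an unknown laptop reads the PLC and SCADA writes a setpoint outside the 15..30 rule."""
    scada, plc, laptop = "10.0.1.10", "10.0.1.20", "10.0.1.77"   # constructed addresses
    base = Baseline({(plc, 1, 40): (15, 30)})
    base.observe(parse_modbus_tcp(scada, plc, frame(1, 3, 40, 10)))   # read 10 holding registers
    base.observe(parse_modbus_tcp(scada, plc, frame(1, 6, 40, 21)))   # write setpoint 21
    base.monitoring = True
    events = base.observe(parse_modbus_tcp(scada, plc, frame(1, 6, 40, 22)))    # within rule
    events += base.observe(parse_modbus_tcp(laptop, plc, frame(1, 3, 40, 10)))  # foreign host
    events += base.observe(parse_modbus_tcp(scada, plc, frame(1, 6, 40, 45)))   # out of range
    return events
```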

Risks

In this menu, KICS for Networks displays the risks detected.

When selecting a risk, the system provides recommendations for its elimination. After taking measures to eliminate it, the risk can be transferred to the “Accepted” state:

Export events

To organize the process of event transmission, KICS for Networks allows using the built-in API and various connectors for communication with external systems (e-mail, SIEM, syslog). In our case, events are sent to the Kaspersky Security Center server. For this interaction, there is no need to configure connectors, since this option was enabled during installation. For each type of event, you can select a connector to which events of this type will be sent.

Cases

Here is what was discovered in the customer's network using KICS for Networks.

Unauthorized hosts in industrial networks

An unknown host was detected in the ACS network and the following incidents were recorded:

During the investigation, it was found that the contractor who was performing the work on setting up the automation systems had made an unauthorized connection to the industrial network from his laptop. Following the investigation, explanatory work was carried out with the contractor and the access switches were reconfigured to prevent similar situations.

Firewall configuration errors and suspicious activity

An unauthorized interaction was found between a device located in the IT network and a device in the ACS network. This was a consequence of an error in the configuration of the firewall on the border between the ACS and IT networks; such interactions should not occur. The host also showed suspicious activity.

Following the investigation, the network architecture and firewall rules were modified accordingly.

“Forgotten” devices

It is quite common that during construction of large facilities, for various organizational or technical reasons, the network ports of uninterruptible power supplies are not configured. After analyzing the traffic, we managed to find several “forgotten” UPSs:

Once detected, the UPSs were configured and moved to the appropriate network segment.

Hardware configuration errors

Devices were found that had multiple IP addresses on one interface, which could have been used by intruders to carry out computer attacks.

After an investigation, the network interfaces of the affected workstations were reconfigured.

Inconsistency with design documentation

During the asset inventory, discrepancies were found between the actual configuration of the ACS and the design documentation. We found several hosts in the network for which there was no information in the source data, and some assets had incorrect IP addresses, which led to address conflicts. We also identified devices with incorrectly configured system settings.

The collected information on assets helped to find discrepancies and update the documentation for the operated automated control systems.
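The findings in the last three sections (several IP addresses on one interface, address conflicts, hosts absent from the design documentation) can all be derived from passively observed MAC/IP pairs. The following Python is an added example, not code from the original post or the product; the observed pairs and the design table are constructed.

```python
from collections import defaultdict

# Constructed (mac, ip) pairs as a passive sensor sees them in ARP/IP traffic.
OBSERVED = [
    ("00:1a:00:00:00:01", "10.0.2.10"),
    ("00:1a:00:00:00:02", "10.0.2.11"),
    ("00:1a:00:00:00:02", "192.168.5.11"),   # second IP on the same interface
    ("00:1a:00:00:00:03", "10.0.2.12"),
    ("00:1a:00:00:00:04", "10.0.2.12"),      # same IP answered by two MACs: address conflict
    ("00:1a:00:00:00:05", "10.0.2.99"),      # host absent from the design documentation
]
# Constructed design-documentation table: expected ip -> mac.
DESIGN = {
    "10.0.2.10": "00:1a:00:00:00:01",
    "10.0.2.11": "00:1a:00:00:00:02",
    "10.0.2.12": "00:1a:00:00:00:03",
    "10.0.2.13": "00:1a:00:00:00:06",        # documented but never seen on the wire
}

def inventory_findings(observed, design):
    """Reconcile observed hosts with the design documentation and flag the discrepancy types."""
    ips_by_mac, macs_by_ip = defaultdict(set), defaultdict(set)
    for mac, ip in observed:
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    return {
        "multi_ip_interfaces": {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1},
        "ip_conflicts": {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1},
        "undocumented_hosts": sorted(ip for ip in macs_by_ip if ip not in design),
        "unseen_documented_hosts": sorted(ip for ip in design if ip not in macs_by_ip),
        "documented_mac_mismatch": sorted(ip for ip, mac in design.items()
                                          if ip in macs_by_ip and mac not in macs_by_ip[ip]),
    }
```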

Conclusions

The implementation of KICS for Networks in automation systems networks has made it possible to achieve significant results in ensuring their security:

  • It was possible to conduct a full inventory of network assets and identify devices with incorrect configuration. This allowed us to prevent failures in the operation of the ACS network and improve its stability.

  • We identified information about discrepancies between design documentation and the actual picture of interaction of components in industrial networks. We found errors in the organization (architecture) of interaction of the automated control system and incorrect policies on the firewall.

  • The customer was able to respond promptly to emerging risks and information security events in the building automation systems. Better awareness of network activity made it possible to reduce the number of incidents, take measures to eliminate them, and speed up investigations.

  • It became possible to control the work of contractors servicing the components of the automated control system, prevent unauthorized actions and improve the overall security of the system.

The implementation of IDS in industrial networks of automated process control systems is an important step in ensuring their security and allows achieving significant results in preventing and eliminating information security incidents.

Based on our experience of implementing KICS for Networks, we would like to highlight possible ways to develop the product interface. For example, in the asset information for workstations and servers, we would like to see information about users and applications. For active device polling, we would like a scheduler so that polling can run at a specified frequency rather than only on demand. For allow rules, it would be convenient to filter by device name and address. We hope that Kaspersky Lab will add these mechanisms in future releases, which would improve the usability of the system.
