When you consider the experience Robert M. Lee, co-founder at Dragos Security, brings to the industrial control system (ICS) cybersecurity discussion, you quickly realize his approach will entail more than the usual IT cybersecurity best practices. In addition to his involvement with Dragos Security, Lee is an active-duty U.S. Air Force Cyberspace Operations Officer, teaches in the ICS program at SANS, and is an adjunct lecturer at Utica College where he teaches in the M.S. Cybersecurity program. As part of his work as a U.S. Air Force Cyberspace Operations Officer, Lee has been a member of multiple computer network defense teams that included leading a first-of-its-kind ICS/SCADA threat intelligence and intrusion analysis mission.
Based on his experience, one of the issues Lee focuses on—with regard to the mapping of industrial networks as part of an ICS cybersecurity approach—is the practice of active scanning, i.e., sending data to a device and reading the response. He contends that active scanning can damage or deny service to sensitive network-enabled devices, such as programmable logic controllers (PLCs) and remote terminal units (RTUs). As such, he promotes the use of passive scanning to ensure real-time network visibility without impacting operations.
Passive scanning is a key aspect of CyberLens, which Dragos Security is planning to release in the first quarter of 2015. Lee says that CyberLens is a stand-alone client that can be installed on a computer or in a virtual machine for local or cloud use. It can connect to a local interface or to a mirrored port on a network switch to enable real-time asset identification and network visualization.
Lee notes three key aspects of CyberLens:
* Asset and network identification is accomplished via deep packet inspection of network traffic and protocols based on “knowledge of protocols such as DNP3, ModbusTCP, Ethernet/IP, Profinet, BACnet, AB-PCCC, CIP, and others to identify what is going on inside the protocols and where I/O is located,” he says.
* The network is “visualized instead of just displaying information,” says Lee. “This visualization is a user-friendly way to take a look at the network and how it is configured as a sort of HMI for the network.”
* Its modular coding allows for CyberLens’ open API (application programming interface) and Lens (plugins) model to have features added by users. “Our approach was to create a product where people could add their own data, extend its functionality, or otherwise modify it to fit their unique needs—which is vital given that ICS is deployed by such a wide and varied group,” Lee says.
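To make the passive, protocol-aware asset identification described above concrete, here is an added example in Python (not CyberLens code and not from Dragos): it decodes Modbus/TCP requests from a constructed list of packet tuples and builds a per-unit inventory of the function codes seen and the register ranges they touch, without ever transmitting anything to the device. The sample packets, IP addresses and helper names are assumptions for illustration.

```python
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502
# Request function codes whose PDU starts with a 16-bit address and a 16-bit quantity/value.
FUNC_NAMES = {1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_regs",
              4: "read_input_regs", 5: "write_single_coil", 6: "write_single_reg",
              15: "write_multiple_coils", 16: "write_multiple_regs"}

def parse_modbus_request(payload):
    """Decode one Modbus/TCP request (7-byte MBAP header + PDU); None if not a plausible request."""
    if len(payload) < 8:
        return None
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None  # protocol id must be 0; MBAP length counts unit id + PDU
    func = payload[7]
    if func not in FUNC_NAMES or len(payload) < 12:
        return None
    addr, count_or_value = struct.unpack(">HH", payload[8:12])
    # Reads and multi-writes carry a quantity; single writes touch exactly one point.
    span = count_or_value if func in (1, 2, 3, 4, 15, 16) else 1
    return {"unit": unit_id, "func": func, "addr": addr, "span": span}

def build_inventory(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload). Observes only; nothing is sent."""
    inv = defaultdict(lambda: {"functions": set(), "io": {}})
    for src, dst, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue  # only client->server requests name the unit and the I/O addresses
        req = parse_modbus_request(payload)
        if req is None:
            continue
        asset = inv[(dst, req["unit"])]
        asset["functions"].add(FUNC_NAMES[req["func"]])
        lo, hi = req["addr"], req["addr"] + req["span"] - 1
        prev = asset["io"].get(req["func"])  # widen the per-function address range seen so far
        asset["io"][req["func"]] = (lo, hi) if prev is None else (min(prev[0], lo), max(prev[1], hi))
    return dict(inv)

# Constructed sample traffic: an HMI (10.0.0.10) polling two PLC unit ids behind one gateway, plus one write.
SAMPLE_PACKETS = [
    ("10.0.0.10", "10.0.0.20", 502, bytes.fromhex("0001000000060103000A0014")),  # read 20 holding regs @10, unit 1
    ("10.0.0.10", "10.0.0.20", 502, bytes.fromhex("000200000006010300280002")),  # read 2 holding regs @40, unit 1
    ("10.0.0.10", "10.0.0.20", 502, bytes.fromhex("000300000006020100000010")),  # read 16 coils @0, unit 2
    ("10.0.0.10", "10.0.0.20", 502, bytes.fromhex("000400000006010600050001")),  # write single reg @5, unit 1
    ("10.0.0.20", "10.0.0.10", 49152, bytes.fromhex("000100000003010100")),      # response direction, ignored
]

if __name__ == "__main__":
    for (ip, unit), asset in sorted(build_inventory(SAMPLE_PACKETS).items()):
        print(ip, "unit", unit, sorted(asset["functions"]), asset["io"])
```

The same loop can be fed from a mirrored-port capture by replacing `SAMPLE_PACKETS` with decoded TCP payloads; the inventory then shows which units exist and which register ranges the HMI actually uses, which is the kind of I/O map the article describes.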
While in beta testing, CyberLens has been tested at “a small flour mill, a nuclear operations facility, a car manufacturing facility, an electric utility, two oil pipelines, a hydroelectric facility, and a few other locations,” says Lee. “In each case, CyberLens was either deployed as a virtual machine in already established hardware on-site to collect traffic real-time, deployed on a laptop connected to a mirrored port on a network switch, or (most commonly) deployed on a standalone computer not hooked up to the network and the testers took packet captures from the network using existing infrastructure to process through the tool.”
In addition to mapping and visualizing assets, CyberLens maintains flow records and statistical data for the network, allowing users to identify all the protocols on their network, the amount of bandwidth being used, and data transferred between specific links. A timeline bar allows users to scroll backwards in time throughout the data to identify and visualize changes made throughout the network.
One thing is clear: cybersecurity approaches to ICSs are becoming increasingly specialized, as evidenced not just by CyberLens, but also by Tempered Networks’ use of virtualized, private overlay networks that leverage existing industrial network infrastructures and NexDefense’s network anomaly detection system called Sophia.