

ICS Security Tools Series 3.3: Network Traffic Detection Tools

Posted by ulberg at 2020-03-03

ICS security has been taken seriously, but it is not always clear which commercial security tools are available. Based on a research report from Idaho National Laboratory, we list some of the security tools available on the international market and briefly introduce each of them.

Recap: overview of security tools for industrial control system environments

This is one article in a series; this one introduces network traffic detection tools.

Bro - Bro is an open source intrusion detection system (IDS) that runs on standard hardware under a Linux-based operating system. It is a network intrusion detection system (NIDS) specialized in traffic analysis. Bro keeps comprehensive logs and provides a range of analysis and detection capabilities, including signature-based detection and anomaly detection. Bro's signature engine is not based on Snort, but it can match with Snort-like detail, and there have been attempts to convert Snort signatures into Bro signatures. Bro supports port-independent analysis of application layer protocols, including DNP3 and Modbus, as well as file content analysis. Support for Bro is available through several channels, including mailing lists, and Broala also offers commercial support.

Conpot - Conpot is an ICS honeypot whose purpose is to collect information about the motives and methods of attacks against ICS. This Docker-container-based ICS honeypot supports the Modbus, S7, HTTP, SNMP, BACnet and IPMI protocols. Conpot has built-in support for hpfeeds, the generic data-sharing protocol used by the Honeynet Project. Conpot's raw data is in JSON format, and the Python client uses the hpfeeds library. Users who want access to Conpot data must create an HPFriends account, submit their own data through hpfeeds, and agree to share it with third parties.

CyberX XSense - XSense continuously monitors the network for OT threats and vulnerabilities, such as unauthorized remote connections and unpatched or unknown devices, and provides alerts and actionable threat intelligence. XSense offers a REST API and claims to support all ICS vendors, industrial protocols and SIEMs.

Darktrace ICS - Darktrace analyzes raw network data and uses machine learning algorithms to build a continuously updated understanding of the organization's behavior patterns, so that subtle changes in behavior can be discovered. These behavioral changes are correlated and filtered to detect threats and anomalies. A Darktrace physical appliance connects to a SPAN or TAP port in the customer's network and passively monitors the raw network data in real time, out of band, without interrupting normal operations; it provides real-time visibility of all network activity, discovers attacks or new anomalies, and notifies users promptly.

Fortinet Nozomi Networks - This joint solution combines Nozomi Networks' SCADAguardian with Fortinet's FortiGate. SCADAguardian is placed on the OT network to passively monitor network traffic and build an internal representation of the state and behavior of the whole network, of each node and of each device in it. With predefined and continuously updated signatures, FortiGate can identify and manage most common ICS/SCADA protocols and define them as "pipes". By configuring security policies, multiple services (such as IPS, antivirus and application control) can be mapped to each protocol separately. Beyond protocol security, a complementary set of signatures provides additional vulnerability protection for the applications and devices of major ICS manufacturers, along with finer application-level control of traffic between zones, enabling FortiGate to detect known vulnerabilities related to supported vendor solutions. The solution understands the behavior of all of these protocols as well as some proprietary protocols.

GridPot - GridPot is a symbolic cyber-physical system (CPS) honeypot toolkit. It symbolically simulates a cyber-physical system and emulates SCADA, HMI and ICS protocols. GridPot uses Etsy's Skyline project to detect anomalies and display attacks in real time.

MB connect line mbSecBox - The mbSecBox PLC security solution detects Stuxnet-like malware and other possible threats on S7 controllers. When a threat is detected, the mbSecBox PLC malware detector alerts the operator before damage to equipment occurs. The order number and serial number of the PLC are read and stored in memory. Based on this data, the PLC malware detector continuously monitors the static storage area of S7-300 and S7-400 controllers. The blocks are read at user-specified intervals and compared with a reference backup. When program data changes, the system operator is notified by email, text message, a warning light or an alarm triggered from the output interface. Besides malware and viruses, it therefore also alerts you to unauthorized changes to controller programs. The connection to the controller is established via MPI/PROFIBUS or Ethernet. For security reasons, the device cannot be accessed through a corporate network connected to the Internet.
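The monitoring cycle described for mbSecBox (store the controller's identity, read the program blocks at an interval, compare them with a reference backup, notify the operator on any change) can be illustrated in a few dozen lines. The following is an added example, not MB connect line's code: the block names, block contents and controller identity are constructed, and the `read_identity`/`read_blocks` callables stand in for a real MPI/PROFIBUS or Ethernet read from the PLC.

```python
"""Reference-backup comparison of PLC program blocks, illustrating the mbSecBox
monitoring approach described above. Added example, not MB connect line's code;
block names, contents and the controller identity are constructed."""
import hashlib

def fingerprint(blocks):
    """Map each block name (e.g. 'OB1', 'FC10') to the SHA-256 hex digest of its bytes,
    so the reference backup can be stored without keeping the full program image."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}

def compare_to_reference(reference, current):
    """Diff two fingerprint maps. Returns modified/added/removed block names and an
    'alert' flag that is True whenever the program differs from the reference."""
    modified = sorted(n for n in reference if n in current and reference[n] != current[n])
    added = sorted(n for n in current if n not in reference)
    removed = sorted(n for n in reference if n not in current)
    return {"modified": modified, "added": added, "removed": removed,
            "alert": bool(modified or added or removed)}

def identity_matches(expected, observed):
    """The order number and serial number stored at commissioning must match the
    controller being polled; a mismatch (swapped or wrong controller) is reported too."""
    return expected == observed

def poll_once(expected_identity, reference_fp, read_identity, read_blocks):
    """One monitoring cycle: check identity, read all blocks, compare with the reference.
    read_identity and read_blocks are caller-supplied callables (constructed stand-ins)."""
    observed = read_identity()
    if not identity_matches(expected_identity, observed):
        return {"alert": True, "reason": "controller identity mismatch",
                "expected": expected_identity, "observed": observed}
    report = compare_to_reference(reference_fp, fingerprint(read_blocks()))
    report["reason"] = "program data changed" if report["alert"] else "ok"
    return report

def notify(report, channels=("email", "sms", "warning_light")):
    """Stand-in for operator notification; returns the messages that would be sent."""
    if not report["alert"]:
        return []
    return [f"[{ch}] {report['reason']}: {report}" for ch in channels]

# Constructed data: a reference backup taken at commissioning time, and a later
# read-back in which FC10 was altered, DB5 was deleted and FC99 was added.
PLC_IDENTITY = {"order_no": "ORDER-NO-PLACEHOLDER", "serial": "SERIAL-PLACEHOLDER"}
REFERENCE_BLOCKS = {"OB1": b"\x00\x01\x02\x03", "FC10": b"\x10\x11\x12", "DB5": b"\x50\x51"}
TAMPERED_BLOCKS = {"OB1": b"\x00\x01\x02\x03", "FC10": b"\x10\x11\xff", "FC99": b"\x99"}
REFERENCE_FP = fingerprint(REFERENCE_BLOCKS)

def run_demo():
    """Run two cycles: one against the unchanged program, one against the tampered one."""
    clean = poll_once(PLC_IDENTITY, REFERENCE_FP, lambda: dict(PLC_IDENTITY),
                      lambda: REFERENCE_BLOCKS)
    tampered = poll_once(PLC_IDENTITY, REFERENCE_FP, lambda: dict(PLC_IDENTITY),
                         lambda: TAMPERED_BLOCKS)
    return clean, tampered

if __name__ == "__main__":
    for report in run_demo():
        print(report)
        for msg in notify(report):
            print(msg)
```

In practice `poll_once` would be scheduled at the user-specified interval, and the reference fingerprints would be written once at commissioning and protected from modification, since an attacker who can rewrite the reference alongside the program defeats the comparison.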

MSi Sentinel and MSi 1 - MSi Sentinel and MSi 1 together provide continuous multi-layer system monitoring at the IP layer and at the digital and analog signal layers to protect the plant, facilities and control system. The MSi suite provides vertical analysis to ensure that critical control system components are not compromised. The system performs real-time analysis and automatic event detection on multi-layer signals, establishes a secure dedicated communication channel to trusted system operators or network security professionals, and collects parameters from digital and analog sensors, actuators and controllers for auditing and forensics. It allows automatic or operator-led restoration of control equipment to a known good state.

N-Dimension n-Platform 340S or 440D solution - The n-Platform software has two modes: monitoring mode and gateway mode. Monitoring mode functions include SCADA intrusion detection, vulnerability scanning, port scanning, availability monitoring and performance monitoring. Gateway mode provides routing, firewall, antivirus, proxy filtering, network device control, VPN and LDAP functions.

OSSEC - OSSEC's functions include a host intrusion detection system (HIDS), log monitoring, signature analysis (based on the Snort 2 engine), anomaly detection, file integrity checking and a central log service. It consists of a central management server and agents running on the monitored systems. OSSEC runs on standard hardware under a Linux-based operating system.

Security Onion - This is an open source tool suite for network security monitoring (NSM) that bundles all of the open source solutions mentioned above. It includes NIDS, HIDS, and full packet capture and analysis tools. Security Onion includes Suricata or Snort, Bro, OSSEC, Sguil, Snorby, ELSA and many other tools. A complete list of the included tools is given on the project site. It is usually deployed in a client-server model, but it can also run standalone.

SENAMI IDS - SENAMI is an IDS customized for Siemens S7-series control system environments. By combining a traditional NIDS with "active" intrusion detection, SENAMI can request monitored values directly from the PLC. It introduces the concept of "selective non-invasive active monitoring" to avoid overloading traditional ICS equipment. SENAMI has two core components. First, a passive IDS checks the number of packets received per function code, their arrival times, source IP, destination IP and the packets transmitted. These passive checks are compared heuristically against the system configuration and run at set intervals. Second, a selective non-invasive active monitoring IDS reads specific values every five seconds and compares the differences between successive readings. Differences beyond acceptable limits indicate an attempt to tamper with monitoring. Both components generate alerts, produce real-time reports in the IDS terminal and save them to log files for further analysis using a SIEM.
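The two SENAMI components just described can be shown as plain detection logic: a passive check that counts S7 requests per function code and per flow over an interval and compares the counts heuristically with a baseline, and an active check that takes a PLC value every five seconds and flags a change beyond an acceptable limit. This is an added illustration, not SENAMI's own code; the `S7Record` structure, the baseline, the tolerance and allowed-flow values, and all sample records and readings are constructed (no real packet parsing is done).

```python
"""Passive per-function-code statistics and active value monitoring in the style of
SENAMI. Added example, not SENAMI's code; all records, baseline values and limits
below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class S7Record:
    """One observed S7 request (constructed fields, no real packet parsing):
    arrival time in seconds, source and destination IP, function code, size."""
    t: float
    src: str
    dst: str
    function: str
    size: int

# Constructed baseline: expected requests per function code in a 60 s interval,
# the allowed deviation ratio, and the known HMI -> PLC flows.
BASELINE = {"read_var": 120, "write_var": 10}
TOLERANCE = 0.5
ALLOWED_FLOWS = {("10.0.0.5", "10.0.0.10")}

def passive_check(records, interval_start, interval_len=60.0):
    """Passive component: heuristic comparison of one interval against the baseline.
    Reports count deviations, function codes not in the baseline, and unknown flows."""
    alerts = []
    window = [r for r in records if interval_start <= r.t < interval_start + interval_len]
    counts = Counter(r.function for r in window)
    for fn, expected in BASELINE.items():
        seen = counts.get(fn, 0)
        if abs(seen - expected) > TOLERANCE * expected:
            alerts.append(f"count anomaly: {fn} seen {seen}, expected about {expected}")
    for fn, n in counts.items():
        if fn not in BASELINE:
            alerts.append(f"unexpected function code: {fn} ({n} requests)")
    for src, dst in sorted({(r.src, r.dst) for r in window}):
        if (src, dst) not in ALLOWED_FLOWS:
            alerts.append(f"unexpected flow: {src} -> {dst}")
    return alerts

def active_check(readings, max_delta):
    """Active component: readings are (time, value) pairs taken every five seconds;
    a change larger than max_delta between successive readings is reported."""
    alerts = []
    for (t0, v0), (t1, v1) in zip(readings, readings[1:]):
        if abs(v1 - v0) > max_delta:
            alerts.append(f"value jump at t={t1}s: {v0} -> {v1} (limit {max_delta})")
    return alerts

def constructed_records():
    """Two 60 s intervals: normal HMI polling, then the same polling plus a burst of
    writes and block downloads from a host that is not in the allowed flows."""
    recs = []
    for base in (0.0, 60.0):
        recs += [S7Record(base + i * 0.5, "10.0.0.5", "10.0.0.10", "read_var", 31)
                 for i in range(120)]
    recs += [S7Record(i * 6.0 + 0.25, "10.0.0.5", "10.0.0.10", "write_var", 35)
             for i in range(10)]
    recs += [S7Record(60.25 + i * 1.5, "10.0.0.5", "10.0.0.10", "write_var", 35)
             for i in range(40)]
    recs += [S7Record(61.0 + i * 10, "10.0.0.99", "10.0.0.10", "download_block", 240)
             for i in range(3)]
    return recs

# Constructed readings of one monitored value, sampled every five seconds
READINGS = [(0, 50.0), (5, 50.5), (10, 51.0), (15, 70.0), (20, 70.2)]

if __name__ == "__main__":
    recs = constructed_records()
    print("interval 1:", passive_check(recs, 0.0))
    print("interval 2:", passive_check(recs, 60.0))
    print("active:", active_check(READINGS, 2.0))
```

The first interval produces no alerts; the second reports the write burst, the unknown `download_block` function code and the unknown source host, and the active check reports the jump between the third and fourth readings. The baseline and tolerance are the part that needs site-specific tuning: a tolerance that is too tight turns normal batch changes into alerts, one that is too loose misses a slow drift.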

Snort - Snort is an open source network IDS/IPS. It is known for its signatures and signature engine, and it also performs protocol analysis, content search/matching and anomaly detection. Signatures can be obtained free of charge or through a paid subscription; the difference is how up to date the signatures are. Software support is available in a variety of ways, including mailing lists, blogs, webcasts, email and paid subscriptions. Snort was acquired by Cisco and is used in its products, but Cisco continues to support the open source model. Using Snort for commercial purposes requires a license agreement with Cisco.

Suricata - Suricata is an open source next-generation intrusion detection and prevention engine. It is designed to work with Snort signatures, and Emerging Threats provides rules optimized for Suricata. Suricata features include multithreading (for speed), protocol detection, gzip decompression, traffic analysis, IP reputation, log analysis, GeoIP location and anomaly detection. It runs on standard hardware under a Linux-based operating system. Typically either Suricata or Snort is used, rather than both.

Symantec ICS Anomaly Detection system - Anomaly detection for industrial control systems provides visibility into ICS devices and their communications and performs deep packet inspection (DPI) on all ICS protocols. Its advanced machine learning algorithms analyze small behavioral changes to catch subtle attacks, prioritize events according to their criticality, and provide forensic data for incident handling. The solution can be deployed on premises using existing hardware, without Internet access.

Tofino Xenon Security Appliance (Tofino SA) - The Tofino SA provides a simple and efficient way to create security zones, offering customized protection for PLCs, DCS, RTUs, IEDs and HMIs in line with the recommendations of the ISA/IEC 62443 standard. Its Plug-n-Protect design allows the product to be installed in the field network quickly, without pre-configuration, network changes or downtime. It provides pre-emptive threat detection, threat termination and threat reporting. Tofino is compatible with almost all DCS, PLC, SCADA, network and software products, and protects the network within security zones in accordance with NERC, ANSI/ISA and IEC standards. It also protects connections to corporate and wireless networks, improving the performance and reliability of SCADA and process control networks.

T-Pot - T-Pot combines Docker-based honeypots such as Conpot, Cowrie, Dionaea, ElasticPot, eMobility, Glastopf and Honeytrap with Suricata. All events can be visualized through the NSM engine and the ELK stack, and they are submitted and correlated by T-Pot's data submission tool EWSPoster. The T-Pot project gives users the tools and documentation needed to build their own honeypot system and to contribute to the community data view. The tool also supports the Honeynet Project's hpfeeds honeypot data sharing.

TruffleHog - Originating from an internal project at the Karlsruhe Institute of Technology, TruffleHog requires a modified version of Snort and adds a protocol parser for PROFINET that collects "truffles", which represent the semantic analysis of a PROFINET network packet. It tracks all incoming truffles, uses the semantic information to build a network topology (or network map), displays it, and thus provides a near-real-time topology view.