Vulnerability monitoring options for PLC network

TheWaterboy

Though I am resistant, I am getting pressure to install some sort of vulnerability monitoring on the PLC network so that reports can be generated to make others feel better about it. I have the IT side well covered with proper AV and routine automated assessment for patches etc. But for the OT side, which always contains old stuff that is sensitive to standard IT kinds of interrogation (I'm talking to you, Altivar), there are limited options.

I recently got a quote for a hardware/software combo that gets its info passively using a mirrored switch port to a dedicated device that listens in on all conversations. It seemed like a good idea till I got the quote which, like everything that is priced based on level of fear, was an order of magnitude more than is reasonable.

Is anyone using such a thing that they can recommend?
 
There is no quick solution.
This is a starting point: https://www.rockwellautomation.com/en-us/capabilities/industrial-networks/design-guides.html. There are links to white papers.
This would go in-between your IT and OT networks: https://www.rockwellautomation.com/...tratix-5950-security-appliance-in-action.html.
And finally this is an excellent resource: https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/draft.

Cisco has this as well: https://www.cisco.com/c/en/us/td/do...IA_Horizontal/DG/Industrial-AutomationDG.html
You may have to rethink legacy hardware on your network. Some devices cannot be secured. You also need to look at disaster recovery plans. Your management needs to understand that OT network security is a multi-layer approach. It has been my experience that OT security is a complex and expensive undertaking.
 
I agree OT is a tough thing to secure and often simply can't be for ... reasons. In that reality stateful reporting is all we can hope for. The time of an air gapped network is past.

I too have well-segmented networks for PLC/SCADA/Dev/Business, and the few machines that must speak across the wall do so through a firewall with DPI, IDS and several other acronyms.

I feel comfortable with the protection I have in place - but I have no reports to assure the folks further up the food chain, so I'm trying to find something that does this but doesn't cost as much as a full-time employee.
 
I just recently got a quote for Claroty Software: Claroty security software. 8/5 Support Only
* Threat Detection Services AI and TD Subscription $19,990.00 Annually
* Threat Detection Appliance (Optional Hardware[SERVER]) $16,187.00
* CTD Site Installation (Optional) $11,300.00
 
Just an FYI we are just now building out the OT network. When complete we will have about 4500 devices on our network. I do not know if the Claroty software is less expensive for a smaller system.
 
For SOME SOME SOME situations streaming serial can be an answer. IF you really need data transmission in one direction only, what you want is a 'data diode' - a unidirectional air gap. One way to do this is to have a computer on one side streaming data through an old-fashioned RS-232 serial port to a computer on the other side. The receiving computer assembles the data and makes it available on that network. With some thought and modern port speeds it can be pretty quick. Multiple port paths can speed it up even more.

This can work if you are in a situation like a water plant where you want security from outside operation but the operating data is not sensitive. There is no need for updates to counter newly found threats, etc.

PM me if you want to discuss how we implement it
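The post above describes the idea but not its implementation, and the poster's own code is not on the page. The following is an added example, written for this thread, of the one piece a one-way serial link cannot borrow from TCP: since the receiver can never ask for a retransmission, the framing itself has to let it reject damaged frames (CRC32) and notice frames that never arrived (sequence numbers). The frame layout, the field sizes, the `DiodeReceiver` class and the sample records are all assumptions made for this example; the "wire" is a simulated byte stream rather than a real serial port, so it runs offline.

```python
import struct
import zlib

# Frame layout (assumed for this example):
#   SYNC(2) | seq(4, big-endian) | len(2) | payload | CRC32(4)
# The CRC covers seq, len and payload. The receiver uses it to reject damaged
# frames and uses seq to detect frames that never arrived, because a one-way
# link gives it no channel on which to request a retransmission.
SYNC = b"\xAA\x55"
HDR = struct.Struct(">IH")
CRC = struct.Struct(">I")
MAX_PAYLOAD = 1024  # a larger length field is treated as corruption, not waited for


def encode_frame(seq, payload):
    """Sender side: wrap one record in a frame."""
    body = HDR.pack(seq, len(payload)) + payload
    return SYNC + body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


class DiodeReceiver:
    """Receiver side: reassemble frames from bytes that arrive in arbitrary chunks."""

    def __init__(self):
        self.buf = b""
        self.expected_seq = None
        self.records = []   # accepted payloads, in arrival order
        self.gaps = []      # (expected_seq, received_seq) whenever frames went missing
        self.corrupt = 0    # frames rejected for a bad CRC or an implausible length

    def feed(self, chunk):
        self.buf += chunk
        while True:
            i = self.buf.find(SYNC)
            if i < 0:
                # No marker yet; keep the last byte in case SYNC is split across chunks.
                self.buf = self.buf[-1:]
                return
            self.buf = self.buf[i:]
            if len(self.buf) < len(SYNC) + HDR.size:
                return  # header not complete yet
            seq, length = HDR.unpack_from(self.buf, len(SYNC))
            if length > MAX_PAYLOAD:
                self.corrupt += 1
                self.buf = self.buf[len(SYNC):]  # resynchronise on the next marker
                continue
            total = len(SYNC) + HDR.size + length + CRC.size
            if len(self.buf) < total:
                return  # wait for the rest of the frame
            body = self.buf[len(SYNC):len(SYNC) + HDR.size + length]
            (crc,) = CRC.unpack_from(self.buf, len(SYNC) + HDR.size + length)
            if zlib.crc32(body) & 0xFFFFFFFF != crc:
                self.corrupt += 1
                self.buf = self.buf[len(SYNC):]  # skip this marker, look for the next
                continue
            self.buf = self.buf[total:]
            if self.expected_seq is not None and seq != self.expected_seq:
                self.gaps.append((self.expected_seq, seq))
            self.expected_seq = seq + 1
            self.records.append(body[HDR.size:])


def simulate(chunk_size=7):
    """Constructed run: frame 2 is lost on the link and frame 3 arrives damaged."""
    records = [b"tank1.level=3.2", b"tank1.level=3.3", b"pump2.state=RUN",
               b"tank1.level=3.1", b"pump2.state=STOP"]
    wire = b""
    for seq, rec in enumerate(records):
        frame = encode_frame(seq, rec)
        if seq == 2:
            continue                                        # never reaches the receiver
        if seq == 3:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # one CRC byte flipped in transit
        wire += frame
    rx = DiodeReceiver()
    for off in range(0, len(wire), chunk_size):             # serial reads return small pieces
        rx.feed(wire[off:off + chunk_size])
    return rx


if __name__ == "__main__":
    rx = simulate()
    print("accepted:", rx.records)
    print("gaps:", rx.gaps, "corrupt frames:", rx.corrupt)
```

Feeding the same stream one byte at a time gives the same result, which is the property that matters on a real port where reads return whatever has arrived. The gap list is what the receiving side would log or graph: on a one-way link "expected 2, got 4" is the only evidence the secure side will ever have that two records were lost.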
 
I have used a data diode before for a single case. It's an expensive thing. In a similar instance elsewhere I found that a protocol gateway between PLCs served well enough to get the job done for a lot less money. Each has its place.

But that's not what I need here. For me it's mostly patch and firmware maintenance that would be the benefit. For the C-level folks, they like to see reports about how well the system is protected.

The media blast regarding Log4j was effective in stirring up their knowledge/fear just enough, so now they want info they are not built to understand. Charts and graphs with lots of green marks and no red marks are what they need to see. Executive Summary I believe is the term often used.

I have a call in to Claroty; Tenable was another option. I just found Langner (the Stuxnet guy) has something.
 
If you are port mirroring, and such an architecture is possible for you (i.e. all data goes through a port, or you have a limited number of ports), you can Wireshark that and use that as a log?
You can trace incoming/outgoing IP addresses and initially generate a list. Later, if you see IPs in the network not from this list, alert?

This should be possible with Wireshark + Ignition, or Wireshark + programming in any flavor of language (even PowerShell, definitely Python).

If you start an open source repository, I would like to contribute to it too.
 
I like to keep things simple; the less communication I have on my network the better. Maybe this is just voodoo in my brain, but I can't help it.

If you have one hole to the outside world, I would use a firewall with the report options you are after.

This could be low budget with an IPCop or a more expensive solution like a Cisco Meraki or similar. My experience is that the more money you spend on the firewall, the less work you need to do to set up the reports.

Better yet, give the office upstairs access to the report section in the firewall and they can munch away in reports all day long 😊
 
All the solutions I am looking at are mostly passive, sniffing the traffic and looking for a pattern of conversations it hasn't seen before (i.e. why is this PLC talking to this PLC this much? It didn't used to do that). The better ones speak CIP and PCCC so can query the PLC for FW versions and even apply rules to alert on what they see in the traffic.

I already have a NetFlow like app monitoring the switchport traffic so if traffic increases or dies I know, but that's not likely to catch anything but failures.

As mentioned, current events have poked higher-level folks who want to be involved, so I expect these kinds of things will be requested more and more, and will be readily available in the coming years for a more reasonable cost than what we have now.
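Two posts above sketch the same home-grown alternative to the passive appliances: learn the IP list from mirrored traffic and alert on IPs not on it (the Wireshark/Python suggestion), and flag conversations that are new or unusually heavy ("why is this PLC talking to this PLC this much"). The block below is an added example of that baseline-and-compare logic, written for this thread and not taken from any of the products or posters mentioned. It assumes the sniffer has already been reduced to per-observation flow records (source, destination, destination port, bytes), which is what a NetFlow export or a tshark conversation table gives you; the CSV rows, the addresses and the function names are constructed for the example. Ports 44818 (CIP explicit messaging) and 2222 (CIP implicit I/O) are real EtherNet/IP ports used here only to make the sample plausible.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records, not a real capture. Columns: ts, src, dst, dport, bytes.
# 10.10.1.10 plays an HMI, 10.10.1.20 and .21 play PLCs that exchange produced/consumed tags.
BASELINE_CSV = """ts,src,dst,dport,bytes
1,10.10.1.10,10.10.1.20,44818,1200
2,10.10.1.10,10.10.1.21,44818,1100
3,10.10.1.10,10.10.1.20,44818,1300
4,10.10.1.10,10.10.1.21,44818,1000
5,10.10.1.20,10.10.1.21,2222,300
6,10.10.1.20,10.10.1.21,2222,320
"""

# Monitoring window: one normal pair, one new PLC-to-PLC conversation on the
# programming port, one volume spike, and one host never seen during learning.
MONITOR_CSV = """ts,src,dst,dport,bytes
7,10.10.1.10,10.10.1.20,44818,1250
8,10.10.1.20,10.10.1.21,2222,310
9,10.10.1.21,10.10.1.20,44818,900
10,10.10.1.10,10.10.1.20,44818,9000
11,10.10.1.99,10.10.1.20,44818,500
"""


def parse_flows(text):
    """Turn CSV flow records into (src, dst, dport, bytes) tuples."""
    return [(r["src"], r["dst"], int(r["dport"]), int(r["bytes"]))
            for r in csv.DictReader(io.StringIO(text))]


def build_baseline(flows):
    """Learning phase: which hosts exist, and the mean bytes per conversation."""
    hosts = set()
    samples = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        hosts.update((src, dst))
        samples[(src, dst, dport)].append(nbytes)
    return {"hosts": hosts,
            "convs": {key: sum(v) / len(v) for key, v in samples.items()}}


def check_flows(baseline, flows, volume_factor=3.0):
    """Detection phase: compare a window against the baseline, return alert dicts."""
    alerts = []
    for src, dst, dport, nbytes in flows:
        unknown = [h for h in (src, dst) if h not in baseline["hosts"]]
        if unknown:
            # An address that was never on the learned list is the strongest signal;
            # report it and do not also pile on a "new conversation" alert.
            alerts.append({"kind": "unknown_host", "host": unknown[0],
                           "src": src, "dst": dst, "dport": dport})
            continue
        key = (src, dst, dport)
        if key not in baseline["convs"]:
            alerts.append({"kind": "new_conversation",
                           "src": src, "dst": dst, "dport": dport})
        elif nbytes > volume_factor * baseline["convs"][key]:
            alerts.append({"kind": "volume", "src": src, "dst": dst, "dport": dport,
                           "bytes": nbytes, "baseline_mean": baseline["convs"][key]})
    return alerts


def run_demo():
    baseline = build_baseline(parse_flows(BASELINE_CSV))
    return check_flows(baseline, parse_flows(MONITOR_CSV))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The learning window has to be long enough to cover the rare but legitimate conversations (a weekly backup, a maintenance laptop that only appears during outages), otherwise the report fills with false "new conversation" entries; a simple mean with a fixed multiplier is also easy to explain in an executive summary, which is half the point of the exercise in this thread.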
 
Here's an update for those who will care. I saw the Claroty demo and talked with them. I liked what they had so I attempted to buy.
Contacted my Rockwell distributor since they were a reseller.

After many delays where Rockwell reps kept trying to upsell their installation services along with it and I was not interested, Rockwell prevented my distributor from selling Claroty to me without the installation assessment services.

I'm looking for another reseller now. So if you want to use this software and are capable of installing and using it yourself... you can't buy it from your Rockwell reseller. It's a pity that they can have this power over third-party software.
 
Just about all the big players are investors in Claroty (Rockwell, Siemens, Schneider), so I figure they have to be at least somewhat legit.


Bummer Rockwell is hard to do business with.....
 