
- CONFIDENTIAL -

5 Things You Should Know About The Industrial Control-Plane

White Paper


Introduction
Executives at industrial organizations, especially those running sensitive manufacturing processes or critical infrastructure, are paying closer attention to the growing number of ICS cyber security incidents and threats that can disrupt operations and cause physical and financial damage.
Securing industrial networks poses unique challenges that stem from the split between control-plane and data-plane communications. While many are familiar with data-plane (a.k.a. user-plane) communications, fewer are familiar with the industrial control-plane. Although it is a critical part of industrial network activity, the control-plane is routinely overlooked. Yet control-plane activity consists of all the engineering activities related to the maintenance lifecycle of the industrial controllers, and since most threats to ICS systems materialize in the industrial control-plane, it is essential to monitor these activities.

Protecting ICS networks begins and ends with gaining visibility and control over control-plane activities.

Here are five things you should know about the industrial control-plane:

1. What is the control-plane?

Generally speaking, each network conceptually consists of three parts, or planes, each carrying a different type of traffic:

The Data Plane, sometimes referred to as the user plane, carries the user-data traffic. In industrial networks the data-plane is used by the HMI and SCADA applications to communicate process parameters and physical measurements between the human operator and the industrial equipment (I/Os).

The Control Plane carries the control information. In industrial networks, control-plane activities include all the engineering activity related to the maintenance lifecycle of the industrial controllers, including any read/change of controller firmware, control-logic, configuration settings, or state.

The Management Plane carries the operations and administration traffic. Since the management plane is considered a subset of the control-plane, we treat it as part of the control-plane and do not refer to it separately.

Control-Plane Definition: The control-plane carries the control information in the network. In industrial networks, control-plane activity consists of any engineering activity related to the maintenance lifecycle of the industrial controllers, including any read/change of controller state, control-logic, configuration settings, or firmware.


The Industrial Control Plane

In industrial networks, industrial controllers (e.g. PLCs, RTUs, DCS controllers) are the brains responsible for the continuous execution of the entire industrial process lifecycle. These controllers are specialized computers provided by vendors like Rockwell Automation, Siemens, GE, Schneider Electric and others. These solid-state industrial computers monitor inputs and outputs and make logic-based decisions.

Image 1: The logical architecture of an industrial controller. Data plane: process parameters. Control plane (includes the management plane): logic, configuration, firmware.


Industrial controllers are programmed and maintained via engineering activities that are executed within the control-plane. Since industrial controllers are the brains managing the process lifecycle, they are the most critical assets in the ICS network.
The controllers are programmed by industrial engineers to execute a specific control-logic that determines how the process should operate and contains safety thresholds to prevent dangerous situations. For example, if an operator requests a process temperature above the safe temperature threshold, the control-logic can determine that the request should be ignored.

Control-plane activities are used by industrial engineers to program and maintain the critical controllers that manage the industrial process lifecycle, and ensure operational safety and continuity.


2. Why is it important to monitor control-plane activities?


Control-Plane activities are used by engineers for programming and maintaining industrial
controllers. These include firmware downloads/uploads, configuration changes and updates
to the control logic.

Image 2: Control-plane activities include all firmware downloads/uploads, configuration changes and updates to the control logic. The HMI and SCADA applications reach the PLC/RTU over the data plane; the engineering station reaches the controller's logic, configuration and firmware over the control plane; the PLC/RTU drives the industrial furnace.

In IT networks, activities like installing a new version of an operating system on a server, or changing its configuration or the software it executes, are considered privileged. They can only be performed by a select group of privileged users such as system administrators, which is why privileged credentials are so valuable to attackers.
In ICS environments, however, the engineering protocols typically have no authentication or encryption mechanisms. Nothing restricts those operating in the ICS network from making changes to the controllers: anyone with network access, whether a trusted employee or a malicious attacker, has unfettered access to these devices.
It is important to emphasize that in a properly designed system, an attempt to cause disruption via the data-plane will probably not result in catastrophic outcomes, because of the safety restrictions contained in the control logic.


However, an attack via the control-plane that shuts down a controller or alters its logic can cause disruptions ranging from minor process glitches to major physical catastrophes, including the leakage of dangerous materials, contamination, and even explosions. Therefore, when adversaries want to cause operational damage, they target industrial controllers via the control-plane. Acting within the control-plane gives adversaries another advantage: it allows them to hide their malicious activities and remain undetected until the damage is done.
Contrary to what many believe, attacking industrial controllers using control-plane activities doesn't require special expertise: basic knowledge of control system engineering is enough to enable someone to make changes to controllers.

Image 3: In a properly configured system, the control logic includes safety restrictions to prevent the execution of unsafe instructions. The HMI requests a setpoint change of FT to 1000 * MAX_FT (FT = furnace temperature); the PLC/RTU replies with an error message and the furnace is untouched. Control logic:
    If val < MAX_FT
        Set FT = val
    Else
        Ignore
        Send Error Message

The ease of the attack execution, together with the potential damage that might be caused, make control-plane activities critical to secure.


Image 4: Example of unauthorized changes made to the control logic: someone deleted the safety restrictions and replaced them with malicious instructions to cause operational damage. An unknown station changes the controller logic; the HMI's ordinary request to change FT to val now sets the furnace to 1000 * MAX_FT (FT = furnace temperature). Tampered control logic:
    If val < MAX_FT
        Set FT = 1000 * MAX_FT
    Else
        Ignore
        Send Error Message
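The two scenarios in Images 3 and 4 modelled as a toy furnace controller, as an added example (not Indegy's code or any vendor's logic): the data-plane path goes through the control logic, which enforces the MAX_FT limit, while the control-plane path replaces the logic itself. The class names, the MAX_FT value and the tampered program are all invented for the illustration.

```python
"""Toy furnace controller: data-plane setpoint writes vs. control-plane logic downloads.

Added illustration for this white paper, not Indegy's code. The class names, the
MAX_FT value and the tampered program are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

MAX_FT = 1200.0  # assumed safe furnace temperature limit (degrees C), not from the paper

# A logic program maps (requested value, limit) -> (accepted?, value to apply).
LogicFn = Callable[[float, float], Tuple[bool, float]]


def safe_logic(val: float, max_ft: float) -> Tuple[bool, float]:
    """The control logic of Image 3: apply the setpoint only if it is below MAX_FT."""
    if val < max_ft:
        return True, val
    return False, 0.0          # ignored; caller sends an error message instead


def tampered_logic(val: float, max_ft: float) -> Tuple[bool, float]:
    """The control logic of Image 4: the comparison still looks like a safety check,
    but what gets applied is 1000 * MAX_FT instead of the requested value."""
    if val < max_ft:
        return True, 1000.0 * max_ft
    return False, 0.0


@dataclass
class FurnacePLC:
    logic: LogicFn = safe_logic
    setpoint: float = 20.0
    errors: List[str] = field(default_factory=list)

    # Data plane: what the HMI/SCADA application can do (e.g. a register write).
    def write_setpoint(self, val: float) -> bool:
        ok, applied = self.logic(val, MAX_FT)
        if ok:
            self.setpoint = applied
        else:
            self.errors.append(f"rejected setpoint {val}: exceeds MAX_FT={MAX_FT}")
        return ok

    # Control plane: an engineering 'download' of new logic. In most ICS protocols
    # nothing authenticates the station that sends it.
    def download_logic(self, program: LogicFn) -> None:
        self.logic = program

    def unsafe(self) -> bool:
        return self.setpoint >= MAX_FT


def data_plane_attack() -> FurnacePLC:
    """Attacker only reaches the data plane: asks for 1000 * MAX_FT, logic rejects it."""
    plc = FurnacePLC()
    plc.write_setpoint(1000.0 * MAX_FT)
    return plc


def control_plane_attack() -> FurnacePLC:
    """Attacker reaches the control plane: swaps the logic, after which an ordinary
    operator request of 500 degrees drives the furnace to 1000 * MAX_FT."""
    plc = FurnacePLC()
    plc.download_logic(tampered_logic)
    plc.write_setpoint(500.0)
    return plc


if __name__ == "__main__":
    a = data_plane_attack()
    print("data-plane attack:    setpoint =", a.setpoint, "unsafe =", a.unsafe(), a.errors)
    b = control_plane_attack()
    print("control-plane attack: setpoint =", b.setpoint, "unsafe =", b.unsafe(), b.errors)
```

Note that after the logic swap the tampered controller reports no error at all: the operator's request is accepted, which is exactly why the paper argues the change has to be detected on the control plane rather than inferred from data-plane behaviour.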

3. Why are control-plane activities difficult to monitor and secure?

The communication protocols used in ICS networks differ from those used in IT networks, and there is a further split between data-plane protocols and control-plane protocols:
Data-plane protocols include well-known industrial protocols like Modbus, PROFINET and DNP3. These protocols are used by HMI/SCADA applications to communicate physical measurements and process parameters (e.g. current temperature, current pressure, valve status). They are typically well documented and standardized.


Control-plane protocols are used for communicating control-plane activities (e.g. firmware download/upload, configuration updates, code and logic changes). These protocols are mostly proprietary and undocumented. Each vendor implements its own engineering protocol for its IEC 61131 programmable controllers, so the protocols vary by vendor and device model. These control-plane protocols often do not even have a public name, because they were meant to be used only internally, by the vendor's engineering software.

Image 5: Different communication protocols used in ICS networks. Data plane (HMI and SCADA to PLC/RTU): standard HMI/SCADA application protocols like Modbus, PROFINET and DNP3. Control plane (engineering station to the controller's logic, configuration and firmware): proprietary, vendor-specific engineering protocols.


Since control-plane activities are executed using proprietary vendor-specific protocols, there is no standard way to monitor them. Most ICS network monitoring tools only have visibility into standard industrial HMI/SCADA application protocols, like Modbus, PROFINET and DNP3. They do not monitor the sensitive control-plane activities.
Unfortunately, ICS networks and controllers typically offer no built-in mechanism that provides event logs or an audit trail to support forensic investigations. This allows adversaries, malicious insiders and human error to go unnoticed until disruptions and damage start to occur.

Monitoring the proprietary control-plane protocols is necessary for detecting unauthorized changes to controllers (malicious or erroneous), and generating real-time alerts when suspicious events occur.
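The split between documented data-plane protocols and proprietary control-plane functions is visible even inside a single protocol. The parser below is an added example (not Indegy's product code): it decodes Modbus/TCP frames and sorts them into data-plane reads/writes, control-plane functions (device identification, diagnostics, and the user-defined or reserved function codes where vendors carry their proprietary engineering traffic), and exception responses. The function-code ranges come from the Modbus Application Protocol specification; the remark that Schneider Electric's UMAS engineering protocol is carried on function code 0x5A is general ICS-monitoring knowledge, not something this paper states. The sample frames are constructed by hand, and the 0x5A payload is filler rather than a real UMAS message.

```python
"""Classify Modbus/TCP frames into data-plane and control-plane traffic.

Added example for this white paper, not Indegy's product code. Function-code
ranges follow the Modbus Application Protocol specification; the sample frames
are constructed by hand and the 0x5A payload is filler, not a real UMAS message.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# Public function codes: the documented "data plane" used by HMI/SCADA applications.
DATA_PLANE_READ = {1, 2, 3, 4, 23}       # read coils/inputs/registers, read-write multiple
DATA_PLANE_WRITE = {5, 6, 15, 16, 22}    # write coil(s)/register(s), mask write
# Codes the specification leaves user-defined (65-72, 100-110) or reserved for legacy
# products; vendors carry proprietary engineering functions here (Schneider's UMAS
# engineering protocol on 0x5A is the best-known case), so treat them as control plane.
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))
RESERVED = {8, 9, 10, 13, 14, 41, 42, 90, 91, 125, 126, 127}
ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes
    plane: str      # "data", "control" or "response"
    action: str


def classify(fc: int, data: bytes) -> Tuple[str, str]:
    if fc & 0x80:
        code = data[0] if data else None
        return "response", f"exception response to fc {fc & 0x7F:#04x}, code {code}"
    if fc in DATA_PLANE_READ:
        return "data", "read process values"
    if fc in DATA_PLANE_WRITE:
        return "data", "write process values (controller logic still enforces its limits)"
    if fc == ENCAPSULATED_INTERFACE:
        if data[:1] == bytes([MEI_READ_DEVICE_ID]):
            return "control", "read device identification (vendor, model, firmware revision)"
        return "control", f"encapsulated interface transport, MEI type {data[:1].hex() or '??'}"
    if fc == 8:
        return "control", "diagnostics (management plane)"
    if fc in USER_DEFINED or fc in RESERVED:
        return "control", f"vendor-specific function code {fc:#04x} (proprietary engineering protocol)"
    return "control", f"unexpected function code {fc:#04x}"


def parse_mbap(frame: bytes) -> ModbusFrame:
    """Parse the MBAP header plus PDU, rejecting frames whose header does not add up."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes present")
    fc, data = frame[7], frame[8:]
    plane, action = classify(fc, data)
    return ModbusFrame(tid, uid, fc, data, plane, action)


def hexframe(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


SAMPLE_FRAMES: Dict[str, bytes] = {            # constructed: tid | pid | len | uid | fc | data
    "read_holding": hexframe("0001 0000 0006 01 03 0000 000a"),   # read 10 registers from 0
    "write_single": hexframe("0002 0000 0006 01 06 0010 01f4"),   # write 500 to register 16
    "device_ident": hexframe("0003 0000 0005 01 2b 0e 01 00"),    # read basic device id
    "vendor_fc_5a": hexframe("0004 0000 0006 01 5a 00 01 02 03"), # reserved fc 0x5A, filler
    "exception":    hexframe("0005 0000 0003 01 83 02"),          # illegal data address
}


def classify_all(frames: Dict[str, bytes] = SAMPLE_FRAMES) -> Dict[str, str]:
    return {name: parse_mbap(raw).plane for name, raw in frames.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_FRAMES.items():
        f = parse_mbap(raw)
        print(f"{name:13s} fc={f.function_code:#04x} {f.plane:8s} {f.action}")
```

A monitor that only understands the public function codes sees the 0x5A frame as noise; the point of the classification is that those frames are precisely the ones carrying logic, configuration and firmware changes, so they deserve the closest attention, not the least.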


4. What are the benefits of monitoring control-plane activities?


As mentioned above, monitoring control-plane activities provides visibility and control over the critical controllers that manage industrial processes. Here are some of the benefits:

Early detection of reconnaissance activities: Monitoring control-plane activities can provide early detection of suspicious activities. These could include requests to read the controller firmware or logic from an unknown laptop, or requests to list open ports on a controller. Such activity may indicate the presence of a malicious actor looking for a way to compromise the system. Monitoring control-plane activities enables the detection of these suspicious requests, which would otherwise go unnoticed, and lets security professionals prevent attacks from being carried out, or at least minimize the damage.

Accurate and informative alerts quickly pinpoint the source of problems: Monitoring control-plane activities enables accurate alerts based on real activity rather than on statistical calculations or anomaly detection. The alerts include detailed information about:
    Which device/controller was impacted?
    What changes were made to the industrial controller logic?
    Who made the changes?
    What was the previous configuration?
Accurate, informative real-time alerts make it possible to quickly respond to and mitigate operational issues before they cause disruptions.

Real-time identification of unauthorized changes to controller logic, configuration or firmware: Custom security and change management policies enable the quick identification of unauthorized changes made to controllers, whether they are mistakes made by employees and contractors or malicious activity executed by an attacker. Quick response helps enforce internal policies and minimize the impact and potential disruptions caused by these activities.

Comprehensive audit trail that fully logs engineering activities: Monitoring control-plane activity also gives you a full audit trail of activities executed by employees as well as by contractors and integrators who connect to your network to work. Until now there has been no practical way to supervise their work. With control-plane monitoring you know exactly what they did, when, and where, and if problems occur later on, you can identify which changes caused them. Note that neither the historian nor the engineering software typically keeps a record of control-plane changes.


Backup and recovery support: Full logging of all changes made to controllers, including configuration changes, logic changes, and firmware updates, enables you to restore controllers to a previously known good state.

Monitoring control-plane activities enables you to effectively respond to events that may compromise your control system before damage is done, and to mitigate problematic changes (whether malicious in nature or operational mistakes) to minimize their impact.
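The benefits listed in this section (reconnaissance detection, who/what/when alerts with the previous state, policy-based identification of unauthorized changes, an audit trail, and rollback to a known good image) reduce to a small amount of logic once control-plane events have been decoded. The monitor below is an added example, not Indegy's product code: it consumes a constructed stream of control-plane events, evaluates them against a policy of authorized engineering stations, a maintenance window and a set of protected controllers, records every event in an audit trail, and keeps the change history per controller component so the previous image is available for rollback. All host names, user names, timestamps, policy values and logic images are invented for the example; a real monitor would produce the events by decoding the vendor engineering protocol on the wire.

```python
"""Policy-based alerting, audit trail and rollback over control-plane events.

Added example for this white paper, not Indegy's product code. The events, host
names, user names and policy values are constructed for the example; a real
monitor would produce such events by decoding vendor engineering protocols.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set

CHANGE_OPS = {"download_logic", "download_firmware", "change_config"}
READ_OPS = {"read_logic", "read_firmware", "read_config"}


@dataclass(frozen=True)
class ControlPlaneEvent:
    ts: datetime
    src_host: str       # station that sent the request (engineering WS or unknown laptop)
    user: str           # user name carried by the engineering protocol ("" if none)
    controller: str
    operation: str      # one of CHANGE_OPS, READ_OPS, or "stop"
    image: bytes = b""  # new logic/firmware/config for CHANGE_OPS, empty otherwise


@dataclass
class Policy:
    authorized_stations: Set[str]
    window_start: time
    window_end: time
    protected_controllers: Set[str]


@dataclass
class Alert:
    severity: str
    event: ControlPlaneEvent
    reasons: List[str]
    previous_image: Optional[bytes]   # state before the change, kept for rollback


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()[:16]


class ControlPlaneMonitor:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.audit: List[ControlPlaneEvent] = []
        self.alerts: List[Alert] = []
        # controller -> component ("logic", "firmware", "config") -> images, oldest first
        self.history: Dict[str, Dict[str, List[bytes]]] = {}

    def current(self, controller: str, component: str) -> Optional[bytes]:
        images = self.history.get(controller, {}).get(component, [])
        return images[-1] if images else None

    def rollback_target(self, controller: str, component: str) -> Optional[bytes]:
        """The image that was in place before the most recent change, if any."""
        images = self.history.get(controller, {}).get(component, [])
        return images[-2] if len(images) >= 2 else None

    def ingest(self, ev: ControlPlaneEvent) -> Optional[Alert]:
        self.audit.append(ev)                      # every engineering activity is logged
        alert = self._evaluate(ev)                 # evaluate before recording the new state
        if alert:
            self.alerts.append(alert)
        if ev.operation in CHANGE_OPS:
            comp = ev.operation.split("_", 1)[1]
            self.history.setdefault(ev.controller, {}).setdefault(comp, []).append(ev.image)
        return alert

    def _evaluate(self, ev: ControlPlaneEvent) -> Optional[Alert]:
        p, reasons, severity = self.policy, [], "medium"
        trusted = ev.src_host in p.authorized_stations
        in_window = p.window_start <= ev.ts.time() <= p.window_end
        if ev.operation in READ_OPS and not trusted:
            reasons.append(f"{ev.operation} from unknown station {ev.src_host} (reconnaissance)")
        if ev.operation in CHANGE_OPS:
            if not trusted:
                reasons.append(f"{ev.operation} from unknown station {ev.src_host}")
                severity = "high"
            if not in_window:
                reasons.append(f"{ev.operation} outside maintenance window at {ev.ts:%H:%M}")
        if ev.operation == "stop" and ev.controller in p.protected_controllers:
            reasons.append(f"stop request to protected controller {ev.controller}")
            severity = "high"
        if not reasons:
            return None
        prev = None
        if ev.operation in CHANGE_OPS:
            prev = self.current(ev.controller, ev.operation.split("_", 1)[1])
        return Alert(severity, ev, reasons, prev)


SAFE_LOGIC = b"IF val < MAX_FT THEN FT := val ELSE error"            # constructed
TAMPERED_LOGIC = b"IF val < MAX_FT THEN FT := 1000 * MAX_FT ELSE error"
POLICY = Policy({"eng-ws-01", "eng-ws-02"}, time(8, 0), time(18, 0), {"PLC-FURNACE-01"})
SAMPLE_EVENTS = [  # constructed event stream
    ControlPlaneEvent(datetime(2016, 5, 10, 2, 13), "laptop-unknown", "", "PLC-FURNACE-01", "read_logic"),
    ControlPlaneEvent(datetime(2016, 5, 10, 9, 30), "eng-ws-01", "jdoe", "PLC-FURNACE-01", "download_logic", SAFE_LOGIC),
    ControlPlaneEvent(datetime(2016, 5, 10, 23, 47), "laptop-unknown", "", "PLC-FURNACE-01", "download_logic", TAMPERED_LOGIC),
    ControlPlaneEvent(datetime(2016, 5, 11, 10, 5), "eng-ws-02", "acme-contractor", "PLC-PUMP-03", "change_config", b"scan=50ms"),
    ControlPlaneEvent(datetime(2016, 5, 11, 14, 0), "eng-ws-01", "jdoe", "PLC-FURNACE-01", "stop"),
]


def run(events: List[ControlPlaneEvent] = SAMPLE_EVENTS) -> ControlPlaneMonitor:
    mon = ControlPlaneMonitor(POLICY)
    for ev in events:
        mon.ingest(ev)
    return mon


if __name__ == "__main__":
    mon = run()
    for a in mon.alerts:
        prev = digest(a.previous_image) if a.previous_image else "-"
        print(f"[{a.severity}] {a.event.ts:%Y-%m-%d %H:%M} {a.event.controller} {a.event.operation} "
              f"by {a.event.user or '<no user>'}@{a.event.src_host}: {'; '.join(a.reasons)} "
              f"(previous image {prev})")
    print("audit entries:", len(mon.audit), "rollback target:", mon.rollback_target("PLC-FURNACE-01", "logic"))
```

The contractor's configuration change on PLC-PUMP-03 produces no alert but still lands in the audit trail, which is the distinction the paper draws between alerting on policy violations and logging every engineering activity; and because the history is recorded after evaluation, the alert for the tampered download carries the safe logic image as its previous state.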

5. What is the ROI for monitoring control-plane activity?

Beyond its security benefits, monitoring control-plane activities also helps ensure operational safety and continuity, delivering these ROI benefits:

Reduce or eliminate the impact of operational disruptions caused by:
    Errors made by employees, contractors and integrators, which happen all too often
    Malicious insiders: disgruntled or politically motivated employees can cause damage
    Adversaries trying to cause disruptions, shut down services or cause physical damage

Automate comprehensive logging of engineering activities: Maintaining a complete log of all engineering activities eliminates undocumented changes. Compared to manual documentation of engineering activities, automation:
    Increases accuracy: no activities are left out
    Frees up professional resources
    Reduces costs

Improve incident response: Enhanced visibility, comprehensive logging and detailed real-time alerts help pinpoint the source of problems, enable faster incident response and reduce professional services expenditures.

Increase safety and reliability: Documenting activities enables detailed reporting to monitor and demonstrate safety and reliability improvements to executives and management.


Faster disaster recovery: In the event of a disruption or disaster, a comprehensive control-activity log provides a full history of changes that makes it easier to restore controllers and resume operations.

Conclusion:
The industrial control-plane is a critical component of the network activity in industrial control systems. Control-plane activities include all the activities taken by industrial engineers to program and maintain the automation controllers that manage the industrial lifecycle. However, since most industrial networks have no authentication or encryption controls that restrict these activities to privileged users, anyone with access to the network can leverage control-plane activities to change the control-logic and cause operational disruptions.
Monitoring the proprietary control-plane protocols is necessary for detecting unauthorized changes to controllers (malicious or erroneous), and generating real-time alerts when suspicious events occur. It provides accurate details on these activities, including the user name of whoever made the change, the date and time, the device that was changed, the actual change made, and the previous state, which is needed if there is a need to revert to a previously known good configuration.
Monitoring control-plane activities enables you to identify suspicious reconnaissance activity, respond to events that may compromise your control system before damage is done, and mitigate problematic changes, whether malicious in nature or operational mistakes, to minimize their impact.

About Indegy:
Indegy provides real-time situational awareness, visibility and security for Industrial Control Systems (ICS) used across critical infrastructure: energy, water utilities, petrochemical plants, manufacturing facilities, etc. The Indegy platform monitors control-plane activity to ensure the reliability of ICS networks and protect against cyber attacks, malicious insiders and operational mistakes. The company was named one of the 10 Most Promising Cyber Security Startups by Forbes Israel, is a TiE50 winner and a Network World Hot Security Startup to Watch. For more information visit www.indegy.com, and follow us on Twitter and LinkedIn.

USA SALES OFFICE
2600 El Camino Real, Suite 601, Palo Alto, CA 94306
Tel (866) 801 5394

INTERNATIONAL HEADQUARTERS
126 Yigal Alon, Building C, Tel Aviv, 6744332, Israel
Tel +972 (3) 530 1783

For support contact support@indegy.com, (866) 801 5394

indegy.com
2016 Indegy, Inc. All rights reserved. Indegy is a registered trademark of Indegy, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.
