White Paper
Introduction
Executives at industrial organizations, especially those dealing with sensitive manufacturing
processes or critical infrastructure, are paying closer attention to the increasing number of
ICS cyber security incidents and threats that can disrupt operations while causing physical
and financial damage.
Securing industrial networks poses unique challenges resulting from the dichotomy between
control-plane and data-plane communications. While many are familiar with data-plane
(a.k.a. user-plane) communications, fewer are familiar with the industrial control-plane.
Although it is a critical part of industrial network activity, the control-plane is invariably
overlooked. Control-plane activity consists of all the engineering activities related to the
maintenance lifecycle of the industrial controllers. Since most threats to ICS systems
materialize in the industrial control-plane, it is essential to monitor these activities.
Protecting ICS networks begins and ends with gaining visibility and
control over control-plane activities.
Here are five things you should know about the industrial control-plane:
Control-Plane Definition:
The control-plane carries the control information in the network. In industrial networks,
control-plane activity consists of any engineering activity related to the maintenance
lifecycle of the industrial controllers, including any read/change of controller state,
control-logic, configuration settings, or firmware.
[Figure: Data Plane: Process Parameters. Control Plane (includes the Management Plane):
Logic, Configuration, Firmware.]
[Figure: Data Plane: HMI, SCADA, PLC/RTU, Industrial Furnace. Control Plane: Engineering;
Logic, Configuration, Firmware.]
However, an attack via the control-plane that shuts down a controller or alters its logic can
cause various disruptions, ranging from minor process glitches to major physical catastrophes,
including the leakage of dangerous materials, contamination, and even explosions. Therefore,
when adversaries want to cause operational damage, they target industrial controllers via the
control-plane. Acting within the control-plane gives adversaries another advantage: it allows
them to hide their malicious activities and remain undetected until the damage is done.
Contrary to what many believe, attacking industrial controllers using control-plane activities
doesn't require special expertise: basic knowledge of control system engineering is enough to
enable someone to make changes to controllers.
[Figure labels: HMI, SCADA, PLC/RTU, Industrial Furnace; Error Message]
Control Logic:
    If val < MAX_FT
        Set FT = val
    Else
        Ignore
        Send Error Message
Image 3: In a properly configured system, the control logic includes safety restrictions to
prevent the execution of unsafe instructions
The ease of executing the attack, together with the potential damage that might be caused,
makes control-plane activities critical to secure.
[Figure labels: Unknown, HMI, SCADA, PLC/RTU, Industrial Furnace; Request: change FT to val;
PLC/RTU: Set FT to 1000 * MAX_FT]
Control Logic:
    If val < MAX_temperature
        Set FT = 1000 * MAX_FT
    Else
        Ignore
        Send Error Message
Image 4: Example of unauthorized changes made to the control logic: In this case
someone deleted the safety restrictions and replaced them with malicious instructions
to cause operational damage
Control-plane protocols are used for communicating control-plane activities (e.g.
firmware download/upload, configuration updates, code and logic changes). These protocols
are mostly proprietary and undocumented. Each vendor uses its own unique implementation of
the IEC-61131 standard for programmable controllers. Therefore, they vary based on the
vendor and device models. Usually these control-plane protocols are unnamed because
they were meant to be used internally only, via the vendor's engineering software.
[Figure: Data Plane: standard HMI/SCADA application protocols like MODBUS, PROFINET and DNP3
(HMI, SCADA, PLC/RTU). Control Plane: proprietary vendor-specific engineering protocols
(Engineering; Logic, Configuration, Firmware).]
Accurate, informative real-time alerts make it possible to quickly respond to and mitigate
operational issues before they cause disruptions.
Real-time identification of unauthorized changes to controller logic, configuration or
firmware: Custom security and change management policies enable the quick identification
of unauthorized changes made to controllers - whether they are mistakes made by employees
and contractors, or malicious activity executed by an attacker. Quick response can help
enforce internal policies and minimize the impact and potential disruptions caused by these
activities.
Comprehensive audit trail that fully logs engineering activities: Monitoring control-plane
activity also gives you a full audit trail of activities executed by employees as well as by
contractors and integrators who connect to your network to do their work. Until today, there
was no way to supervise their work. With control-plane monitoring you know exactly what they
did, when, and where. And if problems occur later on, you can identify what changes caused
the problem. Note that neither the Historian nor the engineering software keeps any record of
control-plane changes.
Backup and recovery support: Full logging of all changes made to controllers, including
configuration changes, logic changes, and firmware updates, enables you to recover controllers
to a previous known good state.
Conclusion:
The industrial control-plane is a critical component of the network activity in industrial
control systems. Control-plane activities include all the activities taken by industrial engineers
to program and maintain the automation controllers which manage the industrial lifecycle.
However, since most industrial networks do not have authentication or encryption controls
that can restrict these activities to privileged users, anyone with access to the network can
leverage control-plane activities to change the control-logic and cause operational disruptions.
Monitoring the proprietary control-plane protocols is necessary for detecting unauthorized
changes to controllers (malicious or erroneous), and generating real-time alerts when
suspicious events occur. It provides accurate details on these activities, including the
username of the person who made the change, the date and time, the device that was changed,
the actual change made, and the previous state, which might be needed if there is a need to
revert to a previously known good configuration.
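The change record described above can be sketched as follows. This is an added example, not code from the white paper or from Indegy's product: it compares a controller snapshot against a known good baseline, using the control logic of Image 3 and Image 4 as constructed sample data. The snapshot dictionaries, the `authorized` policy set and all function names are assumptions made for illustration.

```python
import difflib
import hashlib
from datetime import datetime, timezone

# Constructed snapshots: the control logic of Image 3 (approved) and Image 4 (altered).
APPROVED_LOGIC = "If val < MAX_FT\nSet FT = val\nElse\nIgnore\nSend Error Message"
ALTERED_LOGIC = ("If val < MAX_temperature\nSet FT = 1000 * MAX_FT\n"
                 "Else\nIgnore\nSend Error Message")
ARTIFACTS = ("logic", "configuration", "firmware")


def fingerprint(snapshot):
    """SHA-256 of each artifact, giving a cheap equality check per artifact."""
    return {a: hashlib.sha256(snapshot[a].encode()).hexdigest() for a in ARTIFACTS}


def audit_changes(device, baseline, observed, user, authorized=frozenset(), when=None):
    """Compare an observed controller snapshot with the known good baseline.

    Returns one audit record per changed artifact, carrying the fields the
    paper lists: user, date and time, device, the change, and the previous state.
    `authorized` is a hypothetical change-management policy: (user, artifact) pairs.
    """
    when = when or datetime.now(timezone.utc)
    old, new = fingerprint(baseline), fingerprint(observed)
    records = []
    for artifact in ARTIFACTS:
        if old[artifact] == new[artifact]:
            continue
        diff = list(difflib.unified_diff(
            baseline[artifact].splitlines(), observed[artifact].splitlines(),
            "baseline", "observed", lineterm="", n=0))
        records.append({
            "time": when.isoformat(),
            "user": user,
            "device": device,
            "artifact": artifact,
            # Skip the two file-header lines, keep only removed/added lines.
            "change": [line for line in diff[2:] if line[:1] in ("+", "-")],
            "previous_state": baseline[artifact],  # what to restore on rollback
            "alert": (user, artifact) not in authorized,
        })
    return records
```

A record with `alert` set is a change made outside the policy, whether a mistake or an attack; `previous_state` is what a recovery procedure would write back to the controller.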
Monitoring control-plane activities enables you to effectively identify suspicious
reconnaissance activity, respond to events that may compromise your control system before
damage is done, or mitigate problematic changes, whether malicious in nature, or operational
mistakes, and minimize their impact.
About Indegy:
Indegy provides real-time situational awareness, visibility and security for Industrial Control
Systems (ICS) used across critical infrastructures: energy, water utilities, petrochemical plants,
manufacturing facilities, etc. The Indegy platform monitors control-plane activity to ensure the
reliability of ICS networks and protect against cyber attacks, malicious insiders and operational
mistakes. The company was named one of the 10 Most Promising Cyber Security Startups by
Forbes Israel, is a TiE50 winner and a Network World Hot Security Startup to Watch. For more
information visit www.indegy.com, and follow us on Twitter and LinkedIn.
INTERNATIONAL
HEADQUARTERS
126 Yigal Alon, Building C
Tel Aviv, 6744332, Israel
indegy.com
2016 Indegy, Inc. All rights reserved. Indegy is a registered trademark of Indegy, Inc. All other brands, products, or service
names are or may be trade-marks or service marks of their respective owners.