OT and Cybersecurity — Part III, Network Monitoring and Intrusion Detection using Zeek

SOCFortress
5 min readNov 1, 2024

--

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

See previous blog entries, OT and Cybersecurity — Part I, Introduction,

OT and Cybersecurity — Part II, Recommendations and Best Practices

Operational Technology (OT) environments, which manage industrial systems like manufacturing, energy, and critical infrastructure, face unique cybersecurity challenges. These systems are increasingly connected to IT networks, exposing them to potential cyber threats.

Industrial control systems (ICS) have historically been isolated and less interconnected. Isolation was one of the things that kept these systems more secure behind air gaps, at the cost of lost coordination and collaboration. This is rapidly changing with the rise of Industry 4.0 with increased interconnectivity and integration of smart technologies like Industrial IoT (IIoT) and cloud computing in modern industrial processes.

OT intrusions have spiked since last year.

Network Monitoring and Intrusion Detection in OT Environments

Most attacks against the OT devices utilise the networks on which they are connected. This makes network security monitoring one of the key aspects of the OT security programs. However, combining IT and OT technologies and protocols makes this aspect a challenging one.

Many traditional intrusion detection systems (IDS) may struggle with the unique devices and protocols in OT networks. Proprietary protocols are more common, and they may not be able to be parsed by even OT-specific IDS tools. Additionally, many OT networks are particular to an organisation, and defining what is impactful may vary greatly, even if the same devices and protocols are in use.

When working with OT devices that can have physical impacts, their intended use must be understood to identify any deviations and potential dangers.

Protocols in IT and OT Environments

Enterprise-level IT environments are implemented in various ways, but the devices on the network are most likely using the same protocols, like DNS, HTTP, and SMB, with servers hosting databases or SSH and FTP services.

Traditional IDS systems focus on IT protocols that may not be present on an OT network. As the cyber-threats have emerged, the anti-virus, firewall, and intrusion detection system have been designed as security solutions for the general IT environment.

Depending on the business, operational technology (OT) environments can be much more unique. A factory may have hundreds of Programmable Logic Controllers (PLCs), while an electrical substation may have only a handful of Protective Relays. Amongst the same type of businesses, each OT environment could be achieving similar results with different devices from different vendors. It’s common for vendors to create their own protocol suite for them to use.

While there are enterprise-level OT IDS products, the proprietary protocols they support are not guaranteed to match what exists in an organisation's environment.

Anomaly Detection

Many IDS detections focus on specific attack patterns, like matching on a byte sequence for a known buffer overflow exploit or looking for SQL injection keywords in web requests.

Implementing a monitoring system to determine changes in the operational state of devices should be a part of an ICS/OT cyber security management program. Tools can attempt to detect this activity by looking at patterns in the traffic and alerting on deviations from the normal.

Many OT networks run autonomously, with users logging on only for troubleshooting or data collection. Devices stay in place for years and sometimes are not updated. Because these networks are more static than traditional IT networks and the commands used on the network are repetitive, it can be easier to detect changes from normal in the behavior of devices. If open-source tools understand these devices’ proprietary protocols, anomalous activity can be detected by tracking the communications over time.

Intrusion Detection in OT Environments using Zeek

Zeek has grown to support a range of Operational Technology (OT) and Industrial Control System (ICS) protocols. The ability to decode these protocols provides a substantial advantage in monitoring OT environments. By supporting these additional protocols, Zeek can assist security teams in detecting unusual traffic, unauthorised commands, or potential exploits that could compromise critical infrastructure. Additionally, Zeek’s scripting capabilities allow analysts to extend its capabilities further, providing more tailored insights and detections for unique OT/ICS environments.

Some additional OT-related protocols that can be decoded and analysed by Zeek include:

  • Modbus TCP: Modbus messages to be transmitted over Ethernet networks. Commonly used in manufacturing, building automation, and energy sectors.
  • DNP3 (Distributed Network Protocol 3): Used primarily in electrical and utility sectors for SCADA applications, enabling communication between control centers and substations. DNP3 Secure Authentication (DNP3-SA) adds layers of security to help prevent attacks, which is crucial in critical infrastructure.
  • EtherNet/IP (Ethernet Industrial Protocol): It uses the Common Industrial Protocol (CIP) to structure data and handle messaging between devices like PLCs, sensors, and actuators.
  • S7comm: Facilitates data exchange between Siemens PLCs and other devices, enabling program control, data monitoring, and system diagnostics. Typically works over TCP/IP but is restricted to Siemens devices. It’s generally not secured (no encryption or authentication in native S7comm), so it’s often recommended to use it only in isolated, secure network segments.
  • MQTT (Message Queuing Telemetry Transport): Lightweight messaging protocol designed for machine-to-machine (M2M) communication. It works over TCP/IP and is known for its efficiency and low bandwidth usage. MQTT also supports SSL/TLS for secure communication.
  • BACnet (Building Automation and Control Networks): Widely used for building automation applications like HVAC (Heating, Ventilation, and Air Conditioning), lighting, and security systems. Communicates over UDP/IP and Ethernet, making it suitable for building management systems where interoperability is crucial.
  • CIP (Common Industrial Protocol): Underlies multiple industrial protocols like EtherNet/IP and DeviceNet, used in manufacturing and automation.
  • IEC 60870–5–104: Primarily used in the electrical and utility industries, especially in Europe, for SCADA systems in energy transmission and distribution. It works over TCP/IP and is widely used for monitoring and controlling substations.
  • TASE.2 (ICCP — Inter-Control Center Communications Protocol): It is used for data exchange between control centers in the utility sector, especially in energy production and distribution.

Building additional parsers in Zeek

While there are enterprise-level OT IDS products, the proprietary protocols they support are not guaranteed to match what exists in an organisation’s environment.

Zeek’s Spicy is a parser generator that makes it easy to create robust C++ parsers for network protocols, file formats, and more. Spicy is an all-in-one system enabling developers to write attributed grammars that describe both syntax and semantics of an input format using a single, unified language.

The Spicy toolchain turns such grammars into efficient C++ parsing code that exposes an API to host applications for instantiating parsers, feeding them input, and retrieving their results. At runtime, parsing proceeds fully incrementally — and potentially highly concurrently — on input streams of arbitrary size. Compilation of Spicy parsers takes place either just-in-time at startup (through a C++ compiler); or ahead-of-time either by creating pre-compiled shared libraries, or by giving you generated C++ code that you can link into your application.

Reference: https://docs.zeek.org/projects/spicy/en/latest/

MITRE Enrichment

Cybersecurity analysts are familiar with Mitre applied to enterprise environment. Mitre has also published the “ICS Matrix” allowing analysts using a similar framework and common knowledge while dealing with OT related events.

Reference: https://attack.mitre.org/matrices/ics/

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

--

--

SOCFortress
SOCFortress

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).