ICS Performance Lab
Jim Gilsinn, Kenexis Security
Jim Gilsinn - Bio
• Senior Investigator, Kenexis Security
• ISA-99 Committee (ISA/IEC 62443 Standards)
  – Co-Chair, ISA99 Committee
  – Co-Chair, ISA99 WG2, Security Program
• 23 years engineering experience
  – Last 13 doing ICS networks and cyber security
• MSEE specializing in control theory
INTRO TO ICS NETWORK PERFORMANCE
Industrial Network Types & Metrics: Publish/Subscribe
• Publish/subscribe or peer-to-peer communications
• Main performance metric: Cyclic frequency variability/jitter
• Real-time EtherNet/IP™ uses publish/subscribe
  – Requested/Accepted Packet Interval (RPI/API)
  – Measured Packet Interval (MPI)
Industrial Network Types & Metrics: Publish/Subscribe
• Difference between TPub_Com_Init & TSub_Com_Init is network roundtrip delay
• TPub_Com_Init, TSub_Com_Init not important
• Variability in TPub much more important
• Theoretically, TPub doesn’t need to match TSub
  – In production systems, they are the same
[Figure: Subscriber/Publisher timing diagram with labels TSub_Com_Init, TPub_Com_Init, TPub_1, TPub_2, TPub_N-1, TPub_N, TSub_M]
Performance Testing Methodology: Performance Metrics
• Command/response or master/slave communications
• Main performance metric: Latency
• Large numbers of protocols use this
  – Most (All?) PC-based server/client protocols – HTTP(S), (S)FTP, etc.
  – Most industrial protocols – Modbus/TCP, Profinet, Ethercat, etc.
Industrial Network Types & Metrics: Command/Response
• Difference between TCom_Delay & TRes is network roundtrip delay
• Latency in TCom & TRes important
[Figure: Commander/Responder timing diagram with labels TCom_1, TCom_Delay_1, TRes_1, TCom_2, TCom_Delay_2, TRes_2]
Isolating Traffic Streams
• Isolating traffic streams can be tricky
• 10’s – 100’s of traffic streams in production environment
• Your Wireshark Fu must be strong!
• Usually requires additional post-processing
• Multiple streams can exist between same devices
Isolating Traffic Streams
• Traffic pairs
  – Source IP/MAC address
  – Destination IP/MAC address
  – Source TCP/UDP port
  – Destination TCP/UDP port
• Publish/Subscribe
  – Communication stream ID
  – Sequence number (optional)
• Command/Response
  – Command message/field
  – Response message/field
  – Message ID (optional)
Test Time vs. Packet Interval
[Plot: Measured Packet Interval (ms) vs. Test Time (s)]
• ~62 sec test
• Mean MPI = 2 ms
• Min ~ 1.2
• Max ~ 2.9
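The stream isolation and MPI statistics described on the preceding slides, as an added example that is not from the original talk. The packet records, addresses, stream IDs and function names are constructed for illustration, and sequence-number wraparound is assumed not to occur within the sample.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed capture records (not from the talk); time is in microseconds.
# Both streams run between the same devices and ports, so only the
# communication stream ID tells them apart.
DEV = ("10.0.0.10", "10.0.0.20", 2222, 2222)  # src IP, dst IP, src port, dst port
PACKETS = [(t, *DEV, sid, seq) for t, sid, seq in [
    (0, 0x1A01, 1), (500, 0x1A02, 7), (2000, 0x1A01, 2),
    (4100, 0x1A01, 3), (5900, 0x1A01, 4), (8000, 0x1A01, 5),
    (10500, 0x1A02, 8),
    (30400, 0x1A02, 10),   # seq 9 never arrived
    (40500, 0x1A02, 11),
]]

def isolate_streams(packets):
    """Group packets by address pair, port pair and stream ID."""
    streams = defaultdict(list)
    for t_us, src, dst, sport, dport, stream_id, seq in packets:
        streams[(src, dst, sport, dport, stream_id)].append((t_us, seq))
    return streams

def mpi_stats(samples, rpi_ms):
    """Measured Packet Interval statistics (ms) for one isolated stream.

    Intervals that span a sequence gap are counted as loss rather than
    as MPI samples, so a dropped packet does not look like jitter.
    """
    samples = sorted(samples)
    intervals, lost = [], 0
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if s1 - s0 != 1:
            lost += max(s1 - s0 - 1, 0)
            continue
        intervals.append((t1 - t0) / 1000)
    if not intervals:
        return None
    return {
        "count": len(intervals), "lost": lost,
        "mean": mean(intervals), "min": min(intervals), "max": max(intervals),
        "jitter": pstdev(intervals),  # spread of MPI around its mean
        "max_dev_pct": max(abs(i - rpi_ms) for i in intervals) / rpi_ms * 100,
    }

if __name__ == "__main__":
    rpi_ms = {0x1A01: 2.0, 0x1A02: 10.0}  # assumed RPI per stream
    for key, samples in isolate_streams(PACKETS).items():
        print(hex(key[-1]), mpi_stats(samples, rpi_ms[key[-1]]))
```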
Time Plot for Command/Response
[Plot annotations: Regular Pattern to Delayed Packets; Regular Pattern of Minimal Delayed Packets]
Command/Response Timing Plots
• Quick succession of command/response packets
• Minimal delay in command/response sequence
• Apparently large delay in a single packet
• Example: Rockwell tag reads
[Plot annotations: Quick Succession Read Commands; Delay Until Next Time Sequence]
BUILDING AN ICS LAB
Building an ICS Lab
• Goals
  – Develop a portable lab
  – Capable of demonstrating ICS security
  – Use real ICS equipment to analyze ICS protocol performance
• Purpose
  – Training
  – Demonstration
  – Potential Sales
Control System
• Equipment
  – PLC
  – Digital & Analog I/O
  – Industrial PC
  – Layer 2+ network switch
• Protocols
  – EtherNet/IP
  – Modbus/TCP
• PLC I/O Lighted Buttons
• Buttons have isolated light from NO/NC switch action
• Ladder logic to light button on push
Performance & Security Testing
• Denial of service testing
• Performance analysis
• Control lights separate from button pushes
• Spoof button push signals
• Issue Run/Stop commands to controller
• Test IP reassignment via industrial protocols
• Demonstrate pivoting
Questions
• Contact Me
  – Jim Gilsinn
  – 301-706-9985 or 614-323-2254
  – [email protected]
  – Twitter – @JimGilsinn
  – LinkedIn – http://www.linkedin.com/in/jimgilsinn/
  – SlideShare – http://www.slideshare.net/gilsinnj