71st Annual Instrumentation and Automation Symposium for the Process Industries
Network Reliability Monitoring Using Statistical Modeling and Data
Analysis to Measure the Health and Security of ICS
Jim Gilsinn
Kenexis
Jim Gilsinn
• Senior Investigator, Kenexis Consulting
  – ICS Network & Security Assessments & Designs
  – Developer, Dulcet Analytics, Reliability Monitoring Tool
• International Society of Automation (ISA)
  – ISA99 Committee, Co-Chair (ISA/IEC 62443 Standard Series)
  – ISA99-WG2, Co-Chair (ICS Security Program)
Kenexis
Overview
• Introduction
• Communications Method Affects Metrics
• Network Security Monitoring
• Communications in ICS/SCADA Networks
• What Can Network Reliability Monitoring Show?
• When & How to Test
• ICS/SCADA Performance Metrics
• MITM Example
• Summary
Introduction
• Determinism is one key req. for ICS/SCADA
• Determinism can be affected by many factors:
  – Individual device performance
  – Network performance
  – Intra- & inter-system interactions
  – Security settings
• Some factors can be planned for
• Some factors need to be measured in place
• Network measurements need to be tailored for ICS/SCADA
Comm. Method Affects Metrics
• Master/Slave
• Publish/Subscribe
• Report by Exception
What is NSM?
• “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.”
• “a way to find intruders on your network and do something about them before they damage your enterprise.”
The Practice of Network Security Monitoring, Richard Bejtlich
When NSM Won’t Work?
• “…if you can’t observe the traffic that you care about, NSM will not work well.”
• “Node-to-node activity, though, is largely unobserved at the network level.”
The Practice of Network Security Monitoring, Richard Bejtlich
Example ICS/SCADA Network: Upper-Level Architecture
• Most Traffic Crosses Zone Boundaries
• Less ICS-Specific Protocols
• More Common Platforms
Example ICS/SCADA Network: Lower-Level Architecture
• Most Traffic Remains Within Zone
• Mostly ICS-Specific Protocols
• ICS-Specific Platforms
So… What Can You See?
• ~1ms Mean Measured Packet Interval
• ±10µs Jitter*
• Beat Pattern @ ~30s
• Total Test ~65s
[Plot label: Expected Frequency]
*Jitter is Variation From Expected Frequency
So… What Can You See?
• OS & application operations
  – Garbage collection
  – Antivirus checks & updates
  – On-screen operator commands
• Network anomalies
  – Network EMI interference
  – Signal degradation
  – Flaky connections
• Security-related incidents
When & How To Test
• Baseline Testing
  – FAT, SAT, Commissioning
  – After major changes
• Periodic Testing vs. Real-Time Testing
• Automated Testing & Analysis
ICS/SCADA Performance Metrics
• Easy
  – Mean
  – Minimum
  – Maximum
• Medium
  – Standard Deviation
• More Complex and/or Compute Intensive
  – FFT
  – Convolution
  – Correlation
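Added example (not from the talk or the Dulcet Analytics tool): the easy and medium metrics computed over packet inter-arrival intervals and compared against a baseline capture. The function names, the 3x threshold and both captures are constructed assumptions; the 1 ms interval and 10 µs jitter echo the figures on the earlier slide.

```python
import statistics

EXPECTED = 1e-3  # 1 ms nominal packet interval, as on the jitter slide

def synth_capture(n, offsets, expected=EXPECTED):
    """Constructed timestamps: packet i arrives at i*expected plus a repeating offset."""
    return [i * expected + offsets[i % len(offsets)] for i in range(n)]

def interval_metrics(timestamps, expected=EXPECTED):
    """Easy and medium metrics over packet inter-arrival intervals (seconds)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three packets")
    return {
        "mean": statistics.fmean(gaps),
        "min": min(gaps),
        "max": max(gaps),
        "stdev": statistics.stdev(gaps),
        # Jitter as defined on the slide: variation from the expected interval.
        "max_jitter": max(abs(g - expected) for g in gaps),
    }

def deviations(baseline, current, factor=3.0):
    """Metrics whose value in the current capture exceeds factor x the baseline."""
    return sorted(k for k in ("stdev", "max_jitter")
                  if current[k] > factor * baseline[k])

# Constructed captures (not real traffic): 1001 packets each.
# Baseline: arrival offsets that give at most 10 us of jitter.
BASELINE = interval_metrics(synth_capture(1001, [0, 5e-6, -5e-6, 0]))
# Later capture: every eighth packet arrives 150 us late.
CURRENT = interval_metrics(
    synth_capture(1001, [0, 5e-6, -5e-6, 0, 0, 0, 0, 150e-6]))

if __name__ == "__main__":
    for name in ("mean", "min", "max", "stdev", "max_jitter"):
        print(f"{name:>10}: baseline {BASELINE[name] * 1e6:8.2f} us"
              f"   current {CURRENT[name] * 1e6:8.2f} us")
    # The mean barely moves; the spread and jitter are what change.
    print("exceeds baseline:", deviations(BASELINE, CURRENT))
```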
MITM Example
Summary
• NSM is good
  – If you are doing it, great
  – If not, maybe you should
• NSM can’t detect everything, especially for ICS/SCADA networks
• There are ways to measure network reliability in the lower layers
  – ICS/SCADA networks are particularly well suited to this
  – Relatively simple metrics are good enough to start
• Testing can show more than just security events