OpenICS Decodes Control System Traffic, Builds Data Dictionaries

An ICS protocol sniffer has been released to GitHub. OpenICS builds data dictionaries, rather than signatures, from the packets it captures in order to help business leaders make security decisions.

Industrial control system security has been called archaic, laughable and even non-existent. Most ICS and SCADA systems weren’t built with the Internet in mind, much less security, yet they are at the forefront of manufacturing, building automation and critical infrastructure operations.

Operators and engineers are generally tasked with one thing: uptime. Service availability is king and that often comes at the expense of patching systems, for example, that might require a service to be temporarily taken down.

The processes for monitoring and analyzing incidents are even less refined, experts say. That’s the gap Scott Weston sought to fill with OpenICS, a project sponsored by EnergySec, short for Energy Sector Security Consortium. Released to GitHub recently, OpenICS is a library that decodes sniffed control network traffic; it currently supports three widely used ICS protocols: MODBUS, DNP3 and EIP/CIP.

“These are special-purpose components that know how to interpret control system traffic and build data dictionaries from traffic that can be used to script specific situations that are of interest in an information security context,” Weston said.

The data dictionaries, or metadata repositories, are the key differentiator to OpenICS’ success, Weston said. Rather than developing signatures that can be dumped into an intrusion detection system, data dictionaries can help bridge the expansive gap between security-aware engineers and business operators in critical infrastructure operations.

“Because we operate on a data dictionary, we can write complex predicate expressions against it,” said Weston, who works for a utility in the Pacific Northwest. “You can write complicated, scripted rules to inspect traffic versus signatures that look for a blob within a blob. This is much more powerful for highly technical people and business people.

“I think there’s a divide between highly technical people and business people.

“Technical people understand TCP/IP packets and layers, and business people understand what control systems are supposed to do,” Weston said. “I’d like to get these guys talking by giving them a data dictionary that says ‘These are data artifacts from traffic; use them to make decisions about what is happening and should not be happening.’ I see huge potential here.”

The signature-based model is a foundational IT security technology that requires analysis and manpower to decipher what’s happening; and there isn’t much of a business context to it. Weston said that OpenICS hopes to ease that stressor.

“Signatures treat opaque data as opaque data,” Weston said. “Signatures are very low level and counterintuitive; it requires technical expertise to put signatures together. If you have a module that builds a data dictionary for you, you have it in front of you, and you can write scripted statements about what is and isn’t a security problem.”
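To make the contrast concrete, here is an added illustration (not OpenICS code, and not its API): a minimal decoder that turns a Modbus/TCP frame into a flat data dictionary, and two detection rules written as predicates over that dictionary rather than as byte signatures. The register address, allowed unit ids and sample frames are constructed for the example.

```python
import struct

# Public Modbus function codes used by the decoder.
FUNCTION_NAMES = {3: "read_holding_registers", 6: "write_single_register",
                  16: "write_multiple_registers"}

def decode_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP frame (MBAP header + PDU) into named fields."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:  # MBAP length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    d = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
         "function": FUNCTION_NAMES.get(fc, "unknown")}
    pdu = frame[8:]
    if fc == 3:
        d["start_address"], d["quantity"] = struct.unpack(">HH", pdu[:4])
    elif fc == 6:
        d["register_address"], d["value"] = struct.unpack(">HH", pdu[:4])
    elif fc == 16:
        d["start_address"], d["quantity"], count = struct.unpack(">HHB", pdu[:5])
        d["values"] = list(struct.unpack(">%dH" % d["quantity"], pdu[5:5 + count]))
    return d

# Rules are predicates over the dictionary, phrased in process terms.
# Register 0x10 as a setpoint and units 1-2 as the known devices are assumptions.
RULES = {
    "setpoint_out_of_range": lambda d: d["function_code"] == 6
                                       and d.get("register_address") == 0x10
                                       and d["value"] > 100,
    "unexpected_unit": lambda d: d["unit_id"] not in (1, 2),
}

def evaluate(frame: bytes) -> list:
    """Return the names of all rules that fire for this frame."""
    d = decode_modbus_tcp(frame)
    return [name for name, pred in RULES.items() if pred(d)]

# Constructed sample frames: a write of 255 to register 0x10 on unit 1,
# a benign read of two registers, and a write from an unknown unit 9.
SAMPLE_WRITE = bytes.fromhex("0001000000060106001000ff")
SAMPLE_READ = bytes.fromhex("000200000006" "0103000a0002")
SAMPLE_ODD_UNIT = bytes.fromhex("000300000006" "090600100005")
```

The same rule keeps matching when the transaction id, unit id or framing changes, which is what a fixed byte signature cannot express.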

Weston said he’s working on adding support for more protocols, but the first three were natural starting points given their ubiquity in ICS operations in the United States. He said while EnergySec’s principal sponsorship is crucial, he hopes making it available on GitHub will help it gain traction and act as a gateway for feedback that eventually makes it a commodity feature in many traffic inspection products.

“Definitely the biggest plus I see is that it gets the business involved in security, not just computer geeks,” Weston said. “It’s the business people who know what is and what is not normal on the network, but they know it from a high-level perspective, not a bits-and-bytes perspective. I’m hoping this bridges that gap.”