Intelligent intrusion detection systems for critical infrastructure – alphaWatch System
Laurin Dörr, TG alpha GmbH
© 2022 TG alpha GmbH, All rights reserved.
Intelligent intrusion detection systems for critical infrastructure
(1) Incidents in critical infrastructures
(2) NIS 2.0 EU regulation for critical infrastructure
(3) How an IDS works
(4) Example in a traffic light control system
Critical vulnerability in traffic light controller
• In July 2019, a vulnerability in a traffic light controller was discovered
• It was discovered during a security audit for the city of Darmstadt
• A debugging port that had not been deactivated gave full system access with admin rights
Open Wifi in traffic systems
• Open WLAN interfaces are regularly discovered
• e.g. open interfaces to traffic monitoring cameras were reported several times in 2021
• These can be caused by misconfiguration or firmware bugs
NIS 2.0 EU Directive for critical infrastructure
• Directive for securing critical infrastructures
  – EU directive (expected 2022)
    • Not adopted yet
    • National law within 18 months after adoption
  – New limits
    • >50 employees
    • >10 million annual turnover
  – New areas
    • Manufacturing industry: mechanical engineering, electronics manufacturers, automotive engineering
    • ...
  – Intrusion Detection System (IDS) required
Intrusion Detection System (IDS) Concept
• Finding irregular activities
• Reporting irregular activities to a Security Event and Incident Management (SIEM) system for further correlation and processing
• Combined with automated reactions -> Intrusion Prevention System (IPS)
Intrusion Detection Structures
• Central system
• Distributed system
• Hierarchical system
Intrusion Detection Rulesets
• Whitelisting vs. blacklisting approach
  – Whitelisting
    • Defined ruleset for "normal" network traffic
    • Report of undefined traffic
    • For static networks (industrial environment)
  – Blacklisting
    • Defined ruleset for known attacks
    • Unknown attacks cannot be covered
    • For dynamic networks (office environment)
Intrusion Detection Rule Generation
• Classic rule generation for IDS systems
  – alert tcp ![10.111.20.10,10.0.50.102] any -> any any ( msg:"unknown IP recognized!"; sid:51000000; )
  – alert tcp !10.111.20.10 any -> 10.34.20.10 any ( msg:"not allowed IP talks to 10.34.20.10 IP"; sid:55000010; )
Intrusion Detection Rule Generation – Intelligent rule generation
• Network data: network data is captured over a specified time frame (depending on network size and architecture)
• Statistic: the rules are generated based on the behavior of the network connections
• IDS rules: rules are stored in the IDS and alerts are generated based on the rules
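The three steps above, as an added Python example that is not TG alpha's alphaWatch code: connection tuples from a constructed learning window are reduced to a per-service statistic, turned into Snort-style whitelist rules in the format of the classic rules on the previous slide, and then used to check new connections. The IP addresses are the slide's values or constructed, and the SID range is an assumption.

```python
from collections import defaultdict

# Constructed learning-window sample (not real captures): one tuple per
# observed TCP connection, (src_ip, dst_ip, dst_port). The learning window
# must itself be clean: anything seen here becomes "normal" for the ruleset.
LEARNED_CONNECTIONS = [
    ("10.111.20.10", "10.34.20.10", 102),  # engineering station -> PLC (S7comm)
    ("10.111.20.10", "10.34.20.10", 102),
    ("10.0.50.102", "10.34.20.10", 102),   # SCADA server -> PLC
    ("10.111.20.10", "10.34.20.11", 502),  # engineering station -> Modbus device
]


def learn_whitelist(connections):
    """Statistic step: record which sources talked to each (dst_ip, dst_port)."""
    allowed = defaultdict(set)
    for src, dst, port in connections:
        allowed[(dst, port)].add(src)
    return dict(allowed)


def generate_rules(allowed, base_sid=55000000):
    """IDS-rules step: one Snort-style whitelist rule per destination service.

    The negated source list mirrors the classic rules on the slide, so a rule
    fires for any source the statistic never saw talking to that service.
    """
    rules = []
    for i, ((dst, port), srcs) in enumerate(sorted(allowed.items())):
        src_list = ",".join(sorted(srcs))
        if len(srcs) > 1:
            src_list = f"[{src_list}]"
        rules.append(
            f'alert tcp !{src_list} any -> {dst} {port} '
            f'( msg:"not allowed IP talks to {dst}:{port}"; sid:{base_sid + i}; )'
        )
    return rules


def check_connection(allowed, src, dst, port):
    """Evaluate a new connection the way the generated whitelist would.

    Returns None for learned traffic, otherwise the alert text. A service never
    seen in the learning window is reported too: whitelisting treats undefined
    traffic as an incident, not as background noise.
    """
    srcs = allowed.get((dst, port))
    if srcs is None:
        return f"ALERT unknown service {dst}:{port} contacted by {src}"
    if src not in srcs:
        return f"ALERT not allowed IP {src} talks to {dst}:{port}"
    return None
```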
Visualization of Incidents
• IDS alerts on console level

portvar TankPortPLC 102
var TankPLC 192.168.0.1
var TankC [192.168.0.2]

alert tcp !$TankC any -> $TankPLC $TankPortPLC (msg:"Invalid Source for Setup Connection"; \
    content:"|32 01|"; offset:7; depth:2; \
    content:"|F0|"; offset:17; depth:1; \
    sid:80000000; rev:1;)
alert tcp !$TankC any -> $TankPLC $TankPortPLC (msg:"Invalid Source for ReadVar"; \
    content:"|32 01|"; offset:7; depth:2; \
    content:"|04|"; offset:17; depth:1; \
    sid:80000001; rev:1;)
alert tcp !$TankC any -> $TankPLC $TankPortPLC (msg:"Invalid Source for WriteVar"; \
    content:"|32 01|"; offset:7; depth:2; \
    content:"|05|"; offset:17; depth:1; \
    sid:80000002; rev:1;)
Visualization of Incidents
• Operator view

Visualization of Incidents
• Expert view
Real World Example
• Traffic light control network of a midsize town

Real World Example
• Network of a single traffic light controller

Real World Example
• Secured traffic light controller

Real World Example
• Network communication in a single traffic light controller with camera
• Detected by an IDS sensor
Conclusion
• Connected infrastructure needs to be secured against cyber-security risks
• Increasingly tightened government regulations
• Intrusion detection systems help to reach these goals
Thank you for your attention.
Questions?
TG alpha GmbH, Ulrichsberger Str. 17, 94469 Deggendorf, T +49 (0) 991 40 22 71-0, E-Mail: office@tgalpha.de
Intertraffic booth 01.200AV