Increasingly, security teams are tasked with identifying, understanding, and managing risk around devices that may live outside the traditional IT umbrella. Operational Technology (OT) refers to computing systems that are used to manage and process operational functions as opposed to administrative operations, with Industrial Control Systems (ICS) being a major segment of that OT sector. These devices include building controls & automation, the various components of critical infrastructure (power grid, water treatment, etc.), manufacturing, and similar applications.
We consistently hear that our customers need better visibility into the ICS/OT devices and protocols on their networks for awareness, inventory management, incident triage, and forensics. The more specific use cases for this visibility range from traditional security/IR (perhaps an ICS device is involved in an incident) to improved device inventory for the security and network teams (it’s hard to protect what you don’t know about), to monitoring network behavior for specific risks (why is a lighting controller talking to a payroll server?). All of these are reasons that security teams need to maintain awareness and visibility of those ICS/OT protocols, even on traditional IT networks. Moreover, many of these protocols are unauthenticated and unencrypted, allowing easy visibility but also presenting significant risks to protect against unauthorized access and abuse.
For several years, Corelight has provided built-in analyzers from Zeek (Modbus, DNP3), along with a set of analyzers written by Amazon, to help our customers achieve better ICS/OT visibility. The ICSNPP collection, an improvement and extension of these analyzers by CISA, was developed in collaboration with several Corelight customers.
With our version 27.5 update, we are excited to announce the launch of Corelight’s ICS/OT Collection, which now includes many of the most common ICS/OT protocols currently in use. Each of the analyzers can be easily enabled with a simple option. Detailed protocol logs are generated for each package, and the new services are also identified in the connection log.
Some example protocols currently available in the Corelight ICS/OT collection include:
BACnet: Protocol for building automation and control systems
DNP3: Protocol for utility industry control system communication
Ethercat: High-speed industrial Ethernet protocol for real-time control
Ethernet/IP and CIP: Protocols for industrial automation and device integration
Modbus: Widely used protocol for serial communication between devices
PROFINET: Ethernet-based protocol for industrial automation and process control
S7Comm: Siemens' protocol for communication with S7 programmable logic controllers
TDS: Tabular Data Stream, a protocol used by Microsoft SQL Server for database communication
This new collection solidifies our commitment to ICS/OT visibility and makes it easy for all Corelight customers to mitigate the risks associated with unmanageable and critical infrastructure devices. We’re already planning our next installments for the ICS/OT collection, including some novel analyzers from Corelight to expand protocol coverage and summarization for some of the more commonly used protocols. This summarization will make it easier to understand how controllers and devices are interacting with each other, and identify unusual patterns.
We welcome your feedback on the new ICS/OT collection, and would love to hear what other protocols or data you’d like to see. Contact your Corelight representative to learn more, or check out our website.