I&C Exercise 3 - Baseline Operations Analysis

Scenario

As a computer security specialist for your organization, you are tasked with investigating abnormal I&C process behaviors and determining a possible cause.


Objective

After performing a baseline of normal operational behavior of the system by using trend graphs and network fingerprinting, compare the baselines to abnormal operations and identify the malicious source. Methods to monitor, identify, respond to, mitigate, and prevent attacks on your own environment will be demonstrated.

Setup and Background

Before continuing with this exercise, be familiar with the following:

  • I&C Human Machine Interface (HMI) operation
  • Pump operation
  • Tank level indicators
  • How valve position affects system flow
  • Emergency stop (E-STOP) functionality

Knowing the basic operation of the process will help you better understand the baseline concept of this exercise. If you encounter any problems, please ask for help.

Operating the test system (i.e. High and Low tank alarms, tank level operation, valve positioning, trends, etc.) will provide an understanding of normal operations. By documenting baseline system operations you can recognize when something changes that could be the result of hardware failure, human error, or malicious intent.

Exercise Steps & Questions

Step 1 - Baseline the Process Behaviour

Baseline the process using the Trend Graph (Trend_1) tool:

  1. On the EWS, start with the tank in the full state (95 liters).
  2. Empty the tank: Enter 100 for Valve-01 and turn on Pump-01B.
  3. Click the F2 button at the bottom of the HMI screen to open the Trend 1 tank level graph.

[Figure: hmi-f2-trend-button]

  4. When the tank is empty (steady horizontal line at 10 liters), click the Stop button at the bottom of the Trend 1 graph window.

[Figure: hmi-stop-button]

  5. Save a screenshot of the graph by selecting the graph window and then using the keyboard combination Alt+PrtScn.

  6. Open Microsoft Paint from the desktop or Start menu and paste the screenshot into Paint by clicking the paste icon:

[Figure: paint-paste-icon]

Your screenshot should be similar to the following:

[Figure: hmi-example-trend]

  7. Save the new screenshot to the desktop for future reference by clicking the Menu button in the upper left corner and selecting Save As. Name the file and save it to the desktop. You have now documented the baseline trend behavior for emptying the tank.

[Figure: paint-save-as]

Step 2 - Baseline the PLC Network Traffic

Baseline the process PLC network traffic using the network fingerprinting technique learned in the previous I&C exercise.

  1. Start a network capture: Open Wireshark and double click on Local Area Connection.

  2. Fill the tank: Turn on Pump-01A.

  3. Once the tank reaches the high limit and shuts off Pump-01A, stop the Wireshark capture.

  4. Filter the network traffic to only show the packets sent to or from the PLC by entering the following display filter into Wireshark: ip.addr == 192.168.0.1

  5. In Wireshark, click the Statistics menu and then click Conversations. In the Conversations window select the IPv4 tab at the top. At the bottom of the window, select the checkbox Limit to display filter to only show PLC conversations.

Questions

Note: Once completed, this list of unique conversations is the baseline for PLC communications. Any communications outside this list should be cause for concern.

Step 3 - Identifying Abnormal Process Behaviour

In this step, you will use the screenshot of the trend baseline to identify abnormalities in the process:

  1. With the tank filled, select Trend (F2) and start a live trend (play button).
  2. Empty the tank: Enter 100 for Valve-01 and turn on Pump-01B.
  3. Once the tank level begins to trend down, from the Automated Lab Exercise Web Server click I&C Exercise 4.1 and then click Run Exercise.
  4. Monitor the trend graph for variances from the baseline as the exercise executes.

Note: This could be done from the I&C touch panel, allowing you to have the baseline screenshot open on the EWS for easy comparison.
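The comparison you make by eye in Step 3 can also be made numerically. The following is an added example, not part of the exercise materials: it stands in for the Step 1 screenshot with a constructed linear drain from the full level (95 liters) to the empty level (10 liters), then compares a constructed live trend against it and reports the first sample that leaves the baseline by more than an assumed tolerance. The drain rate, sample interval and tolerance are assumptions chosen for illustration.

```python
"""Compare a live tank-level trend against the Step 1 baseline drain."""

FULL_LEVEL = 95.0   # liters, tank full (from the exercise)
EMPTY_LEVEL = 10.0  # liters, the steady horizontal line at the end of the baseline
TOLERANCE = 3.0     # liters; assumed spread between two normal drains


def baseline_drain(rate_lps=0.5, step_s=10):
    """Constructed stand-in for the baseline screenshot: a linear drain clipped at empty."""
    series, t, level = [], 0, FULL_LEVEL
    while True:
        series.append((t, level))
        if level <= EMPTY_LEVEL:
            break
        t += step_s
        level = max(EMPTY_LEVEL, level - rate_lps * step_s)
    return series


# Constructed live trend: identical to the baseline until t=60 s, then the level
# stops falling and starts to rise even though Valve-01 is open and Pump-01B is on.
LIVE_TREND = [(t, lvl) for t, lvl in baseline_drain() if t <= 60] + [
    (70, 65.0), (80, 65.0), (90, 66.0), (100, 68.0), (110, 70.0),
]


def compare_trend(baseline, live, tolerance=TOLERANCE):
    """Return (onset_time, deviations) where each deviation is (t, live_level, residual).

    A positive residual means the tank is draining slower than the baseline or filling;
    a negative residual means it is draining faster than the baseline.
    """
    base = dict(baseline)
    deviations = []
    for t, lvl in live:
        if t not in base:
            continue  # only compare samples taken at baseline timestamps
        residual = lvl - base[t]
        if abs(residual) > tolerance:
            deviations.append((t, lvl, residual))
    onset = deviations[0][0] if deviations else None
    return onset, deviations


if __name__ == "__main__":
    onset, devs = compare_trend(baseline_drain(), LIVE_TREND)
    print("first deviation at t=%s s" % onset)
    for t, lvl, res in devs:
        print("t=%3d s level=%.1f L residual=%+.1f L" % (t, lvl, res))
```

The tolerance absorbs the small run-to-run spread you would see between two normal drains; the onset time is what you compare against the moment you clicked Run Exercise.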

Questions

Step 4 - Identify Abnormal PLC Communications

In this step, you will use the baseline PLC Conversations table from Step 2 to identify conversations with the PLC that are not in the baseline:

  1. Start a network capture: Open Wireshark and double click on Local Area Connection.
  2. Fill the tank: Turn on Pump-01A.
  3. From the Automated Lab Exercise Web Server click Run Again on I&C Exercise 4.1.
  4. When the pump automatically shuts off, stop the Wireshark capture.
  5. Filter the network traffic to only show the packets associated with the PLC by entering the following display filter into Wireshark: ip.addr == 192.168.0.1
  6. In Wireshark, click the Statistics menu and then click Conversations. In the Conversations window select the IPv4 tab at the top. At the bottom of the window, select the checkbox Limit to display filter to only show PLC conversations.
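What the Conversations window does for you in Steps 2 and 4 can be reproduced in a few lines, which makes the baseline comparison repeatable instead of a visual check. The following is an added example rather than part of the exercise: it rebuilds the IPv4 Conversations table limited to ip.addr == 192.168.0.1 from constructed packet records and reports every conversation that appears in the second capture but not in the baseline. The packet records and the EWS address 192.168.0.10 and the unknown host 192.168.0.66 are constructed assumptions; only the PLC address comes from the exercise.

```python
"""Rebuild Wireshark's IPv4 Conversations table for the PLC and diff two captures."""

PLC_IP = "192.168.0.1"  # the address used in the exercise's display filter

# Constructed packet records (src, dst, frame length in bytes); not a real capture.
# Step 2 baseline: the EWS/HMI (assumed 192.168.0.10) polling the PLC, plus
# unrelated chatter that the display filter ip.addr == 192.168.0.1 drops.
BASELINE_CAPTURE = [
    ("192.168.0.10", "192.168.0.1", 85),
    ("192.168.0.1", "192.168.0.10", 91),
    ("192.168.0.10", "192.168.0.1", 85),
    ("192.168.0.10", "192.168.0.25", 60),   # not PLC traffic
    ("192.168.0.25", "192.168.0.10", 60),
]
# Step 4 capture: the same polling plus an assumed unknown host talking to the PLC.
EXERCISE_CAPTURE = BASELINE_CAPTURE + [
    ("192.168.0.66", "192.168.0.1", 97),
    ("192.168.0.1", "192.168.0.66", 83),
]


def plc_conversations(packets, plc=PLC_IP):
    """Wireshark-style IPv4 conversations limited to packets to or from the PLC.

    A conversation is an unordered address pair; the value is (packets, bytes),
    matching the Packets and Bytes columns of the Conversations window.
    """
    table = {}
    for src, dst, length in packets:
        if plc not in (src, dst):          # "Limit to display filter"
            continue
        key = tuple(sorted((src, dst)))    # A->B and B->A are one conversation
        pkts, byts = table.get(key, (0, 0))
        table[key] = (pkts + 1, byts + length)
    return table


def compare_to_baseline(baseline, observed):
    """Return conversations present in `observed` but absent from `baseline`."""
    return {key: val for key, val in observed.items() if key not in baseline}


def format_report(new_conversations):
    """One line per conversation outside the baseline."""
    return [
        "NEW conversation %s <-> %s: %d packets, %d bytes" % (a, b, pkts, byts)
        for (a, b), (pkts, byts) in sorted(new_conversations.items())
    ]


if __name__ == "__main__":
    base = plc_conversations(BASELINE_CAPTURE)
    observed = plc_conversations(EXERCISE_CAPTURE)
    for line in format_report(compare_to_baseline(base, observed)):
        print(line)
```

Exporting the real tables from Wireshark (the Conversations window can copy its contents) and feeding them to compare_to_baseline gives the same result as the manual comparison in Step 4, and can be rerun for Exercises 4.2 and 4.3.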

Note: Feel free to go back and re-run I&C Exercise 4.1 to try to figure out what the attack is trying to do.

Reference

COTP (Connection Oriented Transport Protocol) is defined in ISO 8073. The Siemens-specific protocol used in this I&C system is carried over COTP, so Wireshark is able to identify it as such. Understanding the higher-layer protocol requires specific knowledge and decoding of the Siemens protocol contained in the data portion of the packet.

COTP Source @ wireshark.org

S7COMM is a Siemens proprietary protocol for communicating with and between PLCs. It is used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA (Supervisory Control and Data Acquisition) systems, and diagnostics. The S7COMM data is carried as the payload of COTP data packets. Its first byte is always 0x32, which serves as the protocol identifier.

S7Comm Source @ wireshark.org
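The layering described above (TPKT, then COTP, then an S7COMM PDU whose first byte is 0x32) can be decoded without Wireshark once you know the header layout. The following is an added example and not part of the exercise or of Wireshark: it parses the TPKT and COTP headers, checks the 0x32 protocol identifier, reads the S7COMM header fields and the function code from the parameter block, and flags requests that change PLC state rather than read it. The field names follow Wireshark's s7comm dissector; the sample frames and the host addresses in them are constructed for the example.

```python
"""Decode TPKT -> COTP -> S7COMM from a TCP port 102 payload and classify the request."""
import struct

# Message types (ROSCTR) and function codes as named by Wireshark's s7comm dissector
ROSCTR_NAMES = {0x01: "Job", 0x02: "Ack", 0x03: "Ack_Data", 0x07: "Userdata"}
FUNCTION_NAMES = {0x04: "Read Var", 0x05: "Write Var", 0x28: "PLC Control",
                  0x29: "PLC Stop", 0xF0: "Setup communication"}
# Job functions that change PLC state; a defender wants these called out explicitly
STATE_CHANGING = {0x05, 0x28, 0x29}


def parse_s7comm(payload: bytes) -> dict:
    """Parse one TPKT/COTP/S7COMM PDU and return the decoded header fields."""
    # TPKT (RFC 1006): version 3, reserved byte, 16-bit length of the whole packet
    if len(payload) < 7 or payload[0] != 0x03:
        raise ValueError("payload does not start with a TPKT header")
    (tpkt_len,) = struct.unpack("!H", payload[2:4])
    if tpkt_len != len(payload):
        raise ValueError("TPKT length does not match payload length")
    # COTP: length indicator, PDU type (0xF0 = Data TPDU), TPDU number with EOT bit
    cotp_li, pdu_type = payload[4], payload[5]
    if pdu_type != 0xF0:
        raise ValueError("COTP PDU type 0x%02x is not a Data TPDU" % pdu_type)
    s7 = payload[5 + cotp_li:]
    # S7COMM header: protocol id 0x32, ROSCTR, 2 reserved bytes, PDU ref, param len, data len
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("missing S7COMM protocol identifier 0x32")
    rosctr = s7[1]
    pdu_ref, param_len, data_len = struct.unpack("!HHH", s7[4:10])
    header_len = 12 if rosctr in (0x02, 0x03) else 10  # Ack/Ack_Data add 2 error bytes
    if len(s7) < header_len + param_len + data_len:
        raise ValueError("truncated S7COMM PDU")
    params = s7[header_len:header_len + param_len]
    function = params[0] if params else None     # first parameter byte is the function code
    return {
        "rosctr": ROSCTR_NAMES.get(rosctr, "0x%02x" % rosctr),
        "pdu_ref": pdu_ref,
        "function_code": function,
        "function": None if function is None else FUNCTION_NAMES.get(function, "0x%02x" % function),
        "state_changing": rosctr == 0x01 and function in STATE_CHANGING,
    }


def flag_state_changing(frames):
    """Decode (src, dst, payload) records and return those that are state-changing Jobs."""
    flagged = []
    for src, dst, payload in frames:
        try:
            msg = parse_s7comm(payload)
        except ValueError:
            continue  # not S7COMM (or malformed); leave to a separate malformed-traffic check
        if msg["state_changing"]:
            flagged.append({"src": src, "dst": dst, **msg})
    return flagged


# Constructed frames (hex), laid out as TPKT | COTP DT | S7COMM header | parameters | data.
# Read Var Job, one item (the normal HMI polling seen in the baseline):
READ_VAR_JOB = bytes.fromhex("0300001f02f080" "320100000001000e0000" "0401"
                             "120a10020001000083000000")
# Ack_Data reply to it from the PLC (12-byte header carrying error class/code):
READ_VAR_ACK = bytes.fromhex("0300001a02f080" "320300000001000200050000" "0401"
                             "ff04000805")
# Write Var Job, one item plus one data item:
WRITE_VAR_JOB = bytes.fromhex("0300002402f080" "320100000002000e0005" "0501"
                              "120a10020001000083000000" "0004000801")

SAMPLE_FRAMES = [
    ("192.168.0.10", "192.168.0.1", READ_VAR_JOB),   # assumed EWS polling the PLC
    ("192.168.0.1", "192.168.0.10", READ_VAR_ACK),
    ("192.168.0.66", "192.168.0.1", WRITE_VAR_JOB),  # assumed unknown host writing to the PLC
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLE_FRAMES:
        print(src, "->", dst, parse_s7comm(payload))
    for hit in flag_state_changing(SAMPLE_FRAMES):
        print("STATE-CHANGING request:", hit["src"], "->", hit["dst"], hit["function"])
```

Combined with the conversation baseline from Step 4, this answers the follow-up question the note above asks: not just which host is talking to the PLC, but whether it is only reading values or issuing writes and control commands.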

Step 5 - More Attack Analysis (Optional)

Perform the same steps in this exercise with I&C Exercise 4.2 and 4.3 and determine what those attacks are attempting to do.
