The present invention is directed to methods and apparatus for analyzing communication protocols to prevent network intrusion.
Deep Packet Inspection (DPI) for anti-intrusion security combines the functionality of an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) with a traditional stateful firewall. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. However, stateful firewalls, which can detect the beginning and end of a packet flow, cannot, on their own, detect events that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability to block such an attack. DPIs can be used to prevent attacks from viruses and worms at wire speeds. More specifically, DPI can be effective against buffer overflow attacks, Denial of Service (DoS) attacks, sophisticated intrusions, and a small percentage of worms that fit within a single packet. However, a greater level of security control is required for complex industrial networks.
Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) normally rely on signature comparison tools such as the SNORT program maintained by Sourcefire. Most security vendors use some variation of this program, modified for their specific product offering.
SNORT, an intrusion detection and intrusion prevention product, has been used in products that can interpret industrial protocols and perform a signature-based comparison on a portion of a data stream. However, a problem arises because programs like SNORT do not convert the data stream into meaningful data. Tests indicate that signature-based systems are, at best, about 30% accurate in detecting attack vectors. The tests produced large numbers of false positives and false negatives. The present inventor believes that this inaccuracy results from the difficulty of accurately performing a bit set comparison against an industrial protocol.
At least one vendor, Digital Bond, is known to supply a product that compares a known signature to multiple packets that have been parsed and reassembled for comparison. However, some objects within, for example, CIP (Common Industrial Protocol) have multiple embedded objects, and thus cannot be properly analyzed by a signature comparison even with the use of protocol specific preprocessors. False positive and false negative detections of threats and intrusions occur in numbers that may be unacceptable in some industrial automation and critical infrastructure systems.
Industrial automation and critical infrastructure can include plant automation on the plant floor, pipeline, power plants, power distribution, water, waste water, formalized science manufacturing, food manufacturing and packaging, mining, minerals, and cement. All of these and others fall within the spectrum of industrial automation in critical infrastructure, so this list is not intended to be complete or all inclusive. The production of a physical product, or a tangible product like electricity, is also considered to fall within industrial automation and/or critical infrastructure. A common feature of this infrastructure is that, on the plant floor, programmable logic controllers (PLCs) control robots. Most of these PLCs can be held in one's hand and are typically programmed using ladder logic. PLCs can be programmed by industrial engineers.
There are many manufacturers, such as Allen-Bradley, GE, Coryell, Emerson, ABB, Siemens, etc., that build these PLC controllers. In one plant, step one of a ladder logic program may be, for example, to raise a robot arm 17.2° in 1.3 seconds and then to rotate the hand 63° in 3.2 seconds. This logic cascades down as control passes to the next logic controller, which, for example, may swing an entire robot assembly around. Additional logic controllers may perform other steps in sequence down an assembly line. Further down the line, another logic controller may write data to a logic controller in the assembly line to make that logic controller speed up or slow down according to the number of manufactured items coming through the assembly line. Other devices, such as process servers, control processes that are very high speed or that may involve numerous variables. Other devices found on a plant floor can include HMIs, human-machine interfaces such as display screens that allow a process engineer to see that a process is running properly and to enter data to change something.
At one time, all process controllers ran on proprietary protocols. For example, some process controllers used a serial-driven protocol with proprietary hardware. Thus, the controllers had unique electrical connectors that were proprietary to the individual manufacturers, and the whole control loop, including the process controllers, was completely isolated. Management's need for efficiency and ERP data was met by floor operators using manual paper-and-pencil techniques. However, these techniques became inadequate as real-time efficiency measurements, inventory numbers, and supplier delivery orders based on supplier lead times were desired. Furthermore, CEOs wanted to know why, for example, their company's plant in India operated at high efficiency except on Tuesdays while their plant in Malaysia operated at high efficiency except every fourth Wednesday of the month.
A solution to these data needs was to converge real-time data from different locations onto Ethernet. One such protocol is known as CIP, the Common Industrial Protocol. Another such protocol is known as PROFINET. DNP3 is a master-slave serial protocol used predominantly in chemical plants, in power substations, and in power plants. For example, the DNP3 protocol can be used to shut off or turn on breakers and/or motors.
At a higher level, the ICCP (inter control center protocol) is used to provide communication between electrical grids. Another protocol known as OPC is an open source standard interpretive language that can be used for communication between a plant floor and a database server. This language allows transformation of data sets between different protocols.
The use of such diverse protocols can leave industrial plants vulnerable. For example, many believe that the Stuxnet worm will be adapted from a vector spread by a USB key to, possibly, server-side scripts or e-mail, and that it will change protocol from, for example, PROFINET to CIP so that it is able to attack other types of controllers.
The security of critical infrastructure has become such a major concern that the NSA, the Department of Homeland Security, and the Department of Defense have their own laboratories, and are now under a directive by presidential order to implement various security measures.