Detection of mis-configuration and hostile attacks in industrial control networks using active querying
10261489 · 2019-04-16
Cpc classification
Y02P90/02
GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
G05B2219/31436
PHYSICS
G05B2219/13197
PHYSICS
G06F21/572
PHYSICS
G05B2219/31203
PHYSICS
International classification
G05B19/05
PHYSICS
G06F21/51
PHYSICS
G05B19/418
PHYSICS
Abstract
A method includes requesting a controller, which controls one or more field devices in an industrial control network, to report code currently used by the controller for controlling the field devices. The code reported by the controller is compared with a stored baseline version of the code, and a notification is issued upon detecting a discrepancy between the code reported by the controller and the baseline version.
Claims
1. A method, comprising: in a management appliance that is connected to an industrial control network in which a controller controls one or more field devices, running in parallel a passive monitoring process and an active querying process, wherein the passive monitoring process comprises (i) continuously intercepting traffic exchanged over the industrial control network, (ii) checking whether the intercepted traffic comprises a code-update transaction that is sent to the controller and based on which the controller updates a code currently used for controlling the field devices, (iii) if the traffic comprises the code-update transaction, checking whether the code-update transaction is legitimate, and (iv) if the code-update transaction is legitimate, using the code-update transaction to update an up-to-date trustworthy baseline version of the code stored in the management appliance, and wherein the active querying process comprises (i) requesting the controller to report the code currently used by the controller for controlling the field devices, and (ii) comparing the code reported by the controller with the baseline version of the code; and interacting between the passive monitoring process and the active querying process, including issuing a notification (i) if the active querying process detects a discrepancy between the code reported by the controller and the baseline version that is being continuously updated by the passive monitoring process, or (ii) if the passive monitoring process detects that the code-update transaction is illegitimate.
2. The method according to claim 1, wherein the code comprises at least one code type selected from a group of types consisting of firmware, application logic and configuration parameters of the controller.
3. The method according to claim 1, wherein comparing the reported code to the baseline version comprises comparing a first digest of the reported code with a second digest of the baseline version.
4. The method according to claim 1, wherein requesting the controller to report the code comprises emulating an engineering protocol used for configuring the controller.
5. A management appliance connected to an industrial control network in which a controller controls one or more field devices, the management appliance comprising: a memory; and a processor, which is configured to: run in parallel a passive monitoring process and an active querying process, wherein the passive monitoring process (i) continuously intercepts traffic exchanged over the industrial control network, (ii) checks whether the intercepted traffic comprises a code-update transaction that is sent to the controller and based on which the controller updates a code currently used for controlling the field devices, (iii) if the traffic comprises the code-update transaction, checks whether the code-update transaction is legitimate, and (iv) if the code-update transaction is legitimate, uses the code-update transaction to update an up-to-date trustworthy baseline version of the code stored in the management appliance, and wherein the active querying process (i) requests the controller to report the code currently used by the controller for controlling the field devices, and (ii) compares the code reported by the controller with the baseline version of the code; and interact between the passive monitoring process and the active querying process, including issuing a notification (i) if the active querying process detects a discrepancy between the code reported by the controller and the baseline version that is being continuously updated by the passive monitoring process, or (ii) if the passive monitoring process detects that the code-update transaction is illegitimate.
6. The management appliance according to claim 5, wherein the code comprises at least one code type selected from a group of types consisting of firmware, application logic and configuration parameters of the controller.
7. The management appliance according to claim 5, wherein the processor is configured to compare the reported code to the baseline version by comparing a first digest of the reported code with a second digest of the baseline version.
8. The management appliance according to claim 5, wherein the processor is configured to request the controller to report the code by emulating an engineering protocol used for configuring the controller.
9. A computer software product, the product comprising a tangible non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by a processor in a management appliance connected to an industrial control network in which a controller controls one or more field devices, cause the processor to: run in parallel a passive monitoring process and an active querying process, wherein the passive monitoring process (i) continuously intercepts traffic exchanged over the industrial control network, (ii) checks whether the intercepted traffic comprises a code-update transaction that is sent to the controller and based on which the controller updates a code currently used for controlling the field devices, (iii) if the traffic comprises the code-update transaction, checks whether the code-update transaction is legitimate, and (iv) if the code-update transaction is legitimate, uses the code-update transaction to update an up-to-date trustworthy baseline version of the code stored in the management appliance, and wherein the active querying process (i) requests the controller to report the code currently used by the controller for controlling the field devices, and (ii) compares the code reported by the controller with the baseline version of the code; and interact between the passive monitoring process and the active querying process, including issuing a notification (i) if the active querying process detects a discrepancy between the code reported by the controller and the baseline version that is being continuously updated by the passive monitoring process, or (ii) if the passive monitoring process detects that the code-update transaction is illegitimate.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
(1)
(2)
DETAILED DESCRIPTION OF EMBODIMENTS
Overview
(3) Embodiments of the present invention that are described herein provide improved methods and systems for managing industrial control networks. In a typical industrial control network, one or more controllers implement a desired industrial process by controlling field devices. Each controller typically runs code, which comprises firmware, application logic and/or configuration parameters. The firmware is typically installed by the controller manufacturer, whereas the application logic and configuration parameters are typically configured in accordance with the specific industrial process being performed.
(4) In some embodiments, a management appliance identifies suspected operational mis-configurations and/or hostile attacks on a controller (e.g., a Programmable Logic Controller (PLC)) by detecting that some code of the controller has been changed unexpectedly. In a typical flow, the appliance requests the controller to report at least part of the currently-used code, e.g., firmware, application logic and/or parameters. The appliance compares the code reported by the controller to a trustworthy baseline version of the code (possibly comprising separate baseline versions of the firmware, application logic and parameters). A mismatch between the two versions may indicate an erroneous but legitimate mis-configuration, or a hostile attack.
(5) In some embodiments, the appliance continually verifies that the baseline version it holds is indeed trustworthy and up-to-date. In an example embodiment, the appliance passively listens for any code-update transactions exchanged with the controller, verifies that such transactions are legitimate, and updates the baseline version as needed. This passive process complements the above-described active querying of the controller.
System Description
(6)
(7) In the example of
(8) Controllers 28 may comprise, for example, Programmable Logic Controllers (PLCs). Each controller 28 typically controls one or more of field devices 24. A controller typically communicates with a field device using a suitable (e.g., serial) interface so as to instruct the field device to perform various actions and/or to collect data and measurements from the field device.
(9) Controllers 28 are typically connected by a Local Area Network (LAN) 32. LAN 32 may be wired and/or wireless, and may operate in accordance with any suitable communication protocol, e.g., Ethernet. Additional network nodes that may be connected to LAN 32 comprise, for example, a Human-Machine Interface (HMI) station 36, a historian 40 and an engineering station 44.
(10) HMI station 36 is used by an operator for monitoring and controlling the industrial process via controllers 28. Historian 40 is used for collecting and logging relevant data relating to the process for later analysis. Engineering station 44 is used by technical staff for controlling and configuring network 20, and particularly controllers 28.
(11) In the disclosed embodiments, network 20 further comprises a management appliance 48. Appliance 48 detects changes made in the firmware, application logic and/or configuration parameters of one or more of controllers 28, so as to detect mis-configuration and/or hostile attacks on controllers. As such, the appliance can be used as a management tool, as a security tool, or both. The functionality of appliance 48 is described in detail further below.
(12) In the example of
(13) The configurations of network 20 and management appliance 48 shown in
(14) The different elements of appliance 48 may be implemented using suitable software, using hardware, e.g., using one or more Application-Specific Integrated Circuits (ASICs) or Field-Programmable Gate Arrays (FPGAs), or using a combination of software and hardware elements. Database 64 may be implemented using any suitable memory, such as a solid-state or magnetic storage device.
(15) Typically, processor 60 comprises a general-purpose processor, which is programmed in software to carry out the functions described herein. The software may be downloaded to the processor in electronic form, over a network, for example, or it may, alternatively or additionally, be provided and/or stored on non-transitory tangible media, such as magnetic, optical, or electronic memory.
Active Detection of Mis-Configuration or Hostile Attack on Controller Firmware, Logic and/or Parameters
(16) A controller 28, e.g., PLC, is typically configured with firmware code that implements the basic controller functions and operating system. When deployed to perform a particular process in network 20, each controller 28 is configured with suitable application logic and configuration parameters to perform the desired process. In the context of the present patent application and in the claims, the controller firmware, application logic and configuration parameters are referred to collectively as code or controller code.
(17) The application logic typically specifies sequences of operations, rules and conditions, and/or other logic for operating field devices 24. The configuration parameters typically specify numerical values for the application logic, e.g., temperature thresholds and time durations. As another example, configuration parameters may specify memory addresses and/or protocol attributes for communication between controller 28 and field devices 24. Typically although not necessarily, the firmware is configured by the controller manufacturer, whereas the application logic and parameters are configured in network 20, e.g., by engineering station 44 or HMI station 36.
(18) In some embodiments, it is possible to modify and reconfigure the firmware, logic and/or parameters of a given controller 28 by communicating with the controller over LAN 32. As such, controllers 28 are prone to hostile attacks that illegitimately attempt to modify their firmware, logic and/or parameters. Controllers 28 are also prone to innocent but erroneous firmware, logic and/or parameter reconfigurations.
(19) In some embodiments, management appliance 48 detects such hostile attacks and/or mis-configuration of code of a controller 28, and initiates or takes appropriate action. The detection is based on actively querying the controller to report its current code version, and comparing the code version reported by the controller with a baseline version stored in database 64. In some embodiments, appliance 48 verifies that the baseline version in database 64 is indeed trustworthy and up-to-date by passively monitoring LAN 32 for transactions that update the code version.
(20) The description that follows refers to a single version, for the sake of clarity. In a real-life implementation, database 64 may hold multiple baseline code versions, e.g., separate baseline versions of firmware, logic and/or parameters, and/or separate baseline code versions for different controllers or controller types in network 20. In such embodiments, processor 60 chooses the appropriate baseline version for comparison when querying a given controller 28.
(21)
(22) The active querying process begins with processor 60 of appliance 48 querying a given controller 28 to report its current code version, by communicating over LAN 32 via interface 56. The description that follows refers to querying for the entire code version, for the sake of clarity. Alternatively, processor 60 may query for, and receive, any suitable portion of the controller code, e.g., at least a portion of the firmware, at least a portion of the application logic and/or at least a portion of the configuration parameters. As will be described further below, processor 60 may receive a compact-form digest computed over the code, or both code and digest.
(23) Processor 60 may use any suitable criterion or policy for deciding which controller to query and at what time. For example, processor 60 may query the various controllers at periodic intervals, or in response to some triggering event. A triggering event may comprise, for example, installation of a new controller in network 20, an access to network 20 by a third party, or any other suitable event.
(24) In some embodiments, controllers 28 support at least two separate communication protocols over LAN 32: a protocol for ongoing communication during operation of network 20, and an engineering protocol for code configuration. In some cases the engineering protocol already supports a command for querying the controller to report its code version. In an embodiment, processor 60 queries the controller at step 70 by emulating this command of the engineering protocol.
(25) At a reception step 74, processor 60 receives the current code version reported by the controller, over LAN 32 via interface 56. At a comparison step 78, processor 60 compares the current code version reported by controller 28 with a corresponding baseline version stored in database 64.
(26) Processor 60 may compare the reported code version with the baseline version in any suitable way. In some embodiments, each controller code version is represented using some compact-form digest, which may be generated from the code using any suitable cryptographic or non-cryptographic means. A digest may comprise, for example, a cryptographic signature or certificate, or a hash value computed over at least a portion of the code. In another embodiment, the digest may simply comprise a version number or code assigned to the code.
(27) In an embodiment, when controller 28 is queried, it returns the code version along with the respective digest. Processor 60 compares the digest of the reported code version with the digest of the baseline version stored in database 64.
(28) More generally, database 64 may hold only digests of baseline code without the actual code, only baseline code without the digests, or both code and digests. All of these options are regarded as holding a baseline version in memory. When queried, controller 28 may return only the digest of its code without the actual code, only the code without the digest, or both code and digest. All of these options are regarded as reporting the code used by the controller.
(29) Depending on the chosen implementation, processor 60 may perform the comparison after computing the digest over the code received from controller 28 and/or over the baseline code version in database 64, in case the digest is not stored or provided a priori.
(30) In alternative embodiments, processor 60 compares the actual code, e.g., performs a bit-wise comparison of the entire code or of selected portions thereof. In some embodiments, different parts of the code may be compared in different ways. For example, processor 60 may compare application logic versions using bit-wise comparison of the actual code, and compare firmware versions by comparing version numbers. Further alternatively, processor 60 may compare the reported code version with the baseline version in any other suitable way.
(31) At a match checking step 82, processor 60 checks whether the comparison at step 78 indicates that the reported code version and the baseline code version match. If the versions match, processor 60 concludes that no mis-configuration or hostile attack has occurred, and the method loops back to step 70 above.
(32) Otherwise, i.e., upon detecting a discrepancy between the code version reported by the queried controller and the baseline code version stored in database 64, processor 60 declares a suspected attack or mis-configuration of the controller, at a detection step 86. In such a case, processor 60 may take or initiate any suitable action, e.g., send a notification to HMI station 36, shut down or isolate the controller in question, or take any other suitable action.
(33) The passive monitoring process, shown on the right-hand-side of
(34) At a monitoring step 94, processor 60 monitors the communication traffic exchanged over LAN 32. At a code-update checking step 98, processor 60 checks whether the monitored traffic contains a transaction that involves a change of controller code version. If not, the method loops back to step 94 above.
(35) If a code-update transaction is detected in the traffic, processor 60 checks whether the update is legitimate, at a legitimacy checking step 102. A code-update transaction may be considered legitimate, for example, if it is performed by an authorized user (e.g., the plant control engineer) during a shift replacement. A code-update transaction may be considered illegitimate, for example, if it is performed by an unrecognized entity in network 20.
(36) If processor 60 suspects that the code update transaction is illegitimate, e.g., part of a hostile attack, the method moves to detection step 86, in which processor 60 sends a notification to the user or takes other action.
(37) If the code update is regarded legitimate, processor 60 updates database 64 with the updated code version, at an updating step 106. The method then loops back to step 94 above, in which processor 60 continues to monitor the traffic in LAN 32. From this point, comparisons with the baseline version (step 78 of the active querying process) will be performed using the updated baseline version.
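The following is an added example, not code from the patent, that models both processes described above: the active querying process (steps 70 through 86, with the controller reporting code, a digest, or both) and the passive monitoring process (steps 94 through 106, where a legitimate code-update transaction refreshes the baseline and an illegitimate one triggers the same notification path). SHA-256 as the digest, the `AUTHORIZED_SOURCES` allowlist as the legitimacy criterion, and all controller identifiers, code strings and addresses are constructed assumptions.

```python
import hashlib
import hmac

# Assumed allowlist of entities whose code-update transactions count as legitimate
# (the patent's example is an authorized plant engineer, e.g. engineering station 44).
AUTHORIZED_SOURCES = {"engineering-station-44"}


def digest(code: bytes) -> str:
    """Compact-form digest of controller code (SHA-256 assumed; the patent allows any digest)."""
    return hashlib.sha256(code).hexdigest()


class ManagementAppliance:
    """Holds baseline digests (database 64) and issues notifications (step 86)."""
    def __init__(self):
        self.baseline = {}       # (controller_id, code_type) -> baseline digest
        self.notifications = []  # (controller_id, reason) issued at step 86

    def set_baseline(self, controller_id, code_type, code):
        self.baseline[(controller_id, code_type)] = digest(code)

    # Active querying process (steps 70-86): the controller may report code, digest or both.
    def active_query(self, controller_id, code_type, reported_code=None, reported_digest=None):
        """Compare the reported version with the baseline; True means they match."""
        if reported_code is None and reported_digest is None:
            raise ValueError("controller must report code, a digest, or both")
        if reported_code is not None:
            computed = digest(reported_code)
            # Code and digest that disagree with each other are also a discrepancy.
            if reported_digest is not None and not hmac.compare_digest(computed, reported_digest):
                self.notifications.append((controller_id, f"{code_type}: reported digest does not match reported code"))
                return False
            reported_digest = computed
        expected = self.baseline.get((controller_id, code_type))
        if expected is None or not hmac.compare_digest(expected, reported_digest):
            self.notifications.append((controller_id, f"{code_type}: reported code differs from baseline"))
            return False
        return True  # step 82: match, no action; caller loops back to step 70

    # Passive monitoring process (steps 94-106), fed one intercepted transaction at a time.
    def observe(self, tx):
        """None: not a code update; True: legitimate, baseline updated; False: flagged."""
        if tx.get("kind") != "code_update":
            return None                                    # step 98
        if tx["source"] not in AUTHORIZED_SOURCES:         # step 102
            self.notifications.append((tx["controller"], f"{tx['code_type']}: update from unrecognized entity {tx['source']}"))
            return False
        self.set_baseline(tx["controller"], tx["code_type"], tx["code"])  # step 106
        return True


def run_scenario():
    """Constructed walk-through of both processes; returns the notifications issued."""
    app = ManagementAppliance()
    app.set_baseline("plc-1", "application_logic", b"IF temp > 80 THEN valve := OPEN")
    # 1. Legitimate update seen on the LAN: baseline follows it, so the next query matches.
    app.observe({"kind": "code_update", "source": "engineering-station-44", "controller": "plc-1",
                 "code_type": "application_logic", "code": b"IF temp > 85 THEN valve := OPEN"})
    app.active_query("plc-1", "application_logic", reported_code=b"IF temp > 85 THEN valve := OPEN")
    # 2. Update from an unrecognized node (constructed address): flagged, baseline untouched.
    app.observe({"kind": "code_update", "source": "10.0.0.99", "controller": "plc-1",
                 "code_type": "application_logic", "code": b"IF temp > 200 THEN valve := OPEN"})
    # 3. The controller now reports the tampered logic: active query detects the discrepancy.
    app.active_query("plc-1", "application_logic", reported_code=b"IF temp > 200 THEN valve := OPEN")
    return app.notifications
```

Note that the appliance only refreshes the baseline from transactions it judged legitimate at step 102, so an update that bypasses the allowlist is caught twice: once passively when it crosses the LAN, and again on the next active query.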
(38) Although the embodiments described herein mainly address controllers in industrial control networks, the methods and systems described herein can also be used in other applications, such as for management and security of other types of controllers, e.g., in medical equipment, aerospace equipment, automotive equipment and the like.
(39) It will thus be appreciated that the embodiments described above are cited by way of example, and that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and sub-combinations of the various features described hereinabove, as well as variations and modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not disclosed in the prior art. Documents incorporated by reference in the present patent application are to be considered an integral part of the application except that to the extent any terms are defined in these incorporated documents in a manner that conflicts with the definitions made explicitly or implicitly in the present specification, only the definitions in the present specification should be considered.