ICS Performance Lab


Upload: jim-gilsinn

Post on 21-May-2015


DESCRIPTION

Presented at the ISA Process Control & Safety Symposium, October 8, 2014. Description of the Kenexis project to build an ICS performance and security lab-in-a-box. This talk accompanies a live demo of the lab equipment.

TRANSCRIPT

Page 1: ICS Performance Lab

Standards

Certification

Education & Training

Publishing

Conferences & Exhibits

ICS Performance Lab

Jim Gilsinn
Kenexis Security

Page 2: ICS Performance Lab

Jim Gilsinn - Bio

• Senior Investigator, Kenexis Security
• ISA-99 Committee (ISA/IEC 62443 Standards)
  – Co-Chair, ISA99 Committee
  – Co-Chair, ISA99 WG2, Security Program
• 23 years engineering experience
  – Last 13 doing ICS networks and cyber security
• MSEE specializing in control theory

Page 3: ICS Performance Lab


INTRO TO ICS NETWORK PERFORMANCE

Page 4: ICS Performance Lab

Industrial Network Types & Metrics: Publish/Subscribe

• Publish/subscribe or peer-to-peer communications
• Main performance metric: Cyclic frequency variability/jitter
• Real-time EtherNet/IP™ uses publish/subscribe
  – Requested/Accepted Packet Interval (RPI/API)
  – Measured Packet Interval (MPI)

Page 5: ICS Performance Lab

Industrial Network Types & Metrics: Publish/Subscribe

• Difference between TPub_Com_Init & TSub_Com_Init is network roundtrip delay
• TPub_Com_Init, TSub_Com_Init not important
• Variability in TPub much more important
• Theoretically, TPub doesn’t need to match TSub
  – In production systems, they are the same

[Figure: timing diagram between Subscriber and Publisher, labeled TPub_Com_Init, TSub_Com_Init, TPub_1, TPub_2, ..., TPub_N-1, TPub_N and TSub_M]

Page 6: ICS Performance Lab

Performance Testing Methodology: Performance Metrics

• Command/response or master/slave communications
• Main performance metric: Latency
• Large numbers of protocols use this
  – Most (All?) PC-based server/client protocols – HTTP(S), (S)FTP, etc.
  – Most industrial protocols – Modbus/TCP, Profinet, Ethercat, etc.

Page 7: ICS Performance Lab

Industrial Network Types & Metrics: Command/Response

• Difference between TCom_Delay & TRes is network roundtrip delay
• Latency in TCom & TRes important

[Figure: timing diagram between Commander and Responder, labeled TCom_1, TCom_2, TRes_1, TRes_2, TCom_Delay_1 and TCom_Delay_2]

Page 8: ICS Performance Lab

Isolating Traffic Streams

• Isolating traffic streams can be tricky
• 10’s – 100’s of traffic streams in production environment
• Your Wireshark Fu must be strong!
• Usually requires additional post-processing
• Multiple streams can exist between same devices

Page 9: ICS Performance Lab

Isolating Traffic Streams

• Traffic pairs
  – Source IP/MAC address
  – Destination IP/MAC address
  – Source TCP/UDP port
  – Destination TCP/UDP port
• Publish/Subscribe
  – Communication stream ID
  – Sequence number (optional)
• Command/Response
  – Command message/field
  – Response message/field
  – Message ID (optional)

Page 10: ICS Performance Lab

Test Time vs. Packet Interval

[Plot: Measured Packet Interval (ms) vs. Test Time (s)]

• ~62 sec test
• Mean MPI = 2ms
• Min ~ 1.2
• Max ~ 2.9
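The stream isolation and MPI measurement described on the slides above, as an added example that is not from the talk or from Kenexis tooling. The record layout, addresses, stream IDs and requested intervals are constructed assumptions; a real workflow would first export these fields from a capture.

```python
from collections import defaultdict
from statistics import mean

# Constructed capture records (not from the talk):
# (time_s, src, dst, sport, dport, stream_id, seq). Both streams share the same
# device pair and ports (2222 is EtherNet/IP implicit messaging), so only stream_id separates them.
def sample_packets():
    pkts = []
    # Stream 0x1001: assumed requested interval 2 ms, with constructed jitter.
    offsets_ms = [0.0, 2.0, 4.1, 5.9, 8.8, 10.0]
    for seq, off in enumerate(offsets_ms):
        pkts.append((off / 1000, "10.0.0.10", "10.0.0.20", 2222, 2222, 0x1001, seq))
    # Stream 0x1002: assumed requested interval 10 ms; sequence number 2 is missing.
    for seq, off in [(0, 0.5), (1, 10.5), (3, 30.6), (4, 40.5)]:
        pkts.append((off / 1000, "10.0.0.10", "10.0.0.20", 2222, 2222, 0x1002, seq))
    return sorted(pkts)  # interleaved by time, as in a real capture

def isolate_streams(packets):
    """Group packets by address pair, port pair and communication stream ID."""
    streams = defaultdict(list)
    for t, src, dst, sport, dport, stream_id, seq in packets:
        streams[(src, dst, sport, dport, stream_id)].append((t, seq))
    return streams

def mpi_stats(stream, rpi_ms):
    """Measured packet interval statistics (ms) for one isolated stream."""
    stream = sorted(stream)
    mpi, lost = [], 0
    for (t0, s0), (t1, s1) in zip(stream, stream[1:]):
        gap = s1 - s0
        if gap != 1:  # missing sequence numbers: count the loss, skip the inflated interval
            lost += max(gap - 1, 0)
            continue
        mpi.append((t1 - t0) * 1000)
    return {
        "mean": round(mean(mpi), 3), "min": round(min(mpi), 3), "max": round(max(mpi), 3),
        "max_dev": round(max(abs(m - rpi_ms) for m in mpi), 3), "lost": lost,
    }

if __name__ == "__main__":
    rpi = {0x1001: 2.0, 0x1002: 10.0}  # assumed requested packet intervals (ms)
    for key, stream in isolate_streams(sample_packets()).items():
        print(key, mpi_stats(stream, rpi[key[4]]))
```

Without the sequence-number check, the lost packet in the second stream would show up as a single 20 ms interval and be misread as jitter.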

Page 11: ICS Performance Lab

Time Plot for Command/Response

[Plot annotations:]
• Regular Pattern to Delayed Packets
• Regular Pattern of Minimal Delayed Packets

Page 12: ICS Performance Lab

Command/Response Timing Plots

• Quick succession of command/response packets
• Minimal delay in command/response sequence
• Apparently large delay in a single packet
• Example: Rockwell tag reads

[Plot annotations:]
• Quick Succession Read Commands
• Delay Until Next Time Sequence

Page 13: ICS Performance Lab


BUILDING AN ICS LAB

Page 14: ICS Performance Lab

Building an ICS Lab

• Goals
  – Develop a portable lab
  – Capable of demonstrating ICS security
  – Use real ICS equipment to analyze ICS protocol performance
• Purpose
  – Training
  – Demonstration
  – Potential Sales

Page 15: ICS Performance Lab

Control System

• Equipment
  – PLC
  – Digital & Analog I/O
  – Industrial PC
  – Layer 2+ network switch
• Protocols
  – EtherNet/IP
  – Modbus/TCP
• PLC I/O Lighted Buttons
• Buttons have isolated light from NO/NC switch action
• Ladder logic to light button on push

Page 16: ICS Performance Lab

Performance & Security Testing

• Denial of service testing
• Performance analysis
• Control lights separate from button pushes
• Spoof button push signals
• Issue Run/Stop commands to controller
• Test IP reassignment via industrial protocols
• Demonstrate pivoting

Page 17: ICS Performance Lab

Questions

• Contact Me
  – Jim Gilsinn
  – 301-706-9985 or 614-323-2254
  – [email protected]
  – Twitter – @JimGilsinn
  – LinkedIn – http://www.linkedin.com/in/jimgilsinn/
  – SlideShare – http://www.slideshare.net/gilsinnj