Monitoring common Operational Technology protocol ports

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Operational Technology (OT) environments commonly use specific ports and protocols when communicating with Industrial Control Systems (ICS) and industrial OT devices like programmable logic controllers (PLCs) and remote terminal units (RTUs). Identifying and labeling this traffic can be helpful to understand communications across the network, and can also help you remove ambiguity around the intent of the traffic.

Since many OT protocols lack authentication mechanisms, most OT devices allow any device to read values from these devices or issue commands. Identifying industrial protocols can help organizations to identify the nature of the traffic, and could also be used to detect unauthorized communication to an OT device.

It is strongly recommended to use more secure alternatives to RDP, such as solutions with multi-factor authentication (MFA) or specialized remote access software that is designed for OT environments.

Data required

Traffic data from your network is required for this use case. This traffic data can come from any router, switch, or networking device. In some cases, the specific industrial protocol might already be identified by the devices depending on the individual network device capabilities.

Leveraging fields from the Common Information Model (CIM) will make implementing this use case easier. Splunk add-ons often provide data which is already CIM compliant.

How to use Splunk software for this use case

Stage 1: Identify OT devices

In this stage, you'll identify source or destination hosts located within the OT environment. This is done by creating a macro called is_ot_device which takes in a host and then returns true or false to confirm whether the device is in the OT environment.

To do this, you can:

Use a lookup table that has a list of OT hosts.
Use a lookup table that has a list of IP ranges for OT devices (for example, when VLANs are used).
Use a static list of OT devices or characteristics (such as host name pattern or asset type).

Stage 2: Create a lookup for common OT protocol ports and transport information

In this example, the organization uses a lookup to identify ports and transport (TCP/UDP) information to determine the protocol. This lookup contains the following fields:

port_number
transport
app
protocol_tag

The included example below names the lookup file ot_protocol_definitions.csv. The protocol_tag field in the lookup can be used for tagging OT protocols for filtering purposes. In the example below, the tag field is set to industrial for filtering purposes.

One of the most straightforward ways to populate this lookup is by leveraging existing repositories like GitHub for a JSON or CSV file containing this information. This lookup could also be updated dynamically based on these repositories; however, because many OT environments are isolated from direct internet connectivity, it might be necessary to manually populate this table from other sources, such as a manual download.

The following example shows what that lookup might look like populated from the awesome-industrial-protocols GitHub repository.

unnamed - 2024-07-05T093038.114.png

Stage 3: Identify traffic from OT protocols

Run the following search. You can optimize it by specifying an index and adjusting the time range.

tag=network tag=communicate
| `is_ot_device(src)`=”true” OR `is_ot_device(dest)=true
| lookup ot_protocol_definitions.csv port_number AS dest_port, transport OUTPUTNEW app,protocol_tag 
| search protocol_tag="industrial"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search	Explanation
`tag=network tag=communicate`	Search data tagged as network traffic. You can also specify a source type, source, and index to search untagged data.
\| `is_ot_device(src)`=”true” OR `is_ot_device(dest)=true	Identify whether the destination or source of the traffic resides within the OT environment.
`\| lookup ot_protocol_definitions.csv port_number AS dest_port, transport OUTPUTNEW app,protocol_tag`	Takes the existing traffic and attempts to map the port number and transport to the lookup table. `OUTPUTNEW` is used because it won’t override any existing entries from the data that specify the app.
`\| search protocol_tag="industrial"`	Filter for data tagged as `industrial`. You can set this to whatever is used in the lookup file for `protocol_tag`.

Next steps

You can use or modify the search above to create a dashboard like this:

unnamed - 2024-07-05T095503.970.png

Being able to identify industrial traffic can be helpful when trying to understand the devices within an OT environment; however, focusing on changes can be more practical to help teams sift through the noise of the network. One way to accomplish this is by tracking regular traffic volumes over a time period (either in a summary index or lookup table) and looking for significant increases or decreases in network traffic. Additionally, you could use Splunk’s Machine Learning Toolkit to identify anomalous traffic patterns using various methods.

Other resources you might be interested in include:

The OT Security Add-on for Splunk contains dashboards, knowledge objects, and key security indicators to identify industrial protocols. Leveraging the add-on helps provide a more out-of-the-box experience using the Splunk platform to identify industrial protocols.
The CISO’s guide to complete security for industrial control systems might be useful to identify key areas of focus for protecting OT and industrial control system environments.