Monitoring common Operational Technology protocol ports
Operational Technology (OT) environments commonly use specific ports and protocols when communicating with Industrial Control Systems (ICS) and industrial OT devices like programmable logic controllers (PLCs) and remote terminal units (RTUs). Identifying and labeling this traffic can be helpful to understand communications across the network, and can also help you remove ambiguity around the intent of the traffic.
Because many OT protocols lack authentication, any host that can reach an OT device over the network can typically read its values or issue commands to it. Identifying industrial protocols therefore helps organizations understand the nature of the traffic, and can also be used to detect unauthorized communication with an OT device, for example an industrial protocol being spoken by a host that does not belong to the OT environment.
Data required
Traffic data from your network is required for this use case. This traffic data can come from any router, switch, or networking device. In some cases, the specific industrial protocol might already be identified by the devices depending on the individual network device capabilities.
Leveraging fields from the Common Information Model (CIM) will make implementing this use case easier. Splunk add-ons often provide data which is already CIM compliant.
How to use Splunk software for this use case
Stage 1: Identify OT devices
In this stage, you'll identify source or destination hosts located within the OT environment. This is done by creating a macro called is_ot_device which takes in a host and returns true or false to confirm whether the device is in the OT environment.
To do this, you can:
- Use a lookup table that has a list of OT hosts.
- Use a lookup table that has a list of IP ranges for OT devices (for example, when VLANs are used).
- Use a static list of OT devices or characteristics (such as host name pattern or asset type).
Stage 2: Create a lookup for common OT protocol ports and transport information
In this example, the organization uses a lookup to identify ports and transport (TCP/UDP) information to determine the protocol. This lookup contains the following fields:
- port_number
- transport
- app
- protocol_tag
The example below names the lookup file ot_protocol_definitions.csv. The protocol_tag field tags each row so that OT protocols can be filtered as a group; in the example below it is set to industrial.
One of the most straightforward ways to populate this lookup is to use a public repository on GitHub that publishes this information as a JSON or CSV file. The lookup could also be updated dynamically from such a repository; however, because many OT environments are isolated from direct internet connectivity, it might be necessary to populate the table manually from other sources, such as a manual download. Review any externally sourced list before relying on it: some port numbers are shared by more than one protocol, and vendors can configure non-default ports, so treat the lookup as a starting point to tune for your environment.
The following example shows what that lookup might look like populated from the awesome-industrial-protocols GitHub repository.
Stage 3: Identify traffic from OT protocols
Run the following search. You can optimize it by specifying an index and adjusting the time range.
tag=network tag=communicate | where `is_ot_device(src)`="true" OR `is_ot_device(dest)`="true" | lookup ot_protocol_definitions.csv port_number AS dest_port, transport OUTPUTNEW app,protocol_tag | search protocol_tag="industrial"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `tag=network tag=communicate` | Search data tagged as network traffic. You can also specify a source type, source, and index to search untagged data. |
| `` \| where `is_ot_device(src)`="true" OR `is_ot_device(dest)`="true" `` | Identify whether the source or destination of the traffic resides within the OT environment, using the macro created in Stage 1. |
| `\| lookup ot_protocol_definitions.csv port_number AS dest_port, transport OUTPUTNEW app,protocol_tag` | Map the destination port and transport of each event to the lookup table created in Stage 2, adding the app and protocol_tag fields where a match is found. Events whose destination port is not in the lookup (for example replies to ephemeral client ports) receive no tag. |
| `\| search protocol_tag="industrial"` | Filter for data tagged as industrial. |
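The following is an added example, not code from the original article or from Splunk. It re-implements Stages 1 to 3 in Python so that the OT-device check, the port/transport lookup and the final filter can be exercised offline against constructed flow records before the logic is ported to SPL. The 10.20.0.0/16 and 192.168.50.0/24 OT ranges, the plc-/rtu-/hmi- host-name prefixes, the lookup rows and the sample events are all assumptions made for the example; the lookup rows use well-known default ports but are not taken from the article.

```python
"""
Added example, not code from the original article or from Splunk: a stand-alone
re-implementation of Stages 1 to 3 that runs offline over constructed flow records,
so the lookup and OT-device logic can be checked before it is ported to SPL.
Assumptions (not taken from the article): the 10.20.0.0/16 and 192.168.50.0/24 OT
ranges, the plc-/rtu-/hmi- host-name prefixes, and the port/protocol rows below.
"""
import csv
import io
import ipaddress
import re

# Stage 1: the is_ot_device check. In Splunk this is a macro wrapping an eval
# expression (for example cidrmatch() on the OT ranges OR match() on the host name);
# here it is a plain function with the same true/false contract.
OT_RANGES = [ipaddress.ip_network("10.20.0.0/16"),      # assumed OT VLAN
             ipaddress.ip_network("192.168.50.0/24")]   # assumed OT VLAN
OT_HOST_PATTERN = re.compile(r"^(plc|rtu|hmi)-", re.IGNORECASE)  # assumed naming convention


def is_ot_device(host: str) -> bool:
    """Return True if host (an IP address or a host name) is in the OT environment."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:              # not an IP literal: fall back to the host-name pattern
        return bool(OT_HOST_PATTERN.match(host))
    return any(addr in net for net in OT_RANGES)


# Stage 2: ot_protocol_definitions.csv with the four columns named in the article.
# Constructed sample rows using well-known default ports; verify against your own assets.
OT_PROTOCOL_DEFINITIONS_CSV = """port_number,transport,app,protocol_tag
502,tcp,modbus,industrial
20000,tcp,dnp3,industrial
20000,udp,dnp3,industrial
44818,tcp,ethernet-ip,industrial
2222,udp,ethernet-ip,industrial
102,tcp,s7comm,industrial
4840,tcp,opc-ua,industrial
47808,udp,bacnet,industrial
"""


def load_lookup(csv_text: str) -> dict:
    """Index the lookup by (port_number, transport), the two fields the SPL lookup matches on."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[(int(row["port_number"]), row["transport"].lower())] = (row["app"], row["protocol_tag"])
    return table


# Stage 3: constructed network-traffic events using CIM Network_Traffic field names.
SAMPLE_TRAFFIC = [
    {"src": "10.10.1.25", "dest": "10.20.3.7", "dest_port": 502, "transport": "tcp"},    # IT host -> PLC, Modbus
    {"src": "10.20.3.9", "dest": "10.20.3.8", "dest_port": 44818, "transport": "tcp"},   # OT -> OT, EtherNet/IP
    {"src": "10.20.3.7", "dest": "10.10.1.25", "dest_port": 51234, "transport": "tcp"},  # PLC reply, ephemeral port
    {"src": "10.10.1.40", "dest": "10.10.1.41", "dest_port": 502, "transport": "tcp"},   # port 502 but no OT device
    {"src": "hmi-line1", "dest": "10.20.3.7", "dest_port": 20000, "transport": "udp"},   # HMI -> PLC, DNP3 over UDP
    {"src": "10.10.1.25", "dest": "10.20.3.7", "dest_port": 443, "transport": "tcp"},    # HTTPS to a PLC, not industrial
]


def identify_industrial_traffic(events, lookup, tag="industrial"):
    """Equivalent of the Stage 3 search: keep events where src or dest is an OT device and
    (dest_port, transport) maps to a lookup row carrying the requested protocol_tag."""
    hits = []
    for ev in events:
        if not (is_ot_device(ev["src"]) or is_ot_device(ev["dest"])):
            continue
        app, protocol_tag = lookup.get((ev["dest_port"], ev["transport"].lower()), (None, None))
        if protocol_tag == tag:
            hits.append({**ev, "app": app, "protocol_tag": protocol_tag})
    return hits


def non_ot_sources(hits):
    """Industrial-protocol requests whose source is outside the OT environment: the
    simplest 'unauthorized communication' signal the article alludes to."""
    return [ev for ev in hits if not is_ot_device(ev["src"])]


if __name__ == "__main__":
    lookup = load_lookup(OT_PROTOCOL_DEFINITIONS_CSV)
    hits = identify_industrial_traffic(SAMPLE_TRAFFIC, lookup)
    for ev in hits:
        print(f'{ev["src"]:>12} -> {ev["dest"]}:{ev["dest_port"]}/{ev["transport"]}  app={ev["app"]}')
    for ev in non_ot_sources(hits):
        print(f'REVIEW: non-OT source {ev["src"]} speaking {ev["app"]} to {ev["dest"]}')
```

Two behaviours of the search are visible in the sample data. The lookup matches on dest_port only, so the request direction (client to PLC on 502/tcp) is tagged while the PLC's reply to an ephemeral client port is not; this is normally what you want, since one tagged flow per exchange is enough. Port 502 between two hosts outside the OT ranges is ignored because the Stage 1 check fails first, which is why the is_ot_device macro, not the port list, decides what counts as OT traffic. The non_ot_sources() pass is the natural first detection to build on the result: a Modbus request from an IT address to a PLC is exactly the kind of communication worth reviewing.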
Next steps
You can use or modify the search above to build a dashboard that visualizes the identified industrial traffic.
Being able to identify industrial traffic is helpful when trying to understand the devices within an OT environment; however, focusing on changes is often more practical for helping teams sift through network noise. One way to accomplish this is to baseline traffic volumes per device and protocol over a period of time (in a summary index or lookup table) and alert on significant increases or decreases. You could also use the Splunk Machine Learning Toolkit to identify anomalous traffic patterns using various methods.
Other resources you might be interested in include:
- The OT Security Add-on for Splunk contains dashboards, knowledge objects, and key security indicators to identify industrial protocols. Leveraging the add-on helps provide a more out-of-the-box experience using the Splunk platform to identify industrial protocols.
- The CISO’s guide to complete security for industrial control systems might be useful to identify key areas of focus for protecting OT and industrial control system environments.