Non-invasive intrusion and network anomalies detection systems and BlackEnergy3

As pointed many times, to increase the operations security levels, it’s not enough to add preventive countermeasures. Specific systems must be implemented to enable detection, response, information and recovery.

Among the systems that help to detect, response and report early about possible threats, there are non-invasive intrusion and network anomalies detection systems, which are specific for OT environments.

These are solutions which implemented as an appliance (HW + SW) that allow the intruders to be detected in the OT network by means of a non-invasive approach – no hosts/agents are installed in real-time systems – as well as to find malware-based attack vectors, and anomalies in industrial protocols and operation activities.

The system performs these activities in an intelligent way. This feature is a key. The system depends on the operation network performance – sniffing traffic by enabling a switch port in mirroring mode – and sets a series of valid patterns. If the system detects a behavior in the network that does not matches what it has learned, it launches immediately an alert reporting that anomaly.

What have these systems to do with BlackEnergy3? And by the way, what is BlackEnergy3?

As discussed some years ago in this post, BlackEnergy was the malware associated to the APT Sandworm, which infected the SCADA Web servers of the General Electric Cimplicity solution. By then, the ICS-CERT published the ICS-ALERT-14-281-01A alert. If the systems haven not been updated, many of them are likely that be still infected since 2012.

Currently, the systems involved can be affected by the behavior described below.

Usually, if a SCADA Web is necessary for remote access, the organizations have undertaken network segmentation projects by adding firewalls between operation/critical networks and transactional networks (IT). In addition to this, a demilitarized zone with Internet access is often created. The following figure outlines the architecture without the IT network and representing the OT/critical network, and a network on which the SCADA Web servers converge.

The B team is infected by BlackEnergy. The attacker, that takes advantage of this situation, wants to access the A team, which is placed in the OT network. That’s why it uses the SMB protocol, usually authorized in firewalls to segment LANs to allow file exchange and sharing. The two machines exchange RPC on SMB. This Exchange enables BlackEnergy3 by using the RPCs to access the critical network equipment, and from that point take the control of the process, retrieve confidential information, etc.

As can be clearly seen, this behavior of the SMB protocol and the RPC exchange cannot be considered as normal. If an organization had implemented a system able to detect these traffic and communication anomalies between devices and/or protocols, it could take the appropriate steps to isolate the equipment, reset firewalls, and update if possible the SCADA Web system.

From Logitek, we prescribe the LK CyberSense solution as a non-invasive network intrusion and anomalies detection system. For further information about its benefits, please contact us.