Use “Tap Mode” To See ICS/SCADA Traffic and Risks More Clearly

Jul 08, 2015
6 minutes

A firewall by any other name…

I often speak with ICS asset owners who are just at the beginning of their next-generation firewall learning curve.  They are usually pleasantly surprised at the capabilities it provides in identifying traffic at Layer 7, i.e. application, users and threat/content.

Beyond just being able to see network traffic at this very detailed level, the fact that these key pieces of information are intrinsically correlated -- a unique advantage of our single-pass, parallel processing architecture (SP3) -- is a major draw.  The proverbial “light bulb” turns on very quickly and they understand why this approach means easier anomaly detection, faster forensics and better auditability in their ICS environment.

Understandably, the word “firewall” in the product name often invokes the question of whether the device can be used in a more passive, detection-only model.  To support such monitor-only deployments, the Palo Alto Networks Next-Generation Firewall offers a deployment mode called “Tap Mode.”  Using this deployment, the next generation firewall can be connected to a SPAN/mirror port on a network device, like a switch or router, to passively monitor the traffic going through this “hub.” Doing this provides not only better visibility, but more importantly, correlated visibility into useful pieces of network traffic information.

Why “monitor-only”?

Why not deploy the device inline as a firewall is meant to be deployed?  A common reason in ICS is that the owner has a monitor-only mindset or policy for critical areas of the ICS.  Consider, for example, the core of a Distributed Control System (DCS) where there may be zero tolerance for any potential accidental blocking of traffic.  They want to avoid any additional inline devices aside from the main equipment needed to run the process and provide connectivity.  While this organization may put a security device inline at the IT-OT perimeter, they would never do so within the DCS core.  However, a non-invasive visibility tool could prove useful and hence could be considered for deployment.

Another reason for putting the device in passive mode, even at the perimeter of the ICS, such as between corporate and the PCN (process control network), is because the asset owner is not quite ready to do a rip-and-replace of his existing security architecture.  While the asset owner may admit that the existing system will need to be replaced eventually due to lagging capabilities, he still prefers a more gradual migration path that feels less disruptive.  A device that can be easily dropped in with minimal impact to the current production system, while providing high value, is ideal.  Eventually the owner may swap out the old with the new as he validates the new product and gets more comfortable with the technology.

Shedding the light on plant floor traffic

Users of Palo Alto Networks next-generation firewalls now have access to a variety of rich and natively correlated network traffic information including the following:

  • ICS Protocols and Applications – For example to Modbus, DNP3, OPC, ICCP, OsiSoft Pi, Schneider OASyS, Cygnet, etc. For some protocols, the visibility is provided at the function code level (i.e. Modbus Reads and Writes)
  • Business/Administrative Applications – Database applications like MSSQL, Remote management, Network management,
  • SaaS & Social Media – Applications which typically should not be allowed in ICS environments but are sometimes found, e.g. Dropbox, P2P file sharing, TeamViewer due to irresponsible use by employees
  • Custom Traffic – Custom “App-IDs” can be easily created using the firewall itself to identify homegrown applications.
  • User / User Group – The next-generation firewall can utilize different sources of IP-to-user mappings and events to enable user and user-group visibility. These include directory services, authentication events, and even via the API.  The user-information will be tied to the application/protocol traffic thereby providing user-based access logs.
  • Content – The firewall can be used to identify files, strings, URLs.
  • Known Threats – Network-borne known exploits, malware, and command and control traffic. Again threat information is contextually tied to application/protocol and user information.
  • Zero-day Malware – If the firewall is connected to the Wildfire service, the device can also be used to identify zero-day malware in as little as 5 minutes for the on-premises Wildfire offering.

Several areas where users are typically interested in gaining more situational awareness and capabilities for auditing traffic include:

  • ICS core – Monitor traffic off of a switch interconnecting the HMIs, workstations and automation servers on the plant floor. This should mostly be repetitive machine-to-machine traffic so anything out of the ordinary is likely to jump out.
  • IT-OT perimeter – Use the Next-generation firewall to augment any existing access control device like a Router (ACL) or stateful inspection firewall (limited visibility at the port and IP address level)
  • 3rd party connections – Similar to the IT-OT perimeter, make sure to monitor the connectivity you have with third parties like partners and ICS vendors and systems integrators

Moving beyond monitor-only

In practice, many users start off in tap mode then eventually move into one of two inline deployments modes (VWIRE “bump-in-the-wire”, L2/L3 Firewall Replacement), realizing the powerful network segmentation capabilities of the device.  In other scenarios they may deploy the devices in a hybrid model where  some areas the firewall is inline with access controls and in some areas the device is in tap mode.

Not all organizations have the same network architecture or the same view on security posture.  Our next-generation firewall’s support for multiple deployment modes highlights one of the ways our platform provides flexibility.  In fact the multiple ports on a Palo Alto Networks firewall could be configured to support multiple deployment modes simultaneously (Tap, VWIRE, and L2/L3).

Practicing What We Preach – Application Visibility and Risk Report

Interestingly enough, Palo Alto Network field teams often use the firewall in tap mode when conducting free Application Visibility and Risk (AVR) assessments.  We basically connect the device in passive mode to the network cluster of interest then provide a report back to the end user on what applications and risks may be present in their network today.

It’s rare to have an AVR which does not result in immediately useful information regarding security risks. It is free and is an easy way to understand the value of correlated, layer-7 visibility and also perhaps to discover any exposures to your organization.  Contact your local Palo Alto Networks representative to learn more or sign up for an AVR online.

To learn more about our platform approach to securing industrial control systems, please access the free white paper on 21st century SCADA security.

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.