Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

Transcription

1 Monitoring and diagnostics of data infrastructure problems in power engineering Jaroslav Stusak, Sales Director CEE, Flowmon Networks

2 35,000 kilometers of electric power, which feeds around 740,000 clients... Branislav Kostal Network Development Specialist: Without a stable network infrastructure, the supply of our electricity would stop, leaving us literally in the dark. Network monitoring by Flowmon helps to ensure the transmission and reliability of the network infrastructure of one of the largest energy suppliers in Slovakia.

3 Deployment Topology It is very important for us to mirror the traffic from all three main locations of the company Zilina, Varin and Banos in order to analyze it in detail. Thus, we appreciate Flowmon Traffic Recorder features. What is more, Flowmon ADS allows us to trigger traffic capture process at the moment when anomaly occurs so we avoid storing huge amounts of data.

4 SIMPLIFIED COURSE OF SECURITY EVENTS 1 Penetration of the network (phishing, transfer of media, exploits) 2 Movement of attacker across network and collection of information 3 Attack (deleting logs, configurations, gaining control over the system)

5 Attacker is looking for potential victims And starts SSH attack That turns out to be successful

6 Few minutes after that breached device starts to communicate with botnet C&C

7 Botnet identification using Flowmon Threat Intelligence

8 Flow data on L2/L3/L4

9 Including L7 visibility

10 Full packet capture and packet trace (PCAP file)

11 Analysis of PCAP file with botnet C&C communication in Wireshark

12 Data exfiltration command via ICMP

13 Command to discover RDP servers

14 ICMP anomaly traffic with payload present

15 PCAP available, what is the ICMP payload?

16 Linux /etc/ passwd file with user accounts and hash of passwords

17 Looking for Windows servers with RDP Attack against RDP services

18 Attacker activity (port scan, SSH authentication attack)

19 More security events forensics used by ADS There is another malicious code inside the LAN There were found also very old malicious code that exploits the vulnerabilities of Windows 2000 and Windows XP

20 Crypto-jacking detection by ADS Based on the BPATTERNS view detail, the system has alerted us to a few devices in network which are visited web sites that exploit cryptomining code and abuse of device performance

21 Recommendations & Takeouts Firewall and ADS Integration for ability to block suspicious communication Visibility before and behind the proxy server

22 Recommendations & Takeouts SCADA/ICS extended visibility Visibility into separate SCADA/ ICS environment communication: PLC-server-HMIinternet

23 Flowmon Probes Take the best from full packet & flow monitoring Convert packets to enriched flow data (L2-L7) Un-sampled export in NetFlow v5/v9 or IPFIX Wire-speed, Full packet capture (PCAP) when needed L2 MAC VLAN MPLS SPB GRE tunnel OVT L3/L4 Standard items NPM metrics RTT, SRT, VxLAN TTL, SYN size, ASN Geolocation L7 NBAR2 HTTP DNS DHCP SMB/CIFS VoIP (SIP)

24 IEC (ICS/SCADA) Protocol used for telecontrol (supervisory control and data acquisition) in electrical engineering and power system automation applications. Application layer (L7) Transport layer (L4) Network layer (L3) Link layer (L2) Physical layer (L1) Application Service Data Units Application Protocol Control Information Selection of TCP/IP Protocol Suite (RFC 2200) Physical transfer medium Application visibility Traditional flow data Flow records L2 Src MAC, Dst MAC L3/L4 Src IP, Src Port, Dst IP, Dst Port, Protocol L7 APCI, ASDU

25 IEC Monitoring Scenario Master Port mirror Flowmon Probe Flow export (IPFIX) Time L2 L3/L4 L7 Flow start Duration Src MAC address Dst MAC address Src IP address Src port Protocol Dst IP address Dst port APCI type Information object type Number of objects Cause of transmission Originator address ASDU address file Analysis Visualization Reporting Anomaly Detection Performance Troubleshooting Slave Volume Packtes Bytes

26 Rolling Capture Buffer In memory buffer for recent packets Buffering of first N (configurable) packets of each flow Rolling buffer with defined capacity (GB) and history (minutes) Integration with packet capture Capture task will also extract packets from buffer Improved triggered capture based on anomaly detection # Flow cache (bidirectional flows) Packet buffer 1 UDP : :53 2 TCP : :80 3 ICMP : :769 4 TCP : :443 CAPTURE TASK STARTED ip

27 Packet Analysis Flowmon SNMP Monitoring The complexity of such systems puts high demands on the knowledge/experience of administrators. These tools are simply to heavy for daily use and majority of use case. Packet analysis tools do not scale to current backbone bandwidth and available budget. Flow-based easy to use and affordable solution to enable network visibility and easy to use troubleshooting. Extendable to application monitoring and security means single platform and lower costs. Flow enriched with L7 visibility and on-demand packet capture is the future of Network Performance Monitoring and Diagnostics. Basic IT infrastructure monitoring to provide network, device and service status. Limited flow support technically inadequate commodity solution. Does not help to troubleshoot, track user experience or contribute to network security.