Deep Packet Inspection approaches to OT network security
Originally published on February 26, 2021 by Shaun Behrens
Last updated on August 31, 2021
In a recent article, I wrote about how cybersecurity is one of the top challenges that industrial IT faces over the next few years. Aside from the exponential rise in cyberattacks, such as DoS, ransomware and trojan attacks, IT/OT convergence places industrial IT networks at more risk than in the past.
The main reason is that OT networks are being opened up to connect with new systems and devices, and this gives the outside world more access to OT. At the same time, standard security concepts from the IT world do not necessarily apply to OT. For example: patching devices is a fundamental part of IT security, but is more difficult to execute for OT.
Additionally, OT networks have their own requirements, such as prohibiting third parties from introducing traffic in the network. This makes it harder to introduce traditional IT security strategies like network monitoring.
But while opening up OT due to digitization and convergence makes protecting OT challenging, it is possible with the correct strategies. Let's take a look at a concept called Deep Packet Inspection, and how it can be applied as part of a Defense in Depth approach for more granular control in OT networks.
Defense in Depth in industrial IT
In order to protect OT networks, several specialized defense layers are required. This concept, known as “Defense in Depth”, operates on the assumption that if you have multiple layers of security, you keep your core network safer.
For OT, network segmentation can offer one layer of protection. This might mean that the OT network is separated from the IT network by an industrial demilitarized zone (vertical segmentation), or the OT network itself is separated into several “zones” (horizontal segmentation). Segmentation makes it harder for threats to get to the network, and if they do, it’s harder still to compromise other areas of the network.
Industrial firewalls commonly provide another layer. Just like firewalls in IT networks, these protect Industrial Control Systems by preventing unwanted traffic from entering the network.
Defense in Depth requires more than segmentation and firewalls, because OT networks need more granular control. A firewall simply allows or blocks certain traffic; for OT networks, you need to go a step further. For example, you might need to allow only read functions for data transmitted with a certain protocol while blocking any write functions for that protocol.
This need for more granular control is where Deep Packet Inspection comes in.
Deep Packet Inspection (DPI)
This is a mechanism where the contents of data packets are examined, from the packet header down to the payload, to identify the protocol and the functions associated with that data packet. The data can also be checked against a set of rules to ensure that it is not anomalous. This allows more complex and detailed rules to be applied than a firewall can manage.
DPI forms the basis for two specific cybersecurity strategies for OT: Industrial Intrusion Prevention Systems and Industrial Intrusion Detection Systems. In an OT environment, both IPS and IDS are devices or systems that operate within the network and, depending on the system in use, either block anomalous data or trigger a notification when it is discovered.
Industrial Intrusion Prevention System (IPS)
Industrial Intrusion Prevention Systems allow users to define granular rules for which protocols and functions (such as read and write) are permitted in the network. Data packets are analyzed using DPI, and if unauthorized protocols or functions are found based on the defined rules, the activity is blocked and reported.
Industrial Intrusion Detection System (IDS)
An IDS, on the other hand, monitors traffic in the OT network by examining the packet header and payload of data packets (again using DPI) to understand where the packet originated, where it’s headed, and what functions it will perform. When anomalous data (such as newly connected devices, unknown data types, malware behavior, unexpected PLC programming, and so on) is identified, a notification is triggered. Parameters that trigger notifications can be tuned, and notifications can be filtered by type.
The difference between IPS and IDS
The core difference between an IPS and IDS is that an IPS can block certain traffic or even modify packets based on predefined rules, while an IDS functions primarily as a network monitor and notification tool. The option that you deploy in your architecture will depend on your specific requirements and infrastructure.
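To make the IPS/IDS distinction concrete, here is an added example (not code from the original article or from any product it describes) of a minimal deep packet inspector. It assumes Modbus/TCP as the industrial protocol, which the article does not name; the frame layout is the standard 7-byte MBAP header followed by the PDU, and the function codes are the public ones from the Modbus application protocol specification. The IPS policy allows only read function codes toward the PLC and blocks writes, as in the "read but not write" example earlier in the article; the IDS baseline learns which devices and function codes were seen during a learning phase and raises typed notifications (new device, unknown function, malformed frame) without blocking. Host addresses and frames are constructed test data.

```python
import struct
from dataclasses import dataclass, field

# Public Modbus function codes (Modbus application protocol spec).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int


def parse_modbus_tcp(src, dst, payload):
    """DPI step: decode the MBAP header (transaction id, protocol id, length, unit id)
    and the function code that follows it. Malformed frames raise ValueError."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    # The length field counts unit id + PDU; enforce it so a bad header cannot desync parsing.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(src, dst, tid, unit, payload[7])


def function_name(fc):
    return READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS.get(fc) or f"function code {fc}"


@dataclass
class IpsPolicy:
    """IPS: an allow-list of function codes; anything else is blocked and reported."""
    allowed_functions: set

    def verdict(self, req):
        if req.function_code in self.allowed_functions:
            return "ALLOW", function_name(req.function_code)
        return "BLOCK", f"{function_name(req.function_code)} not permitted by policy"


@dataclass
class IdsBaseline:
    """IDS: a learned baseline of devices and functions; deviations only raise notifications."""
    known_devices: set = field(default_factory=set)
    known_functions: set = field(default_factory=set)

    def learn(self, req):
        self.known_devices.add(req.src)
        self.known_functions.add(req.function_code)

    def observe(self, req):
        alerts = []
        if req.src not in self.known_devices:
            alerts.append(("new-device", f"{req.src} was not seen during baselining"))
        if req.function_code not in self.known_functions:
            alerts.append(("unknown-function", f"{function_name(req.function_code)} not in baseline"))
        return alerts


def inspect(frames, policy, baseline, notify_types=None):
    """Run every frame through DPI, the IPS policy and the IDS baseline.
    notify_types lets the operator filter which notification types are reported."""
    results = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as err:
            results.append({"src": src, "dst": dst, "function": None, "verdict": "BLOCK",
                            "reason": str(err), "alerts": [("malformed", str(err))]})
            continue
        verdict, reason = policy.verdict(req)
        alerts = [a for a in baseline.observe(req) if notify_types is None or a[0] in notify_types]
        results.append({"src": src, "dst": dst, "function": req.function_code,
                        "verdict": verdict, "reason": reason, "alerts": alerts})
    return results


def mbap(tid, pdu, unit=1):
    """Build a Modbus/TCP frame: MBAP header (length = unit id + PDU) followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed hosts and frames (hypothetical addresses, not from the article).
PLC, HMI, UNKNOWN_HOST = "192.0.2.10", "192.0.2.20", "192.0.2.99"
BASELINE_FRAMES = [(HMI, PLC, mbap(1, bytes([3, 0, 0, 0, 10])))]      # HMI reads registers
SAMPLE_FRAMES = [
    (HMI, PLC, mbap(2, bytes([3, 0, 0, 0, 10]))),                      # read holding registers
    (HMI, PLC, mbap(3, bytes([6, 0, 5, 0, 1]))),                       # write single register
    (UNKNOWN_HOST, PLC, mbap(4, bytes([16, 0, 0, 0, 1, 2, 0, 1]))),    # write multiple registers
    (HMI, PLC, b"\x00\x05\x00\x00"),                                   # truncated frame
]


def run_demo():
    policy = IpsPolicy(allowed_functions=set(READ_FUNCTIONS))
    baseline = IdsBaseline()
    for src, dst, payload in BASELINE_FRAMES:
        baseline.learn(parse_modbus_tcp(src, dst, payload))
    return inspect(SAMPLE_FRAMES, policy, baseline)


if __name__ == "__main__":
    for r in run_demo():
        print(r["src"], "->", r["dst"], r["verdict"], r["reason"], r["alerts"])
```

The same parsed request feeds both components, which is the practical point: the IPS policy is the enforcing layer (the write from the HMI is blocked even though the HMI is a known device), while the IDS baseline is the monitoring layer (the unknown host and the never-seen function codes each produce a typed notification that an operator can filter on). Passing `notify_types={"new-device"}` to `inspect` shows the filtering the article mentions.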
While this article is a fairly simplified, high-level overview of Deep Packet Inspection and IPS and IDS, the issue of cybersecurity in OT is far more nuanced and complex. In the near future, we’ll take a more detailed look at how IPS and IDS work, as well as cover other OT cybersecurity topics. Make sure you subscribe to our blog newsletter so you don’t miss those posts, or any of our other industrial IT articles.