The hardware used in both the Internet of Things (IoT) and Industrial Control Systems (ICS) have many similarities; both often involve older systems incapable of running detection tools or monitoring agents due to outdated operating systems, resource limitations, proprietary systems and odd protocols such as Modbus and DNP3, amongst other restrictions.
The lack of visibility into these enclaves means that there is little-to-no way to identify if, and when, ICS and/or IoT devices have been compromised until it is too late – but there is hope.
As part of the research into my Black Hat Briefing, I found that the Bro Network Security Monitor is well-suited to detect such attacks.
The Bro Network Security Monitor ships with built-in scripts to monitor both DNP3 and Modbus traffic. These scripts make Bro an excellent choice for detecting attacks within ICS networks. It also has the ability to monitor typical traffic seen on IoT networks, such as HTTP, HTTPS, DNS and many more.
The results of its analysis, not to mention any attacks it happens to detect, are written to log files on the local disk, which can then be collected and normalized by a log management product such as Tripwire Log Center. Finally, threat intelligence can be added onto network security monitoring and/or log management products to enhance Bro’s data by providing additional analysis against known attack vectors. For example, the folks at Critical Stack have worked hard on getting an ARM-based agent available for the Raspberry Pi architecture in both an RPM and a DEB package.
While this is a possible deployment route in data centers and enterprise grade networks, ICS and IoT networks have space and cost limitations that prevent adding in new servers to handle this processing. The advantage of Bro, Critical Stack and even the ELK stack is the amount of resources they require to run. As a result of this, the Raspberry Pi is a suitable candidate to deploy these technologies.
The Raspberry Pi Model B+ is $33.99 on Amazon and comes with a 700 MHz processor and 512MB of RAM, both of which are enough to run Bro in real-time. The limited amount of RAM does limit the Raspberry Pi from running the ELK stack in parallel but this can be overcome by running a second Raspberry Pi or by sending the logs to a centralized log management product via syslog.
For a more condensed hardware footprint, the Raspberry Pi 2 Model B was released in February 2015 and is only slightly higher priced on Amazon, coming in at $42.87. However, the upgraded version comes with a 900 MHz quad-core processor and 1GB of RAM. The additional resources allow both Bro and the ELK stack to run in parallel on the same piece of hardware.
As a proof-of-concept, I built a Raspberry 2 Model B running Bro, Critica-Stack, Losgstash, Elastic Search and Kibana and placed it in-line on my own home network between the router and the rest of my internal network. This setup has been running for more than a month without any issues, using less than half of the available CPU and memory resources on the Raspberry Pi.
This has been an affordable and easy deployment of security detection, alerting, and visualization. Next I will be integrating the threat intelligence into active blocking with the local Raspberry Pi firewall or API hooks into the perimeter firewall.
Title image courtesy of ShutterStock