PAN-OS 8.0: New Non-IP Protocol Control Feature Secures ICS Layer-2 Networks


A key reason for the growing adoption of our Next-Generation Firewall within OT environments is our App-ID technology, which enables Layer-7 visibility and control over many ICS/SCADA protocols and applications, both standards-based and vendor-specific. Furthermore, through App-ID decoders, users can create dozens of command- and/or function-level custom App-IDs to bring even deeper insight and control.

So far, our ICS/SCADA protocol security capabilities have been for IP-based traffic, but with our new PAN-OS 8.0 release, we are excited to announce a new feature called non-IP protocol control for controlling Ethernet traffic. This feature enhances the zone protection profile with the ability to create and apply a filter to any zone that blocks or explicitly permits traffic based on the EtherType value in the Ethernet header.

An example of where this could be applied in ICS is in the growing area of IEC 61850 substation automation. IEC 61850 is a family of protocols that includes both IP-based and Ethernet-based protocols. One of these Ethernet-based protocols is GOOSE (EtherType 0x88B8). Without getting into the details, due to the strict real-time performance requirements of IEC 61850, encryption was excluded from the standard. Furthermore, although GOOSE message authentication was defined in the IEC 62351-6 standard, it adds complexity and costs performance when enforced. Hence, most practical implementations will not have either of these security features turned on and are therefore vulnerable to cyberattacks. In fact, several research studies have validated the feasibility of GOOSE-related cyberattacks across different attack classes, such as modification, denial of service and replay.

As a basic example of attack and defense, consider a scenario where an attacker has successfully made their way into the business/engineering area of a substation network. This could be via a pivot from the control center or perhaps from a Wi-Fi network at the substation used for maintenance. Once present on the LAN, the attacker could initiate a GOOSE DoS attack or send specially crafted GOOSE packets into the IEC 61850 VLAN that may cause erratic behavior, poor performance, loss of service (opening relays), or even damage to equipment. With the non-IP protocol control feature, users can define a zone protection profile that blocks GOOSE traffic into the IEC 61850 zone, thereby preventing the attack and the associated undesirable events. Attack scenarios from the IEC 61850 zone "upstream" to the business zone seem to be less of a concern, but a zone protection profile in that direction could also be easily applied.

Although less research has been published on attack cases for Sampled Values (SV) and GSE management, the other IEC 61850 protocols with their own EtherTypes, the non-IP protocol control feature can also be applied to them by simply filtering their respective EtherTypes, 0x88B9 and 0x88BA. This could be useful as future attack cases for SV and GSE management are discovered.
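To make the mechanism behind the two paragraphs above concrete, here is an added Python example (not Palo Alto Networks code, and not a model of how PAN-OS implements the feature internally) that parses the EtherType out of Ethernet II frames, skips a single 802.1Q VLAN tag so that GOOSE carried in the IEC 61850 VLAN is classified by its real EtherType rather than 0x8100, and applies a per-zone filter in either block-list or explicit-allow mode, the two modes the post describes. The frames, MAC addresses, zone names and the `EtherTypeFilter` class are all constructed for illustration; only the EtherType values 0x88B8, 0x88B9 and 0x88BA come from the post.

```python
import struct

# EtherType values named in the post (IEC 61850 Layer-2 protocols) plus the
# common IP-side values needed to show a mixed stream. The sample frames and
# the EtherTypeFilter class below are constructed for this example and are a
# hypothetical stand-in for a zone protection profile, not vendor code.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag; the payload EtherType follows the tag
ETHERTYPE_GOOSE = 0x88B8
ETHERTYPE_SV = 0x88B9     # Sampled Values
ETHERTYPE_GSE = 0x88BA    # GSE management


def parse_ethertype(frame: bytes):
    """Return (ethertype, vlan_id) for an Ethernet II frame.

    One 802.1Q tag is skipped so that VLAN-tagged GOOSE, the normal case in a
    substation VLAN, is classified by its payload EtherType, not by 0x8100.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
    return ethertype, vlan_id


class EtherTypeFilter:
    """Per-zone EtherType policy (hypothetical model).

    mode 'block': listed EtherTypes are denied, everything else permitted.
    mode 'allow': only listed EtherTypes are permitted (default deny).
    """

    def __init__(self, zone, mode, ethertypes):
        if mode not in ("block", "allow"):
            raise ValueError("mode must be 'block' or 'allow'")
        self.zone = zone
        self.mode = mode
        self.ethertypes = frozenset(ethertypes)

    def verdict(self, ethertype):
        listed = ethertype in self.ethertypes
        if self.mode == "block":
            return "deny" if listed else "permit"
        return "permit" if listed else "deny"


def build_frame(ethertype, payload=b"", vlan_id=None):
    """Construct a minimal Ethernet II frame; the MAC addresses are made up."""
    dst = bytes.fromhex("010ccd010001")  # constructed multicast destination
    src = bytes.fromhex("0200000000aa")  # constructed locally administered source
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def evaluate(frames, policy):
    """Classify each (label, frame) and return [(label, ethertype, vlan_id, verdict)]."""
    results = []
    for label, frame in frames:
        ethertype, vlan_id = parse_ethertype(frame)
        results.append((label, ethertype, vlan_id, policy.verdict(ethertype)))
    return results


# Ingress policy for the IEC 61850 zone from the business/engineering side:
# block the three IEC 61850 Layer-2 EtherTypes and permit everything else.
IEC61850_INGRESS = EtherTypeFilter(
    "iec61850", "block", {ETHERTYPE_GOOSE, ETHERTYPE_SV, ETHERTYPE_GSE})

# Constructed sample traffic as it might arrive from the business zone.
SAMPLE_FRAMES = [
    ("goose-tagged", build_frame(ETHERTYPE_GOOSE, b"\x61\x00", vlan_id=100)),
    ("sv-untagged", build_frame(ETHERTYPE_SV, b"\x60\x00")),
    ("gse-mgmt", build_frame(ETHERTYPE_GSE, b"\x00")),
    ("ipv4", build_frame(ETHERTYPE_IPV4, b"\x45\x00")),
    ("arp-tagged", build_frame(ETHERTYPE_ARP, b"\x00\x01", vlan_id=100)),
]


def denied_labels(frames=SAMPLE_FRAMES, policy=IEC61850_INGRESS):
    """Labels of the sample frames the policy would drop."""
    return [label for label, _, _, v in evaluate(frames, policy) if v == "deny"]


if __name__ == "__main__":
    for label, et, vid, verdict in evaluate(SAMPLE_FRAMES, IEC61850_INGRESS):
        print(f"{label:14s} ethertype=0x{et:04X} vlan={vid} -> {verdict}")
```

Running the block drops the three IEC 61850 frames and passes the IPv4 and ARP frames, which is the behaviour the post describes for the business-to-IEC 61850 direction. The VLAN handling is the detail worth checking in any real deployment: a filter that matched only the outer EtherType would see 0x8100 on tagged GOOSE and never block it. For the IEC 61850 zone itself, the same class in "allow" mode expresses the stricter default-deny posture, where only the protocols the substation actually needs are listed.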

If you are interested in learning more about how you can better secure your industrial control systems with App-ID and the other elements of our platform, please check out our Security Reference Blueprint White Paper for ICS/SCADA and our tech brief on App-ID for ICS/SCADA. If you are interested in learning about all that the new PAN-OS 8.0 has to offer, please visit our PAN-OS 8.0 page.

[Palo Alto Networks Research Center]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
