> This is detectable based on traffic matrix changes, even when all traffic is 
> encrypted.

With good encryption you can only know that A connected to B.
You cannot know that A connected to B and attempted to read configuration data.

> Certificates are typically tied to the identities of devices in ways that are 
> verifiable.

This could be detected with encrypted traffic since it would have to check 
the certificates used during key negotiation. 

> Could you explain what a PLC is?

Programmable Logic Controller. It typically is connected to other devices that 
use non-IP interfaces to control some physical system, e.g. a temperature 
sensor whose current reading is proportional to the amount of current that flows 
in the connecting wire.

> Also, I don't understand how plaintext traffic would prevent writes at 
> inopportune times?

It is not about preventing writes. That has to be handled by access control 
(i.e. the PLC would reject the attempt to write). But the fact that the write 
was even attempted is a red flag that needs investigation. The only way to 
detect these kinds of red flags is if the message contents can be analyzed.

That said, logging on the PLC could also be used to detect this particular issue. 
Doing it with network-wide packet analysis is a feature offered by numerous 
off-the-shelf threat detection packages (e.g. 
https://www.dragos.com/platform/threat-detection/), so factory owners often look 
for solutions that work with these kinds of packages. It is also a lot less 
intrusive to monitor network traffic in real time than to configure all the OT 
devices to publish their logs to a central location for analysis.
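The contrast drawn in this reply (with encryption a monitor learns only that A connected to B; seeing the write attempt requires message contents) can be shown with a small detector. The code below is an added illustration, not code from this thread, from OPC, or from any of the packages mentioned. It runs two checks over the same constructed set of connection records: a traffic-matrix check (new source/destination pairs against a learned baseline, which needs only connection metadata) and an untimely-write check (a PLC write outside a maintenance window, which needs the decoded operation). Device names, the baseline, the maintenance window and the `operation` field standing in for a decoded OPC UA or Modbus request are all constructed assumptions.

```python
"""Added example: what a passive OT monitor can and cannot detect depending on
whether request contents are visible. All names, flows and windows are constructed."""
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed client->server exchange. `operation` is the request type a
    content-aware monitor decoded ("read"/"write"); None when the payload is opaque."""
    ts: datetime
    src: str
    dst: str
    operation: Optional[str]


# Constructed baseline: the (src, dst) pairs seen during normal operation.
BASELINE: Set[Tuple[str, str]] = {
    ("hmi-1", "plc-7"),
    ("scada-srv", "plc-7"),
    ("scada-srv", "hmi-1"),
}

# Constructed maintenance window during which PLC configuration writes are expected.
MAINT_WINDOW = (time(2, 0), time(4, 0))


def traffic_matrix_anomalies(flows: List[Flow], baseline=BASELINE) -> List[Tuple[str, str]]:
    """Scenario 1 style check: pairs never seen in the baseline. Needs only
    connection metadata, so it works equally on encrypted traffic."""
    return sorted({(f.src, f.dst) for f in flows if (f.src, f.dst) not in baseline})


def in_maintenance_window(ts: datetime, window=MAINT_WINDOW) -> bool:
    start, end = window
    return start <= ts.time() < end


def untimely_write_attempts(flows: List[Flow], window=MAINT_WINDOW) -> List[Flow]:
    """Scenario 3 style check: write requests outside the maintenance window.
    Whether the PLC rejected the write is irrelevant; the attempt is the red flag.
    This only fires when `operation` was decodable from the message contents."""
    return [f for f in flows
            if f.operation == "write" and not in_maintenance_window(f.ts, window)]


def as_opaque(flows: List[Flow]) -> List[Flow]:
    """Model the encrypted case: the monitor still sees who talked to whom,
    but the request type is unknown."""
    return [replace(f, operation=None) for f in flows]


# Constructed sample: one planned write, routine reads, one misconfigured write
# at 09:05, and a device probing hosts outside its role.
SAMPLE_FLOWS = [
    Flow(datetime(2022, 9, 30, 2, 15), "scada-srv", "plc-7", "write"),
    Flow(datetime(2022, 9, 30, 9, 0), "hmi-1", "plc-7", "read"),
    Flow(datetime(2022, 9, 30, 9, 5), "hmi-1", "plc-7", "write"),
    Flow(datetime(2022, 9, 30, 9, 7), "hmi-1", "plc-9", "read"),
    Flow(datetime(2022, 9, 30, 9, 8), "hmi-1", "eng-ws", "read"),
]


def report(flows: List[Flow]) -> dict:
    """Summarize both checks for a set of flows."""
    return {
        "matrix_anomalies": traffic_matrix_anomalies(flows),
        "untimely_writes": [(f.src, f.dst, f.ts.strftime("%H:%M"))
                            for f in untimely_write_attempts(flows)],
    }


if __name__ == "__main__":
    print("content visible:", report(SAMPLE_FLOWS))
    print("payload opaque: ", report(as_opaque(SAMPLE_FLOWS)))
```

On the constructed data the traffic-matrix check reports the same two unexpected pairs in both views, while the 09:05 write to plc-7 is reported only when the request type is visible; in the opaque view the misconfigured write is indistinguishable from the routine read that preceded it, which is the point the reply is making.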

-----Original Message-----
From: Lars Eggert <[email protected]> 
Sent: Friday, September 30, 2022 7:39 PM
To: Randy Armstrong (OPC) <[email protected]>
Cc: Eliot Lear <[email protected]>; Phillip Hallam-Baker <[email protected]>; 
[email protected]
Subject: Re: Request for Authenticated but not Encrypted Traffic

Hi,

thanks for describing scenarios!

On 2022-9-30, at 13:32, Randy Armstrong (OPC) 
<[email protected]> wrote:
> Scenario 1) A device with a trusted certificate is compromised and starts 
> probing other devices in the network in ways that make no sense given its 
> role.

This is detectable based on traffic matrix changes, even when all traffic is 
encrypted.

> Scenario 2) A connection from a device is established using a valid 
> certificate that was not assigned to that device.

Certificates are typically tied to the identities of devices in ways that are 
verifiable.

> Scenario 3) A device is misconfigured and attempts a valid write to a PLC at 
> a time when the configuration of the PLC should not be changing.

Could you explain what a PLC is?

Also, I don't understand how plaintext traffic would prevent writes at 
inopportune times?

Thanks,
Lars