Profinet, DNP3, Modbus and BACnet: Using DPI to decode IIoT traffic

Sebastian Müller portrait

By Sebastian Müller
Published on: 27.10.2022

Operational technology (OT) involves the gathering, storage and transmission of information in industrial environments. OT operates on specific traffic protocols such as Profinet, Profibus, Modbus and BACnet. These OT protocols are used to link up machines and sensors with controllers to manage information flows in real time over a customized, closed data network. OT protocols can be IP or non-IP-based, and are used primarily to monitor and control production processes, as well as to enable industrial and building automation and manage industrial safety.

Advancements in cellular networks (such as 4G and 5G) and low-power wide area networks (LPWANs), such as narrowband (NB) IoT, Long Range (LoRA) WAN, sigfox and LTE-m, coupled with big data capabilities and unprecedented computing speeds facilitated the rise to the Internet of things (IoT). Industries were quick to catch on, extending the IoT into the Industrial IoT (IIoT). This saw the emergence of IIoT protocols such as

  • Message Queuing Telemetry Transport (MQTT)
  • Constrained Application Protocol (CoAP)
  • OPC Unified Architecture (OPC UA)
  • Advanced Message Queuing Protocol (AMQP) and
  • DNP3

With IIoT protocols, localized industrial networks now connect to remote servers in the cloud, allowing enterprises to manage a pool of industrial equipment or a swarm of cattle sensors from anywhere in the world.

Machine visibility

Both OT and IIoT networks need visibility, and this is where deep packet inspection (DPI) tools such as R&S®PACE 2 come in. DPI tools classify protocols and applications in real time by using pattern matching as well as behavioral, statistical and heuristic analysis. Our DPI engine also leverages machine learning and deep learning. In the context of IIoT, R&S®PACE 2 can deliver real-time network intelligence by identifying IIoT protocols and applications.

The information on the classified IIoT protocols can be used to deliver traffic analysis of the different IIoT applications, devices, OT networks, plants and regions. The use of identifiers in the adapters connecting non-IP networks to IP networks enables enterprises to deploy R&S®PACE 2 across virtually any IIoT network as long as it is backhauled through an IP-based protocol. Based on their IIoT network design, enterprises can choose to deploy R&S®PACE 2 in any of these points – the enterprise LAN; an edge cloud that is connected via 5G or an IP edge network; a data center connected via the enterprise WAN or an IP backbone network; or a public cloud.

Network and machine troubles

The biggest use of DPI software in IIoT will be network management. R&S®PACE 2’s granular insights cover speeds, bandwidth, latency, jitter, packet loss and round-trip times. These metrics can be used to identify the performance of various networks powering an enterprise IIoT application. This can be a specific LAN, edge, WAN or data center network, or a route on a public network. Network issues such as congestion, routing errors, bottlenecks, network function errors and hardware malfunction covering CPEs and gateways become clear by analyzing traffic attributes along these different pathways and processing nodes.

R&S®PACE 2’s granular insights also enable enterprises to identify machine performance. Traffic pattern analysis reveals changes in a machine’s communication in terms of packet sizes, frequency, throughput, speeds and latencies. A sudden change in these patterns can allude to power or hardware issues, software errors, congestion or mechanical breakdown in the IIoT network.

Application jitters

Interestingly, in IIoT, the performance of the factory floor is now decided by remotely controlled cloud-based applications. Issues with these applications, spanning code errors, non-responsive APIs, database mix-ups, insufficient storage space or congested web servers, can impact ground operations. The DPI engine R&S®PACE 2, with its ability to single out specific application flows, can measure application performance and responsiveness across different tasks and events.

Fear of Devil’s Ivy

Security requirements for legacy OT networks differ from those of today. While traditional OT revolves around the circulation of information between equipment that is only meters apart, today, a machine in a remote part of Brazil could send sensitive and confidential information, or crucial instructions and real-time commands to another machine in the center of Amsterdam. This significantly augments the cybersecurity risks of OT networks given that points of network entry and manipulation now span the entire machine-to-cloud network. As a consequence, threat actors can now target industrial assets. The Rube Goldberg Attack (RGA) for example uses a chained attack dubbed ‘Devil’s Ivy’ to move from one IIoT device to another before entering the enterprise’s servers.1 In 2014, hackers used spear phishing on a German steel mill’s corporate network to gain access to its OT network. From there, they manipulated OT software to corrupt the plant’s machinery, leading to an explosion2.

Our deep packet inspection software R&S®PACE 2 can help secure IIoT networks by equipping security tools with real-time deep insights on traffic that is anomalous, malicious or suspicious. These tools include firewalls, multi-protocol device and access management, security gateways, data protection, intrusion detection/prevention and anti-malware. R&S®PACE 2 metadata extraction provides an understanding of detailed low-level information including message types and their associated values. Combined with the device ID, R&S®PACE 2 can pinpoint the source of such attacks – whether it is within the production environment, the enterprise network or the Internet. A malware attack that aims to corrupt a plant’s Safety Instrumented System (SIS) for example, can reveal itself in the form of a surge in traffic from its physical controllers. These controllers can be communicating with unrecognized IP addresses in greater frequency, or they can be actively sending and receiving information during irregular hours.

A particularly important aspect to securing IIoT is the implementation of access control. Given that cloud-based applications can be accessed from any public connection, using R&S®PACE 2 to analyze login patterns against accessors’ IP address and location data in real time can determine if unauthorized persons have penetrated the network. Similarly, a sudden surge in requests from distributed sources atypical of an enterprise user network can point to DDoS attacks. Insider threats, while difficult to detect, can become apparent via irregularities in file downloads, file transfers and login attempts, which can be detected using R&S®PACE 2’s protocol and application classification analysis on employee traffic.

An improved network plan

A large part of IIoT still relates to ground-level communication between machines. As such, a vital part in ensuring an efficient IIoT network is the network design and architecture within the production environment. Within the constraints of fixed infrastructure and layouts, data from our DPI engine R&S®PACE 2 can be used to design better networks in terms of the choice of last mile LPWAN and Personal Area Network (PAN) technologies and the placement of network devices such as wireless access points, in-building routers, CPEs and network gateways. As different wireless technologies transmit data at different ranges and intensities, R&S®PACE 2’s analysis helps to minimize latencies and bottlenecks, especially in traffic-intensive environments that involve mobile machines and mobile tracking (for example in underground coal mines).

Be it an oil drilling site, a dairy factory or a high-end precision manufacturing plant – real-time DPI analysis by tools such as R&S®PACE 2 will enable enterprises to use the power of IIoT to scale and automate their production, introduce new levels of intelligence in machines and improve overall production efficiencies while safeguarding their investments. With their IIoT networks fully monitored and secured, enterprises can sit back and let the machines run the show.


Sources

[1] https://www.turn-keytechnologies.com/blog/article/from-stuxnet-to-industroyer-the-biggest-hacks-in-the-history-of-the-industrial-iot/
[2] https://www.turn-keytechnologies.com/blog/article/from-stuxnet-to-industroyer-the-biggest-hacks-in-the-history-of-the-industrial-iot/

Sebastian Müller portrait

Sebastian Müller

Contact me on LinkedIn

Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.

Email: Seb.Mueller@rohde-schwarz.com
ipoque blog - discover the latest news and trends in IP network analytics

Sign up for the ipoque newsletter

Stay informed about the latest advances and trends in
deep packet inspection and network traffic visibility