Monitoring Industrial IoT/Scada Traffic with nDPI and ntopng


Monitoring Industrial IoT and SCADA traffic can be challenging, as most open source monitoring tools are designed for Internet protocols. As this is becoming a hot topic with companies automating production lines, we have decided to enhance the ntop tools to provide our user community with traffic visibility in industrial environments as well. This has required enhancing nDPI to detect these protocols and enhancing ntopng, our monitoring console, to visualize this traffic by providing enhanced protocol dissection on top of which alerts can be triggered.

To date, nDPI supports the Modbus, DNP3 and IEC 60870 protocols. IEC 60870 in particular is very important, as it can be used to detect issues such as

  • Unknown telemetry addresses
  • Connection loss and restore
  • Loss of data coming from remote systems

The standard is quite complex and, if you want to monitor this traffic to trigger alerts using open source software, your choice is limited to custom scripts for the Suricata IDS or Zeek/Malcolm. As ntopng has the ability to trigger alerts by means of user scripts when specific events happen, we have decided to enhance ntopng to dissect this traffic so that it is possible to emit custom alerts when specific communications are detected. In SCADA environments, in fact, companies usually monitor traffic passively instead of actively dropping specific communications when something goes wrong: this is because the risk of dropping the wrong packet is too high compared to the benefit, and it is much better to trigger an alert and handle it than to take that risk.

ntopng has been extended to continuously monitor IEC 60870 communications (i.e. not just the first few packets of a communication) and dissect individual PDUs. This way users can trigger alerts by means of ntopng user scripts. The flexibility introduced in ntopng 4.1.x, where scripts can be bound to host pools, allows custom script configurations to be created for specific devices, so that each device family can (potentially) have its own custom ruleset.

The above picture shows how an IEC 60870 communication is detected and reported by ntopng, which complements the usual metrics (latency, throughput, retransmissions, …) with protocol-specific information that can be used to detect anomalies and trigger alerts.

You can generate alerts when specific unexpected messages are reported (ntopng Enterprise L is required). This is done in a few steps:

  • Edit the flow scripts by clicking on the button shown below.

  • Make sure the IEC script is enabled and specify, as a comma-separated list, the TypeIDs allowed for your traffic.

From this point on, ntopng will report communications with unexpected TypeIDs, which you can export to email, Slack, Discord, … using the ntopng endpoint/recipient mechanism of version 4.1.x.

In the alerts page you can also see how many times a certain unexpected TypeID has been reported (Count column), together with other alarm details.
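As an added illustration of the check described above (example code written for this post, not ntopng's or nDPI's own implementation), the following Python walks the IEC 60870-5-104 APDUs in a TCP payload, reads the ASDU TypeID of each I-format frame and counts the ones outside an allow-list, much like the Count column reports them. The frames, addresses and the allow-list are constructed values, not captured traffic.

```python
from collections import Counter

START_BYTE = 0x68   # every IEC 60870-5-104 APDU begins with this octet


def iter_apdus(payload: bytes):
    """Yield (control, asdu) for every APDU in one TCP payload.
    The length octet counts everything after itself, so several
    APDUs may be packed back to back in a single segment."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload) or payload[off] != START_BYTE:
            raise ValueError(f"bad start byte at offset {off}")
        length = payload[off + 1]
        end = off + 2 + length
        if length < 4 or end > len(payload):
            raise ValueError(f"truncated APDU at offset {off}")
        yield payload[off + 2:off + 6], payload[off + 6:end]
        off = end


def apdu_format(control: bytes) -> str:
    """I/S/U format is encoded in the two low bits of control octet 1."""
    low = control[0] & 0x03
    if low & 0x01 == 0:
        return "I"          # information transfer: carries an ASDU
    return "S" if low == 0x01 else "U"


def unexpected_typeids(segments, allowed) -> Counter:
    """Count ASDU TypeIDs of I-frames that are not in the allow-list
    (the same kind of check the IEC flow script performs; the values
    returned here are what a Count column would show)."""
    hits = Counter()
    for seg in segments:
        for control, asdu in iter_apdus(seg):
            if apdu_format(control) != "I":
                continue    # S/U frames carry no ASDU
            if len(asdu) < 6:   # TypeID, VSQ, COT(2), common address(2)
                raise ValueError("ASDU header too short")
            if asdu[0] not in allowed:
                hits[asdu[0]] += 1
    return hits


# Constructed frames (not captured traffic): CA=1, one information object each
U_STARTDT = bytes.fromhex("680407000000")                        # U-frame STARTDT act
I_SP = bytes.fromhex("680e00000000" "010103000100" "640000" "01")  # M_SP_NA_1 (TypeID 1), IOA 100
I_SC = bytes.fromhex("680e02000000" "2d0106000100" "c80000" "01")  # C_SC_NA_1 (TypeID 45), IOA 200

if __name__ == "__main__":
    print(unexpected_typeids([U_STARTDT, I_SP + I_SC, I_SC], allowed={1, 100}))
```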

ntop acknowledges switch.ch for introducing us to the topic and for assisting us while developing the IoT/Scada extensions.

Happy IoT and Scada monitoring!