A protocol analyzer that produces raw output is which of the following?
Options:
A.
tcpdump
B.
Wireshark
C.
Capsa
D.
Commview
Answer:
A
Explanation:
tcpdump is a powerful command-line packet analyzer used primarily on UNIX and UNIX-like operating systems; it captures and displays TCP/IP and other packets being transmitted or received on a network to which the computer is attached.
Unlike graphical tools such as Wireshark, tcpdump writes the raw packet capture output directly to the terminal or to a specified file, making it well suited to deep-dive network analysis, especially in environments where no graphical user interface is available.
tcpdump uses the libpcap library to capture packet data, and it supports a wide range of command-line options for filtering and displaying packet information according to the user's needs.
References:
"tcpdump manual page," by the Tcpdump Group.
"Practical Packet Analysis Using Wireshark to Solve Real-World Network Problems," by Chris Sanders, No Starch Press.
Question 9
Which of the following is a component of an IDS?
Options:
A.
All of these
B.
Respond
C.
Detect
D.
Monitor
Answer:
A
Explanation:
An Intrusion Detection System (IDS) is designed to monitor network or system activities for malicious activities or policy violations and can perform several functions:
Monitor: Observing network traffic and system activities for unusual or suspicious behavior.
Detect: Identifying potential security breaches, including both known threats and unusual activities that could indicate new threats.
Respond: Executing pre-defined actions to address detected threats, which can include raising alerts or triggering automatic countermeasures.
References:
Cisco Systems, "Intrusion Detection Systems".
Question 10
Which of the following ports are used for communications in Modbus TCP?
Options:
A.
205
B.
405
C.
505
D.
502
Answer:
D
Explanation:
Modbus TCP is a variant of the Modbus family of simple, networked protocols aimed at industrial automation applications. Unlike the original Modbus protocol, which runs over serial links, Modbus TCP runs over TCP/IP networks.
Port 502 is the standard TCP port used for Modbus TCP communications. This port is designated for Modbus messages encapsulated in a TCP/IP wrapper, facilitating communication between Modbus devices and management systems over an IP network.
Knowing the correct port number is crucial for network configuration, security settings, and troubleshooting communications within a Modbus-enabled ICS/SCADA environment.
References:
"Modbus TCP/IP – A Comprehensive Network Protocol," by Schneider Electric.
Question 11
What version of SMB did the WannaCry ransomware attack?
Options:
A.
All of these
B.
2
C.
1
D.
3
Answer:
C
Explanation:
The WannaCry ransomware primarily exploited vulnerabilities in the SMB (Server Message Block) version 1 protocol to propagate across networked systems. Microsoft had identified vulnerabilities in SMBv1, which were exploited by the EternalBlue exploit to spread the ransomware. This led to widespread infections, particularly on systems that had not applied the security updates released to patch the vulnerability.
References:
Microsoft Security Bulletin MS17-010, "Security Update for Microsoft Windows SMB Server".