The software provided here serves as a PoC implementation. The corresponding paper was presented at the ICS-CSR 2018.
Owing to a growing number of attacks, the assessment of Industrial Control Systems (ICSs) has gained in importance. An integral part of an assessment is the creation of a detailed inventory of all connected devices, enabling vulnerability evaluations. For this purpose, scans of networks are crucial. Active scanning, which generates irregular traffic, is a method to get an overview of connected and active devices. Since such additional traffic may lead to an unexpected behavior of devices, active scanning methods should be avoided in critical infrastructure networks. In such cases, passive network monitoring offers an alternative, which is often used in conjunction with complex deep-packet inspection techniques. There are very few publications on lightweight passive scanning methodologies for industrial networks. In this paper, we propose a lightweight passive network monitoring technique using an efficient Media Access Control (MAC) address-based identification of industrial devices. Based on an incomplete set of known MAC address to device associations, the presented method can guess correct device and vendor information. Proving the feasibility of the method, an implementation is also introduced and evaluated regarding its efficiency. The feasibility of predicting a specific device/vendor combination is demonstrated by having similar devices in the database. In our ICSi testbed, we reached a host discovery rate of 100% at an identification rate of more than 66%, outperforming the results of existing tools.
The device discovery is working completely passive with ARP requests broadcasted to the network. From these broadcasts, the MAC address is used to look up devices with a similar MAC address in the database of macDetec. If the found device is within a certain range of a known device, it is likely that these devices are the same product.
With the above information a vulnerability mapping is done by querying the cve-details web API.
The testbed used for the evaluation can be seen in the following figure.
Install libpcap-dev for the analyzis of network captures (pcap).
sudo apt install libpcap-dev
Install all dependencies necessary to run macDetec.
python3 -m pip install .
The paper can be accessed over BCS.
@inproceedings{niedermaier2018efficient,
title={Efficient Passive ICS Device Discovery and Identification by MAC Address Correlation},
author={Niedermaier, Matthias and Hanka, Thomas and Plaga, Sven and von Bodisco, Alexander and Merli, Dominik},
booktitle={5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)},
year={2018}
}