The threats of anomalies in Industrial Control Systems

During the Rhebo - Industry 4.0 Stability and Security Audit, industrial companies and operators of critical infrastructure gain complete transparency of their Industrial Control System (ICS). All suspicious componentes, connections and communication processes are identified. The results enable those responsible for cybersecurity to immediately eliminate threats and to secure their ICS.

The following examples showcase typical results from Rhebo audits and the identified technical error state anomalies.

Also, explore the anomalies that threaten the cybersecurity of ICS.

Remedying Communication Errors

  • Analysis

    Rhebo Industrial Protector identified devices which sent TCP packets with incorrect checksums. The checksum validates, if the respective communication has been transmitted correctly.

     

    TCP checksum errors usually indicate transmission problems due to faulty network components.

  • Productivity Threat

    Incorrect communication can endanger process stability.

     

    Threats:

    • costs due to technical disruptions
    • financial loss due to increased downtimes

Exchanging Damaged Equipment

  • Analysis

    The communication pattern shows errors in the transmission of cyclical messages in the ICS. The messages are sent too early, too late or are completely missing.

     

    Errors in cyclical messages indicate increased latencies in the network.

     

    The reasons can be misconfigurations, software errors or dysfunctional equipment.

  • Productivity Threat

    Errors in cyclical messages impair real-time processes in particular, which are dependent on a time-critical delivery of data. This can seriously disrupt production processes.

     

    Threats:

    • costs due to disruptions, troubleshooting and repairs
    • financial loss due to increased downtimes

Check Your ICS for Malfunctions

Securing Real-Time Processes

  • Analysis

    Individual communication shows a deviating round-trip time, either repeatedly or during certain network states. Stable round-trip times are an indicator for a consistent network quality and optimal functioning of the ICS.

     

    Increased round-trip times indicate overload conditions.

  • Productivity Threat

    Increased round-trip times impair real-time processes in particular. Amongst other, this can lead to interruptions, quality problems or downtimes in production.

     

    Threats:

    • financial loss due to quality problems
    • costs due to disruptions and troubleshooting
    • financial loss due to increased downtimes

Securing Process Stability

  • Analysis

    Rhebo Industrial Protector reported that communication is missing either the ACK or SYN-ACK packet in a TCP handshake. Several parameters suggest that this anomaly was not caused by malicious scanning activities.

     

    In particular, the anomaly may indicate regular packet losses in ICS communication.

  • Productivity Threat

    The process stability is endangered by misconfigurations or errors in the transmission channel. The packet losses can lead to process errors and thus to malfunctions or system downtimes.

     

    Threats:

    • financial loss due to quality problems
    • costs due to troubleshooting and additional quality control
    • financial loss due to increased downtimes

Eliminating Overload Conditions

  • Analysis

    Several devices (e.g. ports or other network components) show a TCP window size of 0.

     

    The affected device is probably overloaded or the respective application runs in an endless loop.

     

    The affected device can no longer receive and process data as planned.

  • Productivity Threat

    The anomaly endangers the process stability to a high degree. In particular, real-time processes are affected. This can lead to interruptions or downtimes in production.

     

    Threats:

    • cost due to disruptions, troubleshooting and repair
    • financial loss due to increased downtimes