The hardware used in both the Internet of Things (IoT) and Industrial Control Systems (ICS) has many similarities: both often involve older systems that cannot run detection tools or monitoring agents because of outdated operating systems, resource limitations, proprietary systems and odd protocols such as Modbus and DNP3, amongst other restrictions.
The lack of visibility into these enclaves means there is little to no way to tell if, and when, ICS or IoT devices have been compromised until it is too late – but there is hope.
The Bro Network Security Monitor ships with built-in scripts to monitor both DNP3 and Modbus traffic. These scripts make Bro an excellent choice for detecting attacks within ICS networks. It can also monitor the traffic typically seen on IoT networks, such as HTTP, HTTPS, DNS and many more.
The results of its analysis, including any attacks it detects, are written to log files on the local disk, which can then be collected and normalized by a log management product such as Tripwire Log Center. Finally, threat intelligence can be layered onto network security monitoring and/or log management products to enrich Bro’s data with additional analysis against known attack vectors. For example, the folks at Critical Stack have worked hard to make an ARM-based agent available for the Raspberry Pi architecture as both an RPM and a DEB package.
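A defender-side example of what can be built on those log files, added here and not part of the original post: a short Python script that parses Bro's modbus.log (assuming Bro's default tab-separated layout with a `#fields` header) and flags write requests from hosts that are not approved Modbus masters, plus any Modbus exception responses. The sample log lines and the allow-list of masters are constructed.

```python
"""Flag risky Modbus activity in a Bro modbus.log (added example, not from the post).
Assumes Bro's default modbus.log: tab-separated with a '#fields' header naming
ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, func, exception.
The log lines and the allow-list of Modbus masters below are constructed."""

# Function names as Bro writes them in 'func' that change device state.
# Reads are routine polling; a write from an unknown host deserves a look.
WRITE_FUNCS = {
    "WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_COILS",
    "WRITE_MULTIPLE_REGISTERS", "MASK_WRITE_REGISTER",
    "READ_WRITE_MULTIPLE_REGISTERS", "WRITE_FILE_RECORD",
}

# Constructed sample: an HMI at 10.0.0.5 polling a PLC at 10.0.1.20, then a
# write and a rejected read from 10.0.0.77, which is not a known master.
SAMPLE_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1458000001.120\tCaBcD1\t10.0.0.5\t49152\t10.0.1.20\t502\tREAD_HOLDING_REGISTERS\t-
1458000002.350\tCaBcD1\t10.0.0.5\t49152\t10.0.1.20\t502\tWRITE_SINGLE_REGISTER\t-
1458000003.900\tCxYz99\t10.0.0.77\t51000\t10.0.1.20\t502\tWRITE_MULTIPLE_REGISTERS\t-
1458000004.010\tCxYz99\t10.0.0.77\t51000\t10.0.1.20\t502\tREAD_COILS\tILLEGAL_DATA_ADDRESS
#close\t2016-03-15-00-00-05
"""

def parse_bro_log(text):
    """Return one dict per data line, keyed by the names in the '#fields' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields is not None:
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def find_suspicious(records, allowed_masters):
    """Writes from hosts outside the master allow-list, and any Modbus exception.

    Returns (ts, orig_h, resp_h, func, reason) tuples ready to forward to a
    log management product for alerting."""
    hits = []
    for r in records:
        key = (r["ts"], r["id.orig_h"], r["id.resp_h"], r["func"])
        if r["func"] in WRITE_FUNCS and r["id.orig_h"] not in allowed_masters:
            hits.append(key + ("write from unapproved master",))
        if r["exception"] != "-":
            hits.append(key + ("exception " + r["exception"],))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(parse_bro_log(SAMPLE_LOG), {"10.0.0.5"}):
        print(*hit)
```

Because the column mapping comes from the `#fields` header rather than fixed positions, the same parser works on any other Bro log (dnp3.log, conn.log) if the allow-list logic is adjusted to that log's columns.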
While a dedicated server is a possible deployment route in data centers and enterprise-grade networks, ICS and IoT networks have space and cost limitations that prevent adding new servers to handle this processing. The advantage of Bro, Critical Stack and even the ELK stack is how few resources they require to run. As a result, the Raspberry Pi is a suitable candidate for deploying these technologies.