When we discuss security with many train operators, they often jump straight to deep packet inspection and firewalls. It is a well understood technology but we find that when we dig a bit deeper into their requirements, that actually they don’t need DPI at all, or what they think they get from DPI is quite different from the reality.
It is clear how this has come about, for years the next-generation firewall vendors have been talking about the benefits of DPI in enterprise environments, where usually they only detect threats that pass through areas of the network where they are installed.
When we discuss this with customers, we often start by asking “what do you hope to achieve from adding DPI to your network?”. The responses vary quite significantly, but it often comes back to three things:
Network and Asset Discovery
Network Traffic Routes
Detection of new devices on the network
And that is where the misunderstanding comes from, the technology needed to deliver that involves inspecting the packet but it isn’t really deep packet inspection.
DPI is a methodology used when a packet going through the network is analysed while passing through an inspect point. It is intended to allow the network to inspect data carried by the packet, and scan for data that may attribute it to signs of malware or intrusions. The packet would then be let through, blocked or redirected based on how your system is programmed to interact with it using a set of compiled pre-defined rules.
When we look at the anatomy of a packet, there are essentially two major components, the packet header and the payload. When we look at DPI as a technology, it focuses mainly on the payload which contains the actual data being transmitted. If an attacker is delivering malware, that is where the malware would sit.
The problems with deep packet inspection for cyber security
There is a big problem with trying to detect malware in the payload in the types of environment we work in.
In a hosting centre this approach works because there are teams of analysts generating signatures from attacks around the world. New attacks are detected quickly and signatures are distributed to firewalls, switches and other network appliances. When DPI is used to inspect and evaluate the contents of a packet going through the inspection points, it is based on rules and policies defined by people. This signature-based detection scrutinises the traffic based on a pattern or a string that corresponds to a known attack. This means the technique is limited to only detecting known attacks from previously analysed events. It is therefore important to remember that there is a lack of related threat intelligence within the railway industry due to its unique challenges, compared with the more commonly documented attacks on commercial premises. Signatures are also easily defeated by re-encrypting an attack or struggle to be applied to encrypted traffic.
As deep packet inspection determines what to do with these packets in real time, it does mean that computing power needs to increase with the amount of bandwidth. Deep packet inspection therefore can slow down your network by dedicating resources for your firewall to be able to handle the processing load.
We also found that industrial vendors are often not willing to share their protocols for decoding used in DPI style technologies. They feel that the obscurity of their industrial protocols gives them an element of security, we’ll let you make your own judgement on the wisdom of that thinking.
So, what about the rest of the packet, well there’s a large amount of data that is exceptionally relevant for an industrial environment. The packet header contains all the information about how a packet is transmitted, the source, destination, ports, payload length, protocols, packet flags and more! This data is exceptionally valuable for behavioural analytics and when we look back to the three needs that are brought up by customers, it all comes from the packet header information.
Detecting anomalous behavior with shallow packet inspection
At RazorSecure we made a conscious decision to not use deep packet inspection in our core technology. We don’t believe that it works well, and so we focused on “shallow packet inspection”, looking at just the packet header and using that available data.
This consequence of this decision is that we focus on the behavioural data rather than signatures, it is the best information that we have available to us as defenders. It also ensures we are able to detect both known and unknown attacks. Behavioral threat detection approaches will detect the erroneous data in the system by detecting anomalous behavior rather than just analysis of the packet data. In an industrial environment this behavioral data is typically quite consistent and can be used to accurately characterise the networks, particularly when we look at long-lived assets such as rolling stock.
Shallow packet inspection can be applied across a variety of assets, even when limited computing power is available, allowing us to find hidden security threats that operate in the areas of your infrastructure that traditional approaches can’t reach. We’ve been able to integrate our shallow packet technology into devices that are single core running chipsets that are over 10 years old, still managing to handle 100mbit+ of traffic.
Going back to our core technology principles, we do see cases where DPI can be used successfully for applying behavioural analytics and baselining, but it isn’t a broad-brush approach. It works best when applied in a highly targeted manner and with a specific end goal in mind.
Fundamentally for us it comes back to what the customer needs, and though they think they need DPI, actually there are better alternatives that give them what they actually wanted all along.