Monitoring in ICS/SCADA environment

 

Information

 

Summary:

Possibilities of SCADA monitoring with Flowmon Probe/Collector and ADS module.

Environment:

Product: Flowmon OS, ADS

Version: Any

Platform: Any

Question/Problem Description:

Is it possible to monitor the SCADA environment with Flowmon products?

Resolution:

Flowmon Probes are able to monitor L3 (IP layer) and above. All IP communication in SCADA networks can be monitored. 

Probes can offer visibility into the following IoT protocols:

  • IEC 104
  • CoAP
  • GOOSE
  • MMS
  • DLMS
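
As an added illustration of what IEC 104 visibility means on the wire (not Flowmon's implementation and not part of the original article), this Python example decodes the APCI header of each APDU in a TCP payload and surfaces the frame type, sequence numbers and ASDU type. The frame layout, TCP port 2404 and type identifiers come from IEC 60870-5-104 rather than from this page, and the sample bytes are constructed.

```python
# Added example: decode IEC 60870-5-104 APCI headers from a TCP payload.
# Layout per the standard: 0x68 start byte, length octet, four control octets.
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
# A few control-direction ASDU type identifiers worth surfacing to an analyst.
TYPE_NAMES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 100: "C_IC_NA_1", 103: "C_CS_NA_1"}

# Constructed sample: three APDUs back to back, as seen on TCP port 2404.
SAMPLE = bytes.fromhex(
    "680407000000"                      # U-format: STARTDT act
    "680e0200040064010600010000000014"  # I-format: general interrogation
    "680401000600"                      # S-format: acknowledges N(R)=3
)

def parse_apdus(payload):
    """Return one dict per APDU; stop at the first malformed or cut-off frame."""
    records, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 6 or payload[pos] != 0x68:
            records.append({"format": "invalid", "offset": pos})
            break
        length = payload[pos + 1]
        end = pos + 2 + length
        if not 4 <= length <= 253:
            records.append({"format": "invalid", "offset": pos})
            break
        if end > len(payload):  # frame continues in a later TCP segment
            records.append({"format": "truncated", "offset": pos})
            break
        cf1, cf2, cf3, cf4 = payload[pos + 2:pos + 6]
        recv_seq = (cf3 >> 1) | (cf4 << 7)
        if cf1 & 0x01 == 0:  # I-format carries an ASDU after the APCI
            rec = {"format": "I", "send_seq": (cf1 >> 1) | (cf2 << 7), "recv_seq": recv_seq}
            asdu = payload[pos + 6:end]
            if len(asdu) >= 3:
                rec["type_id"] = asdu[0]
                rec["type_name"] = TYPE_NAMES.get(asdu[0], "other")
                rec["cot"] = asdu[2] & 0x3F  # cause of transmission, low 6 bits
        elif cf1 & 0x03 == 0x01:  # S-format: supervisory acknowledgement only
            rec = {"format": "S", "recv_seq": recv_seq}
        else:  # U-format: unnumbered control function
            rec = {"format": "U", "function": U_FUNCTIONS.get(cf1, "unknown")}
        records.append(rec)
        pos = end
    return records

if __name__ == "__main__":
    for record in parse_apdus(SAMPLE):
        print(record)
```

The parser works on a single payload; a monitoring deployment would first reassemble the TCP stream so that APDUs split across segments are decoded whole.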

The ADS module can detect suspicious behavior in the network with standard methods such as:

  • ALIENDEV - detection of new devices in the network
  • BLACKLIST - communication with blacklisted hosts
  • BPATTERNS - e.g. communication of the malware with C&C servers
  • DICTATTACK - dictionary attacks
  • SCANS - network port scans
  • UPLOAD - suspicious upload activity
  • and many others

It is possible to use the IDS Probe (Suricata) together with ADS for IDS detections. There is a default rule set for the SCADA environment, and other rule sets are available (e.g. https://github.com/CyberICS/Suricata-Rules-for-ICS-SCADA).
