Saturday, September 19, 2015

Low cost SCADA Assessment: First internal approach

The best things in life are free. That's what they say, and sometimes I agree.
I read a post from EduHacker talking about Google Fusion Tables and its network graph functionality, so I decided to give it a try.
I always try to quickly draw the traffic matrix of the network we are assessing, since the bandwidth between eyes and brain is the biggest you can get, and frankly most of the time I need it.

As ICS engineers we always assess passively, by mirroring network traffic on a switch port (a SPAN or mirror port). (By the way, this is risky business: you have to be completely sure the switch is not going to restart when you configure the mirror, because on a live control network a rebooting switch means lost telemetry.)
Once you have your mirror port you can plug in your laptop and begin capturing IP traffic. It is amazing what you can see in a few minutes.

I took a ten-minute pcap file from one of our latest OASyS SCADA assessments and followed the instructions from the post I read.
First of all you have to convert your pcap file to comma-separated values (CSV) to import it into a Google Fusion Table.
To do this I made a quick and dirty csh script (I know, but I am a classic, sir):

#!/bin/csh -f
###########################################################
#
# (c) 2015 - Kaostopper
#
# pcap_to_csv.csh: Quick and dirty way of getting a CSV file
#                  from a pcap file
#
# Output columns: src_ip,src_port,dst_ip,dst_port,ip_proto
# (ip_proto is Wireshark's Protocol column, e.g. "DNP 3.0" or
#  "DNS", not the numeric IP protocol field)
#
# Enrique Martin Garcia
#
###########################################################

if ( $#argv != 1 ) then
  echo "Usage: $0 pcap_file"
  exit 1
endif

set fichero_pcap = "$1"
set TSHARK = /usr/local/bin/tshark

if ( ! -r "$fichero_pcap" ) then
  echo "Cannot read $fichero_pcap"
  exit 1
endif

echo "src_ip,src_port,dst_ip,dst_port,ip_proto"

# One pass for TCP and one for UDP. Packets that carry no port field of
# that transport come out with an empty column (",,") and are dropped by
# grep. -E occurrence=f keeps only the first value of each field, so a
# packet carrying an encapsulated header (e.g. an ICMP error quoting an
# inner TCP segment) cannot emit "a,b" in one column and break the CSV.
$TSHARK -n -r "$fichero_pcap" -T fields -E separator=, -E occurrence=f -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e _ws.col.Protocol | grep -v ",," | sort -u
$TSHARK -n -r "$fichero_pcap" -T fields -E separator=, -E occurrence=f -e ip.src -e udp.srcport -e ip.dst -e udp.dstport -e _ws.col.Protocol | grep -v ",," | sort -u

exit 0

You can use any other way to convert your pcap files, and of course you can choose other fields.
Be careful after uploading your CSV file to a Fusion Table: you have to change the type of the src_ip and dst_ip columns to Text, because the type Fusion Tables auto-detects for those columns is not what the network graph needs.
To do so, click on the column header to access the Change option:


Set the type to Text on both columns (src_ip and dst_ip).


With those two changes done, you can create your network graph (source column src_ip, target column dst_ip):



As you can see, it was easy to detect a big misconfiguration in the Operation Workstation, which was trying to connect to Google's public DNS servers (8.8.8.8 and 8.8.4.4). This came from a temporary relocation of the station due to civil works in the control room, but .....
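The same check does not need a graph at all once the CSV exists. The script below is an added example, not part of the original post or the author's tooling: it reads a CSV in the exact column layout pcap_to_csv.csh emits, collapses the two directions of each session into one "client talks to service" edge, emits the edge list as Graphviz DOT (an offline stand-in for the Fusion Table graph), and flags every edge whose destination lies outside the plant's address space. That generalizes the 8.8.8.8 finding to any host leaking out of the control network. The sample rows, the 10.10.0.0/16 plant range and the host addresses are constructed assumptions; only 8.8.8.8 and 8.8.4.4 are real public addresses.

```python
#!/usr/bin/env python3
"""Added example: traffic matrix from the pcap_to_csv.csh CSV plus a check
for flows that leave the control network. Sample data is constructed."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout pcap_to_csv.csh produces.
SAMPLE_CSV = """src_ip,src_port,dst_ip,dst_port,ip_proto
10.10.1.20,49152,10.10.1.5,20000,DNP 3.0
10.10.1.5,20000,10.10.1.20,49152,DNP 3.0
10.10.1.20,49153,10.10.1.6,20000,DNP 3.0
10.10.1.21,49201,10.10.1.5,502,Modbus/TCP
10.10.1.30,53011,8.8.8.8,53,DNS
10.10.1.30,53012,8.8.4.4,53,DNS
10.10.1.30,137,10.10.1.255,137,NBNS
"""

# Assumption: the control network is this range; anything else is "outside"
# and deserves a question to the plant engineers.
PLANT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]


def parse_flows(text):
    """Yield (src, sport, dst, dport, proto) tuples from CSV text.

    Rows with an empty port (non-TCP/UDP packets that slipped past the
    csh script's grep) are skipped rather than crashing the run."""
    for row in csv.DictReader(io.StringIO(text)):
        if not row["src_port"] or not row["dst_port"]:
            continue
        yield (row["src_ip"], int(row["src_port"]), row["dst_ip"],
               int(row["dst_port"]), row["ip_proto"])


def traffic_matrix(flows):
    """Map (client, server) -> set of (server_port, proto).

    The lower port is taken as the service side, so a DNP3 request and its
    reply collapse into a single edge instead of two."""
    matrix = defaultdict(set)
    for src, sport, dst, dport, proto in flows:
        if sport < dport:            # reply: server -> client
            matrix[(dst, src)].add((sport, proto))
        else:                        # request (or equal ports, e.g. NBNS)
            matrix[(src, dst)].add((dport, proto))
    return dict(matrix)


def is_inside(ip):
    """True if the address belongs to one of the assumed plant ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_NETWORKS)


def external_flows(matrix):
    """Edges whose destination is outside the plant: the misconfigurations."""
    return {edge: svcs for edge, svcs in matrix.items()
            if not is_inside(edge[1])}


def to_dot(matrix):
    """Render the matrix as Graphviz DOT for `dot -Tpng`."""
    lines = ["digraph scada {"]
    for (src, dst), svcs in sorted(matrix.items()):
        label = ", ".join(f"{port}/{proto}" for port, proto in sorted(svcs))
        lines.append(f'  "{src}" -> "{dst}" [label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    matrix = traffic_matrix(parse_flows(SAMPLE_CSV))
    print(to_dot(matrix))
    for (src, dst), svcs in sorted(external_flows(matrix).items()):
        print(f"OUTSIDE PLANT: {src} -> {dst} {sorted(svcs)}")
```

Run it against the real CSV by replacing SAMPLE_CSV with the file contents and PLANT_NETWORKS with the plant's actual ranges; the "OUTSIDE PLANT" lines are the same finding the Fusion Table graph showed, without uploading the capture anywhere.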

You can play a lot with the other graph types, but this one is very easy to get and you don't need any other tool.

Beware of the data you upload, and do as I did: I changed everything in the CSV file except the public Google addresses and the SCADA system name.

No more excuses for not keeping a very simple but useful network diagram of your SCADA network up to date.