Internship Program

Capturing and analyzing network traffic in Industrial Control Systems (ICS) environments, which include PLCs (Programmable Logic Controllers) and SCADA (Supervisory Control and Data Acquisition) systems, can provide valuable insights into the behavior and security of these critical systems. However, handling ICS networks requires additional care due to their critical nature. Here's a tailored guide for capturing and analyzing packets in an ICS environment using Wireshark:

1. Obtain Proper Authorization: Capturing network traffic in an ICS environment should only be done with proper authorization. ICS networks often control critical infrastructure, and unauthorized packet capturing can disrupt operations and violate security protocols.

2. Set Up a Separate Environment (Optional): For training purposes, consider setting up a lab environment that mimics your ICS network. This will allow you to experiment and capture packets without affecting the actual production environment.

3. Install Wireshark: Ensure you have Wireshark installed on a machine within the ICS network or a machine that can access the ICS network.

4. Identify Target ICS Devices: Identify the PLCs, SCADA systems, and other ICS devices you want to monitor. Determine the IP addresses or hostnames of these devices.

5. Choose Capturing Point: Decide whether you'll capture packets from a specific device, a network segment, or a switch's mirror port. Be cautious about introducing extra load or congestion on production networks.

6. Capture Traffic: Follow the general steps mentioned earlier to start capturing packets using Wireshark. Remember to capture only the relevant traffic and avoid overloading the capture machine.

7. Focus on ICS Protocols: In ICS environments, you'll encounter specialized protocols like Modbus, DNP3, IEC 60870-5-104, OPC, etc. Research and understand these protocols to effectively interpret captured packets.

8. Use Capture Filters: Apply filters to capture only traffic related to ICS devices and protocols. For instance, you can filter by IP address, port number, or protocol name.

9. Analyzing ICS Packets: When analyzing ICS packets:

• Look for communication patterns between PLCs, RTUs (Remote Terminal Units), and SCADA systems.

• Pay attention to commands, responses, and data exchanges.

• Analyze timing and delays, as real-time communication is crucial in ICS.

• Understand how different protocols handle error detection and correction.

10. Follow Best Practices:

• Ensure your packet capturing doesn't interfere with the normal operation of ICS systems.

• Don't capture sensitive or confidential data.

• Capture traffic during a maintenance window if possible, to minimize disruption.

• Regularly review Wireshark documentation and resources to stay updated on new features and techniques.

11. Security Considerations: Be mindful of security concerns. ICS networks are often isolated and have unique security requirements. Ensure your capturing activities don't introduce vulnerabilities or expose critical systems.

12. Training and Certification: Consider formal training and certification in ICS cybersecurity if you plan to work extensively in this field. Organizations like GIAC offer certifications related to ICS security.