Some DPI Is Only A Single Byte Inspection Deep

How Deep Is Your ICS Deep Packet Inspection (DPI)

The industrial firewall and ICS anomaly detection markets are getting very crowded. The industrial firewall market is older, but it is still expanding both in specialized ICS firewalls and enterprise firewalls adding ICS protocol support. The ICS anomaly detection market has exploded with a new entrant almost every month and millions of dollars of funding.

The benefits of these product categories are heavily based on their ability to perform deep packet inspection (DPI) of ICS protocols. Firewalls (and some IDS/IPS) do this for more granular control of a security perimeter, and anomaly detection products rely on DPI to identify unusual or potentially damaging use of ICS protocols.

These products are typically promoted by the breadth and depth of the ICS protocol support. The breadth is easy to compare and somewhat useless. A vendor can easily list the protocols they support at some unspecified level of depth. I say breadth is somewhat useless because an ICS asset owner doesn’t care if the vendor supports 10 or 30 protocols; the ICS asset owner only cares if the product supports the protocols they use.

Depth in DPI of the protocols an asset owner uses should be one of the key decision factors, along with company viability, ease of use, reporting, support, interoperability with SIEMs, … Depth can vary figuratively from inches to a mile deep, and depth can vary a lot per protocol in the same product. We worked with one client considering an enterprise firewall with tremendous breadth of ICS protocol support. The firewall vendor was only checking the TCP port number and a single byte in the request packet, inches deep, in the protocol our client was most concerned with. We know that the same vendor has very deep DPI for other ICS protocols, including proprietary extensions of the protocol to cover engineering workstation actions.
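To make the difference concrete, the following added example (not from the original post or any vendor's product) compares a port-plus-one-byte check with a deeper request validation. It assumes Modbus/TCP as the protocol, which the post does not name; the permitted function codes, the writable register range and the sample frames are hypothetical and constructed for illustration.

```python
import struct

MODBUS_PORT = 502
ALLOWED_FUNCTIONS = {0x03, 0x06}      # read holding registers, write single register
WRITABLE_REGISTERS = range(100, 200)  # hypothetical site policy: setpoints only

def shallow_inspect(dst_port, payload):
    """Port plus one byte: the function code at offset 7 of a Modbus/TCP frame."""
    return dst_port == MODBUS_PORT and len(payload) > 7 and payload[7] in ALLOWED_FUNCTIONS

def deep_inspect(dst_port, payload):
    """Return (allowed, reason) after validating the MBAP header and request fields."""
    if dst_port != MODBUS_PORT or len(payload) < 8:
        return False, "not a complete Modbus/TCP frame"
    _tid, proto_id, length, _unit, function = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0:
        return False, "protocol identifier is not 0"
    if length != len(payload) - 6:    # length field counts unit id + PDU
        return False, "MBAP length does not match frame size"
    if function not in ALLOWED_FUNCTIONS:
        return False, "function code not permitted"
    if len(payload) != 12:            # both permitted requests carry two 16-bit fields
        return False, "request body has wrong size"
    address, value = struct.unpack(">HH", payload[8:])
    if function == 0x03 and not 1 <= value <= 125:
        return False, "read quantity outside 1..125"
    if function == 0x06 and address not in WRITABLE_REGISTERS:
        return False, "write to register outside permitted range"
    return True, "ok"

def frame(function, body, length=None):  # constructed request: transaction 1, unit 1
    pdu = bytes([function]) + body
    length = len(pdu) + 1 if length is None else length
    return struct.pack(">HHHB", 1, 0, length, 1) + pdu

SAMPLES = {  # constructed traffic, not captured from any real system
    "read 10 registers": frame(0x03, struct.pack(">HH", 0, 10)),
    "write setpoint 150": frame(0x06, struct.pack(">HH", 150, 42)),
    "write register 5000": frame(0x06, struct.pack(">HH", 5000, 1)),
    "bad length field": frame(0x03, struct.pack(">HH", 0, 10), length=200),
    "oversized read": frame(0x03, struct.pack(">HH", 0, 2000)),
}

def compare():  # sample name -> (shallow verdict, deep verdict, deep reason)
    return {n: (shallow_inspect(502, p), *deep_inspect(502, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (shallow, deep, reason) in compare().items():
        print(f"{name:20} shallow={shallow!s:5} deep={deep!s:5} {reason}")
```

The shallow check passes all five frames because each carries a permitted function code; the deeper check passes only the first two.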

Talk to the anomaly detection vendors and they will typically tell you not only how completely they inspect the ICS protocol, but also how they do this to a much greater degree than their competitors. When asked for more details and reasoning it devolves into emphatic assertion, and they cannot all be right. It is likely that simple protocols have similar levels of depth, but more complex protocols will vary as will support for proprietary extensions.

At S4x17 we are trying to help asset owners and the ICS community compare and contrast ICS DPI with two sessions on Stage 2 titled How Deep Is Your ICS DPI? The speakers have been challenged with developing a structured method to evaluate the depth and value of the DPI of an ICS protocol. Ideally this would come down to a method to comparatively score the solutions. Given the number of vendors and asset owners looking at this issue, we are hopeful we can at least narrow down the approach to comparisons.

Check out the S4x17 Agenda At A Glance and Register Now

Originally published at on November 21, 2016.