Jim Gilsinn and Bryan Singer of Kenexis Consulting Corporation had a quick 12-slide/15-minute session on analyzing ICS protocols. Good information on the what and why of pub/sub in these protocols, as well as some protocol plots showing some of the challenges of analyzing these protocols.
1. You Name It,
We Analyze It!
Jim Gilsinn & Bryan Singer
Kenexis Consulting Corporation
2. Industrial Network Types & Metrics:
Publish/Subscribe
• Publish/subscribe or peer-to-peer communications
• Main performance metric: Cyclic frequency variability/jitter
• Real-time EtherNet/IP uses publish/subscribe
• Requested/Accepted Packet Interval (RPI/API)
• Measured Packet Interval (MPI)
3. Industrial Network Types & Metrics:
Publish/Subscribe
• Difference between TPub_Com_Init & TSub_Com_Init is network roundtrip delay
• TPub_Com_Init, TSub_Com_Init not important
• Variability in TPub much more important
• Theoretically, TPub does need to match TSub
• In production systems, they are the same
[Figure: timing diagram between Subscriber and Publisher, with intervals labeled TPub_Com_Init, TPub_1, TPub_2, ..., TPub_N-1, TPub_N and TSub_M]
4. Performance Testing Methodology:
Performance Metrics
• Command/response or master/slave communications
• Main performance metric: Latency
• Large numbers of protocols use this
• Most (All?) PC-based server/client protocols – HTTP(S), (S)FTP, etc
• Most industrial protocols – Modbus/TCP, Profinet, Ethercat, etc.
5. Industrial Network Types & Metrics:
Command/Response
• Difference between TCom_Delay_# & TRes_# is network roundtrip delay
• Latency in TCom & TRes important
[Figure: timing diagram between Commander and Responder, with intervals labeled TCom_1, TCom_2, TRes_1, TRes_2, Delay_1 and Delay_2]
6. Isolating Traffic Streams
• Isolating traffic streams can be tricky
• 10’s – 100’s of traffic streams in production environment
• Your Wireshark Fu must be strong!
• Usually requires additional post-processing
• Multiple streams can exist between same devices
7. Isolating Traffic Streams
• Traffic pairs
  • Source IP/MAC address
  • Destination IP/MAC address
  • Source TCP/UDP port
  • Destination TCP/UDP port
• Publish/Subscribe
  • Communication stream ID
  • Sequence number (optional)
• Command/Response
  • Command message/field
  • Response message/field
  • Message ID (optional)
8. Test Time vs. Packet Interval
[Plot: Measured Packet Interval (ms) vs. Test Time (s)]
• ~62 sec test
• Mean MPI = 2ms
• Min ~ 1.2
• Max ~ 2.9
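Added example, not taken from the slides or from Kenexis tooling: Python post-processing that isolates publish/subscribe streams by the keys listed on slide 7 (traffic pair plus communication stream ID) and computes Measured Packet Interval statistics per stream. The packet records, addresses, port and stream IDs are constructed sample data, the field names are hypothetical, and "jitter" is taken here to mean the population standard deviation of the MPI, which is an assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

def isolate_streams(packets):
    """Group packets by traffic pair (IPs, ports) plus communication stream ID."""
    streams = defaultdict(list)
    for p in packets:
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["stream_id"])
        streams[key].append(p)
    for pkts in streams.values():
        pkts.sort(key=lambda p: p["t_ms"])
    return dict(streams)

def mpi_stats(pkts):
    """Measured Packet Interval (MPI) statistics, in ms, for one isolated stream."""
    times = [p["t_ms"] for p in pkts]
    mpi = [b - a for a, b in zip(times, times[1:])]
    seqs = [p["seq"] for p in pkts if p["seq"] is not None]  # sequence number is optional
    # Count gaps in the sequence numbers (wraparound is not handled here).
    lost = sum(b - a - 1 for a, b in zip(seqs, seqs[1:]) if b > a + 1)
    return {"mean": mean(mpi), "min": min(mpi), "max": max(mpi),
            "jitter": pstdev(mpi), "lost": lost}

def constructed_capture():
    """Constructed sample: two streams between the same device pair and ports."""
    base = {"src": "192.0.2.10", "dst": "192.0.2.20", "sport": 2222, "dport": 2222}
    a_times = [0.0, 2.0, 4.4, 5.6, 8.5, 10.0, 12.0]  # nominal 2 ms interval
    b_times = [(0.5, 1), (10.5, 2), (30.5, 4)]       # nominal 10 ms, seq 3 missing
    pkts = [dict(base, stream_id=0x1001, t_ms=t, seq=i + 1)
            for i, t in enumerate(a_times)]
    pkts += [dict(base, stream_id=0x1002, t_ms=t, seq=s) for t, s in b_times]
    return sorted(pkts, key=lambda p: p["t_ms"])     # interleaved, as captured

def analyze(packets):
    """Return {stream key: MPI statistics} for every stream with 2+ packets."""
    return {k: mpi_stats(v) for k, v in isolate_streams(packets).items()
            if len(v) > 1}

if __name__ == "__main__":
    for key, s in analyze(constructed_capture()).items():
        print(hex(key[4]), {k: round(v, 3) for k, v in s.items()})
```

Keying only on addresses and ports would merge the two sample streams into one series and produce meaningless intervals, which is why the stream ID is part of the key.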
9. Time Plot for Command/Response
Regular Pattern to Delayed Packets
Regular Pattern of Minimal Delayed Packets
10. Command/Response Timing Plots
• Quick succession of command/response packets
• Minimal delay in command/response sequence
• Apparently large delay in a single packet
• Example: Rockwell tag reads
Quick Succession Read Commands
Delay Until Next Time Sequence
11. Next Steps
• Streamline traffic stream processing
• Develop better command/response code
• Build more mathematical statistical models
• Add graphical modeling of time & frequency domain
• Add more industrial protocols and obtain example files
• Modbus
• Profinet
• DNP3
• 61850
• And others…
12. Questions
• Contact Me
• Jim Gilsinn
• 301-706-9985 or 614-323-2254
• jim.gilsinn@kenexis.com
• Twitter – @JimGilsinn
• LinkedIn – http://www.linkedin.com/in/jimgilsinn/
• SlideShare – http://www.slideshare.net/gilsinnj