Protocol Analytics to Enable Forensics of Industrial Control Systems

New methods to capture, identify, and translate traffic from any industrial control system network regardless of communication protocol expand the effectiveness of existing cybersecurity tools.

PROJECT NUMBER: 20A44-032
TOTAL APPROVED AMOUNT: $1,157,000 over 3 years
PRINCIPAL INVESTIGATOR: Keith Mecham
CO-INVESTIGATORS: Daniel Hearn, INL; Devin Vollmer, INL; Tanmay Bhagwat, INL; Ted Tracy, INL

Cybersecurity tools available today are effective at monitoring traffic within information technology and operational technology networks standardized around Ethernet communication. However, although considered part of the operational technology network, many embedded and industrial control systems utilize proprietary or legacy communication protocols, or both, that are not compatible with Ethernet. This complicates efforts to secure operational technology networks against cyberattack because existing tools are unable to monitor or interface with devices that are in direct control of machinery, equipment, and processes. This visibility gap affords attackers an opportunity to operate within industrial control systems networks undetected until they cause an observable change or disruption to systems.

The primary objective of this research project was to eliminate the industrial control systems visibility gap by capturing traffic from the various industrial control systems networks and proving the feasibility of a universal industrial control systems translator. Researchers analyzed 13 key industrial control systems protocols representing the diverse spectrum of electrical and signal encoding attributes commonly used within United States critical infrastructure. Distinguishing electrical signatures were developed for each protocol, along with algorithms that identify target signals as they are acquired.

Once a signal was successfully identified, researchers developed decode algorithms for each protocol capable of determining the data represented by the acquired signal. This is noteworthy because the decode algorithm was realized entirely in software, and researchers eliminated hardware transceivers from the signal digitization path completely. Although hardware transceivers are ubiquitous across devices employing serial and Ethernet based communication, eliminating the need for dedicated hardware is a key prerequisite to a truly universal communication device. The next step was the development of a hardware prototype capable of capturing all the target communication signals, executing the developed identification and decode algorithms in real time, and re-transmitting the captured data over Ethernet to an existing cybersecurity sensor/aggregator. Initial bench-top testing and evaluation within simulated industrial control systems environments prove that the methods, algorithms, and circuitry that researchers designed support the development of a scaled-up device capable of capturing traffic from any industrial control systems network. Currently, the technology is patent pending, is in the process of being licensed for commercialization as OmniTap, and will lead to enhanced protection of control systems within critical infrastructure.
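As an added illustration of the software-only identify-and-decode step described above (example code, not the project's or OmniTap's own), the Python below recovers bytes from an asynchronous serial line straight from digitized logic-level samples, with no UART transceiver in the path. It assumes 8N1 framing, an idle-high line, and a fixed number of samples per bit; the bit period is inferred from edge timing, which stands in for the electrical-signature identification step, and frames with a bad start or stop bit are counted as framing errors rather than silently accepted. The encoder only exists to construct test signals.

```python
from typing import List, Tuple

def encode_8n1(data: bytes, samples_per_bit: int) -> List[int]:
    """Construct a test waveform: idle-high, start bit 0, 8 data bits LSB first, stop bit 1.
    (Constructed input for the example; a real capture would come from an ADC/comparator.)"""
    sig = [1] * (2 * samples_per_bit)                      # leading idle
    for byte in data:
        bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        for b in bits:
            sig.extend([b] * samples_per_bit)
    sig.extend([1] * (2 * samples_per_bit))                # trailing idle
    return sig

def estimate_bit_period(samples: List[int]) -> int:
    """Signature step: the bit period is the shortest run between transitions.
    Assumes the capture contains at least one isolated single-bit run."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    return min(runs) if runs else 0

def decode_8n1(samples: List[int], samples_per_bit: int) -> Tuple[bytes, int]:
    """Decode step: on each falling edge, sample the start, 8 data and stop bits at
    their centres. Returns (decoded bytes, framing error count)."""
    out, errors, i, n = bytearray(), 0, 0, len(samples)
    while i < n - 1:
        if not (samples[i] == 1 and samples[i + 1] == 0):  # wait for a falling edge
            i += 1
            continue
        centre = i + 1 + samples_per_bit // 2              # centre of the start bit
        stop = centre + 9 * samples_per_bit                # centre of the stop bit
        if stop >= n:                                      # frame runs past the capture
            break
        value = sum(samples[centre + (b + 1) * samples_per_bit] << b for b in range(8))
        if samples[centre] == 0 and samples[stop] == 1:    # start still low, stop high
            out.append(value)
            i = stop                                       # resume after this frame
        else:
            errors += 1                                    # glitch or wrong baud rate
            i += 1
    return bytes(out), errors

if __name__ == "__main__":
    wave = encode_8n1(b"\x01\x03", 8)
    spb = estimate_bit_period(wave)
    print(spb, decode_8n1(wave, spb))                      # 8 (b'\x01\x03', 0)
```

On a real capture the inferred bit period should be validated against the known baud rates of the candidate protocols before decoding, since a capture with no isolated single-bit run will overestimate it.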