Industrial Cyber Security
Recent Posts
- Encari NERC CIP Compliance Webinar: CIP-002 - Critical Asset Identification for Generation Owners and Operators
- Encari NERC CIP Compliance Webinar: CIP-008 Incident Reporting and Response Planning
- Public Information Monitoring for ICS, How to Stay Up to Date!
- Critical Infrastructure Protection Recommendations
- Heightened Concern Regarding Evidence Supporting Critical Asset Identifications (NERC CIP Compliance - CIP-002-1)
- Encari Webinar - NERC CIP Technical Feasibility Exceptions
- Cybersecurity Bill Proposes Unprecedented Government Power Over the Internet
- Three Notable Activities Impacting Industrial Control Systems Security Requiring Your Attention
- Encari Interviews Conducted During the SANS Process Control and SCADA Security Summit 2009
- Virtually Securing Your Control System
Recent Comments
- ForexTeacher on Encari Interviews Conducted During the SANS Process Control and SCADA Security Summit 2009
- Steven Hamburg on Encari Creates New NERC CIP Compliance LinkedIn Group
- David on Encari Creates New NERC CIP Compliance LinkedIn Group
- Steve Hamburg on Encari's New NERC CIP Compliance Webinar Series
- phughes on Encari's New NERC CIP Compliance Webinar Series
Most Commented On
- The Importance of 24x7 Event Monitoring in Process Control Systems (4)
- Control systems continue to prove to be hard to “secure” (3)
- Encari Creates New NERC CIP Compliance LinkedIn Group (2)
- Encari's New NERC CIP Compliance Webinar Series (2)
- Security Awareness – Changing the Behavior of Your Workforce (2)
Archives
Blog
The Importance of 24x7 Event Monitoring in Process Control Systems
November 12, 2008
The Importance of 24x7 Event Monitoring in Process Control Systems
Well, I (Steve here) finally succumbed to my temptation and saw the blockbuster hit Eagle Eye. (http://www.eagleeyemovie.com/ and http://www.fandango.com/eagleeye_110111/movieoverview). I’ll do my best not to ruin this movie in the event that you have not yet seen it while trying to make the key point of this blog.
Eagle Eye is based on the premise that someone, well in actuality, something (okay, I’ll stop with the hints) has extensively hacked into the power grid. While watching the movie, you’ll witness remote control of public transportation systems, cranes, demolition equipment, electricity transmission lines, etc. While the extent of exposure conveyed in the movie is quite far fetched, it does bring up a very important consideration: What are you doing in regards to your event monitoring operations?
In Eagle Eye, several severe breaches transpired before any one involved in several of our critical infrastructures became aware that such breaches had occurred. Further, a considerable amount of time following the point at which the breaches became known elapsed before the root cause of the breaches was identified. Pursuant to my previous consideration, it is critical to understand the implications associated with SCADA and process control systems security.
Unlike several professions, many aspects of critical infrastructure operations and other business operations involving SCADA and process control systems can be life threatening if a security breach occurs. For example, what could happen to a patient receiving radiation therapy from a device that is accessible from within a hospital’s wireless network? What could happen to passengers in a subway if the operations of the rail system were somehow overtaken by malicious parties? Similar questions are numerous.
While it is not possible to achieve 100% security; that is, to be impenetrable to malicious attack or inadvertent human error, it is possible to achieve robust and sufficient monitoring capabilities. However, what continues to plague this aspect of companies’ business operations is the perception that it is too costly and impractical to implement and execute sufficient 24x7 event monitoring and notification capabilities. The question is, “Is it really impractical to implement and execute sufficient 24x7 event monitoring and notification capabilities?” Matt, take it from here…
Steve, you bring up a very significant and valid point. The answer is, “No, it is not impractical as long as the organization understands what their critical business operations and their underlying support systems are.” And, Eagle Eye does depict some things entirely far-fetched, such as the transmission line over voltage scenario. What was that? For some reason I hear power engineers scoffing.
Nonetheless, commonly a lack of clarity exists between traditional business operations, information technology, and industrial control. The challenge is to understand the business’ role and then map this in to technology appropriately.
For instance, what does a failed access attempt mean to business operations?
1. Someone is attempting to log into an email account
2. Someone is attempting to log into the corporate VPN
3. Someone has attempted to open a door
4. Someone is attempting to log into the operator HMI
5. A new system is attempting to interact with the historian
6. A new remote host is polling via ICCP
7. …
All of these situations have varying corporate responses that may differ with association and event context. For instance, whose email account? Log into the corporate VPN with what laptop or from what IP address? Open the door at what time? Log into the operator HMI before or after opening a door? Another directly related example would be your home. Would you respond differently to someone knocking on your front door versus your backdoor? Absolutely!
Context is very important to detecting events of interest. It is also very important to understand a system’s normal behavior. Specifically, how it operates normally - what processes are running, how much memory and CPU are utilized and to what does it normally communicate. Identifying system normalcy provides a valuable baseline to analyze against and, luckily, our process control systems are very deterministic in nature in one of two operating states - normal and emergency conditions.
We recommend starting with very specific monitoring criteria for control systems. Typically the focus is on access attempts and with what a system communicates; exactly how to architect this depends on the control system, network, and vendor. We have recommended on many occasions using a modified network IDS to only track conversations and system event log generation, followed by sending these events to a correlation and log engine for real-time monitoring and event archival. It is recommended to start simple with the following event monitoring:
1. System logging of authentication system events directly from the HMI, FEP, and Historians; and
2. Generating netflow communications data between nodes to monitor approved and therefore unapproved system to system communications.
Some of our peers recommend using IDS signatures that are unique to control networks; however, our experience shows that this is not necessarily the best solution. Traditional signature based IDSs have proven repeatedly to fail in their implementations. Many vendors exist for monitoring traditional IT systems – and you can use this same environment for control systems. Make sure to ask your control system vendor about what they will support; you do not want to void your support agreement by modifying the system or network and you do not want the extent of such an investment to collect dust as ‘shelf ware’.
The best option is to reference Department of Homeland Security’s “Cyber Security Procurement Language for Control Systems”. Of course, this is most helpful when you are in the initial procurement stages of a system or support agreement; however, it can also be used to identify appropriate security controls for your specific environment. Note that caution has been continuously urged by Rita Wells of Idaho National Laboratory to use the procurement language as a tool for the process, but do not simply staple the language to a vendor order. The language is provided as a reference for selecting security options and if simply added to a vendor contract will include many conflicting alternatives.
Posted by Matt Luallen and Steve Hamburg of Encari on November 12, 2008 | Comments (4)
Reader Comments
at 11/12/2008 11:56:37 AM, Mark Fabro commented:
Although the suggestion of netflow is important, it cannot be overstated that SCADA/ICS domains should leverage determinism and predictable system dynamics to create operational envelopes. Indeed, many of the commercail IDS solutions often fail, the challenge is of course tuning the devices to specific allowed operations. There are simple and effective ways to develop signatures that are both resource based and content based. However, it is also important to develop all-traffic systems that can (a) initially be used to trigger on _possibly_ malicious traffic and (b) be used as core datasets to popuate active prevention systems that may use traffic shaping/scrubbing methods. Many asset owners have difficulty in managing previusly unseen system traffic that upon deploying IDS looks nefarious (as it exceeds thresholds) but is really benign vendor specific traffic (broadcast, multicast, device enrollment etc.) So, knowing what you are supposed to have vs' waht you are not supposed to have is a vital first step. Remember, business will usually trump security everytime. Using the procurment language is a great start for looking at defining 'security must-haves' in control solutions, but for existing deployments also check out CSSP Defesne in Depth as well as the CS2SAT toolkit which, for some asset owners and government organizations, is free of chrage. Each of these products can be leverged to accomodate almost any need by an asset owner trying to understand and improve their SCADA/ICS security profile. MF
at 11/13/2008 12:03:56 PM, James Arlen commented:
Following up on this, it's yet another case of the inappropriate application of "do what we did yesterday, again." -- too often, that mentality leads to making the same mistake over again, yet here it's an example of the need to do integrative work between IT and Control systems folks -- IT people really don't "get" determinism or situational awareness, and Control Systems folks really *do*. Everybody, huggle up and get to know each other, it'll be good for both of you.
at 11/13/2008 12:04:48 PM, James Arlen commented:
Oh, and blogs work better with functioning RSS feeds. Looking forward to good stuff from you both.
at 11/13/2008 9:22:22 PM, Brad Hegrat commented:
You guys are absolutely on the right track with the G.I. Joe method for managing security in a ICS/SCADA environment (knowing is half the battle). And Mark is dead on with the IDS comments. Knowing what is present in a nominal system is key to setting up and deploying not just monitoring solutions, but any security solution in this space. Once you have functional security zones (i.e. EZ vs DMZ vs MZ), this concept goes even further as you can restrict and monitor traffic to an almost deranged level of granularity - should you want to. Obviously, this leaves the only avenues of attack through the protocols allowed, which at this point should be a very, very short list. Unfortunately, many control protocols are insanely open. Which is why I always recommend that absolutely no proprietary or control protocols traverse your security zones (firewalls). Keep up the good work - this is a great starting piece. That and lil'Jimmy is right - RSS feeds are definitely in order. cheers. -bhh