Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using PI to Aggregate & Correlate Security Events to Detect Cyber Attacks Dale Peterson Digital Bond, Inc.

Published byDestini Menter Modified over 9 years ago

Similar presentations

Presentation on theme: "Using PI to Aggregate & Correlate Security Events to Detect Cyber Attacks Dale Peterson Digital Bond, Inc."— Presentation transcript:

1 Using PI to Aggregate & Correlate Security Events to Detect Cyber Attacks Dale Peterson Digital Bond, Inc.

2 Agenda Hardening the PI Server – Architecture considerations – Using Bandolier to audit PI server security Using PI to Detect Cyber Attacks – Dept of Energy funded research project – Digital Bond’s Portaledge

3 PI Security 101 Architecture – Put PI servers in the right zone or zones Do not allow access to control center for PI Do not use two Ethernet cards and become a bridge Leverage PI to PI communication to move between zones of different security levels Is access to your PI data mission critical?

4 PI Security 101 OSIsoft provides guidance on securing PI Digital Bond has yet to see it followed!!! – piadmin username and password for PI trusts Bandolier – A Dept. of Energy funded research project

5 Identifying the Problem How do we establish an optimal / best possible secure configuration for our control system servers? How do we verify that this configuration has not changed over time? Can we do this using existing security tools at a low or no additional cost?

6 Solution: Bandolier Collaborate with vendor and asset owner partners to identify the optimal security configuration Assess and extract security configuration data Create audit files that can be used in Nessus and other scanners Deliver through subscriber content and vendor support channels

7 Multiple Levels of Audit Tests Operating System Settings Policies Account Management Logging Ownership and Permissions Services Processes Windows Registry Configuration Files Supporting Application Settings Web Servers Application Servers Database Servers SSH Servers LDAP Servers Authentication Libraries Control System Application Settings Authentication and Authorization Configuration Files Default Accounts Logging Application File Ownership and Permissions Services

8 Bandolier Security Audit File Batch file extracts security parameters from PI – Runs piconfig and a few other programs and dumps results to a file that can be audited ~222 Security Audit Checks – 26 Application Checks – 196 Operating System Checks

9 NERC CIP Compliance Aid CIP-007 R1: Test Procedures CIP-007 R2: Ports and Services CIP-007 R5: Accounts and Services CIP-007 R8: Vulnerability Assessment See the SCADApedia Page

10 Nessus Compliance Check Plugin Only uses one Nessus plugin! Safer than traditional scanning – Secure management connection. NOT a Nessus scan! Evaluates the “known good” not “known bad” Exporting to OVAL/XCCDF for use in other vulnerability scanners and security tool

11 Bandolier Costs and Requirements Prerequisites – Digital Bond Site Subscription $100 / Year – Nessus Professional Feed Subscription $1,200 / Year Many organizations already have a Nessus subscription – Administrator credentials for PI server

12 Questions

13 Detecting Cyber Attacks Security log events are everywhere – Firewalls, routers, switches – IDS/IPS – Server and workstation operating systems – SCADA and DCS applications, field devices, … Aggregate and evaluate events – Multiple events can decrease false positives – Multiple events can better

14 Security Event Managers (SEM) A class of IT security product – ArcSight and LOGIIC Aggregates & correlates security events – Used to detect attacks and forensics Weakness – Does not have interfaces to bring in control system information

15 Question? What do we use in control systems to aggregate and analyze information? A Historian A PI Server

16 PI Historian Advantages over SEM Already exist on many control systems – Especially in the energy sector Already interface to control system devices and applications Interface to IT devices and applications Has an advanced correlation capability, ACE

17 Portaledge A Digital Bond research project – Funded by the US Department of Energy – OSIsoft is a major partner and contributor Goal: Use PI Server as a SCADA SEM – Aggregate security events – Correlate security events using ACE – Alert when cyber attacks are detected

18 Event Taxonomy Availability Process Manipulation Reconnaissance Meta Events Process Manipulation Event Triggers Availability Event Triggers - Computer System - Field Device - Network Device - Perf Degradation - … - Computer System - Field Device - Network Device - Perf Degradation - … Reconnaissance Event Triggers Reconnaissance Event Triggers - Change in Scale - Change in Display - Firmware upload - … - Change in Scale - Change in Display - Firmware upload - … -Web Crawling - File Probing - Error Reaction -... -Web Crawling - File Probing - Error Reaction -... Event Class Trigger Event Meta Event C C

19 Event Class Events One or more Events in an Event Class with a commonality generate an Event Class Event – Commonalities: time, IP address, … Will contain a chain of Events – Length and diversity of chains can be used to measure confidence – Chains can be used for escalation process

20 Event Classes Availability Communication Enumeration Escalation Exploitation Obfuscation Process Manipulation Reconnaissance

21 Release Packages Subscriber content on digitalbond.com – $100 / year, YES that’s all – Business model is to get research deployed – FREE for 3 months for event attendees who ask me for a free subscription Requires appropriate PI licenses – PI Server, SMT, ACE, Datalink, Excel

22 Release Package - I Spreadsheet to create PI Tags with SMT plugin – Will require some customization for IP address – Will require copy / paste for multiple data sources Spreadsheet to create modules, alias and properties in the Module Database – Alias PI Tag names for use in ACE These are common functions for PI Admins

23 Release Package - II ACE Modules – ACE Module DLL and related files – VB.NET files for customization if desired – Context spreadsheet to load ACE module using the SMT Module Database Plugin Documentation – Detailed Portaledge documentation on SCADApedia – Notes and instructions available

24 Release Package - III DataLink Display – Basic display that shows a scroll of Events – Customers can display results in a variety of ways PI Users are highly experienced on displaying data – Future research to build security dashboard Better way to display alerts so operators can escalate Security metrics to show the security state of the system

25 Release Schedule Released Today – Availability Event Class – Computer System Availability Event – Field Device Availability Event – Network Device Availability Event – Performance Degradation Availability Event [3] – Simple Network Availability Event Next – Enumeration Event Class All complete in 2009

26 Questions

27 Contact Info Dale Peterson, 954-303-7560 peterson@digitalbond.com www.digitalbond.com for -Bandolier, Portaledge and other research -SCADA Security Blog and SCADApedia -Whitepapers, podcasts, presentations, …

Download ppt "Using PI to Aggregate & Correlate Security Events to Detect Cyber Attacks Dale Peterson Digital Bond, Inc."

Similar presentations

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.

ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
Department of Energy PI for Security and Securing PI Dale Peterson Digital Bond, Inc. © 2008 Digital Bond, Inc.

Department of Energy PI for Security and Securing PI Dale Peterson Digital Bond, Inc. © 2008 Digital Bond, Inc.
NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.

NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
AVG Internet Security 7.5 Product presentation.

AVG Internet Security 7.5 Product presentation.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
CONFIDENTIAL & PROPRIETARY 1 WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan.

CONFIDENTIAL & PROPRIETARY 1 WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan.
OPC Alarm.NET.

OPC Alarm.NET.
Tripwire Enterprise Server – Getting Started Doreen Meyer and Vincent Fox UC Davis, Information and Education Technology June 6, 2006.

Tripwire Enterprise Server – Getting Started Doreen Meyer and Vincent Fox UC Davis, Information and Education Technology June 6, 2006.
Vulnerability Types And How to Use Them.

Vulnerability Types And How to Use Them.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Welcome to the Minnesota SharePoint User Group. Introductions / Overview Project Tracking / Management / Collaboration via SharePoint Multiple Audiences.

Welcome to the Minnesota SharePoint User Group. Introductions / Overview Project Tracking / Management / Collaboration via SharePoint Multiple Audiences.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
Www.skyboxsecurity.com Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Similar presentations

Ads by Google