Transcript
Page 1: Using PI to Aggregate & Correlate Security Events to Detect Cyber Attacks Dale Peterson Digital Bond, Inc.

Using PI to Aggregate & Correlate Security Events to Detect Cyber Attacks
Dale Peterson
Digital Bond, Inc.

Page 2

Agenda

• Hardening the PI Server
  – Architecture considerations
  – Using Bandolier to audit PI server security

• Using PI to Detect Cyber Attacks
  – Dept of Energy funded research project
  – Digital Bond’s Portaledge

Page 3

PI Security 101

• Architecture
  – Put PI servers in the right zone or zones
    • Do not allow access to control center for PI
    • Do not use two Ethernet cards and become a bridge
    • Leverage PI to PI communication to move between zones of different security levels
    • Is access to your PI data mission critical?

Page 4

PI Security 101

• OSIsoft provides guidance on securing PI
• Digital Bond has yet to see it followed!!!
  – piadmin username and password for PI trusts
• Bandolier
  – A Dept. of Energy funded research project

Page 5

Identifying the Problem

• How do we establish an optimal / best possible secure configuration for our control system servers?
• How do we verify that this configuration has not changed over time?
• Can we do this using existing security tools at low or no additional cost?

Page 6

Solution: Bandolier

Page 7

Multiple Levels of Audit Tests

Page 8

Bandolier Security Audit File

• Batch file extracts security parameters from PI
  – Runs piconfig and a few other programs and dumps results to a file that can be audited
• ~222 Security Audit Checks
  – 26 Application Checks
  – 196 Operating System Checks

Page 9

NERC CIP Compliance Aid

• CIP-007 R1: Test Procedures
• CIP-007 R2: Ports and Services
• CIP-007 R5: Accounts and Services
• CIP-007 R8: Vulnerability Assessment
• See the SCADApedia Page

Page 10

Nessus Compliance Check Plugin

• Only uses one Nessus plugin!
• Safer than traditional scanning
  – Secure management connection. NOT a Nessus scan!
• Evaluates the “known good” not “known bad”
• Exporting to OVAL/XCCDF for use in other vulnerability scanners and security tools
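An added illustration of the audit model behind slides 5, 8 and 10, written here for this transcript and not taken from Bandolier (whose audit file and the real piconfig output are not shown on these slides): a constructed settings dump is compared against "known good" values, PI trusts that map to piadmin (the recurring finding from slide 4) are flagged, and a fingerprint of the dump is kept so a later run can tell whether the configuration changed over time. The dump format, its keys and the expected values are assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed dump in a simplified "table.key = value" form. The format and keys are
# assumptions for illustration, not real piconfig output or Bandolier's audit file.
DUMP = """\
pitrust.LOCALTRUST.user = pidemo
pitrust.NETTRUST.user = piadmin
piuser.piadmin.passwordset = 0
os.audit.logon_events = success,failure
"""

# "Known good" expectations (slide 10): each setting is compared to the value it should have.
KNOWN_GOOD = {
    "piuser.piadmin.passwordset": "1",
    "os.audit.logon_events": "success,failure",
}

def parse_dump(text: str) -> Dict[str, str]:
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs; anything that is not known good is a finding."""
    findings = []
    for key, expected in KNOWN_GOOD.items():
        actual = settings.get(key, "<missing>")
        if actual != expected:
            findings.append((key, f"expected {expected!r}, found {actual!r}"))
    # Slide 4: PI trusts that map to piadmin are the recurring finding Digital Bond sees.
    for key, value in settings.items():
        if key.startswith("pitrust.") and key.endswith(".user") and value == "piadmin":
            findings.append((key, "trust maps to piadmin"))
    return findings

def fingerprint(settings: Dict[str, str]) -> str:
    """Stable hash of the audited settings, kept from one run so later runs can detect drift."""
    canonical = "\n".join(f"{k}={settings[k]}" for k in sorted(settings))
    return hashlib.sha256(canonical.encode()).hexdigest()

def drifted(settings: Dict[str, str], baseline_fingerprint: str) -> bool:
    """Slide 5: has the configuration changed since the baseline fingerprint was taken?"""
    return fingerprint(settings) != baseline_fingerprint
```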

Page 11

Bandolier Costs and Requirements

• Prerequisites
  – Digital Bond Site Subscription
    • $100 / Year
  – Nessus Professional Feed Subscription
    • $1,200 / Year
    • Many organizations already have a Nessus subscription
  – Administrator credentials for PI server

Page 12

Questions

Page 13

Detecting Cyber Attacks

• Security log events are everywhere
  – Firewalls, routers, switches
  – IDS/IPS
  – Server and workstation operating systems
  – SCADA and DCS applications, field devices, …
• Aggregate and evaluate events
  – Multiple events can decrease false positives
  – Multiple events can better

Page 14

Security Event Managers (SEM)

• A class of IT security product
  – ArcSight and LOGIIC
• Aggregates & correlates security events
  – Used to detect attacks and for forensics
• Weakness – does not have interfaces to bring in control system information

Page 15

Question?

What do we use in control systems to aggregate and analyze information?

A Historian
A PI Server

Page 16

PI Historian Advantages over SEM

• Already exist on many control systems
  – Especially in the energy sector
• Already interface to control system devices and applications
• Interface to IT devices and applications
• Has an advanced correlation capability, ACE

Page 17

Portaledge

• A Digital Bond research project
  – Funded by the US Department of Energy
  – OSIsoft is a major partner and contributor
• Goal: Use PI Server as a SCADA SEM
  – Aggregate security events
  – Correlate security events using ACE
  – Alert when cyber attacks are detected

Page 18

Event Taxonomy

[Diagram; labels on the slide: Event Class, Trigger, Event, Meta Event. Three Event Classes are shown with their Event Triggers:]

• Availability Event Triggers
  – Computer System
  – Field Device
  – Network Device
  – Perf Degradation
  – …
• Process Manipulation Event Triggers
  – Change in Scale
  – Change in Display
  – Firmware upload
  – …
• Reconnaissance Event Triggers
  – Web Crawling
  – File Probing
  – Error Reaction
  – …
• Meta Events

Page 19

Event Class Events

• One or more Events in an Event Class with a commonality generate an Event Class Event
  – Commonalities: time, IP address, …
• Will contain a chain of Events
  – Length and diversity of chains can be used to measure confidence
  – Chains can be used for the escalation process
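The Event Class Event correlation on this slide (and the aggregate-and-evaluate idea from slide 13), as an added Python sketch that is not Portaledge's ACE module (which is VB.NET running inside PI): Events of one Event Class that share a source IP within a time window are chained, the chain's length and trigger diversity give a confidence score, and only confident chains are escalated. The field names, window, scoring weights and sample events are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass(frozen=True)
class Event:
    """One Event in the slide-18 taxonomy. Field names are assumed, not Portaledge's schema."""
    ts: int            # seconds since epoch
    event_class: str   # e.g. "Availability", "Reconnaissance"
    trigger: str       # e.g. "Field Device", "Web Crawling"
    src_ip: str        # the commonality used to correlate in this sketch

@dataclass
class EventClassEvent:
    event_class: str
    src_ip: str
    chain: List[Event] = field(default_factory=list)

    def confidence(self) -> float:
        # Slide 19: chain length and diversity measure confidence. Assumed scoring:
        # 0.2 per event plus 0.2 per distinct trigger, capped at 1.0.
        distinct_triggers = len({e.trigger for e in self.chain})
        return min(1.0, 0.2 * len(self.chain) + 0.2 * distinct_triggers)

def correlate(events: List[Event], window: int = 300) -> List[EventClassEvent]:
    """Chain Events of one Event Class that share a source IP within `window` seconds."""
    chains: List[EventClassEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        for ece in chains:
            if (ece.event_class == ev.event_class and ece.src_ip == ev.src_ip
                    and ev.ts - ece.chain[-1].ts <= window):
                ece.chain.append(ev)
                break
        else:  # no open chain shares the commonality: start a new Event Class Event
            chains.append(EventClassEvent(ev.event_class, ev.src_ip, [ev]))
    return chains

def escalate(eces: List[EventClassEvent], threshold: float = 0.6) -> List[EventClassEvent]:
    """Slide 19: chains drive escalation; only confident chains reach an operator."""
    return [e for e in eces if e.confidence() >= threshold]

# Constructed sample events (not real data): one source probes in three different ways,
# a single availability event stands alone, and a later probe falls outside the window.
SAMPLE = [
    Event(1000, "Reconnaissance", "Web Crawling", "10.0.0.5"),
    Event(1090, "Reconnaissance", "File Probing", "10.0.0.5"),
    Event(1150, "Reconnaissance", "Error Reaction", "10.0.0.5"),
    Event(1200, "Availability", "Network Device", "10.0.0.9"),
    Event(5000, "Reconnaissance", "Web Crawling", "10.0.0.5"),
]
```

Running `escalate(correlate(SAMPLE))` returns only the three-event reconnaissance chain from 10.0.0.5; the lone availability event and the out-of-window probe each form a low-confidence chain that is not escalated.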

Page 20

Event Classes

• Availability
• Communication
• Enumeration
• Escalation
• Exploitation
• Obfuscation
• Process Manipulation
• Reconnaissance

Page 21

Release Packages

• Subscriber content on digitalbond.com
  – $100 / year, YES that’s all
  – Business model is to get research deployed
  – FREE for 3 months for event attendees who ask me for a free subscription
• Requires appropriate PI licenses
  – PI Server, SMT, ACE, Datalink, Excel

Page 22

Release Package - I

• Spreadsheet to create PI Tags with SMT plugin
  – Will require some customization for IP address
  – Will require copy / paste for multiple data sources
• Spreadsheet to create modules, aliases and properties in the Module Database
  – Alias PI Tag names for use in ACE

These are common functions for PI Admins

Page 23

Release Package - II

• ACE Modules
  – ACE Module DLL and related files
  – VB.NET files for customization if desired
  – Context spreadsheet to load ACE module using the SMT Module Database Plugin
• Documentation
  – Detailed Portaledge documentation on SCADApedia
  – Notes and instructions available

Page 24

Release Package - III

• DataLink Display
  – Basic display that shows a scroll of Events
  – Customers can display results in a variety of ways
    • PI Users are highly experienced on displaying data
  – Future research to build security dashboard
    • Better way to display alerts so operators can escalate
    • Security metrics to show the security state of the system

Page 25

Release Schedule

• Released Today – Availability Event Class
  – Computer System Availability Event
  – Field Device Availability Event
  – Network Device Availability Event
  – Performance Degradation Availability Event [3]
  – Simple Network Availability Event
• Next – Enumeration Event Class
• All complete in 2009

Page 26

Questions

Page 27

Contact Info

Dale Peterson, [email protected]

www.digitalbond.com for
- Bandolier, Portaledge and other research
- SCADA Security Blog and SCADApedia
- Whitepapers, podcasts, presentations, …

