The Portaledge team is pleased to announce the beta release of the Enumeration Event Class. Portaledge is Digital Bond’s Dept. of Energy program that leverages OSISoft’s PI ACE engine to provide Security Event Management: the detection, alerting and logging of security events on SCADA and DCS.
The Enumeration Event Class currently has modules for detecting common port scans and other enumeration scans (TCP, FIN, SYN, UDP and ICMP) and for detecting account enumeration via Finger. These scans are often the first stage of an attack, so by detecting and alerting on them an asset owner is better able to stop the attack before it succeeds, or at least to limit its impact.
Most of these events identify scanning in two ways. The first is a single system being probed on multiple ports (the default threshold is 3); these alerts are labelled by Portaledge as a “scan”, such as TCP scan, FIN scan, SYN scan, and so on. The second is multiple systems being probed on the same port, for example a scanner looking for web servers or ICCP servers. If three monitored systems (the default, which can be changed) are probed on the same port, a “port sweep” alert is issued.
In addition to detecting common enumeration scans, the Enumeration Event Class provides a Traffic Monitor that watches for anomalous communications. The Traffic Monitor allows the user to profile normal communications on the system and record the “allowed” communications on a per-system basis. Portaledge then monitors for and alerts on communications outside of those allowed. Because communication patterns on control systems are very repetitive under normal conditions, the detection of abnormal communications is a strong indicator of enumeration and other malicious activity.
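The scan, port-sweep and Traffic Monitor logic described in the two paragraphs above, as an added illustration in Python (not Portaledge code, which runs inside PI ACE). It assumes connection attempts arrive as (source, destination, destination port, scan type) tuples; the events and the allowed-communications profile are constructed sample data.

```python
from collections import defaultdict

# Constructed sample connection-attempt events: (src, dst, dst_port, type).
# The type label stands in for the packet-level classification (TCP, FIN, SYN,
# UDP, ICMP) that a sensor would supply; none of this is real traffic.
EVENTS = [
    ("10.0.0.5", "10.0.1.10", 21, "tcp"),
    ("10.0.0.5", "10.0.1.10", 22, "tcp"),
    ("10.0.0.5", "10.0.1.10", 23, "tcp"),    # 3 ports on one host -> "TCP scan"
    ("10.0.0.7", "10.0.1.11", 102, "tcp"),
    ("10.0.0.7", "10.0.1.12", 102, "tcp"),
    ("10.0.0.7", "10.0.1.13", 102, "tcp"),   # same port on 3 hosts -> "port sweep"
    ("10.0.1.10", "10.0.1.20", 502, "tcp"),  # profiled (allowed) flow
    ("10.0.1.10", "10.0.1.21", 502, "tcp"),  # not in profile -> traffic anomaly
]

# Constructed per-system profile: monitored system -> allowed (peer, port, type).
PROFILE = {"10.0.1.10": {("10.0.1.20", 502, "tcp")}}


def detect_scans(events, threshold=3):
    """Scan: one source probing >= threshold distinct ports on one destination.
    Port sweep: one source probing the same port on >= threshold destinations."""
    ports_by_pair = defaultdict(set)  # (src, dst, type) -> ports seen
    hosts_by_port = defaultdict(set)  # (src, port, type) -> destinations seen
    for src, dst, port, kind in events:
        ports_by_pair[(src, dst, kind)].add(port)
        hosts_by_port[(src, port, kind)].add(dst)
    alerts = []
    for (src, dst, kind), ports in ports_by_pair.items():
        if len(ports) >= threshold:
            alerts.append((f"{kind.upper()} scan", src, dst, sorted(ports)))
    for (src, port, kind), dsts in hosts_by_port.items():
        if len(dsts) >= threshold:
            alerts.append(("port sweep", src, port, sorted(dsts)))
    return alerts


def detect_traffic_anomalies(events, profile):
    """Traffic Monitor: flag any flow from a profiled system that is not in
    that system's allowed set. Systems without a profile are not checked."""
    return [
        (src, dst, port, kind)
        for src, dst, port, kind in events
        if src in profile and (dst, port, kind) not in profile[src]
    ]
```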
The Enumeration release includes the Enumeration Event Class event (see last week’s discussion of Event Class Events and Event Chains), which correlates events on four types of commonality and links them into chains to provide a better understanding of what is occurring on the system.
The Enumeration and previously released Availability events are available for download to Digital Bond content subscribers. Any feedback on Portaledge is appreciated.