Today we released the CIP-5 Monitoring Modules in our Dept of Energy funded Portaledge. These modules work with the PI server to monitor and alert on security log events in access devices at the electronic security perimeter. They will provide the monitoring and alerting required in CIP-5 R3 and the access log retention required in CIP-5 R5.3.
While they are called CIP-5 Monitoring Modules for marketing reasons, they are actually valuable to any security program that wants to monitor security perimeter firewall logs, and currently the modules support Cisco and Juniper firewalls. We identified the security-related events in the logs; the modules send those events to the PI server using syslog, and the PI server stores them and alerts on them. The existing PI server becomes an ICS SIEM.
All of the security log events are put into one of five categories:
- Inbound Blocked – Firewall log events can be generated when packets are blocked or dropped on an external interface. This would tell you if a person or program on the enterprise network is getting blocked at the firewall. This can be evidence of an early stage of an attack, but it could also be innocuous communication that happens to hit the firewall. Worth investigating in either case.
- Suspicious Activity – Firewall security log events that could be generated in an attack, but also could happen innocently. Examples are authentication failures and malformed or illegal packets.
- Attack Activity – This is a relatively small category of events that are almost certainly attacks, such as the old LAND and teardrop attacks. We have not yet integrated firewall IDS/IPS log events into the module, but many of those log events would fit here.
- Outbound Blocked – Log events generated from packets blocked or dropped that were initiated from the most secure zone. This would be something in the control center or inside an ESP trying to initiate communication with something outside the zone that was not approved. This could be an operator trying to reach a corporate web server, but it also could be a compromised system trying to reach an external command and control server.
- Authenticated Access – The security log events related to logins that must be retained for at least 90 days.
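As an added illustration of the five categories above (example code written for this post, not part of the Portaledge modules), the following Python classifier sorts constructed Cisco ASA-style syslog lines into the categories based on the message text. The zone names "outside" and "control", the sample lines and their message IDs are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Zone names are assumed for this example: "outside" = external interface, "control" = most secure zone.
EXTERNAL_ZONE = "outside"
SECURE_ZONE = "control"

# Constructed Cisco ASA-style syslog lines (sample input, not real firewall logs).
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.10/4432 dst control:10.0.0.5/502 by access-group "outside_in"',
    '%ASA-4-106023: Deny tcp src control:10.0.0.7/51234 dst outside:198.51.100.9/443 by access-group "control_out"',
    "%ASA-2-106017: Deny IP due to Land Attack from 10.0.0.5 to 10.0.0.5",
    "%ASA-2-106020: Deny IP teardrop fragment (size = 36, offset = 0) from 203.0.113.10 to 10.0.0.5",
    '%ASA-6-605004: Login denied from 10.0.0.7/51300 to control:10.0.0.1/ssh for user "admin"',
    '%ASA-6-605005: Login permitted from 10.0.0.7/51301 to control:10.0.0.1/ssh for user "admin"',
]

# Matches ACL denies and captures the source zone, which decides the direction.
DENY_RE = re.compile(r"Deny (?:tcp|udp|icmp) src (\w+):\S+ dst (\w+):\S+")


def classify(line: str) -> Optional[str]:
    """Map one firewall syslog line to one of the five categories, or None if it is not a security event."""
    low = line.lower()
    # Attack Activity: the firewall itself names a known attack (LAND, teardrop).
    if "land attack" in low or "teardrop" in low:
        return "Attack Activity"
    # Authenticated Access: successful device logins, kept for the 90-day retention window.
    if "login permitted" in low:
        return "Authenticated Access"
    # Suspicious Activity: authentication failures and malformed packets.
    if "login denied" in low or "authentication failed" in low or "malformed" in low:
        return "Suspicious Activity"
    m = DENY_RE.search(line)
    if m:
        src_zone = m.group(1).lower()
        if src_zone == EXTERNAL_ZONE:
            return "Inbound Blocked"   # something outside hit the perimeter and was dropped
        if src_zone == SECURE_ZONE:
            return "Outbound Blocked"  # the secure zone tried to reach out and was dropped
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count classified events per category; uncategorized lines are ignored."""
    counts: Dict[str, int] = {}
    for line in lines:
        cat = classify(line)
        if cat is not None:
            counts[cat] = counts.get(cat, 0) + 1
    return counts
```

Running `summarize(SAMPLE_LOGS)` gives one event in each category except Attack Activity, which gets two; lines that match none of the rules (ordinary connection build/teardown messages) are left uncategorized rather than forced into a bucket.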