Security Monitoring & Intrusion Detection
Yesterday I gave a presentation to about 200 SCADA users at the Telvent User Group Conference. It always is a pleasure to talk to and learn from actual end users of these systems. My presentation focused on adapting security monitoring and intrusion detection for process control networks.
Why monitor the cyber security of your SCADA network? For the same reason you have cameras, security guards, and alarms monitoring your physical security: to identify and stop intrusions. Classic IT security monitoring includes real-time log review for firewalls and servers, plus network-based intrusion detection systems (NIDS). These NIDS identify attacks such as hacker scanning, worms, denial-of-service attacks, and attempts to exploit other published vulnerabilities.
Security monitoring requires a team of highly skilled IT security experts and sophisticated correlation software. Most organizations find it much more cost effective to outsource this monitoring to a third party managed security service provider (MSSP). We are frequently updating our analysis of MSSP offerings, and the good news is there are a number of great solutions available. Cyber security monitoring is happening today in leading edge critical infrastructure organizations, and the results are impressive.
So what is different with SCADA networks? Two things.
First, the SCADA application logs have a wealth of information to be added to the solution. These logs include entries for elevation of privileges, database and display changes, bringing sensors on and off line, failed login attempts, and much more. The MSSPs need to understand these logs and incorporate the security events into their processes and correlation software.
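As an added illustration of the first point (this is example code written for this article, not Digital Bond's or any MSSP's correlation software), the block below parses a handful of constructed SCADA application log lines and applies two correlation rules: repeated failed logins from one user/host pair, and a sensitive change (sensor taken offline, display or database edited) shortly after a privilege elevation by the same account. The log format, thresholds and time windows are assumptions chosen for the example.

```python
"""Correlation rules over constructed SCADA application log lines.

Assumed log format (not a real product's format):
  YYYY-MM-DD HH:MM:SS event=<type> user=<name> host=<ip> detail=<text>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one suspicious session and one normal one.
SAMPLE_LOG = """\
2003-10-01 02:10:05 event=login_failed user=operator3 host=10.1.5.20 detail=bad_password
2003-10-01 02:10:09 event=login_failed user=operator3 host=10.1.5.20 detail=bad_password
2003-10-01 02:10:14 event=login_failed user=operator3 host=10.1.5.20 detail=bad_password
2003-10-01 02:10:18 event=login_failed user=operator3 host=10.1.5.20 detail=bad_password
2003-10-01 02:10:40 event=login_ok user=operator3 host=10.1.5.20 detail=-
2003-10-01 02:11:02 event=priv_elevated user=operator3 host=10.1.5.20 detail=role=engineer
2003-10-01 02:12:30 event=sensor_offline user=operator3 host=10.1.5.20 detail=tag=PT-104
2003-10-01 09:00:00 event=login_ok user=engineer1 host=10.1.5.7 detail=-
2003-10-01 09:05:00 event=priv_elevated user=engineer1 host=10.1.5.7 detail=role=engineer
2003-10-01 14:00:00 event=display_changed user=engineer1 host=10.1.5.7 detail=screen=overview
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"event=(?P<event>\S+) user=(?P<user>\S+) host=(?P<host>\S+) detail=(?P<detail>.*)$"
)

# Assumed tuning values for the example rules.
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
PRIV_FOLLOWUP_WINDOW = timedelta(minutes=10)
SENSITIVE_FOLLOWUPS = {"sensor_offline", "display_changed", "db_changed"}


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def correlate(events):
    """Return (rule, user, host, timestamp) alerts from the two example rules."""
    alerts = []
    failures = defaultdict(list)   # (user, host) -> failure timestamps in window
    last_elevation = {}            # (user, host) -> time of last privilege elevation
    for e in sorted(events, key=lambda r: r["ts"]):
        key = (e["user"], e["host"])
        if e["event"] == "login_failed":
            window = failures[key] + [e["ts"]]
            failures[key] = [t for t in window if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(failures[key]) == FAILED_LOGIN_THRESHOLD:   # alert once per burst
                alerts.append(("repeated_login_failure", e["user"], e["host"], e["ts"]))
        elif e["event"] == "login_ok":
            if len(failures.get(key, [])) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("login_after_failures", e["user"], e["host"], e["ts"]))
            failures.pop(key, None)
        elif e["event"] == "priv_elevated":
            last_elevation[key] = e["ts"]
        elif e["event"] in SENSITIVE_FOLLOWUPS:
            t0 = last_elevation.get(key)
            if t0 is not None and e["ts"] - t0 <= PRIV_FOLLOWUP_WINDOW:
                alerts.append(("sensitive_change_after_elevation", e["user"], e["host"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

The value for an MSSP is in the second rule: a privilege elevation or a sensor going offline is routine on its own, and only the sequence within a short window is worth an analyst's time, which is exactly the kind of SCADA-specific context that generic IT correlation rules lack.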
Second, the NIDS need to identify attacks related to the process control protocols such as Modbus. We have an active research project working on this issue, and we should be issuing some additional information and sample code in the next six months. Contact me, peterson@digitalbond.com, if you are interested in participating.
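To show what a protocol-aware NIDS check for Modbus/TCP looks like, here is an added example written for this article; it is not the research code the post refers to. It parses the MBAP header and function code of a request, flags malformed frames, flags write function codes from any source not on an allowlist of hosts permitted to write, and flags the diagnostics sub-function that puts a device into listen-only mode. The frames, source addresses and allowlist are constructed for the example.

```python
"""Protocol-aware inspection of Modbus/TCP requests, in the style of a NIDS rule.

Assumptions: each frame is a (source_ip, payload_bytes) pair already pulled out
of a TCP port 502 stream; WRITE_ALLOWLIST is a constructed example value.
"""
import struct

MBAP_LEN = 7   # transaction id (2), protocol id (2), length (2), unit id (1)
WRITE_FUNCTIONS = {
    5: "write_single_coil",
    6: "write_single_register",
    15: "write_multiple_coils",
    16: "write_multiple_registers",
}
DIAGNOSTICS = 8
FORCE_LISTEN_ONLY = 0x0004   # diagnostics sub-function: device stops answering

WRITE_ALLOWLIST = {"10.1.5.7"}   # constructed: the only host expected to write


def parse_modbus_tcp(payload):
    """Split a Modbus/TCP frame into header fields and PDU; raise on malformed input."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack("!HHHB", payload[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    pdu = payload[MBAP_LEN:]
    if length != len(pdu) + 1:   # length field covers unit id plus PDU
        raise ValueError("length field %d does not match PDU size" % length)
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}


def inspect(src, payload):
    """Return a list of (rule, source, detail) alerts for one request frame."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [("malformed_modbus", src, str(exc))]
    alerts = []
    fc = req["function"]
    if fc in WRITE_FUNCTIONS and src not in WRITE_ALLOWLIST:
        alerts.append(("unauthorized_write", src, WRITE_FUNCTIONS[fc]))
    if fc == DIAGNOSTICS and len(req["data"]) >= 2:
        sub = struct.unpack("!H", req["data"][:2])[0]
        if sub == FORCE_LISTEN_ONLY:
            alerts.append(("force_listen_only", src, "diagnostics sub-function 0x0004"))
    return alerts


def build(tid, unit, fc, data):
    """Assemble a well-formed Modbus/TCP request for the constructed samples."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: two legitimate requests, then three that should alert.
SAMPLES = [
    ("10.1.5.7", build(1, 1, 3, struct.pack("!HH", 0, 10))),          # read registers
    ("10.1.5.7", build(2, 1, 6, struct.pack("!HH", 0x10, 1))),        # write, allowed host
    ("10.1.5.99", build(3, 1, 16, struct.pack("!HHB", 0x10, 1, 2) + b"\x00\x01")),
    ("10.1.5.99", build(4, 1, 8, struct.pack("!HH", FORCE_LISTEN_ONLY, 0))),
    ("10.1.5.99", struct.pack("!HHHB", 5, 1, 6, 1) + bytes([3]) + struct.pack("!HH", 0, 10)),
]


def run_samples():
    """Inspect every sample frame and return the concatenated alert list."""
    alerts = []
    for src, payload in SAMPLES:
        alerts.extend(inspect(src, payload))
    return alerts


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

A signature-only NIDS would see nothing wrong with the third and fourth frames: they are valid protocol traffic. Only a rule that knows which function codes change process state, and which hosts are supposed to send them, can distinguish an operator's write from an unexpected one.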
Author: Dale Peterson
Posted: October 1st, 2003 under IDS / IPS.
Comments: 1
Comments
Comment from Hassan
Time: March 21, 2007, 12:33 pm
Greetings!
It seems like we are working on the same type of things. I am integrating the same skills and tools that we use on the IT side of the house to provide protection in the SCADA environment. I’d like to know what kinds of systems and logs I need to request from the SCADA folks. If the systems that hold the bulk of the SCADA info are standard IT systems, then you are right… I just need access to them. Your help would be appreciated.
Thanks