SCADA IDS Question
Ty writes:
Say Company X’s CIRT deploys to an incident that was triggered by one of the SCADA IDS rules that DigitalBond has put out. What would be the best thing for the team to look for?
Talk to the operators? Look for netflows? Hope the IDS rule had a session tag or there was some kind of capture? If you were responding to an incident that involved a possible compromise on the control network, what would you do? I imagine it depends quite a bit on the specific devices, etc.?
First, each rule has a priority setting: the equivalent of high, medium and low. Obviously the high priority incidents should be considered more seriously.
Next, a number of the rules fire on rare commands that could be used in attacks but that also have legitimate uses. The CIRT should check with the system administrator to see whether the identified activity is legitimate. For example, the system admin may be rebooting many or all of the PLCs on the network after a code upgrade, but in general widespread reboots are probably an attack.
Another set of signatures identifies activity from unauthorized clients. Here it makes sense to check with the operators to see whether anything strange is taking place.
Finally, a good monitoring solution will also be looking at firewall logs, server logs and general IT attacks in an IDS. The CIRT should look for related evidence of attack in those sources. The PCSF Security Event Monitoring Interest Group is looking at these correlation issues to create classes of meta attacks.
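The checklist above (priority first, then confirm rare commands such as widespread PLC restarts with the system admin, then ask the operators about unauthorized clients, then pull related firewall evidence) as a small triage script. This is an added example, not code from the original post or from Digital Bond: the alert format, rule names, hosts, allow-list and firewall lines are all constructed placeholders, and the "three distinct PLCs" threshold for calling restarts widespread is an assumption a site would tune.

```python
"""Added example (not from the original post): triage of SCADA IDS alerts
along the lines the answer lays out, namely sort by rule priority, confirm
whether rare commands such as widespread PLC restarts are legitimate, flag
unauthorized clients, and correlate with firewall logs.  Every alert line,
firewall line, rule name, host and address below is constructed for the
example; none of it is a Digital Bond signature or real site data."""
from collections import defaultdict

# Constructed IDS alerts in a simple pipe-separated form:
# priority|rule name|source IP|destination IP|command seen on the wire
ALERTS = [
    "medium|PLC cold restart|10.1.1.5|10.1.2.11|COLD_RESTART",
    "medium|PLC cold restart|10.1.1.5|10.1.2.12|COLD_RESTART",
    "medium|PLC cold restart|10.1.1.5|10.1.2.13|COLD_RESTART",
    "high|Write from unauthorized client|10.1.1.77|10.1.2.11|WRITE_REGISTER",
    "low|Rare command: device identification|10.1.1.6|10.1.2.14|READ_DEVICE_ID",
]

# Constructed firewall log lines for the same window: time, action, proto, src -> dst:port
FIREWALL_LOG = [
    "2006-02-26 03:11:02 ALLOW TCP 192.168.50.9 -> 10.1.1.77:445",
    "2006-02-26 03:12:40 ALLOW TCP 10.1.1.77 -> 10.1.2.11:502",
    "2006-02-26 03:15:00 DENY TCP 10.1.1.77 -> 10.1.2.12:502",
    "2006-02-26 08:00:01 ALLOW TCP 10.1.1.5 -> 10.1.2.11:502",
]

# Hypothetical allow-list of HMI / engineering hosts that may talk to the PLCs
AUTHORIZED_CLIENTS = {"10.1.1.5", "10.1.1.6"}
PRIORITY_RANK = {"high": 3, "medium": 2, "low": 1}
# Distinct PLCs one source must restart before we call the activity "widespread" (assumed)
WIDESPREAD_THRESHOLD = 3


def parse_alert(line):
    """Turn one pipe-separated alert line into a dict."""
    priority, rule, src, dst, cmd = line.strip().split("|")
    return {"priority": priority, "rule": rule, "src": src, "dst": dst, "cmd": cmd}


def by_priority(alerts):
    """Highest priority first, so the CIRT handles the serious rules before the rest."""
    return sorted(alerts, key=lambda a: PRIORITY_RANK[a["priority"]], reverse=True)


def widespread_restarts(alerts, threshold=WIDESPREAD_THRESHOLD):
    """Map each source to the distinct PLCs it restarted and keep only sources
    at or above the threshold.  A single restart is routine; many PLCs from one
    host is the case to confirm with the system admin (code upgrade or not)."""
    targets = defaultdict(set)
    for a in alerts:
        if a["cmd"] == "COLD_RESTART":
            targets[a["src"]].add(a["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def unauthorized_clients(alerts, authorized=AUTHORIZED_CLIENTS):
    """Sources not on the allow-list: the hosts to ask the operators about."""
    return sorted({a["src"] for a in alerts if a["src"] not in authorized})


def correlate_with_firewall(hosts, fw_lines=FIREWALL_LOG):
    """Return firewall lines that involve any suspect host, i.e. the related
    evidence (who reached it, what it reached) the post says to look for."""
    hits = []
    for line in fw_lines:
        # each line ends with "SRC -> DST:PORT"; pull out the two addresses
        src_part, dst_part = line.split(" -> ")
        src = src_part.split()[-1]
        dst = dst_part.split(":")[0]
        if src in hosts or dst in hosts:
            hits.append(line)
    return hits


def triage(alert_lines=ALERTS):
    """Run the whole checklist and return the findings as one dict."""
    alerts = [parse_alert(l) for l in alert_lines]
    suspects = unauthorized_clients(alerts)
    return {
        "ordered": [a["rule"] for a in by_priority(alerts)],
        "widespread_restarts": widespread_restarts(alerts),
        "unauthorized_clients": suspects,
        "firewall_evidence": correlate_with_firewall(set(suspects)),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Running it on the constructed data puts the high-priority unauthorized-client write at the top, reports 10.1.1.5 as having restarted three PLCs (the "is this a code upgrade?" question for the system admin), lists 10.1.1.77 as the only client off the allow-list, and returns the three firewall lines that involve that host, including the inbound connection it received before it started talking to PLCs.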
Interesting question. I’ll add some guidance for control system vendors working with their MSSPs tomorrow.
Author: Dale Peterson
Posted: February 26th, 2006 under IDS / IPS, SCADA IDS.