The Government/Industry project known as LOGIIC aggregated and correlated security events from SCADA applications, IDS, firewalls and other systems in a Security Event Mangagement (SEM) product to attempt to identify attacks on SCADA networks.  Loyal blog readers know I’m a fan of this approach and their use of our SCADA Data Dictionary.  I rated it number 7 in our 2006 Top Ten List.

I do have one complaint about the LOGIIC program – - why aren’t the results published?  Not the high level presentation on the goals and approach, but the list of meta events and the scripts to detect them.  If I have missed them and they are published please send me the link, and we will review, link to and publicize at this space.

So in the absence of these events and scripts, I asked Ron Gula of Tenable Network Security Inc, and past Dragon fame, to provide SCADA attack detection scripts as part of an invited paper at S4.  The good news is creating scripts for SEM products like Tenable’s or other vendors is not difficult.  The challenge is to identify the meta event and the log entries from various sources you want to correlate as a detection of the meta event.

In Ron’s S4 paper he has five different scripts, written in TASL, that can be used to detect events such as DNP3 unsolicited response storms and distinguishing between a ‘normal failover’ and cyber attacks leading to SCADA server failover.  These are scripts you can use today in Tenable’s product or easily convert to the scripting language in another product.  I’ll leave it to Ron to explain how fast and easy it is to create these scripts, but it shows the potential of SEM and the LOGIIC approach in a more technically detailed and specific manner.  Hopefully at S4 it will lead to the attendees identifying additional meta events that can be scripted on the spot.

Ron also includes four additional suggestions for SCADA attack detection scripts and shows how the SCADA community can leverage the large libraries of existing Windows, malware, IDS and other scripts. 

Complete S4 Agenda

Register for Physical or Virtual Attendence at S4

Full Disclosure:  Tenable Network Security is a Digital Bond client.  Digital Bond developed SCADA plugins for Tenable’s Nessus Vulnerability Scanner.