Portaledge Part II - Getting Diverse Security Events Into PI
Part I covered identifying security events in a very diverse set of data sources. The next step is to get those security events into OSIsoft’s PI or other historian so we can aggregate and correlate to detect attacks. Fortunately this is an area where PI really shines through a wide variety of interfaces.
The most popular PI interface is the OPC interface. Think of this as the universal translator. If a control system device can send data to an OPC server or a gateway device that converts an obscure protocol to an OPC server, then PI’s OPC interface can get the security events into PI.
However, this universal translator is often not necessary since there are hundreds of PI interface nodes. There are interfaces for SCADA and DCS systems: Bailey, Emerson, Foxboro, GE, Honeywell, … There are interfaces for field devices: Modicon, Allen Bradley, Siemens, … There are interfaces for protocols: Modbus, DNP3, ICCP, … There are a lot of classic control system interfaces to get data from almost any control system device to the PI server. The only thing we haven’t found that we wanted so far is an easy way to get IEC 61850 events into PI, but even that seems to be possible by mapping them to DNP3 and using that interface.
There is also a set of more ‘IT’ interfaces that we can use to get firewall, router, server or other IT component security events into PI. There are SNMP, Syslog, Netflow [and another interface that creates Netflow-like data from a span port], a variety of database interfaces, PERFMON, …
So the good news for Portaledge is that if we can identify the security events anywhere in the control system, we should be able to get them into PI via an interface node.
Next: Tags and Tag Creation Templates
Author: Dale Peterson
Posted: March 18th, 2008 under Portaledge.