SCADApedia
AAA  AAA 

Portaledge Event Taxonomy - New Approach

Portaledge is a Digital Bond research project that uses OSIsoft’s PI server to aggregate security events, correlate these events, and detect cyber security attacks. It is funded by the Department of Energy.

We have a major shift in our approach to this project. The initial approach was to generate meta events through a series of expert systems approaches. It was a two-tiered taxonomy with events and meta events. This approach was working, but we didn’t feel it was getting the coverage we had hoped for. So we have moved to a composite approach that is discussed in detail in SCADApedia Portaledge Event Taxonomy pages.

In brief, the new, hierarchical composite approach is:

  • Triggers - are individual instances of security information from a data source.
  • Event - an Event is created when one or more triggers for that Event are seen in the PI server. Each Event has a corresponding event chain of the triggers with a commonality that caused the event to be created. Each Event also belongs to an Event Class, such as Availability, Communication or Reconnaissance.
  • Event Class Events - an Event Class Event is generated when one or more events in an Event Class, and with a commonality, occur. The chain of Events related to the Event Class Event is also captured.
  • Meta Events - A Meta Event is generated when two or more Event Class Events with a commonality are identified. For example, a Reconnaissance and Exploitation Event Class Event with the same source IP address. Meta Events do not have names. Instead the chain of Event Class Events defines the Meta Event.

    • Each Event, Event Class Event and Meta Event will have its own correlation rules based on appropriate commonalities. A time period is an example of a simple commonality. Source IP is another example.

    Other advantage of this approach is interim results and selective event class deployment. For example, our initial efforts are on the Availability, Reconnaissance and Enumeration Event Classes, and we will be able to issue those as separate ACE templates.

    Asset owners will be able to implement one or all of the Event Classes. For example, we believe the Availability Event Class will be very popular in this control system space. So an asset owner with PI could download and implement just the Availability class and use PI to identify when workstations, servers, routers/switches, PLC’s, etc. performance is degraded.

    This approach also raises the issue of confidence in any identified attack. The length of chains is a crude measure of confidence, and we will be considering more sophisticated and accurate methods. The confidence measure could include the variety of data sources and Event / Event Class Events in the chain. The confidence measure could be based on Events and Event Class Events that themselves have differing levels of confidence. It is an interesting work in progress.

    Next week will blog in more detail on the Availability Event Class to illustrate the Event Taxonomy and also highlight what will be the first part of Portaledge that will be released.

    Author: Dale Peterson
    Posted: September 11th, 2008 under Portaledge.
    Comments: none

    Write a comment