Portaledge: Availability Event Class
I am currently working on the Availability Event Class for the Portaledge project. This event class will measure the performance of computer systems, network devices and control system devices on a network. The modules will then alert the user if the performance of either a system or device reaches a threshold or degrades over time. The modules will also determine if a system is simply up and can be used to monitor failover. Alerts in the System Availability Event Class could be an indication that hardware is failing, that there is an increased load on the system due to a control system event (especially if the PI server is seeing more traffic than is normal) or that an attacker is using this machine.
The module I have been working on most recently is what we are calling the Computer System Availability Event. This event will monitor the following triggers: CPU usage, memory usage, hard disk space, network bandwidth, network latency. Currently, this is done with the Windows Performance Monitor interface and the Ping interface for PI. A similar version should be available for Linux/Unix systems using the SNMP Interface. This module checks to see if system resources have reached a threshold (e.g. the CPU usage is above 90% for more than 5 minutes) and will notify the control system administrator. We will be adding similar events for network switches, firewalls and field devices using the SNMP interface or the field device interface.
There are a few other events we have thought of for the Availability Event Class. One of the other events in this class is a Performance Degradation Event that uses the same triggers as the Computer System Availability Event but compares the system's current performance against its performance during the previous day. If the system is under a significantly higher load, an alert is triggered. Other events that we are looking into for this event class include a simple system up versus down event and a failover event. The failover event will look at systems that are set up in a redundant pair and monitor when a failover happens, how often it occurs and which system is being used the most.
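To make the two checks above concrete, here is an added example (illustration only, not Portaledge code or the PI interfaces themselves) of the detection logic for both the Computer System Availability Event (a counter past a limit for a sustained number of minutes, e.g. CPU above 90% for 5 minutes) and the Performance Degradation Event (today's mean load compared with yesterday's). The host name, the counter values, the memory and disk limits and the 1.5x degradation factor are all assumed values constructed for the example; a real deployment would pull the samples from the performance-counter or SNMP interface.

```python
"""Threshold and day-over-day degradation checks for host performance counters.
Added illustration; not Portaledge code. The counter values, threshold numbers
and the 1.5x degradation factor are assumed for the example."""
from datetime import datetime, timedelta
from statistics import mean


def sustained_breach_alerts(samples, limit, min_minutes, above=True):
    """Return [(run_start, fired_at)] for each run of samples that stays past
    `limit` (above it, or below it when above=False) for at least min_minutes.
    One alert per run: it fires when the duration is first reached and is then
    suppressed until the counter recovers, so a flapping counter does not spam."""
    alerts = []
    run_start, fired = None, False
    for ts, value in samples:
        breaching = value > limit if above else value < limit
        if breaching:
            if run_start is None:
                run_start, fired = ts, False
            if not fired and ts - run_start >= timedelta(minutes=min_minutes):
                alerts.append((run_start, ts))
                fired = True
        else:
            run_start, fired = None, False
    return alerts


def degradation_ratio(today, yesterday):
    """Mean of today's samples divided by the mean of yesterday's.
    A zero baseline with load today is reported as infinite degradation."""
    t, y = mean(v for _, v in today), mean(v for _, v in yesterday)
    if y == 0:
        return float("inf") if t > 0 else 1.0
    return t / y


# Assumed per-counter rules: (limit, sustained minutes, alert when above?)
RULES = {
    "cpu_percent": (90, 5, True),
    "memory_percent": (85, 5, True),
    "disk_free_percent": (10, 1, False),   # free space *below* 10%
}
DEGRADATION_FACTOR = 1.5   # assumed: 50% more load than yesterday triggers


def evaluate_host(host, today, yesterday):
    """today/yesterday: {counter: [(datetime, value), ...]}. Returns alert strings."""
    alerts = []
    for counter, (limit, minutes, above) in RULES.items():
        if counter not in today:
            continue
        for start, fired_at in sustained_breach_alerts(today[counter], limit, minutes, above):
            alerts.append(f"{host}: {counter} {'>' if above else '<'} {limit} "
                          f"since {start:%H:%M}, sustained {minutes} min at {fired_at:%H:%M}")
        if counter in yesterday:
            ratio = degradation_ratio(today[counter], yesterday[counter])
            if ratio >= DEGRADATION_FACTOR:
                alerts.append(f"{host}: {counter} load is {ratio:.2f}x yesterday's")
    return alerts


def series(day, values):
    """Constructed one-minute samples starting at 08:00 on `day`."""
    return [(day + timedelta(minutes=i), v) for i, v in enumerate(values)]


# Constructed sample data (hypothetical host, not real PI data)
TODAY = datetime(2008, 9, 18, 8, 0)
YESTERDAY = TODAY - timedelta(days=1)
# a 3-minute spike that should NOT alert, then an 8-minute plateau that should
CPU_TODAY = [40, 40, 40, 95, 95, 95, 50] + [96] * 8 + [30] * 5
SAMPLE_TODAY = {
    "cpu_percent": series(TODAY, CPU_TODAY),
    "disk_free_percent": series(TODAY, [12, 11, 9, 8, 8, 15]),
}
SAMPLE_YESTERDAY = {"cpu_percent": series(YESTERDAY, [40] * 20)}


def demo():
    return evaluate_host("pi-server-01", SAMPLE_TODAY, SAMPLE_YESTERDAY)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` on the constructed data yields three alerts: the sustained CPU plateau (the earlier three-minute spike is ignored because it never reaches the five-minute requirement), the day-over-day CPU degradation (about 1.72x yesterday's mean), and the low free disk space. Note that the degradation check only makes sense when the previous day is a normal baseline; a maintenance window or a patch run on the baseline day will mask real load increases the next day.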
We had the opportunity to see a demo with an electric utility asset owner that had implemented similar availability detection measures in the PI server, and they raved about the visibility it provided and the problems it identified. Interestingly, they did not really think of it as a security module. Based on our experience, interviews with participants and this demo, we believe the Availability Event Class module will be one of the most frequently deployed modules in Portaledge.
Remember that asset owners will be able to select what Event Class modules to deploy, and Portaledge will also generate Meta Events when multiple Event Class events occur. For example, an attack may trigger availability, reconnaissance, enumeration and exploit event class events. The Portaledge trigger > event > event class > meta event taxonomy is explained in the SCADApedia.
If you have suggestions for other Availability Event Class events, please post them in the comments or email them to us.
Author: Charles Perine
Posted: September 18th, 2008 under Portaledge.