Archive for 'Portaledge'
Dept of Energy Peer Review
Last week I attended, presented and tweeted at the Dept of Energy Cybersecurity For Energy Delivery Systems Peer Review. The idea is DoE funds all these research projects, and they would like a group of owner operators and other industry gurus to help determine if the projects will help secure the energy sector’s critical control [...]
Author: Dale Peterson
Posted: July 26th, 2010 under Bandolier, Dept. of Energy, Portaledge.
Comments: none
DOE Site Visit
Last week I went to Pacific Northwest National Laboratory to assist them with Portaledge. The Department of Energy thought it would be a good idea to include Portaledge output in PNNL’s National SCADA Test Bed Real-Time Security State Visualization Project; I hope they find a good acronym or project name for that. When I arrived [...]
Author: Charles Perine
Posted: June 17th, 2010 under Dept. of Energy, Portaledge.
Comments: none
Getting Technical
This week’s blog post is going to be somewhat of a “geeking out” entry as I get into some of the details and performance issues associated with the design and implementation of bringing the syslog events into Portaledge. It will be somewhat trending towards geek speak, so consider yourself forewarned.
While studying to be a good little [...]
Author: Kevin Lackey
Posted: May 12th, 2010 under Portaledge.
Comments: none
Portaledge IDS integration
In integrating IDS events into Portaledge one question becomes paramount. Namely: “Which events do we include?” As Portaledge will perform correlation and aggregation on all of the events “fed” to it, choosing a set of events that provides critical network information without overwhelming the administrator is important.
To include every IDS event, especially on an [...]
Author: Kevin Lackey
Posted: April 29th, 2010 under Portaledge.
Comments: none
Security Center 4
On Monday Tenable Security released Security Center 4. The update includes a number of new features including user tracking, database activity monitoring, anomaly detection and forensics. The new release includes improved integration with the Nessus vulnerability scanner, the Log Correlation Engine and the Passive Vulnerability scanner.
The database activity monitor uses [...]
Author: Charles Perine
Posted: April 29th, 2010 under Big Picture, Portaledge.
Comments: none
Using Quickdraw, Portaledge, and Bandolier to Remediate an Attack
If a control system is hacked and there are no mechanisms in place to forensically trace the attack, you have no idea how the attack occurred and no clues on what to do to close/remediate the attack pathway. This lack of forensics leaves the system open and vulnerable to the repetition of the exact same [...]
Author: Kevin Lackey
Posted: April 22nd, 2010 under Portaledge, Quickdraw.
Comments: none
Portaledge: Moving Forward
Charles and I have generated a set of functions, scripts and documents for producing normalized Security Event Monitor (SEM) output and integrating the output with SEMs. Our target for this release was Tenable’s Security Center but the concepts and output will be similar for most SEMs. For more information see the Portaledge SEM Integration page on Digital [...]
Author: Kevin Lackey
Posted: March 25th, 2010 under Portaledge.
Comments: none
Portaledge and Tenable’s Security Center
Last week I introduced our normalized output for enterprise SEMs. Once we created this new format, we had to get the output from Portaledge to Tenable’s Security Center.
Portaledge runs within OSIsoft’s PI Advanced Computing Engine (ACE) and generates the normalized logs on the system that executes the ACE modules. Tenable has a log correlation client [...]
Author: Charles Perine
Posted: March 18th, 2010 under Portaledge.
Comments: 1
Portaledge and SEM Integration
For the past two weeks we have been working on integrating Portaledge with enterprise SEMs. We added an outputSEM function in all of the Portaledge modules that writes normalized output to a file. The outputSEM function is designed to be easy to alter if an enterprise SEM does not have a method of interpreting log [...]
Author: Charles Perine
Posted: March 12th, 2010 under Portaledge.
Comments: 2
Portaledge and Security Event Managers Part 2
Two weeks ago I brought up the topic of sending data from control networks to a Security Event Manager (SEM) on the enterprise network. This week I would like to discuss reasons why you would want to send security data from the control network to the enterprise network.
One of the more obvious reasons to send [...]
Author: Charles Perine
Posted: February 26th, 2010 under Big Picture, Portaledge.
Comments: none