Portaledge is a Digital Bond research project that aggregates security events from a variety of data sources on the control system network and then correlates those events to identify cyber attacks. Portaledge leverages the aggregation and correlation capabilities of OSIsoft’s PI Server, and the server’s large installed base in the energy sector, to provide this detection capability in a system many industrial control system (ICS) owner/operators have already deployed.
On March 15th Digital Bond released the CIP-5 Monitoring Modules for Cisco and Juniper firewalls. These modules alert on security events at the electronic security perimeter (ESP), store the firewall logs to meet the CIP logging requirement, and preserve them as forensic evidence.
Events are logged in most ICS components.
- SCADA and DCS applications such as real-time servers, historians, HMI and engineering workstations
- Supporting ICS applications such as OPC server and ICCP server applications
- Workstation and server operating systems
- IT applications used by a control system component such as database or web server
- PLCs, RTUs and other field devices, although the information they log is very limited
- Security systems such as firewalls, honeynets or IDS/IPS
- Infrastructure equipment such as routers and switches
Some logged events are specifically categorized as security events and are easy to identify. Other events are not labeled as security events, but they can still provide evidence of an attack. For example, a firmware change or file modification on a PLC is not strictly speaking a security event, but it could be the end goal of an attacker. Adding a new user to a SCADA application is typically not listed as a security event either, but it is one possible goal of an attacker.
One of the first steps of Portaledge is to identify data sources and the log events in those data sources that could provide useful attack detection information.
The security events from multiple data sources must be gathered, or aggregated, into one system both for storage and for attack detection correlation. OSIsoft has spent decades developing interfaces that pull data from a wide range of data sources into the PI Server. There are hundreds of PI interfaces, and to date Digital Bond has not found any security event data that could not be aggregated in the PI Server.
PI interfaces are often loaded on a dedicated computer, although it is common for multiple interfaces to be on a single PC. Each PI interface has a different method for acquiring data from the data source, but they all forward data to the PI Server on TCP 5450 using a proprietary OSIsoft protocol. The interfaces can be grouped in categories similar to the components described in the Security Events section.
- OPC Interface – The OPC Interface is the most frequently used PI interface, primarily because OPC has become a de facto common language that most control system applications and devices support.
- IT Monitor Interfaces – This is a set of interfaces used to get most non-control system data sources, the traditional IT data sources, into PI servers. Some examples of IT Monitor Interfaces include a Syslog Interface, IP Flow Interface, SNMP Interface, and Windows Event Log Interface.
- Control System Application Interfaces – OSIsoft has developed interfaces for most SCADA and DCS applications such as Bailey, ESCA, Foxboro, SNC, Telegyr and many more.
- Field Device Interfaces – While most field device data is sent via OPC, there are interfaces for Allen Bradley, GE, Siemens and other field devices.
- Control System Protocol Interfaces – OSIsoft has interfaces that can pull data directly from DNP3, ICCP, Modbus, OPC and other servers.
PI tags are set up for the security events in each PI Interface. The security events collected from a data source are written to those tags and sent to the PI Server.
Once the security events from a variety of data sources are in the PI Server, they can be analyzed together to detect cyber attacks, the end goal of the attack, and the criticality of the attack. This is done with the PI Advanced Computing Engine (ACE). The ACE capability is used today by asset owners to calculate and track key performance indicators, preventive maintenance measures and other complex, multi-tag based values. The Portaledge project will use ACE to correlate security events from multiple sources to detect cyber attacks.
The correlation can be simple or complex. A simple rule: if certain events are seen in a firewall, IDS sensor, Windows event log and SCADA application log within one minute, log a specific meta event and send out alerts and alarms. Complexity can be added by requiring the events to occur in a particular order, or by requiring an event to appear more than a certain number of times in a specific time period. For example: a firewall log shows an IP address blocked by the ruleset ten or more times in one minute, followed by the same IP passing through the firewall, followed by an IDS alert with the same source address, followed by … The ruleset is limited only by the programmer’s knowledge and imagination.
ACE calculations are generated by creating ACE modules. The ACE modules are programmed in Visual Basic using the available tags in a PI Server. Essentially any combination or sequence of events one can think of can easily be programmed into an ACE module and calculated by PI.
Portaledge Event Taxonomy
Digital Bond has taken a composite approach to build a hierarchical set of events. This is defined on the Portaledge Event Taxonomy page.
There are four levels to this hierarchy:
- Trigger – an individual point or piece of information from a data source
- Event – an item created when one or more triggers occur with a commonality
- Event Class Event – an item created when one or more events in an event class occur with a commonality
- Meta Event – an item created when two or more event class events from different event classes occur with a commonality
The commonalities will vary by event / event class / meta event. Examples of commonalities are time, source IP address and destination IP address.
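The sequence rule described above (repeated firewall blocks from one IP, then the same IP passing the firewall, then an IDS alert with that source address) walks through all four levels of the taxonomy just defined: raw log records are triggers, the threshold and "denied-then-permitted" rules produce events, same-class events sharing a source IP become an event class event, and event class events from different classes sharing that IP become a meta event. The following Python is an added illustration of that correlation logic, not Portaledge or ACE code (ACE modules are written in Visual Basic against PI tags); the data source names, record kinds, time window, threshold and sample records are all constructed assumptions.

```python
"""Added example (not Portaledge/ACE code): a small trigger -> event ->
event class event -> meta event correlator that uses source IP and a time
window as the commonalities. Class names, rule names, the 60 s window and
the sample records below are assumptions for illustration only."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # commonality in time (assumed value)
DENY_THRESHOLD = 10              # the text's "ten or more times in one minute"


@dataclass(frozen=True)
class Trigger:
    """Level 1: one raw record from a data source."""
    ts: datetime
    event_class: str   # data source category, e.g. "firewall" or "ids"
    kind: str          # record type within that source, e.g. "deny"
    src_ip: str        # the commonality we correlate on


@dataclass(frozen=True)
class Event:
    """Used for levels 2-4; `event_class` is "meta" at level 4."""
    ts: datetime
    event_class: str
    name: str
    src_ip: str


def events_from_triggers(triggers):
    """Level 2: triggers sharing src_ip inside WINDOW become events.
    Rules (assumed, modelled on the text):
      firewall/scan   - DENY_THRESHOLD or more denies from one src_ip in WINDOW
      firewall/passed - a permit from a src_ip that was denied within WINDOW
      ids/alert       - any IDS alert is an event on its own
    """
    events, denies_by_ip = [], defaultdict(list)
    for t in sorted(triggers, key=lambda t: t.ts):
        if t.event_class == "firewall" and t.kind == "deny":
            recent = [ts for ts in denies_by_ip[t.src_ip] if t.ts - ts <= WINDOW]
            recent.append(t.ts)
            denies_by_ip[t.src_ip] = recent
            if len(recent) == DENY_THRESHOLD:       # fire once, when crossed
                events.append(Event(t.ts, "firewall", "scan", t.src_ip))
        elif t.event_class == "firewall" and t.kind == "permit":
            if any(t.ts - ts <= WINDOW for ts in denies_by_ip[t.src_ip]):
                events.append(Event(t.ts, "firewall", "passed", t.src_ip))
        elif t.event_class == "ids" and t.kind == "alert":
            events.append(Event(t.ts, "ids", "alert", t.src_ip))
    return events


def class_events(events):
    """Level 3: events of one class sharing src_ip inside WINDOW become one
    event class event, timestamped at the latest member."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        groups[(e.event_class, e.src_ip)].append(e)
    out = []
    for (cls, ip), members in groups.items():
        last = members[-1].ts
        names = [m.name for m in members if last - m.ts <= WINDOW]
        out.append(Event(last, cls, "+".join(names), ip))
    return out


def meta_events(class_evts):
    """Level 4: event class events from two or more different classes that
    share src_ip inside WINDOW become a meta event."""
    by_ip = defaultdict(list)
    for ce in class_evts:
        by_ip[ce.src_ip].append(ce)
    metas = []
    for ip, ces in by_ip.items():
        ces.sort(key=lambda c: c.ts)
        last = ces[-1].ts
        classes = sorted({c.event_class for c in ces if last - c.ts <= WINDOW})
        if len(classes) >= 2:
            metas.append(Event(last, "meta", "+".join(classes), ip))
    return metas


def correlate(triggers):
    """Run all three derivation steps; returns (events, class events, metas)."""
    evts = events_from_triggers(triggers)
    cls = class_events(evts)
    return evts, cls, meta_events(cls)


def sample_triggers():
    """Constructed sample, not captured data: ten denies, a later permit and
    an IDS alert from 10.1.2.3, plus three harmless denies from 10.9.9.9."""
    t0 = datetime(2011, 3, 15, 10, 0, 0)
    trig = [Trigger(t0 + timedelta(seconds=i), "firewall", "deny", "10.1.2.3")
            for i in range(10)]
    trig += [Trigger(t0 + timedelta(seconds=i), "firewall", "deny", "10.9.9.9")
             for i in range(3)]
    trig.append(Trigger(t0 + timedelta(seconds=30), "firewall", "permit", "10.1.2.3"))
    trig.append(Trigger(t0 + timedelta(seconds=45), "ids", "alert", "10.1.2.3"))
    return trig


if __name__ == "__main__":
    for level, items in zip(("events", "class events", "meta events"),
                            correlate(sample_triggers())):
        print(level, [(e.event_class, e.name, e.src_ip) for e in items])
```

Running the sample yields one meta event, `firewall+ids` for 10.1.2.3; the three denies from 10.9.9.9 never reach the threshold and produce nothing at any level. Dropping the IDS alert leaves only the firewall event class event, so no meta event fires, which is the "two or more event classes" condition from the taxonomy.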
Alarms and Alerts
Once the PI Server has identified an Event, Event Class Event or Meta Event, it is important that the appropriate people be notified in a timely manner according to its criticality. The PI Server supports a wide variety of notification methods, and most asset owners already use them. Digital Bond expects asset owners to choose the appropriate notification method; notifications are outside the scope of Portaledge.
Digital Bond has a simple Datalink Display as an example, and visualization is likely to be a major goal of the next phase of the Portaledge project.
Schedule and Deliverables
Portaledge is part of a four-year project running from October 2007 to September 2011, although there was a one-year gap in funding. To date Digital Bond has released an Availability Event Class, an Enumeration Event Class and the CIP-5 Monitoring Module. A CIP-7 Monitoring Module will be released in the summer of 2011.
The release packages and a great deal of information on the modules are available in the pages linked below.