Cyber Security Audit and Attack Detection Toolkit
From SCADApedia
The Cyber Security Audit and Attack Detection Toolkit is a Digital Bond research project funded by the Department of Energy. The goal is to prevent and detect attacks on control systems by integrating control system intelligence into security products and security intelligence into control system applications. The Bandolier and Portaledge projects comprise the Toolkit.
Objective 1: Identify Vulnerable Configurations in Control System Devices and Applications
Digital Bond's Bandolier Project extends Nessus and other popular vulnerability scanning tools to test the security configuration of SCADA, DCS and EMS application components, such as HMI, Historians and Realtime Servers, in a safe manner. The Digital Bond team works with the application vendor and asset owners to identify the most secure configuration possible for the application component. This configuration is captured in an audit file that can be used by vulnerability scanner compliance and audit engines.
The Bandolier audit templates are a safe and efficient way to verify that a secure configuration is in place at deployment and has not degraded over time. In addition to playing an important role in a control system security program, meeting this objective will also help asset owners achieve and audit compliance with NERC CIP-005 and CIP-007.
Objective 2: Identify Attacks from Data in PI Server and Other Historians
OSIsoft's PI Server is widely deployed in electric and oil/gas control systems in the United States, with market penetration exceeding 50%. PI aggregates control system data from a wide variety of data sources, such as SCADA and DCS applications, PLCs, firewalls, and operating system logs, using hundreds of PI interfaces. The PI Server correlates the data to track Key Performance Indicators (KPIs) and identify maintenance issues.
Digital Bond's Portaledge Project uses PI's existing features to aggregate and correlate security events to detect cyber attacks. PI will, in effect, become a control system Security Event Manager (SEM). Since a large part of the energy sector has already deployed PI, there is no need to purchase and deploy an expensive IT Security SEM.
The results from Portaledge will be generalized in a set of meta events that are likely to be found in a Historian, and this generalized model will be applied to the custom historian developed by one of the project partners as a proof of concept.
Objective 3: Integrate PI SCADA SEM events with Enterprise SEM
Many participants in the energy sector have deployed SEMs to analyze security information across the enterprise. However, SEMs have minimal intelligence to understand SCADA, DCS and EMS events. Objective 3 will take the meta events identified in Portaledge and send them to enterprise SEMs. An integration toolkit will be developed that will make it easy for SEM vendors and MSSPs to import the Portaledge events and understand what those events mean.
The result will be a tiered SEM process that supports the boundary between control networks (PI and other historians acting as a control system SEM) and the enterprise (IT Security SEM with input from correlated control system SEM events).
