Portaledge
From SCADApedia
Portaledge is a Digital Bond research project that aggregates security events from a variety of data sources on the control system network and then correlates the security events to identify cyber attacks. Portaledge leverages the aggregation and correlation capability of OSIsoft's PI server, and its large installed base in the energy sector to provide this cyber detection capability in a system many control system owner / operators already have deployed.
Portaledge is funded by the Department of Energy (DOE) and is Objective 2 of a larger effort known as the Cyber Security Audit and Attack Detection Toolkit.
Security Events
Events are logged by most components of a control system:
- SCADA and DCS applications such as realtime servers, historians, HMI and engineering workstations.
- Supporting control system applications such as OPC server and ICCP server applications
- Workstation and Server operating systems
- IT applications used by a control system component such as database or web server
- PLCs, RTUs and other field devices, or a PLC log generation application such as Quickdraw
- Security systems such as firewalls, honeynets or IDS
- Infrastructure equipment such as routers and switches
Some logged events are specifically categorized as security events and are easy to identify. Other events are not labeled as security events but could still provide evidence of an attack. For example, a firmware change or a file modification on a PLC is not, strictly speaking, a security event, but it could be the end goal of an attacker. Likewise, adding a new user to a SCADA application is typically not listed as a security event, but it is one possible goal of an attacker.
One of the first steps of Portaledge is to identify data sources and the log events in those data sources that could provide useful attack detection information.
Aggregation
The security events from multiple data sources must be gathered, or aggregated, into one system both for storage and for attack detection correlation. OSIsoft has spent decades developing interfaces that aggregate data from a wide range of data sources into the PI Server. There are hundreds of PI interfaces, and to date Digital Bond has not found any security event data that could not be aggregated in the PI Server.
PI interfaces are often loaded on a dedicated computer, although it is common for multiple interfaces to run on a single PC. Each PI interface has a different method for acquiring data from its data source, but they all forward data to the PI Server on TCP 5450 using a proprietary OSIsoft protocol. The interfaces can be grouped in categories similar to the components described in the Security Events section.
- OPC Interface - The OPC Interface is the most frequently used PI interface, primarily because OPC has become a de facto universal language that most control system applications and devices support.
- IT Monitor Interfaces - This is a set of interfaces used to get most non-control system data sources, the traditional IT data sources, into PI servers. Some examples of IT Monitor Interfaces include a Syslog Interface, IP Flow Interface, SNMP Interface, and Windows Event Log Interface.
- Control System Application Interfaces - OSIsoft has developed interfaces for most SCADA and DCS applications such as Bailey, ESCA, Foxboro, SNC, Telegyr and many more.
- Field Device Interfaces - While most field device data is sent via OPC, there are interfaces for Allen Bradley, GE, Siemens and other field devices.
- Control System Protocol Interfaces - OSIsoft has interfaces that can pull data directly from DNP3, ICCP, Modbus, OPC and other servers.
Tags and points are set up for the security events in each PI interface. The security events collected from the data sources are placed in those tags and sent to the PI Server.
Correlation
Once the security events from a variety of data sources are in the PI Server, they can be analyzed together to detect cyber attacks, the end goal of the attack, and the criticality of the attack. This is done with the PI Advanced Computing Engine (ACE). The ACE capability is used today by asset owners to calculate and track key performance indicators, preventive maintenance measures and other complex, multi-tag based values. The Portaledge project will use ACE to correlate security events from multiple sources to identify meta events.
The correlation can be simple or complex. For example: if certain events are seen in a firewall, IDS sensor, Windows event log and SCADA application log within one minute, log a specific meta event and send out alerts and alarms. Complexity can be added by requiring that the events occur in a sequential order, or that an event appear more than a certain number of times in a specific time period. For example, if a firewall log shows an IP address blocked by the ruleset ten or more times in one minute, followed by the same IP passing through the firewall, followed by an IDS alert with the same source address, followed by ... The ruleset is limited only by the programmer's knowledge and imagination.
ACE calculations are generated by creating ACE templates. The ACE templates are programmed in Visual Basic using the available tags in a PI Server. Essentially any combination or sequence of events one can think of can easily be programmed into an ACE template and calculated by PI.
Portaledge Event Taxonomy
Digital Bond has taken a composite approach to build a hierarchical set of events. This is defined in a Portaledge Event Taxonomy.
There are four levels to this hierarchy:
- Trigger - an individual point or piece of information from a data source
- Event - an item created when one or more triggers occur with a commonality
- Event Class Event - an item created when one or more events in an event class occur with a commonality
- Meta Event - an item created when two or more Event Class Events from different Event Classes occur with a commonality
The commonalities will vary by event, event class and meta event. Examples of commonalities are time, source IP address and destination IP address.
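The four-level hierarchy above, applied to the firewall / IDS sequence from the Correlation section, as an added example that is not Portaledge, Digital Bond or OSIsoft code. ACE templates are written in Visual Basic against PI tags; the example below is Python so it runs stand-alone. The log line format, the source names (`firewall`, `ids`), the event names, the ten-blocks-in-one-minute threshold and the sample records are all constructed for this example, and source IP address plus time is the only commonality used.

```python
"""Added example: a tiny Portaledge-style correlator walking
Trigger -> Event -> Event Class Event -> Meta Event over constructed log records."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed records standing in for triggers already collected into PI tags.
# Format "<iso-timestamp> <source> <kind> src=<ip>" is an assumption of this example.
SAMPLE_LINES = (
    # ten firewall blocks from one host within 19 seconds
    [f"2009-01-13T10:00:{s:02d} firewall BLOCK src=10.1.1.5" for s in range(1, 20, 2)]
    + ["2009-01-13T10:00:25 firewall PASS src=10.1.1.5",   # same host then passes the firewall
       "2009-01-13T10:00:40 ids ALERT src=10.1.1.5",       # followed by an IDS alert for it
       "2009-01-13T10:01:00 firewall BLOCK src=10.1.1.9",  # a second host: one block only,
       "2009-01-13T10:01:30 ids ALERT src=10.1.1.9"]       # so no burst and no meta event
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) src=(\S+)$")


@dataclass(frozen=True)
class Item:
    """One node in the hierarchy: trigger, event, class_event or meta_event."""
    level: str
    event_class: str   # data source / event class ("firewall", "ids") or "multi"
    name: str
    src_ip: str        # the commonality used at every level of this example
    start: datetime
    end: datetime
    count: int = 1     # number of triggers folded into this item


def parse_triggers(lines):
    """Level 1: every well-formed record becomes one trigger."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the whole run
        ts = datetime.fromisoformat(m.group(1))
        out.append(Item("trigger", m.group(2), m.group(3), m.group(4), ts, ts))
    return sorted(out, key=lambda t: t.start)


def burst_events(triggers, event_class, kind, threshold, window):
    """Level 2: an event when >= threshold triggers of one kind share a src_ip
    inside `window`. threshold=1 simply promotes each trigger to an event."""
    by_ip = defaultdict(list)
    for t in triggers:
        if t.event_class == event_class and t.name == kind:
            by_ip[t.src_ip].append(t)
    events = []
    for ip, ts_list in by_ip.items():
        for i in range(len(ts_list)):          # sliding window over time-sorted triggers
            j = i + threshold - 1
            if j < len(ts_list) and ts_list[j].start - ts_list[i].start <= window:
                events.append(Item("event", event_class, f"{kind}_burst", ip,
                                   ts_list[i].start, ts_list[j].start, threshold))
                break                          # one event per IP is enough here
    return events


def sequence(first, second, name, level, event_class, window):
    """Combine two item lists: an item of `second` must follow an item of `first`
    from the same src_ip within `window`. Used for level 3 (events within one
    event class) and level 4 (class events across different event classes)."""
    out = []
    for a in first:
        for b in second:
            if a.src_ip == b.src_ip and a.end <= b.start <= a.end + window:
                out.append(Item(level, event_class, name, a.src_ip,
                                a.start, b.end, a.count + b.count))
    return out


def correlate(lines):
    """Run the full hierarchy and return the meta events found."""
    triggers = parse_triggers(lines)
    minute = timedelta(minutes=1)
    # Level 2: events
    blocked = burst_events(triggers, "firewall", "BLOCK", threshold=10, window=minute)
    passed = burst_events(triggers, "firewall", "PASS", threshold=1, window=minute)
    alerts = burst_events(triggers, "ids", "ALERT", threshold=1, window=minute)
    # Level 3: event class events (commonality inside one event class)
    fw_class = sequence(blocked, passed, "blocked_then_passed", "class_event", "firewall", minute)
    ids_class = [Item("class_event", "ids", "alert", e.src_ip, e.start, e.end, e.count)
                 for e in alerts]
    # Level 4: meta event across two event classes
    return sequence(fw_class, ids_class, "fw_evasion_then_ids_alert", "meta_event", "multi", minute)


if __name__ == "__main__":
    for m in correlate(SAMPLE_LINES):
        print(f"{m.level}: {m.name} src={m.src_ip} "
              f"{m.start:%H:%M:%S}-{m.end:%H:%M:%S} ({m.count} triggers)")
```

Only 10.1.1.5 produces a meta event: it reaches the block threshold, then passes, then trips the IDS, all within the one-minute windows. 10.1.1.9 never gets past level 2, which is the point of the hierarchy: a single blocked connection or a lone IDS alert is noise on its own, and the sequence across event classes is what carries the alarm.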
Alarms and Alerts
Once the PI Server has identified a meta event, it is important that the appropriate people be notified in a timely manner according to the meta event's criticality. The PI Server supports a wide variety of notification methods, and these notifications are already in use by most asset owners. Digital Bond expects asset owners to determine the appropriate method of notification, so notifications are outside the scope of Portaledge.
Digital Bond is considering developing a sample Cyber Security Dashboard or Display for OSIsoft's ProcessBook, which many asset owners use.
Schedule and Deliverables
Portaledge is part of a two-year project running from October 2007 to September 2009.
The first beta release is scheduled for January 13th. See the Portaledge Release Package page for more detail.
See Also
Cyber Security Audit and Attack Detection Toolkit
PI System as SEM for IEC 61850 Security Events
