Portaledge Release Package
From SCADApedia
Portaledge is a Digital Bond research project that aggregates security events from a variety of data sources on the control system network and then correlates the security events to identify cyber attacks. Portaledge leverages the aggregation and correlation capability of OSIsoft's PI server and its large installed base in the energy sector to provide this cyber detection capability in a system that many control system owner/operators already have deployed.
Release Schedule
The first beta release of Portaledge will take place on 13 January 2009. It will include the Availability Event Class aggregation, correlation and cyber event detection display capabilities for OSIsoft's PI Server. It may also include the Enumeration Event Class, but this will be determined in early January.
PI users will require the following OSIsoft software to use the Portaledge release:
- PI Server
- PI ACE
- PI SMT (System Management Tools)
- PI ProcessBook
- Microsoft Excel is also required to utilize the point, module and alias templates (planned)
- Other components as specified by each Event Class, for example, data collection interfaces
Portaledge is an ongoing research project and the schedule is subject to change.
Release Package Contents
The release package consists of a variety of components that are used by the PI server.
Alias Creator
The Alias Creator provides the method to aggregate security event information in the form of asset owner tags into the normalized tags that Portaledge will use to correlate data and detect attacks. This is the part of the project that will require the most work by the asset owner, but creating tags is something PI users are very used to doing.
The Alias Creator is provided as an Excel spreadsheet. The Alias Name is in one column and the Asset Owner Tag Name is in an adjacent column. Each row will include a description of the Asset Owner Tag that should be paired with the Alias Name. For example, an Alias Name could be CPU Utilization from the Windows performance monitor or Firewall Syslog from the firewall.
The completed spreadsheet is imported into the PI server, which then has the data, in the proper Alias Name format, on which it will run the Event, Event Class Event and Meta Event correlation rules.
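As an added illustration (not part of the Portaledge release package), the sketch below checks an Alias Creator sheet before import, since an Alias Name with no Asset Owner Tag leaves the correlation rules without data for that source. It assumes the sheet is saved as CSV with the column headers described above and that each Alias Name pairs with exactly one tag; the tag names, the extra alias names and the function name are constructed for the example.

```python
import csv
import io

# Constructed sample sheet. Headers follow the description above; tag names
# and the "Memory Utilization" / "Ping Response" aliases are invented.
SAMPLE_CSV = """Alias Name,Asset Owner Tag Name,Description
CPU Utilization,HMI01.PerfMon.CPU,CPU utilization from the Windows performance monitor
Firewall Syslog,FW01.Syslog,Syslog messages from the firewall
Memory Utilization,,Memory utilization from the Windows performance monitor
Firewall Syslog,FW02.Syslog,Syslog messages from the firewall
Ping Response,HMI01.PerfMon.CPU,Ping response time
"""


def check_alias_sheet(text):
    """Return (mapping, problems) for an Alias Creator sheet exported as CSV.

    mapping  : Alias Name -> Asset Owner Tag Name for rows that passed
    problems : list of (line number, message) for rows that need attention
    """
    mapping, tag_to_alias, problems = {}, {}, []
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        alias = (row.get("Alias Name") or "").strip()
        tag = (row.get("Asset Owner Tag Name") or "").strip()
        if not alias:
            problems.append((line, "missing alias name"))
        elif not tag:
            # Unfilled row: the normalized tag would carry no data.
            problems.append((line, f"alias '{alias}' has no asset owner tag"))
        elif mapping.get(alias, tag) != tag:
            # Assumption: one tag per alias, so a second tag is ambiguous.
            problems.append((line, f"alias '{alias}' already paired with '{mapping[alias]}'"))
        elif tag_to_alias.get(tag, alias) != alias:
            # Same owner tag under two aliases usually means a copy/paste slip.
            problems.append((line, f"tag '{tag}' already paired with alias '{tag_to_alias[tag]}'"))
        else:
            mapping[alias] = tag
            tag_to_alias[tag] = alias
    return mapping, problems


if __name__ == "__main__":
    ok, issues = check_alias_sheet(SAMPLE_CSV)
    for line, message in issues:
        print(f"line {line}: {message}")
    print(f"{len(ok)} aliases ready for import")
```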
ACE Modules
The Advanced Computing Engine (ACE) modules are where the correlation takes place. Each Event has at least one ACE module and may have multiple ACE modules if there are multiple Event Triggers; each Event Class Event has an ACE module; and there is an ACE module for Meta Events. Each Event Class will have a zip archive that will include all Event ACE modules in that Event Class and an Event Class Event ACE module.
Event Modules are imported into the PI server using the PI ACE Scheduler.
Process Book Displays
Once the Events, Event Class Events and Meta Events are identified by an ACE module, the name and chain are available in the PI Server. There are many ways to present this information, and creating displays, sending pages, and other methods of visualization and notification are regular control system activities for PI users.
One method of visualizing Portaledge Events, Event Class Events and Meta Events is populating a display page using OSIsoft's Process Book. Digital Bond may develop a number of Process Book display pages and other methods of tracking the security status of a control system as part of Portaledge and other projects. This is an interesting area of research. However, in the first release a simple Process Book display page will be included that will list the Events and Event Class Events in scrolling windows and may include some general security status indicators or trends.
Documentation
The documentation for Portaledge is located on the SCADApedia. In the future Digital Bond will gather the SCADApedia pages in a logical manner and provide PDF documentation files.
