Quickdraw
From SCADApedia
Quickdraw is the project name for Digital Bond's PLC Passive Security Log Generator. This project is funded by a research contract from the U.S. Department of Homeland Security (DHS). Quickdraw is an application that sits passively on the network, captures data sent to and from a PLC, and creates the security events that a PLC or other field device would ideally log.
PLC Logging Problem
Security events in any device, operating system or application are very helpful for detecting cyber attacks and for post-incident investigation. Unfortunately PLCs, RTUs and other field devices traditionally have little or no security event logging. Even current, high-end PLCs or PACs have minimal security event logging. Since the lifetime of field devices is often measured in decades rather than years, this security event log deficiency is going to be around for a long time.
Quickdraw Approach
Quickdraw passively monitors and collects network traffic to and from a field device. It analyzes multi-packet communication to identify security events that would ideally be logged by a field device.
Quickdraw then extracts the appropriate parameters from the packets and constructs a security event. This security event can then be sent to a log server, historian, security event manager or any other aggregation or correlation server. Quickdraw security events will be aggregated and correlated in a PI server as part of the Portaledge project.
Consider a failed login event as an example. Quickdraw will identify the login request packet and extract the userID, date/time, and IP address. Quickdraw will then identify the corresponding login response packet and determine whether the login failed and, if the protocol provides it, the reason for the failure. With the event triggered and its parameters extracted, Quickdraw then creates a failed login event.
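The request/response correlation described above, written out as an added example (not Quickdraw's own code): it keeps outstanding login requests keyed by client/device address pair, pairs each device response with its request, and emits the event a field device would ideally have logged. The Packet record, its field names and the sample capture are constructed for illustration; in a real deployment they would come from a protocol decoder.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed record for one decoded packet (hypothetical field names, not
# Quickdraw's format); a real deployment fills it from a protocol decoder.
@dataclass
class Packet:
    ts: float                      # capture time (epoch seconds)
    src: str                       # source IP
    dst: str                       # destination IP
    kind: str                      # "login_req" or "login_resp"
    user: Optional[str] = None     # userID, present on requests
    ok: Optional[bool] = None      # result, present on responses
    reason: Optional[str] = None   # failure reason, if the protocol gives one

def correlate_logins(packets):
    """Pair each login request with the device's response and emit events."""
    pending = {}   # (client_ip, device_ip) -> outstanding request
    events = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.kind == "login_req":
            pending[(p.src, p.dst)] = p
        elif p.kind == "login_resp":
            # Response flows device -> client, so swap to find the request.
            req = pending.pop((p.dst, p.src), None)
            if req is None:  # edge case: a response with no matching request
                events.append({"event": "login_response_without_request",
                               "time": p.ts, "device": p.src, "src_ip": p.dst})
            elif p.ok:
                events.append({"event": "successful_login", "time": req.ts,
                               "user": req.user, "src_ip": req.src, "device": req.dst})
            else:
                events.append({"event": "failed_login", "time": req.ts,
                               "user": req.user, "src_ip": req.src, "device": req.dst,
                               "reason": p.reason or "not provided"})
    # Requests still outstanding at the end of the capture got no answer.
    for req in pending.values():
        events.append({"event": "login_request_unanswered", "time": req.ts,
                       "user": req.user, "src_ip": req.src, "device": req.dst})
    return events

# Constructed sample capture: failed login, success, orphan response, unanswered request.
SAMPLE = [
    Packet(1000.0, "10.0.0.5", "10.0.1.20", "login_req", user="operator"),
    Packet(1000.2, "10.0.1.20", "10.0.0.5", "login_resp", ok=False, reason="bad password"),
    Packet(1001.0, "10.0.0.6", "10.0.1.20", "login_req", user="engineer"),
    Packet(1001.1, "10.0.1.20", "10.0.0.6", "login_resp", ok=True),
    Packet(1002.0, "10.0.1.20", "10.0.0.7", "login_resp", ok=False),
    Packet(1003.0, "10.0.0.8", "10.0.1.20", "login_req", user="vendor"),
]
```

Running `correlate_logins(SAMPLE)` yields four events; the orphan response and the unanswered request are reported separately because neither can be attributed to a userID.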
Security Events
A critical part of the Quickdraw project is identifying what security events a field device would ideally log. More than 50 security events have been identified and defined.
This list of security events is also a resource for field device vendors trying to determine what security events should be logged. While the security events defined in Quickdraw do not represent a complete list, they do represent the security events that the Digital Bond Quickdraw team believes are the most important.
PLC Support
The DHS project funding included support for 10 field devices. The following field devices are supported by Quickdraw:
- Control Microsystems SCADApack
- GE D20 DNP3
- GE D20 Modbus TCP
- Johnson Controls CK 720
- Koyo / DirectLOGIC DL 405
- Prosoft DNP3
- Prosoft Modbus TCP
- Rockwell Automation ControlLogix
- Schweitzer SEL 2032
- Schweitzer SEL 2032 DNP3
Additional devices may be supported. Contact info@digitalbond.com if you are interested in additional device support.
Deliverables
- The Quickdraw application with versions available for Linux and Windows (versions TBD). The initial Quickdraw application will include fifty security events and support for ten PLCs / RTUs / IEDs.
- An integration toolkit for Historians, Security Event Managers, and other Log Aggregators to accept and process Quickdraw security events
See Quickdraw Release Packages for more information.
