Quickdraw
From SCADApedia
Quickdraw is the project name for Digital Bond's PLC Passive Security Log Generator. This project is funded by a one-year contract from the U.S. Department of Homeland Security (DHS). Quickdraw is an application that will sit passively on the network, capture data sent to and from a PLC, and create the security events that a PLC or other field device would ideally log.
PLC Logging Problem
Security events in any device, operating system or application are very helpful for detecting cyber attacks and for post-incident investigation. Unfortunately, PLCs, RTUs and other field devices traditionally have little or no security event logging. Even current, high-end PLCs and PACs have minimal security event logging. Since the lifetime of field devices is often measured in decades rather than years, this security event log deficiency is going to be around for a long time.
Quickdraw Approach
Quickdraw passively monitors and collects network traffic to and from a field device. It analyzes multi-packet communication to identify security events that would ideally be logged by a field device.
Quickdraw then extracts the appropriate parameters from the packets and constructs a security event. This security event can then be sent to a log server, historian, security event manager or any other aggregation or correlation server. Quickdraw security events will be aggregated and correlated in a PI server as part of the Portaledge project.
Consider a failed login event as an example. Quickdraw will identify the login request packet and extract the user ID, date/time and IP address. Quickdraw will then identify the corresponding login response packet and determine whether the login failed and, if the device provides one, the reason for failure. With the security event triggered and its parameters available, Quickdraw will create a failed login event.
Security Events
A critical part of the Quickdraw project is identifying what security events a field device would ideally log. 50 security events will be identified and defined. The definition will include the event parameters and a standard format. This standard format is a benefit for the log aggregators and correlation solutions because they will get security log events in the same format regardless of the field device.
This list of security events is also a resource for field device vendors trying to determine what security events should be logged. While the 50 events defined in Quickdraw do not represent a complete list, they do represent the security events that the Digital Bond Quickdraw team believes are the most important.
PLC Support
The packet capture and analysis portion of Quickdraw will be configurable for different field devices, essentially to identify the patterns in the network traffic that apply to each field device. The patterns are being entered into a data dictionary that can then be loaded into the Quickdraw application.
The data dictionary approach will also make it easy for a vendor, asset owner, consultant or Digital Bond to add field devices to the Quickdraw application. All that will be required is to generate the traffic related to each event, capture the packets, and identify the applicable patterns and parameters for the event.
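The failed-login exchange described under Quickdraw Approach, driven by a dictionary-style pattern entry of the kind described here, as an added illustration that is not Quickdraw's own code: the packet layout, the pattern keys and the event fields are assumptions, and the LOGIN request/response strings are a constructed stand-in for a real field-device protocol.

```python
# Added illustration (assumed formats, not Quickdraw's real dictionary or a real PLC protocol).
from dataclasses import dataclass
import re

@dataclass
class Packet:
    ts: str         # capture timestamp
    src: str        # source IP
    dst: str        # destination IP
    payload: bytes  # application-layer bytes
# Hypothetical dictionary entry: one regex identifies the login request,
# another the response; named groups supply the event parameters.
LOGIN_PATTERN = {
    "request": re.compile(rb"^LOGIN user=(?P<user>\S+)"),
    "response": re.compile(rb"^LOGIN (?P<status>OK|FAIL)(?: reason=(?P<reason>.+))?"),
    "event_on_fail": "FAILED_LOGIN",
    "event_on_ok": "SUCCESSFUL_LOGIN",
}

def correlate(packets, pattern, plc_ip):
    """Walk traffic in capture order, pair each login request with the next
    response the PLC sends to that client, and emit one event per exchange."""
    pending = {}  # client IP -> parameters extracted from its login request
    events = []
    for p in packets:
        if p.dst == plc_ip:  # client -> PLC: look for a login request
            m = pattern["request"].match(p.payload)
            if m:
                pending[p.src] = {"user": m["user"].decode(), "time": p.ts, "src_ip": p.src}
        elif p.src == plc_ip and p.dst in pending:  # PLC -> client that has a request pending
            m = pattern["response"].match(p.payload)
            if m:
                req = pending.pop(p.dst)
                failed = m["status"] == b"FAIL"
                events.append({
                    "event": pattern["event_on_fail"] if failed else pattern["event_on_ok"],
                    "device": plc_ip, **req,
                    "reason": m["reason"].decode() if m["reason"] else None,
                })
    return events

# Constructed sample traffic: two clients, one failed and one successful login.
SAMPLE = [
    Packet("2024-01-01T10:00:00", "10.0.0.5", "10.0.0.1", b"LOGIN user=operator"),
    Packet("2024-01-01T10:00:01", "10.0.0.9", "10.0.0.1", b"LOGIN user=admin"),
    Packet("2024-01-01T10:00:01", "10.0.0.1", "10.0.0.5", b"LOGIN FAIL reason=bad password"),
    Packet("2024-01-01T10:00:02", "10.0.0.1", "10.0.0.9", b"LOGIN OK"),
]
print(*correlate(SAMPLE, LOGIN_PATTERN, "10.0.0.1"), sep="\n")
```

Each emitted dictionary is the same shape regardless of which device pattern produced it, which is what lets a log aggregator consume Quickdraw events uniformly.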
The DHS project funding includes support for 10 field devices. These field devices will be announced as the decisions are made during the project. The project team expects that not all 50 security log events will apply to all 10 selected field devices.
Deliverables
- The Quickdraw application with versions available for Linux and Windows (versions TBD). The initial Quickdraw application will include fifty security events and support for ten PLCs / RTUs / IEDs.
- An integration toolkit so field device vendors, asset owners or other consultants can add additional field devices to the Quickdraw data dictionary.
- An integration toolkit for historians, security event managers and other log aggregators to accept and process Quickdraw security events.
