Quickdraw Security Events
From SCADApedia
Quickdraw is an application that passively monitors traffic to and from PLCs and other field devices, identifies security events, extracts their parameters, creates the security event, and sends it to a log server, historian, SEM or other log aggregation server. It helps address the logging deficiency in field devices. A total of 50 events will be identified and defined in the project.
Security Event Definition Format
The table below is a work in progress for Quickdraw that documents the current set of security events. Each row represents one of the security events and the columns are defined as follows:
- No. = event number
- Name = event name
- Category = event category
- Extracted Parameters = The parameters extracted from the packets sent to and from the PLC. Each parameter is listed in the format parameter_name:packet:format, where packet is the request or response packet the parameter is taken from and format is the type of the parameter in the generated event
Notes:
- The terms request packet and response packet in the Extracted Parameters column may not be applicable in all cases. Where they are used, request packets are packets sent to the field device, and response packets are packets sent from the PLC.
- Extracted parameters for a security event may come from multiple request or response packets. The packets will be labeled request1, request2, etc. to designate the order of the packets.
- The format in the Extracted Parameters field indicates the format of the parameter in the Quickdraw generated event, not necessarily the format of the parameter in the request or response packet.
Security Event Definition
| No. | Name | Category | Extracted Parameters |
|---|---|---|---|
| 1 | Failed Login | Access Control | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, access_level:request1:string, login_result:response1:integer, failure_reason:response1:string |
| 2 | Successful Login | Access Control | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, access_level:request1:string, login_result:response1:integer |
| 3 | User Account Creation Attempt | Access Control | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, new_userID:request1:string, requester_ID:request1:string, result:response1:string |
| 4 | User Account Deleted | Access Control | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, deleted_userID:request1:string, requester_ID:request1:string, result:response1:string |
| 5 | Password Change Attempt | Access Control | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, change_result:response1:string |
| 6 | PLC Locked | Access Control | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, client_request:request1:string |
| 7 | Remote Mode Change Attempt | Access Control | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, client_request:request1:string, result:response1:string |
| 8 | Change Time | System | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, new_time:request1:string, result:response1:string |
| 9 | Change Date | System | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, new_date:request1:string, result:response1:string |
| 10 | Change Access Level | Access Control | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, requested_access_level:request1:string, result:response1:string |
| 11 | Request Points List | Reconnaissance | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, control_protocol:request1:string, result:response1:string |
| 12 | Request Controller ID | Reconnaissance | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, controller_ID:response1:string |
| 13 | Station Number Error | Request Error | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, station_number:request1:string, error_code:response1:string |
| 14 | |||
| 15 | Failed Checksum | Request Error | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, error_code:response1:string |
| 16 | File Does Not Exist | Request Error | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, file_name:request1:string, error_code:response1:string |
| 17 | Attempt To Change Write Protected File | Request Error | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, file_name:request1:string, error_code:response1:string |
| 18 | Memory Unavailable | Request Error | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, function_code:request1:string, error_code:response1:string |
| 19 | Function Not Available | Request Error | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, function_code:request1:integer, error_code:response1:string |
| 20 | Point Not Available | Request Error | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, point_type:request1:string, point_value:request1:string, error_code:response1:string |
| 21 | |||
| 22 | |||
| 23 | |||
| 24 | |||
| 25 | |||
| 26 | |||
| 27 | |||
| 28 | Change Modem Status | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, new_status:request1:string, result:response1:string |
| 29 | Collection Period Change | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, request_period:request1:string, affected_points:request1:string, result:response1:string |
| 30 | Control Protocol Change | Configuration | |
| 31 | IP Address Change | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, new_IP_address:request1:string, result:response1:string |
| 32 | Config File Change | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, config_file_name:request1:string, result:response1:string |
| 33 | Config File Change Failure | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, config_file_name:request1:string, result:response1:string |
| 34 | Firmware Change | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, firmware_name:request1:string, result:response1:string |
| 35 | Firmware Change Failure | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, firmware_name:request1:string, result:response1:string |
| 38 | Software Download | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, file_name:request1:string, result:response1:string |
| 39 | Software Download Failure | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, file_name:request1:string, result:response1:string |
| 38 | Software Upload | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, file_name:request1:string, result:response1:string |
| 39 | Software Upload Failure | Configuration | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, file_name:request1:string, result:response1:string |
| 40 | Clear Audit Log Attempt | Audit | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, result:response1:string |
| 41 | Audit Log Full | Audit | time_date:response1:string, IP_address:response1:string, IP_controller:response1:string, controller_port:response1:string, action_on_full:response1:string |
| 42 | Audit Policy Change | Audit | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, change_request:request1:string, result:response1:string |
| 43 | |||
| 44 | |||
| 45 | Reboot or Restart | Availability | time_date:request1:string, IP_address:request1:string, IP_controller:request1:string, controller_port:request1:string, userID:request1:string, result:response1:string |
| 46 | |||
| 47 | |||
| 48 | |||
| 49 | |||
| 50 | | | |
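As an added illustration of the definition format (this is example code, not part of Quickdraw or the original page), the following parses an Extracted Parameters cell such as row 1 (Failed Login) and assembles the generated event from the fields a packet decoder would hand over. The packet contents are constructed, and the type coercion follows the third note above: the format names the type in the generated event, not the type on the wire.

```python
# Added example (not Quickdraw's own code): parse an "Extracted Parameters"
# cell in the format parameter_name:packet:format and build the resulting
# Quickdraw event from captured packet fields. Packet contents are constructed.
import re
from typing import Dict, List, Tuple

SPEC_RE = re.compile(r"^(\w+):(request\d*|response\d*):(string|integer)$")

def parse_spec(cell: str) -> List[Tuple[str, str, str]]:
    """Turn a table cell into (parameter, packet_label, format) triples."""
    triples = []
    for item in cell.split(","):
        m = SPEC_RE.match(item.strip())
        if not m:
            raise ValueError(f"bad parameter spec: {item!r}")
        triples.append(m.groups())
    return triples

def build_event(number: int, name: str, cell: str,
                packets: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Assemble the security event. Each parameter is pulled from the packet
    the spec names (request1, response1, ...) and coerced to the event format
    from the table, not to the on-the-wire format (third note above)."""
    event = {"event_no": number, "event_name": name}
    for param, packet, fmt in parse_spec(cell):
        if packet not in packets or param not in packets[packet]:
            raise KeyError(f"event {number}: {param} missing from {packet}")
        raw = packets[packet][param]
        event[param] = int(raw) if fmt == "integer" else str(raw)
    return event

# Row 1 of the table (Failed Login), copied from the definition above.
FAILED_LOGIN_SPEC = ("time_date:request1:string, IP_address:request1:string, "
                     "IP_controller:request1:string, controller_port:request1:string, "
                     "userID:request1:string, access_level:request1:string, "
                     "login_result:response1:integer, failure_reason:response1:string")

# Constructed packet fields, as a protocol decoder would hand them to Quickdraw.
SAMPLE_PACKETS = {
    "request1": {"time_date": "2024-01-01 00:00:00", "IP_address": "192.0.2.10",
                 "IP_controller": "192.0.2.50", "controller_port": 502,
                 "userID": "operator", "access_level": "admin"},
    "response1": {"login_result": "0", "failure_reason": "bad password"},
}

def failed_login_event() -> Dict[str, object]:
    return build_event(1, "Failed Login", FAILED_LOGIN_SPEC, SAMPLE_PACKETS)
```

A missing parameter raises rather than emitting a partial event, so a decoder gap surfaces in testing instead of as silently incomplete log records.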
Security Event Examples