Quickdraw Security Events
From SCADApedia
Quickdraw is an application that passively monitors traffic to and from PLCs and other field devices, identifies security events, extracts their parameters, creates the security event, and sends it to a log server, historian, SEM or other log aggregation server. It helps address the logging deficiency in field devices. Quickdraw was developed under a DHS S&T funded research contract.
More than fifty security events have been defined and are supported by the Quickdraw application. This page lists and defines the Quickdraw security events.
Security Event Definition
The table below defines the security events supported by Quickdraw. Each field device will support only a subset of these security events. There are a variety of reasons a security event may not be supported by a field device. The field device may not support the feature the security event would record, such as user login, lock PLC or firmware change. In other cases the protocol the field device uses may not support the feature. As field devices add security features, more of the security events will become applicable.
| No. | Name | Category |
|---|---|---|
| 1 | Failed Login | Access Control |
| 2 | Successful Login | Access Control |
| 3 | Logout | Access Control |
| 4 | Auto Logoff Timeout Parameter Change | Access Control |
| 5 | Failed Login Attempts Parameter Change | Access Control |
| 6 | Lockout Time Parameter Change | Access Control |
| 7 | User Account Creation Attempt | Access Control |
| 8 | User Account Deletion Attempt | Access Control |
| 9 | Password Change Attempt | Access Control |
| 10 | Lock PLC Attempt | Access Control |
| 11 | Unlock PLC Attempt | Access Control |
| 12 | Remote Mode Change Attempt | Access Control |
| 13 | Change Access Level Attempt | Access Control |
| 14 | File Permission Change Attempt | Access Control |
| 15 | Station Number Error | Request Error |
| 16 | Failed Checksum Error | Request Error |
| 17 | File Does Not Exist Error | Request Error |
| 18 | Attempt To Change Write Protected File Error | Request Error |
| 19 | Memory Unavailable Error | Request Error |
| 20 | Function Not Available Error | Request Error |
| 21 | Point Not Available Error | Request Error |
| 22 | Remote Diagnostic Self Test | System |
| 23 | Forced Failover | System |
| 24 | View Device Status | System |
| 25 | Database Synchronization | System |
| 26 | Flash Erase | System |
| 27 | Firmware Change | System |
| 28 | Firmware Change Failure | System |
| 29 | Software Upload | System |
| 30 | Software Upload Failure | System |
| 31 | Reboot or Restart | System |
| 32 | Change Time Attempt | Configuration |
| 33 | Change Date Attempt | Configuration |
| 34 | Change Time Source Attempt | Configuration |
| 35 | Change Modem Status Attempt | Configuration |
| 36 | Change Port Configuration Attempt | Configuration |
| 37 | Collection Period Change Attempt | Configuration |
| 38 | Control Protocol Change Attempt | Configuration |
| 39 | IP Address Change Attempt | Configuration |
| 40 | TCP/UDP Port Change Attempt | Configuration |
| 41 | Config File Change | Configuration |
| 42 | Config File Change Failure | Configuration |
| 43 | Buffer Size Change Attempt | Configuration |
| 44 | Display Access Change Attempt | Configuration |
| 45 | Software Download | Reconnaissance |
| 46 | Software Download Failure | Reconnaissance |
| 47 | Device Poll All | Reconnaissance |
| 48 | Request Points List | Reconnaissance |
| 49 | Request Controller ID | Reconnaissance |
| 50 | Feature Request | Reconnaissance |
| 51 | Clear Audit Log Attempt | Audit |
| 52 | Audit Log Full | Audit |
| 53 | Audit Policy Change Attempt | Audit |
