Anomaly Detection For Process Control Systems. Ron Derynck Director, Product Strategies, Verano

Transcription

1 Anomaly Detection For Process Systems Ron Derynck Director, Product Strategies, Verano

2 About Verano Industrial software company Headquarters in Mansfield, Mass. Software development in Calgary, Canada In 2000 acquired automation software business from HP 15-year history of providing SCADA and process control software for critical infrastructure industries First industrial operations cyber-security solutions provider 2

3 Availability is our #1 Goal Traditional IT Systems Confidentiality Integrity Systems Availability Integrity Availability Priority Confidentiality Based on ISA SP99 Part 1 Draft Standard 3

4 Introduction System performance, application health, network integrity and security combine to determine availability Compared to enterprise networks, control networks are relatively stable Once baseline has been established alerts can be generated only when anomalies occur 4

5 Simple Example 5

6 What Causes Anomalies? Disgruntled Employee Trojan Virus Prohibited Software Vendor update Software malfunction Hacker Reconnaissance Contractor Performance Degradation New file New socket New process Removable media insertion File modification Process Termination NIDS Alert Rogue Device CPU/RAM/Disc Usage 6

7 You Can t Manage What You Don t Measure Corporate Network Security Management Console Perimeter Protection Appliance App Client Office PCs Plant Network Network Sensor Network DMZ Historian Web I/O Network 7

8 Protection Appliance Metrics Corporate Network Security Firewall Per Port Management Console Violations Network Traffic Anti-Virus Events App Resource Use Client Perimeter Protection Appliance Office PCs Plant Network Network Sensor Intrusion Attempts Failed login attempts Network Device Status Rule Set Modifications I/O Network DMZ Historian Web 8

9 Host Metrics Corporate Network Security Management Console Network Sensor App Client Network I/O Network Windows Perimeter Protection Appliance File System Event Modification Logs Application Logs Host Firewall Logs OS Security Logs Windows Registry Changes Historian Office PCs Plant Network DMZ Removable Media Detection Platform Performance Web Socket Status Process Status Host Status 9

10 File Modification Anomaly 10

11 Network Sensor Metrics Corporate Network Security Management Console Perimeter Protection Appliance App Client Office PCs Plant Network Network Sensor Network Intrusion Attempts Rogue Device Detection Prohibited Protocol Detection DMZ Historian SNMP Device Status Web I/O Network 11

12 Intrusion Detection Corporate Network Border Intrusion Detection Security Management System Perimeter Protection Appliance Host Intrusion Detection App Client Office PCs Plant Network Network Sensor Network Intrusion Detection Network DMZ Historian Web I/O Network Host Security & Performance Agents 12

13 Example Scenario 13

14 Isolate the Suspicious Activity 14

15 Check the logs 15

16 Investigate 16

17 Save the Incident Report 17

18 Network Security Management System Security Management Console Corporate Network Perimeter Protection Appliance Firewall Virus Protection Intrusion Prevention Content Filtering VPN Data Aggregation Anomaly Detection Incident Notification Reporting & Analysis Network Sensor Network Intrusion Detection (NIDS) Rogue Device Detection App Client Network I/O Network Historian Office PCs Plant Network DMZ Web Health, Performance & Security Agents 18

19 Conclusions What you don t know can hurt you More visibility of control infrastructure operation needed Availability is determined by system performance, application health and network integrity as well as security Security Management Systems can detect, analyze and report control system anomalies 19

20 Questions?