www.encari.com
Using Monitoring, Logging, and Alerting to Improve ICS Security
ICSJWG 2015 Fall Meeting, October 27, 2015
The Problem
- Cyber attacks are not just a risk, they are a reality.
- Cyber attacks that get past the perimeter must be detected to be stopped.
- Cyber attackers are not stupid or clumsy.
- Cyber attackers are patient and persistent.
The Problem (continued)
- Critical infrastructure control systems are attractive targets.
- There is no data of value, so the goal of an attack is to cause disruption or damage.
- Manual operation is not possible in most cases, so shutting down control systems is not an option.
Mitigation Activities: First Steps
- Isolate the control system and establish a secure perimeter.
- Shrink the vulnerable attack surface: remove all unneeded hardware and software from the control system enclave.
- Understand all processes and network activities that occur inside the perimeter.
Mitigation Activities: Ongoing
- Detect unusual or anomalous activities or events.
- Identify activities or events that are malicious or may indicate an attack.
- Provide information to those who can act to stop the attack.
Detect
- Configure systems to create logs.
- Configure logging for events of interest:
  - Successful and unsuccessful login attempts.
  - Administrative changes: accounts, elevation of privileges.
  - Configuration changes, new hardware.
  - Process state changes.
  - Changes in critical directories.
  - Malware detection.
- Synchronize system time; use timestamps in logs.
Identify: First Step
- Send logs to a central log management server.
- Simplifies retention and review.
- Advanced systems can apply retention policies.
- More advanced systems can parse logs, correlate events and generate alerts.
Identify: The Next Level
- Security Information and Event Management (SIEM).
- Collects logs and other operational data from a wide variety of systems.
- Parses logs and correlates events, including IDS and NetFlow data.
- Generates alerts and reports; dashboards; highly customizable; can aid forensics and investigation of events.
- There is a continuum from log management to SIEM as functionality increases.
- Products: ArcSight, NetIQ Sentinel, IBM Security QRadar, RSA Security Analytics, LogRhythm, SolarWinds SIEM, McAfee Enterprise Security Manager, Splunk.
SIEM Challenges
- Expensive, complicated and requires specialized expertise to implement.
- Effective implementation requires customized correlation rules; without correlation, all you have is expensive log management.
SIEM and IDS
- Intrusion Detection System (IDS) vs. Intrusion Prevention System (IPS): an IDS detects, identifies and notifies on suspected intrusions; an IPS takes the additional step of blocking traffic.
- Similar to SIEM, but uses raw network traffic and malware signatures (as well as known malicious sites and sources) as inputs.
- Can work in conjunction with SIEM, as an input to the SIEM.
Actions and Activities to Identify
- New devices on the network
- Administrative activity
- New network traffic patterns
- Increased network traffic
- Increased rate of failed logins
- Changes in system directories
- Attempts to communicate externally
- Malware activity
Final Step: Alerting
- Detection and identification have no value if no action is taken.
- Action requires a person to know that there is a need for action.
- Dashboards and on-screen alerts can be effective, but only if there is constant monitoring.
- If email is used for alerts, provisions must be made to make sure they are delivered to somebody who can act on them.
- Emails should be sent to groups; members of the group must have a protocol for determining who will act.
- Emails must be clearly marked as alerts of a possible attack.
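As an added example (not from the presentation), the following Python script applies three of the detection rules from the "Actions and Activities to Identify" list (failed-login rate, administrative account changes, new devices) to constructed syslog-style lines, and packages the result as a single clearly marked message to a group, as the alerting slide requires. The hostnames, addresses, inventory baseline, threshold and group address are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample syslog-style lines (not from the presentation). Timestamps
# are assumed to come from time-synchronized hosts, as the deck recommends.
SAMPLE_LOGS = """\
2015-10-27T10:00:01 hmi01 sshd: Failed password for operator from 10.1.1.50
2015-10-27T10:00:03 hmi01 sshd: Failed password for operator from 10.1.1.50
2015-10-27T10:00:04 hmi01 sshd: Failed password for admin from 10.1.1.50
2015-10-27T10:00:05 hmi01 sshd: Failed password for root from 10.1.1.50
2015-10-27T10:00:06 hmi01 sshd: Accepted password for operator from 10.1.1.20
2015-10-27T10:02:10 hmi01 useradd: new user: name=svc_tmp, UID=1005
2015-10-27T10:05:00 sw01 dhcpd: DHCPACK on 10.1.1.77 to 00:11:22:33:44:55
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
KNOWN_HOSTS = {"10.1.1.20", "10.1.1.50"}   # hypothetical inventory baseline
FAILED_LOGIN_THRESHOLD = 3                 # failures per source per window
FAILED_LOGIN_WINDOW = timedelta(minutes=1)

def detect(log_text, known_hosts=KNOWN_HOSTS):
    """Return alert strings for three event classes from the deck's list:
    failed-login rate, administrative account changes, new devices."""
    alerts, failures = [], defaultdict(list)   # failures: src IP -> timestamps
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparsable line; a real system should count these too
        ts, host, prog, msg = datetime.fromisoformat(m["ts"]), m["host"], m["prog"], m["msg"]
        if prog == "sshd" and msg.startswith("Failed password"):
            src = msg.rsplit(" ", 1)[1]
            # keep only failures inside the sliding window, then add this one
            failures[src] = [t for t in failures[src] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
            if len(failures[src]) == FAILED_LOGIN_THRESHOLD:   # alert once per burst
                alerts.append(f"{FAILED_LOGIN_THRESHOLD} failed logins from {src} on {host} within {FAILED_LOGIN_WINDOW}")
        elif prog == "useradd":
            alerts.append(f"administrative change on {host}: {msg}")
        elif prog == "dhcpd" and msg.startswith("DHCPACK"):
            ip = msg.split()[2]
            if ip not in known_hosts:
                alerts.append(f"new device {ip} ({msg.split()[-1]}) seen by {host}")
    return alerts

def alert_email(alerts, group="ics-alerts@example.invalid"):
    """Package alerts as one clearly marked message to a group (hypothetical address)."""
    if not alerts:
        return None
    subject = f"[POSSIBLE ATTACK] {len(alerts)} ICS security alert(s) - action required"
    body = "\n".join(f"- {a}" for a in alerts) + "\n\nGroup members: confirm who is acting on this."
    return {"to": group, "subject": subject, "body": body}
```

Running `alert_email(detect(SAMPLE_LOGS))` yields one message carrying three alerts: the four-failure burst from 10.1.1.50 fires exactly once, the new account on hmi01 is reported, and 10.1.1.77 is flagged because it is absent from the baseline.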
Start With What You Have
- Enable logging of important events.
- Use built-in capabilities, such as syslog.
- Use inexpensive or free log managers.
- Configure alerting in systems when available (anti-malware, for example).
Contact Us
(847) 947-8448
webinars@encari.com; demos@encari.com; contactus@encari.com
http://www.encari.com
https://www.facebook.com/encari.powersecure
https://twitter.com/encarips
http://bit.ly/encarilinkedin

Encari provides control system security and compliance solutions, focusing on critical infrastructure.