Integrating Cyber Security Alerts into the Operator Display
2 likes1,524 views
The document discusses the integration of cybersecurity alerts into industrial control systems (ICS) operations, highlighting the similarities between cybersecurity operations (SecOps) and ICS. It emphasizes the need for effective monitoring, clear identification of cyber security events, and developing actionable procedures for operators. Properly integrating cybersecurity into operational frameworks can improve situational awareness and response times to incidents, while the document also outlines methods for identifying and prioritizing security conditions for operator alerts.
![Ñ Lack of Understanding and Confusion about
Computer Security
Ñ Owner A]itude is that Security has nothing to
Do with Operations
Ñ Leads to Reduction in Situational Awareness
Ñ Operators Don’t Know What Actions To Take
The Problems](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-9-320.jpg)
![Identify Specific Clear Cyber Security Events
Determine Events Appropriate for Operator
A]ention
Create Operations Procedures for Actions
Develop a Detection and Presentation Strategy
The Process](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-14-320.jpg)
![{
Ñ CIP-‐‑007 R4 – Malicious Software Prevention
Ó Paraphrase: ~..shall use anti-‐‑virus software
to detect malware on all Cyber Assets within
the ESP~
Ó Conclusion: I should alert on anti-‐‑virus
detections
Ñ CIP-‐‑007 R5 – Monitoring Electronic Access
Ó Paraphrase: ~monitoring processes shall
detect and alert for a]empts at or actual
unauthorized access~
Ó Conclusion: A]empts at unauthorized access
include incorrect passwords, alert on that.
Regulations,
such as NERC
CIP, may
provide clues
as to what
events should
be monitored
Regulations
Well, I did say clues…
Source: NERC CIP Standards, V3](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-19-320.jpg)
![{
Ñ Section 3.2.2 – Signs of an Incident
Ó ~Too many indicators exist to
exhaustively list them~
Ó ~Common ones include multiple failed
login a]empts, deviations from
normal network traffic, filenames with
unusual characters..~
Standards can
help as well,
but still are
clues not firm
guidance
Standards
Source: NIST SP-‐‑800-‐‑61](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-20-320.jpg)
![{
• Start with from general
security conditions
• Trim to Specific Events
within those categories
Top
Down
• Start with Every Potential
Event that Could Be
Generated
• Trim to Specific Events from
the Potentials
Bo]om
Up
There are Two
Main Methods
for Identifying
Events
Methods to Identify](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-24-320.jpg)
![{
Ñ Enumerate the Security Capabilities of
the Device. Examples:
Ó Provides Specific Syslog Evidence
Ó Sets a Point when a Login Threshold
has been reached
Ñ Useful for Devices, where Capability
is often limited
BoYom Up is
Good for
Systems with
Limited
Capability for
Security
Bo]om Up Approach](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-27-320.jpg)
![{
Review of Manuals and Datasheets can identify
detectable Cyber Security Events
Bo]om Up Example
Source: S&C IntelliRuptor Instruction Sheet 766-‐‑560](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-28-320.jpg)
![{
Ñ Top Down
Ó Allows you to set criteria, and then delve
into system to find triggers to meet it
Ó Avoids the complexity of ge]ing into the
weeds of system events
Ó May miss important conditions due to
avoiding those same weeds
Ñ Bo]om Up
Ó Complex, but most Detailed
Ó Requires analysis of many events that will
likely never make it in front of an operator
There are
advantages and
disadvantages
of each
Approach
Compare and
Contrast](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-29-320.jpg)
![{
Condition
Detection
Method
Reliability
Anti-‐‑Virus
Detection
Windows Event
Log
Very Reliable, Test Indicates
an event generated on each
detection in SYSTEM log
Security Log
Deleted
Windows Event
Log
Very Reliable, an explicit
event is created on clearing
Excessive
Incorrect Login
Windows Event
Log
Reliable, so long as the
account lockout se]ings in
SECPOL.msc are set correctly
Use of
Removable
Media
May require 3rd
party program.
Not Always Possible without
3rd Party Program
How Reliable
are the
Detection
Methods? Do
they have
potential false
positives?
Reliable and Unreliable
Conditions
Note: This list is far from comprehensive](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-37-320.jpg)
![{
List of
Conditions has
been
generated,
what next?
What Comes Next?
Condition
Detection
Method
Reliability
Anti-‐‑Virus
Detection
Windows
Event Log
Very Reliable, Test
Indicates an event
generated on each
detection in SYSTEM log
Event Log
Was Cleared
Windows
Event Log
Very Reliable, an explicit
event is created on
clearing
Excessive
Incorrect
Login
Windows
Event Log
Reliable, so long as the
account lockout se]ings
in SECPOL.msc are set
correctly](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-42-320.jpg)
![{
Ñ Case in Point – Conficker (MS08-‐‑67)
Ó Highly Aggressive Worm which
impacts network communication
Ó Makes use of very reliable exploit in
Server service
Ó A]empts to brute force accounts
Ó Spreads over USB and removable
media as well
Some Cyber
Security Events
may Cause
Production
Impacts
Worst Case Scenario](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-49-320.jpg)
![{
Ñ Most Cited:
Ó The Alarm Management Handbook
The High-‐‑Performance HMI
Handbook.
Ñ Wri]en by Bill Hollifield and Paul
Gruhn
Ó Of Course, Nothing Specific on
Security
There is
already a lot of
guidance on
development
of Operator
Displays
Operator Displays](https://image.slidesharecdn.com/day2-michaeltoeckerpresentation-130924194829-phpapp02/85/Integrating-Cyber-Security-Alerts-into-the-Operator-Display-52-320.jpg)
Integrating Cyber Security Alerts into the Operator Display
- 1. { Integrating Cyber Security Alerts into the Operator Display Digital Bond, Inc. Michael Toecker, PE ddddddddd EnergySec 9th Annual Security Summit
- 2. Ñ Michael Toecker Who Am I?
- 3. Monitoring and Response of Cyber Security Events Originating from the Control System Parallels the Monitoring and Response of Process Events The Premise
- 4. { Ñ ICS Operations was similar to Security Operations Ó ICS had alarms, SecOps had alarms Ó ICS had events, SecOps had events Ó ICS had historical points, SecOps had voluminous logs Ó ICS had 24/7 Operators, SecOps had Analysts (some 24/7, others not) Ó ICS had a responsibility for monitoring safe and effective productions, SecOps had responsibility for ensure secure and trusted operations I Spent a Year working as a Security Guy in an Operations Environment ICS Ops vs. SecOps
- 5. { Task SecOps ICSOps Visualizing Data using Graphs, Charts, etc X X Providing Status Indicators when parameters went out of normal X X Directed Field Personnel to Take Specific Actions based on Events or Alarms X X Reviewing of Logs, Records, and Other Data to Improve Efficiency and Locate Problem Areas X X Investigate for Compliance and Effect on Process, and find ways to Prevent, Detect and Respond X X What I Often Saw in ICS Operations was Paralleled in What I was Doing Parallels
- 6. { Ñ …was the data. Ó My data was security logs, their data from process points. Ó But we were both identifying conditions that could impact our production or compliance, and taking some action to correct I was an Engineer with Specialized Knowledge of Specific Equipment What was Different…
- 7. { Ñ There is an emphasis on procedure, and process when faced with issues Ñ Troubleshooting where advanced knowledge is required is conducted by those with the knowledge Ñ Operators follow known actions that will return a system to a stable state, usually developed by process engineers. Operators Monitor & Respond, but Do Not Always Possess Specific Knowledge The Role of Operators
- 8. Why not add some Security?
- 9. Ñ Lack of Understanding and Confusion about Computer Security Ñ Owner A]itude is that Security has nothing to Do with Operations Ñ Leads to Reduction in Situational Awareness Ñ Operators Don’t Know What Actions To Take The Problems
- 10. Ñ Proper Notification Reduces Response Time to Security Incidents Ñ Regulatory Requirements can be Met With Existing Personnel Ñ Alerts and Events directly to 24/7 Personnel look Awesome as Compensating Controls The Benefits
- 11. { Cyber Security Events & Incidents Detectable w/ Security Monitoring Security Events Operators Could Respond To Not a Substitute for a Focused Security Monitoring Program The Limitations
- 12. { Monitor, and Analyze Identify Security Conditions Identify Operational Events Develop Procedures for Action Implement Condition and Procedure Security Monitoring Program Should Feed into Conditions for Operator Alerts The Role of Security
- 13. { Monitor Data Points Identify Process Conditions Identify Operational Events Develop Procedures for Action Implement Condition and Procedure This looks a lot like Process Intelligence Process, the only difference is the Analysis and Knowledge ….wait a minute.
- 14. Identify Specific Clear Cyber Security Events Determine Events Appropriate for Operator A]ention Create Operations Procedures for Actions Develop a Detection and Presentation Strategy The Process
- 15. { Part 1 Identify Operational Events
- 16. { …Clear • No Ambiguity • Straightforward Yes/No Decision Point …Derivable • Sourced Directly from Control Systems Security Data, not from Intuition or Analysis …Actionable • Specific Actions can be taken on receipt of the Event • Not Dependent on Other Events, or on Further Analysis An Operational Cyber Security Event Should Be.. Identify and Define
- 17. { Ñ Questions to Ask Ó What do my regulations tell me to be concerned with? Ó What do various standards bodies tell me to be concerned with? Ó Do I have specific policy statements that suggest alerting, or 24/7 response? Ó What Lessons Learned Do I have related to Cyber Security? Identify Cyber Security Conditions to Alert On Identifying Events This is my polite way of saying “If You Got Hacked, How Did it Happen?”
- 18. List of Security Conditions Regulations Require Monitoring and Action Standards suggest an Approach Security Policy may Specify Conditions Lessons Learned from Security Incidents Determine Conditions
- 19. { Ñ CIP-‐‑007 R4 – Malicious Software Prevention Ó Paraphrase: ~..shall use anti-‐‑virus software to detect malware on all Cyber Assets within the ESP~ Ó Conclusion: I should alert on anti-‐‑virus detections Ñ CIP-‐‑007 R5 – Monitoring Electronic Access Ó Paraphrase: ~monitoring processes shall detect and alert for a]empts at or actual unauthorized access~ Ó Conclusion: A]empts at unauthorized access include incorrect passwords, alert on that. Regulations, such as NERC CIP, may provide clues as to what events should be monitored Regulations Well, I did say clues… Source: NERC CIP Standards, V3
- 20. { Ñ Section 3.2.2 – Signs of an Incident Ó ~Too many indicators exist to exhaustively list them~ Ó ~Common ones include multiple failed login a]empts, deviations from normal network traffic, filenames with unusual characters..~ Standards can help as well, but still are clues not firm guidance Standards Source: NIST SP-‐‑800-‐‑61
- 21. { Ñ What I’ve seen in the past: Ó ~Addition and Modifications of Users shall be conducted through the change control process~ Ó ~New Software on Control Systems requires approval by the Senior Manager~ Conditions may exist in your corporations IT Security Policies Policy Remarks
- 22. { Ñ Good Security Comes with Experience, Ó Most Experience Comes from Failures in Security Ñ ….but it doesn’t have to be YOUR Failures in Security Ó Talk, Listen, Learn Why Information Sharing is Important. Lessons Learned
- 23. { There are tons of events available, but not all are relevant or appropriate for Operations Complex, Irrelevant
- 24. { • Start with from general security conditions • Trim to Specific Events within those categories Top Down • Start with Every Potential Event that Could Be Generated • Trim to Specific Events from the Potentials Bo]om Up There are Two Main Methods for Identifying Events Methods to Identify
- 25. { Ñ Specific Classes of Computer Security Events Ó Virus Detection, Failed Logins, Disallowed Ports, etc Ó Good Source of Some Classes – NIST SP-‐‑800-‐‑53 Ñ Useful for PC based systems, which often have a huge amount of capacity for security Top Down is Good For Systems with Many Potential Events Top Down Approach
- 26. { Cyber Security Event Class: Virus Detection Top Down Example
- 27. { Ñ Enumerate the Security Capabilities of the Device. Examples: Ó Provides Specific Syslog Evidence Ó Sets a Point when a Login Threshold has been reached Ñ Useful for Devices, where Capability is often limited BoYom Up is Good for Systems with Limited Capability for Security Bo]om Up Approach
- 28. { Review of Manuals and Datasheets can identify detectable Cyber Security Events Bo]om Up Example Source: S&C IntelliRuptor Instruction Sheet 766-‐‑560
- 29. { Ñ Top Down Ó Allows you to set criteria, and then delve into system to find triggers to meet it Ó Avoids the complexity of ge]ing into the weeds of system events Ó May miss important conditions due to avoiding those same weeds Ñ Bo]om Up Ó Complex, but most Detailed Ó Requires analysis of many events that will likely never make it in front of an operator There are advantages and disadvantages of each Approach Compare and Contrast
- 30. { Ñ Windows Based Computers are the obvious systems to use Top Down Ó Event Heavy, Highly Complex Ó Events were designed from an incident response perspective, not from an alert perspective Use Top Down when a system is highly capable of reporting security events to narrow your range When to Use an Approach
- 31. { Ñ Systems like PLCs, Controllers, some Network Devices have limited capability to report security status Ó Won’t be able to simply define events, you’ll have to work with what’s there Use BoYom Up when working with devices that report on few security conditions When to Use an Approach
- 32. { Condition Source Anti-‐‑Virus Detection NERC CIP-‐‑007 R4 User Modified or Added NERC CIP-‐‑007 R5 Security Logs Deleted NERC CIP-‐‑007 R6 Security Logs Full NERC CIP-‐‑007 R6 Excessive Incorrect Login NERC CIP-‐‑007 R6 Use of Removable Media Good Practice New Software Installed IT Policy Logging Options Changed IT Policy The End Result of this Analysis is a List of Conditions to Alert On List of Conditions Note: This list is far from comprehensive
- 33. { Part 2 Appropriate for Operators
- 34. { Ñ Is the Condition a Clear Cyber Security Event? Ñ Is the Condition Derivable directly from Logs, Alerts, and other evidence? Ñ Is the Condition Actionable by Operators? Not Every Condition is Appropriate for Operator Notification Appropriate for Operators
- 35. { Condition Source Anti-‐‑Virus Detection NERC CIP-‐‑007 R4 User Modified or Added NERC CIP-‐‑007 R5 Security Logs Deleted NERC CIP-‐‑007 R6 Security Logs Full NERC CIP-‐‑007 R6 Excessive Incorrect Login NERC CIP-‐‑007 R6 Use of Removable Media Good Practice New Software Installed IT Policy Logging Options Changed IT Policy Unclear Conditions are Removed from the List Is it Clear? Note: This list is far from comprehensive
- 36. { Condition Source Anti-‐‑Virus Detection NERC CIP-‐‑007 R4 Security Logs Deleted NERC CIP-‐‑007 R6 Security Logs Full NERC CIP-‐‑007 R6 Excessive Incorrect Login NERC CIP-‐‑007 R6 Use of Removable Media Lesson Learned Remove Conditions Incapable of being Derived from Evidence, or Require Analysis Is it Derivable? Note: This list is far from comprehensive
- 37. { Condition Detection Method Reliability Anti-‐‑Virus Detection Windows Event Log Very Reliable, Test Indicates an event generated on each detection in SYSTEM log Security Log Deleted Windows Event Log Very Reliable, an explicit event is created on clearing Excessive Incorrect Login Windows Event Log Reliable, so long as the account lockout se]ings in SECPOL.msc are set correctly Use of Removable Media May require 3rd party program. Not Always Possible without 3rd Party Program How Reliable are the Detection Methods? Do they have potential false positives? Reliable and Unreliable Conditions Note: This list is far from comprehensive
- 38. { Remove Conditions that an Operator cannot Realistically take Action On Is it Actionable? Condition Source Anti-‐‑Virus Detection NERC CIP-‐‑007 R4 Security Logs Deleted NERC CIP-‐‑007 R6 Security Logs Full NERC CIP-‐‑007 R6 Excessive Incorrect Login NERC CIP-‐‑007 R6
- 39. { Why were some of the conditions removed? An Aside… Ñ User Modified or Added Condition Reason for Removal User Modified or Added Not Clear, as there are legitimate reasons for adding, or modifying a User and these reasons aren’t apparent without analysis. Security Log Full Not Actionable, as operators should be doing maintenance and admin functions. Removable Media Not Derivable, on most systems as is. May require a 3rd Party program to do a decent job of this.
- 40. { Ñ Example: Removable Media Detection Ó Wasn’t able to do this in Native Windows in a Clear and Derivable manner Ó Use of Third Party tools can change this, making it possible to monitor and alert A Previously Rejected Condition can become valid with New Information or Technology When Conditions Change
- 41. { Ñ USB Based Infection Lesson Learned Ó New USB Showed up in Registry Change Ó Auto-‐‑Run Shows up in Registry Change Ó Addition of Programs to the “Run” and “RunOnce” keys in the Registry Ó Copying of Files into “System”, “System32” Ñ Is this Clear? Definable? Actionable? Some of the More Advanced Conditions That We Can Define Let’s Get Crazy…
- 42. { List of Conditions has been generated, what next? What Comes Next? Condition Detection Method Reliability Anti-‐‑Virus Detection Windows Event Log Very Reliable, Test Indicates an event generated on each detection in SYSTEM log Event Log Was Cleared Windows Event Log Very Reliable, an explicit event is created on clearing Excessive Incorrect Login Windows Event Log Reliable, so long as the account lockout se]ings in SECPOL.msc are set correctly
- 43. { Part 3 Create Operations Procedures
- 44. { Ñ Notifying Operators of Cyber Security Events is useless if the Operator has no action to take Ñ This guidance typically takes the form of Operational Procedures Ñ Each Event must have an appropriate action to be taken This is Now a Procedure Exercise Operator Actions
- 45. { Ñ “Notify Lead I&C Engineer by Phone” Ñ “Isolate Infected System From Network by Disconnecting Ethernet” Ñ “Call Out via Radio to check if invalid login is from authorized user” Be Succinct and Specific Guidelines for Actions
- 46. { Ñ No IT Administrative Functions Ñ No Maintenance Functions Ñ Limit the Analysis Necessary Ñ …and don’t give them someone else’s work Keep the Guidance within Operator’s Authorized Abilities Guidelines for Actions
- 47. { Personnel Responsible Trigger Actions Documentation An Operating Procedure has a few common characteristics Operating Procedures
- 48. Example Operating Procedure Bring up Example Procedure
- 49. { Ñ Case in Point – Conficker (MS08-‐‑67) Ó Highly Aggressive Worm which impacts network communication Ó Makes use of very reliable exploit in Server service Ó A]empts to brute force accounts Ó Spreads over USB and removable media as well Some Cyber Security Events may Cause Production Impacts Worst Case Scenario
- 50. { Ñ A Highly Aggressive worm like Conficker can have production consequences. Ó Continuing to operate while this is going on is risky. Ó Who makes the decision to halt production? Operator? Shift Supervisor? Plant Manager? Ñ Make sure the information gets to those make the decision. What guidance would prepare an operator for these Alarms? Worst Case Scenario
- 51. { Section 5 Present to Operator
- 52. { Ñ Most Cited: Ó The Alarm Management Handbook The High-‐‑Performance HMI Handbook. Ñ Wri]en by Bill Hollifield and Paul Gruhn Ó Of Course, Nothing Specific on Security There is already a lot of guidance on development of Operator Displays Operator Displays
- 53. { Ñ Help Operators Perceive the Important Security Data Ñ Give Operators Data-‐‑in-‐‑Context Ñ Help Them Comprehend the Situation in Terms of the Process Ñ Help Predict Future Status by Providing Trending Guidelines for Cyber Security Displays Operator Displays -‐‑ Tough right now… At least without giving access to an SIEM
- 54. Cyber Security Master Display Anti-‐‑Virus Status Display Users Status Display Removable Media Status Display Event Log Status Display Concept Operator Display
- 55. Mock Up
- 56. { Ñ Many HMIs can accept SNMP Traps Ó Often used for alerting when hosts stop communicating Ó Security tools can feed this, in certain conditions Ñ Security Logs don’t Translate Well into traditional displays Ó How do you ‘trend’ when you have thousands of event ids? Summary: Limited, and Nowhere Near Ideal Integration with the HMI
- 58. More Research at S4 Ñ Digital Bond’s S4 Conference in Miami Beach, January 2014 Ñ Got an Idea? Ó Submit a presentation! Ñ Details on DigitalBond.com