This presentation will review lessons learned from a deployment of a behavior-based intrusion detection system (IDS) on a SCADA network that was part of a large-scale energy management system. The IDS architecture, sensor features, and sensor placement within the target SCADA environment proved to be key for successful detection of malicious activity. Challenges included simultaneous monitoring of multiple SCADA protocols (DNP3 and ICCP) across multiple network segments; monitoring of both encrypted and unencrypted network traffic; adapting to slow environment changes to minimize false positive output; and integration of the behavior-based IDS output into an existing monitoring system/SIEM.
Lessons Learned for a Behavior-Based IDS in the Energy Sector
1. LESSONS LEARNED
FOR A BEHAVIOR-BASED IDS
IN THE ENERGY SECTOR
Jerry Crowley, PhD, Boeing
Cliff Gregory, PhD, SecurityMatters
Presentation to the 10th EnergySec Security Summit, 8/23/2014
2. Background
Boeing and a Regional Transmission Operator cooperated under a
DOE-1304 project to demonstrate advanced technology
solutions focused on cybersecurity in an energy management
environment on the US regional power grid
DOE Benefits:
Increased grid reliability
Greater grid security
Baseline for national grid replication
3. Background (cont)
As a result of a Boeing cyber risk-based assessment, it was
determined to reduce uncovered risks by complementing an
existing signature-based IDS with a behavior-based IDS
The SecurityMatters SilentDefense ICS product was selected as
an advanced yet mature technology
5. Monitoring Objectives
Monitor communications from members to control centers
IP addresses of the members (including public IPs)
Who initiates the connection (datacenter or member)
Only ICCP and DNP3
Unexpected behavior
Monitor communications within the control centers
What non-SCADA services/protocols are in use (e.g., SSH, SMTP, etc.)
Unexpected traffic patterns
7. How it was deployed
Phase 1: Initial learning
Capture traffic on site (PCAP files)
Playback traffic in offline mode
Use SilentDefense in learning mode
Inspect the captured traffic
Detect misconfigurations (e.g., non-compliant data)
Evaluate learned traffic patterns
Phase 2: Detection model fine-tuning
Capture more traffic on site
Process with SilentDefense in detection mode;
Analyze generated alerts
Refine model
Phase 3: Live detection
Deploy SilentDefense in detection mode to monitor live traffic.
[Diagram: Initial Learning -> Fine-tune Detection Model -> Live detection]
Three-phase deployment minimized impact to operational system
8. DNP3 in depth
SilentDefense ICS monitoring:
Assures only “well-formed” DNP3 messages are passed
Detects buffer overflow attacks
Monitors health of remote RTUs - inspects internal indicators
Validates MTUs do only intended operations - inspects function codes & data point addresses
Detects suspicious datalink communications - scanning RTU destinations
Applies high-level access control - checking what data points are accessed
Detects anomalous traffic to the lowest level
9. ICCP in depth
SilentDefense ICS monitoring:
Assures only well-formed ICCP messages are exchanged by control centers
Detects buffer overflow attacks
Insures only intended messages are exchanged at all layers - no dangerous COTP, session, presentation, ACSE, MMS functionalities are used
Applies “high-level” access controls - only allowed MMS domains, services and domain name formats are used
Detects malformed data structures - the structure of variables shared between control centers changes
SilentDefense forwards alerts to industry standard SIEMs
10. Detection Lessons Learned: an IDS must:
Be able to detect abnormal behavior
Malicious and non-malicious
Be able to detect behavior in multiple dimensions
Protocol parameters
Session
Information
Be able to detect across protocol stack layers (layers 3 thru 7)
Detection Model is automatically created for each SCADA environment
11. Operational Lessons Learned
Operator training is key to success
General SilentDefense overview
For SCADA engineers and security analysts
Presentation of the findings obtained with the tool so far
In-depth SilentDefense training
Security analysts only
Configure/operate/maintain structure
Hands-on using the live system
SCADA Engineer’s involvement was critical
SilentDefense alerted to abnormal, non-malicious behavior
e.g., early warnings of device degradation or misconfiguration
Allowed explanation to security analysts of why they were observing certain events
Misconfigured devices
Effects of devices restarting
12. General Operational Lessons Learned
A sensor must contain features to accommodate slow changes in traffic behavior and
Be able to aggregate alerts that are generated for the same reason
Be able to easily analyze alerts, including raw traffic PCAPs
Be able to easily update detection model(s) with “trim” mechanisms
SilentDefense provides a simple intuitive user interface for analysis and forensics
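As an added illustration (not part of the deck and not SilentDefense code), a compact Python model of the learn-then-detect workflow from slides 7, 8 and 12: DNP3 request fragments are checked for well-formedness, an allow-list of master/outstation/function-code/object tuples is built in learning mode, deviations are alerted in detection mode, identical alerts are aggregated under one reason, and a "trim" call lets an operator fold a confirmed-benign alert into the model. Addresses, traffic and alert text are constructed for the example.

```python
from collections import Counter
FC_NAMES = {0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",  # DNP3 subset
            0x05: "DIRECT_OPERATE", 0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART"}
def parse_request(src, dst, fragment):
    """Parse control byte, function code and first object header (group,
    variation); a fragment that is not well-formed raises ValueError."""
    if len(fragment) < 2:
        raise ValueError("fragment shorter than application header")
    func = fragment[1]
    if func not in FC_NAMES:
        raise ValueError(f"unknown function code 0x{func:02x}")
    if func in (0x0D, 0x0E):             # restart requests carry no object header
        return (src, dst, func, None, None)
    if len(fragment) < 5:
        raise ValueError("object header truncated")
    return (src, dst, func, fragment[2], fragment[3])

class BehaviorModel:
    """Allow-list of (master, outstation, function, group, variation) tuples."""
    def __init__(self):
        self.allowed = set()
        self.alerts = Counter()           # same reason -> one aggregated entry
    def learn(self, req):                 # learning mode: observed traffic is baseline
        self.allowed.add(req)
    trim = learn                          # operator confirms an alerted tuple is benign
    def inspect(self, req):               # detection mode: alert text, or None
        if req in self.allowed:
            return None
        src, dst, func, group, var = req
        obj = f" g{group}v{var}" if group is not None else ""
        reason = f"{src}->{dst} unexpected {FC_NAMES[func]}{obj}"
        self.alerts[reason] += 1
        return reason

def run_demo():
    """Constructed traffic with hypothetical addresses: learning, then detection."""
    model = BehaviorModel()
    for src, dst, frag in [(1, 10, "c0011e0206"), (1, 10, "c001010206")]:  # polls
        model.learn(parse_request(src, dst, bytes.fromhex(frag)))
    detection = [(1, 10, "c0011e0206"),   # normal poll: no alert
                 (1, 10, "c0050c0117"),   # control output never seen in learning
                 (1, 10, "c0050c0117"),   # repeat: aggregated under the same reason
                 (99, 10, "c00d"),        # unknown master requests a cold restart
                 (1, 10, "c0ff")]         # malformed: unknown function code
    malformed = 0
    for src, dst, frag in detection:
        try:
            model.inspect(parse_request(src, dst, bytes.fromhex(frag)))
        except ValueError:
            malformed += 1
    return model.alerts, malformed
```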
13. Project demonstrated Energy Sector needs
Easy Setup and Management
• Configuration with self-learning technology
• Legitimate input values automatically learned
• Be traffic non-blocking – keep human in the loop
Compatible with technology solutions
• Natively interface with SIEM solutions
• Understand ICS/SCADA Protocols
Be Scalable & Adaptable
• Multiple Sensors for each command center
• Small form factor – 1U or smaller
• Compatible with environmentally hardened platform
• Deployable in redundant architectures
14. Contact Information
Jerry S. Crowley, PhD,
Sr Security System Engineer
The Boeing Company
Jerry.s.crowley@boeing.com
Clifford H. Gregory, PhD,
CEO – USA
SecurityMatters, LLC
Cliff.gregory@secmatters.com
Editor's Notes
A team comprised of Boeing and SecurityMatters engineers undertook the deployment of SilentDefense ICS into a major RTO in 2013. This discussion explains the challenges and advantages gained and the lessons learned about threats to critical infrastructure and their mitigation in real time.
Jerry talks
Jerry talks
Jerry Talks
Jerry talks. If place happens to be available, mention that SilentDefense was designed specifically for this function.
Cliff – this is the logical layout of our system; we use a one-to-many relationship between the command center and an array of sensors. You can build a redundant system depending on the need for reliability. In general, SilentDefense uses a web client to provide information to operators and can feed status data to SEM/SIEM devices.
Jerry Talks. What we heard from the customers in the US and EU was that it is critical to know when something is not normal, but also that SCADA and ICS networks change, and any system must adapt to those changes easily.
Jerry talks
Jerry talks
Jerry talks
Jerry talks
Kind of the bottom line of our deployment at a large RTO is that the energy sector needs these things for any IDS system to be accepted and for it to be an effective tool. Summarily, it needs to be easy to set up and manage; it needs to be compatible with the technologies that are being used within the existing network; it must be scalable and adaptable to both weather and deployment location. We also found that any system has to make it easy for the security analysts and SCADA engineers to do their job with greater efficiency. A learning system which builds whitelists and does not block necessary traffic but does notify operators of the abnormal behavior is the kind of system that is needed. SilentDefense ICS was built for this exact concept.
If you have questions or want to receive any information please feel free to contact either of us.