This presentation will review lessons learned from a deployment of behavior-based intrusion detection system (IDS) on a SCADA network that was part of a large-scale energy management system. The IDS architecture, sensor features, and sensor placement within the target SCADA environment proved to be key for successful detection of malicious activity. Challenges included simultaneous monitoring of multiple SCADA protocols (DNP3 and ICCP) across multiple network segments; monitoring of both encrypted and unencrypted network traffic; adapting to slow environment changes to minimize false positive output; and integration of the behavior-based IDS output into an existing monitoring system/SIEM

1. LESSONS LEARNED
FOR A BEHAVIOR-BASED IDS
IN THE ENERGY SECTOR
Jerry Crowley, PhD, Boeing
Cliff Gregory, PhD, SecurityMatters
Presentation to the 10th EnergySec Security Sumit8/23/2014

2. Background
 Boeing and a Regional Transmission Operator cooperated under a
DOE-1304 project to demonstrate advanced technology
solutions focused on cybersecurity in an energy management
environment on the US regional power grid
 DOE Benefits:
 Increased grid reliability
 Greater grid security
 Baseline for national grid replication

3. Background (cont)
 As a result of a Boeing cyber risk-based assessment, it was
determined to reduce uncovered risks by complementing an
existing signature-based IDS with a behavior-based IDS
 The SecurityMatters SilentDefense ICS product was selected as
an advanced yet mature technology

4. What was deployed
Privat
e
networ
k

5. Monitoring Objectives
 Monitor communications from members to control centers
 IP addresses of the members (including public IPs)
 Who initiates the connection (datacenter or member)
 Only ICCP and DNP3
 Unexpected behavior
 Monitor communications within the control centers
 What non-SCADA services/protocols are in use (e.g., SSH, SMTP, etc.)
 Unexpected traffic patterns

6. SilentDefense Architecture
SilentDefense
Monitoring Sensors
SilentDefense
Command Center
Web Client
One to many
relationship

7. How it was deployed
 Phase 1: Initial learning
 Capture traffic on site (PCAP files)
 Playback traffic in offline mode
 Use SilentDefense in learning mode
 Inspect the captured traffic
 Detect misconfigurations (e.g., non-compliant data)
 Evaluate learned traffic patterns
 Phase 2: Detection model fine-tuning
 Capture more traffic on site
 Process with SilentDefense in detection mode;
 Analyze generated alerts
 Refine model
 Phase 3: Live detection
 Deploy SilentDefense in detection mode to monitor live traffic.
Initial Learning
Fine-tune
Detection
Model
Live detection
Three-phase deployment minimized impact to operational system

8. DNP3 in depth
 SilentDefense ICS monitoring:
 Assures only “well-formed” DNP3 messages are passed
 Detects buffer overflow attacks
 Monitors health of remote RTUs - inspects internal indicators
 Validates MTUs do only intended operations - inspects function codes & data
point addresses
 Detects suspicious datalink communications - scanning RTU destinations
 Applies high-level access control - checking what data points are accessed
Detects anomalous traffic to the lowest level

9.  SilentDefense ICS monitoring:
 Assures only well-formed ICCP messages are exchanged by control centers
 Detects buffer overflow attacks
 Insures only intended messages are exchanged at all layers - no dangerous
COTP, session presentations, ACSE, MMS functionalities are used
 Applies “high-level” access controls - only allowed MMS domains, services and
domain name formats are used
 Detects malformed data structures - the structure of variables shared between
control centers changes
ICCP in depth
SilentDefense forwards alters to industry standard SIEMs

10. Detection Lessons Learned an IPS must:
 Be able to detect abnormal behavior
 Malicious and non-malicious
 Be able to detect behavior in multiple dimensions
 Protocol parameters
 Session
 Information
 Be able to detect across protocol stack layers (layers 3 thru 7)
Detection Model is automatically created for each SCADA environment

11.  Operator training is key to success
 General SilentDefense overview
 For SCADA engineers and security analysts
 Presentation of the findings obtained with the tool so far
 In depth SilentDefense training
 Security analysts only
 Configure/operate/maintain structure
 Hands-on using the live system
 SCADA Engineer’s involvement was critical
 SilentDefense alerted to abnormal, non-malleolus behavior
 e.g., obtain early warnings of when a device degradation or misconfiguration
 Allowed explanation to security analysts why they were observing certain
events
 Misconfigured devices
 Effects of devices restarting
Operational Lessons Learned
Detection Model is automatically created for each SCADA environment

12. General Operational Lessons Learned
 A sensor must contain features to accommodate slow
changes in traffic behavior and
 Be able to aggregate alerts that are generated for the same
reason
 Be able to easily analyze alerts, including raw traffic PCAPs
 Be able to easily update detection model(s) with “trim”
mechanisms
SilentDefense provides a simple intuitive user interface for analysis and forensics

13. Project demonstrated Energy Sector needs
 Easy Setup and Management
• Configuration with self-learning technology
• Legitimate input values automatically learned
• Be traffic non-blocking – keep human in the loop
 Compatible with technology solutions
• Natively interface with SIEM solutions:
• Understand ICS/SCADA Protocols
 Be Scalable & Adaptable
• Multiple Sensors for each command center
• Small form factor – 1U or smaller
• Compatible with environmentally hardened platform
• Deployable in redundant architectures

14. Contact Information
Jerry S. Crowley, PhD,
Sr Security System Engineer
The Boeing Company
Jerry.s.crowley@boeing.com
Clifford H. Gregory, PhD,
CEO – USA
SecurityMatters, LLC
Cliff.gregory@secmatters.com