Splunk software provides a scalable and versatile platform for the machine data generated by all of the devices, control systems, sensors, SCADA, networks, applications and end users connected by today's networks. In this session we will discuss and demo how you can use Splunk software to gain insights into machine data generated by devices and control systems. We’ll cover common themes in use cases, and show you how to access the free apps and add-ons that simplify the connection and collection of data from both industrial systems and the Internet of Things. In addition, we will introduce you to Splunk’s growing ecosystem of IoT- and industrial-focused technology partners.
12. Powerful IoT and Industrial Data Ecosystem
APIs, SDKs, App Framework, User Interface
Legacy Data and Sensors
IoT/ICS Security
IoT Platforms
Native Inputs
REST
Advanced Analytics and ML
Custom Interfaces
19. Why the Growing Interest in ICS Security?
Everyday Headlines
20. Existing ICS Security Problem Space
Drivers: Preventing Control System Service Interruption; Prevent Damage; Health and Safety of Employees; Meet Compliance
Weaknesses: Logging Capabilities; Reporting Capabilities; Correlation Between OT and IT; Data Silos
21. A New Approach to ICS Security is Needed
Analyze all relevant data
Contextual and Behavioral Relevance
Rapid learning loops and responses
Collaborative & Coordinated
Leverage IOC & Threat Intel
Fusion of Technology/People/Process
• Goal-oriented
• Human directed
• Multiple tools, steps & activities
• Dynamic
• New evasion techniques
• Coordinated
24. Connecting the “Data Dots”
Legend: Machine data; Traffic data; Abnormal behavior; High confidence event; Med confidence event; Low confidence event
Attack chain: Delivery, exploit, installation -> Gain trusted access -> Access Operations Environment -> Upgrade (escalate) -> Lateral movement
Data sources: Threat intelligence; Auth - User Roles; Host Activity/Security; Network Activity/Security; Control System LAN
Dots to connect: Malware download; Program installation; Access to ICS; Malware install; Malware & endpoint execution data; User on machine; Link to program and process; Authenticated sessions used to pivot into Control Systems LAN
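Added example, not from the deck or from Splunk: a small Python correlation over constructed network, host and auth events that chains the slide's stages per host and assigns the high/med/low confidence the slide mentions. The event fields, the stage predicates, the threat-intel list and the scoring thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
# Constructed sample events from three source types; the "host" field ties them together.
EVENTS = [
    {"time": 1, "source": "network", "host": "eng-ws-07", "user": "jdoe",
     "action": "download", "dest": "files.bad-example.test"},
    {"time": 2, "source": "host", "host": "eng-ws-07", "user": "jdoe",
     "action": "program_install", "name": "updater.exe"},
    {"time": 3, "source": "auth", "host": "eng-ws-07", "user": "jdoe",
     "action": "session_open", "role": "ics_operator"},
    {"time": 4, "source": "network", "host": "eng-ws-07", "user": "jdoe",
     "action": "connect", "dest": "10.50.0.12", "zone": "control_lan"},
    {"time": 5, "source": "host", "host": "hr-ws-02", "user": "asmith",
     "action": "program_install", "name": "meeting-client.exe"},
]
# Constructed stand-in for a threat-intel IOC feed (assumed, not a real list).
THREAT_INTEL = {"files.bad-example.test"}

# One predicate per kill-chain stage from the slide, in chain order.
STAGES = [
    ("delivery", lambda e: e["action"] == "download" and e.get("dest") in THREAT_INTEL),
    ("installation", lambda e: e["action"] == "program_install"),
    ("trusted_access", lambda e: e["action"] == "session_open" and e.get("role") == "ics_operator"),
    ("pivot_to_control_lan", lambda e: e["action"] == "connect" and e.get("zone") == "control_lan"),
]

def confidence(stage_count):
    """Assumed scoring: the more chained stages seen on one host, the higher the confidence."""
    if stage_count >= 3:
        return "high"
    return "med" if stage_count == 2 else "low"

def correlate(events):
    """Group events per host, record which stages appear in time order, and score each host."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        per_host[e["host"]].append(e)
    findings = {}
    for host, evs in per_host.items():
        seen = []
        for e in evs:
            for name, match in STAGES:
                if match(e) and name not in seen:
                    seen.append(name)
        findings[host] = {"stages": seen, "confidence": confidence(len(seen)),
                          "users": sorted({e["user"] for e in evs})}
    return findings
if __name__ == "__main__":
    for host, f in correlate(EVENTS).items():
        print(host, f["confidence"], " -> ".join(f["stages"]))
```

A lone program install (hr-ws-02) stays a low-confidence event, while the full chain on eng-ws-07 is reported as high confidence.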
POSCO is a multinational steelmaking company headquartered in Korea. They are the world’s 4th largest steelmaker.
Data for a single process comes from sensors, devices and servers. Each data type has a different format and different fields, and is stored in a different place. Existing SCADA tools only show current values; operators cannot see past data or trends over time.
For refinery operators to access data for investigations, they must get permission from the IT department in each factory, extract data from several databases into Excel files, mash it up, and compare levels and trends over time to deduce the root cause. Between obtaining permissions, transforming data and the actual analysis, investigations can take up to 2 weeks.
Perseus is an OI (operational intelligence) platform powered by Splunk that delivers three key capabilities, Experience Visualization, Operation Playback and Map Search, in order to bridge the OI gap for industrial customers who want operational visibility across their business infrastructure, unlike other siloed approaches.
Perseus can integrate, correlate, manipulate and visualize data together with content such as images, maps, SCADA, remote desktops and even live streaming video, using a next-generation UX technology called POD (Pixel On Demand), which is powered by N3N.
Most of all, Perseus is tightly integrated with Splunk in order to take advantage of its big data capabilities.
Experience Visualization – integrates all types of data needed to give operators complete operational visibility: video, links, documents, charts, tables, text and images.
Map Search – always search within the context of the current view. Clicking the “search” button brings up the search view with all of the metrics in the current view pre-selected. Operators can easily change the visualization to get a different perspective on the data.
Operation Playback – adjust the time range for any view in the Perseus UI to see the values of each component in the view at any point in the past. This is incredibly useful for troubleshooting where existing systems make it hard to access and manipulate past data.
Lumo Energy is an Australian energy retailer with several power stations throughout eastern Australia. It uses a customized SCADA (supervisory control and data acquisition) system to monitor and control its machinery and equipment. Lumo wanted to extend the capacity of its SCADA system to improve its ability to respond to price fluctuations in real time, and was also seeking more visibility into the infrastructure of its many power stations.
Lumo uses Splunk to automate its monitoring of base electricity prices and predictions, which are provided by the Australian Energy Market Operator (AEMO). Splunk indexes all of the inbound data from AEMO, runs analysis and calculations specific to Lumo, and then securely provides pricing execution proposals to the stations. This way, AEMO can better predict and react to pricing fluctuations, thereby maximizing revenue.
Lumo Energy also has greater control over its custom SCADA environment. Splunk dashboards display market demand and pricing information, power station status and output, resource utilization and other telemetry. Lumo Energy can respond faster to market fluctuations with greater operational intelligence and unparalleled visibility into plant and equipment efficiency. Splunk also provides fail-safe security for private online control of its energy assets operating in the Australian market.
Splunk’s customer, the Royal Flying Doctor Service (RFDS), uses Splunk to better manage the systems and aircraft through which it provides rural healthcare in Australia’s most remote environments. Sensor data from the cooling systems that keep medicine safe during transport, avionic data from the aircraft, and precise location data give the RFDS team a unique view into overall operations – which is incredibly important, as the number of medical flights they execute makes them the third largest Australian airline!
In addition to troubleshooting and operations using sensor data, RFDS management is able to re-purpose the precise location data to deliver a unique fundraising opportunity – Buy the Sky: buythesky.com.au
As planes service patients around Australia, individuals and businesses are able to sponsor patches of sky. As planes fly through these patches, Splunk alerts Salesforce, and a custom email is sent to the sponsors letting them know their money is being put to good use!
At CeBIT 2014, Volkswagen’s Data Lab chose Splunk to demonstrate the power of the machine data generated by their next generation of electric vehicle – the e-up.
There are some very interesting concepts and innovations in this dashboard. First is its capability to replay any vehicle’s journey for the selected time range. In the lower left, you can see the scrub controls, and vehicle activity is marked by a simple histogram. All available sensors on the vehicle are “played back” in real-time or fast-forward mode, including vehicle speed, engine RPM, battery status, vehicle range, outdoor temperature, and door and headlight status.
This is a great example of Splunk’s capabilities as a developer platform. Using Splunk 6’s built-in web framework, a web developer was quickly able to develop an engaging and compelling dashboard in far less time than it would have taken using traditional or competing web data frameworks.
What does this platform look like?
The platform consists of two layers: a core engine and an interface layer.
On top of the platform you can run a broad spectrum of content that supports use cases, ranging from application management and IT operations, to Enterprise Security (ES) and PCI compliance, to web analytics.
The core engine provides the basic services for real-time data input, indexing and search, as well as alerting, large-scale distributed processing and role-based access.
The interface layer consists of the basic UI for search, reporting and visualization – it contains the developer interfaces, the REST API and the SDKs.
The SDKs provide convenient access to core engine services in a variety of programming language environments.
These programmatic interfaces allow you to either:
extend Splunk,
integrate Splunk with other applications, or
build completely new applications from scratch that require the OI or analytical services that Splunk provides.
What makes ICS different:
Endpoints designed to have long life spans, with availability in mind
Usually have an embedded operating system and software
Limited memory and storage
Different components – HMI, Historian, PLC, Embedded
Cyber to physical – a software-based system that has the capability to have a physical effect
Let’s start with today’s ever-changing threat landscape:
With all the news on cyber attacks and security breaches, you know we are constantly up against three very sophisticated adversaries: the cyber criminals, the nation states, and also the malicious insiders; all going after the major stakes of our lives, our companies and our nation.
SANS SCADA Security Survey found that 70% of respondents are most concerned about “Preventing Control System Service Interruption” and are most worried about “HMI, Servers and Workstations”.
https://www.sans.org/reading-room/whitepapers/analyst/results-scada-security-survey-35135
One of the top ICS CERT Recommended Practices is to “Increase Logging Capabilities”. The other top recommendation is user behavior analysis.
https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
https://ics-cert.us-cert.gov/Recommended-Practices#nogo
Most technology in the ICS / SCADA industry is decades old, and the market is looking for new solutions.
Operations staff need solutions to decrease MTTR (mean time to repair) and keep facilities operational.
Security staff are looking for better visibility and monitoring capabilities for control systems.
Management wants to leverage IoT, ICS and SCADA data for better business intelligence solutions.
Audit often has regulatory requirements to meet and needs improved capabilities in reporting and compliance.
What role does Splunk’s solution play in the new security universe?
Splunk is the brain, the nerve center.
There are four key categories of solutions we work with: they bring the sensory information from endpoints to the network, contextual information from users to business apps, and threat trends and visibility at a global level.
(It is about intelligence: collecting information, deriving intelligence and sharing it!)
Intelligence sharing is front and center of the White House security summit, and we are enabling our customers to do exactly that!
Without our sponsors we couldn’t be here today. So please stop by outside this room in the pavilion. Thanks to all of you for being here and most of all sponsoring our happy hour!