Using PI to Aggregate - PowerPoint PPT Presentation
1
Using PI to Aggregate and Correlate Security Events to Detect Cyber Attacks
Dale Peterson, Digital Bond, Inc.
2
Agenda
  • Hardening the PI Server
  • Architecture considerations
  • Using Bandolier to audit PI server security
  • Using PI to Detect Cyber Attacks
  • Dept of Energy funded research project
  • Digital Bond's Portaledge

3
PI Security 101
  • Architecture
  • Put PI servers in the right zone or zones
  • Do not allow access to control center for PI
  • Do not use two Ethernet cards and become a bridge
  • Leverage PI to PI communication to move between
    zones of different security levels
  • Is access to your PI data mission critical?

4
PI Security 101
  • OSIsoft provides guidance on securing PI
  • Digital Bond has yet to see it followed!!!
  • piadmin username and password for PI trusts
  • Bandolier
  • A Dept. of Energy funded research project

5
Identifying the Problem
  • How do we establish an optimal / best possible
    secure configuration for our control system
    servers?
  • How do we verify that this configuration has not
    changed over time?
  • Can we do this using existing security tools at a
    low or no additional cost?

6
Solution: Bandolier
7
Multiple Levels of Audit Tests
8
Bandolier Security Audit File
  • Batch file extracts security parameters from PI
  • Runs piconfig and a few other programs and dumps
    results to a file that can be audited
  • 222 Security Audit Checks
  • 26 Application Checks
  • 196 Operating System Checks

9
NERC CIP Compliance Aid
  • CIP-007 R1 Test Procedures
  • CIP-007 R2 Ports and Services
  • CIP-007 R5 Accounts and Services
  • CIP-007 R8 Vulnerability Assessment
  • See the SCADApedia Page

10
Nessus Compliance Check Plugin
  • Only uses one Nessus plugin!
  • Safer than traditional scanning
  • Secure management connection. NOT a Nessus scan!
  • Evaluates the known good not known bad
  • Exporting to OVAL/XCCDF for use in other
    vulnerability scanners and security tool
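The audit approach on the preceding slides (dump the server's security parameters to a file, evaluate them against a known-good baseline rather than scanning for known-bad, and verify the configuration has not changed over time) can be shown in a short script. This is an added example, not Bandolier's audit file or Nessus plugin: the `name=value` dump format, the parameter names and the expected values are constructed placeholders, not the real checks or real piconfig output.

```python
"""Known-good baseline check over a dumped parameter file (added example).

Assumptions (not from the slides): the dump is a plain 'name=value' text
file; every parameter name and expected value below is a constructed
placeholder standing in for a real audit check.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample dump, not real piconfig output.
SAMPLE_DUMP = """\
# constructed sample of an extracted security-parameter file
server.name=PI-HIST-01
trust.allow_any_host=0
security.default_access=r
accounts.piadmin_password_set=1
services.telnet=enabled
"""


@dataclass(frozen=True)
class Check:
    name: str        # parameter name in the dump
    expected: str    # the known-good value
    severity: str    # how bad a deviation is


# Constructed "known good" baseline: the audit asks whether each desired
# value is present, instead of looking for signatures of known-bad state.
KNOWN_GOOD = [
    Check("trust.allow_any_host", "0", "high"),
    Check("security.default_access", "r", "medium"),
    Check("accounts.piadmin_password_set", "1", "high"),
    Check("services.telnet", "disabled", "medium"),
    Check("audit.logging", "on", "low"),   # not in the dump -> reported as missing
]


def parse_dump(text):
    """Parse 'name=value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def evaluate(params, checks):
    """Return (name, status, observed) per check; status is pass/fail/missing."""
    results = []
    for c in checks:
        observed = params.get(c.name)
        if observed is None:
            status = "missing"      # parameter absent: cannot prove known-good
        elif observed == c.expected:
            status = "pass"
        else:
            status = "fail"
        results.append((c.name, status, observed))
    return results


def summarize(results):
    """Count results by status for a one-line report."""
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for _, status, _ in results:
        counts[status] += 1
    return counts


def fingerprint(params):
    """Stable SHA-256 over the sorted parameter set; store it after an
    approved audit so a later run can tell whether anything changed."""
    canon = "\n".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.sha256(canon.encode()).hexdigest()


def drifted(previous_fp, params):
    """True when the current parameter set differs from the approved one."""
    return fingerprint(params) != previous_fp


if __name__ == "__main__":
    current = parse_dump(SAMPLE_DUMP)
    for name, status, observed in evaluate(current, KNOWN_GOOD):
        print(f"{status:8} {name} (observed={observed})")
    print(summarize(evaluate(current, KNOWN_GOOD)))
    print("fingerprint:", fingerprint(current))
```

The point of `fingerprint` is the "has not changed over time" question from the Identifying the Problem slide: keep the hash of the last approved dump, and a later audit run only needs to recompute it to flag drift, before any check is re-evaluated.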

11
Bandolier Costs and Requirements
  • Prerequisites
  • Digital Bond Site Subscription
  • $100 / Year
  • Nessus Professional Feed Subscription
  • $1,200 / Year
  • Many organizations already have a Nessus
    subscription
  • Administrator credentials for PI server

12
Questions
13
Detecting Cyber Attacks
  • Security log events are everywhere
  • Firewalls, routers, switches
  • IDS/IPS
  • Server and workstation operating systems
  • SCADA and DCS applications, field devices,
  • Aggregate and evaluate events
  • Multiple events can decrease false positives
  • Multiple events can better

14
Security Event Managers (SEM)
  • A class of IT security product
  • ArcSight and LOGIIC
  • Aggregates and correlates security events
  • Used to detect attacks and forensics
  • Weakness: does not have interfaces to bring in
    control system information

15
Question?
  • What do we use in control systems to aggregate
    and analyze information?
  • A Historian
  • A PI Server

16
PI Historian Advantages over SEM
  • Already exist on many control systems
  • Especially in the energy sector
  • Already interface to control system devices and
    applications
  • Interface to IT devices and applications
  • Has an advanced correlation capability, ACE

17
Portaledge
  • A Digital Bond research project
  • Funded by the US Department of Energy
  • OSIsoft is a major partner and contributor
  • Goal: use PI Server as a SCADA SEM
  • Aggregate security events
  • Correlate security events using ACE
  • Alert when cyber attacks are detected

18
Event Taxonomy
19
Event Class Events
  • One or more Events in an Event Class with a
    commonality generate an Event Class Event
  • Commonalities: time, IP address,
  • Will contain a chain of Events
  • Length and diversity of chains can be used to
    measure confidence
  • Chains can be used for escalation process

20
Event Classes
  • Availability
  • Communication
  • Enumeration
  • Escalation
  • Exploitation
  • Obfuscation
  • Process Manipulation
  • Reconnaissance

21
Release Packages
  • Subscriber content on digitalbond.com
  • $100 / year, YES that's all
  • Business model is to get research deployed
  • FREE for 3 months for event attendees who ask me
    for a free subscription
  • Requires appropriate PI licenses
  • PI Server, SMT, ACE, Datalink, Excel

22
Release Package - I
  • Spreadsheet to create PI Tags with SMT plugin
  • Will require some customization for IP address
  • Will require copy / paste for multiple data
    sources
  • Spreadsheet to create modules, alias and
    properties in the Module Database
  • Alias PI Tag names for use in ACE
  • These are common functions for PI Admins

23
Release Package - II
  • ACE Modules
  • ACE Module DLL and related files
  • VB.NET files for customization if desired
  • Context spreadsheet to load ACE module using the
    SMT Module Database Plugin
  • Documentation
  • Detailed Portaledge documentation on SCADApedia
  • Notes and instructions available

24
Release Package - III
  • DataLink Display
  • Basic display that shows a scroll of Events
  • Customers can display results in a variety of
    ways
  • PI Users are highly experienced on displaying
    data
  • Future research to build security dashboard
  • Better way to display alerts so operators can
    escalate
  • Security metrics to show the security state of
    the system

25
Release Schedule
  • Released Today: Availability Event Class
  • Computer System Availability Event
  • Field Device Availability Event
  • Network Device Availability Event
  • Performance Degradation Availability Event 3
  • Simple Network Availability Event
  • Next: Enumeration Event Class
  • All complete in 2009

26
Questions
27
Contact Info
  • Dale Peterson, 954-303-7560
  • peterson_at_digitalbond.com
  • www.digitalbond.com for
  • Bandolier, Portaledge and other research
  • SCADA Security Blog and SCADApedia
  • Whitepapers, podcasts, presentations,