What we know
Facts about intrusions reveal the need for continuous monitoring, robust security operational processes and security analytics for ICS/SCADA networks: 78% of intrusions are by “not specialized” hackers, 76% of intrusions exploited weak or stolen credentials, 84% of intrusions happened in minutes, 66% of intrusions went undetected for months, and 69% of intrusions were first recognised by external parties.
Security Analytics for an ICS/SCADA network can:
- Identify who is doing what, when, why and how in your network:
  - Identify and evaluate threats to information assets based on pattern mapping and correlation
  - The presence or absence of a vulnerability
  - The likelihood of an exploit based on attack-path threat models
  - Configuration information which may indicate, for example, that a server is not accessible because a default setting has been changed
  - The presence of protective controls such as an intrusion prevention system
- Detect abnormalities in the network:
  - Map feeds from RTUs, IEDs and PMUs to intelligence information, outage management, oscillation management and customer behavior to predict threat actions
  - Identify the operations pattern in order to detect the presence of malware or a suspicious transaction within the ICS
  - The value the organization assigns to the asset or data
Although the above aspects may look trivial, any one of them can still bring down an ICS/SCADA network in less than a minute. Defenders therefore need to:
- Create a security monitoring platform that spans and correlates events and qualifies incidents across network layers L2 to L5 in the ICS
- Create vulnerability and threat maps and feed security defence mechanisms with the right information
- Periodically review security controls and operational processes
- Capture feeds from external threat intelligence sources to validate threat patterns
By applying the Business Context to threat preparation, security teams will be in a stronger position to confidently allocate resources in a controlled manner in line with the impact values placed on assets that may be simultaneously under attack by multiple yet unrelated threats. Security Analytics includes capturing and analyzing a variety of data such as DNS transactions, emails, documents, social media data, full packet capture data, and business process data; all collected over years of activity. Security Intelligence platforms can provide organizations with vital details of malicious activity present within the organization’s data through comprehensive analysis of structured and unstructured data.
Security Analytics leveraging a Big Data Platform
Most enterprises are moving from traditional Data Warehousing Platforms to the Big Data Platform in order to reduce the cost of operations and increase the speed of query execution, correlation and computing.
Big Data technology can be divided into two categories:
- Batch processing: This involves analytics applied to data at rest. Several tools help analysts create complex queries and run machine-learning algorithms over a working set of data that is reused repeatedly, which improves the efficiency of data mining and of advanced data analytics algorithms.
- Stream processing: This involves analytics applied to data in motion, mostly used for real-time processing. This considers information flow as notifications of events (patterns) that need to be aggregated and combined to produce high-level events.
The Impact of Big Data on the Critical Infrastructure
For instance, in the context of smart meter management, organizations are generally subject to multiple operational triggers (such as the triggering of meter disconnect commands). However, proper access controls need to ensure that these triggers are not initiated directly from the control center, thereby preventing the Meter Data Management logs from failing. This would eliminate the possibility of a DDoS (Distributed Denial of Service) style of attack. By creating behavioral patterns for control center commands and leveraging machine learning, companies can recognize and prevent such DDoS attempts.
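The following is an added illustration, not code from the article, of the two ideas above: stream-style aggregation of low-level events into a high-level event (the stream processing category described earlier) and a behavioral baseline for control center disconnect commands. It learns a per-window threshold from constructed historical counts, then flags any window whose disconnect volume exceeds the baseline and any disconnect issued by a source outside an allowed list. The event format, the five-minute window, the allowed-source list and the 3-sigma threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed per-window disconnect counts from a learning period.
# In practice these would be derived from weeks of Meter Data Management logs.
BASELINE_COUNTS = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 2, 3]

# Assumption: only the scheduler in the meter data management system may issue
# disconnects; operators in the control center are not an approved source.
ALLOWED_SOURCES = {"mdms-scheduler"}

# Constructed live stream: (timestamp, source, command, meter_id).
# The second five-minute window carries a burst of disconnects from one operator.
LIVE_EVENTS = [
    ("2024-03-01T10:00:05", "mdms-scheduler", "DISCONNECT", "M-1001"),
    ("2024-03-01T10:00:40", "mdms-scheduler", "READ", "M-1002"),
    ("2024-03-01T10:01:10", "mdms-scheduler", "DISCONNECT", "M-1003"),
    ("2024-03-01T10:05:01", "cc-operator-7", "DISCONNECT", "M-2001"),
    ("2024-03-01T10:05:09", "cc-operator-7", "DISCONNECT", "M-2002"),
    ("2024-03-01T10:05:17", "cc-operator-7", "DISCONNECT", "M-2003"),
    ("2024-03-01T10:05:25", "cc-operator-7", "DISCONNECT", "M-2004"),
    ("2024-03-01T10:05:33", "cc-operator-7", "DISCONNECT", "M-2005"),
    ("2024-03-01T10:05:41", "cc-operator-7", "DISCONNECT", "M-2006"),
]


def learn_threshold(counts, k=3.0):
    """Behavioral baseline: mean + k standard deviations of the per-window count."""
    return mean(counts) + k * pstdev(counts)


def window_start(ts, window_seconds):
    """Tumbling-window key computed from wall-clock fields (timezone independent)."""
    t = datetime.fromisoformat(ts)
    secs = t.toordinal() * 86400 + t.hour * 3600 + t.minute * 60 + t.second
    return secs - secs % window_seconds


def detect_disconnect_anomalies(events, threshold, allowed_sources, window_seconds=300):
    """Aggregate DISCONNECT events per window and raise high-level alerts."""
    alerts = []
    per_window = defaultdict(list)
    for ts, source, command, meter in events:
        if command != "DISCONNECT":
            continue
        if source not in allowed_sources:
            alerts.append({"type": "UNAUTHORIZED_SOURCE", "source": source,
                           "meter": meter, "time": ts})
        per_window[window_start(ts, window_seconds)].append(meter)
    for start, meters in sorted(per_window.items()):
        if len(meters) > threshold:
            alerts.append({"type": "DISCONNECT_STORM", "window_start": start,
                           "count": len(meters), "meters": meters})
    return alerts


if __name__ == "__main__":
    limit = learn_threshold(BASELINE_COUNTS)
    for alert in detect_disconnect_anomalies(LIVE_EVENTS, limit, ALLOWED_SOURCES):
        print(alert)
```

The storm rule fires on volume regardless of source, so it still catches a burst that arrives through an approved path, while the source rule catches a single disconnect that bypasses the access control described above; the two findings together are what an alert management system would correlate into one incident.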
Security Analytics for SmartGrids (Substation)
A real-world use case: preventing grid failure due to an anomaly
Preventing grid failure due to an anomaly requires the integration of a Security Analytics & Intelligence platform with multiple network traffic management systems or data collection points in a control center. The entire setup may take about 3-4 months to build a pattern base for anomalies. Inputs considered to build a pattern are typically inputs from the process LAN and Station LAN, such as sensor data, IED behavior, commands which trigger overloading of grids, changes in PMU oscillation, multiple login attempts, password reset attempts, mismatch of command initiation, the time slot for the execution, etc. By analyzing the converged network traffic in real time and mapping it to the security pattern base, security analytics can contextualize the patterns based on the rule sets to validate events and incidents, determine threat levels, and create a threat perception. It can also trigger alerts, notifications and remediation workflows based on a Set of Procedures (SOP) configured in Security Monitoring or Alert Management systems. This convergence helps get a unified view of the network, thereby enabling more efficient use of Security Analytics & Intelligence to prevent grid failure.
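As an added example (not the article's code, nor any vendor's), the block below sketches the pattern-base matching the use case describes: station-LAN login and command events are checked against rules for repeated failed logins, mismatch of command initiation (the workstation issuing a command is not the one expected for that IED) and execution outside the approved time slot; the matched rules are combined into a threat level per source/target pair, which then selects a remediation workflow from a small SOP table. The event fields, rule weights, the 08:00-18:00 window, the expected-initiator map and the workflow names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern base (constructed): which engineering workstation may command which IED,
# and the time slot in which commands are expected.
EXPECTED_INITIATOR = {"IED-BAY1": "eng-ws-01", "IED-BAY2": "eng-ws-01"}
MAINTENANCE_WINDOW = (8, 18)          # commands expected between 08:00 and 18:00
LOGIN_FAIL_LIMIT = 3                  # failed logins per source/target ...
LOGIN_FAIL_SPAN = timedelta(minutes=2)  # ... within this span

# Rule weights feed the threat level; the SOP table maps a level to a workflow.
WEIGHTS = {"LOGIN_BRUTE_FORCE": 40, "INITIATOR_MISMATCH": 35, "OUT_OF_WINDOW": 25}
SOP = [(70, "isolate-and-escalate"), (40, "analyst-review"), (0, "log-only")]

# Constructed station-LAN events: (time, kind, source, target, detail).
EVENTS = [
    ("2024-03-01T22:10:00", "login", "10.0.5.77", "IED-BAY1", "fail"),
    ("2024-03-01T22:10:20", "login", "10.0.5.77", "IED-BAY1", "fail"),
    ("2024-03-01T22:10:45", "login", "10.0.5.77", "IED-BAY1", "fail"),
    ("2024-03-01T22:11:05", "login", "10.0.5.77", "IED-BAY1", "ok"),
    ("2024-03-01T22:12:00", "command", "10.0.5.77", "IED-BAY1", "OPEN_BREAKER"),
    ("2024-03-01T09:30:00", "command", "eng-ws-01", "IED-BAY2", "READ_SETTINGS"),
    ("2024-03-01T19:05:00", "command", "eng-ws-01", "IED-BAY1", "READ_SETTINGS"),
]


def login_brute_force(events):
    """Flag a source/target pair with LOGIN_FAIL_LIMIT failures inside LOGIN_FAIL_SPAN."""
    findings, recent = [], defaultdict(list)
    for ts, kind, src, tgt, detail in events:
        if kind != "login" or detail != "fail":
            continue
        t = datetime.fromisoformat(ts)
        window = [x for x in recent[(src, tgt)] if t - x <= LOGIN_FAIL_SPAN]
        window.append(t)
        recent[(src, tgt)] = window
        if len(window) >= LOGIN_FAIL_LIMIT:
            findings.append(("LOGIN_BRUTE_FORCE", src, tgt, ts))
    return findings


def command_rules(events):
    """Check each command against the expected initiator and the time slot."""
    findings = []
    for ts, kind, src, tgt, detail in events:
        if kind != "command":
            continue
        t = datetime.fromisoformat(ts)
        if EXPECTED_INITIATOR.get(tgt) != src:
            findings.append(("INITIATOR_MISMATCH", src, tgt, ts))
        if not (MAINTENANCE_WINDOW[0] <= t.hour < MAINTENANCE_WINDOW[1]):
            findings.append(("OUT_OF_WINDOW", src, tgt, ts))
    return findings


def threat_level(findings):
    """Sum the weights of the distinct rules hit per source/target pair, capped at 100."""
    per_pair = defaultdict(set)
    for rule, src, tgt, _ in findings:
        per_pair[(src, tgt)].add(rule)
    return {pair: min(100, sum(WEIGHTS[r] for r in rules))
            for pair, rules in per_pair.items()}


def incidents(events):
    """Correlate all rule hits and attach the SOP workflow for each threat level."""
    findings = login_brute_force(events) + command_rules(events)
    out = []
    for (src, tgt), score in threat_level(findings).items():
        workflow = next(name for floor, name in SOP if score >= floor)
        out.append({"source": src, "target": tgt, "score": score, "workflow": workflow})
    return sorted(out, key=lambda i: -i["score"])


if __name__ == "__main__":
    for incident in incidents(EVENTS):
        print(incident)
```

Using distinct rule types rather than raw hit counts keeps the level from inflating on one noisy rule, and the out-of-window read from the approved workstation lands at the log-only tier, which is the kind of low-grade finding that only becomes interesting when correlated with other signals.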
Security management across organizations tends to be more mature for the enterprise side of the business than for the operational networks that form the bulk of critical infrastructure. These operational networks are still in the architecture transformation phase of moving from silos into a layered network architecture.
Implementing Security Analytics & Intelligence requires data feeds from all sources, be it security operations, management platforms, control center operations of grids, oscillations from the PMUs, frequency of the wind turbines, inputs from PLCs, changes to COMTRADE files, IED configurations, etc., along with feeds from unstructured data sources for computing and correlation. Though Security Analytics & Intelligence looks like an essential technology requirement in the context of Critical Infrastructure, the reality is that the sector is still preparing to embrace this platform by shredding the silos, deploying Defense-in-Depth security solutions, streamlining governance and classifying critical assets. Once these processes are adopted, Security Analytics & Intelligence will play an instrumental role in critical infrastructure protection.