Lessons Learned for a Behavior-Based IDS in the Energy Sector


This presentation reviews lessons learned from a deployment of a behavior-based intrusion detection system (IDS) on a SCADA network that was part of a large-scale energy management system. The IDS architecture, sensor features, and sensor placement within the target SCADA environment proved to be key to successful detection of malicious activity. Challenges included simultaneous monitoring of multiple SCADA protocols (DNP3 and ICCP) across multiple network segments; monitoring of both encrypted and unencrypted network traffic; adapting to slow environment changes to minimize false-positive output; and integration of the behavior-based IDS output into an existing monitoring system/SIEM.

Speaker notes
  • A team of Boeing and SecurityMatters engineers undertook the deployment of SilentDefense ICS into a major RTO in 2013. This discussion explains the challenges met, the advantages gained, and the lessons learned about threats to critical infrastructure and their mitigation in real time.
  • Cliff: this is the logical layout of our system. We use a one-to-many relationship between the command center and an array of sensors. A redundant system can be built depending on the reliability required. In general, SilentDefense uses a web client to provide information to operators and can feed status data to SEM/SIEM devices.
  • Jerry: what we heard from customers in the US and EU was that it is critical to know when something is not normal, but also that SCADA and ICS networks change, and any system must adapt to those changes easily.
  • The bottom line of our deployment at a large RTO is that the energy sector needs these things for any IDS to be accepted and to be an effective tool. In summary, it needs to be easy to set up and manage; it needs to be compatible with the technologies already in use on the existing network; and it must be scalable and adaptable to both weather and deployment location. We also found that any system has to make it easy for security analysts and SCADA engineers to do their jobs with greater efficiency. A learning system that builds whitelists and does not block necessary traffic, but does notify operators of abnormal behavior, is the kind of system that is needed. SilentDefense ICS was built for this exact concept.
  • If you have questions or want to receive any information, please feel free to contact either of us.
Lessons Learned for a Behavior-Based IDS in the Energy Sector

    1. LESSONS LEARNED FOR A BEHAVIOR-BASED IDS IN THE ENERGY SECTOR Jerry Crowley, PhD, Boeing. Cliff Gregory, PhD, SecurityMatters. Presentation to the 10th EnergySec Security Summit, 8/23/2014
    2. Background  Boeing and a Regional Transmission Operator cooperated under a DOE-1304 project to demonstrate advanced technology solutions focused on cybersecurity in an energy management environment on the US regional power grid  DOE benefits:  Increased grid reliability  Greater grid security  Baseline for national grid replication
    3. Background (cont.)  As a result of a Boeing cyber risk-based assessment, it was decided to reduce uncovered risks by complementing the existing signature-based IDS with a behavior-based IDS  The SecurityMatters SilentDefense ICS product was selected as an advanced yet mature technology
    4. What was deployed  [Network diagram; only the label "Private network" survived extraction]
    5. Monitoring Objectives  Monitor communications from members to control centers  IP addresses of the members (including public IPs)  Who initiates the connection (datacenter or member)  Only ICCP and DNP3  Unexpected behavior  Monitor communications within the control centers  What non-SCADA services/protocols are in use (e.g., SSH, SMTP)  Unexpected traffic patterns
    6. SilentDefense Architecture  SilentDefense monitoring sensors  SilentDefense Command Center  Web client  One-to-many relationship between command center and sensors
    7. How it was deployed  Phase 1: Initial learning  Capture traffic on site (PCAP files)  Play back traffic in offline mode  Use SilentDefense in learning mode  Inspect the captured traffic  Detect misconfigurations (e.g., non-compliant data)  Evaluate learned traffic patterns  Phase 2: Detection model fine-tuning  Capture more traffic on site  Process with SilentDefense in detection mode  Analyze generated alerts  Refine model  Phase 3: Live detection  Deploy SilentDefense in detection mode to monitor live traffic  [Flow diagram: Initial learning → Fine-tune detection model → Live detection]  Three-phase deployment minimized impact to the operational system
    8. DNP3 in depth  SilentDefense ICS monitoring:  Ensures only well-formed DNP3 messages are passed  Detects buffer overflow attacks  Monitors health of remote RTUs - inspects internal indications (IIN)  Validates that MTUs perform only intended operations - inspects function codes and data point addresses  Detects suspicious data-link communications - scanning of RTU destinations  Applies high-level access control - checks which data points are accessed  Detects anomalous traffic down to the lowest protocol level
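The DNP3 checks listed on the slide above, carried out in working code as an added example; this is not SilentDefense code or anything from the Boeing/SecurityMatters project. A small Python monitor parses the DNP3 link, transport and application headers of constructed frames, verifies the CRC-16/DNP on the header and on every data block, checks that the link-layer DIR bit agrees with the source address, compares the master's function codes against an allowlist, flags a master that addresses more outstations than a threshold, and decodes the IIN1 health bits in outstation responses. The master and outstation addresses, the function-code allowlist, the scan threshold and every frame are assumptions constructed for the example.

```python
"""Added example, not SilentDefense or project code: a minimal DNP3 monitor
applying the checks from the 'DNP3 in depth' slide to constructed frames."""
from collections import defaultdict

START = b"\x05\x64"
# Application-layer function codes (IEEE 1815) referenced below
FC_NAME = {0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
           0x05: "DIRECT_OPERATE", 0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
           0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE"}
# IIN1 health bits an outstation sets in its responses
IIN1_FLAGS = {4: "NEED_TIME", 5: "LOCAL_CONTROL", 6: "DEVICE_TROUBLE", 7: "DEVICE_RESTART"}


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(src: int, dst: int, ctrl: int, user_data: bytes) -> bytes:
    """Link frame: 10-byte header, then user data in 16-byte blocks, each with a CRC."""
    hdr = START + bytes([5 + len(user_data), ctrl]) \
        + dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = hdr + dnp3_crc(hdr).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame


def parse_frame(frame: bytes):
    """Return (src, dst, ctrl, user_data); raise ValueError on any malformation."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing 0x0564 start bytes")
    if int.from_bytes(frame[8:10], "little") != dnp3_crc(frame[:8]):
        raise ValueError("link header CRC mismatch")
    length, ctrl = frame[2], frame[3]
    dst = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    if length < 5:
        raise ValueError("length field smaller than header")
    user, pos, remaining = b"", 10, length - 5
    while remaining:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2:
            raise ValueError("frame shorter than declared length")
        if int.from_bytes(crc, "little") != dnp3_crc(block):
            raise ValueError("data block CRC mismatch")
        user += block
        pos += n + 2
        remaining -= n
    if pos != len(frame):
        raise ValueError("trailing bytes after declared length")
    return src, dst, ctrl, user


class Dnp3Monitor:
    """Whitelist and behaviour checks; policy values are assumptions for the example."""

    def __init__(self, master, allowed_fc, known_outstations, scan_threshold=3):
        self.master = master
        self.allowed_fc = set(allowed_fc)
        self.known = set(known_outstations)
        self.scan_threshold = scan_threshold
        self.dst_seen = defaultdict(set)   # per-source set of addressed outstations

    def inspect(self, frame: bytes):
        try:
            src, dst, ctrl, user = parse_frame(frame)
        except ValueError as e:
            return [f"MALFORMED: {e}"]
        if len(user) < 3:   # transport octet + application control + function code
            return ["MALFORMED: user data too short for an application header"]
        fc, alerts = user[2], []
        if bool(ctrl & 0x80) != (src == self.master):   # DIR bit: 1 = from master
            alerts.append(f"LINK_DIR_BIT inconsistent with src={src}")
        if src == self.master:
            if dst not in self.known:
                alerts.append(f"UNKNOWN_OUTSTATION dst={dst}")
            self.dst_seen[src].add(dst)
            if len(self.dst_seen[src]) > self.scan_threshold:
                alerts.append(f"SCAN src={src} distinct_dst={len(self.dst_seen[src])}")
            if fc not in self.allowed_fc:
                alerts.append(f"DISALLOWED_FC {FC_NAME.get(fc, hex(fc))} to dst={dst}")
        elif fc in (0x81, 0x82) and len(user) >= 5:
            iin1 = user[3]   # first IIN octet follows the function code in responses
            alerts += [f"HEALTH {name} from outstation {src}"
                       for bit, name in IIN1_FLAGS.items() if iin1 & (1 << bit)]
        return alerts


def run_demo():
    """Constructed traffic: master 1 polls outstations 10-12; all addresses are made up."""
    mon = Dnp3Monitor(master=1, allowed_fc={0x01, 0x03, 0x04}, known_outstations={10, 11, 12})
    app = bytes([0xC0, 0xC0])   # transport FIR|FIN seq 0, application control FIR|FIN seq 0
    read = build_frame(1, 10, 0xC4, app + bytes([0x01, 0x3C, 0x02, 0x06]))   # READ class 1
    cold_restart = build_frame(1, 10, 0xC4, app + bytes([0x0D]))
    restart_resp = build_frame(10, 1, 0x44, app + bytes([0x81, 0x80, 0x00]))  # IIN1.7 set
    corrupted = bytearray(read)
    corrupted[5] ^= 0x01                                                      # flip a header bit
    sweep = [build_frame(1, d, 0xC4, app + bytes([0x01])) for d in (11, 12, 13, 14)]
    return {
        "read": mon.inspect(read),
        "cold_restart": mon.inspect(cold_restart),
        "restart_resp": mon.inspect(restart_resp),
        "corrupted": mon.inspect(bytes(corrupted)),
        "sweep": [mon.inspect(f) for f in sweep],
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts)
```

The CRC check is what makes the "well-formed" test meaningful: a frame whose header or block CRC fails is dropped before any function-code logic sees it, and the declared-length check refuses frames that are shorter or longer than they claim, which is where a crafted oversized payload would be caught. The function-code allowlist and the known-outstation set are the "high-level access control" of the slide; a production model would be learned from the baseline capture rather than typed in as here.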
    9. ICCP in depth  SilentDefense ICS monitoring:  Ensures only well-formed ICCP messages are exchanged by control centers  Detects buffer overflow attacks  Ensures only intended messages are exchanged at all layers - no dangerous COTP, session, presentation, ACSE or MMS functionality is used  Applies "high-level" access controls - only allowed MMS domains, services and domain name formats are used  Detects malformed data structures - the structure of variables shared between control centers changes  SilentDefense forwards alerts to industry-standard SIEMs
    10. Detection Lessons Learned  An IDS must:  Be able to detect abnormal behavior  Malicious and non-malicious  Be able to detect behavior in multiple dimensions  Protocol parameters  Session  Information  Be able to detect across protocol stack layers (layers 3 through 7)  Detection model is automatically created for each SCADA environment
    11. Operational Lessons Learned  Operator training is key to success  General SilentDefense overview  For SCADA engineers and security analysts  Presentation of the findings obtained with the tool so far  In-depth SilentDefense training  Security analysts only  Configure/operate/maintain the infrastructure  Hands-on using the live system  SCADA engineers' involvement was critical  SilentDefense alerted to abnormal, non-malicious behavior  e.g., early warning of device degradation or misconfiguration  Allowed them to explain to security analysts why certain events were observed  Misconfigured devices  Effects of devices restarting
    12. General Operational Lessons Learned  A sensor must contain features to accommodate slow changes in traffic behavior, and must:  Be able to aggregate alerts that are generated for the same reason  Be able to easily analyze alerts, including raw traffic PCAPs  Be able to easily update detection model(s) with "trim" mechanisms  SilentDefense provides a simple, intuitive user interface for analysis and forensics
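The learn-then-detect cycle of slide 7, the member-link objectives of slide 5 (who initiates the connection; only ICCP and DNP3 on member links) and the aggregation and "trim" requirements of slide 12, shown together as an added example that is not SilentDefense code or anything from the project. A whitelist model records connection keys during learning mode, alerts on anything outside them in detection mode, collapses repeated alerts for the same flow and reason into one counted line, and lets an analyst trim an accepted flow back into the model. The port-to-protocol map, the segment labels and all addresses and flows are constructed for the example.

```python
"""Added example, not SilentDefense or project code: a self-learning connection
whitelist with the learn / detect / trim cycle and alert aggregation from the
slides. All addresses, ports and flows are constructed for the example."""
from collections import Counter
from dataclasses import dataclass

# Assumed policy: services a member-to-control-center link may carry
SCADA_PORTS = {20000: "DNP3", 102: "ICCP"}


@dataclass(frozen=True)
class Flow:
    initiator: str   # address that opened the TCP session
    responder: str
    port: int        # service port on the responder
    segment: str     # "member" (WAN link) or "control-center" (internal)


class WhitelistModel:
    """Learning mode records flow keys; detection mode alerts on anything else."""

    def __init__(self):
        self.detecting = False
        self.allowed = set()
        self.pending = Counter()     # (key, reason) -> times seen, for aggregation

    @staticmethod
    def key(f: Flow):
        return (f.initiator, f.responder, f.port, f.segment)

    def _reason(self, f: Flow) -> str:
        if f.segment == "member" and f.port not in SCADA_PORTS:
            return "NON_SCADA_ON_MEMBER_LINK"
        if (f.responder, f.initiator, f.port, f.segment) in self.allowed:
            return "INITIATOR_REVERSED"     # a learned peer now opens the session
        return "NEW_FLOW"

    def observe(self, f: Flow):
        """Return an alert reason, or None when the flow is learned or already in the model."""
        k = self.key(f)
        if not self.detecting:
            self.allowed.add(k)
            return None
        if k in self.allowed:
            return None
        reason = self._reason(f)
        self.pending[(k, reason)] += 1
        return reason

    def alerts(self):
        """One line per distinct (flow, reason), busiest first, instead of one per packet."""
        return sorted(((k, r, n) for (k, r), n in self.pending.items()),
                      key=lambda item: -item[2])

    def trim(self, f: Flow):
        """Analyst accepts a flagged flow: fold it into the model and clear its alerts."""
        k = self.key(f)
        self.allowed.add(k)
        for item in [p for p in self.pending if p[0] == k]:
            del self.pending[item]


def run_demo():
    model = WhitelistModel()
    # Phase 1, constructed baseline capture: control center 10.0.0.5 polls the
    # member gateway 198.51.100.7 over DNP3 and reaches one internal host over SSH
    baseline = [Flow("10.0.0.5", "198.51.100.7", 20000, "member")] * 50 \
        + [Flow("10.0.0.5", "10.0.1.20", 22, "control-center")] * 5
    for f in baseline:
        model.observe(f)
    model.detecting = True                      # phases 2 and 3
    live = [
        Flow("10.0.0.5", "198.51.100.7", 20000, "member"),    # learned, stays silent
        Flow("198.51.100.7", "10.0.0.5", 20000, "member"),    # member now initiates
        Flow("198.51.100.7", "10.0.0.5", 22, "member"),       # SSH over the member link
        Flow("198.51.100.7", "10.0.0.5", 22, "member"),       # seen again: aggregated
        Flow("10.0.0.5", "10.0.1.21", 22, "control-center"),  # new internal SSH target
    ]
    results = [model.observe(f) for f in live]
    model.trim(live[4])   # SCADA engineer confirms 10.0.1.21 is a rebuilt host
    return results, model.alerts()


if __name__ == "__main__":
    results, alerts = run_demo()
    print(results)
    for key, reason, count in alerts:
        print(count, reason, key)
```

Keying on the initiator rather than on the unordered address pair is what makes the direction check possible: a DNP3 session opened from the member side towards the control center is a different key from the polling the model learned, so it surfaces as an alert even though both addresses and the port are known. Trimming only ever widens the model, which is the non-blocking, human-in-the-loop behaviour the slides describe; the analyst decides, the sensor never drops traffic.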
    13. Project demonstrated Energy Sector needs  Easy setup and management • Configuration with self-learning technology • Legitimate input values automatically learned • Non-blocking of traffic – keep the human in the loop  Compatible with existing technology solutions • Natively interface with SIEM solutions • Understand ICS/SCADA protocols  Scalable and adaptable • Multiple sensors for each command center • Small form factor – 1U or smaller • Compatible with environmentally hardened platforms • Deployable in redundant architectures
    14. Contact Information  Jerry S. Crowley, PhD, Sr Security System Engineer, The Boeing Company, Jerry.s.crowley@boeing.com  Clifford H. Gregory, PhD, CEO – USA, SecurityMatters, LLC, Cliff.gregory@secmatters.com