Stories from the Trainyard:
Interesting things I learned!
Presented By: Patrick Kelley
Critical Path Security 2020
Why were we there?
• Logs Lie…
  – Even if they aren’t lying, the technology is dated.
• Intrusion Detection Systems at the border only tell a portion of the story.
• Signature-based detection is quick, but often ineffective.
  – Too many false positives!
• Visibility must be multi-dimensional and contextual.
  – It must be enriched with outside data!
What is a multi-directional, contextual detection network sensor?
Problem: Traditional IDS appliances grade all indicators based on CVSS or arbitrary grading, without considering contextual factors specific to the environment.
  – Solution: Correlating Suricata and Zeek-IDS flow data gives teams the ability to apply custom grading based on the context, type, and amount of correlated events.
Problem: Black box recorders can only record for a finite period of time.
  – Solution: Sensors are limited only by available storage, which is far easier to allocate. In short, the data retrieved can save lives. Sensors become more than myopic security devices: they can become flight data recorders.
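The correlation described above, as an added example that is not part of the original deck or of Critical Path Security's tooling: it joins Suricata eve.json alerts to Zeek conn.log records on the 5-tuple, then grades each alert from the environment context (which subnet the destination sits on, what service Zeek identified, whether the connection completed, how many correlated alerts the same source raised) instead of from the signature's severity alone. All records, subnets, signature ids and scoring weights are constructed placeholders.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample input (not real sensor data): two Suricata alerts from the
# same source against a Modbus server, plus one low-severity office-network alert.
SURICATA_EVE = [
    '{"timestamp":"2020-01-04T14:49:18.766+0000","event_type":"alert","src_ip":"10.255.255.17",'
    '"src_port":51234,"dest_ip":"10.0.8.20","dest_port":502,"proto":"TCP",'
    '"alert":{"signature":"EXAMPLE Modbus write to holding register","signature_id":9000001,"severity":2}}',
    '{"timestamp":"2020-01-04T14:49:19.001+0000","event_type":"alert","src_ip":"10.255.255.17",'
    '"src_port":51235,"dest_ip":"10.0.8.20","dest_port":502,"proto":"TCP",'
    '"alert":{"signature":"EXAMPLE Modbus write to holding register","signature_id":9000001,"severity":2}}',
    '{"timestamp":"2020-01-04T14:50:02.130+0000","event_type":"alert","src_ip":"10.0.1.5",'
    '"src_port":40000,"dest_ip":"10.0.1.9","dest_port":80,"proto":"TCP",'
    '"alert":{"signature":"EXAMPLE generic web scanner UA","signature_id":9000002,"severity":3}}',
]
# Constructed Zeek conn.log records (JSON output) for the same three flows.
ZEEK_CONN = [
    '{"ts":1578149358.7,"uid":"C1","id.orig_h":"10.255.255.17","id.orig_p":51234,"id.resp_h":"10.0.8.20",'
    '"id.resp_p":502,"proto":"tcp","service":"modbus","duration":0.8,"orig_bytes":120,"resp_bytes":64,"conn_state":"SF"}',
    '{"ts":1578149359.0,"uid":"C2","id.orig_h":"10.255.255.17","id.orig_p":51235,"id.resp_h":"10.0.8.20",'
    '"id.resp_p":502,"proto":"tcp","service":"modbus","duration":0.7,"orig_bytes":118,"resp_bytes":64,"conn_state":"SF"}',
    '{"ts":1578149402.1,"uid":"C3","id.orig_h":"10.0.1.5","id.orig_p":40000,"id.resp_h":"10.0.1.9",'
    '"id.resp_p":80,"proto":"tcp","service":"http","duration":0.1,"orig_bytes":300,"resp_bytes":1200,"conn_state":"SF"}',
]
# Environment context (constructed): which subnets are control vs. office networks.
ASSET_CONTEXT = {"10.0.8.0/24": "control", "10.0.1.0/24": "office"}
ICS_SERVICES = {"modbus", "dnp3", "enip", "s7comm"}
SEVERITY_BASE = {1: 60, 2: 40, 3: 20}   # Suricata severity 1 is the most severe


def flow_key(src, sport, dst, dport, proto):
    """Normalised 5-tuple so Suricata ("TCP") and Zeek ("tcp") records match."""
    return (src, int(sport), dst, int(dport), proto.lower())


def index_zeek_conn(conn_lines):
    idx = {}
    for line in conn_lines:
        r = json.loads(line)
        idx[flow_key(r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"], r["proto"])] = r
    return idx


def zone_of(ip, context=ASSET_CONTEXT):
    addr = ipaddress.ip_address(ip)
    for cidr, zone in context.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "unknown"


def grade_alerts(eve_lines, conn_lines, context=ASSET_CONTEXT):
    """Return one graded record per Suricata alert, enriched with its Zeek flow."""
    conn_idx = index_zeek_conn(conn_lines)
    alerts = [a for a in map(json.loads, eve_lines) if a.get("event_type") == "alert"]
    # "amount of correlated events": alerts per (source, signature) pair
    hits = defaultdict(int)
    for a in alerts:
        hits[(a["src_ip"], a["alert"]["signature_id"])] += 1
    graded = []
    for a in alerts:
        flow = conn_idx.get(flow_key(a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"], a["proto"]))
        score = SEVERITY_BASE.get(a["alert"]["severity"], 10)
        reasons = []
        if zone_of(a["dest_ip"], context) == "control":
            score += 25
            reasons.append("destination is on a control network")
        if flow is None:
            reasons.append("no matching Zeek flow (sensor gap or asymmetric capture)")
        else:
            if flow.get("service") in ICS_SERVICES:
                score += 15
                reasons.append(f"Zeek identified service={flow['service']}")
            if flow.get("conn_state") == "SF":
                score += 10
                reasons.append("connection completed normally (SF), not just a probe")
        n = hits[(a["src_ip"], a["alert"]["signature_id"])]
        if n > 1:
            score += 5 * (n - 1)
            reasons.append(f"{n} correlated alerts from the same source")
        graded.append({
            "signature_id": a["alert"]["signature_id"],
            "base_severity": a["alert"]["severity"],
            "score": min(score, 100),
            "zeek_uid": flow["uid"] if flow else None,
            "reasons": reasons,
        })
    return graded


if __name__ == "__main__":
    print(json.dumps(grade_alerts(SURICATA_EVE, ZEEK_CONN), indent=2))
```

The two Modbus alerts, identical in Suricata's eyes to any other severity-2 hit, climb to the top of the list because Zeek confirms a completed Modbus session into a control subnet from a source that has already tripped the same signature twice; the office-network scanner alert stays low. The weights are the part a team tunes per site.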
What makes an effective network security platform?
• Blended IDS technologies
  Zeek-IDS is great for behavioral indicators, but Suricata is updated more frequently for atomic indicators.
  – You have to start somewhere. The middle of 2 million raw DNS flows isn’t that place.
• Logging with enhanced fidelity (JSON > syslog)
• Portability (not every environment has a rack)
• Intelligence is applied where all atomic indicators can be correlated and acted upon, regardless of collection point.
  – Move this action away from the sensor itself.
• Zeek-IDS fallback analyzers are your friend.
The objectives
• Detect cyber incidents in time to permit effective response and recovery
• Expand visibility and monitoring capabilities within manufacturing control systems, networks, and devices
• Reduce opportunities for disruptive cyber incidents by providing real-time monitoring and anomaly-detection alerts
• Support the oversight of resources (e.g., IT, personnel, data)
• Enable faster incident-response times, fewer incidents, and shorter downtimes (REDUCE DWELL)
Don’t blow the budget!!!
Where to place sensors to get the most value in OT/IT environments
• Ingress/Egress (obvious)
• In between VLANs (should be obvious)
• Between the Office, Plant, and Control networks in ICS environments. Expand to include PTC.
• At remote sites
• Integrated into Deception Technology networks
• Dynamic environments where system log forwarding is easily forgotten (example: that DevOps box in the corner…)
• Wherever you can make it fit on a train or vessel! Lots of Velcro.
Simulating Attack Traffic
Challenges experienced when placing sensors in high value OT/IT environments
You don’t always have rackspace!
You don’t always have a protocol analyzer written.
Example: Integration into trains requires proprietary cables to J5 ports, and it can be difficult to find suitable power.
Bring batteries. Lots of batteries.
IT/OT Communications Aren’t Always Stable
Backpressure: It is common for communication between a Locomotive and the Back Office to be severed and re-routed across different links, with different verbosity. As illustrated above, it can choose between 220 MHz radio, Cellular, and WiFi to the Wayside.
For that reason, the ability to apply backpressure and store-and-forward messages is most important. Without proper adherence to time, you can’t build an accurate narrative.
“You can’t properly build a narrative around an event without proper adherence to time.”
However, some of the information collected is really interesting, if you can make it work.
{"ts":1536324083.512216,"uid":"5b9271d60000000000002a50","id.orig_h":"10.255.255.17","id.orig_p":4096,"id.resp_h":"10.255.255.255","id.resp_p":22001,"nmea_msgid":"GPRMC","gps_time":"200626.934","latitude":3610.372304,"latitude_dir":"N","longitude":8646.492506,"longitude_dir":"W","checksum":"*15","checksum_verified":true,"validity":"A","sog":2.61,"cmg":244.29,"dof":"040117","mv":0.0,"mv_dir":""}
"payload_len":1460,"excerpt":"\u00ff\u00ff\u0000h\u00ff\u0097\u0000\u0000\u0001\u0008\u0083\u0001\u0000\u0010\u0000^<2>WARN:2017/01/04 14:49:18.766:BRAKE_INTERFACE:","excerpt_size":64,"payload_size":1460}
{"ts":1536324073.413067,"uid":"5b9271e900000000000054fb"
…REALLY interesting.
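The first record above is the output of a Zeek NMEA analyzer for a GPRMC sentence. As an added example (not the deck's or Critical Path Security's own analyzer, which would be written in Zeek script), the Python below shows what such an analyzer has to do to produce those fields: frame the sentence, XOR-verify the checksum, split the positional fields, and optionally convert the receiver's ddmm.mmmm form to decimal degrees. The sentence is constructed from the field values in the log record; the `*15` checksum is exactly what the XOR rule yields for it.

```python
# Constructed GPRMC sentence built from the field values in the log record above.
# NMEA checksum: XOR of every character between the leading '$' and the '*'.
SAMPLE_GPRMC = "$GPRMC,200626.934,A,3610.372304,N,08646.492506,W,2.61,244.29,040117,,*15"


def nmea_checksum(body: str) -> int:
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def _num(field: str):
    """Empty NMEA fields are legal; report them as None rather than failing."""
    return float(field) if field else None


def parse_gprmc(sentence: str) -> dict:
    """Parse one GPRMC sentence into the same field names the Zeek log uses."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not a framed NMEA sentence")
    body, _, tail = sentence[1:].partition("*")
    given = tail[:2]
    try:
        expected = int(given, 16)
    except ValueError:          # garbage where the hex checksum should be
        expected = -1
    fields = body.split(",")
    if fields[0] != "GPRMC" or len(fields) < 12:
        raise ValueError("not a GPRMC sentence")
    return {
        "nmea_msgid": fields[0],
        "gps_time": fields[1],
        "validity": fields[2],          # 'A' = data valid, 'V' = receiver warning
        "latitude": _num(fields[3]),    # ddmm.mmmm, as the receiver emits it
        "latitude_dir": fields[4],
        "longitude": _num(fields[5]),   # dddmm.mmmm
        "longitude_dir": fields[6],
        "sog": _num(fields[7]),         # speed over ground, knots
        "cmg": _num(fields[8]),         # course made good, degrees true
        "dof": fields[9],               # date of fix, ddmmyy
        "mv": _num(fields[10]) or 0.0,  # magnetic variation, 0.0 when absent
        "mv_dir": fields[11],
        "checksum": "*" + given,
        "checksum_verified": nmea_checksum(body) == expected,
    }


def to_decimal_degrees(value, direction):
    """Convert NMEA (d)ddmm.mmmm plus hemisphere letter to signed decimal degrees."""
    if value is None:
        return None
    degrees = int(value // 100)
    minutes = value - degrees * 100
    dec = degrees + minutes / 60.0
    return -dec if direction in ("S", "W") else dec


if __name__ == "__main__":
    rec = parse_gprmc(SAMPLE_GPRMC)
    print(rec)
    print(to_decimal_degrees(rec["latitude"], rec["latitude_dir"]),
          to_decimal_degrees(rec["longitude"], rec["longitude_dir"]))
```

Keeping `checksum_verified` as a field rather than discarding bad sentences is deliberate: on a noisy serial or UDP broadcast link (note the record's destination is 10.255.255.255) a run of failed checksums is itself a signal worth logging, and the fix data should not be trusted for the narrative until the flag is true.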
So… we enrich indicators with Zeek-IDS flows
• ICS networks react unpredictably when traditional firewall, IPS/IDS and endpoint protection controls are introduced.
• You can’t “scan” networks to find vulnerabilities. You must be able to find value in a passive manner.
How to ingest, process, and transport data safely
We have to make it actionable...
Several options are readily available for safely transferring data to aggregation:
• Splunk with signed certificates
• Secure Logstash
• SSL curl direct to Elasticsearch from Zeek
• Elasticsearch with certs, encryption, etc.
For the case of working with Zeek-IDS and Suricata, we find Kafka to be the most stable option available when working with Raspberry Pi devices. This requires a dedicated Kafka server and Zookeeper to be present.
Lessons Learned
• For Raspberry Pi devices, centralize on the Zeek-IDS build that works best on the platform. Most often, sub-versions are going to be problematic.
• MicroSD cards fail over time. They last long enough for most onsite work.
• Ingest the SPAN/TAP traffic using the interface ON the board. Backhaul over USB Ethernet or WiFi.
• Splunk works, but Zeek-IDS protocol data can be heavy. You’ll exhaust Splunk licenses relatively quickly.
• Log verbosity requires significant consideration, as trains can pass data over 220 MHz radio, Cellular, or WiFi. You don’t want to DoS PTC (Positive Train Control) or other sensitive systems.
Where to go from here
Easy...
• Develop additional protocol analyzers. Make them good! Make them verbose!
  – Embrace the fallback analyzers.
• Reduce the difficulty of maintaining a lightweight Zeek-IDS profile.
Hard…
• Develop sensing methods for altering log verbosity and the aggregation destination based on the available WAN link. Route determination is critical! Verbose logs over radio could be disruptive to some environments.
• Upgrading OT environments that are constantly moving or require significant oversight. In short, upgrading thousands of moving freight trains is hard.
• Find a more efficient method for transferring data from air-gapped networks.
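The backpressure and store-and-forward requirement from the "IT/OT Communications Aren't Always Stable" slide and the "Hard" item above about altering log verbosity per WAN link are two halves of the same mechanism. As an added example (not code from the deck or from Critical Path Security), the Python below models an on-sensor spool that keeps every record ordered by its sensor timestamp, sends only the verbosity tiers the current link may carry (alerts only over 220 MHz radio, alerts plus conn summaries over cellular, everything over WiFi), caps how much one flush may push over a narrow link, and sheds the least important records first when the spool fills. The tier names, link profiles, budgets and the demo scenario are all constructed policy, not the project's.

```python
import heapq
from dataclasses import dataclass, field
from typing import List, Optional

# Verbosity tiers, lowest number = most important. Suricata alerts always travel;
# Zeek conn summaries are medium; per-protocol logs (nmea, modbus, ...) are the
# heavy class that must not be pushed over a narrow radio link.
TIERS = {"alert": 0, "conn": 1, "proto": 2}

# Constructed link policy: which tiers a link may carry and how many records a
# single flush may send, so a slow link is never flooded by a backlog.
LINK_PROFILE = {
    "radio_220": {"max_tier": 0, "budget": 2},
    "cellular":  {"max_tier": 1, "budget": 50},
    "wifi":      {"max_tier": 2, "budget": 10_000},
}


@dataclass(order=True)
class Record:
    ts: float                          # sensor (event) time, never the send time
    tier: str = field(compare=False)
    body: str = field(compare=False)


class StoreAndForward:
    """Bounded on-sensor spool that forwards in sensor-timestamp order."""

    def __init__(self, spool_limit: int = 1000):
        self.spool: List[Record] = []  # min-heap keyed on Record.ts
        self.spool_limit = spool_limit
        self.dropped = 0

    def ingest(self, rec: Record) -> bool:
        if len(self.spool) >= self.spool_limit:
            # Backpressure: shed the least important (then oldest) spooled record,
            # unless the newcomer is no more important than anything spooled.
            victim = min(self.spool, key=lambda r: (-TIERS[r.tier], r.ts))
            if TIERS[victim.tier] <= TIERS[rec.tier]:
                self.dropped += 1
                return False
            self.spool.remove(victim)
            heapq.heapify(self.spool)
            self.dropped += 1
        heapq.heappush(self.spool, rec)
        return True

    def flush(self, link: Optional[str]) -> List[Record]:
        """Send what the current link allows, oldest event first; keep the rest."""
        if link is None:               # link down: everything stays spooled
            return []
        profile = LINK_PROFILE[link]
        sent, held = [], []
        while self.spool and len(sent) < profile["budget"]:
            rec = heapq.heappop(self.spool)
            (sent if TIERS[rec.tier] <= profile["max_tier"] else held).append(rec)
        for rec in held:               # too verbose for this link: wait for a better one
            heapq.heappush(self.spool, rec)
        return sent


def demo() -> dict:
    """Constructed scenario: link drops, comes back as 220 MHz radio, then
    climbs through cellular to WiFi. Returns the event timestamps sent per link."""
    sf = StoreAndForward()
    for ts, tier, body in [
        (1.0, "proto", "nmea GPRMC fix"),
        (2.0, "conn", "conn 10.255.255.17 -> 10.0.8.20/502"),
        (3.0, "alert", "sid 9000001"),
        (4.0, "alert", "sid 9000001"),
        (5.0, "alert", "sid 9000002"),
    ]:
        sf.ingest(Record(ts, tier, body))
    return {
        "down": [r.ts for r in sf.flush(None)],
        "radio": [r.ts for r in sf.flush("radio_220")],
        "cellular": [r.ts for r in sf.flush("cellular")],
        "wifi": [r.ts for r in sf.flush("wifi")],
        "left": len(sf.spool),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry the slide's argument. First, `Record.ts` is the sensor's event time and is the only sort key, so the aggregator receives the ordered sequence `alert@3, alert@4` over radio and `conn@2` minutes later over cellular, yet can still lay them on one timeline; the arrival time is deliberately not part of the record. Second, the radio budget of two records per flush means a backlog of alerts drains over several flushes rather than in one burst, which is the "don't DoS PTC" lesson expressed as a number a team can tune.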
Thank you!
Twitter: @pkelley2600
LinkedIn: https://www.linkedin.com/in/pmkelley/

More Related Content

What's hot

Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016
Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016
Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016
David Glover
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
NUS-ISS
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9
Arvind Tiwary
 
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for businessCreator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Paul Evans
 
“Video Activity Recognition with Limited Data for Smart Home Applications,” a...
“Video Activity Recognition with Limited Data for Smart Home Applications,” a...“Video Activity Recognition with Limited Data for Smart Home Applications,” a...
“Video Activity Recognition with Limited Data for Smart Home Applications,” a...
Edge AI and Vision Alliance
 
Introduction to Fog
Introduction to FogIntroduction to Fog
Introduction to Fog
Cisco DevNet
 
利用电脑视觉与人工智能 创造更多物联网价值
利用电脑视觉与人工智能 创造更多物联网价值 利用电脑视觉与人工智能 创造更多物联网价值
利用电脑视觉与人工智能 创造更多物联网价值
John Chang
 
DDS for Internet of Things (IoT)
DDS for Internet of Things (IoT)DDS for Internet of Things (IoT)
DDS for Internet of Things (IoT)
Abdullah Ozturk
 
IoT Panel- Cisco and Intel
IoT Panel- Cisco and Intel IoT Panel- Cisco and Intel
IoT Panel- Cisco and Intel
Bessie Wang
 
The Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating SystemThe Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating System
Kaspersky Lab
 
deceptionGUARD by GrayMatter
deceptionGUARD by GrayMatterdeceptionGUARD by GrayMatter
deceptionGUARD by GrayMatter
GrayMatter
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the Internet
Nathan Wallace, PhD, PE
 
IoT Panel, Part II: Security for Silicon, Software, and Sensors
IoT Panel, Part II: Security for Silicon, Software, and SensorsIoT Panel, Part II: Security for Silicon, Software, and Sensors
IoT Panel, Part II: Security for Silicon, Software, and Sensors
Real-Time Innovations (RTI)
 
Why is DDS the Right Technology for the Industrial Internet?
Why is DDS the Right Technology for the Industrial Internet?Why is DDS the Right Technology for the Industrial Internet?
Why is DDS the Right Technology for the Industrial Internet?
Real-Time Innovations (RTI)
 
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive toolOpen Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Sylvain Martinez
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
Julien Vermillard
 
Architecting Azure (I)IoT Solutions @ IoT Saturday 2019
Architecting Azure (I)IoT Solutions @ IoT Saturday 2019Architecting Azure (I)IoT Solutions @ IoT Saturday 2019
Architecting Azure (I)IoT Solutions @ IoT Saturday 2019
pietrobr
 
IoT Security by Sanjay Kumar
IoT Security by Sanjay KumarIoT Security by Sanjay Kumar
IoT Security by Sanjay Kumar
OWASP Delhi
 

What's hot (20)

Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016
Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016
Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9
 
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for businessCreator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
 
ioT-SecurityECC-v1
ioT-SecurityECC-v1ioT-SecurityECC-v1
ioT-SecurityECC-v1
 
“Video Activity Recognition with Limited Data for Smart Home Applications,” a...
“Video Activity Recognition with Limited Data for Smart Home Applications,” a...“Video Activity Recognition with Limited Data for Smart Home Applications,” a...
“Video Activity Recognition with Limited Data for Smart Home Applications,” a...
 
Introduction to Fog
Introduction to FogIntroduction to Fog
Introduction to Fog
 
利用电脑视觉与人工智能 创造更多物联网价值
利用电脑视觉与人工智能 创造更多物联网价值 利用电脑视觉与人工智能 创造更多物联网价值
利用电脑视觉与人工智能 创造更多物联网价值
 
DDS for Internet of Things (IoT)
DDS for Internet of Things (IoT)DDS for Internet of Things (IoT)
DDS for Internet of Things (IoT)
 
IoT Panel- Cisco and Intel
IoT Panel- Cisco and Intel IoT Panel- Cisco and Intel
IoT Panel- Cisco and Intel
 
The Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating SystemThe Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating System
 
deceptionGUARD by GrayMatter
deceptionGUARD by GrayMatterdeceptionGUARD by GrayMatter
deceptionGUARD by GrayMatter
 
IoT-SecurityECC-v4
IoT-SecurityECC-v4IoT-SecurityECC-v4
IoT-SecurityECC-v4
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the Internet
 
IoT Panel, Part II: Security for Silicon, Software, and Sensors
IoT Panel, Part II: Security for Silicon, Software, and SensorsIoT Panel, Part II: Security for Silicon, Software, and Sensors
IoT Panel, Part II: Security for Silicon, Software, and Sensors
 
Why is DDS the Right Technology for the Industrial Internet?
Why is DDS the Right Technology for the Industrial Internet?Why is DDS the Right Technology for the Industrial Internet?
Why is DDS the Right Technology for the Industrial Internet?
 
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive toolOpen Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Architecting Azure (I)IoT Solutions @ IoT Saturday 2019
Architecting Azure (I)IoT Solutions @ IoT Saturday 2019Architecting Azure (I)IoT Solutions @ IoT Saturday 2019
Architecting Azure (I)IoT Solutions @ IoT Saturday 2019
 
IoT Security by Sanjay Kumar
IoT Security by Sanjay KumarIoT Security by Sanjay Kumar
IoT Security by Sanjay Kumar
 

Similar to Stories from the Trainyard!

Sgcp14phillips
Sgcp14phillipsSgcp14phillips
Sgcp14phillips
Justin Hayward
 
Walking through the fog (computing) - Keynote talk at Italian Networking Work...
Walking through the fog (computing) - Keynote talk at Italian Networking Work...Walking through the fog (computing) - Keynote talk at Italian Networking Work...
Walking through the fog (computing) - Keynote talk at Italian Networking Work...
FBK CREATE-NET
 
[Feb 2020] Cours IoT - CentraleSupelec - Master SIO
[Feb 2020] Cours IoT - CentraleSupelec - Master SIO[Feb 2020] Cours IoT - CentraleSupelec - Master SIO
[Feb 2020] Cours IoT - CentraleSupelec - Master SIO
Nicolas Lesconnec
 
QIoT 您專屬的私有雲平台 - 新知講堂 - 20170421
QIoT 您專屬的私有雲平台 - 新知講堂 - 20170421QIoT 您專屬的私有雲平台 - 新知講堂 - 20170421
QIoT 您專屬的私有雲平台 - 新知講堂 - 20170421
Anderson Cheng
 
Gab 2015 aymeric weinbach azure iot
Gab   2015 aymeric weinbach azure iot Gab   2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot Aymeric Weinbach
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks
 
MX Deep Dive PPT
MX Deep Dive PPTMX Deep Dive PPT
MX Deep Dive PPTomar awad
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueIndustrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Eurotech
 
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
Adrian Wright
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
L'Internet des objets (IDO)
L'Internet des objets (IDO)L'Internet des objets (IDO)
L'Internet des objets (IDO)
Cisco Canada
 
COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3Soon Zoo Kwon
 
EDGE devices_ ERTOS_ IOT_ presentation_P.pptx
EDGE devices_ ERTOS_ IOT_ presentation_P.pptxEDGE devices_ ERTOS_ IOT_ presentation_P.pptx
EDGE devices_ ERTOS_ IOT_ presentation_P.pptx
National Institute of Technolgy(REC) warangal
 
UCT IoT Deployment and Challenges
UCT IoT Deployment and ChallengesUCT IoT Deployment and Challenges
UCT IoT Deployment and Challenges
The IOT Academy
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3
Damien Contreras
 
Ignite 2019
Ignite 2019Ignite 2019
Ignite 2019
TI Safe
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
Brian Proctor - GICSP, CISSP, CRISC
 
Introduction to Internet of Things.pdf
Introduction to Internet of Things.pdfIntroduction to Internet of Things.pdf
Introduction to Internet of Things.pdf
GVNSK Sravya
 
Tactical Virtual Assistance (TVA) With Jubal Biggs | Current 2022
Tactical Virtual Assistance (TVA) With Jubal Biggs | Current 2022Tactical Virtual Assistance (TVA) With Jubal Biggs | Current 2022
Tactical Virtual Assistance (TVA) With Jubal Biggs | Current 2022
HostedbyConfluent
 
Smart Grids & Dumb Security => A Guide For Business Managers
Smart Grids & Dumb Security => A Guide For Business ManagersSmart Grids & Dumb Security => A Guide For Business Managers
Smart Grids & Dumb Security => A Guide For Business Managers
Faris Al-Kharusi
 

Similar to Stories from the Trainyard! (20)

Sgcp14phillips
Sgcp14phillipsSgcp14phillips
Sgcp14phillips
 
Walking through the fog (computing) - Keynote talk at Italian Networking Work...
Walking through the fog (computing) - Keynote talk at Italian Networking Work...Walking through the fog (computing) - Keynote talk at Italian Networking Work...
Walking through the fog (computing) - Keynote talk at Italian Networking Work...
 
[Feb 2020] Cours IoT - CentraleSupelec - Master SIO
[Feb 2020] Cours IoT - CentraleSupelec - Master SIO[Feb 2020] Cours IoT - CentraleSupelec - Master SIO
[Feb 2020] Cours IoT - CentraleSupelec - Master SIO
 
QIoT 您專屬的私有雲平台 - 新知講堂 - 20170421
QIoT 您專屬的私有雲平台 - 新知講堂 - 20170421QIoT 您專屬的私有雲平台 - 新知講堂 - 20170421
QIoT 您專屬的私有雲平台 - 新知講堂 - 20170421
 
Gab 2015 aymeric weinbach azure iot
Gab   2015 aymeric weinbach azure iot Gab   2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
MX Deep Dive PPT
MX Deep Dive PPTMX Deep Dive PPT
MX Deep Dive PPT
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueIndustrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
 
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
L'Internet des objets (IDO)
L'Internet des objets (IDO)L'Internet des objets (IDO)
L'Internet des objets (IDO)
 
COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3
 
EDGE devices_ ERTOS_ IOT_ presentation_P.pptx
EDGE devices_ ERTOS_ IOT_ presentation_P.pptxEDGE devices_ ERTOS_ IOT_ presentation_P.pptx
EDGE devices_ ERTOS_ IOT_ presentation_P.pptx
 
UCT IoT Deployment and Challenges
UCT IoT Deployment and ChallengesUCT IoT Deployment and Challenges
UCT IoT Deployment and Challenges
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3
 
Ignite 2019
Ignite 2019Ignite 2019
Ignite 2019
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
 
Introduction to Internet of Things.pdf
Introduction to Internet of Things.pdfIntroduction to Internet of Things.pdf
Introduction to Internet of Things.pdf
 
Tactical Virtual Assistance (TVA) With Jubal Biggs | Current 2022
Tactical Virtual Assistance (TVA) With Jubal Biggs | Current 2022Tactical Virtual Assistance (TVA) With Jubal Biggs | Current 2022
Tactical Virtual Assistance (TVA) With Jubal Biggs | Current 2022
 
Smart Grids & Dumb Security => A Guide For Business Managers
Smart Grids & Dumb Security => A Guide For Business ManagersSmart Grids & Dumb Security => A Guide For Business Managers
Smart Grids & Dumb Security => A Guide For Business Managers
 

Recently uploaded

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 

Recently uploaded (20)

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 

Stories from the Trainyard!

  • 1. Stories from the Trainyard: Interesting things I learned!
    Presented By: Patrick Kelley, Critical Path Security 2020
  • 3. Why were we there?
    • Logs lie…
      – Even if they aren’t lying, the technology is dated.
    • Intrusion Detection Systems at the border only tell a portion of the story.
    • Signature-based detection is quick, but often ineffective.
      – Too many false positives!
    • Visibility must be multi-dimensional and contextual.
      – It must be enriched with outside data!
  • 4. What is a multi-directional, contextual detection network sensor?
    Problem: Traditional IDS appliances grade all indicators based on CVSS or arbitrary grading, without considering contextual factors specific to the environment.
      – Solution: Correlating Suricata and Zeek-IDS flow data gives teams the ability to apply custom grading based on the context, type, and amount of correlated events.
    Problem: Black box recorders can record for a finite period of time.
      – Solution: Sensors are only limited by available storage, which is far easier to allocate. In short, the data retrieved can save lives. Sensors become more than myopic security devices and have the ability to become flight data recorders.
  • 5. What makes an effective network security platform?
    • Blended IDS technologies: Zeek-IDS is great for behavioral indicators, but Suricata is updated more frequently for atomic indicators.
      – You have to start somewhere. The middle of 2 million raw DNS flows isn’t that place.
    • Logging with more enhanced fidelity (json > syslog)
    • Portability (Not every environment has a rack)
    • Intelligence is applied where all atomic indicators can be correlated and acted upon, regardless of collection point.
      – Move this action away from the sensor itself.
    • Zeek-IDS fallback analyzers are your friend.
  • 6. The objectives
    • Detect cyber incidents in time to permit effective response and recovery
    • Expand visibility and monitoring capabilities within manufacturing control systems, networks, and devices
    • Reduce opportunities for disruptive cyber incidents by providing real-time monitoring and anomaly-detection alerts
    • Support the oversight of resources (e.g., IT, personnel, data)
    • Enable faster incident-response times, fewer incidents, and shorter downtimes (REDUCE DWELL)
    Don’t blow the budget!!!
  • 7. Where to place sensors to get the most value in OT/IT environments
    • Ingress/Egress (Obvious)
    • In between VLANs (Should be obvious)
    • Between the Office, Plant, and Control networks in ICS environments. Expand to include PTC.
    • At remote sites
    • Integrated in Deception Technology Networks
    • Dynamic environments where system log forwarding is easily forgotten. (Example: That DevOps box in the corner…)
    • Wherever you can make it fit on a train or vessel! Lots of Velcro.
  • 9. Challenges experienced when placing sensors in high value OT/IT environments
    You don’t always have rackspace! You don’t always have a protocol analyzer written.
  • 10. Challenges experienced when placing sensors in high value OT/IT environments
    Example: Integration into trains requires proprietary cables to J5 ports, and it can be difficult to find suitable power. Bring batteries. Lots of batteries.
  • 11. IT/OT Communications Aren’t Always Stable
    Backpressure: It is common that communication between a Locomotive and the Back Office will be severed and routed across different links and verbosity. As illustrated above, it can choose between 220 MHz, Cellular, and WiFi to the Wayside. For that reason, the ability to backpressure and store-and-forward messages is most important. Without the proper adherence to time, you can’t build an accurate narrative.
    “You can’t properly build a narrative around an event, without proper adherence to time.”
  • 12. However, some of the information collected is really interesting, if you can make it work.
    {"ts":1536324083.512216,"uid":"5b9271d60000000000002a50","id.orig_h":"10.255.255.17","id.orig_p":4096,"id.resp_h":"10.255.255.255","id.resp_p":22001,"nmea_msgid":"GPRMC","gps_time":"200626.934","latitude":3610.372304,"latitude_dir":"N","longitude":8646.492506,"longitude_dir":"W","checksum":"*15","checksum_verified":true,"validity":"A","sog":2.61,"cmg":244.29,"dof":"040117","mv":0.0,"mv_dir":""}
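The record on slide 12 is the output of a custom Zeek analyzer for NMEA position sentences. As an added example (not the deck's or Zeek's code), the Python below parses one $GPRMC sentence into the same field layout, verifies the NMEA XOR checksum the way that `checksum_verified` flag implies, and adds `lat_deg`/`lon_deg` (decimal degrees, not in the slide's record); the sample sentence is constructed from the slide's field values, and its *0B checksum is that of the constructed text, not the slide's *15.

```python
import re

# Constructed $GPRMC sentence built from the field values of the record on the slide.
# Its *0B checksum is the checksum of this constructed text, not the slide's *15.
SAMPLE = "$GPRMC,200626.934,A,3610.372304,N,8646.492506,W,2.61,244.29,040117,0.0,*0B"

def nmea_checksum(body: str) -> int:
    """XOR of every character between '$' and '*', as NMEA 0183 defines it."""
    checksum = 0
    for ch in body:
        checksum ^= ord(ch)
    return checksum

def to_degrees(value: float, direction: str) -> float:
    """Convert NMEA ddmm.mmmm (latitude) or dddmm.mmmm (longitude) to signed decimal degrees."""
    degrees = int(value // 100)
    minutes = value - degrees * 100
    decimal = degrees + minutes / 60.0
    return -decimal if direction in ("S", "W") else decimal

def parse_gprmc(sentence: str) -> dict:
    """Parse one $GPRMC sentence into a record shaped like the Zeek log line on the slide."""
    match = re.fullmatch(r"\$([^*]+)\*([0-9A-Fa-f]{2})", sentence.strip())
    if not match:
        raise ValueError("not a framed NMEA sentence")
    body, checksum = match.group(1), match.group(2)
    fields = body.split(",")
    if fields[0] != "GPRMC" or len(fields) < 12:
        raise ValueError("not a GPRMC sentence")
    record = {
        "nmea_msgid": fields[0], "gps_time": fields[1], "validity": fields[2],
        "latitude": float(fields[3]), "latitude_dir": fields[4],
        "longitude": float(fields[5]), "longitude_dir": fields[6],
        "sog": float(fields[7]), "cmg": float(fields[8]), "dof": fields[9],
        "mv": float(fields[10]) if fields[10] else 0.0, "mv_dir": fields[11],
        "checksum": "*" + checksum.upper(),
        # Keep a sentence with a bad checksum, but flag it: it was corrupted on the link
        # or altered, and its position should not feed the incident narrative unverified.
        "checksum_verified": nmea_checksum(body) == int(checksum, 16),
    }
    # Decimal degrees are what mapping and correlation tooling expects downstream.
    record["lat_deg"] = to_degrees(record["latitude"], record["latitude_dir"])
    record["lon_deg"] = to_degrees(record["longitude"], record["longitude_dir"])
    return record
```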
  • 14. So…we enrich Indicators with Zeek-IDS flows
    • ICS networks react unpredictably when traditional firewall, IPS/IDS and endpoint protection controls are introduced.
    • You can’t “scan” networks to find vulnerabilities. You must be able to find value in a passive manner.
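Slides 4 and 14 describe grading Suricata indicators by correlating them with Zeek-IDS flow data instead of trusting the signature's fixed severity. The Python below is an added example of that join, not the presenter's tooling: it keys Suricata eve.json alerts and Zeek JSON conn.log records on source host, destination host, destination port and protocol, then derives a grade from the control-network range (an assumed CIDR), the number of correlated flows, and whether any session completed; all sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption for this example (not from the slides): the address range of the control network.
CONTROL_NETS = [ipaddress.ip_network("10.255.255.0/24")]
SEVERITY_BASE = {1: 70, 2: 40, 3: 10}  # Suricata severity 1 is the most severe

# Constructed samples shaped like Suricata eve.json alerts and Zeek JSON conn.log records;
# the addresses, ports and signature names are made up for this example.
SURICATA_ALERTS = [
    {"src_ip": "10.255.255.17", "dest_ip": "10.255.255.40", "dest_port": 502, "proto": "TCP",
     "alert": {"signature": "EXAMPLE Modbus write to controller", "severity": 2}},
    {"src_ip": "192.0.2.9", "dest_ip": "198.51.100.5", "dest_port": 80, "proto": "TCP",
     "alert": {"signature": "EXAMPLE suspicious User-Agent", "severity": 1}},
]
ZEEK_CONN = [  # three flows from the same host to the same Modbus service, one unanswered
    {"ts": 1536324083.5, "id.orig_h": "10.255.255.17", "id.orig_p": port,
     "id.resp_h": "10.255.255.40", "id.resp_p": 502, "proto": "tcp", "conn_state": state}
    for port, state in ((4096, "SF"), (4097, "SF"), (4098, "S0"))
]

def flow_key(orig_h, resp_h, resp_p, proto):
    """Join key: the same source talking to the same service, regardless of source port."""
    return (orig_h, resp_h, int(resp_p), proto.lower())

def index_conn(records):
    """Group Zeek conn.log records by flow_key so every alert joins in constant time."""
    idx = defaultdict(list)
    for r in records:
        idx[flow_key(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"])].append(r)
    return idx

def grade_alert(alert, conn_idx):
    """Replace the signature's fixed severity with a grade driven by local context."""
    key = flow_key(alert["src_ip"], alert["dest_ip"], alert["dest_port"], alert["proto"])
    flows = conn_idx.get(key, [])
    adjustments = []  # (delta, reason) pairs, so the final grade stays explainable
    if any(ipaddress.ip_address(alert["dest_ip"]) in net for net in CONTROL_NETS):
        adjustments.append((20, "target in control network"))
    if not flows:  # nothing on the wire backs the signature: probable false positive
        adjustments.append((-20, "no Zeek flow confirms the session"))
    else:  # weigh the amount of correlated activity and whether the target answered
        adjustments.append((min(20, 5 * len(flows)), f"{len(flows)} correlated flows"))
        if any(f["conn_state"] == "SF" for f in flows):
            adjustments.append((10, "completed session (conn_state SF)"))
    grade = SEVERITY_BASE.get(alert["alert"]["severity"], 10) + sum(d for d, _ in adjustments)
    return {"signature": alert["alert"]["signature"],
            "grade": max(0, min(100, grade)), "reasons": [r for _, r in adjustments]}
```

With the constructed data the Modbus alert grades 85 (control-network target, three flows, one completed session) while the higher-severity web alert grades 50 because no Zeek flow confirms it.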
  • 15. How to ingest, process, and transport data safely
    We have to make it actionable... Several options are readily available for safely transferring data to aggregation.
    • Splunk with signed certificates
    • Secure Logstash
    • SSL curl direct to Elasticsearch from Zeek
    • Elasticsearch with certs, encryption, etc.
    For the case of working with Zeek-IDS and Suricata, we find Kafka to be the most stable option available when working with Raspberry Pi devices. This requires a dedicated Kafka server and Zookeeper to be present.
  • 16. Lessons Learned
    • For Raspberry Pi devices, centralize on a Zeek-IDS build that works best on the platform. Most often, sub-versions are going to be problematic.
    • MicroSD cards fail over time. They last long enough for most onsite work.
    • Ingest the SPAN/TAP traffic using the interface ON the board. Backhaul over USB Ethernet or WiFi.
    • Splunk works, but Zeek-IDS protocol data can be heavy. You’ll exhaust Splunk licenses relatively quickly.
    • Log verbosity requires significant consideration, as trains can pass data over 220 MHz radio, Cellular, or WiFi. You don’t want to DoS PTC (Positive Train Control) or other sensitive systems.
  • 17. Where to go from here
    Easy...
    • Develop additional protocol analyzers. Make them good! Make them verbose!
      – Embrace the fallback analyzers.
    • Reduce difficulty in maintaining a lightweight Zeek-IDS profile.
    Hard…
    • Develop sensing methods for altering log verbosity and destination of aggregate based on available WAN link. Route determination is critical! Verbose logs over radio could be disruptive to some environments.
    • Upgrading OT environments that are constantly moving or require significant oversight. In short, upgrading thousands of moving freight trains is hard.
    • Find a more efficient method for transferring from air gapped networks.