Introduction
Industrial control systems (ICSs) are a type of Supervisory Control and Data Acquisition (SCADA) system. ICS embedded architectures differ from standard enterprise systems. They do consist of interconnected systems, but the heart of the system is the Programmable Logic Controller (PLC) instead of a CPU. The PLC is responsible for providing system reliability by executing logic code and reading sensor inputs. Despite not always being connected to the internet, ICSs are still susceptible to security threats.
Because of these threats, SCADA environments, just like standard enterprise architectures, rely on various types of security tools. These tools can be grouped into categories, including:
- Network Traffic monitoring and anomaly detection
- Indicator of Compromise (IOC) Detection
- Log Analysis
- Hardware Security
The Idaho National Laboratory (INL) recently performed a survey of security tools used in the ICS environment. A short list of some of those tools is below:

| Surveyed tools | Surveyed tools (continued) |
| --- | --- |
| ABB Cyber Security Benchmark | Protecode |
| AlienVault Unified Security Management SIEM | Radare |
| Binary Ninja | Radiflow |
| Binwalk | Security Onion |
| Bro | SecurityMatters SilentDefense |
| Centrifuge | Senami IDS |
| CheckPoint Software – SandBlast | Snort |
| ConPot | Snowman |
| CyberX XSense | Splunk |
| DarkTrace ICS | Suricata |
| Digital Ants | Symantec Anomaly Detection for ICS |
| Dragos | Symantec Embedded Security: CSP |
| Elastic Stack | Tofino Xenon Security Appliance (Tofino SA) |
| Fcd | T-Pot |
| FireEye IOC Editor | Tripwire |
| FireEye IOC Finder | TruffleHog |
| Fortinet-Nozomi Networks | USB-ARM |
| Hyperion | Verve Security Center |
| McAfee | Volatility Framework |
| Nessus | Waterfall BlackBox |
| Nextnine ICS Shield | WeaselBoard |
| OSSEC | X64dbg |
| Plaso – Log2timeline | YARA |
Each tool listed falls into one of the categories mentioned earlier (network traffic monitoring and anomaly detection, Indicator of Compromise (IOC) detection, log analysis, hardware security) or is a multi-purpose tool, meaning it covers several categories.
In this article we will focus on the following categories and tools:
- Multi-Purpose
  - AlienVault Unified Security Management (USM) SIEM
  - Dragos
  - McAfee
  - Nessus
- IOC Detection
  - FireEye IOC Editor and Finder
  - ABB Cyber Security Benchmark
- Network Traffic Anomaly Detection
  - Bro
  - OSSEC
  - Security Onion
  - Snort
  - Symantec Anomaly Detection for ICSs
- Log Review
  - Elastic Stack
  - Splunk
- Hardware Security
Multi-Purpose Tools
Multi-purpose tools wear many security hats. They provide some of the following benefits:
- Asset discovery
- Intrusion detection
- Threat intelligence using behavioral analytics
- Investigation and response assistance by providing step-by-step guidance
AlienVault Unified Security Management (USM) SIEM – SIEM stands for Security Information and Event Management. A SIEM presents security information in an easy-to-process format. AlienVault has combined log management, SIEM functionality, asset discovery, vulnerability management, and intrusion detection into one system. It can be used in cloud, hybrid, or on-premises environments.
Dragos – Dragos, the company, releases a yearly review of current threats, vulnerabilities, and lessons learned from incident response and assessments. This information can be used to help create security-related metric reports. The Dragos Industrial Cybersecurity Ecosystem collects and cross-references suspicious events. The suite of tools offers asset discovery, compromise assessment, threat hunting, forensics tools, automated workflows, and incident response.
McAfee – McAfee is a well-known name in the security industry, with many tools used by security professionals to better protect their assets, including a suite of security products geared towards SCADA. Their SCADA/ICS tools provide security in four areas:
- Database
- Endpoint
- Data protection
- Network security
Nessus – Nessus is another well-known name in the IT security sector. It is a security scanner, developed by Tenable Network Security, used to identify system security vulnerabilities. The Nessus scanner is useful for malware detection, web application scanning, compliance checks, configuration review, and assessments.
IOC detection tools
IOC tools are used to identify vulnerable components. They assist in analyzing your architecture and performing a risk assessment, determining your ability to thwart and handle cyber-attacks. An IOC is a type of forensic artifact that indicates a computer intrusion has taken place. IOC detection tools are used to detect such malicious data.
FireEye IOC Editor and Finder – FireEye created both the IOC Editor and the IOC Finder for ICS systems. The editor is the interface used to manage data and manipulate the logical structure of IOCs. The XML documents it produces are used by incident responders and forensic analysts to capture the attributes of malicious payload files and/or the characteristics of registry changes made during an attack. The IOC Finder collects data generated by the host system and reports the presence of an IOC once one is identified.
ABB Cyber Security Benchmark – performs an analysis of KPIs (Key Performance Indicators) to help identify the presence of IOCs. The ABB tool is known for generating a very easy-to-read overview of system status.
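To make concrete what "manipulating the logical structure of an IOC" and "reporting the presence of an IOC" mean in practice, here is an added example that is not part of the original article or of any FireEye product. It uses a simplified OpenIOC-style XML document (nested Indicator elements with AND/OR operators over IndicatorItem comparisons) and evaluates it against constructed host snapshots. The hash, file name and registry path are placeholders invented for the example, and the element and attribute names are a simplification of the OpenIOC layout rather than the exact schema.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified OpenIOC-style indicator document. The hash and the
# registry path are placeholders, not real indicators. <Indicator> elements
# nest with AND/OR operators; each <IndicatorItem> compares one host attribute
# (named by Context/@search) against one value (Content).
IOC_XML = r"""<ioc id="example-0001">
  <short_description>Constructed example: dropper file plus Run-key persistence</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context search="FileItem/Md5sum"/>
        <Content>0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context search="FileItem/FileName"/>
          <Content>hmi_update</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context search="RegistryItem/Path"/>
          <Content>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hmi_update</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host snapshots: what a collector (the "finder" role) gathered,
# keyed by the same attribute names the IOC searches on.
HOST_INFECTED = {
    "FileItem/Md5sum": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
    "FileItem/FileName": ["scada_viewer.exe", "HMI_Update.exe"],
    "RegistryItem/Path": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hmi_update"],
}
HOST_BENIGN_SAME_NAME = {  # the file name alone must not satisfy the AND branch
    "FileItem/Md5sum": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
    "FileItem/FileName": ["hmi_update.exe"],
    "RegistryItem/Path": [],
}
HOST_HASH_HIT = {  # the hash branch alone is enough because the top level is OR
    "FileItem/Md5sum": ["0123456789abcdef0123456789abcdef"],
    "FileItem/FileName": [],
    "RegistryItem/Path": [],
}


def item_matches(item, host):
    """Evaluate one IndicatorItem against the host's observed values (case-insensitive)."""
    search = item.find("Context").get("search")
    content = item.find("Content").text.strip()
    condition = item.get("condition", "is")
    observed = host.get(search, [])
    if condition == "is":
        return any(v.lower() == content.lower() for v in observed)
    if condition == "contains":
        return any(content.lower() in v.lower() for v in observed)
    raise ValueError(f"unsupported condition {condition!r}")


def indicator_matches(indicator, host):
    """Recursively evaluate an Indicator node using its AND/OR operator."""
    op = indicator.get("operator", "OR").upper()
    results = []
    for child in indicator:
        if child.tag == "IndicatorItem":
            results.append(item_matches(child, host))
        elif child.tag == "Indicator":
            results.append(indicator_matches(child, host))
    if not results:
        return False  # an empty indicator never matches
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(xml_text, host):
    """Return (matched, description): does this host satisfy the IOC?"""
    root = ET.fromstring(xml_text)
    description = root.findtext("short_description", default="")
    matched = any(indicator_matches(ind, host)
                  for ind in root.find("definition").findall("Indicator"))
    return matched, description


if __name__ == "__main__":
    for name, host in [("infected", HOST_INFECTED), ("benign", HOST_BENIGN_SAME_NAME),
                       ("hash-hit", HOST_HASH_HIT)]:
        hit, desc = evaluate_ioc(IOC_XML, host)
        print(f"{name:9s} -> {'MATCH' if hit else 'no match'} ({desc})")
```

The benign snapshot shows why the AND operator matters: a file that merely shares a name with the dropper does not trigger the indicator unless the persistence key is present too, which is how an IOC author keeps false positives down while still catching a renamed binary through the hash branch.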
Network Traffic Anomaly Detection
Every network-connected system has an identity that constitutes what is “normal” for it. Network traffic anomaly detection tools have to be trained to recognize what is normal for a system. Some tools used to assist with this include:
Bro – is an intrusion detection system (IDS), specifically a network IDS (NIDS), used for traffic analysis. Bro uses both signature-based and anomaly detection. Due to the similarity and popularity of both tools, there has been an ongoing effort to convert Bro signatures into Snort signatures. Bro runs on Linux-based systems.
OSSEC – includes HIDS, log monitoring, signature analysis, anomaly detection, central logging and file integrity checks.
Security Onion – a collection of free tools used to assist with traffic analysis and network monitoring. It includes a NIDS, a HIDS, and packet capture and analysis tools. Bro, Snort, OSSEC, and other tools are included in the Security Onion suite. Security Onion tools take the information gathered and present it in an easy-to-read format, which makes analysis easier to perform.
Snort – is a very popular IDS/IPS (intrusion prevention system). Snort is known for its signatures and its signature engine. Signatures are available for free or through a paid subscription; the paid subscription delivers the most up-to-date signatures more quickly. Snort is also used to perform protocol analysis, content searching, and anomaly detection.
Symantec Anomaly Detection for ICSs – performs deep packet inspection of ICS protocols in SCADA environments.
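The two ideas in this section, training a detector on what is "normal" for a system and inspecting ICS protocols deeply enough to see what a packet actually does, can be shown together in a small worked example. This is added code, not part of the original article and not taken from any of the products named above. It parses Modbus/TCP frames (the MBAP header layout and the public function codes are standard Modbus), learns an allowlist of (source, destination, unit, function code) conversations from a training window, and then flags monitoring traffic that deviates. All addresses and frames are constructed for the example.

```python
import struct
from collections import Counter

# Modbus public function codes relevant to the baseline (subset).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def build_frame(transaction_id, unit_id, pdu):
    """Wrap a Modbus PDU in an MBAP header (used here only to construct samples)."""
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame):
    """Deep-packet-inspect a Modbus/TCP frame: validate MBAP, extract the function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function": frame[7], "data": frame[8:]}


# Constructed traffic: (source ip, destination ip, raw frame). A single HMI
# polls holding registers on PLC unit 1 during the training window.
HMI, PLC, ROGUE = "10.0.0.10", "10.0.0.20", "10.0.0.99"
READ_HOLDING = struct.pack(">BHH", 3, 0, 10)                    # FC3: start 0, 10 registers
WRITE_MULTI = struct.pack(">BHHB", 16, 0, 1, 2) + b"\xff\xff"    # FC16: 1 register of data
WRITE_SINGLE = struct.pack(">BHH", 6, 0, 1)                     # FC6: register 0 := 1

TRAINING = [(HMI, PLC, build_frame(tid, 1, READ_HOLDING)) for tid in range(1, 6)]
MONITORING = [
    (HMI, PLC, build_frame(6, 1, READ_HOLDING)),   # normal poll
    (ROGUE, PLC, build_frame(1, 1, WRITE_MULTI)),  # unknown host writing registers
    (HMI, PLC, build_frame(7, 1, WRITE_SINGLE)),   # known host, never-seen write
]


def learn_baseline(records):
    """Training window: every (src, dst, unit, function) tuple seen is 'normal'."""
    baseline = Counter()
    for src, dst, frame in records:
        parsed = parse_frame(frame)
        baseline[(src, dst, parsed["unit_id"], parsed["function"])] += 1
    return baseline


def detect_anomalies(records, baseline):
    """Flag conversations, writes, sources and exception responses outside the baseline."""
    known_sources = {key[0] for key in baseline}
    alerts = []
    for src, dst, frame in records:
        parsed = parse_frame(frame)
        function = parsed["function"]
        key = (src, dst, parsed["unit_id"], function)
        reasons = []
        if key not in baseline:
            reasons.append("conversation not in baseline")
            if function in WRITE_FUNCTIONS:
                reasons.append("write function outside baseline")
        if src not in known_sources:
            reasons.append("unknown source host")
        if function & 0x80:
            reasons.append("exception response")  # the device rejected a request
        if reasons:
            alerts.append({"src": src, "dst": dst, "function": function,
                           "name": FUNCTION_NAMES.get(function & 0x7F, "unknown"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(MONITORING, learn_baseline(TRAINING)):
        print(f"{alert['src']} -> {alert['dst']} FC{alert['function']} "
              f"({alert['name']}): {', '.join(alert['reasons'])}")
```

The key point for ICS monitoring is that the baseline is keyed on the function code, not just on IP pairs: a write from the HMI that has only ever read registers is as suspicious as traffic from an unknown host, and a flow-level monitor that never looks past the TCP header cannot tell the two apart.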
Log Review
Systems generate logs, including audit logs, user access logs, security logs, system status logs, etc. Because logs produce so much data, analysis can prove difficult. Log review tools are designed to help with this issue. Some of the best log analysis tools for ICSs on the market include:
Elastic Stack – if you’ve ever heard the term “ELK Stack”, Elasticsearch is the E in that acronym; the other two letters stand for Logstash and Kibana. Elasticsearch is useful for data mining and analytics. It allows the user to search and filter through data quickly through manual searches or the creation of rulesets. The Kibana dashboard is the tool used to view the gathered information in a formatted GUI; it provides the visualization of the data.
Splunk – is a network monitoring tool that also provides intelligence. It is useful in analyzing device, HMI and overall network/system behaviors. Splunk is also useful in forensic investigations.
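The "creation of rulesets" over collected logs that the Elastic Stack paragraph mentions is the core of log review, so here is an added example of what such a ruleset looks like in code. It is not part of the original article and is not Elastic or Splunk code; those products express the same logic in their own query languages. The log format is a constructed key=value format, and the hosts, users, addresses and the logic-download allowlist are placeholders invented for the example. Two rules run over the parsed events: a burst of failed logins for one account from one source, and a PLC logic download by an account that is not on the engineering allowlist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines in a simple key=value format (not a real product's
# format). Timestamps are UTC; hosts, users and addresses are placeholders.
LOG_LINES = [
    "2024-03-01T10:00:01Z host=hmi01 user=operator action=login result=failure src=10.0.0.50",
    "2024-03-01T10:00:12Z host=hmi01 user=operator action=login result=failure src=10.0.0.50",
    "2024-03-01T10:00:25Z host=hmi01 user=operator action=login result=failure src=10.0.0.50",
    "2024-03-01T10:00:40Z host=hmi01 user=operator action=login result=success src=10.0.0.50",
    "2024-03-01T10:05:00Z host=eng-ws user=eng01 action=logic_download result=success target=plc01",
    "2024-03-01T10:30:00Z host=hmi01 user=operator action=logic_download result=success target=plc01",
    "2024-03-01T11:00:00Z host=hmi01 user=maint action=login result=failure src=10.0.0.51",
    "2024-03-01T12:00:00Z host=hmi01 user=maint action=login result=failure src=10.0.0.51",
]

# Accounts that are allowed to download logic to a PLC (constructed allowlist).
LOGIC_DOWNLOAD_ALLOWED = frozenset({"eng01"})
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event


def failed_login_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Rule 1: `threshold` failed logins for one user from one source within `window`."""
    failures = defaultdict(list)
    for event in events:
        if event.get("action") == "login" and event.get("result") == "failure":
            failures[(event["user"], event.get("src"))].append(event["ts"])
    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"rule": "failed-login-burst", "user": user, "src": src,
                               "first_seen": times[i], "count": threshold})
                break  # one alert per user/source pair is enough
    return alerts


def unauthorized_logic_downloads(events, allowed=LOGIC_DOWNLOAD_ALLOWED):
    """Rule 2: PLC logic download by an account outside the allowlist."""
    return [{"rule": "unauthorized-logic-download", "user": event["user"],
             "host": event["host"], "target": event.get("target"), "ts": event["ts"]}
            for event in events
            if event.get("action") == "logic_download" and event["user"] not in allowed]


def review(lines):
    """Parse every line once, then run the ruleset over the parsed events."""
    events = [parse_line(line) for line in lines]
    return failed_login_bursts(events) + unauthorized_logic_downloads(events)


if __name__ == "__main__":
    for alert in review(LOG_LINES):
        print(alert)
```

The second rule is the ICS-specific one: a successful logic download is a routine event when an engineer does it, and a serious one when an operator account does it from an HMI, so the rule keys on who and where rather than on success or failure. The threshold and window of the first rule are parameters because the right values differ between an HMI that operators log into every shift and a rarely touched engineering workstation.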
Hardware
Good physical security practices are also part of a complete cyber hygiene program. Physical security includes things like guards, strategic lighting, fences, doors, locks, etc. Hardware security is the part of physical security that covers the items physically connected to the system components.
Anti-tamper devices are items that are physically attached to the hardware to prevent unauthorized access to the physical system components.
Hardware Security Modules (HSMs) are physical computing devices that provide cryptographic processing. They are used to manage digital keys for more secure authentication. Some HSMs include anti-tamper protection as well.
Conclusion
SCADA environments and ICSs may consist mostly of embedded systems, but they still require security. There is an array of options available for those interested in securing ICSs from potential attack. These security tools cover a multitude of categories including log analysis, network monitoring, intrusion detection, and hardware protection. A good ICS security posture will use tools that cover a majority of these categories to achieve the most defense-in-depth security architecture for the environment.
References
https://www.osti.gov/servlets/purl/1376870
https://www.fireeye.com/services/freeware/ioc-editor.html
https://labs.f-secure.com/archive/hybrid-approach-to-ics-intrusion-detection/
https://digitalguardian.com/blog/what-ics-security
https://www.maximintegrated.com/en/design/technical-documents/tutorials/5/5716.html