Lessons Learned for a Behavior-Based IDS in the Energy Sector
LESSONS LEARNED FOR A BEHAVIOR-BASED IDS IN THE ENERGY SECTOR
Jerry Crowley, PhD, Boeing
Cliff Gregory, PhD, SecurityMatters
Presentation to the 10th EnergySec Security Summit, 04/08/2023
Background
Boeing and a Regional Transmission Operator cooperated under a DOE-1304 project to demonstrate advanced technology solutions focused on cybersecurity in an energy management environment on the US regional power grid.
DOE benefits:
• Increased grid reliability
• Greater grid security
• Baseline for national grid replication
Background (cont)
As a result of a Boeing cyber risk-based assessment, it was determined to reduce uncovered risks by complementing an existing signature-based IDS with a behavior-based IDS
The SecurityMatters SilentDefense ICS product was selected as an advanced yet mature technology
What was deployed
Private network
Monitoring Objectives
Monitor communications from members to control centers:
• IP addresses of the members (including public IPs)
• Who initiates the connection (datacenter or member)
• Only ICCP and DNP3
• Unexpected behavior
Monitor communications within the control centers:
• What non-SCADA services/protocols are in use (e.g., SSH, SMTP, etc.)
• Unexpected traffic patterns
SilentDefense Architecture
SilentDefense Monitoring Sensors
SilentDefense Command Center
Web Client
One-to-many relationship (one Command Center, many sensors)
How it was deployed
Phase 1: Initial learning
• Capture traffic on site (PCAP files)
• Play back traffic in offline mode
• Use SilentDefense in learning mode
• Inspect the captured traffic
• Detect misconfigurations (e.g., non-compliant data)
• Evaluate learned traffic patterns
Phase 2: Detection model fine-tuning
• Capture more traffic on site
• Process with SilentDefense in detection mode
• Analyze generated alerts
• Refine model
Phase 3: Live detection
• Deploy SilentDefense in detection mode to monitor live traffic
[Figure: Initial Learning -> Fine-tune Detection Model -> Live Detection]
Three-phase deployment minimized impact to the operational system.
DNP3 in depth
SilentDefense ICS monitoring:
• Assures only "well-formed" DNP3 messages are passed
• Detects buffer overflow attacks
• Monitors health of remote RTUs - inspects internal indicators
• Validates MTUs do only intended operations - inspects function codes & data point addresses
• Detects suspicious datalink communications - scanning of RTU destinations
• Applies high-level access control - checks what data points are accessed
• Detects anomalous traffic down to the lowest level
ICCP in depth
SilentDefense ICS monitoring:
• Assures only well-formed ICCP messages are exchanged by control centers
• Detects buffer overflow attacks
• Ensures only intended messages are exchanged at all layers - no dangerous COTP, session, presentation, ACSE or MMS functionalities are used
• Applies "high-level" access controls - only allowed MMS domains, services and domain name formats are used
• Detects malformed data structures - e.g., when the structure of variables shared between control centers changes
SilentDefense forwards alerts to industry-standard SIEMs.
Detection Lessons Learned
An IPS must:
• Be able to detect abnormal behavior, malicious and non-malicious
• Be able to detect behavior in multiple dimensions: protocol parameters, session information
• Be able to detect across protocol stack layers (layers 3 through 7)
Detection model is automatically created for each SCADA environment.
Operator training is key to success
• General SilentDefense overview: for SCADA engineers and security analysts; presentation of the findings obtained with the tool so far
• In-depth SilentDefense training: security analysts only; configure/operate/maintain the system; hands-on using the live system
SCADA engineers' involvement was critical
• SilentDefense alerted to abnormal, non-malicious behavior, e.g., early warnings of device degradation or misconfiguration
• Allowed SCADA engineers to explain to security analysts why they were observing certain events: misconfigured devices, effects of devices restarting
Operational Lessons Learned
General Operational Lessons Learned
A sensor must contain features to accommodate slow changes in traffic behavior and:
• Be able to aggregate alerts that are generated for the same reason
• Be able to easily analyze alerts, including raw traffic PCAPs
• Be able to easily update detection model(s) with "trim" mechanisms
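As an added illustration (not the project's or SilentDefense's code), a toy Python model of the learn-then-detect workflow from the three deployment phases, applied to the DNP3 checks the deck lists: it parses the function code and first object header of an application-layer request fragment, learns during the learning phases which functions and data point ranges each master uses toward each outstation, then in detection mode flags malformed fragments, functions never seen in learning, and reads outside the learned point range, counting alerts by reason so that alerts raised for the same reason aggregate. The master/RTU addresses and the fragments are constructed sample values, and only the all-points and 8/16-bit start-stop qualifiers are decoded.

```python
from collections import Counter

def parse_request(frag):
    """(func, group, first_point, last_point) from a DNP3 request's first object header."""
    if len(frag) < 5:
        raise ValueError("truncated application fragment")
    func, group, qual = frag[1], frag[2], frag[4]     # frag[0] app control, frag[3] variation
    if qual == 0x06:                                   # range code 6: all points, no range field
        return func, group, 0, 0xFFFF
    width = {0x00: 1, 0x01: 2}.get(qual)               # range code 0/1: 8-/16-bit start-stop
    if width is None or len(frag) < 5 + 2 * width:
        raise ValueError(f"bad or truncated range for qualifier 0x{qual:02x}")
    first = int.from_bytes(frag[5:5 + width], "little")
    last = int.from_bytes(frag[5 + width:5 + 2 * width], "little")
    return func, group, first, last

def learn(model, master, outstation, frag):
    """Phase 1/2: record (func, group) and widen the point range seen on this link."""
    func, group, first, last = parse_request(frag)
    seen = model.setdefault((master, outstation), {})
    lo, hi = seen.get((func, group), (first, last))
    seen[(func, group)] = (min(lo, first), max(hi, last))

def detect(model, master, outstation, frag):
    """Phase 3: return an alert reason, or None when the request fits the learned model."""
    try:
        func, group, first, last = parse_request(frag)
    except ValueError as exc:
        return f"malformed DNP3: {exc}"
    learned = model.get((master, outstation), {})
    if (func, group) not in learned:
        return f"unexpected function 0x{func:02x} on group {group}"
    lo, hi = learned[(func, group)]
    if first < lo or last > hi:
        return f"points {first}-{last} outside learned range {lo}-{hi}"
    return None

MASTER, RTU = "10.0.0.10", "10.0.0.20"           # constructed sample addresses, not the project's
BASELINE = [b"\xc0\x01\x3c\x01\x06",             # constructed: READ class 0 data (group 60 var 1, all)
            b"\xc1\x01\x1e\x02\x00\x00\x07"]      # constructed: READ analog inputs (group 30) points 0..7
LIVE = [b"\xc2\x01\x1e\x02\x00\x00\x07",          # same poll: benign
        b"\xc3\x01\x1e\x02\x00\x00\x0f",          # points 0..15: outside learned range
        b"\xc4\x05\x0c\x01\x00\x03\x03",          # DIRECT_OPERATE (0x05) on CROB group 12: never learned
        b"\xc5\x01\x1e"]                          # truncated fragment: malformed

def run_demo():
    model = {}
    for frag in BASELINE:                         # phases 1 and 2: learn from captured traffic
        learn(model, MASTER, RTU, frag)
    return Counter(r for r in (detect(model, MASTER, RTU, f) for f in LIVE) if r)
```

Refining the model after an analyst reviews an alert in phase 2 is a call to learn() on the fragment confirmed as benign; run_demo() returns one count per distinct alert reason.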
SilentDefense provides a simple intuitive user interface for analysis and forensics
Project demonstrated Energy Sector needs
Easy setup and management:
• Configuration with self-learning technology
• Legitimate input values automatically learned
• Be traffic non-blocking - keep the human in the loop
Compatible with technology solutions:
• Natively interface with SIEM solutions
• Understand ICS/SCADA protocols
Be scalable & adaptable:
• Multiple sensors for each command center
• Small form factor - 1U or smaller
• Compatible with environmentally hardened platforms
• Deployable in redundant architectures
Contact Information
Jerry S. Crowley, PhD, Sr Security System Engineer
The Boeing [email protected]
Clifford H. Gregory, PhD, CEO - USA
SecurityMatters, [email protected]