Lessons Learned for a Behavior-Based IDS in the Energy Sector

LESSONS LEARNED FOR A BEHAVIOR-BASED IDS IN THE ENERGY SECTOR
Jerry Crowley, PhD, Boeing; Cliff Gregory, PhD, SecurityMatters
Presentation to the 10th EnergySec Security Summit, 05/15/2022

Description

This presentation reviews lessons learned from a deployment of a behavior-based intrusion detection system (IDS) on a SCADA network that was part of a large-scale energy management system. The IDS architecture, sensor features, and sensor placement within the target SCADA environment proved to be key to successful detection of malicious activity. Challenges included simultaneous monitoring of multiple SCADA protocols (DNP3 and ICCP) across multiple network segments; monitoring of both encrypted and unencrypted network traffic; adapting to slow environment changes to minimize false-positive output; and integration of the behavior-based IDS output into an existing monitoring system/SIEM.

Transcript of Lessons Learned for a Behavior-Based IDS in the Energy Sector

Page 1: Lessons Learned for a Behavior-Based IDS in the Energy Sector

LESSONS LEARNED FOR A BEHAVIOR-BASED IDS

IN THE ENERGY SECTOR

Jerry Crowley, PhD, Boeing; Cliff Gregory, PhD, SecurityMatters

Presentation to the 10th EnergySec Security Summit, 04/08/2023

Page 2: Lessons Learned for a Behavior-Based IDS in the Energy Sector

Background

Boeing and a Regional Transmission Operator cooperated under a DOE-1304 project to demonstrate advanced technology solutions focused on cybersecurity in an energy management environment on the US regional power grid.

DOE Benefits:
• Increased grid reliability
• Greater grid security
• Baseline for national grid replication

Page 3: Lessons Learned for a Behavior-Based IDS in the Energy Sector

Background (cont)

As a result of a Boeing cyber risk-based assessment, it was decided to reduce the uncovered risks by complementing the existing signature-based IDS with a behavior-based IDS.

The SecurityMatters SilentDefense ICS product was selected as an advanced yet mature technology.

Page 4: Lessons Learned for a Behavior-Based IDS in the Energy Sector

What was deployed

Private network

Page 5: Lessons Learned for a Behavior-Based IDS in the Energy Sector

Monitoring Objectives

Monitor communications from members to control centers:
• IP addresses of the members (including public IPs)
• Who initiates the connection (data center or member)
• Only ICCP and DNP3
• Unexpected behavior

Monitor communications within the control centers:
• What non-SCADA services/protocols are in use (e.g., SSH, SMTP, etc.)
• Unexpected traffic patterns

Page 6: Lessons Learned for a Behavior-Based IDS in the Energy Sector

SilentDefense Architecture

Diagram: SilentDefense Monitoring Sensors, SilentDefense Command Center, Web Client (one-to-many relationship between the Command Center and the sensors)

Page 7: Lessons Learned for a Behavior-Based IDS in the Energy Sector

How it was deployed

Phase 1: Initial learning
• Capture traffic on site (PCAP files)
• Play back traffic in offline mode
• Use SilentDefense in learning mode
• Inspect the captured traffic
• Detect misconfigurations (e.g., non-compliant data)
• Evaluate learned traffic patterns

Phase 2: Detection model fine-tuning
• Capture more traffic on site
• Process with SilentDefense in detection mode; analyze generated alerts
• Refine model

Phase 3: Live detection
• Deploy SilentDefense in detection mode to monitor live traffic.

Diagram: Initial Learning → Fine-tune Detection Model → Live detection

Three-phase deployment minimized impact to the operational system

Page 8: Lessons Learned for a Behavior-Based IDS in the Energy Sector

DNP3 in depth

SilentDefense ICS monitoring:
• Ensures only “well-formed” DNP3 messages are passed
• Detects buffer overflow attacks
• Monitors health of remote RTUs - inspects internal indicators
• Validates that MTUs perform only intended operations - inspects function codes & data point addresses
• Detects suspicious data link communications - scanning of RTU destinations
• Applies high-level access control - checks which data points are accessed
• Detects anomalous traffic down to the lowest level

Page 9: Lessons Learned for a Behavior-Based IDS in the Energy Sector

ICCP in depth

SilentDefense ICS monitoring:
• Ensures only well-formed ICCP messages are exchanged by control centers
• Detects buffer overflow attacks
• Ensures only intended messages are exchanged at all layers - no dangerous COTP, session, presentation, ACSE or MMS functionality is used
• Applies “high-level” access controls - only allowed MMS domains, services and domain name formats are used
• Detects malformed data structures - the structure of variables shared between control centers changes

SilentDefense forwards alerts to industry-standard SIEMs

Page 10: Lessons Learned for a Behavior-Based IDS in the Energy Sector

Detection Lessons Learned

An IDS must:
• Be able to detect abnormal behavior, malicious and non-malicious
• Be able to detect behavior in multiple dimensions: protocol parameters, session information
• Be able to detect across protocol stack layers (layers 3 through 7)

Detection Model is automatically created for each SCADA environment

Page 11: Lessons Learned for a Behavior-Based IDS in the Energy Sector

Operational Lessons Learned

Operator training is key to success:
• General SilentDefense overview, for SCADA engineers and security analysts, with a presentation of the findings obtained with the tool so far
• In-depth SilentDefense training, security analysts only: configure/operate/maintain the system, hands-on using the live system

SCADA engineers' involvement was critical:
• SilentDefense alerted to abnormal, non-malicious behavior, e.g., early warning of device degradation or misconfiguration
• Allowed them to explain to security analysts why certain events were being observed: misconfigured devices, effects of devices restarting

Page 12: Lessons Learned for a Behavior-Based IDS in the Energy Sector

General Operational Lessons Learned

A sensor must:
• Contain features to accommodate slow changes in traffic behavior
• Be able to aggregate alerts that are generated for the same reason
• Be able to easily analyze alerts, including raw traffic PCAPs
• Be able to easily update detection model(s) with “trim” mechanisms

SilentDefense provides a simple intuitive user interface for analysis and forensics
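The following is an added illustration, not SilentDefense code or anything from the project, of how the pieces described on pages 7, 8 and 12 fit together: a whitelist learned from Phase 1 traffic, Phase 2/3 detection of unexpected function codes and data point accesses, aggregation of alerts raised for the same reason, and a “trim” step that lets the operator fold a confirmed-legitimate flow back into the model. Addresses, function codes and flows are constructed sample values; the tuple-per-request representation is an assumption standing in for a real DNP3 decoder.

```python
from collections import Counter, defaultdict

# Constructed DNP3 application-layer summaries (not real captures):
# (master IP, outstation IP, function code, data point address).
# Function codes follow IEEE 1815: 1 = READ, 5 = DIRECT_OPERATE, 13 = COLD_RESTART.
LEARNED_TRAFFIC = [
    ("10.1.1.5", "10.2.0.11", 1, 3),
    ("10.1.1.5", "10.2.0.11", 1, 7),
    ("10.1.1.5", "10.2.0.12", 1, 3),
    ("10.1.1.5", "10.2.0.12", 5, 2),
]

class Dnp3BehaviorModel:
    """Whitelist learned from Phase 1 traffic, enforced in Phases 2 and 3."""

    def __init__(self):
        self.allowed_ops = set()                # (master, outstation, function code)
        self.allowed_points = defaultdict(set)  # (master, outstation) -> point addresses

    def learn(self, flows):
        for master, outstation, fc, point in flows:
            self.allowed_ops.add((master, outstation, fc))
            self.allowed_points[(master, outstation)].add(point)

    def detect(self, flows):
        """One alert per deviating flow: (reason, master, outstation, detail)."""
        alerts = []
        for master, outstation, fc, point in flows:
            pair = (master, outstation)
            if pair not in self.allowed_points:           # peer never seen in learning
                alerts.append(("unknown-peer", master, outstation, fc))
            elif (master, outstation, fc) not in self.allowed_ops:  # MTU doing an unintended operation
                alerts.append(("unexpected-function-code", master, outstation, fc))
            elif point not in self.allowed_points[pair]:  # access to an unlearned data point
                alerts.append(("unexpected-point", master, outstation, point))
        return alerts

    def accept(self, flow):
        """'Trim' mechanism: the operator confirms a flagged flow is legitimate and the model absorbs it."""
        self.learn([flow])


def aggregate(alerts):
    """Collapse repeated alerts raised for the same reason into one entry with a count."""
    return Counter(alerts)


if __name__ == "__main__":
    model = Dnp3BehaviorModel()
    model.learn(LEARNED_TRAFFIC)
    live = LEARNED_TRAFFIC[:1] + [("10.1.1.5", "10.2.0.11", 13, 0)] * 2 + [("10.1.9.9", "10.2.0.11", 1, 3)]
    for alert, count in aggregate(model.detect(live)).items():
        print(count, alert)
```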

Page 13: Lessons Learned for a Behavior-Based IDS in the Energy Sector

Project demonstrated Energy Sector needs

Easy Setup and Management
• Configuration with self-learning technology
• Legitimate input values automatically learned
• Be traffic non-blocking – keep human in the loop

Compatible with technology solutions
• Natively interface with SIEM solutions
• Understand ICS/SCADA protocols

Be Scalable & Adaptable
• Multiple sensors for each command center
• Small form factor – 1U or smaller
• Compatible with environmentally hardened platform
• Deployable in redundant architectures

Page 14: Lessons Learned for a Behavior-Based IDS in the Energy Sector

Contact Information

Jerry S. Crowley, PhD, Sr Security System Engineer

The Boeing [email protected]

Clifford H. Gregory, PhD, CEO – USA

SecurityMatters, [email protected]