Introduction

Industrial Control System (ICS) architectures differ from standard enterprise systems. ICSes are interconnected like enterprise systems, but their core component is the Programmable Logic Controller (PLC) rather than a general-purpose server or workstation. A PLC runs control logic against sensor inputs to drive actuators, and it is engineered for availability and deterministic timing rather than for confidentiality.

ICSes are susceptible to cybersecurity threats even though, historically, they were not designed to depend on the internet to function. ICS networks were once air-gapped and operated in their own discrete environments, and many of the protocols and devices still in use were designed under that assumption of isolation.

As with standard enterprise architecture environments, Supervisory Control and Data Acquisition (SCADA) environments now have tools to aid in cybersecurity. These tools are categorized by function and include:

  • Network traffic monitoring and anomaly detection
  • Indicators of Compromise (IOC) detection
  • Log analysis
  • Hardware security

The Idaho National Laboratory (INL) recently performed a survey of security tools used in the ICS environment. A short list of some of those tools is below:

  • ABB Cyber Security Benchmark
  • AlienVault Unified Security Management SIEM
  • Binary Ninja
  • Binwalk
  • Bro
  • Centrifuge
  • CheckPoint Software – SandBlast
  • ConPot
  • CyberX XSense
  • DarkTrace ICS
  • Digital Ants
  • Dragos
  • Elastic Stack
  • Fcd
  • FireEye IOC Editor
  • FireEye IOC Finder
  • Fortinet-Nozomi Networks
  • Hyperion
  • McAfee
  • Nessus
  • Nextnine ICS Shield
  • OSSEC
  • Plaso – Log2timeline
  • Protecode
  • Radare
  • Radiflow
  • Security Onion
  • SecurityMatters SilentDefense
  • Senami IDS
  • Snort
  • Snowman
  • Splunk
  • Suricata
  • Symantec Anomaly Detection for ICS
  • Symantec Embedded Security: CSP
  • Tofino Xenon Security Appliance (Tofino SA)
  • T-Pot
  • Tripwire
  • TruffleHog
  • USB-ARM
  • Verve Security Center
  • Volatility Framework
  • Waterfall BlackBox
  • WeaselBoard
  • X64dbg
  • YARA

While the tools on this list fall into the categories of network traffic monitoring and anomaly detection, Indicators of Compromise (IOC) detection, log analysis and hardware security, many of them are multi-purpose and cover more than one category.

This article is focused on the following categories and tools:

1. Multi-purpose

  • AlienVault Unified Security Management (USM) SIEM
  • Dragos
  • McAfee
  • Nessus

2. IOC detection

  • FireEye IOC Editor and Finder
  • ABB Cyber Security Benchmark

3. Network traffic anomaly detection

  • OSSEC
  • Security Onion
  • Snort
  • Symantec Anomaly Detection for ICS

4. Log review

  • Elasticsearch
  • Splunk

5. Hardware security

Multi-purpose tools

Multi-purpose tools provide some of the following benefits:

  • Asset discovery
  • Intrusion detection
  • Threat intelligence using behavioral analytics
  • Investigation and response assistance by providing step by step guidance

AlienVault Unified Security Management (USM) SIEM

A SIEM is a Security Information and Event Management system: it collects logs and alerts from many sources, correlates them and presents the result in a form analysts can work with. AlienVault USM combines log management, SIEM functionality, asset discovery, vulnerability management and intrusion detection into one system, and it can be deployed in cloud, hybrid or on-premises environments.

Dragos

Dragos, the company, publishes a yearly review of current threats, vulnerabilities and the lessons learned from its incident response and assessment engagements. This information can be used to build security-related metric reports.

The Dragos Industrial Cybersecurity Ecosystem collects and cross-references suspicious events. The suite of tools offers asset discovery, compromise assessment functionality, threat hunting, forensics tools, automated workflows and incident response.

McAfee

McAfee is a well-known name in the security industry and has many tools used by security professionals to better protect their assets. McAfee also has a suite of security products geared towards SCADA. Their SCADA/ICS tools provide security in four areas:

  • Database
  • Endpoint
  • Data protection
  • Network security

Nessus

Nessus is another well-known name in the IT security sector. It is a security scanner developed by Tenable (formerly Tenable Network Security) and used to identify system security vulnerabilities. The Nessus scanner is useful for malware detection, web application scanning, compliance checks, configuration review and assessments, and it ships a dedicated SCADA plugin family. One caveat applies to any active scanner on a control network: many PLCs and RTUs have fragile network stacks, and aggressive probes can hang or crash them, so scans of ICS devices should be limited to maintenance windows, run with conservative settings, or replaced by passive discovery wherever possible.

Security Onion

Security Onion is a collection of free tools used to assist with traffic analysis and network monitoring. It includes a Network Intrusion Detection System (NIDS), a host-based Intrusion Detection System (HIDS), and packet capture and analysis tools. Bro (since renamed Zeek), Snort, OSSEC (Open Source HIDS SECurity) and other tools are included in the Security Onion suite.

Security Onion presents the gathered data in an easy-to-read format, which makes analysis easier to perform.

IOC detection tools 

IOC tools help manage and analyze indicator data and manipulate the logical structure of an IOC, that is, the AND/OR combinations of observables that together describe a compromise. An IOC is a forensic artifact, such as a file hash, a file path, a registry value or a network address, whose presence indicates that a computer intrusion has taken place.

FireEye IOC Editor and Finder

FireEye created the IOC Editor and IOC Finder as free tools built around the OpenIOC XML format. The editor is the interface used to create IOC definitions and edit their logical structure. The XML documents it produces are used by incident responders and forensic analysts to capture the attributes of malicious payload files and the registry changes an attack leaves behind. IOC Finder collects data from a host and reports any IOC whose definition matches that data. Both are Windows tools, so in an ICS they cover the engineering workstations and HMIs rather than the PLCs themselves.
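To make the "logical structure" of an IOC concrete, here is a small matcher, added to this article and not FireEye's own code, that evaluates a simplified OpenIOC-style definition against host data the way a finder would. The IOC document, the hash, the path, the registry value name and the host snapshots are all constructed for the example; the OR/AND nesting and the `is`/`contains` conditions follow the OpenIOC 1.0 layout. One simplification is labelled in the code: each indicator item is checked independently against any record of its document type.

```python
"""Simplified OpenIOC-style matcher (added example, not FireEye's code)."""
import xml.etree.ElementTree as ET

# Constructed, simplified OpenIOC 1.0-style definition. The hash, path and
# registry value name are placeholders for the example, not real indicators.
IOC_XML = r"""<ioc id="example-0001">
  <short_description>Constructed example: HMI dropper</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FullPath"/>
          <Content type="string">\ProgramData\hmi_update\</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="RegistryItem" search="RegistryItem/ValueName"/>
          <Content type="string">HmiUpdater</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _item_matches(item, host):
    """True if any host record of the item's document type satisfies the condition.
    Simplification: items are checked independently, so an AND of two FileItem
    items does not require them to describe the same file."""
    ctx = item.find("Context")
    wanted = (item.find("Content").text or "").strip().lower()
    cond = item.get("condition", "is")
    for record in host.get(ctx.get("document"), []):
        value = record.get(ctx.get("search"))
        if value is None:
            continue
        value = value.lower()
        if cond == "is" and value == wanted:
            return True
        if cond == "contains" and wanted in value:
            return True
    return False


def _indicator_matches(indicator, host):
    """Combine child results with the Indicator's AND/OR operator (recursive)."""
    op = indicator.get("operator", "OR").upper()
    results = []
    for child in indicator:
        if child.tag == "IndicatorItem":
            results.append(_item_matches(child, host))
        elif child.tag == "Indicator":
            results.append(_indicator_matches(child, host))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def scan_host(ioc_xml, host):
    """Return True if the IOC definition matches the host snapshot."""
    root = ET.fromstring(ioc_xml)
    return _indicator_matches(root.find("./definition/Indicator"), host)


# Constructed host snapshots, shaped like the data a collector would gather.
CLEAN_HOST = {
    "FileItem": [{"FileItem/Md5sum": "d41d8cd98f00b204e9800998ecf8427e",
                  "FileItem/FullPath": r"C:\Windows\System32\notepad.exe"}],
    "RegistryItem": [{"RegistryItem/ValueName": "SecurityHealth"}],
}
DROPPER_HOST = {  # path and persistence key both present: the AND branch fires
    "FileItem": [{"FileItem/Md5sum": "ffffffffffffffffffffffffffffffff",
                  "FileItem/FullPath": r"C:\ProgramData\hmi_update\svc.exe"}],
    "RegistryItem": [{"RegistryItem/ValueName": "HmiUpdater"}],
}
HASH_ONLY_HOST = {  # hash alone is enough because the top level is an OR
    "FileItem": [{"FileItem/Md5sum": "0123456789ABCDEF0123456789ABCDEF",
                  "FileItem/FullPath": r"C:\Users\op\Downloads\x.exe"}],
    "RegistryItem": [],
}
PARTIAL_HOST = {  # path matches but the persistence key is absent: AND fails
    "FileItem": [{"FileItem/Md5sum": "ffffffffffffffffffffffffffffffff",
                  "FileItem/FullPath": r"C:\ProgramData\hmi_update\svc.exe"}],
    "RegistryItem": [{"RegistryItem/ValueName": "SecurityHealth"}],
}

if __name__ == "__main__":
    for name, host in [("clean", CLEAN_HOST), ("dropper", DROPPER_HOST),
                       ("hash-only", HASH_ONLY_HOST), ("partial", PARTIAL_HOST)]:
        print(name, scan_host(IOC_XML, host))
```

The partial host is the case worth noticing: a single weak observable (a path fragment) does not trigger the indicator on its own, which is exactly why IOC authors nest an AND of weak items under an OR with a strong one such as a hash.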

ABB Cyber Security Benchmark

This service analyzes Key Performance Indicators (KPIs) to help identify the presence of IOCs. ABB tools are known for generating a very easy-to-read overview of system status.

Network traffic anomaly detection

Each network-connected system has a characteristic profile of who talks to it, over which protocols and with which commands, and that profile sets the benchmark for what is "normal" within that system. Network traffic anomaly detection tools learn that profile during a baselining period so that later intrusions stand out as deviations from it. The baseline must be captured while the network is known to be clean; otherwise an attacker who is already present becomes part of "normal". These tools include:

OSSEC

OSSEC is a host-based IDS (HIDS) that includes log monitoring, signature and anomaly analysis, central logging and file-integrity checking. Being host-based, it runs on Windows and Linux servers, HMIs and engineering workstations rather than on PLCs.

Snort

Snort is a very popular IDS/IPS (intrusion detection/prevention system) known for its signature engine and rule sets. Rules are available free of charge or by paid subscription; the paid subscription delivers new rules sooner.

Snort also performs protocol analysis, content searching and anomaly detection.

Symantec anomaly detection for ICSes

This performs deep packet inspection of ICS protocols in SCADA environments, meaning it decodes the protocol commands themselves rather than only the IP and port headers, so that an unexpected operation such as a write to a controller can be told apart from routine reads.
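The baseline-then-deviation idea behind the tools in this section, and the protocol-level inspection just described, can be shown on Modbus/TCP, which carries its function code in cleartext. The following is an added example written for this article, not the code of any product named here: it decodes the MBAP header and function code, learns a set of (source, destination, function code) tuples from constructed "clean" traffic, and then flags frames that fall outside that set, ranking writes from new sources above new reads. The IP addresses, the register values and the traffic itself are constructed for the example; the header layout and write function codes are those of the Modbus specification.

```python
"""Baseline-and-deviation detector for Modbus/TCP (added example, not a vendor's code)."""
import struct

MODBUS_PROTOCOL_ID = 0
# Function codes that change controller state (coils/registers); reads are 1-4.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


def parse_modbus_tcp(payload):
    """Decode the 7-byte MBAP header and function code; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame too short (%d bytes)" % len(payload))
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:
        raise ValueError("length field %d disagrees with frame (%d)" % (length, len(payload) - 6))
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def build_frame(tid, unit, function, data):
    """Build a Modbus/TCP request (used here only to construct sample traffic)."""
    body = bytes([unit, function]) + data
    return struct.pack(">HHH", tid, MODBUS_PROTOCOL_ID, len(body)) + body


def learn_baseline(flows):
    """Record every (src, dst, function) seen during a known-clean training window."""
    baseline = set()
    for src, dst, payload in flows:
        pdu = parse_modbus_tcp(payload)
        baseline.add((src, dst, pdu["function"]))
    return baseline


def detect(flows, baseline):
    """Flag frames that deviate from the baseline; writes from new sources rank highest."""
    alerts = []
    for src, dst, payload in flows:
        try:
            pdu = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(("MALFORMED", src, dst, str(exc)))
            continue
        key = (src, dst, pdu["function"])
        if key in baseline:
            continue
        kind = "NEW_WRITE" if pdu["function"] in WRITE_FUNCTION_CODES else "NEW_FLOW"
        alerts.append((kind, src, dst, pdu["function"]))
    return alerts


# Constructed addresses and PDUs for the example.
HMI, HISTORIAN, LAPTOP, PLC = "10.0.0.10", "10.0.0.20", "10.0.0.99", "10.0.0.50"
READ_REGS = b"\x00\x00\x00\x0a"                 # fc 3: start 0, 10 registers
WRITE_REG = b"\x00\x10\x00\x01"                 # fc 6: register 16 := 1
WRITE_MULTI = b"\x00\x10\x00\x01\x02\x00\x01"   # fc 16: 1 register, 2 data bytes

# Constructed training traffic: the HMI polls and writes, the historian only polls.
TRAINING = [
    (HMI, PLC, build_frame(1, 1, 3, READ_REGS)),
    (HMI, PLC, build_frame(2, 1, 6, WRITE_REG)),
    (HISTORIAN, PLC, build_frame(3, 1, 3, READ_REGS)),
]

# Constructed monitored traffic: one routine poll, then three deviations.
MONITORED = [
    (HMI, PLC, build_frame(10, 1, 3, READ_REGS)),
    (LAPTOP, PLC, build_frame(11, 1, 16, WRITE_MULTI)),  # unknown host writes
    (HISTORIAN, PLC, build_frame(12, 1, 6, WRITE_REG)),  # known host, new action
    (LAPTOP, PLC, struct.pack(">HHH", 13, 1, 6) + bytes([1, 3]) + READ_REGS),  # bad proto id
]


def run_example():
    """Train on TRAINING, then return the alerts raised over MONITORED."""
    return detect(MONITORED, learn_baseline(TRAINING))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The second alert is the one a port-and-address whitelist would miss: the historian is an expected peer of the PLC, but it has never written to it, and only decoding the function code exposes that change in behaviour.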

Log review

Systems generate many kinds of logs, including audit logs, user access logs, security logs and system status logs. The volume is large enough that manual analysis is impractical, and log review tools exist to address that. Some of the best log analysis tools for ICSes on the market include the following.

Elasticsearch

If you have heard the term "ELK stack," Elasticsearch is the E in that acronym; the other two letters stand for Logstash and Kibana. Elasticsearch is the search and analytics engine and is useful for data mining and analytics: it lets the user search and filter data quickly through manual queries or saved rule sets. Logstash ingests and parses the logs before they are indexed.

Kibana is the dashboard used to view the gathered information in a formatted GUI. It provides the visualization of the data.

Splunk

Splunk is a log collection and analysis platform that also provides operational intelligence. It is useful for analyzing device, HMI and overall network/system behavior, and for forensic investigations.
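What a SIEM or a log platform actually does with the volume described above is parse each line into fields and then run correlation rules across events, so here is that pipeline in miniature. This is an added example for this article, not Splunk, Elastic or AlienVault code; the syslog-style lines, the host and user names, the addresses, the "plc-tool" program name and its message format, and the 08:00 to 18:00 maintenance window are all constructed assumptions. The two rules are the classic ones: several failed logins followed by a success from the same source, and a PLC program download outside working hours.

```python
"""Log parsing and correlation over constructed ICS host logs (added example)."""
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines from an engineering workstation "ews01".
# The "plc-tool" program and its message format are assumptions for the example.
SAMPLE_LOG = [
    "2024-03-04T02:10:01Z ews01 sshd[411]: Failed password for operator from 10.0.0.99 port 51002 ssh2",
    "2024-03-04T02:10:07Z ews01 sshd[411]: Failed password for operator from 10.0.0.99 port 51003 ssh2",
    "2024-03-04T02:10:14Z ews01 sshd[411]: Failed password for operator from 10.0.0.99 port 51004 ssh2",
    "2024-03-04T02:10:29Z ews01 sshd[411]: Accepted password for operator from 10.0.0.99 port 51010 ssh2",
    "2024-03-04T02:11:02Z ews01 plc-tool[900]: Program download to PLC 10.0.0.50 by operator",
    "2024-03-04T09:30:00Z ews01 sshd[412]: Accepted password for engineer from 10.0.0.10 port 40001 ssh2",
    "2024-03-04T09:31:10Z ews01 plc-tool[901]: Program download to PLC 10.0.0.50 by engineer",
    "2024-03-04T09:40:00Z ews01 kernel[0]: usb 1-1: new high-speed USB device number 4",
]

# Field extraction, the job Logstash/grok or a SIEM parser does on ingest.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
DOWNLOAD_RE = re.compile(r"^Program download to PLC (?P<plc>\S+) by (?P<user>\S+)")


def parse_line(line):
    """Turn one raw line into a structured event, or None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
             "host": m.group("host"), "prog": m.group("prog"), "kind": "other", "raw": line}
    a = AUTH_RE.match(m.group("msg"))
    if a:
        event.update(kind="auth", result=a.group("result"), user=a.group("user"), src=a.group("src"))
        return event
    d = DOWNLOAD_RE.match(m.group("msg"))
    if d:
        event.update(kind="download", plc=d.group("plc"), user=d.group("user"))
    return event


def correlate(events, fail_threshold=3, window=timedelta(seconds=60), work_hours=range(8, 18)):
    """Run two correlation rules over time-ordered events and return the alerts raised.
    work_hours is an assumed maintenance window, not something the logs state."""
    alerts = []
    failures = []  # (ts, src, user) of every failed login seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "auth":
            if ev["result"] == "Failed":
                failures.append((ev["ts"], ev["src"], ev["user"]))
                continue
            cutoff = ev["ts"] - window
            n = sum(1 for ts, src, user in failures
                    if ts >= cutoff and src == ev["src"] and user == ev["user"])
            if n >= fail_threshold:
                alerts.append(("brute_force_success", ev["src"], ev["user"], n))
        elif ev["kind"] == "download" and ev["ts"].hour not in work_hours:
            alerts.append(("off_hours_download", ev["plc"], ev["user"], ev["ts"].isoformat()))
    return alerts


def analyze(lines):
    """Parse raw lines and correlate them; unparseable lines are dropped, not fatal."""
    events = [e for e in map(parse_line, lines) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The engineer's daytime download produces no alert and the kernel line is parsed but ignored, which is the point of the exercise: the value of a log platform is not the collection but the rules that turn thousands of unremarkable lines into the two that matter.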

Hardware

Physical security practices are an integral part of a complete cyber hygiene program. Physical security includes guards, strategic lighting, fences, doors and locks. Inside that perimeter and its access control, the hardware and components physically connected to the system are further protected by hardware security practices such as anti-tamper devices and hardware security modules (HSMs).

Anti-tamper devices are physically attached to hardware to detect or prevent unauthorized access to system components. This matters in an ICS because an attacker with physical access to a PLC or a field cabinet can often bypass every network-level control.

Hardware security modules are dedicated computing devices that perform cryptographic operations and keep the keys they use from leaving the device. They are used to manage digital keys for stronger authentication. Many HSMs also include anti-tamper protection that erases stored keys if the enclosure is opened.

Conclusion

SCADA environments and ICSes are increasingly moving from air-gapped embedded systems to systems connected to the internet. Greater attention to security is now required for these systems and environments.

There is an array of options available for those interested in securing ICSes from attack. These tools cover a multitude of categories, including log analysis, network monitoring, intrusion detection and hardware protection. A good ICS security posture uses tools that cover most of these categories to build a defense-in-depth architecture for the environment.

 

Sources

  1. A Survey of Security Tools for the Industrial Control System Environment, OSTI.gov
  2. ABB Ability™ Cyber Security Benchmark, ABB
  3. IOC Editor, FireEye
  4. A Hybrid Approach to ICS Intrusion Detection, F-Secure
  5. What is ICS Security?, Digital Guardian
  6. Hardware Security ICs Offer Large Security Returns at a Low Cost, Maxim Integrated
  7. A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity, Robert M. Lee

Be Safe

Tyra Appleby