
ICS/SCADA Security Technologies and Tools

April 21, 2020 by Tyra Appleby

Introduction

Industrial Control System (ICS)-embedded architectures differ from standard enterprise systems. ICS are interconnected, like enterprise systems, but the core of ICS is the Programmable Logic Controller (PLC) rather than a CPU. The PLC runs logic code and reads sensor inputs to provide system reliability.

ICSes are susceptible to cybersecurity threats despite the fact that, historically, they weren’t designed to be reliant on the internet to function. Previously, ICS were air-gapped and operated in their own discrete environments, independent of the internet. 


As with standard enterprise architecture environments, Supervisory Control and Data Acquisition (SCADA) environments now have tools to aid in cybersecurity. These tools are categorized by function and include:

  • Network traffic monitoring and anomaly detection
  • Indicators of Compromise (IOC) detection
  • Log analysis
  • Hardware security

The Idaho National Laboratory (INL) recently performed a survey of security tools used in the ICS environment. A short list of some of those tools is below:

  • ABB Cyber Security Benchmark
  • AlienVault Unified Security Management SIEM
  • Binary Ninja
  • Binwalk
  • Bro
  • Centrifuge
  • CheckPoint Software - SandBlast
  • ConPot
  • CyberX XSense
  • DarkTrace ICS
  • Digital Ants
  • Dragos
  • Elastic Stack
  • Fcd
  • FireEye IOC Editor
  • FireEye IOC Finder
  • Fortinet-Nozomi Networks
  • Hyperion
  • McAfee
  • Nessus
  • Nextnine ICS Shield
  • OSSEC
  • Plaso - Log2timeline
  • Protecode
  • Radare
  • Radiflow
  • Security Onion
  • SecurityMatters SilentDefense
  • Senami IDS
  • Snort
  • Snowman
  • Splunk
  • Suricata
  • Symantec Anomaly Detection for ICS
  • Symantec Embedded Security: CSP
  • Tofino Xenon Security Appliance (Tofino SA)
  • T-Pot
  • Tripwire
  • TruffleHog
  • USB-ARM
  • Verve Security Center
  • Volatility Framework
  • Waterfall BlackBox
  • WeaselBoard
  • X64dbg
  • YARA

While the tools on this list fall into the categories of network traffic monitoring and anomaly detection, Indicators of Compromise (IOC) detection, log analysis and hardware security, they could also be multi-purpose tools, covering multiple categories. 

This article is focused on the following categories and tools:

1. Multi-purpose

  • AlienVault Unified Security Management (USM) SIEM
  • Dragos
  • McAfee
  • Nessus

2. IOC detection

  • FireEye IOC Editor and Finder
  • ABB Cyber Security Benchmark

3. Network traffic anomaly detection

  • OSSEC
  • Security Onion
  • Snort
  • Symantec Anomaly detection for ICSs

4. Log review

  • ElasticSearch
  • Splunk

5. Hardware security

Multi-purpose tools

Multi-purpose tools provide some of the following benefits:

  • Asset discovery
  • Intrusion detection
  • Threat intelligence using behavioral analytics
  • Investigation and response assistance by providing step-by-step guidance

AlienVault Unified Security Management (USM) SIEM

A SIEM is a Security Information and Event Management system. It is used to view security information in easy-to-process formatting. AlienVault combines log management, SIEM functionality, asset discovery, vulnerability management and intrusion detection into one system. It is used in cloud, hybrid or on-premises environments.

Dragos

Dragos, the company, releases a yearly review of current threats, vulnerabilities, and lessons learned from incident response and assessments. This information can be used to help create security-related metric reports.

The Dragos Industrial Cybersecurity Ecosystem collects and cross-references suspicious events. The suite of tools offers asset discovery, compromise assessment functionality, threat hunting, forensics tools, automated workflows and incident response.

McAfee

McAfee is a well-known name in the security industry and has many tools used by security professionals to better protect their assets. McAfee also has a suite of security products geared towards SCADA. Their SCADA/ICS tools provide security in four areas:

  • Database
  • Endpoint
  • Data protection
  • Network security

Nessus

Nessus is another well-known name in the IT security sector. It is a security scanner developed by Tenable Network Security and used to identify system security vulnerabilities. The Nessus scanner is useful for malware detection, web application scanning, compliance checks, configuration review and assessments.

Security Onion

Security Onion is a collection of free tools used to assist with traffic analysis and network monitoring. It includes a Network Intrusion Detection System (NIDS), host-based Intrusion Detection System (HIDS), packet capture and analysis tools. Bro, Snort, Open-Source HIDS Security (OSSEC) and other tools are included in the Security Onion suite. 

Security Onion tools take the information gathered and show it in an easy-to-read format. This makes analysis easier to perform.

IOC detection tools 

IOC tools assist in data management and analysis, and manipulation of the IOC’s logical structures. An IOC is a forensic artifact that indicates a computer intrusion has taken place.

FireEye IOC Editor and Finder

FireEye has created both the IOC Editor and Finder for ICS systems. The editor is the interface used to manage data and manipulate the logical structures of IOCs. The XML documents produced by IOCs are used by incident responders and forensics analysts to capture the attributes of malicious payload files and/or the characteristics of registry changes after an attack. The IOC finder collects data generated by the host system and reports the presence of an IOC once identified.
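
The logical structure an IOC document carries, and the kind of matching a finder performs against collected host data, can be illustrated with a short added example (not FireEye's code). It uses a simplified OpenIOC-style document with the namespace and ids omitted; the hash, file name, registry path and host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified OpenIOC-style document: hash OR (file name AND registry path).
IOC_XML = r"""<ioc><definition>
 <Indicator operator="OR">
  <IndicatorItem condition="is">
   <Context search="FileItem/Md5sum"/><Content>00112233445566778899aabbccddeeff</Content>
  </IndicatorItem>
  <Indicator operator="AND">
   <IndicatorItem condition="contains">
    <Context search="FileItem/FileName"/><Content>updater_sample</Content>
   </IndicatorItem>
   <IndicatorItem condition="contains">
    <Context search="RegistryItem/Path"/><Content>\CurrentVersion\Run</Content>
   </IndicatorItem>
  </Indicator>
 </Indicator>
</definition></ioc>"""

def item_matches(item, host):
    """Test one IndicatorItem against the values collected for its search term."""
    term = item.find("Context").get("search")
    want = item.find("Content").text.strip().lower()
    values = [v.lower() for v in host.get(term, [])]
    cond = item.get("condition")
    if cond not in ("is", "contains"):
        raise ValueError(f"unsupported condition {cond!r}")
    return want in values if cond == "is" else any(want in v for v in values)

def evaluate(node, host):
    """Walk the Indicator tree, combining child results with AND/OR."""
    if node.tag == "IndicatorItem":
        return item_matches(node, host)
    results = (evaluate(child, host) for child in node)
    return all(results) if node.get("operator") == "AND" else any(results)

HOSTS = {  # constructed collections: search term -> values observed on the host
    "eng-ws-01": {"FileItem/Md5sum": ["00112233445566778899AABBCCDDEEFF"]},
    "hmi-02": {"FileItem/FileName": ["updater_sample.exe"]},
    "hist-03": {"FileItem/FileName": ["Updater_Sample.exe"],
                "RegistryItem/Path": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"]},
}

def sweep(xml_text, hosts):
    """Return the hosts on which the IOC's logic evaluates to true."""
    top = ET.fromstring(xml_text).find("definition/Indicator")
    return sorted(name for name, data in hosts.items() if evaluate(top, data))

if __name__ == "__main__":
    print(sweep(IOC_XML, HOSTS))
```

The host with only the file name does not match, because the nested AND branch also requires the registry path.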

ABB Cyber Security Benchmark

This performs an analysis of KPIs (Key Performance Indicators) to help identify the presence of IOCs. ABB tools are known for generating a very easy-to-read overview of the system status.

Network traffic anomaly detection

Network-connected systems have unique identities, and those identities set the benchmark for what is “normal” within that system. Network traffic anomaly detection tools are trained to recognize the identity of particular systems so that intrusions will appear as anomalies to the norm. These tools include:

OSSEC

This tool includes HIDS, log monitoring, signature analysis, anomaly detection, central logging and file integrity checks.

Snort

A very popular IDS/IPS (Intrusion Prevention System), Snort is known for providing signatures and its signature engine. Signatures are available for free or for a paid subscription. The paid subscription provides the most up-to-date signatures at a quicker rate. 

Snort is also used to perform protocol analysis, content searching and anomaly detection.

Symantec anomaly detection for ICSes

This performs a deep packet inspection of ICS protocols in SCADA environments.
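
The baseline idea described in this section can be shown with an added example (not code from any of the tools above): it inspects ICS protocol frames, learns which flows are "normal" from a known-good window, and flags deviations. Modbus/TCP is assumed as the protocol, since the article names none, and all addresses and frames are constructed.

```python
import struct
from collections import namedtuple

Flow = namedtuple("Flow", "src dst unit func")  # Modbus/TCP is an assumed choice

def adu(tid, unit, pdu):  # build MBAP header + PDU for the constructed samples
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(src, dst, payload):
    """Inspect one frame: validate the MBAP header, return its Flow identity."""
    if len(payload) < 8:
        raise ValueError("truncated frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    return Flow(src, dst, unit, payload[7])

def learn_baseline(frames):
    """The set of flows seen in a known-good window is the 'normal' identity."""
    return {parse_modbus_tcp(*frame) for frame in frames}

def detect(baseline, frames):
    """Return (src, dst, reason) for every frame that deviates from the baseline."""
    known_pairs = {(f.src, f.dst) for f in baseline}
    alerts = []
    for src, dst, payload in frames:
        try:
            flow = parse_modbus_tcp(src, dst, payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed: {exc}"))
            continue
        if flow not in baseline:
            kind = "new function code" if (src, dst) in known_pairs else "new talker"
            alerts.append((src, dst, f"{kind}: fc={flow.func} unit={flow.unit}"))
    return alerts

HMI, PLC, UNKNOWN = "10.0.0.5", "10.0.0.20", "10.0.0.99"  # constructed addresses
READ_HOLDING = bytes([3, 0, 0, 0, 10])   # fc 3: read 10 holding registers
READ_INPUT = bytes([4, 0, 0, 0, 4])      # fc 4: read 4 input registers
WRITE_SINGLE = bytes([6, 0, 1, 0, 255])  # fc 6: write one register
TRAINING = [(HMI, PLC, adu(1, 1, READ_HOLDING)), (HMI, PLC, adu(2, 1, READ_INPUT))]
MONITORED = [
    (HMI, PLC, adu(3, 1, READ_HOLDING)),      # matches the baseline
    (HMI, PLC, adu(4, 1, WRITE_SINGLE)),      # known pair, unseen function code
    (UNKNOWN, PLC, adu(5, 1, READ_HOLDING)),  # unseen source address
    (HMI, PLC, adu(6, 1, READ_HOLDING)[:9]),  # length field disagrees with size
]
if __name__ == "__main__":
    print(*detect(learn_baseline(TRAINING), MONITORED), sep="\n")
```

Because ICS polling is highly repetitive, even an exact-match baseline like this one separates a first-seen write or a new talker from routine reads.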

Log review

Systems generate logs, including audit logs, user access logs, security logs and system status logs. So much data is generated by logs that analysis can be difficult. Log review tools are designed to help with this issue. Some of the best log analysis tools for ICSes on the market include the following.

ElasticSearch

If you’ve ever heard the term “ELK stack,” ElasticSearch is the E in that acronym. (The other two letters are for Logstash and Kibana.) ElasticSearch is useful in data mining and analytics. It allows the user to search and filter data quickly through the use of manual searches or the creation of rulesets.

The Kibana dashboard is the tool used to easily view gathered information in a formatted GUI. It provides the visualization of the data.

Splunk

Splunk is a network monitoring tool that also provides intelligence. It is useful in analyzing device, HMI and overall network/system behaviors. Splunk is also useful in forensics investigations.

Hardware

Physical security practices are an integral part of a complete cyber hygiene program. Physical security includes guards, strategic lighting, fences, doors and locks. Within the protection of exterior security and access control, the hardware and components physically connected to the system are further protected by hardware security practices such as the use of anti-tampering devices and hardware security modules (HSM). 

Anti-tamper devices are physically attached to hardware to prevent unauthorized access to the physical system components.

Hardware security modules are physical computing devices that provide crypto processing. They are used to manage digital keys for more secure authentication. Some HSMs also include anti-tamper protection.

Conclusion

SCADA environments and ICSes are increasingly moving from air-gapped embedded systems to those that are connected to the internet. Greater security and attention to security is now required for these systems and environments. 

There is an array of options available for those interested in securing ICSes from potential attack. These security tools cover a multitude of categories including log analysis, network monitoring, intrusion detection and hardware protection. A good ICS security posture will use tools that cover a majority of these categories to ensure the most in-depth security architecture for their environment.


Sources

  1. A Survey of Security Tools for the Industrial Control System Environment, OSTI.gov
  2. ABB Ability™ Cyber Security Benchmark, ABB
  3. IOC Editor, FireEye
  4. A Hybrid Approach to ICS Intrusion Detection, F-Secure
  5. What is ICS Security?, Digital Guardian
  6. Hardware Security ICs Offer Large Security Returns at a Low Cost, Maxim Integrated
  7. A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity, Robert M. Lee
Tyra Appleby

Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.