ICS/SCADA Security Technologies and Tools
Industrial Control System (ICS) embedded architectures differ from standard enterprise systems. Like enterprise systems, ICS are interconnected, but the core of an ICS is the Programmable Logic Controller (PLC) rather than a general-purpose CPU. The PLC runs control logic against the sensor inputs it reads to keep the process operating reliably.
ICSes are susceptible to cybersecurity threats even though, historically, they were not designed to depend on the internet to function. Previously, ICS were air-gapped and operated in their own discrete environments, independent of the internet.
As with standard enterprise architecture environments, Supervisory Control and Data Acquisition (SCADA) environments now have tools to aid in cybersecurity. These tools are categorized by function and include:
- Network traffic monitoring and anomaly detection
- Indicators of Compromise (IOC) detection
- Log analysis
- Hardware security
The Idaho National Laboratory (INL) recently performed a survey of security tools used in the ICS environment. A short list of some of those tools is below:
- ABB Cyber Security Benchmark
- AlienVault Unified Security Management SIEM
- CheckPoint Software – SandBlast
- Digital Ants
- Dragos
- Elastic Stack
- FireEye IOC Editor
- FireEye IOC Finder
- Hyperion
- Nextnine ICS Shield
- Plaso – Log2timeline
- Protecode
- Radare
- Snort
- Symantec Anomaly Detection for ICS
- Symantec Embedded Security: CSP
- Tofino Xenon Security Appliance (Tofino SA)
- Tripwire
- TruffleHog
- Verve Security Center
- WeaselBoard
- YARA
While the tools on this list fall into the categories of network traffic monitoring and anomaly detection, Indicators of Compromise (IOC) detection, log analysis and hardware security, they could also be multi-purpose tools, covering multiple categories.
This article is focused on the following categories and tools:
1. Multi-purpose tools
   - AlienVault Unified Security Management (USM) SIEM
2. IOC detection
   - FireEye IOC Editor and Finder
   - ABB Cyber Security Benchmark
3. Network traffic anomaly detection
   - Security Onion
   - Symantec Anomaly Detection for ICSes
4. Log review
5. Hardware security
Multi-purpose tools provide some of the following benefits:
- Asset discovery
- Intrusion detection
- Threat intelligence using behavioral analytics
- Investigation and response assistance by providing step by step guidance
AlienVault Unified Security Management (USM) SIEM
A SIEM is a Security Information and Event Management system. It presents security information in an easy-to-process format. AlienVault combines log management, SIEM functionality, asset discovery, vulnerability management and intrusion detection into one system. It can be used in cloud, hybrid or on-premises environments.
Dragos
Dragos, the company, releases a yearly review of current threats and vulnerabilities and of lessons learned from incident response and assessments. This information can be used to help create security-related metric reports.
The Dragos Industrial Cybersecurity Ecosystem collects and cross-references suspicious events. The suite of tools offers asset discovery, compromise assessment functionality, threat hunting, forensics tools, automated workflows and incident response.
McAfee
McAfee is a well-known name in the security industry and has many tools used by security professionals to better protect their assets. McAfee also has a suite of security products geared towards SCADA. Their SCADA/ICS tools provide security in four areas:
- Data protection
- Network security
Nessus
Nessus is another well-known name in the IT security sector. It is a security scanner developed by Tenable Network Security and used to identify system security vulnerabilities. The Nessus scanner is useful for malware detection, web application scanning, compliance checks, configuration review and assessments.
Security Onion
Security Onion is a collection of free tools used to assist with traffic analysis and network monitoring. It includes a Network Intrusion Detection System (NIDS), a host-based Intrusion Detection System (HIDS), and packet capture and analysis tools. Bro, Snort, Open-Source HIDS Security (OSSEC) and other tools are included in the Security Onion suite.
Security Onion tools take the information gathered and show it in an easy-to-read format. This makes analysis easier to perform.
IOC detection tools
IOC tools assist in managing and analyzing IOC data and in manipulating the IOCs' logical structures. An IOC is a forensic artifact that indicates a computer intrusion has taken place.
FireEye IOC Editor and Finder
FireEye has created both the IOC Editor and the IOC Finder for ICS systems. The Editor is the interface used to manage data and manipulate the logical structures of IOCs. The XML documents that describe IOCs are used by incident responders and forensics analysts to capture the attributes of malicious payload files and/or the characteristics of registry changes made after an attack. The IOC Finder collects data generated by the host system and reports the presence of an IOC once one is identified.
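To make the "logical structure" of an IOC concrete, here is a small added Python example (not FireEye's code and not from the original article) that evaluates a simplified, hand-written OpenIOC-style indicator tree against a constructed snapshot of host artifacts. The element names (Indicator, IndicatorItem, Context, Content) loosely follow the OpenIOC convention, but the exact schema, the hash value, the file and registry names and the host data are all assumptions made up for the example.

```python
"""Evaluate a simplified OpenIOC-style indicator tree against host artifacts.

Added example, not FireEye's code. The XML and the host snapshot below are
constructed for illustration; the element names loosely follow the OpenIOC
convention but are an assumption, not the exact FireEye schema.
"""
import xml.etree.ElementTree as ET

# Constructed IOC: either a known-bad file hash, OR (a dropped DLL name AND a
# matching persistence registry value). The hash is a placeholder value.
IOC_XML = """<?xml version="1.0"?>
<ioc id="constructed-0001">
  <description>Constructed sample: dropped DLL plus registry persistence</description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context search="FileItem/Md5sum"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context search="FileItem/FileName"/>
          <Content type="string">update_helper.dll</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context search="RegistryItem/ValueName"/>
          <Content type="string">UpdateHelperSvc</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshot: keys are Context "search" paths, values are the
# artifacts an IOC Finder-style collector would have gathered for that path.
HOST_ARTIFACTS = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e",
                        "ffffffffffffffffffffffffffffffff"],
    "FileItem/FileName": ["C:\\Windows\\Temp\\update_helper.dll", "notepad.exe"],
    "RegistryItem/ValueName": ["UpdateHelperSvc", "Run"],
}


def item_matches(item, artifacts):
    """Test one IndicatorItem leaf against the observed artifacts."""
    search = item.find("Context").get("search")
    content = (item.find("Content").text or "").strip().lower()
    condition = item.get("condition", "is")
    observed = [v.lower() for v in artifacts.get(search, [])]
    if condition == "is":
        return content in observed
    if condition == "contains":
        return any(content in v for v in observed)
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(node, artifacts, matched):
    """Recursively evaluate an Indicator (AND/OR) subtree.

    Every leaf is evaluated (no short-circuit) so that `matched` lists all
    artifacts an analyst should look at, not just the first hit.
    """
    if node.tag == "IndicatorItem":
        hit = item_matches(node, artifacts)
        if hit:
            matched.append((node.find("Context").get("search"),
                            node.find("Content").text))
        return hit
    if node.tag == "Indicator":
        op = node.get("operator", "AND").upper()
        results = [evaluate(child, artifacts, matched) for child in node
                   if child.tag in ("Indicator", "IndicatorItem")]
        if not results:
            return False
        return all(results) if op == "AND" else any(results)
    raise ValueError(f"unexpected element: {node.tag}")


def scan_host(ioc_xml, artifacts):
    """Return (ioc_present, matched_leaves) for one IOC against one host."""
    root = ET.fromstring(ioc_xml)
    matched = []
    hit = evaluate(root.find("definition/Indicator"), artifacts, matched)
    return hit, matched


if __name__ == "__main__":
    present, leaves = scan_host(IOC_XML, HOST_ARTIFACTS)
    print("IOC present:", present)
    for search, value in leaves:
        print(f"  matched {search} = {value}")
```

The AND/OR nesting is the point: a single hash match is enough on its own, but the weaker string indicators only count together, which is how an editor lets responders express "this file name is suspicious only when this persistence entry is also present" without flooding hosts with false positives.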
ABB Cyber Security Benchmark
The ABB Cyber Security Benchmark analyzes KPIs (Key Performance Indicators) to help identify the presence of IOCs. ABB tools are known for generating a very easy-to-read overview of system status.
Network traffic anomaly detection
Network-connected systems have unique identities, and those identities set the benchmark for what is “normal” within that system. Network traffic anomaly detection tools are trained to recognize the identity of particular systems so that intrusions stand out as anomalies against that norm. These tools include:
This tool includes HIDS, log monitoring, signature analysis, anomaly detection, central logging and file integrity checks.
Snort
A very popular IDS/IPS (Intrusion Detection/Prevention System), Snort is known for its signatures and its signature engine. Signatures are available for free or through a paid subscription; the paid subscription delivers the most up-to-date signatures sooner.
Snort is also used to perform protocol analysis, content searching and anomaly detection.
Symantec anomaly detection for ICSes
This performs a deep packet inspection of ICS protocols in SCADA environments.
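The "identity sets the norm" idea at the start of this section can be shown with a baseline-and-deviation check. The following is an added Python example, not code from the original article or from any of the vendors named above: it learns which hosts talk to which, and over which protocol and port, from a constructed learning window of flow records, then classifies a constructed observation window. The addresses, roles and flows are assumptions; the only real protocol details are the Modbus/TCP (502) and EtherNet/IP (44818) ports.

```python
"""Baseline-and-deviation network anomaly detection for an ICS segment.

Added example, not code from the original article or any vendor. The flow
records are constructed; the hosts, addresses and roles are assumptions.
Modbus/TCP (502) and EtherNet/IP (44818) are the only real protocol details.
"""
from collections import defaultdict

# Constructed "learning window": flows seen while the plant ran normally.
# Each flow is (src, dst, proto, dst_port).
BASELINE_FLOWS = [
    ("10.1.5.10", "10.1.6.20", "tcp", 502),    # HMI -> PLC A, Modbus/TCP
    ("10.1.5.10", "10.1.6.21", "tcp", 502),    # HMI -> PLC B, Modbus/TCP
    ("10.1.5.30", "10.1.6.20", "tcp", 44818),  # historian -> PLC A, EtherNet/IP
    ("10.1.5.30", "10.1.6.21", "tcp", 44818),  # historian -> PLC B, EtherNet/IP
    ("10.1.5.10", "10.1.5.30", "tcp", 1433),   # HMI -> historian database
    ("10.1.5.10", "10.1.5.1", "udp", 53),      # HMI -> local DNS
]

# Constructed "observation window" to be checked against the baseline.
OBSERVED_FLOWS = [
    ("10.1.5.10", "10.1.6.20", "tcp", 502),    # normal
    ("10.1.5.10", "10.1.6.20", "tcp", 20000),  # known pair, never-seen port
    ("10.1.5.30", "10.1.6.21", "tcp", 44818),  # normal
    ("10.1.6.20", "10.1.6.21", "tcp", 502),    # two known hosts that never talked
    ("10.1.9.99", "10.1.6.21", "tcp", 502),    # address never seen on the segment
    ("10.1.5.10", "10.1.5.30", "tcp", 1433),   # normal
]


def learn_baseline(flows):
    """Build the segment's 'identity': the set of known hosts and, for every
    (src, dst) pair, the (proto, dst_port) services observed between them."""
    hosts = set()
    services = defaultdict(set)
    for src, dst, proto, dport in flows:
        hosts.update((src, dst))
        services[(src, dst)].add((proto, dport))
    return {"hosts": hosts, "services": dict(services)}


def detect_anomalies(baseline, flows):
    """Classify each flow as normal or as one of three deviations, from the
    most to the least severe: unknown host, new conversation, new service."""
    anomalies = []
    for flow in flows:
        src, dst, proto, dport = flow
        if src not in baseline["hosts"] or dst not in baseline["hosts"]:
            anomalies.append(("unknown_host", flow))
        elif (src, dst) not in baseline["services"]:
            anomalies.append(("new_conversation", flow))
        elif (proto, dport) not in baseline["services"][(src, dst)]:
            anomalies.append(("new_service", flow))
    return anomalies


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for kind, flow in detect_anomalies(baseline, OBSERVED_FLOWS):
        print(f"{kind:17s} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
```

This works in ICS networks precisely because their traffic is so regular: the same HMI polls the same PLCs on the same port all day, so a learning window of a few days captures the identity well and the three deviation classes stay rare. The same approach on a general office network would drown in new conversations, which is why commercial ICS products add protocol-aware inspection on top of this kind of baseline.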
Log review tools
Systems generate logs, including audit logs, user access logs, security logs and system status logs. So much data is generated by logs that analysis can be difficult. Log review tools are designed to help with this issue. Some of the best log analysis tools for ICSes on the market include the following.
ElasticSearch
If you’ve ever heard the term “ELK stack,” ElasticSearch is the E in that acronym. (The other two letters stand for Logstash and Kibana.) ElasticSearch is useful in data mining and analytics. It allows the user to search and filter data quickly, either through manual searches or by creating rulesets.
Kibana
The Kibana dashboard is the tool used to easily view gathered information in a formatted GUI. It provides the visualization of the data.
Splunk
Splunk is a network monitoring tool that also provides intelligence. It is useful in analyzing device, HMI and overall network/system behaviors. Splunk is also useful in forensics investigations.
Hardware security
Physical security practices are an integral part of a complete cyber hygiene program. Physical security includes guards, strategic lighting, fences, doors and locks. Within the protection of exterior security and access control, the hardware and components physically connected to the system are further protected by hardware security practices such as the use of anti-tampering devices and hardware security modules (HSMs).
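What a log review tool actually does for an ICS operator is reduce a large, mixed stream of records to a summary plus a few rule-driven alerts. The following is an added Python example, not from the original article and not Elastic's or Splunk's code: it parses constructed syslog-like lines from an HMI and a PLC, produces the per-event counts a dashboard would chart, and applies two rulesets of the kind the text describes (a burst of failed logins, and a control change outside a maintenance window). The hostnames, users, tag names, addresses and the 07:00 to 19:00 window are assumptions.

```python
"""Reduce a stream of ICS logs to a summary and a handful of actionable alerts.

Added example, not from the original article or from Elastic/Splunk. The log
lines are constructed in a syslog-like layout; hostnames, users, tags and the
maintenance window are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real product output).
LOG_LINES = [
    "2024-03-04T02:11:05Z hmi01 auth: LOGIN_FAIL user=operator src=10.1.5.23",
    "2024-03-04T02:11:40Z hmi01 auth: LOGIN_FAIL user=operator src=10.1.5.23",
    "2024-03-04T02:12:02Z hmi01 auth: LOGIN_FAIL user=operator src=10.1.5.23",
    "2024-03-04T02:12:30Z hmi01 auth: LOGIN_OK user=operator src=10.1.5.23",
    "2024-03-04T02:13:10Z hmi01 control: SETPOINT_CHANGE tag=PT-101 old=80 new=140 user=operator",
    "2024-03-04T09:05:00Z hmi01 auth: LOGIN_OK user=engineer src=10.1.5.10",
    "2024-03-04T09:06:12Z hmi01 control: SETPOINT_CHANGE tag=PT-101 old=140 new=80 user=engineer",
    "2024-03-04T14:00:00Z plc07 sys: STATUS run_mode=RUN cpu_load=12",
    "this line is deliberately malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<host>\S+) (?P<facility>\w+): (?P<event>\w+)(?P<kv>(?: \S+=\S+)*)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for a malformed one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "host": m.group("host"),
        "facility": m.group("facility"),
        "event": m.group("event"),
        "fields": fields,
    }


def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def summarize(entries):
    """Counts per (host, facility, event): the overview a dashboard would chart."""
    return Counter((e["host"], e["facility"], e["event"]) for e in entries)


def find_login_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Flag (user, src) pairs with `threshold` LOGIN_FAIL events inside `window`."""
    times = defaultdict(list)
    for e in entries:
        if e["event"] == "LOGIN_FAIL":
            times[(e["fields"].get("user"), e["fields"].get("src"))].append(e["ts"])
    alerts = []
    for key, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append({"user": key[0], "src": key[1], "first": stamps[i]})
                break  # one alert per (user, src) is enough for triage
    return alerts


def find_offhours_changes(entries, start_hour=7, end_hour=19):
    """Flag control changes made outside the assumed maintenance window."""
    return [e for e in entries
            if e["event"] == "SETPOINT_CHANGE"
            and not (start_hour <= e["ts"].hour < end_hour)]


if __name__ == "__main__":
    entries = parse_log(LOG_LINES)
    for key, n in sorted(summarize(entries).items()):
        print(f"{n:3d}  {key[0]} {key[1]} {key[2]}")
    for a in find_login_bursts(entries):
        print(f"ALERT login burst: user={a['user']} src={a['src']} from {a['first']}")
    for e in find_offhours_changes(entries):
        print(f"ALERT off-hours change: {e['ts']} {e['fields']}")
```

The two rules together tell a fuller story than either alone: three failed logins followed by a success and then a setpoint change at 02:13 is the sequence an analyst would want surfaced, while the same change at 09:06 by the engineer is routine. Tolerating malformed lines matters in practice because ICS devices emit irregular output, and a parser that aborts on the first odd line silently hides everything after it.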
Anti-tamper devices are physically attached to hardware to prevent unauthorized access to the physical system components.
Hardware security modules are physical computing devices that provide crypto processing. They are used to manage digital keys for more secure authentication. Some HSMs also include anti-tamper protection.
SCADA environments and ICSes are increasingly moving from air-gapped embedded systems to systems connected to the internet. Greater attention to security is now required for these systems and environments.
There is an array of options available for those interested in securing ICSes from potential attack. These security tools cover a multitude of categories, including log analysis, network monitoring, intrusion detection and hardware protection. A good ICS security posture uses tools that cover most of these categories to build the most in-depth security architecture for the environment.
Sources
- A Survey of Security Tools for the Industrial Control System Environment, OSTI.gov
- ABB Ability™ Cyber Security Benchmark, ABB
- IOC Editor, FireEye
- A Hybrid Approach to ICS Intrusion Detection, F-Secure
- What is ICS Security?, Digital Guardian
- Hardware Security ICs Offer Large Security Returns at a Low Cost, Maxim Integrated
- A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity, Robert M. Lee