SIEM for ICS/SCADA Environments
Security Information and Event Management (SIEM) solutions are the traditional IT go-to for organizations looking to get the most out of their vast information load, which includes system logs, network logs and Intrusion Detection and Prevention Systems (IDS/IPS). Although there are differences between a traditional IT environment and an Industrial Control System (ICS)/Supervisory Control and Data Acquisition, SIEM solutions help organizations secure their vital industrial systems.
This article introduces the concepts of SIEM and ICS/SCADA. It explores common features of SIEM in ICS/SCADA environments including timestamp of security events, collection of event-specific information, correlation of security events and the SIEM process steps.
What is SIEM?
SIEM is a software security solution that normalizes, collects, filters, assembles, correlates and provides central management of security events.
This pivotal security solution type allows for the collection of information from a wide array of security, network, device, application and user activity information sources such as log files, audit files, IDS/IPS solutions and other sources of information. This information is then analyzed for trends, allowing information security professionals to get a better understanding of their security environment in a way that the veritable nightmare of manual analysis cannot match.
What is ICS/SCADA?
ICS and SCADA are two types of control systems that are in widespread use in industry, manufacturing and critical infrastructure, like power grids. ICS and SCADA are different, with ICS being used slightly more in industry and SCADA used more in critical infrastructure, but the differences are superficial in a security-related context. Both of these environments share similar read-only, log-based information storage methods and employ near-identical methods of SIEM information collection and correlation.
SCADA environments sometimes have different SIEM needs based on their unique design proclivities.
Can SIEM benefit ICS/SCADA?
SIEM can be of great benefit to both ICS and SCADA environments. ICS and SCADA are both changing from a traditional defense-in-depth approach to security, especially when it comes to isolation and segmentation.
ICS/SCADA environments are now connecting to the internet. This opens these environments to attacks and intrusions facing IT environments, making SIEM an increasingly smart security solution choice for ICS/SCADA environments.
Common SIEM features
There are multiple vendors offering SIEM solutions for ICS/SCADA environments. Despite inherent differences, SIEM solutions share some common features that are worth noting.
Timestamp of security events
SIEM solutions offer timestamp information for security events, in real-time, in ICS/SCADA environments. This occurs so the security event can be better analyzed and later correlated with other information show the whole security picture.
SCADA environments face a unique challenge in that there are multiple components with different time clocks. These clocks should be synchronized as much as possible to provide accuracy and to distinguish between security events that occur at the same time.
Collection of event specific information
Information from security events and raw logs will be collected at a central service point. It is at this point the information is analyzed and processed for future use by the SIEM solution. References to the respective raw log items that the collected information was generated from are retained for forensics investigators, who require access to this identification information.
Correlation of security-related events
An essential functionality of SIEM solutions is its capability to correlate security events across an ICS/SCADA environment. Security event information is collected by the SIEM solution and stored for a long time, so backtracking can be performed to correlate security events with previous ones. The effect of this can be profound. Below is an example of the power of correlation:
- Without correlation, the same event occurring multiple times simultaneously will look just like a repeating event. With correlation, this behavior looks like an attack
- Suppose an ID card records an employee is leaving and 30 minutes later, that user’s login username and password is logged in a server room. Without correlation, this would look just like two security events allowed within security controls. With correlation, you can connect the dots to see that a login occurring after an ID card is used to leave would indicate a security breach
Correlation is what allows the massive amount of information to be used in an intelligent way and spot possible attacks and security breaches.
SIEM process steps
There are six main steps in the SIEM process. These steps are:
- Normalization and aggregation
- Alerting and reporting
- Raw log archiving
Some recommendations for using SIEM in ICS/SCADA environments should be considered by organizations to make their SIEM deployment as successful as possible.
- Use a universal clock: This will help standardize security event information across the ICS/SCADA environment
- Log information is often in different formats if it originates from different system components. Organizations should focus on standardizing the logging formats of the sub-system logs feeding information into SIEM
- Correlation rules can be complex. Ensure they are carefully crafted, or false positives will plague the SIEM solution
SIEM solutions are powerful tools that organizations can use to collect, process, analyze and correlate security event information. This correlated information is where the gold of SIEM lies, because it can transform otherwise useless information into evidence of attacks and security breaches.
- Yuan Gao, Xin Xie, Mithil Parekh, Edita Bajramovic, “SIEM: Policy-based Monitoring of SCADA Systems,” Informatik 2016
- Guide to Industrial Control Systems (ICS) Security, NIST