SIEM for ICS/SCADA environments
Security Information and Event Management (SIEM) solutions are the traditional IT go-to for organizations looking to get the most out of their vast information load, which includes system logs, network logs and Intrusion Detection and Prevention Systems (IDS/IPS). Although there are differences between a traditional IT environment and an Industrial Control System (ICS)/Supervisory Control and Data Acquisition, SIEM solutions help organizations secure their vital industrial systems.
This article introduces the concepts of SIEM and ICS/SCADA. It explores common features of SIEM in ICS/SCADA environments including timestamp of security events, collection of event-specific information, correlation of security events and the SIEM process steps.
Learn ICS/SCADA Security
What is SIEM?
SIEM is a software security solution that normalizes, collects, filters, assembles, correlates and provides central management of security events.
This pivotal security solution type allows for the collection of information from a wide array of security, network, device, application and user activity information sources such as log files, audit files, IDS/IPS solutions and other sources of information. This information is then analyzed for trends, allowing information security professionals to get a better understanding of their security environment in a way that the veritable nightmare of manual analysis cannot match.
What is ICS/SCADA?
ICS and SCADA are two types of control systems that are in widespread use in industry, manufacturing and critical infrastructure, like power grids. ICS and SCADA are different, with ICS being used slightly more in industry and SCADA used more in critical infrastructure, but the differences are superficial in a security-related context. Both of these environments share similar read-only, log-based information storage methods and employ near-identical methods of SIEM information collection and correlation.
SCADA environments sometimes have different SIEM needs based on their unique design proclivities.
Can SIEM benefit ICS/SCADA?
SIEM can be of great benefit to both ICS and SCADA environments. ICS and SCADA are both changing from a traditional defense-in-depth approach to security, especially when it comes to isolation and segmentation.
ICS/SCADA environments are now connecting to the internet. This opens these environments to attacks and intrusions facing IT environments, making SIEM an increasingly smart security solution choice for ICS/SCADA environments.
Common SIEM features
There are multiple vendors offering SIEM solutions for ICS/SCADA environments. Despite inherent differences, SIEM solutions share some common features that are worth noting.
Timestamp of security events
SIEM solutions offer timestamp information for security events, in real-time, in ICS/SCADA environments. This occurs so the security event can be better analyzed and later correlated with other information show the whole security picture.
SCADA environments face a unique challenge in that there are multiple components with different time clocks. These clocks should be synchronized as much as possible to provide accuracy and to distinguish between security events that occur at the same time.
Collection of event specific information
Information from security events and raw logs will be collected at a central service point. It is at this point the information is analyzed and processed for future use by the SIEM solution. References to the respective raw log items that the collected information was generated from are retained for forensics investigators, who require access to this identification information.
Correlation of security-related events
An essential functionality of SIEM solutions is its capability to correlate security events across an ICS/SCADA environment. Security event information is collected by the SIEM solution and stored for a long time, so backtracking can be performed to correlate security events with previous ones. The effect of this can be profound. Below is an example of the power of correlation:
- Without correlation, the same event occurring multiple times simultaneously will look just like a repeating event. With correlation, this behavior looks like an attack
- Suppose an ID card records an employee is leaving and 30 minutes later, that user’s login username and password is logged in a server room. Without correlation, this would look just like two security events allowed within security controls. With correlation, you can connect the dots to see that a login occurring after an ID card is used to leave would indicate a security breach
Correlation is what allows the massive amount of information to be used in an intelligent way and spot possible attacks and security breaches.
SIEM process steps
There are six main steps in the SIEM process. These steps are:
- Collection
- Normalization and aggregation
- Correlation
- Analysis
- Alerting and reporting
- Raw log archiving
Recommendations
Some recommendations for using SIEM in ICS/SCADA environments should be considered by organizations to make their SIEM deployment as successful as possible.
- Use a universal clock: This will help standardize security event information across the ICS/SCADA environment
- Log information is often in different formats if it originates from different system components. Organizations should focus on standardizing the logging formats of the sub-system logs feeding information into SIEM
- Correlation rules can be complex. Ensure they are carefully crafted, or false positives will plague the SIEM solution
Conclusion
SIEM solutions are powerful tools that organizations can use to collect, process, analyze and correlate security event information. This correlated information is where the gold of SIEM lies, because it can transform otherwise useless information into evidence of attacks and security breaches.
Learn ICS/SCADA Security Fundamentals
Sources
- Yuan Gao, Xin Xie, Mithil Parekh, Edita Bajramovic, "SIEM: Policy-based Monitoring of SCADA Systems," Informatik 2016
- Guide to Industrial Control Systems (ICS) Security, NIST
Learn SCADA Security Fundamentals
Get hands-on experience around ICS and their environments, devices, regulatory standards and more. What you'll learn:- Access controls
- Common cyber threats
- Process control networks
- ICS protocol features
- And more
In this Series
- SIEM for ICS/SCADA environments
- Securing operational technology: Safeguard infrastructure from cyberattack
- Operation technology sees rise in targeted remote access Trojans and ransomware
- Vehicle hacking: A history of connected car vulnerabilities and exploits
- Operational technology compromises: Low sophistication, high-frequency
- ICS/SCADA threats and threat actors
- Incident response and recovery best practices for industrial control systems
- BPCS & SIS
- Security Technologies for ICS/SCADA environments
- Data Loss Protection (DLP) for ICS/SCADA
- ICS/SCADA Wireless Attacks
- Security controls for ICS/SCADA environments
- SCADA & security of critical infrastructures [updated 2020]
- CIP (Common Industrial Protocol): CIP messages, device types, implementation and security in CIP
- Open vs proprietary protocols
- Critical security concerns facing the energy & utility industry
- ICS/SCADA Social Engineering Attacks
- ICS/SCADA Malware Threats
- Biggest threats to ICS/SCADA systems
- Intrusion Detection and Prevention for ICS/SCADA Environments
- Firewalls for ICS/SCADA environments
- ICS/SCADA Security Technologies and Tools
- The state of threats to electric entities: 4 key findings from the 2020 Dragos report
- Modbus, DNP3 and HART
- RS-232 and RS-485
- BACnet
- TASE 2.0 and ICCP
- FOUNDATION Fieldbus
- Account Management Concepts for ICS/SCADA environments
- PROFIBUS and PROFINET
- ICS Strengths and Weaknesses (from security perspective)
- Access Control Implementation in ICS
- ICS Components
- Access Control Models for ICS/SCADA environments
- ICS/SCADA Security Specialist/Technician Role
- Credential Management and Enforcement for ICS/SCADA environments
- IT vs ICS
- Process control network (PCN) evolution
- ICS protocols
- Saving lives with ICS and critical infrastructure security
- ICS/SCADA Access Controls
- Types of ICS
- Physical security for ICS/SCADA environments
- Introduction to SCADA security
- ICS/SCADA security overview
- Who Is Targeting Industrial Facilities and ICS Equipment, and How?
- Configuration of Anti-Virus and Anti-Malware Software within an ICS Environment
- MyPublicWiFi – A Windows Utility to manage ICS
- Situational awareness and ICS Using GRASS MARLIN
- Cyber risks for Industrial environments continue to increase
- Advice to a New SCADA Engineer
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Critical infrastructure
Securing operational technology: Safeguard infrastructure from cyberattack
Critical infrastructure
Operation technology sees rise in targeted remote access Trojans and ransomware
Critical infrastructure
Vehicle hacking: A history of connected car vulnerabilities and exploits
Critical infrastructure
Operational technology compromises: Low sophistication, high-frequency