By Dale Peterson, SecureSystems Insider Contributor
GOVERNMENTS AND industry organizations have recognized that supervisory control and data acquisition (SCADA), distributed control systems (DCS), and other process control networks, which we will refer to collectively as SCADA, are potential targets of attack from hackers, disgruntled insiders, cyberterrorists, and others who want to disrupt the critical infrastructure.
This article surveys the intrusion detection and cybersecurity monitoring products and services currently used in information technology (IT) enterprise networks, which can provide early identification of attacks from the most common threat agents. It also discusses the deficiencies of these general-purpose IT solutions and describes future SCADA-specific solutions. Especially important is the way intrusion detection can serve as a compensating security control for the lack of security in field communications.
In a General Accounting Office report, the U.S. government identified five trends that have escalated the risks to SCADA networks:
- Adoption of standardized technologies with known vulnerabilities
- Connectivity of control systems to other networks
- Constraints on the use of existing security technologies and practices
- Insecure remote connections
- Widespread availability of technical information about control systems
These trends have moved SCADA networks from proprietary, closed networks into the arena of information technology, with all its cost and performance benefits and all its IT security challenges. The transformation continues to be gradual and may take ten or more years to complete, as expensive legacy systems hang on. This leaves the SCADA community with the large challenge of providing appropriate IT security for a mission critical network whose systems and applications were never designed for the general IT environment and its inherent security risks.
New SCADA systems are emerging that have better security features, and this improvement is likely to continue as customers demand certified secure solutions. A number of efforts are underway to retrofit security onto legacy systems, but these efforts are having limited success and can be expensive. The SCADA community will need to find compensating security controls until secure systems are available and insecure legacy systems move on. Intrusion detection and security monitoring are possible compensating controls.
A strong information security program includes a variety of technical and administrative controls to prevent intrusions and unauthorized activities by internal and external threat agents. However, even with a set of strong security products and security policies, it is impossible to guarantee that a network is secure. For this reason, networks that are mission critical or contain sensitive information are deploying intrusion detection and cybersecurity monitoring systems.
Consider the physical analogy to this cyber situation. A critical building has locks on the doors, safes, and other mechanisms to prevent unauthorized access.
This same building will also deploy a set of physical monitoring systems, such as cameras and motion detectors, just in case a breach of security transpires. The monitoring systems identify breaches and enable a quick response.
A variety of product and service solutions have come on the market to create the cyber equivalent of cameras and motion detectors. These include:
Network intrusion detection sensor (NIDS) products: A device that sits on the network and evaluates data traveling over the network. A NIDS typically connects to SPAN ports on switches, so a single sensor can evaluate all or most of the traffic on a subnet. The sensor compares the observed traffic against patterns known to be associated with specific hacking exploits, called signatures. A NIDS may have more than 1,000 signatures, and each new exploit typically requires the development of a new signature.
Host intrusion detection sensor (HIDS) products: Software that loads on a host computer system. A HIDS identifies attacks using signatures or behavior analysis and attempts to prevent the attack. A HIDS is generally an active defense that combines attack identification and response.
Audit log analysis products: Computer systems, applications, infrastructure equipment, and most other IT hardware and software can generate an audit log. Some of the log entries will identify successful and failed intrusion attempts. There are a variety of systems available that gather log information from various sources and present it in a useful format to a network administrator or security officer.
Managed security system provider (MSSP) services: Security incidents occur on a twenty-four-hours-a-day, seven-days-a-week (24x7) basis. An organization needs a team of security experts working around the clock to monitor, evaluate, and quickly respond to information gathered from NIDS, HIDS, audit logs, and other sources. Many companies outsource these tasks to MSSPs. In addition to the staffing, MSSPs have developed sophisticated correlation and analysis engines to process the massive amount of data received daily. As an example, MSSP engines will reduce 5 million events a day to 200 or fewer events that require human evaluation. A small number of product vendors sell correlation and analysis engines for large organizations that want to keep this function in-house.
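The three mechanisms described above (signature matching on network traffic, extraction of login successes and failures from audit logs, and a correlation engine that collapses raw events into a handful of alerts for a human) fit together as one pipeline. The following Python script is an added example written for this article, not a product or code from the author; every packet record, log line, signature and host name in it is constructed for illustration, and the signature set and correlation rules are deliberately small stand-ins for what a real NIDS or MSSP engine carries.

```python
"""Toy security-monitoring pipeline: signature NIDS, audit-log analysis, correlation.

Added example. All traffic records, log lines, signatures and host names below
are constructed for illustration and do not come from any real network.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a frame copied to the sensor by a switch SPAN port."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures: (name, destination port or None for any, payload regex).
SIGNATURES = [
    ("telnet-root-login-attempt", 23, rb"login:\s*root"),
    ("http-directory-traversal", 80, rb"\.\./\.\./"),
]

# Constructed traffic seen on the SPAN port (hosts and addresses are made up).
TRAFFIC = [
    Packet("10.0.0.5", "192.168.1.10", 23, b"login: root"),
    Packet("10.0.0.5", "192.168.1.10", 23, b"login: root"),
    Packet("10.0.0.7", "192.168.1.20", 80, b"GET /../../config HTTP/1.0"),
    Packet("10.0.0.8", "192.168.1.20", 80, b"GET /index.html HTTP/1.0"),
    Packet("10.0.0.9", "192.168.1.30", 502, b"login: root"),  # wrong port: no match
]

# Constructed syslog-style authentication log lines (sshd format is illustrative).
AUTH_LOG = """
2024-01-15T03:00:01 hmi-01 sshd[1201]: Failed password for operator from 10.0.0.5 port 51000 ssh2
2024-01-15T03:00:03 hmi-01 sshd[1201]: Failed password for operator from 10.0.0.5 port 51001 ssh2
2024-01-15T03:00:05 hmi-01 sshd[1201]: Failed password for operator from 10.0.0.5 port 51002 ssh2
2024-01-15T03:00:09 hmi-01 sshd[1201]: Accepted password for operator from 10.0.0.5 port 51003 ssh2
2024-01-15T03:01:00 hmi-01 sshd[1207]: Accepted password for engineer from 10.0.0.50 port 40000 ssh2
2024-01-15T03:01:02 hmi-01 kernel: eth0 link up
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)

# Event types that are normal on their own and only matter in correlation.
BENIGN_ALONE = {"ssh-accepted"}


def nids_match(packets):
    """Emit one raw event per (packet, signature) hit, as a NIDS sensor would."""
    events = []
    for pkt in packets:
        for name, port, pattern in SIGNATURES:
            if (port is None or pkt.dport == port) and re.search(pattern, pkt.payload):
                events.append({"source": "nids", "sig": name, "src": pkt.src, "dst": pkt.dst})
    return events


def audit_log_events(lines):
    """Normalize login successes/failures from raw log lines; other lines are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({"source": "auth-log", "sig": "ssh-" + m["result"].lower(),
                           "src": m["src"], "dst": m["host"], "user": m["user"]})
    return events


def correlate(events, fail_threshold=3):
    """Collapse raw events into alerts a human should look at.

    1. Deduplicate non-benign events by (signature, src, dst), keeping a count.
    2. Flag a successful login that follows >= fail_threshold failures from the
       same source to the same host (order of events is significant).
    """
    counts = Counter((e["sig"], e["src"], e["dst"])
                     for e in events if e["sig"] not in BENIGN_ALONE)
    alerts = [{"sig": s, "src": src, "dst": dst, "count": n}
              for (s, src, dst), n in counts.items()]
    failures = defaultdict(int)
    for e in events:
        key = (e["src"], e["dst"])
        if e["sig"] == "ssh-failed":
            failures[key] += 1
        elif e["sig"] == "ssh-accepted" and failures[key] >= fail_threshold:
            alerts.append({"sig": "brute-force-then-success", "src": e["src"],
                           "dst": e["dst"], "count": failures[key], "user": e.get("user")})
    return alerts


def run_pipeline(packets=TRAFFIC, log_lines=AUTH_LOG):
    """Return (raw_events, alerts) for the constructed inputs."""
    events = nids_match(packets) + audit_log_events(log_lines)
    return events, correlate(events)


if __name__ == "__main__":
    raw, alerts = run_pipeline()
    print(f"{len(raw)} raw events reduced to {len(alerts)} alerts")
    for a in alerts:
        print(a)
```

On the constructed input, eight raw events (three NIDS hits and five log entries) are reduced to four alerts: the two telnet hits and three failed logins each collapse into a single counted alert, the lone successful logins are not alerts by themselves, and the success that follows three failures from the same source is promoted to its own alert. That collapse, at a vastly larger scale, is the job the article attributes to MSSP correlation engines.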
There are a number of commercial NIDS and HIDS vendors, and the open source NIDS and HIDS solutions have earned respect and are in wide use. In general, commercial vendors offer better support and easier-to-use products, while open source solutions are more flexible and the software is available for free.