PCSF group moves to detect control system attacks

June 13, 2006
The Process Control Systems Forum (PCSF) Interim Governing Board (IGB) has voted to transition the Control System Security Event Monitoring (SEM) Interest Group to Working Group status.
The Process Control Systems Forum (PCSF) Interim Governing Board has voted to transition the Control System Security Event Monitoring (SEM) Interest Group to Working Group status. The new designation signifies that the SEM Working Group has defined specific output from forthcoming projects that will be valuable to the control systems community as a whole and will support the PCSF’s underlying mission to accelerate the design, development, and deployment of more secure control and legacy systems.

According to Dale Peterson, Director, Network Security Practice, Digital Bond, Inc. and Chair of the SEM Working Group, the purpose of the Group is to serve as a clearinghouse of information and tools to detect attacks on control systems.

Accurately determining risk is extremely important to control system security. Today, the control system community understands two-thirds of the risk equation: the impact of a control system outage due to cyber attack and the vulnerabilities of control systems. What is missing is quantitative and qualitative measurement of the risk. SEM services, in the form of managed security services providers (MSSPs), are monitoring many control system networks for attacks and have threat data. Some asset owners also have deployed SEM products and have threat data.

The first task of the SEM Working Group is to gather and normalize this threat data from disparate sources. The SEM Working Group has been collaborating with these entities to develop a format that will allow them to easily—and anonymously—submit this data to the PCSF.

Next, the Group plans to analyze the data and provide statistics to the community through the PCSF. Planned statistics include the number of control systems being monitored, the number of actionable cyber security events, and the breakdown of the actionable cyber security events into seven event categories.

Today, SEM products and services monitor traditional IT systems such as firewalls, operating system logs, and intrusion detection systems (IDS). However, the majority of these products and services do not account for security events in the supervisory control and data acquisition (SCADA) and distributed control systems (DCS) application logs, because each application logs these security events differently.

In response to this, the SEM Working Group also plans to develop a data dictionary containing a normalized list of control system application log events and a description of the impact of each event. Additionally, they plan to create a database that will use pattern recognition to identify similar events from different SEM products.