Many of the large electric and oil/gas asset owners either have purchased a Security Event Manager (SEM) or use a managed security service provider (MSSP) for monitoring security on the enterprise network. Now that we have identified meta security events occurring in the control system network in a PI SCADA SEM in Part 2, Part 3 of the project sends these events from PI to the Enterprise SEM.
Why do this? At least a couple of reasons. First, the attacker may be coming from or through the Enterprise network so correlating events from the control system network and Enterprise network will help identify and respond to an attack. Second, oftentimes the top security expertise inside or outside an organization is assigned to the SEM. Having this talent aware of the security events can only help.
We will be developing and testing with Tenable’s Security Center SEM, and one of the asset owner participants has deployed both the PI on a SCADA DMZ and Security Center on the enterprise so we will have a real world test of the resulting toolkit.
Generalized Solution
The SEM marketplace is a lot more fragmented than the vulnerability scanner or historian markets, so generalizing this solution is critical for widespread use. Fortunately, most SEM’s have, by design and necessity, the ability to easily integrate and add context to security events sent to them. If they couldn’t do this it would be very difficult to support a new firewall, IDS, router or even a new log message in an existing device.
We will work with another of our asset owner partners who has a different enterprise SEM and test the toolkit integration.