We have written quite a bit about intrusion detection and developed SCADA signatures to detect attacks on the SCADA or DCS IP networks and associated DMZ’s, but let me introduce another buzzword to the community: extrusion detection.
The idea behind extrusion detection is you watch what is leaving your network to detect an attacker who has successfully attacked your network trying to phone home, propagate, or perform other nasty activities. This is not a new concept, Richard Bejtlich even has a book titled Extrusion Detection published back in 2005.
Extrusion detection is even more effective in control systems where authorized network traffic is relatively static and predictable as compared to the corporate network.
The easiest place to perform extrusion detection is the firewall between the control center and corporate network [and any other perimeter firewalls]. Of course we know that you have configured a least privilege ruleset. Right? A ruleset that not only limits what can pass from the corporate network to the DMZ and DMZ to control center to only the IP addresses and ports/services required, but also limits communication from the control center to less secure networks to only what is required and approved. You are blocking unnecessary outbound http, smtp, ftp, … requests.
This is an important point and common assessment finding. Many firewalls start with a default ruleset that blocks all traffic from less secure zones to more secure zones, but allow by default all traffic from more secure zones to less secure zones. Also, IT staffs still all too often allow all outbound traffic to the Internet so restricting outbound access may not be part of their methodology.
Now that you have a least privilege ruleset at the perimeters, extrusion detection is simple. Just monitor your firewall logs and look for blocked packets originating from the control center or other related zones. You will see an attacker or automated program that has gotten on your system from bad software, infected laptop, vendor connection, the dreaded consultant, or other source trying to get out of the network. Sure this is going to identify some traffic bouncing around your network that is not an attack, but it is not a bad idea to clean that up as well.
There are many other ways to perform extrusion detection, but the perimeter firewall log is a good place to start. Of course this is one of the many data sources we are including in the Portaledge project.