Quickdraw is Digital Bond’s DHS-funded security project to develop an application that will generate security log events for PLCs and other legacy field devices with little or no security event logging capability of their own.  While evaluating the technical requirements necessary to capture the security events identified for Quickdraw, Martin Solum and I came up with some event categories to help understand how much device- or application-specific knowledge would be necessary to implement each event.

The diversity in control system platforms and applications is well known, especially the large amount of legacy equipment that will remain deployed in the field for the foreseeable future.  This also means that many security events that are routine in enterprise computing show up in strange and mysterious ways in industrial control.  Some events are quite generic: all PLC and DCS systems allow the user to upload a control application.  Others, such as a user authentication system, may not be implemented at all by a given system in a given configuration.  Finally, many events that bear on the security state of the system are specific to the control application itself, such as changing the setpoint of a critical process variable.

To manage these differences, three event categories were defined: System Events, Device Events and Application Events.  The most generic category is System Events.  A System Event is one that is implemented, in some form or another, in all control systems.  An example of a System Event would be an invalid address in a message, since all networked control systems must have some mechanism to identify hosts.

Device Events represent security events specific to the type of controlling devices in the system.  Some devices implement a “locking” mechanism that prevents changes to ladder logic or setpoints, while others do not.  This is especially true for devices involved in safety systems, such as logic solvers.  Other Device Events could be the absence of a heartbeat message or an upload of device firmware.  Whether a user authentication system is present at all is determined by the equipment and its configuration, so all authentication events fall into this category.

Application Events are the most specific and require contextual knowledge of the control application running on the system.  Setpoint and register data can be sensitive, and accessing these values often has implications for the state of the process.  Knowing that a setpoint has been modified to a dangerous value is definitely worth detecting, but because what counts as “dangerous” is defined by the control application, any change to that application requires a corresponding update to the IDS rules that detect the event.
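As an added illustration of how the three categories translate into checks, the following Python sketch classifies Modbus/TCP request frames into System, Device and Application Events.  It is example code written for this article, not Quickdraw’s own implementation (which this post does not describe).  Modbus/TCP as the protocol, the set of known unit ids, the heartbeat interval and the table of critical holding registers are all assumptions constructed for the example; the register table in particular stands in for the application knowledge that Application Events need and that has to be updated whenever the control application changes.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP framing (an assumption; the post names no protocol): a 7-byte MBAP
# header (transaction id, protocol id, length, unit id) followed by the PDU.
MBAP = struct.Struct(">HHHB")
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Device knowledge (assumed): unit ids that exist on this segment, and how long
# a known unit may stay silent before its "heartbeat" counts as missing (seconds).
KNOWN_UNITS = {1, 2}
HEARTBEAT_INTERVAL = 30.0

# Application knowledge (constructed): holding-register offset -> (name, safe_min, safe_max).
# Offsets are raw 16-bit PDU addresses, not the 4xxxx register convention.
CRITICAL_SETPOINTS = {
    100: ("reactor_temp_sp", 50, 300),
    101: ("feed_rate_sp", 0, 1000),
}


@dataclass
class Event:
    category: str  # "system", "device" or "application"
    unit: int
    message: str


def check_setpoint(unit: int, addr: int, value: int) -> list[Event]:
    """Application Event: a write to a critical register, flagged when out of its safe range."""
    if addr not in CRITICAL_SETPOINTS:
        return []
    name, lo, hi = CRITICAL_SETPOINTS[addr]
    if lo <= value <= hi:
        return [Event("application", unit, f"{name} set to {value}")]
    return [Event("application", unit, f"{name} set to {value}, outside safe range {lo}-{hi}")]


def classify(frame: bytes) -> list[Event]:
    """Return the security events implied by a single Modbus/TCP request frame."""
    if len(frame) < MBAP.size + 1:
        return [Event("system", -1, "truncated frame")]
    _tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    events: list[Event] = []
    # System Events: framing errors that any networked protocol can exhibit.
    if proto != 0:
        events.append(Event("system", unit, f"invalid protocol id {proto}"))
    if length != len(frame) - 6:
        events.append(Event("system", unit, f"length field {length} does not match frame size"))
    # The post's System Event example: an invalid address, here an unknown unit id.
    if unit not in KNOWN_UNITS:
        events.append(Event("system", unit, "request addressed to unknown unit id"))
    pdu = frame[MBAP.size:]
    fc = pdu[0]
    if fc == WRITE_SINGLE_REGISTER and len(pdu) >= 5:
        addr, value = struct.unpack_from(">HH", pdu, 1)
        events.extend(check_setpoint(unit, addr, value))
    elif fc == WRITE_MULTIPLE_REGISTERS and len(pdu) >= 6:
        start, qty, nbytes = struct.unpack_from(">HHB", pdu, 1)
        data = pdu[6:6 + nbytes]
        if nbytes != 2 * qty or len(data) != nbytes:
            events.append(Event("system", unit, "write byte count does not match quantity"))
        else:
            for i in range(qty):
                (value,) = struct.unpack_from(">H", data, 2 * i)
                events.extend(check_setpoint(unit, start + i, value))
    return events


class HeartbeatMonitor:
    """Device Event: a known unit that has been silent longer than its interval."""

    def __init__(self, interval: float = HEARTBEAT_INTERVAL):
        self.interval = interval
        self.last_seen: dict[int, float] = {}

    def observe(self, ts: float, frame: bytes) -> list[Event]:
        """Record traffic from a unit at time ts and return the frame's events."""
        events = classify(frame)
        if len(frame) >= MBAP.size + 1:
            unit = MBAP.unpack_from(frame, 0)[3]
            if unit in KNOWN_UNITS:
                self.last_seen[unit] = ts
        return events

    def check(self, now: float) -> list[Event]:
        """Emit one Device Event per known unit that has gone quiet."""
        return [
            Event("device", unit, f"no traffic for {now - seen:.0f}s")
            for unit, seen in self.last_seen.items()
            if now - seen > self.interval
        ]


def build_write_single(unit: int, addr: int, value: int, tid: int = 1) -> bytes:
    """Constructed sample traffic: a Modbus Write Single Register request."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, addr, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu
```

Note where the knowledge lives: the framing checks in `classify` need nothing beyond the protocol, the unit-id set and heartbeat interval belong to the devices on the segment, and `CRITICAL_SETPOINTS` is pure application context that someone has to maintain alongside the control program.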

Of course, nothing is ever clear-cut when you have as much diversity as we do in process control.  Some events will fall into multiple categories, such as updates to configuration files that may be device- or application-specific.  There are definitely some interesting questions that still need answering.

The conclusion of this particular conversation was the selection of some initial events that the first alpha of Quickdraw will detect.  They include software upload, software download, firmware upload, PLC Lock and PLC Unlock.  If anyone has a preference for the specific events they’d like to see implemented sooner rather than later, or has any other input on Quickdraw and the events we ought to be logging, please leave us some comments!