We are back on the Portaledge project, and if our loyal readers remember this year’s tasks are to develop the capability for the PI Server to perform the automated security monitoring for CIP-5 and CIP-7. These modules, as will a NERC CIP approach, will work for any ICS, not just the bulk electric sector. Here are the CIP-5 monitoring requirements:

R3. Monitoring Electronic Access — The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.

R3.2. Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar day.

Solid, basic security advice to monitor the firewalls at the security perimeter and preferably do this in an automated fashion. There are a number of tools to do this, but rather than purchase and deploy something new, PI owners will be able to use the PI server to both collect the logs, monitor the logs and alert on attack activity.

We have started with Cisco PIX/ASA firewalls, simply because of market share and anecdotal experience seeing them in many energy sector security perimeters. We went through all of the System Log Messages available from the firewall via syslog and identified the cyber security / CIP-5 related messages. There are 48 applicable message types.

We then categorized these into Event Classes:

  • Attack Activity – A small number of events specifically tied to attacks such as LAND, teardrop or IP spoofing. Eventually IDS/IPS log messages from the perimeter security device may be added here.
  • Authenticated Access – These are valid logins to meet the access logging requirement and for forensics.
  • Inbound Blocked – Attempts to access inside the electronic security perimeter (ESP) that are blocked by the firewall. This can be spurious network traffic or an attacker knocking on the door.
  • Outbound Blocked – Attempts from inside the ESP to communicate outside the ESP that are blocked by the firewall.
  • Suspicious Activity – Log messages from blocked activity that is unexpected or invalid. It could be the result of an attack, but not necessarily.

The syslog messages are sent to a PI Syslog Interface and then forwarded to the PI Server, standard stuff for a PI administrator. The Portaledge modules create events in PI when one of the 48 identified messages are received. This is good for logging and forensics purposes, but probably too much for monitoring and alerting.

The Portaledge Event Class Modules will then create CIP-5 Event Class Events that aggregates all of the Events in each category over a user defined time period. Thresholds can be set for specified alerting types. The first release will have very simple thresholds. We will experiment with more sophisticated correlation and thresholds in the future, but my hunch is the simpler the better for most ICS owner/operators at this point. After all, there is nothing here that a full featured SIEM cannot do. The main benefits to the owner/operator is the simplicity and integration into a PI Server that is already deployed and understood.