As I have started writing the code for using Portaledge to meet NERC CIP requirements, some other security benefits of this process have become apparent. These benefits improve security in two ways: by creating data redundancy, and by leveraging the log data through the Portaledge correlation process.
By using PI via Portaledge to store log events, redundant copies of the log events are created. These copies help to guard against the dangers of data loss and data tampering. As hard drive failures are common, the combination of the original logs, the log events stored in PI, and the PI data backed up to a PI slave creates a much more reliable log-keeping mechanism than the original logs on the original system alone.
This redundancy will also help to reveal log tampering. Erasing one’s tracks by deleting or modifying log files is part of any good attacker’s repertoire of tricks. By deleting or modifying the logs, the attacker can make his presence very hard to prove, erasing the forensic audit trail. The cyclic gathering and monitoring of these log events through Portaledge helps to keep a “good” copy of the log files and to show where the logs have been tampered with.
Aside from creating data redundancy, Portaledge will parse through the logs and extract relevant data. As I am currently playing with IDS logs, I am extracting: source ports and IPs, destination ports and IPs, session protocol, event message (type), event time-stamp, and priority. All of these data points, save for the priority, are currently used in Portaledge to correlate events. With this correlation we can now combine events from multiple sources: IDSs, system event logs, system security logs, firewall logs, field device logs and others. This correlation of the various logs, combined with the correlation of the existing Portaledge Availability and Enumeration events, creates a very powerful tool for monitoring the security of a control system network.
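As an added example (not Portaledge’s or OSIsoft’s own code), the following Python sketches the two steps described above: extracting the listed fields from constructed Snort-style fast-alert lines, then correlating them with a constructed firewall record by source IP within a time window. The log format, the field names, the `run()` entry point and the year supplied to the timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample IDS lines in Snort "fast" alert style (not real captured data).
IDS_LINES = [
    "01/15-14:22:31.123456  [**] [1:2100498:7] ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:44321 -> 10.0.0.7:80",
    "01/15-14:22:35.000001  [**] [1:1000001:1] SCAN nmap XMAS [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.1.5:52000 -> 10.0.0.9:22",
]
# Constructed firewall record, already normalised to the same field names as the IDS events.
FW_EVENTS = [{"ts": datetime(2010, 1, 15, 14, 22, 33), "source": "firewall", "msg": "DENY",
              "src_ip": "192.168.1.5", "dst_ip": "10.0.0.7", "dst_port": 445, "proto": "TCP"}]

IDS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

def parse_ids_line(line, year=2010):
    """Extract timestamp, message, priority, protocol, IPs and ports from one alert line."""
    m = IDS_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than drop the whole batch
    d = m.groupdict()
    # Snort fast format carries no year; the caller supplies one (assumed) so timestamps compare.
    d["ts"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    for k in ("src_port", "dst_port", "prio"):
        d[k] = int(d[k])
    d["source"] = "ids"
    return d

def correlate(events, window_s=60):
    """Group events by source IP; report hosts seen by more than one log source
    or touching more than one destination within window_s seconds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        sources = {e["source"] for e in evs}
        dsts = {e["dst_ip"] for e in evs}
        if span <= window_s and (len(sources) > 1 or len(dsts) > 1):
            findings[src] = {"sources": sorted(sources), "destinations": sorted(dsts), "count": len(evs)}
    return findings

def run():
    return correlate([e for e in map(parse_ids_line, IDS_LINES) if e] + FW_EVENTS)
```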