If a control system is hacked and there are no mechanisms in place to forensically trace the attack, you have no idea how the attack occurred and no clues on what to do to close/remediate the attack pathway. This lack of forensics leaves the system open and vulnerable to the repetition of the exact same vector.

Enter Qucikdraw, Portaledge and Bandolier. Quickdraw is Digital Bond’s DHS funded control system specific set of Snort IDS pre-processors that monitors for common field device events. Portaledge is Digital Bond’s DOE funded security event monitor that builds upon the OSIsoft PI ACE engine to monitor a control system for attack events. And last but not least is Bandolier. Bandolier is Digital Bond’s DOE funded set of accredited Nessus scans for common control system devices that helps to lock the devices down, hardening security.

By deploying an IDS on the control system network and coupling it with the event monitoring capability of Portaledge you can create a deep record of what actions composed the attack, what systems were unsuccessfully attacked, and what systems are most likely infected. This, combined with Quickdraw’s ability to create common field device logs, becomes a compelling argument for deploying these devices.

By installing an IDS armed with the Quickdraw preprocessor rules, and feeding the alerts into Portaledge, you can provide forensics to field devices by now logging mnay common field device events. Such events include; login attempts, successful logins, firmware pushes, point polling and a multitude of other events. A complete list of Quickdraw events is available on Digital Bond’s SCADAPedia.

The Enumeration, and Availability modules of Portaledge, coupled with the correlational ability of Portaledge to create event chains and meta event chains will provide a record of the basics of how the attack occurred. By reviewing the Portaledge events one can determine the system to system attack pathway. This information can be used to determine which machines were targeted.

With the new NERC CIP driven Portaledge modules, these alerts generated by Quickdraw can be stored in the PI Historian via Portaledge. Creating a forensic log of the events in the PI Historian. These Qucikdraw and other IDS created events will then be correlated with the events of the Availability and Enumeration modules. The inclusion of the IDS events will also help to create a more complete forensic record. The IDS can reveal the specific attack and exploit against a specific system.

Portaledge will then correlate the IDS driven alerts with the Enumeration and Availability alerts. Such an attack, on a control system with a properly configured Portaledge Traffic Monitor would generate both the IDS alert, and the Traffic Monitor alert. The Portaledge Meta Event module would then correlate these alerts on their source and destination IPs.

Now armed with a list of targeted/infected systems and insights into the attackers activities, the system administrator can use Bandolier accredited vulnerability scans to determine weaknesses in the targeted systems (after the systems have been sanitized). As part of the scan results Bandolier will suggest remediations and patches.