Charles and I are currently working on adding modules into the Portaledge code base that help asset owners and operators to meet NERC CIP logging requirements (for more specifics on Portaledge and NERC CIP requirements see this previous blog post and the SCADApedia page). As part of this work I am writing a module that adds IDS awareness to Portaledge.
This IDS awareness adds a new dimension of alerting into Portaledge, integrating the IDS into Portaledge’s correlation and aggregation capabilities. This broadens the set of possible events that Portaledge can work from to include many types of attacks, exploits, and other common hacking techniques seen by the IDS.
Currently the IDS writes its alerts to syslog; the PI Syslog Interface then brings that data into a PI point. I then retrieve the data from the point across a time-slice and look for the relevant IDS input. This seems a bit convoluted, but the PI Syslog Interface really makes it a simple process.
As noted above, this module adds IDS awareness to Portaledge, letting Portaledge correlate and aggregate on events and alerts seen by the IDS (the syslog interface will also let us look for a variety of other events, such as privilege escalation and failed login attempts, but I digress).
I am currently focused on Snort. This means the module understands standard Snort alert output, parses the fields out of each Snort alert, and then uses some of that data to decide whether the event should be added to Portaledge. I currently use a SCADA tag in the QuickDraw preprocessors, the Snort classifications, and Snort SIDs to decide whether a Snort alert should be included.
Snort was chosen as the first target because it is free in certain forms, has many rules available for it, including Digital Bond's IDS signatures for common DCS protocols and known SCADA exploits, and enjoys a large install base.
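As an added example (not the Portaledge module's own code), here is the kind of parse-then-filter step described above in Python: it pulls the GID/SID/revision, message, classification, priority and addresses out of Snort alert lines as they appear in syslog, then keeps only alerts whose message carries a SCADA tag, whose classification is of interest, or whose SID is explicitly listed. The tag string, classifications, SIDs and sample log lines are all constructed for illustration.

```python
import re
from typing import Iterable, List, Optional

# Snort alert as written to syslog by the alert_syslog output plugin:
#   [gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src:port -> dst:port
# Classification and Priority are optional: rules without a classtype omit them.
SNORT_ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_snort_alert(line: str) -> Optional[dict]:
    """Return the alert fields from one syslog line, or None if it is not a Snort alert."""
    m = SNORT_ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev"):
        a[k] = int(a[k])
    a["classification"] = a["classification"] or ""
    a["priority"] = int(a["priority"]) if a["priority"] else None
    return a

# Inclusion policy (assumed values, not Portaledge's own): keep an alert if its message
# carries the SCADA tag, its classification is of interest, or its SID is explicitly listed.
SCADA_TAG = "SCADA"
CLASSIFICATIONS = frozenset({"Attempted User Privilege Gain", "Attempted Administrator Privilege Gain"})
SIDS = frozenset({1000077})  # constructed SID of a rule tracked regardless of classification

def should_include(a: dict, tag=SCADA_TAG, classes=CLASSIFICATIONS, sids=SIDS) -> bool:
    return tag in a["msg"] or a["classification"] in classes or a["sid"] in sids

def select_alerts(lines: Iterable[str]) -> List[dict]:
    """Parse one time-slice of syslog lines and keep only the alerts Portaledge should ingest."""
    parsed = (parse_snort_alert(line) for line in lines)
    return [a for a in parsed if a is not None and should_include(a)]

# Constructed sample syslog lines; SIDs, hosts and messages are made up for illustration.
SAMPLE_LINES = [
    "Mar  3 14:02:11 ids1 snort[2231]: [1:1000001:2] SCADA Modbus TCP force listen only mode "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.20.5:49152 -> 10.1.10.7:502",
    "Mar  3 14:02:15 ids1 snort[2231]: [1:384:5] ICMP PING [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 10.1.20.9 -> 10.1.10.7",
    "Mar  3 14:02:20 ids1 snort[2231]: [1:1000042:1] Telnet login to PLC "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.20.5:50112 -> 10.1.10.8:23",
    "Mar  3 14:02:21 ids1 snort[2231]: Reload of the rule set completed",
]
```

Running `select_alerts(SAMPLE_LINES)` keeps the tagged Modbus alert and the privilege-gain alert, drops the ICMP ping, and skips the non-alert line without error.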
The question then becomes:
What other IDS flavors and outputs should be included?
If you think a flavor of IDS should be included, make a case for it. And if you are going to make a case for an IDS... please include some example output that I can work from. I can always add a user-tunable parameter to specify which type of IDS is being used, or even set it up to work with multiple IDSs, if the other IDSs identify themselves in their output the way Snort does.
The goal is to make Portaledge more robust and comprehensive in working with IDSs.