Lightweight Journaling for Scada Systems via Event Correlation - Critical Infrastructure Protection X
Conference Papers Year : 2016

Lightweight Journaling for Scada Systems via Event Correlation

Abstract

Industrial control systems are not immune to cyber incidents. However, the support for incident responders and forensic investigators is low. In particular, there are limited journaling capabilities for operator actions. Barring the preservation of full packet captures and operator workstation security logs, which can generate unmanageable amounts of data on production networks, it is generally not possible to attribute control events (e.g., opening a valve or operating a breaker) to individual operators. This information can be necessary to perform security investigations, especially in cases involving malicious insider activities. This chapter presents a lightweight journaling system for SCADA networks based on event correlation. By correlating network events and operating system logs, a journal is generated of all Modbus protocol write events along with the usernames of the operators who performed the actions. The journal is much more compact than a full packet capture, achieving compression ratios of around 570 to 1 in conservative conditions and more than 2,000 to 1 in typical operating conditions, allowing for the preservation of valuable information for security investigations.
Fichier principal
Vignette du fichier
434671_1_En_6_Chapter.pdf (521.79 Ko) Télécharger le fichier
Origin Files produced by the author(s)
Loading...

Dates and versions

hal-01614870 , version 1 (11-10-2017)

Licence

Identifiers

Cite

Antoine Lemay, Alireza Sadighian, Jose Fernandez. Lightweight Journaling for Scada Systems via Event Correlation. 10th International Conference on Critical Infrastructure Protection (ICCIP), Mar 2016, Arlington, VA, United States. pp.99-115, ⟨10.1007/978-3-319-48737-3_6⟩. ⟨hal-01614870⟩
47 View
119 Download

Altmetric

Share

More