About NitroSecurity (slide transcript, 18 pages)

Posted on 21-Mar-2020

Page 1

About NitroSecurity

Born from the INL

Highly Optimized Core Architecture, Using Patented Technology

- 8 unique mechanisms to improve performance (collection & analysis)

- Unique mechanisms to improve the diversity of supported devices

- Unique mechanisms to improve storage efficiency and archiving

- Additional open technology to further optimize performance

NitroEDB

IDS / IPS

SIEM

Log Mgmt

Database

Monitor

Application

Data Monitor

Page 2

All Assets Need Security

– “The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.”

~ CIP-007-3 (R6)

Page 3

What does this mean?

1. The assets themselves need security baked in

– Hardened (ports & services)

– Cleaned (protected against malware and patched)

– Restricted (account / access control)

– Monitored (audit trail of security event activity)

2. All Assets need to be monitored as a system

– Analyzed (trends, anomalies)

– Correlated (threats, risk)

– Organized (reports, compliance)

Page 4

Alternate Security Monitoring

• What if an Asset doesn’t produce sufficient security events?

– CIP compliant “drop in” security appliances can passively monitor the control system

– Events are generated passively (no impact to asset)

• Example

– Network-based IDS with advanced SCADA pre-processors

– Advanced detection signatures for exploit threats against control systems (e.g., OPC)

Page 5

What’s a SIEM?

• A Security Information & Event Management System (SIEM) collects all relevant information from the enterprise network, to:

– Understand systems & protocols of the ENTERPRISE

– Detect patterns indicative of THREATS

– Analyze VULNERABILITY and RISK

– Provide forensic detail required to INVESTIGATE

– Provide actionable data for INCIDENT RESPONSE

– Produce a clear audit trail for COMPLIANCE

Page 6

But this isn’t “The Enterprise” …

Page 7

… it’s a Control System

Diagram courtesy of US CERT

Page 8

So, what does the Control System need?

• A Security Information & Event Management System (SIEM) that collects all relevant information from the control system, to:

– Provide CONTEXT to threats within the Control System

– Monitor Control System SYSTEMS & PROTOCOLS to detect anomalies/patterns that threaten RELIABILITY

– Analyze EVENTS in accordance with CIP-007

– Provide actionable data for INCIDENT RESPONSE

– Produce auditable reports for SUSTAINED NERC-CIP COMPLIANCE

Page 9

[Diagram: The Secure Enclave. Labels: Outside systems & services (e.g., Internet); Other Cyber Assets; Critical Assets & All Systems that Access them]

… is it this easy?

Page 10

The Evolution of Threats

• They’re moving “up the stack”

– Targeting the application layer

• They’re getting more complex

– Multiple vectors

– Tiered reconnaissance

– Low & slow profiles

Page 11

Threats are “Moving up the Stack”

OSI layers: ① Physical, ② Data Link, ③ Network, ④ Transport, ⑤ Session, ⑥ Presentation, ⑦ Application

– Physical Security = Who enters the control room

– Routable Access Control = Who connects to cyber assets

– Database Security = Who / what accesses Historian

– Application Security = Who logs in to sensitive applications

Page 12

Authorized Applications Break the ESP

OSI layers: ① Physical, ② Data Link, ③ Network, ④ Transport, ⑤ Session, ⑥ Presentation, ⑦ Application

– Physical Access = Personal Identity (name, badge #)

– Network Access = Logical Identity (IP, MAC, hostname)

– Backend Access = Session Identity (port ID, session ID)

– Application Access = User Identity (login, domain name, etc.)

Page 13

Re-examining the Enclave

[Diagram labels: Outside systems & services (e.g., Internet); Other Cyber Assets; Business Apps & Services; CS Apps & Services; Remote Apps & Services; Critical Assets]

… the ESP is blurred

Page 14

Monitor activity from outside of the enclave

Monitor Business Apps & Services

Monitor Control Systems Apps & Services

Page 15

Monitoring all Layers of the ESP

OSI layers: ① Physical, ② Data Link, ③ Network, ④ Transport, ⑤ Session, ⑥ Presentation, ⑦ Application

– Physical Security = Who enters the control room → Physical Access Control / Endpoint Security (Entry Scanner Logs, Biometrics, etc.)

– Routable Access Control = Who connects to cyber assets → Separation of Networks (IPS, Firewalls, Access Control Lists, etc.)

– Database Security = Who / what accesses Historian → Database Access Control (Database Monitoring, DB Log Analysis, IAM, etc.)

– Application Security = Who logs in to sensitive applications → Application / Use Policies (Application Monitoring, Application Whitelisting, etc.)

Page 16

Enhancing SIEM for the Control System

• Behavior Monitoring

– Establish baseline network and asset behavior

• Advanced Vulnerability Assessment

– Understand vulnerabilities specific to control systems

• Advanced Correlation

– Identify threats within the context of the control system

• Identity Management

– Map logical ID (usernames) to Personnel (CIP-003)

• Change Management

– Monitor configuration changes
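The identity mapping on the “Authorized Applications Break the ESP” slide and the “Map logical ID (usernames) to Personnel (CIP-003)” item above can be worked as a small cross-layer correlation rule. The example below is added here and is not NitroSecurity’s code; the badge and login directories, the enclave network, the log line format and the sample log lines are all constructed for the illustration. It maps a badge # (physical layer), a source IP (network layer) and a login (application layer) to one person, and alerts on sensitive-application logins that lack supporting context from the lower layers.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed directory data (hypothetical): each layer's identity mapped to a person
BADGE_TO_PERSON = {"B-1001": "alice", "B-1002": "bob"}                        # physical: badge #
LOGIN_TO_PERSON = {"alice.ops": "alice", "bob.eng": "bob", "svc_hmi": None}   # application: login
ENCLAVE_NETS = [ip_network("10.20.0.0/16")]                                   # network: inside the ESP
SENSITIVE_APPS = {"historian", "hmi"}
ENTRY_WINDOW = timedelta(hours=8)   # a badge entry must precede a login within this window

def parse_line(line):
    """Parse a constructed 'timestamp|layer|key=value ...' log line into a dict."""
    ts, layer, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["layer"] = layer
    return fields

def correlate(lines):
    """Alert on sensitive-app logins that lack supporting context from the lower layers."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    last_entry = {}   # person -> most recent control-room badge entry time
    alerts = []
    for ev in events:
        if ev["layer"] == "physical" and ev.get("action") == "entry":
            person = BADGE_TO_PERSON.get(ev["badge"])
            if person:
                last_entry[person] = ev["ts"]
        elif ev["layer"] == "application" and ev.get("app") in SENSITIVE_APPS:
            person = LOGIN_TO_PERSON.get(ev["user"])
            reasons = []
            if person is None:
                reasons.append("login not mapped to personnel (CIP-003)")
            elif person not in last_entry or ev["ts"] - last_entry[person] > ENTRY_WINDOW:
                reasons.append("no control-room badge entry for %s before login" % person)
            src = ip_address(ev["src"])
            if not any(src in net for net in ENCLAVE_NETS):
                reasons.append("login source %s is outside the ESP" % src)
            if reasons:
                alerts.append((ev["ts"].isoformat(), ev["user"], ev["app"], reasons))
    return alerts

SAMPLE_LOGS = [  # constructed sample lines: physical entry, then application logins
    "2020-03-21T07:55:00|physical|badge=B-1001 action=entry door=control-room",
    "2020-03-21T08:12:00|application|user=alice.ops app=historian src=10.20.5.7 result=success",
    "2020-03-21T22:40:00|application|user=bob.eng app=hmi src=198.51.100.23 result=success",
    "2020-03-21T23:05:00|application|user=svc_hmi app=hmi src=10.20.5.9 result=success",
]
```

Running `correlate(SAMPLE_LOGS)` yields no alert for alice.ops (badge entry and in-enclave source both present), two reasons for bob.eng (no badge entry, source outside the ESP) and one for svc_hmi (a login that maps to no person).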

Page 17

Turning Data into Intelligence

[Diagram: data sources feeding the SIEM]

– Events from SCADA, HIDS, NIDS, firewalls, and other security devices

– Historian transactions

– OS events

– Contents of Business Apps & Services

– User Identity

– VA Scan Data

– Asset Event Logs

– Authentication & IAM

– Location

– Physical Entry Logs

Page 18

Thank You!