Awesome SCADA Security Operations Centre

To understand the problems faced by SCADA users, the team at Regency IT Consulting wanted to build a basic test rig. The goal with the rig was to help us understand the users’ challenges and to interact with the technology and protocols.

I’ve always worked on the basis of needing to be able to ‘take things apart’ and understand its internals before I look at how to protect them. Call it going back to the first principles of Information Security if you like, but to me it’s a simple common sense and a methodical approach.

Development of the SCADA Security Operations Centre (SOC)

The first prototype was boxes and wires everywhere on a bench. We could change it around and try things, add and subtract components and attempt ‘off the wall’ stuff that challenged conventional thinking. Never assume that the intuitive approach is the best. Instead, deliberately throw a metaphorical spanner1 in the works and see what happens. Do what doesn’t make sense and apply Murphy’s Law, because in real life that is what tends to happen all too regularly.

Having learned from the prototype, we worked on the Mark 2 version. This version was intended not just as a test rig, but also as a demonstration system. We didn’t want to have a SCADA security demo that was pre-recorded and used a script with a video. Those are too boring.

Instead, we wanted to show people the reality, and to allow them to interact with it. We used the Tofino SCADA Security Simulator, large version, as the starting point, and then added touch screens and the actual working systems to control it. This was called “Security Operations Centre in a Box”, which quickly became “SOC-in-a-Box”. I can’t take credit for the name or for the engineering behind it, that was our Operations Manager Dan Hanman and his team.

The “SOC-in-a-Box” contains the control workstation for the Tofino Security Appliances, a fully working McAfee SIEM (Security Information and Event Management program) and their Whitelisting technology. There are firewalls, a switch and all the cabling and power. The box is hidden in the base of the stand you can see in the picture.

Shown is the Regency IT “Security Operations Centre in a Box”.  Photo: Regency IT Consulting.

It Demonstrates, It Tests Stuff, It Looks Good and It Travels Too!

From arriving on site with 3 flight cases I can have the stand and system set up and running in just over an hour. Yes, I did say flight cases. This system is not only effective; it’s also air-portable! We’re just waiting for the first emergency call from a client to bring it to their defense – and we could do the same on your site.

Using the system we can run a variety of attacks from different vectors in undefended mode, partially or fully defended. We can show the different impacts, the value of each defense, and the behavior of associated monitoring tools.

This isn’t smoke and mirrors, I have run hundreds of live demonstrations, including at the recent International Cyber Security Forum for Energy and Utilities conference in Abu Dhabi. Eric Byres had the opportunity to examine and play with the system himself, so over to him for a few words....

More than just a SCADA Security Demo

David’s SOC-in-a-Box is an amazing bit of engineering. There are many SCADA demos out there (including our Tofino SCADA Security Simulator) that can show you a cool SCADA hack or two. And there are even a few that integrate a solution in them too. But what Regency IT did was create a wide range of different attack scenarios to represent the real world of threats faced by the typical power or oil and gas company.

Then they integrated a number of separate security products together to provide a realistic defense scenario as well. No company can depend on a single technology to solve all their security needs, so a demo that shows a multi-technology situation is far closer to real life.

To cap it off, Regency IT worked to create a seamless interaction between PLCs, HMI, Firewalls, Whitelisting and SIEMs. For example, launch a Modbus based attack against the PLC and of course the Tofino Firewall will detect it. But it is then integrated into the SIEM system to provide a dashboard view of what is happening across the entire SCADA and IT network. That integration is more than a demo – it is proof that integrated security solutions can be created.

If you get a chance to see the SOC-in-a-Box demo, take advantage of it. It will open your eyes to what is possible using the technology on the market today.

1 The UK word for wrench

Update Sept 20, 2012

The “Security Operations Centre-in-a-Box” has been nominated for an innovation award by Utilities Middle East. Here is what the publication says about it:

“With utilities operators becoming increasingly aware of the existence of cyber threats to automation systems, Cassidian CyberSecurity's recent launch of its Security Operation Centre has been timely. Utilizing industrial firewalls, whitelisting and deep packet inspection of data, the firm has created an integrated system to protect the information systems of critical national infrastructure.”

(Ed. Note: Cassidian is the parent company of Regency IT Consulting)

This article is a special guest contribution by:

David Alexander
Head of Vulnerability Research, Regency IT Consulting
david.alexander@regencyitc.co.uk

Eric Byres collaborated with David on this article.

Related Content to Download

Presentation - "Advanced Persistent Threat: A Real Problem, with Real Solutions"

 

Download this presentation and benefit from:

  • Definitions of APT and The Threat Continuum
  • Examples of Advanced Persistent Threat (APT) attacks on major companies
  • A summary of the advanced approaches companies use to defend against APTs

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Comments

2

Does the "SOC-in-a-Box" perform full packet capture, as described here:
http://www.netresec.com/?page=Blog&month=2012-08&post=SCADA-Network-Fore...

I'd say that sniffing all network traffic from a SCADA network is by far the best way to enable digital forensics of an attack!

David is away this week in the Middle East, so I will jump in with my point of view.

First, what impressed me with the SOC-in-Box wasn't the individual capabilities of the various pieces, but rather how the Regency IT team had integrated so many different products into a unified system that does a lot of analysis of the data streams. Getting SCADA Firewalls, Whitelisting, SIEM, PLC, HMI and so on to talk to each other isn't a trivial task, and correlating the data into a meaningful dashboard is a real challenge.

Now to answer your specific question, the Tofino is doing the actual packet capture. I believe that David has the Tofino sending the first 64 bytes of any suspect frame to the SIEM. It is not sending the whole frame, because the first 64 bytes contains 99% of the useful forensic data. This significantly reduces the bandwidth load on the network, something that really matters, especially over a WAN-based SCADA system.

Add new comment