Lightweight Journaling for Scada Systems via Event Correlation

Abstract: Industrial control systems are not immune to cyber incidents, yet the support available to incident responders and forensic investigators is limited. In particular, journaling of operator actions is scarce. Short of preserving full packet captures and operator workstation security logs, which generate unmanageable amounts of data on production networks, it is generally not possible to attribute control events (e.g., opening a valve or operating a breaker) to individual operators. This information can be necessary for security investigations, especially in cases involving malicious insider activity. This chapter presents a lightweight journaling system for SCADA networks based on event correlation. By correlating network events with operating system logs, a journal is generated of all Modbus protocol write events together with the usernames of the operators who performed them. The journal is far more compact than a full packet capture, achieving compression ratios of around 570 to 1 under conservative conditions and more than 2,000 to 1 under typical operating conditions, allowing valuable information to be preserved for security investigations.
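The correlation the abstract describes, as an added example that is not the paper's code: constructed Modbus write events and constructed workstation logon/logoff events are joined by source host, and each write is attributed to the user most recently logged on at that host. The event layouts, the `build_journal` function and the matching rule are assumptions made for this illustration.

```python
# Added example (not the paper's implementation): attribute Modbus writes to
# operators by correlating them with workstation logon events.
# Constructed sample data: Modbus writes observed on the network
# (timestamp, source IP, unit id, function code, address, value)
MODBUS_WRITES = [
    ("2016-03-01T10:05:12", "10.0.0.21", 1, 5, 17, 0xFF00),    # write single coil
    ("2016-03-01T10:07:40", "10.0.0.22", 1, 6, 100, 42),       # write single register
    ("2016-03-01T10:30:05", "10.0.0.21", 1, 16, 200, [1, 2]),  # write multiple registers
    ("2016-03-01T10:31:00", "10.0.0.21", 1, 3, 200, None),     # a read: not journaled
    ("2016-03-01T11:00:00", "10.0.0.99", 1, 5, 17, 0),         # host with no logon record
]
# Constructed sample data: logon/logoff events from workstation OS logs
# (timestamp, workstation IP, username, "logon" | "logoff")
OS_EVENTS = [
    ("2016-03-01T09:58:00", "10.0.0.21", "alice", "logon"),
    ("2016-03-01T10:06:30", "10.0.0.22", "bob", "logon"),
    ("2016-03-01T10:20:00", "10.0.0.21", "alice", "logoff"),
    ("2016-03-01T10:25:00", "10.0.0.21", "carol", "logon"),
]
# Modbus function codes that change process state; reads are left out, which
# is what makes the journal so much smaller than a packet capture.
WRITE_FUNCTIONS = {5: "write_coil", 6: "write_register",
                   15: "write_coils", 16: "write_registers"}

def build_journal(writes, os_events):
    """Return one journal entry per Modbus write, naming the user logged on at
    the source host at that time, or "UNATTRIBUTED" if no session is known."""
    sessions = sorted(os_events, key=lambda e: e[0])  # ISO timestamps sort lexically
    journal = []
    for ts, src, unit, func, addr, value in sorted(writes, key=lambda w: w[0]):
        if func not in WRITE_FUNCTIONS:
            continue
        user = "UNATTRIBUTED"
        for ets, host, name, kind in sessions:
            if host != src or ets > ts:
                continue  # other workstation, or event after the write
            # Replay the host's session history up to the write time
            user = name if kind == "logon" else "UNATTRIBUTED"
        journal.append({"time": ts, "user": user, "host": src, "unit": unit,
                        "op": WRITE_FUNCTIONS[func], "addr": addr, "value": value})
    return journal

def unattributed(journal):
    """Writes with no operator session: worth an alert in an investigation."""
    return [e for e in journal if e["user"] == "UNATTRIBUTED"]
```

Entries with no matching session (the write from 10.0.0.99 above) are exactly the ones an investigator would want surfaced, since a write with no logged-on operator suggests an unmanaged host or a gap in log collection.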
Document type:
Conference paper
10th International Conference on Critical Infrastructure Protection (ICCIP), Mar 2016, Arlington, VA, United States. IFIP Advances in Information and Communication Technology, AICT-485, pp.99-115, 2016, Critical Infrastructure Protection X. 〈10.1007/978-3-319-48737-3_6〉


https://hal.inria.fr/hal-01614870
Contributor: Hal Ifip
Submitted on: Wednesday 11 October 2017 - 15:00:07
Last modified on: Wednesday 11 October 2017 - 15:01:12

File

Restricted access
File available on: 2019-01-01


License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Antoine Lemay, Alireza Sadighian, Jose Fernandez. Lightweight Journaling for Scada Systems via Event Correlation. 10th International Conference on Critical Infrastructure Protection (ICCIP), Mar 2016, Arlington, VA, United States. IFIP Advances in Information and Communication Technology, AICT-485, pp.99-115, 2016, Critical Infrastructure Protection X. 〈10.1007/978-3-319-48737-3_6〉. 〈hal-01614870〉
