Detection and Analysis of Threats to the Energy Sector (DATES)
Alfonso Valdes, Senior Computer Scientist, SRI International
Sponsored by the Department of Energy National SCADA Test Bed Program, managed by the National Energy Technology Laboratory
The views herein are the responsibility of the authors and do not necessarily reflect those of the funding agency.
DATES Vision
Future control systems with a PCS-aware (process control system) defense perimeter and globally linked cyber defense coordination:
– Intrusion detection fully tuned for control system protocols and for the highest-threat TCP/IP attacks
– Real-time event correlation to support local operator identification and response
– Specification-based policies enabling intrusion prevention without impacting availability
– An anonymous and secure peer sharing framework that allows sector-wide threat intelligence acquisition
Enables rapid collaborative response to emerging threats.
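The "specification-based policies" bullet is the one worth seeing in code: instead of attack signatures, the detector carries an allow-list derived from the protocol specification and the plant's known-good configuration, and anything outside it is a finding. The following is an added illustration, not DATES or SRI code; the slides do not name a protocol, so Modbus/TCP is assumed because its framing is small enough to show in full, and the policy, register ranges and sample frames are constructed for a hypothetical RTU. The availability point from the slide is reflected in the drop rule: only a request provably outside policy is dropped, and only in prevention mode, while malformed frames are alerted on but never dropped.

```python
"""Specification-based policy check for Modbus/TCP requests (added example)."""
import struct
from dataclasses import dataclass

# Constructed allow-list: unit id -> function code -> permitted register ranges.
# A specification-based policy states what IS legitimate; nothing else needs a signature.
POLICY = {
    1: {
        0x03: [(0, 99)],    # Read Holding Registers, addresses 0..99
        0x06: [(10, 19)],   # Write Single Register, setpoint block 10..19 only
    },
}

MAX_READ_QUANTITY = 125   # Modbus spec bound for Read Holding Registers


@dataclass
class Finding:
    reason: str
    unit: int
    function: int
    drop: bool = False    # True only when the engine is in prevention mode


def build_request(unit: int, fc: int, *words: int) -> bytes:
    """Construct a Modbus/TCP request (MBAP header + PDU); used for sample input."""
    pdu = bytes([fc]) + b"".join(struct.pack(">H", w) for w in words)
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes):
    """Return (unit, function code, data) or raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return unit, frame[7], frame[8:]


def inspect(frame: bytes, policy=POLICY, prevent: bool = False) -> list:
    """Inspect one request against the policy and return a list of findings.

    Only a request that is provably outside the policy is marked drop=True, and
    only when prevent=True. Malformed or truncated frames are alerted on but never
    dropped, so a decoder edge case cannot silently take control traffic down.
    """
    try:
        unit, fc, data = parse_modbus_tcp(frame)
    except ValueError as err:
        return [Finding(f"malformed frame: {err}", -1, -1)]

    per_unit = policy.get(unit)
    if per_unit is None:
        return [Finding("unit id not in policy", unit, fc, drop=prevent)]
    ranges = per_unit.get(fc)
    if ranges is None:
        return [Finding(f"function 0x{fc:02x} not permitted for unit", unit, fc, drop=prevent)]
    if fc not in (0x03, 0x06):
        return []   # permitted by function code; register decoding for other codes not shown here

    if len(data) < 4:
        return [Finding("truncated PDU", unit, fc)]
    addr, second = struct.unpack(">HH", data[:4])
    if fc == 0x03:
        if not 1 <= second <= MAX_READ_QUANTITY:
            return [Finding(f"read quantity {second} violates spec", unit, fc, drop=prevent)]
        first, last = addr, addr + second - 1
    else:
        first, last = addr, addr   # 0x06: second word is the value, one register touched
    if not any(lo <= first and last <= hi for lo, hi in ranges):
        return [Finding(f"registers {first}..{last} outside permitted range", unit, fc, drop=prevent)]
    return []


if __name__ == "__main__":
    samples = [
        build_request(1, 0x03, 0, 10),        # legitimate poll
        build_request(1, 0x06, 15, 500),      # legitimate setpoint write
        build_request(1, 0x06, 40, 0),        # write outside the setpoint block
        build_request(1, 0x05, 0, 0xFF00),    # Write Single Coil, not in policy
        build_request(1, 0x03, 0, 200),       # oversized read, spec violation
        b"\x00\x01\x00\x00\x00\x02\x01\x03",  # truncated PDU, alert only
    ]
    for s in samples:
        print(s.hex(), inspect(s, prevent=True))
```

The check a practitioner would add before turning prevention on is to run the same policy in detect-only mode against a capture of normal operations and confirm zero findings; a policy that fires on legitimate polls is exactly the availability hit the slide warns about.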
Detection and Event Monitoring
Control-system-aware IDS at the device, control LAN, and host levels
Event correlation integrates the new detection data sources into ArcSight
Result:
– Breakthrough detection and Security Information Event Monitoring (SIEM) in infrastructure systems
– High-fidelity situational awareness
Sector Level Threat Detection and Analysis
Develop a sector-wide, distributed, global, privacy-preserving repository of security events
Enable participants to automatically:
– Contribute event data without attribution
– Query databases for emerging threats
– Conduct analyses to assess their security posture relative to that of other participants
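The three bullets above describe a capability, not a mechanism; the following added example (not DATES or SRI code) shows one minimal way the contribute/query/compare loop can fit together. Everything in it is an assumption of this example: the events, site keys and signature names are constructed, internal assets are replaced by keyed HMAC tokens, and the site name is replaced by a random per-submission nonce so the repository can count distinct contributors without learning who they are. Tokenizing assets is only the first step of "privacy-preserving"; timing and volume can still fingerprint a contributor, which is why the slide calls for a full framework rather than a hash.

```python
"""Contributing security events without attribution and querying the shared pool.

Added example; the sharing mechanism and all data here are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import statistics
from collections import defaultdict


def tokenize(site_key: bytes, value: str) -> str:
    """Stable pseudonym for an internal identifier, reversible only with the site key.

    A keyed HMAC rather than a plain hash: the private address space is small
    enough that an unkeyed SHA-256 of '10.1.2.3' is recovered by brute force in
    seconds, which would hand the repository the site's network map.
    """
    return hmac.new(site_key, value.encode(), hashlib.sha256).hexdigest()[:16]


def contribute(site_key: bytes, events: list, batch_id: str = "") -> list:
    """Turn a site's raw alerts into records it can release.

    The site name is dropped; the victim asset is tokenized (stable within a site,
    so repeated hits on one host remain visible, but unlinkable across sites); the
    external source indicator and detector signature stay in clear, since those are
    the intelligence being shared.
    """
    batch = batch_id or secrets.token_hex(8)   # random, unlinkable across submissions
    return [
        {
            "batch": batch,
            "ts": e["ts"],
            "sig": e["sig"],
            "src_ip": e["src_ip"],
            "asset": tokenize(site_key, e["asset"]),
        }
        for e in events
    ]


def emerging_threats(pool: list, min_batches: int = 2) -> dict:
    """Signatures reported by at least min_batches distinct contributions.

    A signature arriving from several independent batches is the cross-site
    signal that no single participant can see on its own.
    """
    seen = defaultdict(lambda: {"batches": set(), "src_ips": set()})
    for r in pool:
        seen[r["sig"]]["batches"].add(r["batch"])
        seen[r["sig"]]["src_ips"].add(r["src_ip"])
    return {
        sig: {"contributors": len(v["batches"]), "src_ips": sorted(v["src_ips"])}
        for sig, v in seen.items()
        if len(v["batches"]) >= min_batches
    }


def relative_posture(pool: list, my_batch: str) -> dict:
    """Compare one contributor's alert volume with the median of all other batches."""
    counts = defaultdict(int)
    for r in pool:
        counts[r["batch"]] += 1
    others = [c for b, c in counts.items() if b != my_batch]
    return {"mine": counts.get(my_batch, 0),
            "peer_median": statistics.median(others) if others else 0}


# Constructed sample alerts from two hypothetical sites; signature names are made up.
EVENTS_A = [
    {"ts": 1, "sig": "CTRL_WRITE_OUTSIDE_POLICY", "src_ip": "203.0.113.7", "asset": "10.1.2.3"},
    {"ts": 2, "sig": "CTRL_WRITE_OUTSIDE_POLICY", "src_ip": "203.0.113.7", "asset": "10.1.2.3"},
    {"ts": 3, "sig": "CTRL_UNSOLICITED_FLOOD", "src_ip": "198.51.100.2", "asset": "10.1.2.9"},
]
EVENTS_B = [
    {"ts": 5, "sig": "CTRL_WRITE_OUTSIDE_POLICY", "src_ip": "203.0.113.7", "asset": "10.1.2.3"},
]
SITE_KEY_A = b"constructed-site-a-key"
SITE_KEY_B = b"constructed-site-b-key"


def build_pool() -> list:
    """Both sites contribute; fixed batch ids are used here only so results are checkable."""
    return contribute(SITE_KEY_A, EVENTS_A, "A") + contribute(SITE_KEY_B, EVENTS_B, "B")


if __name__ == "__main__":
    pool = build_pool()
    print(emerging_threats(pool))
    print(relative_posture(pool, "A"))
```

Note that both sites use the address 10.1.2.3 internally, yet their tokens differ and neither can be mapped back to the other or to the address; within a site the token is stable, so the repository still sees one host being targeted repeatedly.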
Test and Evaluation
Implement a development environment in cooperation with a control systems vendor
Sandia will provide a red team assessment of this defense-enabled control system architecture
As solutions mature, Sandia will conduct an extensive red team test and evaluation on the actual system
The Team
SRI (overall lead): intrusion detection, protocol analysis, event aggregation, privacy-preserving sector-wide repository
Sandia National Laboratories: architectural vulnerability analysis, red team
ArcSight: Security Information Event Monitoring