By: Gabe Authier, product manager, Tripwire
In the past, industrial networks have been relatively immune to cybersecurity concerns. That's not so true now, as manufacturing environments become increasingly connected and exposed to the kinds of cyber issues that previously only corporate IT teams had to deal with. Industrial operators, too, would now benefit from an understanding of cybersecurity techniques, strategies and tools.
Not all of the cybersecurity practices driven in IT should be applied in operational technology (OT) – some of those approaches can be disruptive in an operational environment. But one best practice that can and should be borrowed is "log management." Logs can tell you when a cyber event occurs that can interfere with your ability to view, monitor or control your process. Industrial cyber security takes layers of defenses, so log management certainly isn't a silver bullet. However, collecting those logs is a relatively easy step to start with, yet many manufacturers still haven't implemented it.
A "Data Historian" for Cyber Events
You likely have a data historian on your shop floor. The data historian captures telemetry information about the measurements made and actions taken by the industrial process. Each device on the industrial network contributes data that then is stored in a central database.
If there is an incident on the production line, the data historian provides a way to understand what went wrong. A control engineer can review the point values, alarm events and batch records, and reconstruct events leading up to the failure. With a clear understanding of how events unfolded, control engineers then can make the necessary changes to prevent a recurrence.
In the same way that a data historian captures and replays process events and sensor measurements, log management solutions capture and store log events that are relevant to understanding the industrial network’s cybersecurity state and operations. A cyber historian performs five services for the industrial network:
Collection. The collection of log events, produced by a variety of network devices, is core to any cyber historian system. While this operation may appear simple at first, secure and reliable log collection involves many considerations. Of course, missing log data can’t be analyzed at all, so the ability to ensure that logs get collected is key. In addition, a cyber historian product should offer multiple means to collect logs, while also recommending the most reliable method.
Storage. Collected logs need to go somewhere, and the volume of log data makes storage a significant issue for any deployment. At a minimum, log storage needs to address the requirements for preservation and compression of log data. More advanced features add flexibility around where the data is stored geographically, generally for compliance requirements and scalability. While storing log data, it is also necessary to “normalize” it—organize it into a single format, which simplifies viewing for operators when the data is recalled later.
Search. Collected data is meant to be used, and log searching is an activity that applies whenever it is valuable to reconstruct events and/or to search for an intrusion. To be effective, log search should provide the right balance of flexibility and performance; users should be able to directly affect the search by providing better filtering using classification tags. While it’s preferred to search indexed, normalized log data, the ability to review raw logs is a key requirement as well. Log searching needs to facilitate directed queries, as well as broad queries that allow a control engineer to narrow down the results. For comparison purposes, users also should be able to simultaneously view the results of multiple queries.
Correlation. Cybersecurity events rarely occur in a single log entry from a single device. Much of what a cybersecurity specialist does is connect the dots between related events. While not all of this manual effort can be automated, a correlation capability in a cyber historian tool should alleviate the burden of the most obvious examples. While many events can be pre-populated with vendor-supplied rules, the most powerful correlation capabilities come from patterns of events that are specific to an individual organization or department.
In addition, some cyber historians can support importing additional data sources to facilitate more complete correlated events. Examples include vulnerability information and asset context from other cybersecurity and asset management systems.
Output. Finally, the ability to get data out of the system, whether from log searching or correlated events, is a core requirement for any cyber historian system. Whether that next stop is a human or another system, it’s vital that the cyber historian tool facilitate the exchange of data. Consider how search results are exported, whether they can be scheduled, how correlated events are delivered, and destination options.
Using Syslog Data for Logging
There are several ways to get data into a data historian, but the most universally supported method is syslog. Originally developed in the 1980s, syslog existed for a number of years as a de facto standard that was widely used but not recognized by any formal organization. Eventually, it was standardized by the Internet Engineering Task Force as RFC 3164. Because of its usefulness and open design, it is incorporated into most devices.
For any device you wish to monitor, syslog must be configured with the address of the cyber data historian or syslog server. The device will then send all of its status messages to the syslog server for logging. Once the data has been received by the syslog server and recorded, it can no longer be modified by the originating device. This is important in the event the original device is ever compromised.
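To make the five cyber historian services and the syslog format above concrete, here is an added example in Python; it is not code from the original article or from Tripwire. It collects a handful of constructed RFC 3164 lines (the hostnames, addresses and messages are made up), normalizes them into a uniform record while keeping unparseable lines as raw text, offers a directed search over the normalized store, applies one organization-specific correlation rule (repeated SSH authentication failures from one source followed by a success on the same device), and exports the result as JSON lines for a downstream system. The year assigned to the timestamps is an assumption, because RFC 3164 timestamps carry none.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample RFC 3164 (BSD syslog) lines, standing in for what a
# controller, an HMI and an edge firewall would forward to the syslog server.
# Hostnames, addresses and message texts are made up for this example.
SAMPLE_LINES = [
    "<86>Mar  3 08:01:05 plc-line1 sshd[412]: Failed password for root from 10.1.20.7 port 51022 ssh2",
    "<86>Mar  3 08:01:09 plc-line1 sshd[412]: Failed password for root from 10.1.20.7 port 51023 ssh2",
    "<86>Mar  3 08:01:14 plc-line1 sshd[412]: Failed password for root from 10.1.20.7 port 51024 ssh2",
    "<86>Mar  3 08:01:20 plc-line1 sshd[413]: Accepted password for root from 10.1.20.7 port 51025 ssh2",
    "<13>Mar  3 08:02:00 hmi-02 control: setpoint changed tag=TT101 old=75.0 new=75.5 user=operator1",
    "<4>Mar  3 08:05:30 fw-edge kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.1.20.7 PROTO=TCP DPT=502",
    "garbled line that is not valid syslog and is kept raw for review",
]

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
ASSUMED_YEAR = 2024  # assumption: RFC 3164 timestamps carry no year, the collector supplies one


def normalize(line):
    """Normalize one syslog line into a uniform record; None if not RFC 3164."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "timestamp": ts.replace(year=ASSUMED_YEAR),
        "facility": pri // 8,   # e.g. 0 = kern, 1 = user, 10 = authpriv
        "severity": pri % 8,    # 0 = emergency ... 7 = debug (lower is worse)
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
        "raw": line,            # original text kept for raw-log review
    }


def ingest(lines):
    """Collection and storage: normalized events go to the indexed store;
    lines that fail to parse are kept separately so nothing is silently lost."""
    events, rejects = [], []
    for line in lines:
        rec = normalize(line)
        if rec is None:
            rejects.append(line)
        else:
            events.append(rec)
    return events, rejects


def search(events, host=None, tag=None, contains=None, max_severity=None):
    """Directed query over the normalized store; every filter is optional."""
    return [
        e for e in events
        if (host is None or e["host"] == host)
        and (tag is None or e["tag"] == tag)
        and (contains is None or contains in e["message"])
        and (max_severity is None or e["severity"] <= max_severity)
    ]


AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")


def correlate_brute_force(events, threshold=3, window_seconds=60):
    """Correlation rule: `threshold` SSH failures from one source against one
    host, followed by a success within `window_seconds`, raise one alert.
    No single entry says 'brute force'; the pattern across entries does."""
    failures = defaultdict(list)  # (host, source) -> failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        m = AUTH_RE.search(ev["message"]) if ev["tag"] == "sshd" else None
        if not m:
            continue
        outcome, user, src = m.groups()
        key = (ev["host"], src)
        if outcome == "Failed":
            failures[key].append(ev["timestamp"])
            continue
        recent = [t for t in failures[key]
                  if (ev["timestamp"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "host": ev["host"],
                           "source": src, "user": user, "failures": len(recent),
                           "at": ev["timestamp"].isoformat()})
    return alerts


def export_jsonl(records):
    """Output: one JSON object per line, a form a SIEM or ticketing system can consume."""
    return "\n".join(json.dumps(r, default=str, sort_keys=True) for r in records)


if __name__ == "__main__":
    events, rejects = ingest(SAMPLE_LINES)
    print(f"{len(events)} events normalized, {len(rejects)} raw line(s) kept")
    print(export_jsonl(correlate_brute_force(events)))
```

Run as a script, it reports six normalized events and one raw line, and prints a single alert for the source that failed three times and then succeeded on plc-line1. The `failures` threshold and window are the kind of site-specific tuning the article has in mind: a vendor-supplied rule cannot know how many retries an operator legitimately makes at a given panel.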
Log management is a best practice that is referenced by many ICS cybersecurity frameworks and regulations including, but not limited to, IEC62443, NERC CIP, NIST SP 800-82, and American Water Works Association Process Control Network Security Guidance. Even if you have not selected a cybersecurity framework to adopt or follow, you can still set up a centralized log repository and begin harvesting and analyzing log events. Log management can prove invaluable in helping you discover potential cyber events that can impact your industrial process.
Gabe Authier is a senior product manager at Tripwire, a leading provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies. He has over 15 years of experience in Product Management and Information Technology and is passionate about software development that brings solutions to the marketplace to solve customer problems. Gabe can be reached at gauthier@tripwire.com.