
Do we have logs for that?

When network traffic analysis falls short.

Authors: Nikolas Upanavage & Derek LaHousse

Background Photo by Unknown Author is licensed under Creative Commons.


Background

Level 4 – Public ©2023 Bechtel | 2


The Physical Process

Phase 1 – Fill & Mix

Phase 2 - Drain



The Control System and Lab Network



Challenge 1: Developing cyber attack



New Attack Scenario

Assumption: Adversary exfiltrated valid logic to craft malicious logic.

• USB inserted into Engineering Workstation.
• Script loads malicious logic.
• Control is manipulated to overflow a tank.


New Attack Scenario

Scenario Step | MITRE ATT&CK for ICS Techniques
USB inserted into Engineering Workstation | T0847 - Replication Through Removable Media; T0863 - User Execution; T0859 - Valid Accounts
Script loads malicious logic | T0807 - Command-Line Interface; T0853 - Scripting; T0843 - Program Download
Control is manipulated to overflow a tank | T0836 - Modify Parameter; T0831 - Manipulation of Control; T0879 - Damage to Property


How to detect this activity?

Log Remix by Arvin61r58 is licensed under Creative Commons.



Challenge 2: Getting Logs to a SIEM

This Photo by Unknown Author is licensed under Creative Commons. No alterations.



Challenge 2: Getting Logs to a SIEM

[Diagram: lab network architecture by Purdue level]
Level 4: Business (Site)
Level 3.5: DMZ
Level 3/2: Site/Local Supervisory
Level 1: Local Control
Level 0: Field Devices
Boundaries shown: IT Boundary, DCS Boundary
Components shown: Redundant Firewall, DCS Vendor Firewall, DCS Vendor Switches, Switch, Lab Switch, ACME Water Treatment SKID, Supervisory, Local Control, Engineering Workstation, Tag/Logic Database, Open Server, Malcolm, Splunk, DCS Controller, VM Host Server

Credit: Andy Robinson

https://github.com/aaOpenSource/aaLog


Visualizing the threats to the Physical Process



Link to Asset Performance Management (APM)



Key Takeaways

Operators:
• Being able to view all proprietary protocols in your system is not realistic in many cases due
to time/budget concerns
• Network indicators may be easy to access, but hard to analyze
• Host-based logs are a key data source and should be brought out to SIEM databases
• Ask vendors about logging capabilities (for all types of applications and systems)

Vendors:
• Get proactive about automating the export of process information and host-based indicators



Contributors

Demo Design Team:

Nikolas Upanavage
Derek LaHousse
Sonja Nguyen
Erika Poole
Ovi Hossain
Ben St. Amand



Thank you!
Any questions?

Contact Info:

Nikolas Upanavage – naupanav@bechtel.com


Derek LaHousse – dlahouss@bechtel.com
