Detection-In-Depth: Out of Band Monitoring for Critical Process Parameters-Gus Serino

In industrial processes, there are often a set of critical process parameters that are most fundamental to understand the functional status of the process. When considering the potential impacts of a malicious manipulation of the control system that includes the attacker masking their actions by altering process information being transmitted between the controller and the HMI, a possible mitigation is an “out-of-band” monitoring system to identify when the control system is misrepresenting critical process parameters to the operator. In this technique, a 4-20mA signal isolator is used to send a copy of the critical parameter directly from the instrument signal to a separate data logger, which then communicates that signal over independent telemetry to a Data Logger Server. The both the SCADA system and the Data Logger server send the value for the same instrument to the Historian. In the historian, a comparison of the two values for what should be the same signal can be performed so alerts on deviations can be initiated. This talk will cover that technique and then walk through a realistic attack scenario, in the context of the ICS Cyber Kill Chain, to present mechanisms to detect the attack with both traditional network and continuous security monitoring, as well as out-of-band process integrity checking. Then, response scenarios will be presented with and without this advanced detection technique to highlight the benefit of these monitoring techniques. View upcoming Summits: http://www.sans.org/u/DuS Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE