Do We Have Logs for That? When Network Traffic Analysis Falls Short

469 views

SANS ICS Security

1 year ago

SANS ICS Security Summit 2023
Do we have logs for that? When network traffic analysis falls short.
Speaker: Nikolas Upanavage, OT Cybersecurity Engineer, Bechtel Corporation
While developing a detection for a new cyber-attack scenario in Bechtel's OT Cybersecurity Technical Center (Lab), the team ran into a challenge that comes up constantly with Industrial Control Systems: proprietary protocols. Because of time constraints, several of the usual suggestions for approaching network traffic analysis of proprietary protocols were not feasible for the project. The team had to look for an alternative, which led to the question, "do we have logs for that?"
This presentation reviews the approach taken to detect the attack. The key metric needed was tracking logic downloads to a controller from a major Distributed Control System (DCS) vendor. Just as the communication between equipment used a proprietary protocol, the vendor's logs used a proprietary file format, so the team had to work out how to read that format, how to parse the logs, how to get the resulting data into a SIEM, and more. The presenter also discusses details of the attack used for the Lab's cyber demo, including its mapping to the MITRE ATT&CK framework.
The presentation draws on practical experience from both IT and OT security engineers in overcoming the challenges of systems that use proprietary protocols. Attendees will learn an approach that is not often discussed at ICS conferences and that can supplement network traffic analysis for a better security posture. Finally, during development of the detection, several other data points were found in the available logs that enriched the detection dashboards. The presenter highlights how these additional data points add context in the SIEM, allowing quicker decision-making during an incident response investigation.
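The abstract above describes the approach at a high level (parse a proprietary engineering-station log, pick out logic downloads to a controller, enrich them with other data points from the same log, and ship the result to a SIEM) without showing what that looks like in code. The following Python is an added example, not code from the talk or from Bechtel: the log format, event codes, station and controller names, and sample lines are all constructed for illustration and do not correspond to any real DCS vendor. What it does show is the shape of the detection: a tolerant parser, start/complete pairing per controller, enrichment from logon events, an out-of-hours flag, and one JSON record per download tagged with the ATT&CK for ICS technique for program download (T0843).

```python
"""Detect controller logic downloads in a hypothetical DCS engineering-station log.

The pipe-delimited format, event codes and sample lines below are constructed
for this example only; they are not any real vendor's log format.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample log (hypothetical format):
#   <timestamp>|<station>|<user>|<category>|<code>|<free text>
SAMPLE_LOG = """\
2023-05-14 09:12:01|ENG01|jsmith|AUTH|1001|Logon succeeded from 10.20.30.40
2023-05-14 09:13:45|ENG01|jsmith|PROJ|2205|Project REACTOR_A opened
2023-05-14 09:15:10|ENG01|jsmith|CTRL|3301|Download to controller CTL-07 started (blocks=42)
2023-05-14 09:15:52|ENG01|jsmith|CTRL|3302|Download to controller CTL-07 completed
2023-05-14 11:02:17|ENG02|svc_backup|AUTH|1001|Logon succeeded from 10.20.30.41
2023-05-14 23:47:03|ENG02|svc_backup|CTRL|3301|Download to controller CTL-07 started (blocks=42)
2023-05-14 23:47:40|ENG02|svc_backup|CTRL|3302|Download to controller CTL-07 completed
malformed line that the parser must skip rather than stall on
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<station>[^|]+)\|(?P<user>[^|]+)"
    r"\|(?P<category>[^|]+)\|(?P<code>\d+)\|(?P<msg>.*)$"
)
CTRL_RE = re.compile(r"controller (?P<controller>[A-Z]+-\d+)")

# Hypothetical event codes for the constructed format.
LOGON_OK, DOWNLOAD_START, DOWNLOAD_DONE = "1001", "3301", "3302"


@dataclass
class LogEvent:
    ts: datetime
    station: str
    user: str
    category: str
    code: str
    msg: str


def parse_log(text: str) -> List[LogEvent]:
    """Parse every line that matches the format; silently skip the rest."""
    events: List[LogEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # one bad line must not break ingestion of the rest
        d = m.groupdict()
        ts = datetime.strptime(d.pop("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append(LogEvent(ts=ts, **d))
    return events


def detect_logic_downloads(events: List[LogEvent], business_hours: Tuple[int, int] = (7, 18)) -> List[dict]:
    """Pair download start/complete per controller and emit one record per download.

    Enrichment from the same log: the source IP of the user's last logon on that
    station, the download duration, and whether it completed outside business hours.
    """
    last_logon: Dict[Tuple[str, str], str] = {}   # (station, user) -> source IP
    pending: Dict[str, LogEvent] = {}              # controller -> start event
    records: List[dict] = []
    for ev in events:
        if ev.code == LOGON_OK:
            last_logon[(ev.station, ev.user)] = ev.msg.rsplit(" ", 1)[-1]
        elif ev.code == DOWNLOAD_START:
            m = CTRL_RE.search(ev.msg)
            if m:
                pending[m.group("controller")] = ev
        elif ev.code == DOWNLOAD_DONE:
            m = CTRL_RE.search(ev.msg)
            if not m:
                continue
            ctl = m.group("controller")
            start: Optional[LogEvent] = pending.pop(ctl, None)
            out_of_hours = not (business_hours[0] <= ev.ts.hour < business_hours[1])
            records.append({
                "event": "controller_logic_download",
                "controller": ctl,
                "station": ev.station,
                "user": ev.user,
                "source_ip": last_logon.get((ev.station, ev.user)),
                "started": start.ts.isoformat() if start else None,
                "completed": ev.ts.isoformat(),
                "duration_s": (ev.ts - start.ts).total_seconds() if start else None,
                "out_of_hours": out_of_hours,
                "attack_ics": ["T0843"],   # ATT&CK for ICS: Program Download
                "severity": "high" if out_of_hours else "medium",
            })
    return records


def to_siem_lines(records: List[dict]) -> List[str]:
    """One JSON object per line, the form most SIEM collectors accept over syslog or HTTP."""
    return [json.dumps(r, sort_keys=True) for r in records]


if __name__ == "__main__":
    for line in to_siem_lines(detect_logic_downloads(parse_log(SAMPLE_LOG))):
        print(line)
```

The two downloads to CTL-07 produce two records; the second, completed at 23:47 by a service account, is flagged out of hours and rated high. The source IP comes from an unrelated logon event in the same log, which is the kind of "additional data point" the abstract says enriched the dashboards. In practice the format, codes and thresholds would come from the vendor's documentation and the site's own baseline.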
View upcoming Summits: www.sans.org/u/DuS

Comments: 1
@unominous4759, 1 year ago
How did this show up in my subscription feed?