The Radiflow Security Blog
Ilan Barda, CEO, Radiflow
A couple of weeks ago I had the pleasure of presenting at the Copa-Data zenonIZE conference. My presentation focused on the analysis of gaps and mitigations for IEC62443 compliance in OT networks. Here are the highlights.
In today’s industrial environments, it is essential to streamline the flow of security alerts between the security system (IDS) and both the operations personnel and IT professionals, for better security as well as better implementation of risk mitigation approaches.
The IEC 62443 standard for Security of Industrial Automation and Control Systems (IACSs) outlines the process of mapping system assets and partitions as part of the OT cyber risk assessment process, which eventually results in risk scoring and drafting requirements for implementing security controls.
Zone & Conduit Requirements (ZCRs) as prescribed in IEC62443
The IDS-SCADA integration
In typical deployments, an Industrial Threat Detection system such as the Radiflow iSID is used for passively monitoring the OT network; mapping networked assets, links and vulnerabilities; and detecting and alerting on anomalies.
The IEC62443 standard emphasizes the need for a central, auditable mechanism for distributing event and alert information to stakeholders (IEC 62443-3-3).
Typically, an organization’s cyber security tools report to SIEM platforms used by SOC analysts. However, in industrial enterprises this might not be sufficient due to the lack of OT know-how among the SOC team.
At the zenonIZE conference we introduced a unique integration with the Copa-Data zenon SCADA system:
- iSID receives asset information from zenon for improving risk scoring
- zenon presents cyber security alerts for every asset from iSID in parallel to the alerts sent to the SIEM at the SOC
I found that the best way to present the value of this integration is by walking through the life-cycle of the NIST cyber-security framework:
The NIST Framework Threat Handling Lifecycle
- Identify Phase: in this phase iSID learns the network assets and uses the additional inventory information received from zenon to enhance its asset information and improve iSID’s cyber risk scoring
- Detect Phase: iSID’s alert severities are fine-tuned according to the operational value of the assets as defined in the zenon platform
- Respond Phase: iSID sends alerts to both the SIEM and the zenon SCADA system, providing the Ops team with a unified view of Ops & Cyber alerts in zenon. This enables the Ops team to work effectively with the SOC team during the incident response process
- Recover Phase: advise Ops on affected assets for recovery
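The four phases above can be walked through in code. The following is an added example, not Radiflow's or Copa-Data's software: it merges a passively learned asset list with a SCADA inventory (Identify), scales a base alert severity by the asset's operational value (Detect), fans each alert out into a SIEM record and a SCADA dashboard record (Respond), and lists the SCADA tags worth checking afterwards (Recover). The asset records, alert records, severity multipliers and the 1-10 severity scale are all constructed assumptions.

```python
"""Added example (not Radiflow's or Copa-Data's code): an IDS alert walked through the
NIST lifecycle using asset information received from a SCADA inventory.
Asset records, alert records and scoring rules below are constructed assumptions."""

# Constructed inventory as an IDS would learn it passively from traffic (Identify phase).
DISCOVERED_ASSETS = {
    "10.0.1.10": {"vendor": "PLC-vendor-X", "protocols": ["modbus"]},
    "10.0.1.11": {"vendor": "PLC-vendor-X", "protocols": ["modbus"]},
    "10.0.1.50": {"vendor": "HMI-vendor-Y", "protocols": ["http"]},
}

# Constructed inventory as a SCADA system might export it: a tag and operational value per asset.
SCADA_INVENTORY = {
    "10.0.1.10": {"tag": "PUMP_STATION_A", "operational_value": "critical"},
    "10.0.1.11": {"tag": "PUMP_STATION_B", "operational_value": "high"},
    "10.0.1.50": {"tag": "HMI_LINE_2", "operational_value": "medium"},
}

# Assumed multipliers: alert severity scales with the asset's operational value.
VALUE_WEIGHT = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}


def merge_inventory(discovered, scada):
    """Identify: enrich passively learned assets with the SCADA's tag and operational value."""
    merged = {}
    for ip, info in discovered.items():
        record = dict(info)
        extra = scada.get(ip, {})
        record["tag"] = extra.get("tag", "UNKNOWN")
        # Assets the SCADA does not know about default to "low" operational value (assumption).
        record["operational_value"] = extra.get("operational_value", "low")
        merged[ip] = record
    return merged


def score_alert(base_severity, asset):
    """Detect: fine-tune the IDS's base severity (1-10) by the asset's operational value, capped at 10."""
    weight = VALUE_WEIGHT[asset["operational_value"]]
    return min(10, round(base_severity * weight))


def route_alert(alert, assets):
    """Respond: build the two records an alert fans out to, one for the SIEM and one for the SCADA dashboard."""
    asset = assets[alert["asset_ip"]]
    severity = score_alert(alert["base_severity"], asset)
    siem_record = {"dest": "siem", "src": alert["asset_ip"], "rule": alert["rule"], "severity": severity}
    scada_record = {"dest": "scada", "tag": asset["tag"], "category": "Cyber Alert", "severity": severity}
    return siem_record, scada_record


def affected_assets(alerts, assets, min_severity=7):
    """Recover: list the SCADA tags the Ops team should check, highest severity first."""
    hits = {}
    for alert in alerts:
        asset = assets[alert["asset_ip"]]
        sev = score_alert(alert["base_severity"], asset)
        if sev >= min_severity:
            hits[asset["tag"]] = max(sev, hits.get(asset["tag"], 0))
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed alerts as the IDS might raise them (base severity before asset weighting).
ALERTS = [
    {"asset_ip": "10.0.1.10", "rule": "unexpected Modbus write", "base_severity": 4},
    {"asset_ip": "10.0.1.50", "rule": "new TCP service", "base_severity": 4},
    {"asset_ip": "10.0.1.11", "rule": "firmware upload outside maintenance window", "base_severity": 6},
]

if __name__ == "__main__":
    assets = merge_inventory(DISCOVERED_ASSETS, SCADA_INVENTORY)
    for alert in ALERTS:
        print(route_alert(alert, assets))
    print(affected_assets(ALERTS, assets))
```

Note that the same base severity (4) lands at 8 on the critical pump controller and stays at 4 on the medium-value HMI: the operational value supplied by the SCADA, not the IDS rule alone, decides what the Ops team sees first.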
The IDS-SCADA interface
The iSID software interfaces with the SCADA server using either industrial protocols (e.g. Modbus, DNP3) or REST API:
- Both the MODBUS and the DNP3 interfaces are natively supported by today’s SCADA systems, making the use of industrial protocols a fast and easy solution.
- REST API allows for bi-directional interfacing: iSID feeds alerts to the SCADA server, and at the same time the SCADA software provides asset information to the iSID
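To show what "natively supported" means on the wire, here is an added example (not Radiflow's or Copa-Data's code) that packs one cyber alert into a handful of Modbus holding registers and wraps them in a standard Modbus/TCP "Write Multiple Registers" (function code 16) request, the kind of frame a SCADA server already knows how to receive and display as a tag. The parser is the SCADA-side view of the same frame. The register layout, base address and category codes are assumptions; the MBAP header and FC16 PDU format are the standard ones.

```python
"""Added example (not Radiflow's or Copa-Data's code): encoding an IDS cyber alert into
Modbus holding registers so a SCADA server can handle it like any other tag.
Register layout and category codes are assumptions; the Modbus/TCP framing is standard."""
import struct

# Assumed register layout at a base address the SCADA is configured to read:
#   reg 0: alert sequence number   reg 1: severity (1-10)
#   reg 2: alert category code     reg 3-4: asset IPv4 address (two 16-bit halves)
ALERT_BASE_ADDRESS = 100
CATEGORY_CODES = {"unexpected_write": 1, "new_service": 2, "firmware_upload": 3}


def ip_to_registers(ip):
    """Split a dotted IPv4 address into two 16-bit register values."""
    a, b, c, d = (int(x) for x in ip.split("."))
    if not all(0 <= x <= 255 for x in (a, b, c, d)):
        raise ValueError("invalid IPv4 address")
    return [(a << 8) | b, (c << 8) | d]


def alert_to_registers(seq, severity, category, asset_ip):
    """Map one alert to the five register values of the assumed layout."""
    if not 1 <= severity <= 10:
        raise ValueError("severity out of range")
    return [seq & 0xFFFF, severity, CATEGORY_CODES[category]] + ip_to_registers(asset_ip)


def build_write_registers_frame(transaction_id, unit_id, start_address, registers):
    """Build a Modbus/TCP 'Write Multiple Registers' (FC 16) request: MBAP header + PDU."""
    byte_count = 2 * len(registers)
    pdu = struct.pack(">BHHB", 0x10, start_address, len(registers), byte_count)
    pdu += struct.pack(">%dH" % len(registers), *registers)
    # MBAP length field counts the unit id plus the PDU that follows it.
    mbap = struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id)
    return mbap + pdu


def parse_write_registers_frame(frame):
    """Decode an FC 16 request (the SCADA-side view); rejects frames whose lengths do not agree."""
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc, start, qty, byte_count = struct.unpack(">BHHB", frame[7:13])
    if fc != 0x10 or byte_count != 2 * qty or len(frame) != 13 + byte_count:
        raise ValueError("malformed FC16 PDU")
    registers = list(struct.unpack(">%dH" % qty, frame[13:]))
    return {"transaction_id": transaction_id, "unit_id": unit_id, "start": start, "registers": registers}


def registers_to_alert(registers):
    """Reverse of alert_to_registers, so the SCADA can label the tag it received."""
    seq, severity, cat_code, ip_hi, ip_lo = registers
    category = next(name for name, code in CATEGORY_CODES.items() if code == cat_code)
    ip = "%d.%d.%d.%d" % (ip_hi >> 8, ip_hi & 0xFF, ip_lo >> 8, ip_lo & 0xFF)
    return {"seq": seq, "severity": severity, "category": category, "asset_ip": ip}


if __name__ == "__main__":
    regs = alert_to_registers(7, 8, "unexpected_write", "10.0.1.10")
    frame = build_write_registers_frame(1, 1, ALERT_BASE_ADDRESS, regs)
    print(frame.hex())
    print(registers_to_alert(parse_write_registers_frame(frame)["registers"]))
```

The length checks in the parser are the part worth keeping: a SCADA endpoint that accepts whatever the IDS writes should still verify that the MBAP length, the byte count and the register quantity agree before it updates a tag, since the same register block could be written by anything else on the OT network. A REST integration carries the same fields as a JSON document and adds the reverse direction, asset information flowing back to the IDS.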
By connecting the SCADA system to the IDS, the operator can add a color-coded (e.g. blue) “Cyber Alerts” indicator to the SCADA event management dashboard, so that cyber alerts appear alongside all other production alerts for easy correlation.
In industrial enterprises the OT IDS should interface with both the SIEM at the SOC and the SCADA server at the production control center. This dual reporting facilitates the sharing of event handling responsibilities among the SOC and OT teams.