In Digital Bond's Portaledge project we are writing ACE modules that use PI to detect cyber attacks. This turns the PI Server into a Security Event Manager product specifically for control systems. Security events from a wide variety of control system and IT sources, including firewalls, operating systems, applications, IDS, and field devices, are aggregated in the PI Server using a variety of PI interfaces. Correlation rules are written in ACE modules to detect events in a variety of event classes, such as availability, reconnaissance, exploits, and process manipulation. These event-class events are then correlated into meta events. The correlated results are output to a security dashboard in the form of a series of DataLink displays. In this presentation we will discuss the technical approach, provide examples of the detection, and discuss how an asset owner would deploy this solution in their system.
Dale Peterson leads the control system security practice at Digital Bond. He has 25 years of experience in security, beginning as a cryptanalyst at the US National Security Agency (NSA). His SCADA security blog is the most read source of control system security information on the Internet.