Critical Infrastructure Protection using Asset Management Tool & SOC
Securing critical infrastructure via AMT & Security Operations Center (SOC).
Brief Description
Critical infrastructure is a key asset in the development of a nation. In pursuit of efficiency and improvement, its connectivity to the internet has also increased. As connectivity grows and utility industries converge on the internet, the attack surface grows with it. In recognition of these trends and potential threats, this project focuses on developing a framework for critical infrastructure protection (CIP) consisting of two modules, namely an Asset Management Tool and a Security Operations Centre.
The Asset Management Tool provides non-intrusive, real-time inventory and monitoring of Industrial Control System (ICS) networks. It lets asset owners leverage their existing ICS and network infrastructure and investments to gain operational, compliance, asset inventory, network and cyber security benefits.
The Security Operations Center (SOC) covers the incident detection and security incident response process: it finds anomalies in the environment and reduces the response time for security incidents, from initial finding through tracking to reporting.
Asset Management Tool or SCADA NetrA-AMS:
Asset Management Tool (AMT) is used for inventory of assets and monitoring in ICS networks in a non-intrusive manner in real time. It provides asset owners the ability to leverage their existing ICS network infrastructure. It helps in gaining operational, compliance, asset inventory and cyber security benefits.
The Asset Management Tool is designed not to impact the underlying OT systems: it adopts passive (non-intrusive) scanning of the devices to maintain the inventory. Where active scanning is used, only vendor-approved commands are issued. With all network traffic being captured, the solution leverages its deep packet inspection and deep content inspection capabilities to parse the industrial protocols in use.
The tool runs in one of two modes: baseline or operational.
SCADA-NetrA works by
Capturing available information from a network switch in passive mode.
Detecting the devices available in the network, including the hardware, the software, the protocols used in the network and their properties.
Capturing the statistics of each protocol, such as baud rate, function codes, incoming and outgoing traffic flow rates, and the sensor and actuator addresses used.
Capturing the properties of the devices. This inventory is useful in operational mode as well as for baselining.
Detecting anomalies using either of two approaches: baseline-based and behaviour-based.
Finding the vulnerabilities of the devices.
Detecting protocol anomalies.
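The following passive Modbus/TCP monitor is an added illustration of the baseline/operational workflow described above; it is example code written for this page, not SCADA-NetrA's own implementation. It parses mirrored frames without ever transmitting, records unit ids and function-code statistics while baselining, and in operational mode flags unknown devices, (client, server, unit, function code) combinations never seen during baselining, and malformed frames. The host addresses and traffic are constructed.

```python
import struct
from collections import Counter, defaultdict

def modbus_request(tid, unit, fc, addr, qty):
    """Build a Modbus/TCP request: MBAP header (tid, proto id 0, length, unit id) + PDU."""
    pdu = struct.pack(">BHH", fc, addr, qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus(payload):
    """Parse a Modbus/TCP request frame; returns None when the frame is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None  # protocol anomaly: wrong protocol id or inconsistent length field
    addr = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return {"unit": unit, "fc": payload[7], "addr": addr}

class PassiveMonitor:
    """Learns (client, server, unit id, function code) tuples from mirrored traffic in
    baseline mode and reports deviations in operational mode; nothing is sent on the wire."""

    def __init__(self):
        self.mode = "baseline"
        self.baseline = set()
        self.assets = defaultdict(set)  # server ip -> unit ids seen while baselining
        self.fc_stats = Counter()       # (server ip, function code) -> request count

    def observe(self, src, dst, payload):
        rec = parse_modbus(payload)
        if rec is None:
            return f"protocol anomaly: malformed Modbus/TCP frame from {src} to {dst}"
        key = (src, dst, rec["unit"], rec["fc"])
        self.fc_stats[(dst, rec["fc"])] += 1
        if self.mode == "baseline":
            self.assets[dst].add(rec["unit"])
            self.baseline.add(key)
            return None
        if dst not in self.assets:
            return f"new device: {dst} is not in the baseline inventory"
        if key not in self.baseline:
            return (f"baseline anomaly: {src} -> {dst} unit {rec['unit']} function code "
                    f"{rec['fc']} (address {rec['addr']}) was never seen while baselining")
        return None
```

Feed `observe()` one frame at a time from a capture on the mirrored port; switch `mode` to "operational" once the baseline window is over.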
Security Operations Center:
The SOC primarily focuses on protecting critical infrastructure such as power system utilities or any other ICS. An OT (Operational Technology) Security Operations Center is designed to monitor, detect and respond to cybersecurity threats targeting critical infrastructure and industrial systems. It focuses on safeguarding assets such as SCADA systems, programmable logic controllers (PLCs) and remote terminal units (RTUs) against cyberattacks, ensuring operational continuity and safety. The OT SOC integrates real-time monitoring, anomaly detection and incident response tailored to OT environments. It provides unified OT and IT device security monitoring, adhering to the NIST Cybersecurity Framework and following the Purdue Model.
OT-SOC works by
Collecting logs in varied formats from sources such as IT and OT devices, IDS/IPS, firewalls and network components, supplemented by expert knowledge, past experience and data generated by the assets.
Parsing and normalizing the collected data for analysis.
Converting log data into events and performing security event correlation within a context, by finding relationships between disparate events received from various sources, and finally identifying incidents. This is driven by correlation rules that are pre-configured in the security information and event management (SIEM) tool and can also be custom-made for a given use case or feature.
Integrating a SIEM tool to generate and provide alerts, events and incidents to the incident management system.
Integrating an incident management system, providing features such as classification and triage of alerts, management of alerts, detection of anomalies and proactive monitoring of alerts.
Presenting generated incidents, anomalies and events to SOC analysts through dashboards.
Providing incident metrics and playbooks, along with visualization, to SOC analysts.
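As an added example of the collect, normalize and correlate steps above (written for this page; not the project's own SIEM rules or parsers), the code below maps two unrelated log formats, an iptables-style firewall syslog line and a CSV alert from an OT IDS, onto one event schema and then applies a single correlation rule that raises a host/port scan incident when one source reaches several distinct ports on one host within a short window, regardless of which log source reported each attempt. All log lines, host names and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (made up for this example): firewall syslog lines and OT IDS CSV alerts.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw01 kernel: DROP IN=eth1 SRC=10.0.0.99 DST=10.0.0.21 PROTO=TCP DPT=22",
    "2024-05-01T10:00:02 fw01 kernel: DROP IN=eth1 SRC=10.0.0.99 DST=10.0.0.21 PROTO=TCP DPT=23",
    "2024-05-01T10:00:02 fw01 kernel: DROP IN=eth1 SRC=10.0.0.99 DST=10.0.0.21 PROTO=TCP DPT=80",
    "2024-05-01T10:00:03 fw01 kernel: DROP IN=eth1 SRC=10.0.0.99 DST=10.0.0.21 PROTO=TCP DPT=443",
    "2024-05-01 10:00:03,ics-ids,10.0.0.99,10.0.0.21,502,modbus,connection attempt",
    "2024-05-01 10:00:04,ics-ids,10.0.0.10,10.0.0.21,502,modbus,read holding registers",
]
FW_RE = re.compile(r"^(\S+) (\S+) kernel: (\w+) .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")

def normalize(line):
    """Map a raw line from either source onto one common event schema (None if unknown)."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": host, "src": src,
                "dst": dst, "dport": int(dport), "msg": action}
    parts = line.split(",")
    if len(parts) == 7:
        ts, host, src, dst, dport, proto, msg = parts
        return {"ts": datetime.fromisoformat(ts), "source": host, "src": src,
                "dst": dst, "dport": int(dport), "msg": f"{proto}: {msg}"}
    return None

def correlate_port_scan(events, min_ports=4, window=timedelta(seconds=10)):
    """Correlation rule: one source reaching >= min_ports distinct ports on one host
    within the window, counting evidence from every log source together."""
    recent = defaultdict(list)  # (src, dst) -> [(ts, dport, log source), ...]
    incidents = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        recent[key] = [r for r in recent[key] if ev["ts"] - r[0] <= window]
        recent[key].append((ev["ts"], ev["dport"], ev["source"]))
        ports = {p for _, p, _ in recent[key]}
        if len(ports) >= min_ports:
            incidents[key] = {"type": "port scan", "src": key[0], "dst": key[1],
                              "ports": sorted(ports), "first": recent[key][0][0],
                              "last": ev["ts"], "sources": sorted({s for _, _, s in recent[key]})}
    return list(incidents.values())

def run(lines):
    """Normalize raw lines, drop what no parser understands, then apply the rule."""
    events = [e for e in map(normalize, lines) if e]
    return correlate_port_scan(events)
```

The resulting incident carries both log sources, which is the cross-source relationship the correlation step is meant to surface; the thresholds are assumptions to be tuned per site.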
Use Cases
AMT:
Device discovery, identification, monitoring and management
Identifying the protocols used for communication between devices
Anomaly detection: protocol, baseline and behavioural
Asset verification and auditing
Offline network security analysis of OT systems (OT PCAP Analyzer)
SOC:
Real-time threat detection, such as detecting host scanning or port scanning in the network
OT-specific protocol anomaly detection (Modbus, IEC-104)
Behavioural anomaly detection on OT systems
Coordinating incident response with security stakeholders
Configuration monitoring for OT devices
Salient Features
AMT:
Cyber Assets Discovery & Identification
Hybrid scanning - combination of active (select probing) and passive scanning
Identifying protocols used for communication between devices
Creating baseline of the system
Inventory of Authorized and Unauthorized Devices
Inventory of software
Mapping the asset properties against Common Vulnerabilities and Exposures (CVE) entries and the National Vulnerability Database (NVD)
Continuous monitoring of the Industrial Control System (ICS) network to detect vulnerabilities
Device monitoring and management
Dynamic network map showing devices and their communication patterns
Identification of anomalies in the network
SOC:
Real-time monitoring of IT & OT endpoints
Asset discovery & management
Log aggregation from diverse sources such as Windows and Linux machines, servers, networking devices (routers, switches, etc.) and OT devices (RTUs, MTUs, PLCs, etc.)
Traffic analysis at the system, protocol and behavioural levels
Scanning of assets for vulnerabilities for better risk management and mitigation
Support for industrial protocol anomaly detection (e.g. Modbus, IEC 60870-5-104)
Security information and event management (SIEM)
Incident triage & prioritization
Customizable log management
Threat Intelligence feed connections
Technical Specifications
AMT:
Operational Specification
AMT sensors run on a single-board computer; it is assumed that field personnel will provide a mirrored port so that the sensor can sniff the traffic.
Provision for the tool configuration required for deployment on the AMT server
System Specification
AMT Sensors
Minimal configuration required for AMT sensor
SBC with quad-core 64-bit SoC @ 1.5 GHz
8 GB RAM and Gigabit Ethernet
64 GB storage
AMT Server
Minimal configuration required for AMT Server
Number of cores: 16
Processor: 2.9 GHz
RAM: 256 GB DDR4 SDRAM
Hard disk: 20 TB HDD
SOC:
Basic Architecture
Redundant systems for high availability.
Centralized monitoring consoles with distributed data collectors or sensors in the OT environment.
Monitoring & Detection
Real-time monitoring of SCADA networks and endpoints.
Protocol-aware intrusion detection systems (IDS) for OT-specific protocols (e.g., Modbus, IEC-104).
Anomaly detection systems utilizing machine learning or baselines for OT traffic.
Integration
Compatibility with OT devices, including legacy systems.
Integration with Security Information and Event Management (SIEM) systems and other SOCs.
Incident Response
OT-IT combined incident handling
Threat Intelligence
Subscription to third party threat intelligence feeds.
Compliance & Standards
Adherence to the NIST Cybersecurity Framework.
Resilience & Redundancy
Log data retention according to requirements.
Backup and recovery mechanisms.
Fail-safe and failover configurations to maintain operations during attacks.
Chief Investigator Details
Name : R K Senthil Kumar
E-mail Id : senthil@cdac.in