Detection and Analysis of Threats to the Energy Sector (DATES)
The overall objective of the Detection and Analysis of Threats to the Energy Sector (DATES) project was a breakthrough integrated capability in detection, security event monitoring, and large-scale threat analysis to effectively defend against cyber attacks targeted at digital control systems in the energy sector, as called for in the Energy Sector Roadmap. The project was sponsored by the National Energy Technology Laboratory of the U.S. Department of Energy. Our partners were ArcSight (security incident event monitoring) and Sandia National Laboratories (architecture analysis, and test and evaluation).
DATES is a detection and security information and event management (SIEM) solution enabling asset owners to protect their energy control systems at the network, host, and device levels from cyber attacks. DATES complements traditional, signature-based detection with multiple detection algorithms, including model-based and flow anomaly detection and cross-site attack correlation. The DATES detection and SIEM solution provides succinct and intuitive attack visualization, with attacks prioritized according to their impact on critical cyber assets and their crossing of network zone boundaries. This extends an asset owner’s situational awareness beyond simple event detection and log management.
- Enhances attack detection using protocol analysis and probabilistic (Bayes) detection capabilities
- Provides model-based and anomaly detection for identifying new, zero-day attacks
- Prioritizes and visualizes attacks, particularly attacks that escalate in criticality and/or cross control systems network zone boundaries
- Enhances situational awareness levels compared to simple event detection and log management
- Interfaces passively to the monitored network, minimizing interference to the critical functions of the control systems
The DATES monitoring platform uses multiple algorithms to examine packet headers, including a Snort sensor enhanced with a SCADA-aware rule set, stateful protocol analysis, and a Bayes component. Such a combination of model-based detection with anomaly detection leverages the unique traffic characteristics of energy control systems to detect zero-day attacks that violate these characteristics. The model-based capability lets the user configure the detection system for valid connection patterns. DATES will detect patterns violating the model-generated specification, such as attacks that alter the connectivity and traffic flows in the users’ control systems.
DATES also supports multiple monitoring interfaces, providing the security operator an actionable view of potentially correlated and escalating attacks throughout different parts of the control systems environment.
DATES was developed as an intrusion detection system that alerts operators, but does not perform intrusion prevention, because of the critical nature of energy control systems and the potential for attackers to harness automated responses to inflict denial-of-service attacks. As a detection system, DATES provides the security administrator with root cause information to allow a quick and adequate human reaction to detected events.
The project team developed the multi-algorithm detection capability, including the model-based and flow anomaly detection capability and SIEM correlation scripts. The correlation scripts comprehend asset criticality, network zones, and alert incident class, enabling correlation and prioritization of an attack that escalates and crosses to higher criticality zones.
The scripts are currently specific to the ArcSight SIEM platform; however, they can be tailored for other SIEM solutions or event-consuming components. To test and validate DATES, the team developed testing environments at both SRI and Sandia, and conducted demonstrations of the visualization of critical and escalating attacks.
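To make the two ideas above concrete, the following added example (not DATES project code, and not tied to the ArcSight scripts) shows a minimal model-based connectivity check of the kind described earlier, followed by a correlation step that raises the priority of alerts that cross into, or escalate toward, higher-criticality zones. The zone layout, criticality values, allowed-connection model and sample flows are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed connectivity model: (src_zone, dst_zone, dst_port) triples the
# asset owner declares valid. Any flow outside this set violates the model.
ALLOWED = {("hmi", "control", 502), ("hmi", "control", 20000), ("historian", "control", 502)}
# Constructed zone criticality; higher means more critical cyber assets.
CRITICALITY = {"corporate": 1, "dmz": 2, "historian": 3, "hmi": 3, "control": 4}
# Constructed address-prefix to zone mapping.
ZONES = {"10.1.": "corporate", "10.2.": "dmz", "10.3.": "hmi", "10.4.": "control"}

def zone_of(ip: str) -> str:
    return next((z for p, z in ZONES.items() if ip.startswith(p)), "unknown")

@dataclass
class Alert:
    src: str
    dst: str
    port: int
    reason: str
    priority: int
    escalated: bool = False

def check_flow(src: str, dst: str, port: int):
    """Model-based check: return an Alert if the flow is outside the model, else None."""
    sz, dz = zone_of(src), zone_of(dst)
    if (sz, dz, port) in ALLOWED:
        return None
    up = max(CRITICALITY.get(dz, 0) - CRITICALITY.get(sz, 0), 0)
    # Priority: destination criticality plus a bump for crossing into a more critical zone.
    return Alert(src, dst, port, f"{sz}->{dz}:{port} not in model", CRITICALITY.get(dz, 0) + up)

def correlate(flows):
    """Correlate alerts per source in arrival order; mark and bump those that reach a
    higher-criticality zone than the same source reached before. Highest priority first."""
    reached: dict = {}
    alerts = []
    for src, dst, port in flows:
        a = check_flow(src, dst, port)
        if a is None:
            continue
        crit = CRITICALITY.get(zone_of(dst), 0)
        if src in reached and crit > reached[src]:
            a.escalated, a.priority = True, a.priority + 1
        reached[src] = max(reached.get(src, 0), crit)
        alerts.append(a)
    return sorted(alerts, key=lambda a: a.priority, reverse=True)

# Constructed sample flows (src, dst, dst_port) in arrival order.
FLOWS = [("10.3.0.5", "10.4.0.10", 502),    # HMI -> control, Modbus: in the model
         ("10.1.0.7", "10.2.0.3", 80),      # corporate -> DMZ: not in the model
         ("10.1.0.7", "10.3.0.5", 3389),    # same source reaches the HMI zone: escalation
         ("10.1.0.7", "10.4.0.10", 502)]    # same source reaches the control zone: escalation

if __name__ == "__main__":
    for a in correlate(FLOWS):
        print(f"P{a.priority} {'ESC ' if a.escalated else ''}{a.src}->{a.dst}:{a.port} {a.reason}")
```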
We demonstrated part of the DATES system at DistribuTech 2010. http://www.csl.sri.com/projects/dates/distributech.html contains a short movie from this demo.