Detection and Analysis of Threats to the Energy Sector
DATES is a detection and security information and event management (SIEM) solution that enables asset owners to protect their energy control systems from cyber attacks at the network, host, and device levels. DATES complements traditional, signature-based detection with multiple detection algorithms, including model-based and flow anomaly detection and cross-site attack correlation. The DATES detection and SIEM solution provides succinct and intuitive attack visualization, with attacks prioritized by their impact on critical cyber assets and by network zone crossings. This extends an asset owner’s situational awareness beyond simple event detection and log management.
The DATES monitoring platform uses multiple detection components to examine packet headers: a Snort sensor enhanced with a SCADA-aware rule set, stateful protocol analysis, and a Bayesian component. Combining model-based detection with anomaly detection leverages the unique traffic characteristics of energy control systems to detect zero-day attacks that violate those characteristics. The model-based capability lets the user configure the detection system with the valid connection patterns for their environment. DATES then detects traffic that violates the model-generated specification, such as attacks that alter the connectivity and traffic flows in the users’ control systems.
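To make the model-based idea concrete, here is an added example (not DATES code): an operator-configured model of valid connection patterns, a check that flags flows violating it, and a priority that ranks violations by zone crossing and by whether they reach a critical asset. Host addresses, zone names, the flow records and the pattern tuple layout are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
# Constructed zone map (hypothetical addresses): host -> network zone.
ZONES = {
    "10.1.0.5": "control",    # HMI
    "10.1.0.10": "control",   # historian
    "10.2.0.20": "field",     # PLC, Modbus/TCP server
    "10.9.0.7": "corporate",  # engineering laptop
}
CRITICAL_ASSETS = {"10.2.0.20"}
# Operator-configured model of valid connection patterns, keyed as
# (src, dst, proto, dst_port). Any flow not listed violates the model.
VALID_PATTERNS = {
    ("10.1.0.5", "10.2.0.20", "tcp", 502),   # HMI polls PLC over Modbus/TCP
    ("10.1.0.10", "10.2.0.20", "tcp", 502),  # historian reads PLC
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int

def violates_model(flow, valid=VALID_PATTERNS):
    """True if the flow does not match the model of valid connection patterns."""
    return (flow.src, flow.dst, flow.proto, flow.dst_port) not in valid

def priority(flow, zones=ZONES, critical=CRITICAL_ASSETS):
    """0 = conforms; 1 = deviation inside one zone; 2 = unexpected zone
    crossing; 3 = zone crossing into a critical asset. Hosts missing from the
    zone map count as a crossing, so an unmapped device is never downgraded."""
    if not violates_model(flow):
        return 0
    src_zone, dst_zone = zones.get(flow.src), zones.get(flow.dst)
    if src_zone is not None and src_zone == dst_zone:
        return 1
    return 3 if flow.dst in critical else 2

def analyze(flows):
    """Return violating flows as (priority, flow), highest priority first."""
    alerts = [(priority(f), f) for f in flows]
    return sorted([a for a in alerts if a[0] > 0], key=lambda a: -a[0])

# Constructed sample flow records, as would be summarised from packet headers.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.2.0.20", "tcp", 502),   # normal HMI poll: conforms
    Flow("10.9.0.7", "10.2.0.20", "tcp", 502),   # laptop speaks Modbus to PLC
    Flow("10.1.0.10", "10.1.0.5", "tcp", 445),   # historian -> HMI over SMB
    Flow("10.2.0.20", "10.9.0.7", "tcp", 443),   # PLC opens outbound HTTPS
    Flow("10.1.0.5", "10.2.0.20", "tcp", 23),    # HMI -> PLC on the telnet port
]
```

Running `analyze(SAMPLE_FLOWS)` ranks the two flows that reach the PLC from outside the field zone first, the PLC's unexpected outbound connection second, and the same-zone deviation last; the first flow conforms and produces no alert.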
DATES also supports multiple monitoring interfaces, providing the security operator an actionable view of potentially correlated and escalating attacks throughout different parts of the control systems environment.