NIST NCCoE has released "NISTIR 8219 Manufacturing Industrial Control Systems: Behavioral Anomaly Detection"
Hello, this is Maruyama Mitsuhiko (丸山満彦).
NIST NCCoE has released "NISTIR 8219 Manufacturing Industrial Control Systems: Behavioral Anomaly Detection"...
● NIST NCCoE
・2020.07.16 NCCoE Announces Final NISTIR 8219 for Manufacturers
・[PDF] Securing Manufacturing Industrial Control Systems : Behavioral Anomaly Detection
A quick taste of the summary
- It demonstrates mechanisms for detecting and preventing anomalous behavior, supporting a multifaceted approach to countering cyber attacks against ICS devices.
- The goal is to provide industry with detailed information for establishing anomaly detection and prevention capabilities in their own environments.
Executive Summary
National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE), with NIST’s Engineering Laboratory and NCCoE collaborators, offers information regarding the use of behavioral anomaly detection capabilities to support cybersecurity in industrial control systems for manufacturing. This NIST Interagency Report (NISTIR) was developed in response to feedback from members of the manufacturing sector concerning the need for cybersecurity guidance.
Cybersecurity attacks directed at a manufacturing infrastructure can be detrimental to both human life and property. Behavioral anomaly detection (BAD) mechanisms support a multifaceted approach to detecting cybersecurity attacks against Industrial Control Systems (ICS) devices on which manufacturing processes depend to permit mitigation of those attacks.
The NCCoE and EL deployed commercially available hardware and software provided by industry in response to a NIST notice in the Federal Register to demonstrate behavioral anomaly detection capabilities in an established laboratory infrastructure. We mapped the security characteristics of the demonstrated capabilities to the Framework for Improving Critical Infrastructure Cybersecurity [1] based on NISTIR 8183, the Cybersecurity Framework Manufacturing Profile [2]. The mapping can be used as a reference in applying specific security controls found in prominent industry standards and guidance.
Introducing anomalous data into a manufacturing process can disrupt operations, whether deliberately or inadvertently. The goal of this NISTIR is to provide practical approaches for manufacturers to use in their efforts to strengthen the cybersecurity of their manufacturing processes. This NISTIR demonstrates how BAD tools can be used as a key security component in sustaining business operations, particularly those based on an ICS. The examples provided in this NISTIR illustrate how detecting anomalous conditions can improve the reliability of an ICS in addition to providing specific cybersecurity benefits.
[1] National Institute of Standards and Technology (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. (National Institute of Standards and Technology, Gaithersburg, MD). https://doi.org/10.6028/NIST.CSWP.04162018
[2] Stouffer KA, Zimmerman TA, Tang C, Lubell J, Cichonski JA, McCarthy J (2019) Cybersecurity Framework Manufacturing Profile. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8183
Contents ↓
Table of Contents
1. Introduction
1.1. Background
1.2. Purpose and Scope
1.3. Challenges
1.4. Approach to Addressing Challenges
1.5. Benefits
2. Cybersecurity Framework and NIST Manufacturing Profile
3. Demonstration Environment Architecture
3.1. Collaborative Robotic System
3.1.1. CRS Network Architecture
3.2. Process Control System
3.2.1. PCS Network Architecture
3.3. Behavioral Anomaly Detection Capabilities Demonstrated
3.3.1. SecurityMatters SilentDefense
3.3.2. Secure-NOK SNOK
3.3.3. CyberX
3.3.4. OSIsoft PI Data Archive
3.4. Behavioral Anomaly Detection Methods and Security Functions
3.5. Typographic Conventions
4. Demonstration Scenarios and Findings
4.1. Network-Based Behavioral Anomaly Detection
4.2. Agent-Based Behavioral Anomaly Detection
4.3. Historian-Based and Sensor-Based Behavioral Anomaly Detection
4.4. Demonstration Results and Findings
5. Conclusion
Appendix A. SecurityMatters SilentDefense Supplemental Information
A.1. Build Architecture
A.2. Installation and Configuration
A.2.1. Hardware
A.2.2. Operating System
A.2.3. Configure Sniffing Ports
A.2.4. Configure the Management Port Internet Protocol Address
A.2.5. Configure the SPAN Ports on Layer 3 Network Switches
A.2.6. Log into SilentDefense
A.3. Anomaly Scenarios
A.3.1. Unencrypted Passwords Are Used to Access a Networking Device
A.3.2. Transmission Control Protocol Connection Requests Are Received from the Internet
A.3.3. Data Exfiltration Between ICS Devices via Server Message Block
A.3.4. Data Exfiltration to the Internet via File Transfer Protocol
A.3.5. Unauthorized Device Is Connected to the Network
A.3.6. Loss of Communications with Modbus TCP Device
A.3.7. Brute-Force Password Attack Against an ICS Device
A.3.8. Invalid Credentials for Remote Access
A.3.9. Unauthorized ICS Device Firmware Update
A.3.10. Unauthorized HMI Logic Modification
A.3.11. ICS Device Receives Diagnostic Modbus TCP Function Codes
A.3.12. ICS Device Receives Undefined Modbus TCP Function Codes
A.3.13. ICS Device Receives Malformed Modbus TCP Traffic
A.3.14. Illegal Memory Addresses of ICS Device Are Accessed
A.3.15. ICS Device Scanning Is Performed on the Network
Appendix B. Secure-NOK SNOK Supplemental Information
B.1. Build Architecture
B.2. Installation and Configuration
B.2.1. Hardware
B.2.2. Windows XP / Windows 7 / Windows Server 2012 Installation
B.2.3. Ubuntu 12 / Ubuntu 14 Installation
B.2.4. SNOK Detector Configuration
B.3. Anomaly Scenarios
B.3.1. Web Browser Is Used to Access the Internet
B.3.2. Data Exfiltration to the Internet via HTTP
B.3.3. European Institute for Computer Antivirus Research Virus Test File Is Detected on Host
B.3.4. Host Scanning Is Performed on the Network
B.3.5. Port Scanning Is Performed on the Network
B.3.6. Unauthorized Installation of Software
B.3.7. Unauthorized Programmable Logic Controller Firmware Update
B.3.8. Unauthorized PLC Logic Download
B.3.9. Unauthorized PLC Logic Modification
B.3.10. Unauthorized Connection Is Established Between ICS Devices
B.3.11. Host-Based Firewall Is Disabled
B.3.12. Host-Based Anti-Virus Software Is Disabled
B.3.13. Host Central Processing Unit Load Is Increased
B.3.14. Unauthorized Detachment of Keyboard to Host
B.3.15. Unauthorized Insertion of USB Storage Device
Appendix C. CyberX Supplemental Information
C.1. Build Architecture
C.2. Installation and Configuration
C.2.1. Configuration Guide
C.2.2. Configuration of Forwarding Rules
C.2.3. Enabling Self-Learning Analytics
C.3. Anomaly Scenarios
C.3.1. Unencrypted Hypertext Transfer Protocol Credentials Are Detected on the Network
C.3.2. Unauthorized Secure Shell Session Is Established with an Internet-Based Server
C.3.3. Data Exfiltration to the Internet via DNS Tunneling
C.3.4. Data Exfiltration to the Internet via Secure Copy Protocol
C.3.5. European Institute for Computer Antivirus Research Virus Test File Is Detected on the Network
C.3.6. Unauthorized Device Is Connected to the Network
C.3.7. Denial-of-Service Attack Is Executed Against the ICS Local Area Network
C.3.8. Data Exfiltration Between ICS Devices via User Datagram Protocol
C.3.9. Invalid Credentials Are Used to Access a Networking Device
C.3.10. Brute-Force Password Attack Against a Networking Device
C.3.11. Unauthorized PLC Logic Download
C.3.12. Unauthorized PLC Logic Update – CRS
C.3.13. Unauthorized PLC Logic Update – PCS
C.3.14. Undefined Modbus Transmission Control Protocol Function Codes Are Transmitted to the PLC
C.3.15. Unauthorized Ethernet/IP Scan of the Network
Appendix D. OSIsoft Process Information Supplemental Information
D.1. Build Architecture
D.2. Installation and Configuration
D.2.1. PI AF Installation
D.2.2. PI Data Archive Installation
D.2.3. PI System Process Explorer Installation
D.2.4. PI Vision Installation
D.2.5. PI System Modbus Ethernet Interface Installation
D.2.6. PI System Points and Assets Configuration
D.2.7. PLC Asset Template Analysis Functions
D.2.8. Machining Station Asset Template Analysis Functions
D.2.9. Viewing and Acknowledging Alerts
D.3. Anomaly Scenarios
D.3.1. Frequency Increase of Trouble Calls from a Machining Station
D.3.2. Machining Station Shuts Down During Normal Workcell Operations
D.3.3. Inspection Station Rejects All Parts Leaving the Workcell
D.3.4. Machining Station Door Sensor Fails
D.3.5. Abnormal Process Variable Data Is Transmitted to the PLC
D.3.6. Abnormal Process Variable Data Is Transmitted to a Machining Station
D.3.7. Robots Fail to Send Required Sensor Data to a Machining Station
D.3.8. Workcell Temperature Increases Above a Specified Threshold
Appendix E. Acronyms and Abbreviations
Appendix F. References
List of Tables
Table 2-1 Mapping of Cybersecurity Framework Functions Addressed by BAD Capabilities to the Manufacturing Profile
Table 3-1 BAD Methods and Security Functions
Table 3-2 Typographic Conventions
List of Figures
Figure 3-1 BAD High-Level Architecture
Figure 3-2 Robotic Assembly CRS Network
Figure 3-3 PCS Network Architecture
Figure 3-4 TE Process Control Model
Figure A-1 SPAN Port Connections to the SilentDefense Appliance in the PCS
Figure A-2 SPAN Port Connections to the SilentDefense Appliance in the CRS
Figure B-1 SPAN Port Connections to the SNOK Appliance in the PCS (Including the Hosts with SNOK Agents)
Figure B-2 SPAN Port Connections to the SNOK Appliance in the CRS (Including the Hosts with SNOK Agents)
Figure C-1 SPAN Port Connections to the CyberX Appliance in the PCS
Figure C-2 SPAN Port Connections to the CyberX Appliance in the CRS
Figure C-3 CyberX Network Reconfiguration Program on the Appliance
Figure C-4 Example Screenshot with All Five Self-Learning Analytics Enabled
Figure C-5 Event Log (Timeline View) of Real-Time Alerts in the CyberX Console
Figure D-1 Server Role Features to Be Selected During PI AF Installation
Figure D-2 Data Directories to Be Selected During PI Data Archive Installation
Figure D-3 Configuration Options in the PI Point Builder for Tags Utilizing the ModbusE Interface
Figure D-4 Example Configuration Settings for the Tag PLC-ExperimentMode
Figure D-5 PI System Explorer View Showing the Configured Assets (Elements), the Resulting Hierarchical Structure of Assets, and Live Attributes Received from Station 1
Figure D-6 PI System Explorer Interface Showing an Example of Alerts Displayed to the Operator for Acknowledgment, as Used During Anomaly Scenario Execution