A Study for Integrating ICS Security Logs with Centralized SIEM (Security Information and Event Management) using OPC Protocol

A Study on Transmitting Control System Security Logs Using the OPC Protocol and on Building an Integrated Log Server

  • Kim, Jaehong (Graduate School of Information Security, Sejong Cyber University) ;
  • Park, Yongsuk (Graduate School of Information Security, Sejong Cyber University)
  • Received : 2022.06.12
  • Accepted : 2022.07.27
  • Published : 2022.08.31

Abstract

Cyber threats targeting ICS (Industrial Control Systems) have increased drastically over the past decade, and a cyber incident in critical infrastructure such as energy, gas terminal and petrochemical facilities can lead to disaster-level accidents including casualties and large-scale fires. To respond effectively to cyber attacks targeting ICS, a multi-layered defense-in-depth strategy that takes the control system architecture into account is necessary. In particular, a centralized security log system that integrates OT (Operational Technology) and IT (Information Technology) plays an important role in the ICS incident response plan. This paper proposes a way of implementing a centralized security log system that collects security events and logs using the OPC protocol from Level 0 to Level 5 of the Purdue model referenced by IEC 62443, in order to integrate ICS security logs with a SIEM (Security Information and Event Management) system operated in the IT environment.

Cyber security threats targeting industrial control systems (ICS) are continuously increasing, and a cyber security incident at national critical infrastructure such as power generation, gas and refinery facilities can lead to disaster-level accidents such as loss of life and large fires. To respond effectively to cyber attacks aimed at control systems, a multi-layered defense strategy that considers the ICS environment is needed; in particular, a strategy that operates the security logs generated in the control network and in the IT environment within one integrated environment plays an effective role in responding to infrastructure intrusions. This study introduces a method of using the OPC protocol to transmit security logs generated in the control network to a SIEM (Security Information and Event Management) system operated in the IT environment, and on that basis proposes a way to build a security log server that can integrate events generated at all control system levels (Level 0 ~ Level 4) defined by IEC 62443.
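The hand-off the abstract describes, from events collected over OPC to a SIEM on the IT side, needs a normalisation step: OPC Alarms & Events records carry a source, an event type, a severity on a 1..1000 scale and free-form message text, while a SIEM expects a fixed line format. The script below is an added example, not code from the paper, that converts constructed OPC-style records into CEF (Common Event Format) lines, maps the severity scale, tags each line with its Purdue level and rejects malformed records instead of dropping them. The collector name in the CEF header, the `LEVEL_BY_PREFIX` naming scheme and the sample records are assumptions made for illustration.

```python
"""Bridge OPC Alarms & Events records into CEF lines for an IT-side SIEM."""
from datetime import datetime, timezone

# Assumed identity of the collector in the CEF header (not from the paper).
CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "ICS-LogCollector", "OPC-AE-Bridge", "1.0"

# Assumed site naming: the device part of an OPC event source tells us which
# IEC 62443 / Purdue level produced the event.
LEVEL_BY_PREFIX = {"PLC": 1, "HMI": 2, "GW": 3}

REQUIRED = ("source", "event_type", "severity", "message", "time")

# Constructed sample, shaped like the fields an OPC AE subscription delivers
# (source, event type, severity 1..1000, message text, timestamp). The last
# record is deliberately malformed to exercise the validation path.
SAMPLE_EVENTS = [
    {"source": "PLC01.FW", "event_type": "SIMPLE", "severity": 900,
     "message": "Firmware change detected", "time": "2022-06-12T08:15:00Z"},
    {"source": "HMI02.AUTH", "event_type": "TRACKING", "severity": 500,
     "message": "Login failed user=operator|host=hmi02",
     "time": "2022-06-12T08:16:30Z"},
    {"source": "GW.DMZ", "event_type": "CONDITION", "severity": 100,
     "message": "Heartbeat ok", "time": "2022-06-12T08:17:00Z"},
    {"source": "PLC07.IO", "event_type": "SIMPLE", "severity": 5000,
     "message": "bad severity", "time": "2022-06-12T08:18:00Z"},
]


def cef_escape_header(value: str) -> str:
    """CEF header fields: backslash and the '|' delimiter must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value: str) -> str:
    """CEF extension values: backslash, '=' and line breaks must be escaped,
    otherwise free-form OPC message text can corrupt the key=value parsing."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_severity(opc_severity: int) -> int:
    """Map OPC AE severity (1..1000, 1000 most severe) onto CEF's 0..10."""
    if not isinstance(opc_severity, int) or not 1 <= opc_severity <= 1000:
        raise ValueError(f"OPC severity out of range: {opc_severity!r}")
    return (opc_severity + 99) // 100


def purdue_level(source: str):
    """Return the Purdue level for an OPC source, or None if unrecognised."""
    device = source.split(".", 1)[0]
    return LEVEL_BY_PREFIX.get(device.rstrip("0123456789"))


def opc_to_cef(event: dict) -> str:
    """Render one OPC AE record as a single CEF line."""
    ts = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
    ts = ts.astimezone(timezone.utc)
    level = purdue_level(event["source"])
    header = "|".join(cef_escape_header(x) for x in (
        CEF_VENDOR, CEF_PRODUCT, CEF_VERSION,
        event["source"],                      # signature id: which OPC source fired
        event["event_type"],                  # name: OPC event category
        str(cef_severity(event["severity"])),
    ))
    ext = {
        "rt": str(int(ts.timestamp() * 1000)),   # CEF receipt time, epoch ms
        "dvc": event["source"].split(".", 1)[0],
        "cs1Label": "purdueLevel",
        "cs1": "unknown" if level is None else str(level),
        "cs2Label": "opcEventType",
        "cs2": event["event_type"],
        "msg": event["message"],
    }
    extension = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def forward(events):
    """Convert a batch. Malformed records are returned separately so the
    collector can alert on them instead of silently dropping OT evidence."""
    lines, rejected = [], []
    for ev in events:
        try:
            missing = [k for k in REQUIRED if k not in ev]
            if missing:
                raise KeyError(f"missing fields: {missing}")
            lines.append(opc_to_cef(ev))
        except (KeyError, ValueError) as exc:
            rejected.append((ev.get("source", "?"), str(exc)))
    return lines, rejected


if __name__ == "__main__":
    ok, bad = forward(SAMPLE_EVENTS)
    print("\n".join(ok))
    print("rejected:", bad)
```

In a deployment the records would come from a subscription to the OPC Alarms & Events server and the CEF lines would be handed to a syslog forwarder on the OT/IT boundary; the escaping step matters because OPC message text is free-form, and a stray `=` or newline in an alarm text would otherwise break the SIEM's key=value parsing and hide the very event the collector exists to preserve.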
