http://dx.doi.org/10.13089/JKIISC.2018.28.2.471

A Study on ICS Security Information Collection Method Using CTI Model  

Choi, Jongwon (The Attached Institute of ETRI)
Kim, Yesol (The Attached Institute of ETRI)
Min, Byung-gil (The Attached Institute of ETRI)
Abstract
Recently, cyber threats have been occurring frequently in the ICS (industrial control systems) of government agencies, infrastructure operators, and manufacturing companies. To cope with such threats, CTI (cyber threat intelligence) must be applied to ICS, which in turn requires a security information collection system. However, installing security solutions on control devices such as PLCs is difficult, so collecting security information from ICS is also difficult. In addition, the security information generated by the various assets comes in different formats. In this paper, we therefore propose an efficient method for collecting ICS security information. We utilize the CybOX/STIX/TAXII CTI models, which are easy to apply to ICS. Using these models, we designed formats for collecting the security information of ICS assets: formats for system logs, IDS logs, and EWS (engineering workstation) application logs of ICS assets running Windows and Linux. We then designed and implemented a security information collection system that reflects the designed formats. This system can be used to apply monitoring systems and CTI to future ICS.
Keywords
Industrial Control System; Cyber Threat Intelligence; Cyber Security Monitoring; Security Information Collection; Security Event and Log;