Abstract
Traditional networks with event monitoring and logging capability have been successfully deployed and implemented for years. However, these solutions are not always suited to deployment and configuration within an industrial control system (ICS), due to the legacy challenges and the nature of the devices running in this ecosystem. It is essential to understand which systems, devices and applications to monitor, which logs to collect, where to collect them, how to acquire, secure, and preserve them, and how best to use the collected logs. For example, users, assets, applications, and behaviours should be monitored and logged with an easy-to-read dashboard that adds context to the acquired logs. ICS legacy systems face significant cyber threats, such as malware and advanced persistent threats (APTs). In this paper, we propose a secure virtualised architecture based on the Purdue Enterprises Reference Architecture Model (PERA) for the ICS ecosystem that facilitates monitoring and logging of ICS legacy systems. The proposed architecture uses an enhanced open-source host-based intrusion detection system (HIDS) and network monitoring capability to maintain log integrity in transit and in storage. The current Operational Technology (OT) monitoring and logging tools and software are ineffective in collecting and centralising OT legacy system logs. The novelty of the proposed virtualised architecture lies in its endpoint visibility feature and critical alert capabilities, which detect indications of compromise on the legacy and non-legacy systems in the ICS ecosystem.

Keywords: APT; Cyber attack; ICS; IDS; OT; PERA