Learning Center
Plans & pricing Sign in
Sign Out

Presentation by Tony Dodge_ What's Transpiring Within Your


									What’s Transpiring Within Your Critical Infrastructure?
      A Practical Application of Security Incident and Event
            Management (SIEM) Technology at BCTC

Tony Dodge
IT Planner and Coordinator (Enterprise Security)
BC Transmission Corporation

September 29th, 2009
 • About BC Transmission Corporation (‘BCTC’)
 • Objective of Today’s Discussion
 • Drivers for Implementation
 • SIEM Primary Functions
 • Prerequisites for Implementation
 • Intellitactics Security Manager Overview
 • Summary & Wrap-Up
 • Q&A
About BC Transmission Corporation
Transmission System in BC
Crown Corporation
   Incorporated May 2, 2003 and operate
   two System Control Centers for all of
   BC, which are responsible for
   maintaining the reliability of the
   'backbone' of B.C.'s transmission grid.

    We are BC's independent electric
    transmission company, ensuring fair
    and open access to the grid and
    creating value and new opportunities
    for our customers and stakeholders by
    providing safe, reliable and cost-       • 18,000 km of high-voltage lines,
    effective transmission services.           underground and submarine cables
                                             • 20,500 steel towers
                                             • 75,000 wood poles
                                             • 293 substations
Objective of Today’s Session
• Overwhelmed on how to fight and win the battle against the
  volumes of potential attackers that are looming outside you
  electronic perimeters?

• Proper deployment of a SIEM solution can radically impact
  an organization’s success in winning this battle!

• Today I will discuss BCTC’s SIEM tool of choice, Intellitactics
  Security Manager (ISM), which is used to effectively identify
  and respond to security threats, specifically within our
  critical infrastructure
BCTC’s Drivers for SIEM Technology
Key BCTC Drivers
1) Reduce the cost and increase the accuracy of compliance (i.e.
    NERC CIP) – Primary Driver:

o   “Security Status Monitoring — … implement automated tools …to monitor system
    events that are related to cyber security.
o   … shall issue automated or manual alerts for detected Cyber Security Incidents.
o   The Responsible Entity shall review logs of system events related to cyber security
    and maintain records documenting review of logs.”

                   Given the volume of log data, review
                   is not feasible without automation
Key BCTC Drivers
2) Increase the effectiveness of security operations - reduce the
   number of security events to a manageable, actionable list

3) Accelerate incident response – a SIEM tool detects incidents
   automatically and automates analysis such that real attacks
   and intruders can be identified quickly (minimize/ eliminate

                           Analysis Across Multiple Systems

A SIEM tool is meant to be an actionable tool, not a system log
Primary Functions of a SIEM Tool
5 Primary Functions

1) Log Consolidation
2) Threat Correlation
3) Incident Management
4) Reporting
5) Forensic Investigations
Prerequisites for Implementation

•    You MUST know your requirements
•    You MUST have security policies in place on which the
     implementation will be based
•    You MUST define your framework in advance of implementation

The illustration on the next slide depicts the alert handling process
and operational model that BCTC developed
BCTC ISM Operational Model

                             RTS, TNI, and Corp

                             BCTC Security

Security Operations Group
Monthly meetings             Intellitactics
BCTC’s SIEM Tool Selection: Intellitactics Security
Manager (ISM)
Intellitactics Security Manager (ISM) - Overview
 •   ISM provides BCTC with:
     - Centralized log collection
     - Log normalization, correlation, and parsing
     - Easy, centralized access to logs and events to
       research attacks and incidents
     - Notification and reporting
ISM – Key Components
       Incident Manager   Client View
BCTC Implementation – Data Segregation

•   BCTC needed to segregate data views

•   There were two key reasons for this:

    1. allow users to focus on events
       pertinent to them

    2. ensure sensitive/ confidential data is
       not divulged to unauthorized
    BCTC Implementation – Device Status
•    Quickly identify those devices which are
     up or down

•    In cases where a device stops sending -
     an e-mail is automatically sent to a user
     to advise him/ her that this device has
     ceased sending data

•    Green - all devices within this device
     group is sending data to the DA server
•    Yellow - some, but not all, devices are
     sending data to the DA server
•    Red - no devices are sending data to the
     DA server
    BCTC Implementation – Alerts
•    ISM classifies alerts based on a colour-coding system that allows users to
     focus their attention and efforts on the appropriate alerts

•    Based on ISM’s risk assessment logic the following 3 categories of alerts were
     defined for BCTC:
     -   Red – high risk
     -   Orange – medium risk
     -   Yellow – low risk

•    Each orange and red alert results in the creation of an automated e-mail which
     is sent to a pre-defined user who is responsible for analyzing and closing the
ISM Alerts Monitoring Process

     ISM (Application)
                                                                                                              TMS – Red
                                                                                                              Alerts only
                                                                                                             EMS – Red &
                                                                             Automatically                   Orange alerts
                                                                             Create Ticket

     Intellitactics                                 Alerts

                         Regular Health
     TNI Controllers

                                                                                                       Info related to incident documented
                                                                                                              within Incident Manager

                                           Check for                           Assign
                                                                                                      Incident and               Close Ticket
                                          devices not                         Ownership
                                          feeding ISM
     RTS Operators

                                                                                                   Contact SCM (dependent on
                                                                                                    whether incident activates
                                                                                                           SOO 6T-10)
Owners (or Delegate)

                                                                                  Follow-up for                                   Monitor
                                                                                  all o/standing                                   Ticket
                                                                                   RED tickets                                   Resolutions
     BCTC ISM Dept.

                         Review Health
                         Check Reports

          Red alerts must be addressed immediately. If outside regular hours call out to technical staff.

     Orange alerts must be assessed and, where deemed to be a legitimate incident, resolved within 72 hours of being identified.
     These alerts will be resolver during normal business hours.
BCTC Implementation – Alerts
•   Within ISM users can drill down (by right-clicking on the alert) into the
    details of individual alerts which will facilitate their analysis and eventual
    resolution of the alert
BCTC Implementation – Incident Manager
•   Incident Manager is an incident response tool that assists in tracking
    incidents throughout their lifecycle and respond to them by:

    -   Creating incident reports (i.e. trouble ticket)
    -   Taking ownership of an incident report and resolving the incident
    -   Use collaboration tools to help resolve the incident
    -   Closing an incident upon resolution and, if necessary, re-opening an incident
Key Lessons Learned from BCTC ISM Implementation
  • No matter how secure an individual device may be, if not
    monitored each device can be bypassed individually;
    basically, the total security of a system is only as good as
    its weakest link.

  • Maturity of Products: Many products are not tailored to the
    NERC framework although many will claim it; BCTC only
    found a very few products mature

  • Flexible Solution: The devil is in the details. Need a
    flexible solution that is adaptable to your unique needs
Key Lessons Learned from BCTC ISM Implementation

  • Tuning Period: Need to learn and understand the type of
    log events over time and tune the SIEM solution to meet
    your needs

  • Walk Before You Run: Mature the processes over time;
    initially build the bare minimum to meet your requirements

  • Integrate alerts from multiple devices to look for attack
    patterns (i.e. malicious attacker probing different systems)

  • Watch for repeated events over a long period of time;
    complex rules are not necessarily required
• As an incident handling tool, ISM proven to be
  effective increasing personnel’s ability to identify
  and handle a large number of events

• By consolidating and correlating events, ISM can
  spot attacks that would otherwise go undetected

• With NERC CIP compliance looming on the
  horizon (Nov 1st for BC), the need for centralized
  logging and the pressures on already burdened
  staff to deal with an avalanche of events, ISM
  has proven to be an invaluable part BCTC’s
  enterprise security solution landscape
Q&A Session
Contact Information

Tony Dodge
IT Planner & Coordinator
Enterprise Security & Business Continuity
BC Transmission Corporation
Work: (604) 699-7473

To top