Intrusion Detection and Prevention Systems (IDPS); Policies, Procedures, Standards, and Guidelines; Understanding an ICS Network; Log and Event Management - Eaton Network-M2 User Manual

UPS network management card
Intrusion detection and prevention systems (IDPS)

These are systems that are primarily focused on identifying possible incidents in an ICS network, logging the
information about them, attempting to stop them, and reporting them to ICS security administrators.
Because these systems are critical in an ICS network, they are regular targets for attacks and securing them
is extremely important.
The type of IDPS technology deployed will vary with the type of events that need to be monitored.
There are four classes of IDPS technology:
• Network-based IDPS monitors network traffic for particular ICS network segments or devices and
analyzes the network and application protocol activity to identify suspicious activity
• Wireless IDPS monitors and analyzes wireless network traffic to identify suspicious activity involving
the ICS wireless network protocol
• Network behavior analysis IDPS examines ICS network traffic to identify threats that generate unusual
traffic flows such as DoS attacks
• Host-based IDPS monitors the characteristics and the events occurring within a single ICS network
host for suspicious activity

4.1.7 Policies, procedures, standards, and guidelines

For the defense in depth strategy to succeed, there must be well-documented and continuously reviewed
policies, procedures, standards, and guidelines.
• Policies provide procedures or actions that must be carried out to meet objectives and to address the
who, what, and why
• Procedures provide detailed steps to follow for operations and to address the how, where, and when
• Standards typically refer to specific hardware and software, and specify uniform use and
implementation of specific technologies or parameters
• Guidelines provide recommendations on a method to implement the policies, procedures, and
standards

Understanding an ICS network

Creating an inventory of all the devices, applications, and services that are hosted in a network can establish
an initial baseline for what to monitor. Once those components are identified and understood, control,
ownership, and operational considerations can be developed.

Log and event management

It is important to understand what is happening within the network from both a performance and security
perspective. This is especially true in a control systems environment.
Log and event management entails monitoring infrastructure components such as routers, firewalls, and IDS/IPS,
as well as host assets. Security Information and Event Management (SIEM) systems can collect events from
various sources and provide correlation and alerts.
Generating and collecting events, or even implementing a SIEM is not sufficient by itself. Many organizations
have SIEM solutions, but alerts go unwatched or unnoticed.
Monitoring includes both the capability to monitor environments and the capacity to perform the monitoring.
Capability relates to the design and the architecture of the environment. Has it been built in a manner that
takes into consideration the ability to monitor? Capacity speaks to the resources (personnel, tools, expertise)
needed to perform meaningful interpretation of the information and initiate timely and appropriate action.
Through monitoring, the organization can identify issues such as suspicious or malicious activities.
Awareness can be raised when new (potentially unauthorized) devices appear in the environment. Careful
consideration should be taken into account to ensure that log and event management does not adversely
impact the functionality or the reliability of the control system devices.
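The inventory baseline described under "Understanding an ICS network" is what makes the alert on new or moved devices described above possible. The following added example (not from the Eaton manual) shows the idea as a passive check that reads constructed DHCP lease events from a switch and compares them with a constructed device inventory; the log format, device list and field names are assumptions for illustration.

```python
"""Compare observed lease events against an asset inventory baseline and
raise alerts for unknown devices or known devices at unexpected addresses.
Added example; inventory and log lines are constructed sample data."""
import re
from dataclasses import dataclass

# Constructed inventory baseline: devices known to live on the ICS segment.
INVENTORY = {
    "00:11:22:aa:bb:01": {"ip": "192.168.10.10", "role": "UPS network card"},
    "00:11:22:aa:bb:02": {"ip": "192.168.10.20", "role": "PLC"},
    "00:11:22:aa:bb:03": {"ip": "192.168.10.30", "role": "HMI"},
}

# Constructed syslog-style lease events; the format is an assumption.
SAMPLE_LOGS = """\
<134>Mar 12 08:01:02 sw-ics1 dhcpd: DHCPACK on 192.168.10.10 to 00:11:22:aa:bb:01 via eth1
<134>Mar 12 08:01:09 sw-ics1 dhcpd: DHCPACK on 192.168.10.20 to 00:11:22:aa:bb:02 via eth1
<134>Mar 12 08:03:44 sw-ics1 dhcpd: DHCPACK on 192.168.10.77 to de:ad:be:ef:00:01 via eth1
<134>Mar 12 08:04:10 sw-ics1 dhcpd: DHCPACK on 192.168.10.30 to 00:11:22:aa:bb:03 via eth1
<134>Mar 12 08:05:30 sw-ics1 dhcpd: DHCPACK on 192.168.10.99 to 00:11:22:aa:bb:02 via eth1
"""

# Pull the leased IP and the client MAC out of a DHCPACK line.
LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.IGNORECASE)


@dataclass
class Alert:
    kind: str   # "unknown-device" or "address-change"
    mac: str
    ip: str
    line: str   # the raw event, kept for the analyst


def check_events(log_text, inventory):
    """Return one Alert per lease event that deviates from the baseline."""
    alerts = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue  # not a lease event; read-only, nothing is touched
        ip, mac = m.group(1), m.group(2).lower()
        known = inventory.get(mac)
        if known is None:
            alerts.append(Alert("unknown-device", mac, ip, line))
        elif known["ip"] != ip:
            alerts.append(Alert("address-change", mac, ip, line))
    return alerts
```

Because the check only reads exported log text, it adds no traffic or load to the control system devices themselves.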
Cybersecurity considerations for electrical distribution systems
Securing the Network Management Module  –  75
