Network appliances like firewalls and switches, have software (commonly referred to as firmware) on them that monitor and log security events. Unfortunately, the logs are rarely read by anyone. In fact, most people have never logged into their home router to look at the logs or change the administrator password. If the firmware was compromised, or the Internet provider uses the same administrator username and password for all of them, as soon as one is compromised, they are all open to the attacker.
Since large corporate networks have thousands of network appliances and computers, the task of manually logging in and looking at logs only once a year is unreasonable if not impossible. Consequently, security tools have been created to manage all of these device logs. They gather and analyze thousands of logs from all types of network appliances including firewalls, switches, computers, etc.
The security tools come in several variants with slightly different names. Today, most of them overlap in capability, so it is important to verify that the one you are considering includes the specific functions you need right now. Security Information and Event Management (SIEM) is the combination of Security Information management (SIM) and Security Event Management (SEM).
At Kenexis, we provide complete life cycle design, including implementation and validation for SIEM systems. We do this for critical applications providing network security monitoring (NSM) for multiple nuclear power generation facilities in compliance with the Nuclear Regulatory Commission (NRC) 10 CFR 73.54 and NEI 08-09. While a SIEM is required for this type of infrastructure, it may also be appropriate for many other control system environments running processes or machines.
Life cycle design includes many considerations from policy to wiring. General requirements usually include drawings, wiring challenges including old control systems and complex security defenses, implementation plans, compliance considerations, monitoring and reporting plans, monitoring system devices and data integrity, intrusion and malware detection and defenses, and acceptable use criteria as part of the overall roadmap.
The design and implementation process at a nuclear power plant is more complicated than most process plants or industrial control systems (ICS) and includes developing a conceptual and detailed design incorporating multiple SIEM systems, data diodes, firewalls, intrusion detection systems (IDS), and servers within multiple different security levels. With an excellent design and implementation, the SIEM can gather and analyze the logs from all of these network appliances across complex security networks designed to provide cybersecurity barriers.
Throughout the process, we work with the customer to integrate their existing process control and ICS equipment to gather the logs from control systems along with the network appliance logs into the SIEM. In the case above, we send it to the SIEM at the Security Operations Center (SOC). SOCs are becoming common place for large institutions and may become outsourced in the future to highly secure monitoring agencies where it is convenient to staff experts to work on multiple systems.
Kenexis continues to provide ongoing support for the SIEM design once the system is operational.
If you would like to now more, please contact us at firstname.lastname@example.org
Closing thought, please go home today and log in to your home router. If you forgot your log in or never set one in the first place, most Internet providers publish the hard-coded or default password in the user manual posted somewhere on the Internet! Consider changing the username and password for the administrator, check out what devices are connected to the router including wired and wireless, and enable logging or read through logs to see if anything weird has occurred.