SCADA SPLUNK: A stop-gap solution to process variable anomaly detection

In industrial control systems (ICS), a large amount of data goes unused. This process data routinely sits in a historian and does little more than consume energy. My goal is to show some of the benefits, mostly related to cybersecurity, of sending process data to an analysis platform like Splunk.

Splunk is a powerful tool that can be used to analyze most types of data; at its core, Splunk is a data company. This presentation targets organizations with control systems whose IT departments already use a data analysis platform, as well as incident responders looking to gain a tactical advantage. The ability to use existing infrastructure to increase operational technology (OT) network security is a must in the budget-constrained environment we live in.

As a simple demonstration, I will set up a Schweitzer Engineering Laboratories (SEL) overcurrent protective relay, similar to what is currently in use for protecting the US grid. I will also connect an Allen-Bradley PLC with process logic that flips a relay, or breaker, based on the state of the SEL relay. By sending the process data from the SEL relay and the Allen-Bradley PLC to Splunk, I will be able to easily detect anomalies.

During the demo I will attempt to induce an overcurrent condition that the SEL relay will pick up, creating an overcurrent condition on the simulated grid. After the pick-up, the relay will trip and “tell” the AB PLC to “flip the breaker,” while the relevant data is simultaneously ingested into Splunk in order to verify the legitimacy of the fault condition. I will then push a button that flips the bit controlling the breaker without an overcurrent condition, thus creating an anomaly or “attack.” I will then use Splunk’s Machine Learning Toolkit to fit a model on the historical data and do simple predictive analysis to prove the event was anomalous. This presentation does not attempt to create anything new, only to introduce the idea that process data in aggregate can be used not only for efficacy but also for security.
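The correlation rule behind the demo, written out as an added example (not code from the talk or its author): a breaker-open transition reported by the PLC is legitimate only if the SEL relay reported an overcurrent pickup shortly before it; a breaker operation with no preceding pickup is the "button push" anomaly. The key=value event format, the field names (`src`, `ia`, `pickup`, `breaker_open`), the pickup threshold and the trip window are all constructed assumptions, not the demo's actual settings.

```python
from dataclasses import dataclass
from typing import List, Optional

PICKUP_THRESHOLD_A = 100.0  # assumed pickup setting for the demo relay (constructed value)
TRIP_WINDOW_S = 2.0         # a legitimate trip follows a pickup within this window (assumed)

# Constructed sample of key=value events, as the relay and PLC data might reach Splunk.
SAMPLE_EVENTS = """\
ts=0.0 src=sel_relay ia=41.0 pickup=0
ts=0.5 src=ab_plc breaker_open=0
ts=10.0 src=sel_relay ia=260.0 pickup=1
ts=10.4 src=ab_plc breaker_open=1
ts=20.0 src=sel_relay ia=39.0 pickup=0
ts=20.5 src=ab_plc breaker_open=0
ts=30.0 src=sel_relay ia=40.0 pickup=0
ts=30.2 src=ab_plc breaker_open=1
"""

@dataclass
class Event:
    ts: float
    fields: dict

def parse_events(text: str) -> List[Event]:
    """Parse Splunk-style key=value lines into Event records sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(Event(float(kv.pop("ts")), kv))
    return sorted(events, key=lambda e: e.ts)

def anomalous_trips(events: List[Event]) -> List[float]:
    """Timestamps of breaker-open transitions with no recent overcurrent pickup."""
    last_pickup: Optional[float] = None
    breaker_open = False
    flagged = []
    for ev in events:
        if ev.fields.get("src") == "sel_relay":
            # Either the relay's own pickup element or a raw current above threshold counts.
            if ev.fields.get("pickup") == "1" or float(ev.fields.get("ia", 0)) >= PICKUP_THRESHOLD_A:
                last_pickup = ev.ts
        elif ev.fields.get("src") == "ab_plc":
            now_open = ev.fields.get("breaker_open") == "1"
            if now_open and not breaker_open and (last_pickup is None or ev.ts - last_pickup > TRIP_WINDOW_S):
                flagged.append(ev.ts)  # breaker opened without a fault: the "button push" case
            breaker_open = now_open
    return flagged
```

On the constructed sample, the trip at 10.4 s follows the 260 A pickup and passes, while the open at 30.2 s has no fault behind it and is flagged.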

After the demo, I will briefly describe 1-2 well-known industrial attacks and how having all the process data in aggregate could have avoided a shutdown or damage, or sped up the flash-to-bang on incident response. I will close out the talk with a thought-provoking use case of using Splunk to identify correlative process data in order to enable effective offensive actions.

Jake Coyne is a cyber operations officer and S4 at the 1st Cyber Battalion on Fort Gordon. He graduated from Illinois State in 2017 with a Bachelor of Science in Industrial Technology. He currently holds various certifications, including CISSP, CCNA, OSCP, OSWP, GRID, and GICSP.