Building Insider Threat Detection Use Cases for SCADA Systems in Electric Power Grids
摘要
Insider threats to critical infrastructure assets have always been a problem, but the advent of industrial control systems has significantly increased the impacts of incidents. Off-the-shelf implementations of user and entity behavior analytics – standard information technology tools for detecting insider threats – are inappropriate for industrial control systems because they focus on data theft instead of sabotage. By examining historical incidents and using an analytical process, a number of denial-of-access scenarios can be identified in the supervisory control layer by adjusting the anomalies that are considered in information technology environments. This chapter shows that denial-of-access use cases can be detected by customizing the dimensions of volumetric anomalies. One example is to measure data transfer volumes between specific devices instead of data transfers at large. However, manipulations of process scenarios require drastic changes to traditional user and entity behavior analytics. These include maintaining allowed lists of devices that can connect directly as supervisory control and data acquisition clients and correlating with other data sources such as human-machine interface usage logs and post hoc analysis of operator actions.