Implementation of Industrial Defender NIDS Monitoring
Under the NERC CIP standards, energy and utility companies are required to produce certain reports in order to collect and archive NERC CIP compliance-related data.
To produce the reports mandated by the NERC CIP standards, the majority of the energy industry has implemented the Industrial Defender system. Industrial Defender monitors, manages and protects critical cyber assets in accordance with NERC CIP V5, helping to ensure the safe and reliable operation of control systems. Real-time intelligence about the physical location, system health and state data of assets is key to both reliable operations and regulatory compliance.
The Network Intrusion Detection System (NIDS) is one of Industrial Defender's key components. It is responsible for monitoring all network traffic within the control network's Electronic Security Perimeter, enabling detection of various types of suspicious activity. Olenick implemented the Industrial Defender version 6.2 upgrade at a client site in August 2016. Upon completion, it was determined that the NIDS lacked redundancy. Without redundancy, the NIDS cannot continue to report in the event of a failure, which could result in a NERC CIP audit finding. An additional monitoring capability was therefore needed.
Olenick was engaged to develop a method to monitor the NIDS. Industrial Defender generates a number of reports that display the daily backup status and when each asset on the network last communicated with Industrial Defender. A known limitation of Industrial Defender is that it provides no mechanism for alerting on asset failures. Combined with the lack of redundancy on the NIDS, this is where the risk lies and why a monitoring feature was necessary.
After extensive investigation, an Olenick consultant created a PowerShell script that analyzes the reports and sends an email if there is any unexpected behavior. The script can be used with any report that Industrial Defender generates. In this case, one script was set up specifically to monitor events on the NIDS and the communication status between Industrial Defender and all devices on the network. Two scheduled tasks on the Industrial Defender Automation Systems Manager (ASM) produce the reports; they run automatically every day at 6:30 AM EST. If there is no unexpected behavior, no email is generated. If an asset is not communicating with Industrial Defender, an email is sent to a team to review and take appropriate action.
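The following is an added example, not the Olenick script or any Industrial Defender tooling, showing the same monitoring logic in PowerShell: every asset whose last check-in is older than a day, or missing from the report, is treated as a failure; the script stays silent when everything is reporting and emails a summary otherwise. The CSV column names, report path and mail settings are assumptions.

```powershell
# Added example, not the Olenick script. Assumed report format: a CSV exported by
# Industrial Defender with columns AssetName,AssetType,LastCommunication (ISO-8601).
# Paths, SMTP host and addresses are placeholders.
$ReportPath  = 'C:\ID\Reports\CommunicationStatus.csv'
$MaxAgeHours = 24      # reports run daily, so a gap longer than a day is a failure
$SmtpServer  = 'smtp.example.internal'
$From        = 'id-monitor@example.internal'
$To          = 'ot-security@example.internal'
$DryRun      = $true   # set to $false once the SMTP details are real

function Get-StaleAssets {
    param([object[]] $Rows, [datetime] $Now = (Get-Date), [int] $MaxAgeHours = 24)
    foreach ($row in $Rows) {
        $last = [datetime]::MinValue
        # A blank or unparseable timestamp is treated as a failure, never as a pass.
        if (-not [datetime]::TryParse($row.LastCommunication, [ref] $last)) {
            [pscustomobject]@{ Asset = $row.AssetName; Type = $row.AssetType; Reason = 'no valid last-communication time' }
            continue
        }
        $ageHours = ($Now - $last).TotalHours
        if ($ageHours -gt $MaxAgeHours) {
            [pscustomobject]@{ Asset = $row.AssetName; Type = $row.AssetType; Reason = ('silent for {0:N1} h, last seen {1:s}' -f $ageHours, $last) }
        }
    }
}

# Constructed sample rows, used only when the real report is absent.
# NIDS-01 is deliberately stale and HMI-02 has no timestamp at all.
$sample = @'
AssetName,AssetType,LastCommunication
NIDS-01,NIDS,2016-08-30T02:15:00
RTU-07,RTU,2016-08-31T05:58:00
HMI-02,HMI,
'@ | ConvertFrom-Csv

$rows  = if (Test-Path $ReportPath) { Import-Csv $ReportPath } else { $sample }
$stale = @(Get-StaleAssets -Rows $rows -MaxAgeHours $MaxAgeHours)

# No unexpected behaviour: exit quietly, no email is generated.
if ($stale.Count -eq 0) { return }

$subject = 'Industrial Defender: {0} asset(s) not reporting' -f $stale.Count
$body    = $stale | Format-Table -AutoSize | Out-String
if ($DryRun) { Write-Host $subject; Write-Host $body; return }
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $subject -Body $body
```

Register the script as a scheduled task that runs shortly after the report tasks finish, so it always evaluates the current day's report.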
The two major benefits of the implemented NIDS monitoring process are as follows:
- Time Savings – The automated monitoring process replaced the manual analysis the team had been performing to ensure all devices were reporting to Industrial Defender, saving approximately five hours per week that were previously spent on the manual analysis.
- Risk Mitigation – The automated monitoring process reports asset failures when the NIDS fails and logging stops, mitigating the risk of a NERC CIP compliance finding.
If other energy entities use Industrial Defender and could benefit from an asset monitoring feature similar to the one Olenick created, please don't hesitate to reach out to Dave Doyle.