“Operators and engineers are generally tasked with one thing: uptime. Service availability is king and that often comes at the expense of patching systems, for example, that might require a service to be temporarily taken down.”
The processes for monitoring and analyzing incidents are even less refined, experts say. That is the gap Scott Weston sought to fill with OpenICS, a project sponsored by EnergySec (the Energy Sector Security Consortium). Released to GitHub recently, OpenICS is a library that decodes sniffed control-network traffic; it currently supports three widely used ICS protocols: MODBUS, DNP3 and EIP/CIP.
“These are special-purpose components that know how to interpret control system traffic and build data dictionaries from traffic that can be used to script specific situations that are of interest in an information security context,” Weston said.
The data dictionaries, or metadata repositories, are the key differentiator of OpenICS' approach, Weston said. Rather than developing signatures to be dumped into an intrusion detection system, data dictionaries can help bridge the expansive gap between security-aware engineers and the business operators who run critical infrastructure.
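To make the decode-then-dictionary idea in the last two paragraphs concrete, here is an added Python illustration. It is not OpenICS code and does not reflect the library's actual API; it shows the pattern in miniature for one of the three protocols: a Modbus/TCP request decoder, a baseline "data dictionary" of which masters use which function codes and write which coils or registers on which slave, and one scripted check against that baseline. The frames, addresses and host IPs are constructed for the example, not captured from a real network.

```python
"""Decode sniffed Modbus/TCP requests, build a per-slave data dictionary from a
baseline capture, then script one check against it. Added illustration only:
not OpenICS code, and every frame, address and host below is constructed."""
import struct
from collections import defaultdict

MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
COIL_FUNCTIONS = {1, 5, 15}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode one Modbus/TCP request ADU (7-byte MBAP header + PDU).
    Raises ValueError on anything that does not fit the spec's framing."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(payload) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, data = payload[7], payload[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc,
           "name": MODBUS_FUNCTIONS.get(fc, "unknown")}
    if fc in (1, 2, 3, 4, 15, 16):          # start address + quantity
        if len(data) < 4:
            raise ValueError("PDU too short for address/quantity")
        rec["start"], rec["count"] = struct.unpack(">HH", data[:4])
    elif fc in (5, 6):                      # single-item write: address + value
        if len(data) < 4:
            raise ValueError("PDU too short for address/value")
        rec["start"], rec["value"] = struct.unpack(">HH", data[:4])
        rec["count"] = 1
    if fc == 16:                            # byte count must agree with quantity
        if len(data) < 5 or data[4] != 2 * rec["count"] or len(data) < 5 + data[4]:
            raise ValueError("byte count disagrees with register quantity")
        rec["values"] = list(struct.unpack(">%dH" % rec["count"], data[5:5 + data[4]]))
    return rec


def _table(fc):
    return "coil" if fc in COIL_FUNCTIONS else "register"


def build_dictionary(frames):
    """frames: iterable of (src_ip, payload) from a baseline capture. Learns, per
    slave unit id, which masters talk to it, which function codes they use and
    which coil/register addresses are ever written. This is the dictionary a
    later scripted check runs against."""
    d = defaultdict(lambda: {"masters": set(), "functions": set(), "writes": set()})
    for src, payload in frames:
        try:
            rec = parse_modbus_tcp(payload)
        except ValueError:
            continue                        # malformed frames do not become baseline
        entry = d[rec["unit"]]
        entry["masters"].add(src)
        entry["functions"].add(rec["fc"])
        if rec["fc"] in WRITE_FUNCTIONS:
            entry["writes"].update((_table(rec["fc"]), a)
                                   for a in range(rec["start"], rec["start"] + rec["count"]))
    return dict(d)


def check_frame(dictionary, src, payload):
    """One scripted 'situation of interest': report anything in a live request
    that the baseline never showed (new master, new function, new write target)."""
    rec = parse_modbus_tcp(payload)
    entry = dictionary.get(rec["unit"])
    if entry is None:
        return ["unit %d never seen in baseline" % rec["unit"]]
    alerts = []
    if src not in entry["masters"]:
        alerts.append("%s is not a known master for unit %d" % (src, rec["unit"]))
    if rec["fc"] not in entry["functions"]:
        alerts.append("function %d (%s) not in baseline for unit %d"
                      % (rec["fc"], rec["name"], rec["unit"]))
    if rec["fc"] in WRITE_FUNCTIONS:
        table = _table(rec["fc"])
        new = [a for a in range(rec["start"], rec["start"] + rec["count"])
               if (table, a) not in entry["writes"]]
        if new:
            alerts.append("write to %s address(es) %s never written in baseline" % (table, new))
    return alerts


# Constructed frames (hex as they would appear in a pcap), not real captures.
FRAME_READ = bytes.fromhex("000100000006" "0103" "0000000a")       # HMI reads 10 holding regs from 0
FRAME_WRITE_OK = bytes.fromhex("000200000006" "0106" "00100064")   # HMI writes reg 16 := 100
FRAME_ROGUE = bytes.fromhex("00030000000b" "0110" "00100002" "04" "00000000")  # regs 16-17 := 0
FRAME_COIL = bytes.fromhex("000400000006" "0105" "0003ff00")       # HMI forces coil 3 ON
BASELINE = [("10.0.0.5", FRAME_READ), ("10.0.0.5", FRAME_WRITE_OK)]
LIVE = [("10.0.0.99", FRAME_ROGUE), ("10.0.0.5", FRAME_COIL)]


def run_demo():
    """Learn from BASELINE, then check each LIVE frame; returns [(src, alerts), ...]."""
    d = build_dictionary(BASELINE)
    return [(src, check_frame(d, src, p)) for src, p in LIVE]


if __name__ == "__main__":
    for src, alerts in run_demo():
        print(src, alerts or "no anomalies")
```

The point of keying the dictionary on the slave unit id and on (table, address) rather than on packet bytes is that the resulting alerts read in the operator's vocabulary ("10.0.0.99 wrote holding register 17 on unit 1, which nothing has ever written") rather than as a signature ID, which is the bridge between engineers and operators the article describes. A real deployment would learn from far more than two frames and would also track replies and exception codes; the MBAP length and byte-count checks above are the minimum needed so a malformed frame is rejected rather than silently mis-decoded into the baseline.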