NIST SPECIAL PUBLICATION 1800-7C


Situational Awareness For Electric Utilities


Volume C:

How-To Guides



Jim McCarthy

National Cybersecurity Center of Excellence

National Institute of Standards and Technology


Otis Alexander

Sallie Edwards

Don Faatz

Chris Peloquin

Susan Symington

Andre Thibault

John Wiltberger

Karen Viani

The MITRE Corporation

McLean, VA



August 2019


This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-7


The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/es-sa-nist-sp1800-7-draft.pdf





DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-7C, Natl. Inst. Stand. Technol. Spec. Publ. 1800-7C, 173 pages, (August 2019), CODEN: NSPUE2

FEEDBACK

As a private-public partnership, we are always seeking feedback on our Practice Guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference design, or have questions about applying it in your environment, please email us at energy_nccoe@nist.gov.

All comments are subject to release under the Freedom of Information Act (FOIA).

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners — from Fortune 50 market leaders to smaller companies specializing in IT security — the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md.

To learn more about the NCCoE, visit https://www.nccoe.nist.gov. To learn more about NIST, visit https://www.nist.gov.


NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT

Through direct dialogue between NCCoE staff and members of the energy sector (composed mainly of electric power companies and those who provide equipment and/or services to them), it became clear that energy companies need to create and maintain a high level of visibility into their operating environments to ensure the security of their operational resources (operational technology [OT]), including industrial control systems (ICS), buildings, and plant equipment. However, energy companies, as well as all other utilities with similar infrastructure and situational awareness challenges, also need insight into their corporate or information technology (IT) systems and physical access control systems (PACS). The convergence of data across these three often self-contained silos (OT, IT, and PACS) can better protect power generation, transmission, and distribution.

Real-time or near-real-time situational awareness is a key element in ensuring this visibility across all resources. Situational awareness, as defined in this use case, is the ability to comprehensively identify and correlate anomalous conditions pertaining to ICS, IT resources, and access to buildings, facilities, and other business mission-essential resources. For energy companies, having mechanisms to capture, transmit, view, analyze, and store real-time or near-real-time data from ICS and related networking equipment provides the information needed to deter, identify, respond to, and mitigate cyber attacks against their assets.

With such mechanisms in place, electric utility owners and operators can more readily detect anomalous conditions, take appropriate actions to remedy them, investigate the chain of events that led to the anomalies, and share findings with other energy companies. Obtaining real-time and near-real-time data from networks also has the benefit of helping demonstrate compliance with information security standards. This NCCoE projectʼs goal is ultimately to improve the security of operational technology through situational awareness.

This NIST Cybersecurity Practice Guide describes our collaborative efforts with technology providers and energy sector stakeholders to address the security challenges that energy providers face in deploying a comprehensive situational awareness capability. It offers a technical approach to meeting the challenge and also incorporates a business value mind-set by identifying the strategic considerations involved in implementing new technologies. The guide provides a modular, end-to-end example solution that can be tailored and implemented by energy providers of varying sizes and sophistication. It shows energy providers how we met the challenge by using open-source and commercially available tools and technologies that are consistent with cybersecurity standards. The use case is based on an everyday business operational scenario that provides the underlying impetus for the functionality presented in the guide. Test cases were defined with industry participation to provide multiple examples of the capabilities necessary to provide situational awareness.

While the example solution was demonstrated with a certain suite of products, the guide does not endorse these products. Instead, it presents the characteristics and capabilities that an organizationʼs security experts can use to identify similar standards-based products that can be integrated quickly and cost effectively with an energy providerʼs existing tools and infrastructure.

KEYWORDS

correlated events; cybersecurity; energy sector; information technology; operational technology; physical access control systems; security information and event management; situational awareness

ACKNOWLEDGMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name | Organization
Pam Johnson | TDi
Clyde Poole | TDi
Eric Chapman | University of Maryland, College Park
David S. Shaughnessy | University of Maryland, College Park
Don Hill | University of Maryland, College Park
Mary-Ann Ibeziako | University of Maryland, College Park
Damian Griffe | University of Maryland, College Park
Mark Alexander | University of Maryland, College Park
Nollaig Heffernan | Waratek
James Lee | Waratek
John Matthew Holt | Waratek
Andrew Ginter | Waterfall
Courtney Schneider | Waterfall
Tim Pierce | Waterfall
Kori Fisk | The MITRE Corporation
Tania Copper | The MITRE Corporation

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator | Build Involvement
Dragos | CyberLens
Hewlett Packard Enterprise (HPE)* | ArcSight
ICS2 | OnGuard
OSIsoft | PI Historian
Radiflow | iSID
RS2 Technologies | Access It!, Door Controller
RSA, a Dell Technologies business | Archer Security Operations Management
Schneider Electric | Tofino Firewall
Siemens | RUGGEDCOM CROSSBOW
TDi Technologies | ConsoleWorks
Waratek | Waratek Runtime Application Protection
Waterfall Security Solutions | Unidirectional Security Gateway, Secure Bypass

*Please note: HPE in this project is now Micro Focus Government Solutions, which acquired the suite of products and solutions used by the NCCoE in this build.

The NCCoE also wishes to acknowledge the special contributions of the University of Maryland for providing us with a real-world setting for the situational awareness build; Project Performance Company for its dedication in assisting the NCCoE with the very challenging and complex integration in this build; and the NCCoE Energy Provider Community for its patience, support, and guidance throughout the life cycle of this project.

List of Figures

Figure 1-1 Monitoring and Data Collection Lab Build Architecture

Figure 1-2 Data Aggregation and Analysis Lab Build Architecture

Figure 1-3 Enterprise Lab Wiring Diagram

Figure 1-4 Cogeneration Facility Lab Network Diagram

Figure 2-1 OSIsoft PI Historian Connection

Figure 2-2 ApplicationSettings Syslog Configuration

Figure 2-3 IXIA TP-CU3 Network Tap

Figure 2-4 PI AF Server 2015 R2 Setup

Figure 2-5 Create New Data Source for SQL

Figure 2-6 Testing SQL Setup

Figure 2-7 PI SDK Setup

Figure 2-8 Configure New Interface

Figure 2-9 ICU — General Configuration

Figure 2-10 ICU — Citect ICU Control

Figure 2-11 ICU — Windows Service Setup

Figure 2-12 ICU — UniInt Configuration

Figure 2-13 System Status

Figure 2-14 RS2 Door Controller Case

Figure 2-15 Inside of RS2 Door Controller Case

Figure 2-16 AC/DC Inverter

Figure 2-17 EP-1502 Door Controller Board

Figure 2-18 Radiflow iSID Web Dashboard

Figure 2-19 Web Server (IIS) Components Section

Figure 2-20 .NET Framework 4.5 Features Selection

Figure 2-21 Application Pools

Figure 2-22 RSA Archer User Login

Figure 2-23 Security Operations Management Tab

Figure 2-24 Multiple Security Alerts within the RSA Archer Console

Figure 2-25 Sample Message from ArcSight, Showing Raw Log Message/Alert and Parsing with Normalization

Figure 2-26 Sample Message Showing Alert Indicating New Device Detected at Substation

Figure 2-27 Sample Message Showing an Alert Indicating Badged Entry Detected at Substation

Figure 2-28 New Incident Response Workflow Record Started, Documented with Title, Summary, Details

Figure 2-29 Incident Record Alerts Tab, Showing the Association of Two Events Attached to This Incident Response Investigation Record

Figure 2-30 Incident Response Procedure with Two Related Tasks Assigned to the Incident Response Record

Figure 2-31 Incident Response Tasks with Status, Details, and Completion Status

Figure 2-32 Incoming Packet Configuration

Figure 2-33 Outgoing Packet Configuration

Figure 2-34 Create New Project

Figure 2-35 Administrator Password

Figure 2-36 Project Explorer Window

Figure 2-37 Tofino SA/MAC Address

Figure 2-38 Project Explorer

Figure 2-39 New Asset

Figure 2-40 Project Explorer Tofino SA Icon

Figure 2-41 Asset Rule Profiles

Figure 2-42 Apply Configuration Pane

Figure 2-43 CrossBow Server Configuration

Figure 2-44 CrossBow Server Configuration

Figure 2-45 CrossBow Server Configuration

Figure 2-46 MMC Snap-In

Figure 2-47 Preferences Dialogue Box

Figure 2-48 CxBClientOnlyCerts Snap-In

Figure 2-49 CrossBow Server Configuration

Figure 2-50 Preference Dialogue Box

Figure 2-51 CrossBow Server Configuration

Figure 2-52 Virtual Private Network (VPN) Certificate Form

Figure 2-53 VPN Private Key Form

Figure 2-54 Client Connection Info

Figure 2-55 SAC Connection List

Figure 2-56 Connection List

Figure 2-57 Certificates Info

Figure 2-58 Trigger Action

Figure 2-59 Status Log

Figure 2-60 Station Access Controller Properties

Figure 2-61 SAC Property Configuration — Identification

Figure 2-62 SAC Property Configuration — Connection

Figure 2-63 SAC Property Configuration — NERC CIP

Figure 2-64 Scheduling Push SAC Database

Figure 2-65 Application Selection Dialogue

Figure 2-66 RUGGEDCOM Web Login

Figure 2-67 Enable IPSec and NAT Traversal

Figure 2-68 Binding to Syslog

Figure 2-69 Server Management Bind Edit

Figure 2-70 Adding SYSLOG Console

Figure 2-71 Copying Plug-In to CWScript Directory

Figure 2-72 CWScript Upload

Figure 2-73 Browse for CWScript

Figure 2-74 Select CWScript XML

Figure 2-75 Review CWScript Settings

Figure 2-76 Modify Action and Parameter for CWScript

Figure 2-77 Add New Scan

Figure 2-78 Add New Event

Figure 2-79 Syslog Forwarding Action Config

Figure 2-80 Add Console to Syslog Forwarding Action Config

Figure 2-81 Review Event Settings

Figure 2-82 Waterfall Secure Bypass Interface

Figure 2-83 Set Up Syslog on CyberLens

Figure 2-84 ArcSight Configure

Figure 2-85 Program Parameters Setup

Figure 2-86 Request URL Configuration

Figure 2-87 Tool URL Verification

Figure 2-88 Access It! SQL Table

Figure 2-89 Access It! Application Window

Figure 2-90 Example Location

Figure 2-91 Example String/URL

Figure 2-92 Categorization File Fields

Figure 3-1 Create New Filter

Figure 3-2 Create Conditions (Logic)

Figure 3-3 Bro Filter

Figure 3-4 Dragos CyberLens Filter

Figure 3-5 ICS2 On-Guard Filter

Figure 3-6 Windows Log Filter for OSI PI Historian

Figure 3-7 Radiflow iSID Filter

Figure 3-8 RS2 Access It! Filter

Figure 3-9 RSA Archer Filter

Figure 3-10 Waratek Filter

Figure 3-11 OT Cross-Boundary Filter

Figure 3-12 OT Inbound Filter

Figure 3-13 OT Outbound Filter

Figure 3-14 SA-1 - OT-Alerts Filter

Figure 3-15 SA-1 - OT and PACS Dashboard

Figure 3-16 SA-1 OT and PACS Active Channel

Figure 3-17 SA-2 - IT to OT AppAttack Filter

Figure 3-18 SA-2 OT-comms-with-non-OT Filter

Figure 3-19 SA-2 SQL Injection Dashboard

Figure 3-20 SA-2 SQL Injection Active Channel

Figure 3-21 SA-3 - FailedLogins Filter

Figure 3-22 SA-3 OT to IT or OT BadLogins Filter

Figure 3-23 SA-3 OT-to-IT or FailedLogins Dashboard

Figure 3-24 SA-3 OT-to-IT or FailedLogins Active Channel

Figure 3-25 SA-4 Anomaly Detection Filter

Figure 3-26 SA-4 Anomaly Detection Dashboard

Figure 3-27 Anomaly Detection Active Channel

Figure 3-28 SA-5 ConfigMgnt Filter

Figure 3-29 SA-5 ConfigMgmt Filter

Figure 3-30 SA-5 Master Filter

Figure 3-31 SA-5 Configuration Changes Dashboard

Figure 3-32 SA-5 Configuration Changes Active Channel

Figure 3-33 SA-6 RogueDevice Filter

Figure 3-34 SA-6 Rogue Device Dashboard

Figure 3-35 SA-6 Rogue Device Active Channel

List of Tables

Table 2-1 CentOS Partitioning Scheme for ArcSight ESM Manager Server

Table 2-2 RSA Archer Configuration Settings

Table 2-3 IIS Components and .NET Framework

1. Introduction

The following volumes of this guide show information technology (IT) professionals and security engineers how we implemented this example solution. We cover all of the products employed in this reference design. We do not recreate the product manufacturers’ documentation, which is presumed to be widely available. Rather, these volumes show how we incorporated the products together in our environment.

Note: These are not comprehensive tutorials. There are many possible service and security configurations for these products that are out of scope for this reference design.

1.1. Practice Guide Structure

This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate this approach to situational awareness. This reference design is modular and can be deployed in whole or in part.

This guide contains three volumes:

  • NIST SP 1800-7A: Executive Summary
  • NIST SP 1800-7B: Approach, Architecture, and Security Characteristics – what we built and why
  • NIST SP 1800-7C: How-To Guides – instructions for building the example solution (you are here)

Depending on your role in your organization, you might use this guide in different ways:

Business decision makers, including chief security and technology officers, will be interested in the Executive Summary (NIST SP 1800-7A), which describes the following topics:

  • challenges enterprises face in maintaining cross-silo situational awareness
  • example solution built at the NCCoE
  • benefits of adopting the example solution

Technology or security program managers who are concerned with how to identify, understand, assess, and mitigate risk will be interested in NIST SP 1800-7B, which describes what we did and why. The following sections will be of particular interest:

  • Section 3.4.1, Risk, provides a description of the risk analysis we performed.
  • Section 3.4.2, Security Control Map, maps the security characteristics of this example solution to cybersecurity standards and best practices.

You might share the Executive Summary, NIST SP 1800-7A, with your leadership team members to help them understand the importance of adopting a standards-based situational awareness solution.

IT professionals who want to implement an approach like this will find this whole practice guide useful. You can use the How-To portion of the guide, NIST SP 1800-7C, to replicate all or parts of the build created in our lab. The How-To guide provides specific product installation, configuration, and integration instructions for implementing the example solution. We do not recreate the product manufacturers’ documentation, which is generally widely available. Rather, we show how we incorporated the products together in our environment to create an example solution.

This guide assumes that IT professionals have experience implementing security products within the enterprise. While we have used a suite of commercial products to address this challenge, this guide does not endorse these particular products. Your organization can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a solution that includes physical access control systems (PACS), operational technology (OT), IT systems, and business processes. Your organization’s security experts should identify the products that will best integrate with your existing tools and IT system infrastructure. We hope that you will seek products that are congruent with applicable standards and best practices. Volume B, Section 3.5, Technologies, lists the products that we used and maps them to the cybersecurity controls provided by this reference solution.

1.2. Build Overview

Energy sector colleagues shared that they need to know when cybersecurity events occur throughout the organization. Additionally, information about such events must be correlated across the various sources before it reaches a converged platform. Security staff need to be aware of potential or actual cybersecurity incidents in their IT and OT systems and PACS and to view these alerts on a single converged platform. Furthermore, the ability to drill down, investigate, and subsequently fully remedy or effectively mitigate a cybersecurity incident affecting any or all of the organization is essential.

1.3. Typographic Conventions

The following table presents typographic conventions used in this volume.

Typeface/Symbol | Meaning | Example
Italics | file names and path names; references to documents that are not hyperlinks; new terms; and placeholders | For detailed definitions of terms, see the NCCoE Glossary.
Bold | names of menus, options, command buttons, and fields | Choose File > Edit.
Monospace | command-line input, on-screen computer output, sample code examples, and status codes | mkdir
Monospace Bold | command-line user input contrasted with computer output | service sshd start
blue text | link to other parts of the document, a web URL, or an email address | All publications from NIST’s NCCoE are available at https://www.nccoe.nist.gov.

1.4. Logical Architecture Summary

NIST Special Publication (SP) 1800-7B describes an example solution consisting of a monitoring/data collection component, which is deployed to operations facilities such as substations and generating plants; and a data aggregation/analysis component that is deployed as a single service for the enterprise. Data is collected from the industrial control systems (ICS) network by the monitoring/data collection component and sent to the data aggregation/analysis component. NIST SP 1800-7B also presents an architecture for building an instance of the example solution by using commercial products. That architecture is depicted in Figure 1-1 and Figure 1-2 below.

Figure 1-1 Monitoring and Data Collection Lab Build Architecture

This image demonstrates an architecture for building an instance of the example solution by using commercial products.

Figure 1-2 Data Aggregation and Analysis Lab Build Architecture

This image demonstrates an architecture for building an instance of the example solution by using commercial products.

This practice guide provides detailed instructions on installing, configuring, and integrating the products used to build an instance of the example solution. The role of each product in the example solution is described in NIST SP 1800-7B, Section 4, Architecture.

1.5. Wiring Diagrams

The architecture diagrams in the previous section present the logical connections needed among the products used to build an instance of the example solution. This section describes the physical wiring that implements those logical connections.

Figure 1-3 Enterprise Lab Wiring Diagram

This image demonstrates an example of the enterprise lab wiring diagram.

Figure 1-4 Cogeneration Facility Lab Network Diagram

This image demonstrates an example of the Cogeneration Facility network diagram.

2. Product Installation Guides

This section of the practice guide contains detailed instructions for installing and configuring all of the products used to build an instance of the example solution. Product installation information is organized alphabetically by vendor with one section for each instance of the product. The section heading includes the unique product instance identifier used in the example solution architecture diagrams. Those identifiers have the form “Ln” where L is a letter and n is a number. Three different letters are used in the example solution architecture diagrams:

  • En identifies a product instance installed in the enterprise portion of the build constructed in the NCCoE energy sector lab. For example, E1 is the Siemens RUGGEDCOM RX1400 installed in the NCCoE lab.
  • On identifies a product instance installed in the operations portion of the build constructed in the build partnerʼs cogeneration facility. For example, O1 is the Siemens RUGGEDCOM RX1501 installed in the build partnerʼs cogeneration facility.
  • Un identifies a product instance that is an existing part of the build partnerʼs cogeneration facility. For example, U1 is the Citect supervisory control and data acquisition (SCADA) controller that is part of the build partnerʼs cogeneration facility control system.

If the build contains multiple instances of the same product installed in nominally the same way, the full installation instructions are presented for one instance. Only the differences in installation and configuration are presented for the additional instances. For example, the build includes three instances of TDi Technologies ConsoleWorks (O5, O9, E6). Full installation instructions are provided for the E6 instance of TDi Technologies ConsoleWorks. The instructions provided for the O5 and O9 instances describe only the differences between those instances and the E6 instance.

2.1. Cisco 2950 (O15)

The Cisco 2950 switch is used to aggregate the IXIA network taps (O16): traffic received on FastEthernet0/1 through 0/12 is mirrored by a SPAN session (monitor session 1) to FastEthernet0/23. The running configuration is presented in the following subsection. Note that the lab configuration stores the enable and VTY line passwords in cleartext (no service password-encryption), keeps a cleartext enable password in addition to the enable secret, and leaves ip http server enabled. Before reusing this configuration outside the lab, replace all credentials, remove the enable password (the enable secret is what IOS uses when both are set), enable service password-encryption, and disable the HTTP server unless it is required.

2.1.1. Cisco 2950 (O15) Installation Guide

Using 1904 out of 32768 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname aggregator
!
aaa new-model
enable secret 5 $1(s*tC$RHcpvnJts/adF.ONLSK32.
enable password C1sc0
!
username admin privilege 15 secret 5 $1*.1Gz$nHZ.CVIlq28oMB46m2X8k/
ip subnet-zero
!
ip domain-name lab-mgmt
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 no keepalive
 speed 100
!
interface FastEthernet0/2
 no keepalive
 speed 100
!
interface FastEthernet0/3
 no keepalive
!
interface FastEthernet0/4
 no keepalive
!
interface FastEthernet0/5
 no keepalive
!
interface FastEthernet0/6
 no keepalive
!
interface FastEthernet0/7
 no keepalive
!
interface FastEthernet0/8
 no keepalive
!
interface FastEthernet0/9
 no keepalive
!
interface FastEthernet0/10
 no keepalive
!
interface FastEthernet0/11
 no keepalive
!
interface FastEthernet0/12
 no keepalive
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
 switchport mode trunk
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport access vlan 1000
 switchport mode access
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan1000
 ip address 172.19.1.20 255.255.254.0
 no ip route-cache
!
ip http server
!
line con 0
line vty 0 4
 password -1pqla,zMXKSOW)@
 transport input ssh
line vty 5 15
 password -1pqla,zMXKSOW)@
 transport input ssh
!
!
!
monitor session 1 source interface Fa0/1 - 12 rx
monitor session 1 destination interface Fa0/23
end
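The following audit script is an added example, not part of the NCCoE build or of Cisco's tooling. It parses an IOS running-config of the shape shown above and reports the weak settings a reviewer would flag in it (cleartext password storage, a redundant enable password, ip http server, VTY lines without transport input ssh or with a line password) and, for the aggregator's actual job, whether every tap port is covered by a SPAN source and a destination is set. The two embedded configs are constructed samples with placeholder credentials, and the assumption that FastEthernet0/1 through 0/12 are the tap feeds comes from the SPAN source range in the lab config, not from a statement in the guide.

```python
"""Audit an IOS running-config like the one above for a SPAN-based tap aggregator (added example)."""
import re

# Assumption: Fa0/1-12 are the tap feeds, inferred from the lab's SPAN source range.
TAP_PORTS = {f"Fa0/{i}" for i in range(1, 13)}

# Constructed samples modelled on the lab config; secrets and passwords are placeholders.
WEAK_CONFIG = """\
no service password-encryption
enable secret 5 $1$salt$PLACEHOLDERHASH
enable password PLACEHOLDER
ip ssh version 2
ip http server
!
line vty 0 4
 password PLACEHOLDER
 transport input ssh
!
monitor session 1 source interface Fa0/1 - 12 rx
monitor session 1 destination interface Fa0/23
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$PLACEHOLDERHASH
ip ssh version 2
no ip http server
!
line vty 0 4
 transport input ssh
!
monitor session 1 source interface Fa0/1 - 12 rx
monitor session 1 destination interface Fa0/23
"""

def parse_ios(text):
    """Split a config into global lines and {section header: [sub-commands]}.
    Sections start at 'interface ...' or 'line ...' and end at '!' or the next header."""
    glob, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines (e.g. from a double-spaced paste) are ignored
        if line == "!":
            current = None
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        elif current:
            sections[current].append(line)
        else:
            glob.append(line)
    return glob, sections

RANGE_RE = re.compile(r"^(?P<prefix>[A-Za-z]+\d+/)(?P<lo>\d+)(?:\s*-\s*(?P<hi>\d+))?$")

def expand_range(spec):
    """'Fa0/1 - 12' -> {'Fa0/1', ..., 'Fa0/12'}; 'Fa0/23' -> {'Fa0/23'}."""
    m = RANGE_RE.match(spec.strip())
    assert m, f"unrecognised interface spec: {spec!r}"
    lo, hi = int(m["lo"]), int(m["hi"] or m["lo"])
    return {f"{m['prefix']}{i}" for i in range(lo, hi + 1)}

SPAN_SRC_RE = re.compile(r"^monitor session \d+ source interface (.+?)(?: (?:rx|tx|both))?$")
SPAN_DST_RE = re.compile(r"^monitor session \d+ destination interface (\S+)$")

def span_config(glob):
    """Union of all SPAN source ports, and the destination port (None if unset)."""
    sources, dest = set(), None
    for line in glob:
        src, dst = SPAN_SRC_RE.match(line), SPAN_DST_RE.match(line)
        if src:
            sources |= expand_range(src.group(1))
        elif dst:
            dest = dst.group(1)
    return sources, dest

def audit(text, tap_ports=TAP_PORTS):
    """Return a list of findings; an empty list means every check passed."""
    glob, sections = parse_ios(text)
    findings = []
    if "no service password-encryption" in glob:
        findings.append("line/enable passwords are stored in cleartext (no service password-encryption)")
    if any(l.startswith("enable password ") for l in glob) and any(l.startswith("enable secret ") for l in glob):
        findings.append("enable password is set in addition to enable secret; remove the weaker enable password")
    if "ip http server" in glob:
        findings.append("ip http server is enabled; disable it unless the web UI is needed")
    if "ip ssh version 2" not in glob:
        findings.append("ip ssh version 2 is not set")
    for name, body in sections.items():
        if name.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{name}: transport input is not restricted to ssh")
            if any(l.startswith("password ") for l in body):
                findings.append(f"{name}: line password configured (cleartext or reversible type 7)")
    sources, dest = span_config(glob)
    missing = sorted(set(tap_ports) - sources)
    if missing:
        findings.append(f"tap ports not mirrored by any SPAN session: {missing}")
    if dest is None:
        findings.append("no SPAN destination interface configured")
    return findings
```

Run audit() on the text of show running-config; the weak sample yields four findings and the hardened sample none. The SPAN check is the one that matters for situational awareness: a tap port that is cabled but missing from the source range silently produces no data for the sensors downstream.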

2.2. Dragos Security CyberLens (E8, O10)

Dragos Security CyberLens software utilizes sensors placed within critical networks to identify assets and networks, building topologies and alerting on anomalies.

2.2.1. Dragos Security CyberLens Server (E8) Environment Setup

The system that was set up to run this application was a fully updated (as of 5/20/2016) Ubuntu 14.04 long-term support (LTS) operating system with the following hardware specifications:

  • 4-core processor
  • 8 gigabytes (GB) random access memory (RAM)
  • 40 GB hard disk drive (HDD)

Other Requirements:

  • Sudo or root privileges
  • CyberLens installer (cyberlens-<version>-linux-<architecture>-installer.run)
  • valid CyberLens license file

2.2.2. Dragos Security CyberLens Server (E8) Installation and Configuration Guide

  1. As root:
    1. ./cyberlens-<version>-linux-<architecture>-installer.run
    2. Accept the agreement and select Forward.
    3. Select Forward for a randomly generated password for root on the MySQL Server. A custom password can be specified if desired.
    4. Select Forward for a randomly generated password for CyberLens on the MySQL Server. As in the previous step, a custom password can be specified if desired.
    5. Select Forward to accept the installation configuration.
    6. Choose a Username, Password (and Confirm Password), and Email Address for the CyberLens login, then select Forward.
    7. Select Localhost Access Only (the files will be transferred across the Waterfall Security Gateway), then select Forward.
    8. Select Forward. Do not check the box for Block Outbound Traffic.
    9. Click the folder icon to select the CyberLens license file, then select Forward.
    10. Select Forward to begin installation.
  2. Configure:
    1. Open a browser and navigate to http://localhost/
    2. On the menu bar on the left, select Server Console.
    3. Click the drop-down arrow next to Options, and check the box for Use Sensor Files.
    4. Click Start to start the server.
  3. Set up file transfer protocol (FTP) for transferring files across the Waterfall Security Gateway:
    1. First, set up the user login. We used the username “waterfall.”
    2. adduser waterfall
    3. Specify password.
    4. Add additional information if desired.
    5. Type y to accept information.
    6. apt-get install vsftpd
    7. Edit /etc/vsftpd.conf
    8. Ensure anonymous_enable=NO
    9. Ensure local_enable=YES
    10. Set write_enable=YES
    11. service vsftpd restart
    12. ln -s /var/www/html/cyberlens/lib/file_link/ /home/waterfall/
  4. Ownership fix: files uploaded by the waterfall FTP user are owned by waterfall:waterfall, which CyberLens (running as www-data) cannot ingest. Use the following steps to change the owner to www-data:www-data automatically.
    1. sudo apt-get install incron (the Ubuntu package is named incron; it provides the incrontab command)
    2. sudo vi /etc/incron.allow
      1. Add root to the file, then save and exit.
    3. sudo incrontab -u root -e
      1. Add /var/www/html/cyberlens/lib/file_link IN_CREATE /bin/chown -R www-data:www-data /var/www/html/cyberlens/lib/file_link then save and exit.

New files created in the directory should now automatically change ownership and be ingested.
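The function below is an added example, not code from the NCCoE build or from vsftpd. It reconciles a vsftpd.conf with the three settings the procedure above requires (anonymous_enable=NO, local_enable=YES, write_enable=YES), treating a commented-out key as unset rather than as satisfied, and it adds one hardening step the guide does not mention: a vsftpd user list so that only the waterfall account can log in to the FTP service that fronts the ingest directory. The sample configuration is constructed, not copied from the lab server, and the user-list file path is vsftpd's default.

```python
"""Reconcile /etc/vsftpd.conf with the CyberLens ingest requirements (added example)."""

# The three settings from the procedure above, plus (beyond the guide) a user list
# that restricts FTP logins to the "waterfall" account. With userlist_deny=NO, only
# accounts listed in userlist_file may log in; that file must contain "waterfall".
REQUIRED = {
    "anonymous_enable": "NO",
    "local_enable": "YES",
    "write_enable": "YES",
    "userlist_enable": "YES",
    "userlist_deny": "NO",
    "userlist_file": "/etc/vsftpd.user_list",
}

# Constructed sample of a stock config: anonymous access on, local access only
# present as comments. Not the lab server's file.
SAMPLE_CONF = """\
listen=YES
anonymous_enable=YES
#local_enable=YES
#write_enable=YES
dirmessage_enable=YES
"""

def _active_setting(line):
    """Return (key, value) for an active key=value line, else None (vsftpd allows no spaces around '=')."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    key, _, value = stripped.partition("=")
    return key.strip(), value.strip()

def parse_conf(text):
    """{key: value} for active (uncommented) settings; a later duplicate wins, as in vsftpd."""
    settings = {}
    for line in text.splitlines():
        kv = _active_setting(line)
        if kv:
            settings[kv[0]] = kv[1]
    return settings

def drift(text, required=REQUIRED):
    """Sorted keys whose active value differs from the required one (unset counts as drift)."""
    current = parse_conf(text)
    return sorted(k for k, v in required.items() if current.get(k) != v)

def reconcile(text, required=REQUIRED):
    """Return (new_text, changes). Wrong active values are rewritten in place; keys that are
    absent, or present only as comments, are appended. Running it twice changes nothing."""
    out, changes, seen = [], [], set()
    for line in text.splitlines():
        kv = _active_setting(line)
        if kv and kv[0] in required:
            key, value = kv
            seen.add(key)
            if value != required[key]:
                changes.append(f"{key}: {value} -> {required[key]}")
                line = f"{key}={required[key]}"
        out.append(line)
    for key, value in required.items():
        if key not in seen:
            changes.append(f"{key}: (unset) -> {value}")
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n", changes

if __name__ == "__main__":
    new_text, changes = reconcile(SAMPLE_CONF)
    print("\n".join(changes) or "no changes")
    print(new_text)
```

Write the returned text back to /etc/vsftpd.conf, put the single line waterfall in /etc/vsftpd.user_list, and restart vsftpd as in the procedure; drift() gives a quick check that the file has not been changed since.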


2.2.3. Dragos Security CyberLens Sensor (O10) Installation Guide

For Dragos Security CyberLens Sensor, follow the steps in Section 2.2.1 and Section 2.2.2 for Dragos Security CyberLens Server. There is no need to fix the permissions error.

2.3. Hewlett Packard Enterprise (HPE) ArcSight (E12)

HPE ArcSight is used as a central security information and event management (SIEM) platform, collecting alerts from across the build and aggregating them in one central location. (Please note: HPE in this project is now Micro Focus Government Solutions, which acquired the suite of products and solutions used by the NCCoE in this build.)

2.3.1. HPE ArcSight (E12) Installation Guide

2.3.1.1. ArcSight Enterprise Security Manager (ESM) Manager Server Environment Setup

The following configuration satisfies the product’s requirements for its use in the situational awareness use case.

  1. The base operating system is CentOS 7. The following partition scheme was used for the installation.

Table 2-1 CentOS Partitioning Scheme for ArcSight ESM Manager Server

Name Size Type
/ 50 GB ext4
/boot 1 GB ext4
/home 22 GB ext4
/tmp 40 GB tmpfs
/opt 2126 GB ext4a
  1. It is recommended to use XFS for/opt in lieu of ext4.
  1. Ensure /tmp is larger than 3 GB; otherwise, ESM will fail to install.

  2. Ensure the installation of X Windows and “compatibility libraries” are installed as well; ESM requires them.

  3. Modification of user process limit may be required to ensure efficient thread usage:

    1. If there is not already a file /etc/security/limits.d/90-nproc.conf, create it (and the limits.d directory, if necessary).

    2. If the file already exists, delete all entries in the file.

    3. Add the following lines:

      * soft nproc 10240

      * hard nproc 10240

  4. Adjust networking items:

    1. Set internet protocol (IP) address to 10.100.1.150.

    2. Set Gateway to 10.100.0.1.

    3. Set Subnet mask to 255.255.0.0.

    4. Add DNS server in /etc/resolv.conf.

      10.97.74.8

    5. Add host name in /etc/hosts as follows (or add to DNS):

      10.100.1.150 arcsight.es-sa-b1.test arcsight

    6. Set host name in /etc/sysconfig/network.

    7. Set ONBOOT to yes in /etc/sysconfig/network-scripts/ifcfg-eth0.

  5. Ensure ports 8443, 9443, and 9000 are open on the server firewall (e.g., check via iptables -S or iptables -L -n). If needed, add the following (as root). Adjust the 0.0.0.0/0 source statements as needed, i.e., restrict them to the hosts that need to reach the manager rather than accepting from any address.

    iptables -I INPUT -p tcp --dport 8443 -s 0.0.0.0/0 -j ACCEPT
    
    iptables -I INPUT -p tcp --dport 9443 -s 0.0.0.0/0 -j ACCEPT
    
    iptables -I INPUT -p tcp --dport 9000 -s 0.0.0.0/0 -j ACCEPT
    

    If using a SuperConnector/Forwarder (e.g., to RSA Archer), add the following (adjust for user datagram protocol (UDP) or transmission control protocol (TCP) as needed):

    iptables -I OUTPUT -p tcp -d 0.0.0.0/0 --dport 514 -j ACCEPT

  6. Save the rules:

    /sbin/service iptables save

  7. Set SELinux to permissive mode (may set back to enforcing mode upon completion of installation).

  8. adduser arcsight

  9. mkdir /opt/arcsight/

  10. chown arcsight:arcsight /opt/arcsight/

  11. Modify files to imitate Red Hat Enterprise Linux (RHEL) 6.5 (for CentOS and newer Red Hat versions):

    1. Edit /etc/system-release so that it contains:

      CentOS release 6.5 (Final)

    2. Edit /etc/system-release-cpe so that it contains:

      cpe:/o:centos:linux:6:GA

  12. Ensure the time zone (tzdata) package is version 2014F or later. To install, use …

    rpm -Uvh tzdata

    or

    yum update

  13. Reboot.
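A preflight check for the prerequisites listed in this section, written as an added example (not part of the guide or of ArcSight): it parses the nproc lines from 90-nproc.conf and an `iptables -S INPUT` listing, compares them with the values above, and flags ACCEPT rules that still use an unrestricted source. The sample file contents are constructed, and the /tmp size is passed in as a byte count rather than read from the system.

```python
import re

# Constructed sample inputs modelled on the ESM prerequisites in Section 2.3.1.1
# (example code, not part of the guide).
SAMPLE_LIMITS_CONF = """\
* soft nproc 10240
* hard nproc 10240
"""

# Modelled on `iptables -S INPUT` output after the three ACCEPT rules are added;
# the 9000 rule has been narrowed to the lab subnet for contrast.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
-A INPUT -s 10.100.0.0/16 -p tcp -m tcp --dport 9000 -j ACCEPT
"""

REQUIRED_PORTS = (8443, 9443, 9000)
MIN_TMP_BYTES = 3 * 1024 ** 3      # ESM fails to install if /tmp is smaller
EXPECTED_NPROC = 10240


def nproc_limits(limits_text):
    """Return {"soft": n, "hard": n} from the wildcard-domain nproc lines."""
    found = {}
    for line in limits_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "*" and parts[2] == "nproc":
            found[parts[1]] = int(parts[3])
    return found


def accepted_tcp_ports(iptables_s_text):
    """Map destination port -> source restriction ("any" when no -s) for INPUT ACCEPT rules."""
    ports = {}
    for line in iptables_s_text.splitlines():
        if not line.startswith("-A INPUT ") or "-p tcp" not in line or "-j ACCEPT" not in line:
            continue
        dport = re.search(r"--dport (\d+)", line)
        if dport:
            src = re.search(r"-s (\S+)", line)
            ports[int(dport.group(1))] = src.group(1) if src else "any"
    return ports


def preflight(limits_text, iptables_s_text, tmp_bytes):
    """Return findings as strings; an empty list means the checked prerequisites are met."""
    findings = []
    limits = nproc_limits(limits_text)
    for kind in ("soft", "hard"):
        if limits.get(kind) != EXPECTED_NPROC:
            findings.append(f"nproc {kind} limit is {limits.get(kind)}, expected {EXPECTED_NPROC}")
    if tmp_bytes < MIN_TMP_BYTES:
        findings.append("/tmp is smaller than 3 GB; ESM will fail to install")
    ports = accepted_tcp_ports(iptables_s_text)
    for port in REQUIRED_PORTS:
        if port not in ports:
            findings.append(f"tcp/{port} is not accepted in the INPUT chain")
        elif ports[port] == "any":
            findings.append(f"tcp/{port} is accepted from any source; narrow the -s address")
    return findings
```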

2.3.2. ArcSight ESM Manager Server Operating System Installation

  1. Copy the ESM installation tar file (do not untar) to /home/arcsight/Desktop/ArcSight (create folder if it does not exist).

  2. Copy the ESM zipped license file (do not unzip) into the folder from the previous step.

  3. cd /home/arcsight/Desktop/ArcSight (su arcsight if not currently arcsight user)

  4. chown arcsight:arcsight <ESM Install File>

  5. tar xvf <ESM Install File>

  6. ./ArcSightESMSuite.bin -i console

    Note: Stop X Windows first if doing the installation with the -i console switch. This switch runs the installation from the command line rather than from a graphical user interface (GUI). The command line installation eases troubleshooting.

  7. As user “arcsight” run the configuration wizard:

    /opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft -i console
    
  8. Settings in the wizard:

    1. CORR-Engine (DB) password = __________
    2. System storage size = 301 GB
    3. Event storage size = 361 GB
    4. Online event archive size = 200 GB (~1/6 minus 10% of total space; system reserves 10% of space)
    5. Retention period (days) = 30
    6. Manager host name = arcsight.es-sa-b1.test
    7. Administrator username = admin
    8. Administrator password = __________
  9. As user “root” run the following to install the ArcSight services onto the operating system:

  10. Open a browser and navigate to ArcSight Command Center (https://arcsight.es-sa-b1.test:8443). Set the manager Java heap to 12288 (or another value based on available RAM).

2.3.3. ArcSight Console Environment Setup

  1. Microsoft Windows 7 64-bit with the following settings:
    1. 1 virtual central processing unit (vCPU)
    2. 4 GB RAM
    3. 150 GB storage
  2. The guest operating system (OS) IP information was set as follows:
    1. IP address: 10.100.1.149
    2. Gateway: 10.100.0.1
    3. Subnet mask: 255.255.0.0
    4. DNS: 10.97.74.8, 8.8.8.8, 8.8.4.4
  3. Installed virtual machine (VM) Tools on guest OS to resolve missing mouse cursor issue.
  4. Created OS user: arcsight, with password: __________

2.3.4. ArcSight Console Installation

  1. Download ArcSight Console installation file (for Windows).

  2. Run the ArcSight Console installation file.

  3. Add ArcSight Manager IP address to Windows OS host file (or add to DNS) at:

    C:\windows\system32\drivers\etc\hosts (edit this file as Administrator) by adding the following line:

    10.100.1.150 arcsight.es-sa-b1.test arcsight

  4. Open ArcSight Console.

  5. Log in to ArcSight Console with user: arcsight, password: __________, and in the Manager drop-down selection box type or select the server name: arcsight.es-sa-b1.test

  6. At certificate-related pop-up, click Accept.


2.3.4.1. ArcSight Connector Server Preparation
  1. CentOS 7 host with the following VM settings:

    1. 1 vCPU
    2. 12 GB RAM
    3. 140 GB provisioned
  2. Install CentOS using the following options:

    1. Server with GUI (X Windows libraries are required in accordance with the ArcSight guide)
    2. File and Storage (in case file-based log collection will be used)
    3. Compatibility libraries
    4. Development tools
  3. Set guest host name as follows: arcconn.es-sa-b1.test

  4. Install VM Tools on guest OS.

  5. Set guest OS IP information as follows:

    1. IP address: 10.100.1.148
    2. Gateway: 10.100.0.1
    3. Subnet mask: 255.255.0.0
    4. DNS: 10.97.74.8, 8.8.8.8
  6. Add host names in /etc/hosts as follows (or add to DNS):

    10.100.1.148 arcconn.es-sa-b1.test arcconn
    10.100.1.150 arcsight.es-sa-b1.test arcsight

  7. adduser arcsight

  8. mkdir /opt/arcsight/

  9. chown -R arcsight:arcsight /opt/arcsight/

  10. As user arcsight, mkdir /opt/arcsight/connectors/syslog1

  11. Ensure UDP port 514 is open inbound on server firewall and also that connector is allowed outbound on port 8443. For example: …

    1. As root:

      iptables -I INPUT -p udp --dport 514 -s 0.0.0.0/0 -j ACCEPT

      iptables -I OUTPUT -p tcp -d 0.0.0.0/0 --dport 8443 -j ACCEPT

    2. Save the rules:

      /sbin/service iptables save

  12. Disable the firewalld service (the saved iptables rules are used instead):

    systemctl disable firewalld

    systemctl mask firewalld

  13. Disable the OS native syslog service:

    systemctl disable rsyslog.service

2.4. ICS2 OnGuard (E5)

ICS2 OnGuard is used for behavioral analysis based on an extended model built from historical historian data. Using this model, OnGuard alerts on changes in historian activity that deviate from the original model.

2.4.1. Environment Setup

The following configuration matched requirements for the product relative to the use in the situational awareness build:

  • Microsoft Windows Server 2012 R2
  • VM with CPU Quad Core 2.199 gigahertz (GHz)
  • VM with 16,384 MB of memory
  • virtual hard disk
  • OSIsoft PI OLE DB Driver
  • ICS2_Installation_<version>.zip

2.4.2. Install Vendor Software

  1. Open and extract the provided ICS2_Installation_<version>.zip file.

  2. Open the ICS2 Installation folder created by extracting the .zip file.

  3. Right-click the ServerDeploy.PS1 file and select Run with PowerShell.

  4. Press Y to change the execution policy.

  5. Once the directory structure has been created, press Enter for the default PostgreSQL directory.


  6. Press Enter for the default SQLServer directory.

    The installer will install multiple products, including Google Chrome and Notepad++.

  7. When the DreamPie installer pops up, click Next.

  8. Select Install for anyone using this computer and click Next.

  9. Keep the default destination folder and click Install.

  10. When the installation is complete, click Next.

  11. Close the installer by clicking Finish.

  12. Once completed, PowerShell will close.

2.4.3. Install OnGuard System

  1. Open the Deploy OnGuard <version> folder.
  2. Double-click the DeployOnGuard Windows Batch File.
  3. Verify that ApplicationSettings.config, ConnectionStrings.config, and SpiderSettings.json have been created.
    1. If necessary, change the historian IP address (OSIsoft PI) in SpiderSettings.json to the appropriate IP address (the key is DataProviders.SqlConfig.ConnectionString).

Figure 2-1 OSIsoft PI Historian Connection

  4. In ApplicationSettings.config, verify that LogAlarmsToSyslog is True, SyslogTargetHost is set to the syslog server IP (10.100.0.50), and SyslogTargetPort is set to 514 (or whatever port syslog is listening on).

Figure 2-2 ApplicationSettings Syslog Configuration

  5. Open C:\OnGuardWebsite\log4net.config in Notepad++ and verify that the appender RemoteSyslogAppender has a remoteAddress value of the syslog server IP (10.100.0.50).

  6. Close Notepad++ and open Google Chrome to http://localhost/ for the login screen.

2.5. IXIA Full-Duplex Tap (O16)

The following is the installation for the IXIA TP-CU3 taps used in the lab.

Figure 2-3 IXIA TP-CU3 Network Tap

  1. Mount the tap to the rack.
  2. Utilize the supplied power cord to connect an outlet to the power jacks located on the rear of the tap.
  3. To connect to the network …
    1. Connect Network Port A to the Ethernet cable coming in from the control system network.
    2. Connect Network Port B to an Ethernet cable going out to the destination port of the original Ethernet cable used in the previous step.
    3. Verify that the link LEDs illuminate.
    4. Connect Monitor Port A to the monitoring port of the device used to monitor the ingress of Network Port A.
    5. Connect Monitor Port B to the monitoring port of the device used to monitor the ingress of Network Port B.
  4. The tap installation and setup are complete.

2.6. OSIsoft PI Historian (E4, O8)

OSIsoft PI Historian is the primary historian type utilized in the build. The two instances serve as the main mirror of the control systemʼs historian as well as a secondary historian located in the enterprise network. The secondary historian feeds the anomaly detection platform in the enterprise network.

For further information, visit http://www.osisoft.com/federal/.

2.6.1. OSIsoft PI Historian (E4) Installation Guide

The following are the installation and configuration steps for the OSIsoft PI Historian located within the enterprise network.

2.6.1.1. Environment Setup
  • Microsoft Windows Server 2012 R2
  • 2.2 GHz processor
  • 8 GB RAM
  • 250 GB storage
  • Structured Query Language (SQL) Server Express
2.6.1.2. Installation Instructions
  1. Create admin user in Windows: Piadmin
  2. Create admin user in Windows: Afadmin
  3. Create standard user in Windows: Piuser
  4. Create new folder C:\Download
  5. Install SQL Server 2014.
    1. Create instance:
      1. Name: PIAFSQL
      2. Instance ID: PIAF
    2. SQL Server Configuration Manager:
      1. Enable SQL Server Network Configuration -> Protocols for PIAFSQL -> {Shared Memory, Named Pipes, TCP/IP}
  6. Copy PI-AF-Server_2015-R2_ to C:\Download and self-extract setup (run as administrator).
    1. A reboot will be required.
    2. After reboot, the Microsoft Visual C++ 2013 install window will appear.

Figure 2-4 PI AF Server 2015 R2 Setup

  7. On the “Welcome to the PI AF Server 2015 R2 Installation” screen …
    1. Click Next.
    2. Click Next to select default install directory.
    3. Click Next for default features.
    4. Select Virtual User Account.
    5. Under SQL Server Connection, select <hostname>\PIAFSQL and click Next.
    6. Click Install.
  8. Open the Open Database Connectivity (ODBC) Data Sources (64-bit) tool.
    1. Under System DSN, click Add.
    2. Name: PIAFSQL
    3. Description: OSIsoft PI AF SQL
    4. Server: <hostname>\PIAFSQL

Figure 2-5 Create New Data Source for SQL

    5. Click Next.
    6. Click Next.
    7. Check the Change the default database to: and select PIFD.
    8. Click Next.
    9. Click Finish.
    10. Click Test Data Source…

Figure 2-6 Testing SQL Setup

  9. After a successful pass, click OK three times to close ODBC Data Sources.
  10. Open Microsoft SQL Server Management Studio (as Administrator).
    1. Ensure the settings are correct and click Connect.
    2. In the left tab, select <hostname>\PIAFSQL > Databases > PIFD > Tables and ensure tables are listed.
    3. Close Microsoft SQL Server Management Studio.
  11. Copy PISDK_2014_ and PISMT_2015_R2_ to C:\Download.
  12. Copy PI-AF-Client_2015-R2_ to C:\Download and run as administrator.
    1. Change the Extraction path to .\
    2. When the PI AF Client 2015 R2 installation screen starts up, click OK.
    3. In the Default Data server input, type piafsql and click Next.
    4. Click Next for the default PIHOME directory.
    5. Wait for the installation to finish and click Next.
    6. Select whether to participate in the Customer Experience Improvement and click Next.
    7. Click Next for default features, then click Install.
    8. Verify that the Service Status screen shows all services started successfully, and click Next.
    9. Click Close.
  13. Run PISDK_2014_ as administrator.
    1. Change the Extraction path to .\
    2. When the PI Software Development Kit installation screen starts up, click OK.

Figure 2-7 PI SDK Setup

    3. On the screen listing services that will be stopped, click OK.
    4. Verify that the Service Status screen shows all services started successfully, and click Next.
    5. Click Close.
  14. Run PISMT_2015_R2_ as administrator.
    1. Change the Extraction path to .\
    2. When the installation screen starts up, click Next twice.
    3. On User Information, change the Full Name field to PIadmin and fill in Organization.
    4. Click Next.
    5. Click Install.
    6. Click Close.
  15. Run the MSRuntimes and MSRuntimes_x64 applications to install the proper DLLs.
  16. Run OSIprerequisites-standalone_2.0.0.10_ as administrator.
    1. Click OK.
    2. Change Unzip folder to .\ and select Unzip.
    3. When completed, click Close.
  17. Run OSIprerequisites-Patch_2.1.1_
    1. Change Unzip folder to .\ and select Unzip.
    2. When completed, click Close.
  18. Reboot the machine.
  19. Create the following folders:
    1. C:\PI
    2. C:\PI\Bin
    3. C:\PI\Dat
    4. C:\PI\License
    5. C:\PI\Queue
    6. C:\PI\Archive
  20. Copy a generated license file into C:\PI\License and name it pilicense.dat.
  21. Copy PIServer_2012SP_x64_ to C:\Download.
  22. Run PIServer_2012SP_x64_ as Administrator.
    1. Change the Unzip folder to .\ and click Unzip.
    2. When the PI Server 2012 SP1 64-bit installation screen starts up, click OK.
    3. When it is showing what is installed, click Close.
    4. On the welcome screen, click Next.
    5. On licensing, click Browse and select C:\PI\License, then Next.
    6. Verify that the AF Server is the host name, then click Next.
    7. Ensure that No is selected for enabling PI Module Database, and click Next.
    8. For PI Server Binaries, click Browse and select C:\PI\Bin.
    9. For Event Queues, click Browse and select C:\PI\Dat.
    10. For Archives, click Browse and select C:\PI\Archive.
    11. Click Next.
    12. Click Next to start installation.
    13. When complete, click Close.
  23. Open PI System Management Tools.
    1. Under Servers on the left, select the piafsql server.
    2. Close PI System Management Tools.
  24. Reboot system.
  25. Copy C:\PI\Bin\admin\pisrvstart.bat and C:\PI\Bin\admin\pisrvstop.bat to the Desktop.
  26. Open PISDKUtility.
    1. Under Tools, select Add Server.

    1. Network Path/fully qualified domain name (FQDN): <hostname>
    2. Click OK.
  2. Under Default User Name for the new server, type piadmin.

  3. Under Connections, select Options.

    1. Set the Connection time-out to 30 seconds.

    2. For Default Server, select <hostname>.

    3. Ensure the Protocol Order is …

      1. PI Trust
      2. Default User
      3. Windows Security
    4. Click OK.

  4. Under Connections, select Aliases.

    1. Click Add…
    2. Under Alias, type the machineʼs IP Address.
    3. Click OK.
    4. Click Close.
  5. Click Save.

2.6.2. OSIsoft PI Historian (O8) Installation Guide

Follow the installation guide for OSIsoft PI Historian in Section 2.6.1.

2.7. OSIsoft Citect Interface (O13)

The OSIsoft Citect Interface creates a connection for the OSIsoft PI Historian to interface with the SCADA server for aggregating historian data.

2.7.1. OSIsoft Citect Interface (O13) Installation Guide

  1. Open the pipc.ini file located in C:\Windows (or the %windir% directory).

  2. The file should contain the following info. If the file does not exist, create it and add the following lines:

    [PIPC]
    
    PIHOME=C:\Program Files (x86)\PIPC
    
  3. Start the installation executable (Citect_#.#.#.#_.exe).

  4. This will install files in PIHOME\Interfaces\Citect\.

  5. Copy the following files from the Citect machineʼs Bin directory into the PIHOME\Interfaces\Citect\ directory.

    1. CtApi.dll
    2. Ct_ipc.dll
    3. CtEng32.dll
    4. CtRes32.dll
    5. CtUtil32.dll
    6. CiDebugHelp.dll
  6. To install the connector as a service, run PI_Citect.exe /install /auto /depend tcpip. Test the connection between the interface node and the Citect node by using the PI_CitectTest.exe connection tester.

  7. Run the interface configuration utility (ICU), and configure a new instance of this interface.

  8. Define digital states.

  9. Cit_Bad_Conn indicates communication problems with the Citect node.

  10. Build input tags and, if desired, output tags for this interface by using the point builder utility PICitect_PointBuilder.exe. Important point attributes and their purposes are:

    1. Location1 (interface instance ID):        1
    2. Location2 (input/output parameter):       0 (input)
    3. Location3 (not used):                     0
    4. Location4 (scan class):                   1
    5. Location5 (not used):                     0
    6. ExDesc (optional, event-driven scans):    -
    7. InstrumentTag:                            [Citect point name]
  11. Start the interface interactively, and confirm its successful connection to the PI Server without buffering.

  12. Confirm that the interface collects data successfully.

  13. Stop the interface, and configure a buffering application (either Bufserv or PIBufss). When configuring buffering, use the ICU menu item Tools > Buffering… > Buffering Settings to make a change to the default value (32678) for the Primary and Secondary Memory Buffer Size (Bytes) to 2000000. This will optimize the throughput for buffering and is recommended by OSIsoft.

  14. Start the buffering application and the interface. Confirm that the interface works together with the buffering application by stopping the PI Server.

  15. Configure the interface to run as an automatic service that depends on the PI Update Manager and PI Network Manager services.

  16. Restart the interface node, and confirm that the interface and the buffering application restart.

2.7.2. Configuration

The PI Interface Configuration Utility provides a graphical user interface for configuring PI interfaces. If the interface is configured by the PI ICU, the batch file of the interface (PI_Citect.bat) will be maintained by the PI ICU, and all configuration changes will be kept in that file and the module database. The procedure below describes the necessary steps for using PI ICU to configure the PI Citect interface.

  1. From the PI ICU menu, select Interface, then New Windows Interface Instance from EXE..., and then Browse to the PI_Citect.exe executable file. Then, enter values for Host PI System, Point Source, and Interface ID#. A window such as the following results:

Figure 2-8 Configure New Interface

  2. Interface name as displayed in the ICU (optional) will have PI- pre-pended to this name, and it will be the display name in the services menu.
  3. Click Add.
  4. Once the interface is added to PI ICU, near the top of the main PI ICU screen, the interface Type should be Citect. If not, use the drop-down box to change the interface Type to be Citect.
  5. Click on Apply to enable the PI ICU to manage this instance of the PI Citect interface.

Figure 2-9 ICU — General Configuration

  6. Because the start-up file of the PI Citect interface is maintained automatically by the PI ICU, use the Citect page to configure the start-up parameters, and do not make changes in the file manually.

Figure 2-10 ICU — Citect ICU Control

  7. Supply values for the fields in the Citect General tab as follows:
    1. Citect host machine — CITECT
    2. Citect username — administrator
    3. Citect password — <enter password here>
    4. Connection Delay — none (unchecked)
    5. Reconnect Rate — none (unchecked)
    6. Use PI API data to Send Data — (unchecked)
    7. Use Version 2 Implementation — (unchecked)
    8. Use Timestamp from Citect Server — (unchecked)
  8. Keep the defaults on the Citect Debug tab.
  9. To set up the interface as a Windows Service, use the Service page. This page allows configuration of the interface to run as a service as well as starting and stopping the interface service. Keep the default values, as shown below.

Figure 2-11 ICU — Windows Service Setup

  10. Because the PI Citect interface is a UniInt-based interface, the UniInt page allows the user to access UniInt features through the PI ICU and to make changes to the behavior of the interface.

Figure 2-12 ICU — UniInt Configuration

  11. Keep the default values, but check the following boxes:
    1. Include Point Source in the header log of messages
    2. Write status to tags on shutdown
  12. Uncheck the following box:
    Suppress initial outputs from PI

2.8. RS2 Technologies Access It! Universal.NET (E7)

RS2 Technologies Access It! Universal.NET pairs with the RS2 Door Controller to monitor access into the lab utilized in the build. The software then alerts the SIEM for any access into the facility, allowing the SIEM to correlate network events with physical access events.

2.8.1. Environment Setup

The following configuration matched requirements for the product relative to the use in the example solution:

  • Microsoft Windows Server 2012 R2
  • VM with CPU Quad Core 2.199 GHz
  • VM with 8,192 MB of memory
  • virtual hard disk containing 240 GB of storage
  • .NET Framework 3.5
2.8.1.1. Product Installation
  1. Start the provided AIUniversalNET51044CD.exe.
  2. Follow the prompts for installation:
    1. Select Stand-Alone/Server Installation.
    2. Select I do not have a SQL Server Installed.
    3. When prompted to install SQL Server 2008 R2 Express Edition, select Yes.
    4. Select Install Access It! Universal.NET.
    5. When prompted to install a Stand-Alone Server version of Access It! Universal.NET, select OK.
    6. Select Next >.
    7. Read the license agreement and select Next > if the terms of the agreement are agreeable.
    8. Use the default installation folder C:\Program Files (x86)\RS2 Technologies\Access It! Universal.NET\, then select Next >.
  3. When the installer is ready, select Next > to continue.
  4. Select Close to exit the installer.

2.8.2. Post-Installation and Configuration

Post-installation and configuration are partially dependent on installation and configuration of the RS2 Technologies Door Controller (O4). If that is not complete, please follow that guide first before attempting to complete the post-installation of Access It! Universal.NET (E7).

  1. Launch Access It! Universal.NET by selecting it from the Start menu.
  2. Log in with the default username Admin. Leave password blank.
2.8.2.1. Connecting Access It! Universal.NET
  1. Select Hardware under the Navigation pane, then select the Channels pane.
  2. Select the green + sign in the top left corner to create a new channel.
  3. For Channel Type, select IP server.
  4. Ensure Protocol Type is secure copy protocol (SCP).
  5. Ensure Channel Enabled is checked.
  6. Select Save.
  7. Select SCPs under the Navigation pane on the left.
  8. Select the green + sign in the top left corner to create a new SCP.
  9. Under the General tab …
    1. Select EP-1502 for Model.
    2. Ensure Device installed is checked.
    3. Set SCP time zone to the local time zone of the door controller.
  10. Under the Comm. tab …
    1. Ensure that the channel created in the previous steps is listed.
    2. Set the IP address to 10.100.2.150.
    3. Ensure the port number is set to 3001.
    4. Ensure the Encryption Settings is set to None.
  11. Select Save.
2.8.2.2. Enable TCP/IP for Local SQL 2008 R2 Express Edition Server
  1. Launch Microsoft SQL Server Configuration Manager.
  2. Expand SQL Server Network Configuration (32-bit).
  3. Select Protocols for AIUNIVERSAL.
  4. Right-click on TCP/IP, then select Properties.
  5. Select the IP Addresses tab.
  6. Under IP1, ensure that IP Address is set to 0.0.0.0, and TCP Port is set to 1433.
  7. Under IPALL, ensure that TCP Dynamic Ports is set to 52839, and TCP Port is set to 1433.
  8. Restart the SQL Server. Select SQL Server Services, then right-click on SQL Server (AIUNIVERSAL) and select Restart.

Figure 2-13 System Status


2.9. RS2 Technologies Door Controller (O4)

The RS2 Technologies Door Controller is the physical piece to the Access It! Universal.NET product. This piece connects to the door itself, alerting the software to any access to the location.

2.9.1. Hardware Installation

The following instructions detail the hardware installation for the door controller:

  1. The fully assembled and closed case:

Figure 2-14 RS2 Door Controller Case

  2. The interior modules:

Figure 2-15 Inside of RS2 Door Controller Case

  3. The battery is pictured in the lower right corner of the case. The smaller board (AC/DC inverter) is pictured below:

Figure 2-16 AC/DC Inverter

  4. The two cables to the left are for positive and neutral input from a low voltage AC power supply. The ground (green) cable from the AC power supply attaches to a grounding nut on the case (pictured in the previous figure).

    The black and red cables to the left of AC are the DC outputs. These supply power directly to the door controller EP-1502 board.

    The other two black and red wires, connected to a harness, sit in the BATTERY port of the smaller board. These provide a trickle charge to the battery, which can be used in the event of a power outage.

    The larger EP-1502 board is pictured below:

    Figure 2-17 EP-1502 Door Controller Board


  5. The white and black wires on the bottom center of the figure go into Door Contact 1 - IN1, and these connect to the physical door-monitoring devices.

  6. Power is supplied to the board via the bottom right corner posts, for 12 to 24 VDC (max 500 mA).

2.9.2. Connecting Hardware to Access It! Universal.NET

Conduct the following steps to connect the EP-1502 Door Controller Board to the Access It! Universal.NET software. The DIP switches referenced in these steps apply to those highlighted in yellow in the figure above.

  1. Ensure that DIP Switch DIP 2 is ON and 1, 3, and 4 are OFF.
  2. Power on the EP-1502.
  3. Manually configure a computer to 192.168.0.100.
  4. Using a crossover cable, connect the computer to the EP-1502 board.
  5. Open a web browser, and navigate to http://192.168.0.251.
  6. Set DIP Switch DIP 1 to ON.
  7. Select Click Here to Login.
  8. Select Continue to this website (not recommended).
  9. Log in with username admin and password password.
  10. Select Network on the left-hand menu.
  11. Select Use Static IP configuration.
    1. IP Address: 172.18.3.50
    2. Subnet Mask: 172.18.0.0/16
    3. Default Gateway: 172.18.0.1
  12. Click OK.
  13. Click Apply Setting.
  14. Click Apply, Reboot.
  15. Wait 60 seconds for the EP-1502 to reboot.
  16. Remove power from the EP-1502.
  17. Set all DIP switches to OFF.
  18. Remove the crossover cable, and connect to the network.
  19. Apply power to the EP-1502 and follow the instructions in Section 2.8.2, Post-Installation and Configuration.

2.10. Radiflow 3180 (O14)

Radiflowʼs 3180 is a secure, ruggedized router used to handle connections between the OSIsoft Citect Interface and the OSIsoft PI Historian. This device ensures that proper communication is allowed while stopping any traffic that is not required.

2.10.1. Radiflow 3180 (O14) Installation Guide

  1. Log in as the su user with the provided username and password.

  2. Enter the following commands:

    a. config terminal

    b. ip access-list extended 1001

    c. permit tcp host 172.16.2.170 eq 5450 host 172.18.2.150 eq 5450 priority 1

    d. exit

    e. interface fastethernet 0/1

    f. ip access-group 1001 in

    g. exit

    h. ip access-list extended 1002

    i. permit tcp host 172.16.2.150 eq 5450 host 172.18.2.170 eq 5450 priority 2

    j. exit

    k. interface fastethernet 0/2

    l. ip access-group 1002 in

    m. exit

    n. ip access-list extended 2001

    o. deny ip any any priority 51

    p. exit

    q. interface fastethernet 0/1

    r. ip access-group 2001 in

    s. exit

    t. ip access-list extended 2002

    u. deny ip any any priority 52

    v. exit

    w. interface fastethernet 0/2

    x. ip access-group 2002 in

    y. exit

    z. write start

    aa. reload
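To check what the access lists above actually let through before they are written to the router, here is an added example (not from the guide or from Radiflow): a small Python evaluator that parses the page's access-list commands, binds them to their interfaces and decides constructed sample flows. The first-match-by-ascending-priority semantics and the sample flows are assumptions of this model, not Radiflow documentation; the report also shows that, as written, the permit lines match only when both ends use port 5450, so a flow from an ephemeral source port falls through to the deny rule.

```python
from dataclasses import dataclass
from typing import Optional

# Access-list commands from Section 2.10.1, reproduced as the evaluator's input
# (constructed copy; the mode-change, "write start" and "reload" commands are omitted).
RADIFLOW_CONFIG = """
ip access-list extended 1001
permit tcp host 172.16.2.170 eq 5450 host 172.18.2.150 eq 5450 priority 1
interface fastethernet 0/1
ip access-group 1001 in
ip access-list extended 1002
permit tcp host 172.16.2.150 eq 5450 host 172.18.2.170 eq 5450 priority 2
interface fastethernet 0/2
ip access-group 1002 in
ip access-list extended 2001
deny ip any any priority 51
interface fastethernet 0/1
ip access-group 2001 in
ip access-list extended 2002
deny ip any any priority 52
interface fastethernet 0/2
ip access-group 2002 in
"""

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: Optional[str]    # None means "any"
    sport: Optional[int]  # None means any port
    dst: Optional[str]
    dport: Optional[int]
    priority: int         # lower number is consulted first (model assumption)

@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _endpoint(t, i):
    """Parse 'any' or 'host ADDR [eq PORT]' at t[i]; return (addr, port, next index)."""
    if t[i] == "any":
        return None, None, i + 1
    if t[i] != "host":
        raise ValueError("unsupported address form: " + t[i])
    addr, i, port = t[i + 1], i + 2, None
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return addr, port, i

def parse_config(text):
    """Return {interface: rules sorted by priority} for the inbound access-groups."""
    acls, bound, acl, iface = {}, {}, None, None
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            acl = t[3]
            acls.setdefault(acl, [])
        elif t and t[0] in ("permit", "deny"):
            src, sport, i = _endpoint(t, 2)
            dst, dport, i = _endpoint(t, i)
            prio = int(t[i + 1]) if i < len(t) and t[i] == "priority" else 0
            acls[acl].append(Rule(t[0], t[1], src, sport, dst, dport, prio))
        elif t[:1] == ["interface"]:
            iface = " ".join(t[1:])
        elif t[:2] == ["ip", "access-group"] and t[3] == "in":
            bound.setdefault(iface, []).append(t[2])
    return {ifc: sorted((r for n in names for r in acls[n]), key=lambda r: r.priority)
            for ifc, names in bound.items()}

def _matches(rule, flow):
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    pairs = ((rule.src, flow.src), (rule.sport, flow.sport),
             (rule.dst, flow.dst), (rule.dport, flow.dport))
    return all(want is None or want == have for want, have in pairs)

def evaluate(table, flow):
    """First match by ascending priority on the flow's interface decides; None if no rule matched."""
    for rule in table.get(flow.iface, []):
        if _matches(rule, flow):
            return rule.action
    return None

TABLE = parse_config(RADIFLOW_CONFIG)

def allow_list_report():
    """Constructed flows on fastethernet 0/1: the intended PI exchange and two that must not pass."""
    fe1 = "fastethernet 0/1"
    return {
        "pi_5450_both_ends": evaluate(TABLE, Flow(fe1, "tcp", "172.16.2.170", 5450, "172.18.2.150", 5450)),
        "pi_ephemeral_src_port": evaluate(TABLE, Flow(fe1, "tcp", "172.16.2.170", 49152, "172.18.2.150", 5450)),
        "other_service_port": evaluate(TABLE, Flow(fe1, "tcp", "172.16.2.170", 49153, "172.18.2.150", 80)),
    }
```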

2.11. Radiflow iSID (O11)

Radiflowʼs iSID product is a software industrial intrusion detection system that monitors for anomalies within the control systems network and builds a network topology model.

2.11.1. Environment Setup

Radiflow supplies an open virtual appliance (OVA) to be deployed to a virtualized environment, so environment setup should be minimal.

2.11.2. Product Installation

  1. After deploying the vendor-provided OVA on a virtualized platform, navigate to /home/radiflow/isid.
  2. Modify the server.conf file to reflect the IP address of the syslog server:

    rfids_remote_syslog_server=172.18.0.50

    poco_source_dir=/home/radiflow/tools/poco

  3. Run sudo ./build_install_all.sh stop start install config bridge.
  4. Open a web browser, and navigate to https://localhost/dashboard.

Figure 2-18 Radiflow iSID Web Dashboard

  5. Toggle the Learning switch on the left bar under Main Network.

    Allow learning to take place for 5 to 7 days.

  6. Toggle the Detection switch on the left bar under Main Network.

  7. Setup and configuration are now complete.

2.12. RSA Archer Security Operations Management (E13)

Governance, risk, and compliance (GRC) platforms allow an organization to link strategy and risk, adjusting strategy when risk changes, while remaining in compliance with laws, regulations, and security policies. RSA Archer Security Operations Management, based in part on the RSA Archer GRC platform, was used to perform the task of the Analysis Workflow Engine and Security Incident Response and Management.

For more information, visit …

2.12.1. System Requirements

This build installed a multihost RSA Archer GRC platform node on a VMware VM with the Microsoft Windows Server 2012R2 operating system to provide the Security Incident Response Management environment needed.

Note:

All components, features, and configurations presented in this guide reflect what we used based on vendors’ best practices and requirements. Please refer to vendors’ official documentation for complete instructions for other options.

2.12.2. Preinstallation

We chose the multihost deployment option for installing and configuring the GRC platform on multiple VMs under the Microsoft Windows Server 2012R2 Operating System. The web application and services run on one server, the instance database/Microsoft SQL Server runs on a second server, and the integration components for Security Incident Response run on a third server. Below are the preinstallation tasks that we performed prior to the RSA Archer installation:

  • Operating System: Windows Server 2012R2 Enterprise
  • Database: Microsoft SQL Server 2012 Enterprise (x64)

Follow Microsoftʼs installation guidelines and steps to install the SQL Server Database Engine and SQL Server Management tools. Refer to https://msdn.microsoft.com/en-us/library/bb500395(v=sql.110).aspx for additional details.

We used the following configuration settings during the installation and configuration process. We also created the required database instances and users for the RSA Archer installation. Test the database instances by using different users to verify the login permissions on all database instances and configuration databases to ensure that database owners have sufficient privileges and correct user mappings.

Table 2-2 RSA Archer Configuration Settings

  • Collation settings set to case insensitive for instance database: SQL_Latin1_general_CP1_CI_AS
  • SQL compatibility level set appropriately: SQL Server 2012 - 110
  • Locale set: English (United States)
  • Database server time zone: EST
  • Platform language: English
  • Create both the instance and configuration databases within a single SQL Server instance. For migration, create only the configuration database.
    • Database names: grc-content, grc-config
    • User Account set to Database Owner role: grc-content-archeruser, grc-config-archeruser
  • Recovery Model: Simple (configuration and instance databases)
  • Auto Shrink: False (configuration database)
  • Auto-Growth: Set it for (instance database)
  • Max Degree of Parallelism: 1 (configuration and instance databases)
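As an added example (not from the NIST guide or from RSA's documentation), the Table 2-2 settings applied as a single T-SQL script on SQL Server 2012, followed by the login-mapping check described above. The login passwords and the 256 MB auto-growth increment are placeholders, since the guide does not give them.

```sql
-- Added example: applies the Table 2-2 settings for the RSA Archer databases on
-- SQL Server 2012. Passwords and the auto-growth increment are constructed
-- placeholders; replace them before running this in a real environment.
USE master;
GO

-- Both databases live in one SQL Server instance with the case-insensitive
-- collation from Table 2-2. For a migration, create only grc-config.
CREATE DATABASE [grc-config]  COLLATE SQL_Latin1_General_CP1_CI_AS;
CREATE DATABASE [grc-content] COLLATE SQL_Latin1_General_CP1_CI_AS;
GO

-- Compatibility level 110 = SQL Server 2012.
ALTER DATABASE [grc-config]  SET COMPATIBILITY_LEVEL = 110;
ALTER DATABASE [grc-content] SET COMPATIBILITY_LEVEL = 110;

-- Recovery model Simple on both databases; Auto Shrink off on the
-- configuration database.
ALTER DATABASE [grc-config]  SET RECOVERY SIMPLE;
ALTER DATABASE [grc-content] SET RECOVERY SIMPLE;
ALTER DATABASE [grc-config]  SET AUTO_SHRINK OFF;

-- Auto-growth on the instance (content) database. The guide gives no
-- increment, so 256 MB is a constructed placeholder. CREATE DATABASE without
-- a file spec names the files <db> and <db>_log.
ALTER DATABASE [grc-content] MODIFY FILE (NAME = N'grc-content',     FILEGROWTH = 256MB);
ALTER DATABASE [grc-content] MODIFY FILE (NAME = N'grc-content_log', FILEGROWTH = 256MB);
GO

-- Max Degree of Parallelism = 1. On SQL Server 2012 this is an instance-wide
-- option (database-scoped MAXDOP only arrived in SQL Server 2016), so it
-- affects every database on the instance, not just the two Archer databases.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', 1;
RECONFIGURE;
GO

-- One SQL login per database, each mapped to db_owner in its own database only,
-- so the configuration login has no rights in the content database and vice
-- versa (least privilege between the two Archer databases).
CREATE LOGIN [grc-config-archeruser]
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
CREATE LOGIN [grc-content-archeruser]
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
GO

USE [grc-config];
CREATE USER [grc-config-archeruser] FOR LOGIN [grc-config-archeruser];
ALTER ROLE db_owner ADD MEMBER [grc-config-archeruser];
GO

USE [grc-content];
CREATE USER [grc-content-archeruser] FOR LOGIN [grc-content-archeruser];
ALTER ROLE db_owner ADD MEMBER [grc-content-archeruser];
GO

-- Verification, part 1: the database-level settings from Table 2-2.
USE master;
SELECT name, collation_name, compatibility_level,
       recovery_model_desc, is_auto_shrink_on
FROM sys.databases
WHERE name IN (N'grc-config', N'grc-content');
GO

-- Verification, part 2: db_owner membership in each database. Run once per
-- database; each should list exactly its own archeruser. Then log in as each
-- archeruser and confirm that only its own database is accessible.
USE [grc-config];
SELECT DB_NAME() AS database_name, m.name AS user_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE r.name = N'db_owner';
GO
```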

Web and Services

  • Microsoft Internet Information Services (IIS) 8
  • Microsoft .NET Framework 4.5

Use Server Manager for installing IIS and .NET Framework, referring to http://www.iis.net/learn/get-started/whats-new-in-iis-8/installing-iis-8-on-windows-server-2012 for detailed steps and corresponding screenshots.

First install IIS and then install the .NET Framework.

Table 2-3 below summarizes the required IIS components and .NET Framework features followed by the screenshots.

Table 2-3 IIS Components and .NET Framework

  • IIS
    • Common (http) Features: Default Document, Directory Browsing, http Errors, Static Content
    • Health and Diagnostics: http Logging
    • Application Development: .NET Extensibility 4.5, Active Server Pages (ASP) .NET 4.5, Internet Server Application Programming Interface (ISAPI) Extensions, ISAPI Filters
    • Security: Request Filtering
    • Management Tools: IIS Management Console
  • .NET Framework
    • .NET Framework 4.5 Features: .NET Framework 4.5, ASP.NET 4.5
    • WCF Services: http Activation, TCP Port Sharing

Figure 2-19 Web Server (IIS) Components Section

image27

Figure 2-20 .NET Framework 4.5 Features Selection

image28

Microsoft Office 2013 Filter Pack

Download it from Microsoft website http://www.microsoft.com/en-us/download/details.aspx?id=40229 and install it.

Java Runtime Environment (JRE) 8

Download and install JRE 8. Refer to http://www.oracle.com/technetwork/java/javase/install-windows-64-142952.html for details.

Note: All preinstallation software must be installed and configured before installing RSA Archer.

2.12.3. Installation

  1. Create folders C:\ArcherFiles\Indexes and C:\ArcherFiles\Logging (will be used later).

  2. Obtain/Download the installer package from RSA; extract the installation package.

  3. Run installer.

    1. Open installation folder; right-click on ArcherInstall.exe.

    2. Select Run as Administrator.

    3. Click OK to run the installer.

    4. Follow the prompts from the installer for each step, set the value, and click Next.

    5. Select all components (Web Application, Services, Instance Database) for installation, then click Next.

    6. Specify the X.509 certificate by selecting it from the checklist (create a new cert or use an existing cert). We created a new cert.

    7. Set the Configuration Database options with the following properties:

      SQL Server: <ip address of SQL Server>

      Login Name: ######

      Password: ######

      Database: grc-config (This is the configuration database we created during the preinstallation process.)

    8. Set the Configuration Web Application options with the following properties:

      Website: Default Website

      Destination Directory: Select Install in an IIS application option with RSAarcher as the value

    9. Set Configuration of the Service Credentials.

      Select Use the Local System Account to Run All from the checklist.

    10. Set the Services and Application Files paths with the following properties:

      1. Services: use the default value C:\Program Files\RSA Archer\Services\.
      2. Application Files: use the default value C:\Program Files\RSA Archer\.
    11. Set the Log File Path to C:\ArcherFiles\Logging.

    12. Perform the installation by clicking Install, wait for the installer to complete installing all components, then click Finish. The RSA Archer Control Panel opens.

2.12.4. Post-Installation

2.12.4.1. Configure the Installation Settings

Verify and set the configurations for the following by clicking on RSA Archer Control Panel > Installation Settings, then select corresponding sections:

  1. Logging Section
    1. Path: C:\ArcherFiles\Logging
    2. Level: Error
  2. Locale and Time Zone Section
    1. Locale: English (United States)
    2. Time Zone: (UTC-05:00) Eastern Time (US & Canada)
  3. On the Toolbar, click Save.
  4. Create the Default GRC Platform Instance.
    1. Start the RSA Archer Queuing Service by doing the following steps:
      1. Go to Start.
      2. Open Server Manager.
      3. Locate RSA Archer Queuing in the list under the SERVICES section.
      4. Right-click RSA Archer Queuing, and click Start.
    2. Add a new instance by doing the following steps:
      1. Open the RSA Archer Control Panel.
      2. In Instance Management, double-click Add New Instance.
      3. Enter SituationalAwareness as the Instance Name, then click Go.
      4. Complete the properties as needed.
    3. Configure the Database Connection Properties by doing the following steps:
      1. Open the RSA Archer Control Panel.
      2. In the Database tab, go to the Connection Properties section.
      3. In Instance Management, double-click the SituationalAwareness instance.
    4. In the Database tab, set up the following:
      1. SQL Server: <ip address of SQL Server>
      2. Login name: xxxxxx
      3. Password: xxxxxx
      4. Database: grc-content
  5. Click on the Test Connection link to make sure the Success message appears.
  6. Configure the General Properties by doing the following steps:
    1. Open RSA Archer Control Panel.
    2. Go to Instance Management.
    3. Under All Instances, click on SituationalAwareness.
    4. In the General tab, set up the following:
      1. File Repository section — Path C:\ArcherFiles\Indexes.
      2. Search Index section — Content Indexing: Check on Index design language only; Path: C:\ArcherFiles\Indexes\SituationalAwareness
  7. Configure the Web Properties by doing the following steps:
    1. Open the RSA Archer Control Panel.
    2. Go to Instance Management.
    3. Under All Instances, click on SituationalAwareness.
    4. In the Web tab, set up the following:
      1. Base uniform resource locator (URL): http://localhost/RSAArcher/
      2. Authentication URL: default.aspx
  8. Change SysAdmin and Service Account passwords by doing the following steps:
    1. Open the RSA Archer Control Panel.
    2. Go to Instance Management.
    3. Under All Instances, click on SituationalAwareness.
    4. Select the Accounts tab.
    5. Change the password on the page by using a strong password.
    6. Complete the Default GRC Platform Instance Creation by clicking Save on the toolbar.
  9. Register the Instance by doing the following steps:
    1. Open the RSA Archer Control Panel.
    2. Go to Instance Management.
    3. Under All Instances, right-click on SituationalAwareness.
    4. Select Update Licensing, enter the following information, then click on Active:
      1. Serial Number (obtained from RSA)
      2. Contact Info (First Name, Last Name, Company, etc.)
      3. Activation Method (select Automated)
  10. Activate the Archer Instance by doing the following steps:
    1. Start the RSA Archer Services.
    2. On Server Manager, go to Local Services or All Services.
    3. Locate the following services, right-click on each service, and click Start.
      1. RSA Archer Configuration
      2. RSA Archer Job Engine
      3. RSA Archer Lightweight Directory Access Protocol (LDAP) Synchronization
    4. Restart the RSA Archer Queuing Service.
      1. Open Server Manager.
      2. Go to Local Services or All Services.
      3. Locate the RSA Archer Queuing.
      4. Right-click on RSA Archer Queuing, and click Restart.
    5. Rebuild the Archer Search Index.
      1. Open RSA Archer Control Panel.
      2. Go to Instance Management.
      3. Under All Instances, right-click on SituationalAwareness, then click on Rebuild Search Index.
  11. Configure and activate the Web Role (IIS).
    1. Set up Application Pools as shown in the screenshot.
      1. Open Server Manager.
      2. Navigate to Tools > IIS Manager > Application Pools (in the left side bar).
      3. Right-click to add applications (.NET, ArcherGRC, etc.); example screenshot is below.

Figure 2-21 Application Pools

image29

    2. Restart IIS.
    3. Verify that RSA Archer GRC is accessible by opening a browser and inserting the Base and Authentication URL from the Web tab of the RSA Archer Control Panel. The RSA Archer GRC Login screen appears as shown below.

Figure 2-22 RSA Archer User Login

image30

    4. Log in to the SituationalAwareness Instance.

Figure 2-23 Security Operations Management Tab

image31

2.12.5. Configuration of ArcSight ESM to RSA Archer Security Operations Management

After a base installation of RSA Archer and the associated RSA Archer Security Operations Management functionality, an additional configuration is required to connect the Security Incident Response use case to external data providers, such as ArcSight ESM. In this environment, this required an installation and configuration of the RSA Archer Unified Collector Framework on the third Windows Server in the Archer multihost setup. For full details, please consult the installation and configuration guide for the RSA Collector Framework.

  1. Create a user within the RSA Archer framework for Collector Framework Web Services access. For testing, this user was granted appropriate privileges to read and write data for Security Alert Data originating from ArcSight.
  2. Execute Archer Unified Collector Framework installer. When prompted, provide the Archer Collector Framework Web Services username and password created in step 1.
  3. When prompted, follow the instructions for importing the Data Feed for the Unified Collector Framework (UCF).

2.12.6. Additional ArcSight Integration Configuration

Additional details for the ArcSight installation can be found in the RSA Archer Security Operations Management Implementation Guide from RSA. Below are the steps that were followed specifically for this environment to enable the connection to ArcSight.

  1. Create ArcSight Forwarding Connector User.

    1. From ArcSight ESM Console:
      1. Create a new group under custom user groups and name as follows: FwdConnector
      2. Create a new user under that group and name as follows: FwdConnectorUser
      3. Set the user type to Forwarding Connector.
      4. For additional detail, see pages 7 – 9 of FwdConn_ConfigGuide_7.0.7.7286.0.pdf.
  2. Install SuperConnector (also known as Forwarding Connector).

    1. From the ArcSight ESM Manager command line

      1. su to the arcsight user.

      2. Find the install file ArcSight-7.0.7.7286.0-Superconnector.bin, and run the following command (to allow the installation to execute):

        chmod +x ArcSight-7.0.7.7286.0-Superconnector.bin

      3. Make a folder for the connector:

        e.g., mkdir /opt/arcsight/superconnector

      4. As arcsight user, execute the installation file:

        ./ArcSight-7.0.7.7286.0-Superconnector.bin

      5. Choose to install to the folder that was just made:

        e.g., /opt/arcsight/superconnector

      6. Accept defaults.

      7. Choose Don’t Create Links.

      8. Install.

      9. Next.

      10. Enter the ArcSight ESM Manager name: [hostname]

      11. Enter the ArcSight ESM Manager port: 8443

      12. Enter the name of the user that was just created: FwdConnectorUser

      13. Enter the ArcSight Manager password: __ ____

      14. Import the manager certificate.

      15. Select CEF Syslog.

      16. Enter the IP address of the RSA Archer UCF IP, Port: 514, TCP (not UDP)

      17. Select Next twice, Exit, Done.

      18. As user root, install the service as follows:

        /opt/arcsight/superconnector/current/bin/arcsight agentsvc -i -u arcsight

      19. Start the service as follows:

        /etc/init.d/arc_superagent_ng start

Note: If another forwarding destination needs to be added, see page 32 of FwdConn_ConfigGuide_7.0.7.7286.0.pdf.

2.12.7. Sample Use Case Demonstration

For the use of the Security Incident Response use case and integration with ArcSight, the following sample use case was simulated:

  1. Event 1

    An individual enters a substation, an event that is detected by a door controller. This door reader is able to log its data to a SIEM, such as ArcSight, including identifying information (such as a badge ID or user).

  2. Event 2

    A new device appears on the substation network, detected by a tool (for example, CyberLens). This data is reported via a log event to a SIEM such as ArcSight.

  3. Action 1

    An Alert/Correlation Rule appropriate for these events fires in ArcSight, triggering message delivery to RSA Archer Security Incident Response for review and possible action.
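As an added example (not part of the NIST guide and not an ArcSight rule), the badged-entry-plus-new-device correlation from the sample use case expressed as a T-SQL query over normalized SIEM events. It goes one step beyond the narrative by also flagging a new device with no preceding badged entry; the table layout, substation names, badge IDs, MAC addresses and the 30-minute window are constructed for illustration.

```sql
-- Added example: the "Action 1" correlation over constructed SIEM event rows.
-- Everything below (schema, identifiers, time window) is illustrative only.
CREATE TABLE #siem_events (
    event_time  DATETIME2(0) NOT NULL,
    event_type  NVARCHAR(32) NOT NULL,  -- 'badge_entry' or 'new_device'
    substation  NVARCHAR(32) NOT NULL,
    subject     NVARCHAR(64) NOT NULL,  -- badge ID or device MAC address
    source_tool NVARCHAR(32) NOT NULL   -- 'door_controller' or 'CyberLens'
);

-- Constructed sample data. SUB-A shows the use-case pattern (Event 1 followed
-- by Event 2). SUB-B shows a device appearing with no badged entry at all.
INSERT INTO #siem_events VALUES
 ('2019-08-01 09:02:00', 'badge_entry', 'SUB-A', 'BADGE-1042',        'door_controller'),
 ('2019-08-01 09:11:00', 'new_device',  'SUB-A', '00:11:22:33:44:55', 'CyberLens'),
 ('2019-08-01 14:30:00', 'badge_entry', 'SUB-A', 'BADGE-0071',        'door_controller'),
 ('2019-08-02 03:45:00', 'new_device',  'SUB-B', '66:77:88:99:AA:BB', 'CyberLens');

-- For every new-device event, look back 30 minutes (constructed tuning value)
-- for the most recent badged entry at the same substation. OUTER APPLY keeps
-- devices with no matching entry so they can be escalated rather than dropped.
SELECT nd.event_time AS device_seen,
       nd.substation,
       nd.subject    AS device_mac,
       be.subject    AS badge_id,
       be.event_time AS entry_time,
       CASE WHEN be.subject IS NULL
            THEN 'new device with no badged entry: escalate'
            ELSE 'new device after badged entry: review'
       END           AS archer_alert
FROM #siem_events AS nd
OUTER APPLY (
    SELECT TOP (1) e.subject, e.event_time
    FROM #siem_events AS e
    WHERE e.event_type = 'badge_entry'
      AND e.substation = nd.substation
      AND e.event_time BETWEEN DATEADD(MINUTE, -30, nd.event_time) AND nd.event_time
    ORDER BY e.event_time DESC
) AS be
WHERE nd.event_type = 'new_device'
ORDER BY nd.event_time;

DROP TABLE #siem_events;
```

On the sample rows the query returns two alerts: the SUB-A device paired with BADGE-1042 (marked for review) and the SUB-B device with no badge (marked for escalation).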

Below are screenshots and narratives of this sample use case within the RSA Archer Security Operations Management Use Case.

  1. User is logged into the Archer Interface and is examining the Security Alerts that have been delivered for review.

Figure 2-24 Multiple Security Alerts within the RSA Archer Console

image32

Figure 2-25 Sample Message from ArcSight, Showing Raw Log Message/Alert and Parsing with Normalization

image33

Figure 2-26 Sample Message Showing Alert Indicating New Device Detected at Substation

image34

Figure 2-27 Sample Message Showing an Alert Indicating Badged Entry Detected at Substation

image35

  2. Based on rule or physical examination, these alerts are deemed Incident Investigation material and instantiate a full Incident Response Workflow.

Figure 2-28 New Incident Response Workflow Record Started, Documented with Title, Summary, Details

image36

Figure 2-29 Incident Record Alerts Tab, Showing the Association of Two Events Attached to This Incident Response Investigation Record

image37

  3. Based on incident type, the appropriate Incident Response Procedure(s) and related tasks are assigned to the record for completion. This directly represents the defined policy and procedure(s) outlined and maintained by an organizationʼs security policy program and response.

Figure 2-30 Incident Response Procedure with Two Related Tasks Assigned to the Incident Response Record

image38

Figure 2-31 Incident Response Tasks with Status, Details, and Completion Status

image39

2.13. Schneider Electric Tofino Firewall (O3, O18, O20)

Schneider Electric Tofino Firewalls are used in multiple points throughout the build, supplying the necessary protection for network devices, including the door controller, the TDi ConsoleWorks operations management instance, and the connection between the OSIsoft Citect connector and the SCADA server.

2.13.1. Schneider Electric Tofino Firewall (O3) Installation Guide

  1. Log in to the web interface:
    1. Open a browser and navigate to the IP address assigned to device.
    2. Enter the username admin and password private.
  2. For Login-Type, select Administration, then select OK.
  3. From the menu on the left, select Network Security -> Packet Filter -> Incoming IP Packets. This is where the firewall rules will be created.
  4. Click the Create button on the bottom of the main window.
  5. Fill in the text fields for Description, Source IP (CIDR), Source Port, Destination IP (CIDR), Destination Port, Protocol, Action Log, and Error according to the rules needed for incoming packets.

Figure 2-32 Incoming Packet Configuration

image40

  6. From the menu on the left, select Network Security -> Packet Filter -> Outgoing IP Packets.
  7. Follow the previous steps to create outgoing firewall rules.

Figure 2-33 Outgoing Packet Configuration

image41

  8. If necessary, configure the interface IP addresses from the menu on the left by selecting Basics -> Network -> Transparent Mode.

2.13.2. Schneider Electric Tofino Firewall (O18) Installation Guide

Install and Configure the Schneider Tofino Firewall:

  1. Download the ConneXium software from the Schneider site as stated in the instructions accompanying the firewall, then start the ConneXium Tofino Configurator.
  2. In the start-up screen, click Create New Project…

Figure 2-34 Create New Project

image42

  3. Enter the name for the project in the Project name field, the company name in the Company field, then click Next.
  4. In the Project Protection screen, choose a password to protect the project, then click Next.

Figure 2-35 Administrator Password

image43

  5. In the Administrator Password screen, choose the administrator password, then click Finish.
  6. In the Project Explorer window, right-click Tofino SAs, and select New Tofino SA. A folder can also be created for the SAs to help organize multiple areas.

Figure 2-36 Project Explorer Window

image44

  7. In the Tofino ID field, enter the MAC address listed on the firewall hardware sticker. Fill out the rest of the fields as necessary, then click Finish.

Figure 2-37 Tofino SA/MAC Address

image45

Figure 2-38 Project Explorer

image46

  8. Right-click on the Assets icon in the Project Explorer frame, then click New Asset.
  9. In the New Asset window, set the name and type of the device and all other fields as necessary, then click Next.

Figure 2-39 New Asset

image47

  10. Fill in the IP address and/or the MAC address fields, then click Finish.
  11. Repeat for all devices on the network. When they are configured, click on the Assets icon in the Project Explorer frame (if it is not already selected). There should be a list of all configured assets.
  12. Under the Project Explorer frame, click the drop-down arrow next to Tofino SAs, then choose the SA created earlier. From there, click Firewall in the Project Explorer frame to display current firewall rules. This should currently be empty.

Figure 2-40 Project Explorer Tofino SA Icon

image48

  13. To create the first rule, click the + Create Rule button above the Tofino SA-Firewall title. Then, ensure the Standard rule radio button is selected, and click Next.

  14. On the next screen, choose the interface for Asset 1. This is where traffic originates before going into the device.

    Select a source asset and a destination asset from the radio buttons below. Set the direction of the traffic by using the arrow buttons in the middle. When finished, select Next.

  15. In the Asset Rule Profiles window, select the Manually create the firewall rules for the selected assets radio button, then click Next.

Figure 2-41 Asset Rule Profiles

image49

  16. On the Protocol screen, choose the protocol to be checked against. Then choose the Permission on the right side of the screen, as well as whether to log, then click Finish.
  17. After these steps are completed, the firewall rule should be listed in the Rule Table.
  18. Repeat the steps for the remainder of the rules needed.
  19. Finally, click the Save button on the menu bar.
  20. Place a FAT/FAT32 formatted Universal Serial Bus (USB) device into the computer running the ConneXium Tofino Configurator, then right-click Tofino SAs in the Project Explorer pane and select Apply. If the project asks that it be saved, click OK.

Figure 2-42 Apply Configuration Pane

image50

  21. In the Apply Configuration pane, ensure that the appropriate SA is selected in the table at the top and that the USB Drive radio button is selected. Browse to the top-level directory of the USB drive, then click Finish.
  22. A pop-up will announce successful completion.
  23. Ensure that the firewall has been powered on and has been running for at least one minute, then plug the USB device used to copy the Tofino configuration into the USB port on the back of the firewall.
  24. Press the Save/Load/Reset button twice, setting it to the Load setting. (Pressing once should turn the indicator light green; pressing it again will change it from green to amber.) After a few seconds, the device will begin displaying lights that move from right to left across the LEDs on the back, indicating the configuration is being loaded.
  25. Once the lights stop moving right to left, wait a few seconds to ensure that the Fault LED does not light up. Then remove the USB drive and place it back into the computer running the ConneXium Tofino Configurator software.
  26. Right-click Tofino SAs in the Project Explorer pane and select Verify.
  27. At the Verify Loaded Configuration window, select the Tofino SA in the table, and select the USB Drive radio button. Then select the USB drive by using the Browse button. Finally, click Finish.
  28. A pop-up will announce successful verification, and configuration is complete.

2.13.3. Schneider Electric Tofino Firewall (O20) Installation Guide

Refer to the guide in Section 2.13.2 on installing the Schneider Electric Tofino Firewall (O18).

2.14. Siemens RUGGEDCOM CROSSBOW (E9)

Siemens RUGGEDCOM CROSSBOW is a platform that allows remote connections and controls from the enterprise side of the lab to the control systems network lab. The product does require the Waterfall Secure Bypass to be in the closed position; however, CROSSBOW also monitors the IXIA Network TAP aggregator Cisco switch for any configuration changes, which then prompt an alert to the centralized SIEM.

2.14.1. Environment Setup

  • Microsoft Windows Server 2012 (64-bit)
  • 4 GB RAM
  • 4 cores
  • 200 GB HDD
  • Software:
    • Microsoft SQL Server 2012 (version 11.0.2100.60)

2.14.2. Installation Procedure

The following sections detail the installation procedure for the Siemens RUGGEDCOM CROSSBOW used in the build.

2.14.2.1. Installing CROSSBOW Database

  1. On the RUGGEDCOM CROSSBOW Server, extract the contents of SQLScripts.zip to the RUGGEDCOM CROSSBOW install directory (e.g. C:\Program Files\RuggedCom\CrossBow).
  2. On a Microsoft SQL Server, launch SQL Server Management Studio, and connect to the SQL Server as a System Administrator (SA) or administrator.
  3. In Object Explorer, expand the SQL Server.
  4. Right-click Databases, and then click New Database. The New Database screen will appear.
  5. In the Database name field, type the name of the new database (e.g. CROSSBOW).
  6. Click the … button; the Select Database Owner dialogue box will appear.
  7. Select a user to be the RUGGEDCOM CROSSBOW database owner in the SQL Server. This grants the RUGGEDCOM CROSSBOW Server full access to the RUGGEDCOM CROSSBOW database.
  8. If the desired account is unavailable, add a Windows domain user account for authenticating against the database. This account must be added to the database as an authorized user.
  9. Click OK.
  10. Optional: Further configure the database (such as the recovery model) as required based on the chosen database backup strategy. For more information, contact the local Database Administrator (if available) or visit the Microsoft Developer Network website (https://msdn.microsoft.com/en-us/library/bb545450).
  11. Click OK.
  12. In Object Explorer, expand the Security folder, followed by Logins.
  13. Right-click the desired Windows domain account, and then click Properties. The Login Properties dialogue box will appear.
  14. Under Default database, select the CROSSBOW database, then click OK.
  15. Execute the following scripts in order:
    1. Crossbow_db_create.sql
    2. Crossbow_db_functions.sql
    3. Crossbow_db_initial_data.sql
    4. Crossbow_db_scripts.sql
    5. Crossbow_db_client_queries.sql

2.14.2.2. Installing CROSSBOW Server and Services

  1. Contact Siemens Customer Support, and obtain a compressed zip file containing the latest CROSSBOW Server installer for RUGGEDCOM CROSSBOW v4.4.
  2. Open the compressed zip file, and double-click Server Strong Setup.msi. The CROSSBOW Server with Strong Authentication Setup installation wizard will appear.
  3. Follow the onscreen instructions to install CROSSBOW Server.

2.14.2.3. Configuring Server Host Connection

  1. Access the RUGGEDCOM CROSSBOW Server, and launch CROSSBOW Server.
  2. Make sure the CROSSBOW Main Server service is stopped.
  3. Under CrossBow Main Server, click Configure. The CrossBow Server Configuration dialogue box will appear.

Figure 2-43 CrossBow Server Configuration

image51

  1. OK Button
  2. Cancel Button
  3. Server Port Box
  4. Allow Transport Layer Security 1.0 Connections Check Box
  5. Client Connection Timeout Box
  6. Device Session Timeout Box
  7. Disable Check Box
  4. On the Primary Configuration tab, under Connection Configuration, type the TCP port number that the CROSSBOW Client application will use to connect to the CROSSBOW Server in the Server Port field. The default port number is 21000 but can be changed as needed.
  5. In the Client Connection Timeout field, type or select the maximum amount of time (in minutes) for the server to wait before disconnecting an inactive client. To disable this feature, select Disable.
  6. In the Device Session Timeout field, type or select the maximum amount of time (in minutes) for the server to wait before disconnecting an inactive remote device. To disable this feature, select Disable.
  7. Click OK to save changes.
  8. Start the CROSSBOW Main Server service.

2.14.2.4. Installing a License File

  1. Access the RUGGEDCOM CROSSBOW Server, and launch CROSSBOW Server.
  2. Make sure the CROSSBOW Main Server service is stopped.
  3. Under CrossBow Main Server, click Configure. The CrossBow Server Configuration dialogue box will appear.

Figure 2-44 CrossBow Server Configuration

image52

  1. License File Box
  2. OK Button
  3. Cancel Button
  4. Install Button
  4. On the Primary Configuration tab, under License Configuration, either type the name of the license file (including the system path) or click Install and select the desired file.
  5. Click OK to save changes.
  6. Start the CROSSBOW Main Server service.

2.14.2.5. Selecting/Installing the CROSSBOW Server Certificate

  1. Access the RUGGEDCOM CROSSBOW Server, and launch CROSSBOW Server.
  2. Make sure the CROSSBOW Main Server service is stopped.
  3. Under CrossBow Main Server, click Configure. The CrossBow Server Configuration dialogue box will appear.

Figure 2-45 CrossBow Server Configuration

image53

  1. OK Button
  2. Cancel Button
  3. Certificate Store Type List
  4. Certificate Store Name Box
  5. Certificate Subject Box
  6. Browse Button
  4. On the Primary Configuration tab, under Server Certificate Configuration, click Browse. The Select Server Certificate dialogue box will appear.
  5. Click Import. A confirmation dialogue box will appear.
  6. Click Yes. A confirmation dialogue box will appear, as well as the Microsoft Management Console (MMC) snap-in.

Figure 2-46 MMC Snap-In

image54

  7. Expand Certificates (Local Computer).
  8. Right-click either Personal or Trusted Root Certification Authorities, point to All Tasks, then click Import. The Certificate Import Wizard will appear.
  9. Follow the onscreen instructions to import the certificate.
  10. Close the Microsoft Management Console snap-in.
  11. Once the certificate is imported, click OK to close the dialogue box.
  12. On the Select Server Certificate dialogue box, select the certificate from the list, and click OK. The certificate name appears in the Certificate Subject field.
  13. Click OK to save changes.
  14. Start the CROSSBOW Main Server service.

2.14.2.6. Verifying/Installing the CROSSBOW Client Certification Authority (CA) Certificate

  1. Launch CROSSBOW Client, but do not connect to the RUGGEDCOM CROSSBOW Server.
  2. On the toolbar, click File, then click Preferences. The Preferences dialogue box will appear.

Figure 2-47 Preferences Dialogue Box

image55

  1. OK Button
  2. Cancel Button
  3. Install Certificates Button
  3. Click Install Certificates. The CxBClientOnlyCerts snap-in will appear.

Figure 2-48 CxBClientOnlyCerts Snap-In

image56

  4. In the left pane, navigate to Certificates - Current User -> Trusted Root Certification Authorities -> Certificates.
  5. Verify the appropriate CA certificate is listed in the right pane.
  6. If the certificate is not listed, proceed to the next step.
  7. Right-click Trusted Root Certification Authorities, point to All Tasks, then click Import. The Certificate Import Wizard will appear.
  8. Follow the onscreen instructions to import a new CA certificate.
  9. Close the snap-in.

2.14.2.7. Select a Trusted CA for the CROSSBOW Server

  1. Access the RUGGEDCOM CROSSBOW Server, and launch CROSSBOW Server.
  2. Make sure the CROSSBOW Main Server service is stopped.
  3. Under CrossBow Main Server, click Configure. The CrossBow Server Configuration dialogue box will appear.

Figure 2-49 CrossBow Server Configuration

image57

  1. OK Button
  2. Cancel Button
  3. Choose Trusted Certificate Authorities Button
  4. Click Choose Trusted Certificate Authorities. A dialogue box will appear.
  5. Optional: Filter the list of CAs by selecting Show Root Certificate Authorities, Show Intermediate Certificate Authorities, and/or Show Third Party Certificate Authorities.
  6. Select one or more CAs from the list, or select Specify a certificate authority and define the CA in the box below.
  7. Click OK to save changes.
  8. Start the CROSSBOW Main Server service.

2.14.2.8. Selecting a Trusted CA for a CROSSBOW Client

  1. Launch CROSSBOW Client, but do not connect to the RUGGEDCOM CROSSBOW Server.
  2. On the toolbar, select File, then click Preferences. The Preferences dialogue box will appear.

Figure 2-50 Preference Dialogue Box

image58

  1. OK Button
  2. Cancel Button
  3. Choose Trusted Certificate Authorities Button
  3. Click Choose Trusted Certificate Authorities. A dialogue box will appear.
  4. Optional: Filter the list of CAs by selecting Show Root Certificate Authorities, Show Intermediate Certificate Authorities, and/or Show Third Party Certificate Authorities.
  5. Select one or more CAs from the list, or select Specify a certificate authority and define the CA in the box below.
  6. Click OK to save changes.

2.14.2.9. Adding a Common Name

  1. Access the RUGGEDCOM CROSSBOW Server, and launch CROSSBOW Server.
  2. Make sure the CROSSBOW Main Server service is stopped.
  3. Under CrossBow Main Server, click Configure. The CrossBow Server Configuration dialogue box will appear.

Figure 2-51 CrossBow Server Configuration

image59

  1. OK Button
  2. Cancel Button
  3. Choose Trusted Certificate Authorities Button
  4. Configure Valid Incoming Certificate Common Names Button
  4. On the Primary Configuration tab, under Unattended Application Client Configuration, click Configure Valid Incoming Certificate Common Names. The Incoming Certificate Common Name dialogue box will appear.
  5. Click Add Name. The Common Name dialogue box will appear.
  6. In the Common Name box, type the common name, then click OK to close the dialogue box.
  7. Click OK.
  8. Start the CROSSBOW Main Server service.

2.14.2.10. Managing the RUGGEDCOM CROSSBOW Certificates and Keys

The following references the RUGGEDCOM RX1400 and RX1511 web interface:

  1. Navigate to security -> crypto -> ca and click <Add ca>. The Key Settings form will appear.
  2. Configure the following parameter as required:
    1. name
  3. Click Add. The CA form will appear.

Figure 2-52 Virtual Private Network (VPN) Certificate Form

image60

  1. Contents Box
  2. Private Key Name List
  3. CA Certificate Name List
  1. Copy the contents of the CA certificate into the Key Cert Sign Certificate field.
  2. Add the associated Certificate Revocation List.
  3. Navigate to security -> crypto -> private-key and click <Add private-key>. The Key Settings form will appear.
  4. In the Key Settings form, configure the following parameter as required:
    1. name
  5. Click Add to create the new private key. The Private Key form will appear.

Figure 2-53 VPN Private Key Form

image61

  1. Algorithm List
  2. Contents Box
  1. In the Private Key form, configure the following parameters as required:
    1. Algorithm
    2. Contents
2.14.2.11. Managing the RUGGEDCOM CROSSBOW Application on RX1501

To enable or disable communication with a RUGGEDCOM CROSSBOW system, do the following:

  1. Change the mode to Edit Private or Edit Exclusive.
  2. Navigate to apps -> crossbow. The CROSSBOW form will appear.
  3. Ensure that the Enabled check box is selected.
  4. Navigate to apps -> crossbow -> client-connection. The Client Connection Info form will appear.

Figure 2-54 Client Connection Info

image62

  1. IP Address Box
  2. Port Box
  3. (Keep default)
  4. (Keep default)
  1. Configure the following parameters as required:
    1. ipaddr
    2. port
  2. Navigate to apps -> crossbow -> sac-connection. The station access controller (SAC) Connection List will appear.

Figure 2-55 SAC Connection List

image63
  1. Navigate to apps -> crossbow -> sac-connection -> Add connection-list. The Key Settings form will appear.
  2. Configure the following parameter(s) as required:
    1. sam-ipaddr
  3. Click Add. The Connection List form will appear.

Figure 2-56 Connection List

image64

  1. SAM Common Name Box
  2. Port Box
  1. Configure the following parameters as required:
    1. sam-name
    2. sam-port
  2. Navigate to apps -> crossbow -> certificate. The Certificates Info forms will appear.

Figure 2-57 Certificates Info

image65

  1. Certificate/Private Key List
  1. Configure the following parameters as required:
    1. cert
    2. cert-private-key
  2. Navigate to apps -> crossbow -> certificate -> ca-cert-list and click <Add ca-cert-list>. The Key Settings form will appear.
  3. Configure the following parameter as required:
    1. name
  4. Click Commit to save the changes or click Revert All to abort. A confirmation dialogue box will appear. Click OK to proceed.
  5. Click Exit Transaction, or continue making changes.
2.14.2.12. Viewing the RUGGEDCOM CROSSBOW Log
  1. Navigate to apps -> crossbow -> status and click log in the menu. The Trigger Action form will appear.

Figure 2-58 Trigger Action

image66

  1. Perform Button
  1. Click Perform. The Log form will appear.

Figure 2-59 Status Log

image67
2.14.2.13. Managing SACs
  1. Access the RUGGEDCOM CROSSBOW client workstation, launch CROSSBOW Client, and log in as a user with the necessary administrative privileges. The Field Layout tab appears by default.
  2. In the right pane, right-click the associated facility or gateway, and click Add Station Access Controller. The Station Access Controller Properties dialogue box will appear.

Figure 2-60 Station Access Controller Properties

image68

  1. Name Box
  2. Description Box
  3. Status List
  4. Custom Fields
  5. OK Button
  6. Cancel Button
  1. Configure the identification properties (e.g., name, description) for the SAC.

Figure 2-61 SAC Property Configuration — Identification

image69

  1. Name Box
  2. Description Box
  3. Status List
  4. Custom Fields
  5. OK Button
  6. Cancel Button
  1. Configure the connection properties (e.g., IP address, port, platform) for the SAC.

Figure 2-62 SAC Property Configuration — Connection

image70

  1. IP Address Box
  2. Common Name Box
  3. Port Box
  4. Platform List
  5. Device Group
  6. OK Button
  7. Cancel Button
  1. Configure the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) properties for the SAC.

Figure 2-63 SAC Property Configuration — NERC CIP

image71

  1. Questions
  2. Network Box
  3. OK Button
  4. Cancel Button
  5. BES Cyber System List
2.14.2.14. Updating the SAC Database
  1. Access the RUGGEDCOM CROSSBOW client workstation, launch CROSSBOW Client, and log in as a user with the necessary administrative privileges. Make sure to enter the host name and port number for the SAC during the login process.
  2. Search for the SACʼs device family on the Devices tab.
  3. Right-click the Station Access Controller device family, point to Special Operations, then click Push SAC Database. The Scheduling Push SAC Database dialogue box will appear.

Figure 2-64 Scheduling Push SAC Database

image72

  1. Description Box
  2. OK Button
  3. Cancel Button
  4. Repetition Lists
  5. Start Time Options
  6. Start Time Box
  1. Optional: Under Description, type a description for the operation. Include details such as the affected target, the purpose of the operation, etc. This description will appear in the list of scheduled operations.
  2. Under Repetition, select the interval and value (if applicable).
  3. Under Start Time (On Server), select Now or Specific Time.
  4. Click OK to save changes. The operation will commence at the selected time.
2.14.2.15. Managing Devices and Gateways
  1. Access the RUGGEDCOM CROSSBOW client workstation, launch CROSSBOW Client, and log in as a user with the necessary administrative privileges.
  2. On the Field Layout tab, right-click the desired facility or gateway, and click Add Device, Add Gateway, or Add Subordinate Gateway (gateways only). The Device Properties or Gateway Properties dialogue box will appear.
  3. Configure the identification properties (e.g., name, description) for the device/gateway.
  4. Configure the connection properties (e.g., host name, user names, passwords) for the device/gateway.
  5. Configure the interfaces available for the device/gateway.
  6. Enable or disable the applications available for the device/gateway.
  7. Configure the NERC CIP properties for the device/gateway.
  8. Configure any advanced parameters associated with the device/gateway.
  9. Click OK to save changes.
2.14.2.16. Connecting to a Device/Gateway
  1. Access the RUGGEDCOM CROSSBOW client workstation, launch CROSSBOW Client, and log in as a user with the necessary administrative privileges.
  2. If connecting to the device/gateway via a Station Access Controller, make sure to enter the host name and port number for the SAC during the login process. Otherwise, provide the host name and port number for the RUGGEDCOM CROSSBOW Server.
  3. Search for the desired device/gateway on the Field Layout or Devices tab by either facility or device type.
  4. Right-click the device/gateway, and then click either Connect (devices) or Connect to Gateway (gateways). The Application Selection dialogue box will appear.

Figure 2-65 Application Selection Dialogue

image73

  1. Available Applications
  2. Select Login Level Options
  3. OK Button
  4. Cancel Button
  1. Select an application to connect to the deviceʼs interface.
  2. Under Select login level, select the login level to use when connecting to the device.
  3. Click OK. RUGGEDCOM CROSSBOW will attempt to connect to the device. Review the Messages pane for details.
  4. Once connected, the device/gateway and the connection status are displayed in the Device Connection History pane.
  5. When the application launches, if required, enter the local host IP address or the real IP address of the end-device or gateway, followed by the port number.

2.15. Siemens RUGGEDCOM RX1400 (E1)

The Siemens RUGGEDCOM RX1400 device is used on the enterprise side of the lab and creates an always-on VPN connection to the Siemens RUGGEDCOM RX1501, located on the boundary of the control network lab.

2.15.1. Environment Setup

Requirements for installation:

  • personal computer/laptop with Ethernet port
  • CAT5 or higher Ethernet cables
  • RUGGEDCOM VPN device
  • any type of terminal emulator
  • web browser
  • When connecting the device to the network, the NCCoE used switch.0001 as the wide area network (WAN) port and switch.0010 as the local area network port connected to the local network.

2.15.2. Installation Procedure

  1. After powering on the device, use a web browser to connect to the IP address that the device assigns itself. In most cases an intermediate switch is needed to make this connection, but this varies with the setup.
  2. The following screen should appear:

Figure 2-66 RUGGEDCOM Web Login

image74
  1. Once logged in, click the link for Edit Private to go into Edit mode.
  2. Navigate to tunnel -> ipsec, and check the boxes for Enable IP security (IPSec) and network address translator (NAT) Traversal.

Figure 2-67 Enable IPSec and NAT Traversal

image75
  1. Click preshared-key, then <Add preshared-key>.
  2. In the Remote Address field, type the remote IP address (the cogeneration plantʼs IP address).
  3. In the Local Address field, type the local IP address (the enterprise network).
  4. Click Add.
  5. Click the newly created entry under the preshared-key folder.
  6. Under Secret Key, create a new secret key that will be shared between devices.
  7. Under ipsec->connection, click <Add connection> to create a new connection.
  8. Fill in a name for Connection Name, then click Add.
  9. Click on the new connection, and click the Enable check box for Dead Peer Detect.
  10. Ensure that the settings under Dead Peer Detect are:
    1. Interval: 30
    2. Timeout: 120
    3. Action: Restart
  11. Under Connection, set the following parameters:
    1. Startup Operation: start
    2. Authenticate By: secret
    3. Connection Type: tunnel
    4. Address-family: ipv4
    5. Perfect Forward Secrecy: yes
    6. SA Lifetime: default
    7. IKE Lifetime: default
    8. L2TP: Unchecked (disabled)
    9. Monitor Interface: switch.0001
  12. In the top window row, select the folder ike, and click <Add algorithm>.
  13. Under Key settings, ensure the following parameters and click Add:
    1. Cipher Algorithm: aes256
    2. Hash Method: sha2
    3. Modpgroup: modp8192
  14. Going back to the top window row, select the esp folder directly underneath ike, then select algorithm and click <Add algorithm>.
  15. Under Key settings, ensure the following parameters and click Add:
    1. Cipher Algorithm: aes256
    2. Hash Method: sha2
  16. Going back to the top window row, select left under esp.
  17. Under Public IP Address, ensure Type is address, then type the IP address into the Hostname or IP Address field.
  18. Going back to the top window row, select subnet, and click <Add subnet>.
  19. Under Key Settings, in the Subnet Address field, type the local subnet on the inside of the RX1400 in the box (lab used 10.100.0.0/16) and click Add.
  20. Going back to the top window row, select right under left.
  21. Under Public IP Address, ensure Type is address, then type the remote VPN IP Address into the Hostname or IP Address field.
  22. Under the Right heading, for NAT Traversal Negotiation Method, select rfc-3947.
  23. Going back to the top window row, select subnet, then click <Add subnet>.
  24. Under Key Settings, in the Subnet Address field, type the remote subnet on the inside of the remote VPN in the box (lab used 172.19.0.0/16) and click Add.
  25. Going back to the beginning of the top row, ensure that interfaces->ip->switch.0001->ipv4 contains a folder named after the externally facing network IP address.
  26. Ensure that interfaces->ip->switch.0010->ipv4 contains a folder named after the internal network (lab used 10.100.0.0/16).

2.16. Siemens RUGGEDCOM RX1501 (O1)

The Siemens RUGGEDCOM RX1501 device is used on the boundary of the control network lab and creates an always-on VPN connection to the Siemens RUGGEDCOM RX1400, located on the inside of the enterprise network lab.

2.16.1. Siemens RUGGEDCOM RX1501 (O1) Installation Guide

The instructions for installation of the RUGGEDCOM RX1501 are very similar to those in Section 2.15, with the following additional information:

  1. Ensure that the shared key used in this installation is the same as the one used in the previous installation.
  2. The remote IPs and local IPs will be different for this installation as they are relative to the device.
  3. NAT Traversal Negotiation Method will be under the left menu option on this device (as opposed to right, as described earlier) and must be set to the same value used on the RX1400 (rfc-3947).
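The two RUGGEDCOM ends of this tunnel are configured by hand in two separate web interfaces, and the constraints listed above (identical shared key, local and remote swapped, identical NAT Traversal method) are exactly the settings that fail to negotiate silently when one side is mistyped. The Python check below is an added example, not taken from the guide or from Siemens: it encodes those rules for the E1 and O1 settings from Sections 2.15 and 2.16 and also flags proposals weaker than the aes256/sha2/modp8192 set the lab uses. The WAN addresses and the secret are placeholders (assumptions); the guide does not publish them.

```python
import copy
from typing import Dict, List, Tuple

# Added example (not from the NIST guide or Siemens): a consistency check for
# the two ends of the E1 <-> O1 IPsec tunnel, encoding the rules the guide
# states in prose: same pre-shared key, mirrored left/right addresses and
# subnets, same NAT-T negotiation method, and proposals in common.
# Public IPs are assumptions (RFC 5737 documentation addresses); the guide
# does not publish the lab's WAN addresses.

Proposal = Tuple[str, str, str]          # (cipher, hash, modp group or "" for ESP)

WEAK_ALGS = {"des", "3des", "md5", "modp768", "modp1024", "modp1536"}
LEGACY_ALGS = {"sha1"}                   # still negotiable, but not what the guide configures
MIN_PSK_LEN = 20                         # lab heuristic, not a guide value


def side(public_ip: str, *subnets: str) -> Dict:
    """One end of the tunnel as the ROX II form describes it: public IP plus inside subnets."""
    return {"ip": public_ip, "subnets": set(subnets)}


def tunnel(local: Dict, remote: Dict, psk: str) -> Dict:
    """A config mirroring the settings the guide walks through in the web UI."""
    return {
        "psk": psk,
        "left": local,
        "right": remote,
        "ike": {("aes256", "sha2", "modp8192")},   # ike -> algorithm
        "esp": {("aes256", "sha2", "")},           # esp -> algorithm
        "pfs": True,
        "auth": "secret",
        "type": "tunnel",
        "nat_t": "rfc-3947",
        "dpd": {"interval": 30, "timeout": 120, "action": "restart"},
    }


# E1 (RX1400, enterprise side) and O1 (RX1501, control-network boundary).
SHARED_SECRET = "replace-me-with-a-long-random-secret-0123456789"   # assumption
E1_RX1400 = tunnel(side("192.0.2.1", "10.100.0.0/16"),
                   side("198.51.100.1", "172.19.0.0/16"), SHARED_SECRET)
O1_RX1501 = tunnel(side("198.51.100.1", "172.19.0.0/16"),
                   side("192.0.2.1", "10.100.0.0/16"), SHARED_SECRET)


def check_peers(a: Dict, b: Dict) -> List[str]:
    """Return a list of findings; an empty list means the two ends agree."""
    findings: List[str] = []
    if a["psk"] != b["psk"]:
        findings.append("pre-shared key differs between peers")
    for name, cfg in (("a", a), ("b", b)):
        if len(cfg["psk"]) < MIN_PSK_LEN:
            findings.append(f"peer {name}: pre-shared key shorter than {MIN_PSK_LEN} characters")
        if cfg["dpd"]["timeout"] <= cfg["dpd"]["interval"]:
            findings.append(f"peer {name}: DPD timeout must exceed the DPD interval")
    # What is 'left' on one device must be 'right' on the other, subnets included.
    if a["left"] != b["right"] or a["right"] != b["left"]:
        findings.append("left/right addresses or subnets are not mirrored between peers")
    for phase in ("ike", "esp"):
        if not (a[phase] & b[phase]):
            findings.append(f"no {phase} proposal in common")
        for prop in a[phase] | b[phase]:
            weak = sorted(alg for alg in prop if alg in WEAK_ALGS)
            legacy = sorted(alg for alg in prop if alg in LEGACY_ALGS)
            if weak:
                findings.append(f"weak {phase} algorithm(s) offered: {', '.join(weak)}")
            if legacy:
                findings.append(f"legacy {phase} algorithm(s) offered: {', '.join(legacy)}")
    for key in ("pfs", "auth", "type", "nat_t"):
        if a[key] != b[key]:
            findings.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    return findings


def broken_copy(cfg: Dict, **overrides) -> Dict:
    """Deep-copy a config and override top-level keys, to exercise the checker."""
    bad = copy.deepcopy(cfg)
    bad.update(overrides)
    return bad


if __name__ == "__main__":
    print("E1/O1 as configured:", check_peers(E1_RX1400, O1_RX1501) or "consistent")
    misconfigured = broken_copy(O1_RX1501, psk="short", nat_t="draft-ietf-ipsec-nat-t-ike-02")
    for finding in check_peers(E1_RX1400, misconfigured):
        print(" -", finding)
```

Run it once with the values as entered on both devices before bringing the tunnel up; the checker deliberately reports every mismatch at once rather than stopping at the first, since a single typo on the O1 side often produces several of them together.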

2.17. TDi Technologies ConsoleWorks (E6, O5, O9)

TDi Technologies ConsoleWorks creates multiple consoles (both GUI- and terminal-based) that allow connections through a web interface to internal devices, utilizing a protocol break to separate connections. ConsoleWorks is also utilized to normalize syslogs from the control network before sending them to the SIEM.

2.17.1. System Environment

The system that was set up to run this application was a fully updated (as of 4/20/2016) CentOS 7 Operating System with the following hardware specifications:

  • 4 GB RAM
  • 500 GB HDD
  • 2 network interface controllers (NICs)
  • This installation required a preconfigured network where one NIC was located on the WAN side (connected to the Waterfall Secure Bypass) and the other was connected to the Dell R620 ESXi server.

Other requirements:

  • ConsoleWorks install media (a CD was used in the build)

    • ConsoleWorksSSL-<version>.rpm
    • ConsoleWorks_gui_gateway-<version>.rpm
  • ConsoleWorks license keys (TDI_Licenses.tar.gz)

  • software installation command:

    yum install uuid libpng12 libvncserver

2.17.2. Installation

As root:

  1. Insert the ConsoleWorks media into the system (the steps below assume the media is a CD).
  2. mount /dev/sr0 /mnt/cdrom
  3. mkdir /tmp/consoleworks
  4. cp /mnt/cdrom/ConsoleWorksSSL-<version>.rpm /mnt/cdrom/ConsoleWorks_gui_gateway-<version>.rpm /tmp/consoleworks/
  5. rpm -ivh /tmp/consoleworks/ConsoleWorksSSL-<version>.rpm
  6. mkdir /tmp/consoleworkskeys/
  7. Copy the ConsoleWorks license keys (TDI_Licenses.tar.gz) to /tmp/consoleworkskeys/
  8. cd /tmp/consoleworkskeys/
  9. tar xzf TDI_Licenses.tar.gz
  10. cp /tmp/consoleworkskeys/* /etc/TDI_licenses/
  11. /opt/ConsoleWorks/bin/cw_add_invo
  12. Accept the license terms.
  13. Press Enter to continue.
  14. Name the instance (invocation) of ConsoleWorks.
  15. Press Enter to accept the default port (5176).
  16. Press N to decline SYSLOG listening.
  17. Press Enter to accept the parameters entered.
  18. Press Enter to return to /opt/ConsoleWorks/bin/cw_add_invo.
  19. rpm -ivh /tmp/consoleworks/ConsoleWorks_gui_gateway-<version>.rpm
  20. /opt/gui_gateway/install_local.sh
  21. /opt/ConsoleWorks/bin/cw_start <invocation name created earlier>
  22. service gui_gatewayd start

2.17.3. Usage

  1. Open a browser and navigate to https://<ConsoleWorksIP>:5176.
  2. Log in with Username console_manager, Password Setup.
  3. Change the default password.
  4. Choose Register Now.
2.17.3.1. Initial Configuration

All instructions below start with a menu on the sidebar.

  1. Tags

    Security > Tags > Add

    1. Set Name.
    2. Click Save.
  2. Profiles

    Users > Profiles > Add

    1. Set Name.
    2. Select Tag.
    3. Click Save.
  3. Users

    Users->Add

    1. Set Name.
    2. Set Password.
    3. Set Profile.
    4. Set Tag.
    5. Click Save.
2.17.3.2. Graphical Connections

Use the following steps to set up graphical connections (specifically virtual network computing (VNC)):

  1. Graphical Gateway:

    1. Graphical->Gateways->Add
    2. Set a name, then set Host as Localhost and port as 5172.
    3. Check the Enabled check box and click Save.
    4. Verify that it works by clicking Test in the top left corner.
  2. Add a graphical connection (We will use VNC.):

    1. Graphical->Add
    2. Set Name.
    3. Set the Type (VNC/remote desktop protocol (RDP)).
    4. Set the Hostname/IP.
    5. If recordings are desired, set Directory and Recordings.
    6. Set the Authentication.
    7. Add Graphical Gateway.
    8. Add Tags.
  3. Access Controls

    1. Security->Access Control->Add
    2. Set Name.
    3. Check Enabled.
    4. Set Priority.
    5. Set ALLOW.
    6. Set Component Type to Graphical Connection.
    7. The following will appear under Profile Selection:
      1. Property Profile Equals *Profile Name* <join>
      2. The correct profile should appear in the box on the right.
    8. The following will appear under Resource Selection:
      1. Associate With a Tag that
      2. Property Tag Equals *Tag name* <join>
      3. The correct Graphical Console should appear in the box on the right.
    1. Under Privileges, check …
      1. Aware
      2. View
      3. Connect
      4. Enable
      5. Monitor
    2. Click Save.

Figure 2-68 Binding to Syslog

image76

2.17.4. TDi Technologies ConsoleWorks (E6) Installation Guide

Follow the guide above on installing ConsoleWorks instance (O5), however, do not follow
  1. Navigate to Server Management > Bind List > Add.
  2. Enter a name for Binding (e.g. SYSLOG_514).
  3. Leave Address as default (0.0.0.0).
  4. Set Port to 514.
  5. Set Bind type to SYSLOG and Enable.

Figure 2-69 Server Management Bind Edit

image77
  1. Navigate to Consoles > Add.
  2. Add Console and set a name (e.g., SYSLOG).
  3. In the Connector field, click the drop-down menu, and select Syslog Listener.
  4. Under Connection Details, click the drop-down menu, and select the Binding that was created above (e.g., SYSLOG_514).
  5. Check the Catch All check box.

Figure 2-70 Adding SYSLOG Console

image78
  1. Copy the socket plug-in to the cwscript directory under the ConsoleWorks instance directory.

Figure 2-71 Copying Plug-In to CWScript Directory

image79
  1. Navigate to Admin > Database Management > XML Imports > Import > Upload a file, then click Next.

Figure 2-72 CWScript Upload

image80
  1. Click Browse.

Figure 2-73 Browse for CWScript

image81
  1. Select the syslog.xml file, then click Next.

Figure 2-74 Select CWScript XML

image82
  1. Navigate to Tools > CWScripts > Select SYSLOG_FORWARD > Review Settings.

Figure 2-75 Review CWScript Settings

image83
  1. Navigate to Actions > Automatic > Add.
  2. Set Name.
  3. Set Type to CWScript.
  4. In the Action field, click the drop-down menu, and select SYSLOG_FORWARD.
  5. In the Parameter field, enter the IP address (or FQDN) of the Syslog target.

Figure 2-76 Modify Action and Parameter for CWScript

image84
  1. Navigate to Scans, then select Add.
  2. Set Name.
  3. In the Consoles field, add/select the Console defined in the previous steps.
  4. In the Automatic Action field, add/select the Action defined in the previous steps.
Note: The Events field will be updated later.

Figure 2-77 Add New Scan

image85
  1. Navigate to Events, then select Add.
  2. Name the Event.
  3. Set the Severity level.
  4. In the Pattern fields, line 1, type in a character pattern that matches the syslog data. Set Wildcarding to Standard Wildcards.
  5. In the context Lines Below field, enter 1.
  6. In the Scans field, click Add, then select the name of the Scan that was defined in the previous steps.
  7. In the Automatic Actions field, click Add, then select the name of the Action that was defined in the previous steps.

Figure 2-78 Add New Event

image86
  1. Navigate back to Actions > Automatic, then edit the Action defined in the previous steps.
  2. In the Event field, confirm that the Event that was just created is selected.

Figure 2-79 Syslog Forwarding Action Config

image87
  1. In the Console field, select the Syslog Console that was defined in previous steps.

Figure 2-80 Add Console to Syslog Forwarding Action Config

image88
  1. Review settings.

Figure 2-81 Review Event Settings

image89
  1. Add rules to the ConsoleWorks host OS firewall:

    iptables -I INPUT -p udp --dport 514 -s 0.0.0.0/0 -j ACCEPT
    iptables -I OUTPUT -p udp -s 0.0.0.0/0 --dport 514 -j ACCEPT

  2. Save the rules:

    /sbin/service iptables save

The INPUT rule as written accepts UDP/514 from any source; where the sending hosts are known, restrict -s to their addresses. Note also that CentOS 7 ships with firewalld rather than the iptables service, so service iptables save only works if the iptables-services package is installed and firewalld has been disabled.
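Section 2.17 says ConsoleWorks is used to normalize control-network syslog before it reaches the SIEM, and the procedure above builds that pipeline in the GUI: a UDP/514 binding, a Catch All console, an Event with a standard-wildcard pattern, and a forwarding action. The Python below is an added example (not ConsoleWorks code and not from the guide) that does the same work offline so each piece can be tested: it parses RFC 3164 datagrams, decodes the PRI into facility and severity, applies a wildcard pattern the way the Event step does, and emits one single-line CEF record per event. The choice of CEF and the vendor/product strings are mine, and the sample datagrams are constructed, not captured from the lab.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not ConsoleWorks code): the O5 relay's job expressed in plain
# Python so it can be tested offline: accept RFC 3164 datagrams, decode PRI,
# match an Event pattern using ConsoleWorks-style standard wildcards (* and ?),
# and re-emit a normalized line for the SIEM. CEF output and the vendor/product
# strings are my choices, not something the guide specifies.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
              + [f"local{i}" for i in range(8)])
CEF_SEVERITY = {"emerg": 10, "alert": 9, "crit": 8, "err": 7,
                "warning": 5, "notice": 3, "info": 1, "debug": 0}
CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "NCCoE Lab", "ConsoleWorks relay", "1"

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$",
    re.S,
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[str]
    message: str


def parse_rfc3164(line: str) -> Optional[SyslogEvent]:
    """Parse one UDP/514 datagram; return None for input that is not well-formed syslog."""
    m = _RFC3164.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # 24 facilities (0-23) * 8 severities
        return None
    return SyslogEvent(FACILITIES[pri // 8], SEVERITIES[pri % 8], m["ts"],
                       m["host"], m["tag"], m["pid"], m["msg"])


def matches_event(ev: SyslogEvent, pattern: str) -> bool:
    """ConsoleWorks 'Standard Wildcards' semantics approximated with fnmatch (* and ?)."""
    return fnmatch.fnmatchcase(ev.message, pattern)


def cef_escape_header(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(s: str) -> str:
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(ev: SyslogEvent) -> str:
    """One normalized, single-line record per event, newline-safe for a UDP forwarder."""
    header = [CEF_VENDOR, CEF_PRODUCT, CEF_VERSION,
              f"{ev.facility}.{ev.severity}", ev.tag, str(CEF_SEVERITY[ev.severity])]
    ext = {"dvchost": ev.host, "deviceFacility": ev.facility,
           "deviceSeverity": ev.severity, "deviceProcessName": ev.tag, "msg": ev.message}
    if ev.pid:
        ext["cs1Label"] = "pid"
        ext["cs1"] = ev.pid
    ext_str = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())
    return "CEF:0|" + "|".join(cef_escape_header(h) for h in header) + "|" + ext_str


# Constructed sample datagrams; not captured from the lab.
SAMPLE_LINES = [
    "<38>Apr 20 10:15:02 rx1501 sshd[2210]: Accepted publickey for admin from 172.19.0.20 port 51022 ssh2",
    "<134>Apr 20 10:15:07 tofino-o18 tofino: rule 12 DENY tcp 172.19.0.33:49211 -> 172.18.2.150:502",
    "not a syslog datagram at all",
]


def forward(lines, pattern: str = "*") -> List[str]:
    """Drop malformed input, keep events matching the Event pattern, return CEF lines."""
    out: List[str] = []
    for line in lines:
        ev = parse_rfc3164(line)
        if ev is not None and matches_event(ev, pattern):
            out.append(to_cef(ev))
    return out


if __name__ == "__main__":
    for record in forward(SAMPLE_LINES, "*DENY*"):
        print(record)
```

The malformed third line is dropped rather than forwarded, which is the behaviour to want from a relay that sits between the control network and the SIEM; the escaping in to_cef keeps a multi-line message from splitting into two records on the receiving end.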

2.17.5. TDi Technologies ConsoleWorks (O9) Installation Guide

Follow the guide for ConsoleWorks (E6) in Section 2.17.4.

2.18. Waterfall Technologies Unidirectional Security Gateway (O2)

Waterfallʼs Unidirectional Security Gateway delivers a security gateway solution for replicating servers and emulating devices from the control system lab to the enterprise system lab. The replication occurs through hardware that is physically able to transmit information in only one direction and physically unable to transmit any information or attack in the reverse connection. The Unidirectional Gatewayʼs combination of hardware and software supports many kinds of replications, including process historians, many open platform communication (OPC) variants, syslog, FTP, and others.

2.18.1. Waterfall Technologies Unidirectional Security Gateway (O2) Installation Guide

The Unidirectional Security Gateway was shipped to the NCCoE as an appliance in a 1U server chassis. The chassis contains two Host Modules, each running Microsoft Windows 8. The chassis also contains a Transmit (TX) Module and a Receive (RX) Module, linked by a short fiber-optic cable. The TX Module is physically able to send information/light to the fiber but is unable to receive any signal from the fiber. Conversely, the RX Module is able to receive information from the fiber but has no transmitter and so is physically unable to send any information to the fiber. In this guide, we will refer to the Windows Host Module connected to the TX Module as the Tx host, and the Windows Host Module connected to the RX Module as the Rx host.

2.18.1.1. Rx Configuration
  1. Open the Waterfall RX Configuration utility located in the Start menu.
2.18.1.1.1. FTP Stream
  1. Expand wfStreamRx from the left sidebar.
  2. Expand Files.
  3. From the sidebar, select Local Folder.
  4. Under Channels, select Add. Ensure that the Active check box is checked.
  5. Fill out the Channel Name field, and make a note of the Channel ID shown in parentheses.
  6. From the sidebar, select NCFTP.
  7. Under Channels, select Add. Ensure that the Active check box is checked.
  8. Select the Automatically Bind to Local Folder with ID radio button, and select the ID that was automatically generated for the Local Folder just created.
  9. Fill out the correct values for the following form fields:
    1. FTP folder: /file_link
    2. FTP host: 10.100.1.250
    3. FTP port: 21
    4. Username: waterfall
    5. Password: <insert password here>
  10. For Transfer mode, select the Passive radio button.
  11. For Transfer type, select the Binary radio button.
  12. Ensure that the Enable recursive transfer check box is checked.
  13. Ensure that the File pattern check box is checked and that the form field contains this value: *.
2.18.1.1.2. OSI Pi Streams
  1. Digital
    1. Expand wfStreamRxPI_D from the left sidebar.
    2. Expand SME from the left sidebar.
    3. Expand PiPoint from the left sidebar.
    4. Ensure that the Active check box is checked.
    5. Fill out the correct values for the following form fields:
      1. Channel name: PiPt Digital
      2. Server IP: 10.100.1.76
      3. Points type: Digital
      4. Snapshots/Sec limit: 5000
      5. Snapshots/Sec warning: 500
  2. Numeric
    1. Expand wfStreamRxPI_N from the left sidebar.
    2. Expand SME from the left sidebar.
    3. Expand PiPoint from the left sidebar.
    4. Ensure that the Active check box is checked.
    5. Fill out the correct values for the following form fields:
      1. Channel name: PiPt Numeric
      2. Server IP: 10.100.1.76
      3. Points type: Numeric
      4. Snapshots/Sec limit: 5000
      5. Snapshots/Sec warning: 5000
  3. String
    1. Expand wfStreamRxPI_S from the left sidebar.
    2. Expand SME from the left sidebar.
    3. Expand PiPoint from the left sidebar.
    4. Ensure that the Active check box is checked.
    5. Fill out the correct values for the following form fields:
      1. Channel name: PiPt String
      2. Server IP: 10.100.1.76
      3. Points type: String
      4. Snapshots/Sec limit: 5000
      5. Snapshots/Sec warning: 5000
2.18.1.1.3. Syslog Streams
  1. Expand wfStreamRx from the left sidebar.
  2. Expand IT Monitoring from the left sidebar.
  3. Select Syslog UDP from the left sidebar.
  4. Under Channels, select Add. Ensure that the Active check box is checked.
  5. Fill out the correct values for the following form fields:
    1. Channel name: Syslog 1
    2. Send report every: 500
  6. Under Target Addresses, select Add, and set the IP address to 10.100.0.50 and port to 514.

2.18.1.2. TX Configuration

Open the Waterfall TX Configuration utility located in the Start menu.

2.18.1.2.1. FTP Stream
  1. Expand wfStreamTx from the left sidebar.
  2. Expand Files.
  3. From the sidebar, select Local Folder.
  4. Under Channels, select Add. Ensure that the Active check box is checked.
  5. Fill out the Channel name field, and make a note of the Channel ID shown in parentheses.
  6. From the sidebar, select NCFTP.
  7. Under Channels, select Add. Ensure that the Active check box is checked.
  8. Select the Automatically Bind to Local Folder with ID radio button. Select the ID that was automatically generated for the Local Folder created in the previous steps.
  9. Fill out the correct values for the following form fields:
    1. FTP folder: /file_link
    2. FTP host: 172.18.1.250
    3. FTP port: 21
    4. Username: root
    5. Password: <insert password here>
  10. For Transfer mode, select the Passive radio button.
  11. For Transfer type, select the Binary radio button.
  12. Ensure that the Enable recursive transfer check box is checked.
  13. Ensure that the File pattern check box is checked and that the field contains this value: *.
2.18.1.2.2. OSI Pi Streams
  1. Digital
    1. Expand wfStreamTxPI_D from the left sidebar.
    2. Expand SME from the left sidebar.
    3. Expand PiPoint from the left sidebar.
    4. Ensure that the Active check box is checked.
    5. Fill out the correct values for the following form fields:
      1. Channel name: PiPt Digital
      2. Server IP: 172.18.2.150
      3. Points type: Digital
      4. Snapshots/Sec limit: 5000
      5. Snapshots/Sec warning: 5000
      6. APS port: 3010
  2. Numeric
    1. Expand wfStreamTxPI_N from the left sidebar.
    2. Expand SME from the left sidebar.
    3. Expand PiPoint from the left sidebar.
    4. Ensure that the Active check box is checked.
    5. Fill out the correct values for the following form fields:
      1. Channel name: PiPt Numeric
      2. Server IP: 172.18.2.150
      3. Points type: Numeric
      4. Snapshots/Sec limit: 5000
      5. Snapshots/Sec warning: 5000
      6. APS port: 3000
  3. String
    1. Expand wfStreamTxPI_S from the left sidebar.
    2. Expand SME from the left sidebar.
    3. Expand PiPoint from the left sidebar.
    4. Ensure that the Active check box is checked.
    5. Fill out the correct values for the following form fields:
      1. Channel name: PiPt String
      2. Server IP: 172.18.2.150
      3. Points type: String
      4. Snapshots/Sec limit: 5000
      5. Snapshots/Sec warning: 5000
      6. APS port: 3020
2.18.1.2.3. Syslog Streams
  1. Expand wfStreamTx from the left sidebar.
  2. Expand IT Monitoring from the left sidebar.
  3. Select Syslog UDP from the left sidebar.
  4. Under Channels, select Add. Ensure that the Active check box is checked.
  5. Fill out the correct values for the following form fields:
    1. Channel name: Syslog 1
    2. Send report every: 500
    3. Port: 514
    4. IP (Listening): 0.0.0.0
  6. Under target addresses, select Add. Set the IP address to 10.100.0.50 and port to 514.

2.19. Waterfall Secure Bypass (O17)

Waterfall Secure Bypass is used as a secure connection solution that allows bidirectional communication into the product lab at the control system. It is solely dependent on a person turning a physical key, and it has an automated time-out of two hours.

2.19.1. Waterfall Secure Bypass (O17) Installation Guide

The Waterfall Secure Bypass Solution is installed directly between the Siemens RUGGEDCOM RX1501 (O1) and a Schneider Electric Tofino Firewall (O18).

  1. Connect an Ethernet cable from the RX1501 to the Ext interface of the Secure Bypass.
  2. Connect an Ethernet cable from the WAN interface of the Tofino to the Int interface of the Secure Bypass.
  3. When the key is fully turned clockwise, the Secure Bypass will allow bidirectional traffic between the Tofino and the RX1501.
  4. When the key is fully turned counterclockwise, the Secure Bypass will block all traffic between the Tofino and the RX1501.
  5. If the key is left fully turned clockwise for more than two hours (time was configured at Waterfall location prior to receiving the device), the Secure Bypass will block all traffic between the Tofino and the RX1501. To allow for traffic to pass again, the user must fully turn the key counterclockwise and then clockwise again.

Figure 2-82 Waterfall Secure Bypass Interface

This image demonstrates the Waterfall Secure Bypass Interface.

2.20. Waratek Runtime Application Protection (E10)

Waratek Runtime Application Protection is a software agent plug-in for monitoring and protecting user interactions with enterprise applications. In the build, Waratek is monitoring a database application for any attempts the user may undertake to pull unauthorized data from the database (mainly through SQL injection).

For further information, see http://www.waratek.com/solutions/ or http://www.waratek.com/runtime-application-self-protection-rasp/.

2.20.1. System Environment

A CentOS 7 Operating System (fully updated as of 4/20/2016) was set up to run this application. Other requirements:

  • web application that demonstrates protection capabilities (this build used Spiracle, Waratekʼs demo application: https://github.com/waratek/spiracle)
  • web application server (this build used Apache Tomcat 9)
  • SQL database (MSSQL, MySQL, or Oracle; this build used MySQL)

2.20.2. Waratek Runtime Application Protection (E10) for Java Installation

  1. Download JDK 8 from the Oracle site, and unzip it in the /opt directory (e.g., /opt/jdk1.8.0_121).
  2. To configure Apache Tomcat (or another web application server), point JAVA_HOME in $CATALINA_HOME/bin/catalina.sh to /opt/<jdk version>.
  3. Add the following line to catalina.sh:

    JAVA_OPTS="-javaagent:/opt/waratek/waratek.jar -Dcom.waratekContainerHome=/opt/<jdk version>"

  4. Change directories to /opt, and untar the waratek_home.tar.gz package.
  5. cd waratek_home
  6. Create the Rules directory in the current directory.
  7. Move the LICENSE_KEY file provided by Waratek to /var/lib/javad/.
  8. Create a rules file, /opt/waratek_home/Rules/global.rules, containing:

    VERSION 1.0

    # SQL Injection Blocking
    sqli:database:mysql:deny:warn
    file:read:/opt/tomcat/*:allow:trace

  9. Create a logging XML file, /opt/waratek/mylogProps.xml:

    <logProps-array>
      <logProps>
        <logMode>BOTH</logMode>
        <logFile>SECURITYLOG</logFile>
        <fileName>/opt/waratek/alerts.log</fileName>
        <remoteHost>**INSERT REMOTE SYSLOG HERE (e.g., 10.100.100.10:514)**</remoteHost>
        <patternLayout>%m</patternLayout>
        <priorityLevel>WARN</priorityLevel>
      </logProps>
    </logProps-array>

  10. Edit the /opt/waratek_home/setenv.sh file as follows:

    export WARATEK_OPTS="-Dcom.waratek.jvm.name=tomcat7
    -Dcom.waratek.rules.local=/opt/waratek_home/Rules/jvc.rules
    -Dcom.waratek.log.properties=/opt/waratek_home/logProps.xml
    -Dcom.waratek.jmxh

2.20.3. Usage

To utilize the Runtime Protection for Java product, start the web application mentioned in Section 2.20.1, System Environment. The web application server (Tomcat 9 in our case) should load the Runtime Protection JDK that was configured.
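What the rule sqli:database:mysql:deny:warn above is there to block, shown as an added example in Python with sqlite3 rather than the guideʼs Java/Tomcat/MySQL stack (this is not Spiracle or Waratek code): a lookup built by string concatenation beside the parameterized version, run against the same constructed table with a benign value and a tautology payload. A runtime agent like the one configured above catches the first form when the injected query reaches the database; the second form is the code-level fix that leaves it nothing to catch.

```python
import sqlite3
from typing import Dict, List, Tuple

# Added example (Python + sqlite3, not the guide's Java/Tomcat/MySQL stack or
# Waratek's Spiracle app): the defect class that the rule
# "sqli:database:mysql:deny:warn" exists to block at runtime, shown beside the
# code-level fix. Table and rows are constructed here.


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the lab's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "operator"), ("bob", "engineer"), ("svc_hist", "historian")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """String concatenation: the user-supplied value becomes SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Bound parameter: the value is sent as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


PAYLOAD = "' OR '1'='1"   # classic tautology; constructed test input


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Same table, same two inputs, both query styles; returns the four result sets."""
    conn = make_db()
    return {
        "benign_vuln": lookup_vulnerable(conn, "alice"),
        "benign_safe": lookup_parameterized(conn, "alice"),
        "payload_vuln": lookup_vulnerable(conn, PAYLOAD),    # every row leaks
        "payload_safe": lookup_parameterized(conn, PAYLOAD), # no such username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

The benign input returns the same single row either way, which is why this class of defect survives functional testing; only the payload separates the two implementations.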

2.21. ArcSight Connector Guides

The following detail the custom configuration for the ArcSight connectors to individual monitoring and alerting products.

2.21.1. Dragos CyberLens Connector

2.21.1.1. Configure Source Product
  1. Connect to the CyberLens console.

  2. In the CyberLens application, go to Settings.

  3. In the CyberLens Alerting drop-down, select On.

  4. In the Syslog Logging section …

    1. Select the drop-down for On - Rsyslog.

    2. Enter the IP address of the syslog server, e.g.:

      172.18.0.50

    3. Enter the port of the syslog server, e.g.:

      514

Figure 2-83 Set Up Syslog on CyberLens

  5. From the command line, using the cybersudo account, check whether the OS firewall allows the syslog traffic by running sudo ufw status. Add and save the rule if needed.

Note: Upon upgrading CyberLens software, the rsyslog settings may be lost. Be sure to check and update these settings as needed after any upgrades.

2.21.1.2. Install/Configure Custom ArcSight FlexConnector
  1. Follow ArcSightʼs instructions for installing a Linux-based syslog SmartConnector [1].
  2. Copy the custom FlexConnector configuration files to the appropriate locations.
  3. Start the Connector service:

    /etc/init.d/arc_<connectorName> start

2.21.1.3. Custom Parser — ArcSight FlexConnector Parser
  1. Create a file containing the text below, and copy this file to /opt/arcsight/connectors/<connector directory>/current/user/agent/flexagent/cyberlens.subagent.sdkrfilereader.properties
#::::::::::::::::::::::::::::::::::::::::::::::
# Syslog custom subagent regex properties file: for CyberLens rsyslog
#
# raw syslog example:
# "Sep 6 16:04:48 ubuntu CyberLensApp: I, [2016-09-06T16:04:48.839937 #65401] INFO -- : Cyberlens generated the following alert: A Sensor saw 'S7COMM' for the first time"
#
#::::::::::::::::::::::::::::::::::::::::::::::
# without double slashes
# regex=(CyberLensApp):\sI, (\[\d+-\d\d-\d\d\S\d\d:\d\d:\d\d.\d+ #\d+]) (\D+) -- : (.*)\n?Source IP: (\d+.\d+.\d+.\d+)\n?(.*)
# with double slashes and newline
regex=(CyberLensApp):\\sI, (\\[\\d+-\\d\\d-\\d\\d\\S\\d\\d:\\d\\d:\\d\\d.\\d+ #\\d+]) (\\D+) -- : (.*)\\n?Source IP: (\\d+.\\d+.\\d+.\\d+)\\n?(.*)

token.count=6
token[0].name=Application
token[1].name=Message
token[2].name=Severity
token[3].name=Name
token[4].name=SourceIP
token[4].type=IPAddress
token[5].name=CatchAnyDoubledLines

event.name=Name
event.deviceProduct=stringConstant("CyberLens")
event.deviceVendor=stringConstant("DragosSecurity")
event.deviceSeverity=Severity
event.message=Message
event.deviceProcessName=Application
event.deviceAddress=SourceIP
event.deviceCustomString1=CatchAnyDoubledLines

severity.map.veryhigh.if.deviceSeverity=1,2
severity.map.high.if.deviceSeverity=3,4
severity.map.medium.if.deviceSeverity=5,6
severity.map.low.if.deviceSeverity=INFO

2.21.1.4. ArcSight agent.properties File
  1. Modify the agent.properties file settings as needed based on the example below:

    /opt/arcsight/connectors/<connector directory>/current/user/agent/agent.properties

  2. Modify the customsubagent list as needed for the environment.

  3. Replace the IP address to suit the environment.

#ArcSight Properties File
#Fri Mar 18 17:37:10 GMT 2016
agents.maxAgents=1
agents[0].aggregationcachesize=1000
agents[0].customsubagentlist=cyberlens.subagent.sdkrfilereader.properties_syslog|cyberlensPREFIX.subagent.sdkrfilereader.properties_syslog|sourcefire_syslog|ciscovpnios_syslog|apache_syslog|ciscovpnnoios_syslog|ciscorouter_syslog|pf_syslog|nagios_syslog|cef_syslog|ciscorouter_nonios_syslog|catos_syslog|symantecnetworksecurity_syslog|snare_syslog|mcafeesig_syslog|symantecendpointprotection_syslog|citrix_syslog|linux_auditd_syslog|vmwareesx_syslog|citrixnetscaler_syslog|vmwareesx_4_1_syslog||pulseconnectsecure_syslog|pulseconnectsecure_keyvalue_syslog|flexagent_syslog|generic_syslog
#agents[0].customsubagentlist=sourcefire_syslog|ciscorouter_syslog|pf_syslog|cef_syslog|ciscorouter_nonios_syslog|catos_syslog|symantecnetworksecurity_syslog|symantecendpointprotection_syslog|linux_auditd_syslog|vmwareesx_syslog|vmwareesx_4_1_syslog|flexagent_syslog|generic_syslog
agents[0].destination.count=1
agents[0].destination[0].agentid=3R9bQilMBABCIy6NStvvaDA\=\=
agents[0].destination[0].failover.count=0
agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n<Parameter Name\="aupmaster" Value\="false"/>\n<Parameter Name\="port" Value\="8443"/>\n<Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n<Parameter Name\="host" Value\="arcsight.es-sa-b1.test"/>\n<Parameter Name\="filterevents" Value\="false"/>\n</ParameterValues>\n
agents[0].destination[0].type=http
agents[0].deviceconnectionalertinterval=60000
agents[0].enabled=true
agents[0].entityid=0WbNilMBABCAAoBJrJmUOw\=\=
agents[0].fcp.version=0
agents[0].filequeuemaxfilecount=100
agents[0].filequeuemaxfilesize=10000000
agents[0].forwarder=false
agents[0].forwardmode=true
agents[0].id=3R9bQilMBABCIy6NStvvaDA\=\=
agents[0].ipaddress=10.100.1.148
agents[0].overwriterawevent=false
agents[0].persistenceinterval=0
agents[0].port=514
agents[0].protocol=UDP
agents[0].rawloginterval=-1
agents[0].rawlogmaxsize=-1
agents[0].tcpbindretrytime=5000
agents[0].tcpbuffersize=10240
agents[0].tcpcleanupdelay=-1
agents[0].tcpmaxbuffersize=1048576
agents[0].tcpmaxidletime=-1
agents[0].tcpmaxsockets=1000
agents[0].tcppeerclosedchecktimeout=-1
agents[0].tcpsetsocketlinger=false
agents[0].tcpsleeptime=50
agents[0].type=syslog
agents[0].unparsedevents.log.enabled=true
agents[0].usecustomsubagentlist=true
agents[0].usefilequeue=true
remote.management.ssl.organizational.unit=HzjHilMBABCAAWiR1ATijw

2.21.1.5. Map File
  1. Create a file containing the text below, and copy this file to /opt/arcsight/<connector directory>/current/user/agent/map/map.1.properties

    Note: If a map.1.properties file already exists, increment the suffix as needed (e.g., map.2.properties).

!Flags,CaseSens-,Overwrite
regex.event.name,set.event.deviceVendor,set.event.deviceProduct
.*Cyberlens.*,DragosSecurity,CyberLens

2.21.1.6. Categorization File
  1. Create a .csv file containing the text below, and copy this file to /opt/arcsight/<connector directory>/current/user/agent/acp/categorizer/current/<deviceproduct>/deviceproduct.csv

event.deviceProduct,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
CyberLens,/Host,/Found,/Traffic Anomaly,/IDS/Network,/Informational,/attempt
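As an added illustration (not part of the NCCoE build or of the ArcSight product), the following Python script applies the CyberLens regex, token names, event mappings, severity map and categorizer row from the files above to a constructed syslog message, showing what the FlexConnector produces for one alert. The sample message (including its "Source IP:" continuation line) and the Python re-implementation are assumptions; the real connector's tokenizer is not available here.

```python
import ipaddress
import re
from typing import Optional

# Regex from cyberlens.subagent.sdkrfilereader.properties (the
# single-backslash form), compiled with Python's re module.
CYBERLENS_REGEX = re.compile(
    r"(CyberLensApp):\sI, "
    r"(\[\d+-\d\d-\d\d\S\d\d:\d\d:\d\d.\d+ #\d+]) "
    r"(\D+) -- : (.*)\n?Source IP: (\d+.\d+.\d+.\d+)\n?(.*)"
)

# token[N].name entries, in capture-group order
TOKEN_NAMES = ["Application", "Message", "Severity", "Name",
               "SourceIP", "CatchAnyDoubledLines"]

# event.<field>=<token> lines from the properties file
EVENT_MAP = {
    "name": "Name",
    "deviceSeverity": "Severity",
    "message": "Message",
    "deviceProcessName": "Application",
    "deviceAddress": "SourceIP",
    "deviceCustomString1": "CatchAnyDoubledLines",
}
CONSTANTS = {"deviceProduct": "CyberLens", "deviceVendor": "DragosSecurity"}

# severity.map.<level>.if.deviceSeverity=<values>, checked in file order
SEVERITY_MAP = [
    ("veryhigh", {"1", "2"}),
    ("high", {"3", "4"}),
    ("medium", {"5", "6"}),
    ("low", {"INFO"}),
]

# The single row of deviceproduct.csv, keyed by event.deviceProduct
CATEGORIZER = {
    "CyberLens": {
        "categoryObject": "/Host",
        "categoryBehavior": "/Found",
        "categoryTechnique": "/Traffic Anomaly",
        "categoryDeviceGroup": "/IDS/Network",
        "categorySignificance": "/Informational",
        "categoryOutcome": "/attempt",
    }
}


def map_severity(device_severity: str) -> str:
    """Translate the raw deviceSeverity token into an ArcSight agent severity."""
    for level, values in SEVERITY_MAP:
        if device_severity in values:
            return level
    return "unknown"


def parse_cyberlens(raw: str) -> Optional[dict]:
    """Tokenize one syslog message and build the mapped ArcSight event.

    Returns None when the regex does not match or token[4] is not a valid
    IP address (token[4].type=IPAddress); the real connector would write
    such a message to its unparsed-events log instead of forwarding it.
    """
    m = CYBERLENS_REGEX.search(raw)
    if m is None:
        return None
    tokens = dict(zip(TOKEN_NAMES, m.groups()))
    try:
        ipaddress.ip_address(tokens["SourceIP"])
    except ValueError:
        return None
    event = {field: tokens[token] for field, token in EVENT_MAP.items()}
    event.update(CONSTANTS)
    event["agentSeverity"] = map_severity(event["deviceSeverity"])
    # Categorizer lookup adds the set.event.category* columns
    event.update(CATEGORIZER.get(event["deviceProduct"], {}))
    return event


# Constructed sample: the raw example from the properties file, plus the
# "Source IP:" continuation line the regex expects on multi-line alerts.
SAMPLE_ALERT = (
    "Sep 6 16:04:48 ubuntu CyberLensApp: I, [2016-09-06T16:04:48.839937 #65401] "
    "INFO -- : Cyberlens generated the following alert: "
    "A Sensor saw 'S7COMM' for the first time\n"
    "Source IP: 10.100.1.5"
)

if __name__ == "__main__":
    for key, value in (parse_cyberlens(SAMPLE_ALERT) or {}).items():
        print(f"{key}={value!r}")
```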

2.21.2. ICS2 OnGuard

2.21.2.1. Integration Setup

This will allow a user to right-click on a URL in an event to spawn OnGuard with the URL passed as a parameter.

  1. Select Tools > Local Commands > Configure.

Figure 2-84 ArcSight Configure

  2. In the name field, type ICS2-URL, then select the Program Parameters browse button.

Figure 2-85 Program Parameters Setup

  3. Select Event Attributes > Request > Request URL.

Figure 2-86 Request URL Configuration

  4. Select OK.

Figure 2-87 Tool URL Verification

  5. Right-click on a URL in an event, select Tools, and verify that the ICS2-URL tool appears in the menu.

2.21.2.2. Install/Configure Custom ArcSight FlexConnector
  1. Follow ArcSightʼs instructions for installing a Linux-based syslog SmartConnector.

  2. Copy the custom FlexConnector configuration files to the appropriate locations.

    1. See Sections 6-8 of cyberlens-syslog-configuration-v2_3.docx.
  3. Start the Connector service:

    /etc/init.d/arc_[connectorName] start

2.21.2.3. Custom Parser — ArcSight FlexConnector Parser
  1. Create a file containing the text below, and copy the file to /opt/arcsight/connectors/[connector-directory]/current/user/agent/flexagent/onguard.sdkrfilereader.properties
#::::::::::::::::::::::::::::::::::::::::::::::
# Syslog custom regex properties file
# for ICS^2 OnGuard CEF syslog

delimiter=\|
text.qualifier="
comments.start.with=\#
trim.tokens=true
contains.empty.tokens=true

token.count=8
token[0].name=Token0
token[0].type=String
token[1].name=Token1
token[1].type=String
token[2].name=Token2
token[2].type=Integer
token[3].name=Token3
token[3].type=String
token[4].name=Token4
token[4].type=String
token[5].name=Token5
token[5].type=TimeStamp
token[5].format=yyyy-MM-dd HH\:mm\:ssz
token[6].name=Token6
token[6].type=TimeStamp
token[6].format=yyyy-MM-dd HH\:mm\:ssz
token[7].name=Token7
token[7].type=String

# mappings
event.deviceCustomString1=Token0
event.deviceHostName=Token1
event.externalId=Token2
event.name=Token3
event.message=Token4
event.startTime=Token5
event.endTime=Token6
event.requestUrl=Token7
event.deviceVendor=stringConstant("ICS2")
event.deviceProduct=stringConstant("OnGuard")

#severity.map.veryhigh.if.deviceSeverity=1,2
severity.map.high.if.deviceSeverity=HIGH
severity.map.medium.if.deviceSeverity=MEDIUM
severity.map.low.if.deviceSeverity=LOW
severity.map.verylow.if.deviceSeverity=INFO

2.21.2.4. ArcSight agent.properties File

Example agent.properties file, from the following location: /opt/arcsight/connectors/[connector directory]/current/user/agent/agent.properties

#ArcSight Properties File
#Fri Apr 08 22:28:12 BST 2016
agents.maxAgents=1
agents[0].AgentSequenceNumber=0
agents[0].configfile=onguard
agents[0].destination.count=1
agents[0].destination[0].agentid=3dfzD91MBABDtvfjvZeFjZw\=\=
agents[0].destination[0].failover.count=0
agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n <Parameter Name\="host" Value\="arcsight.es-sa-b1.test"/>\n <Parameter Name\="aupmaster" Value\="false"/>\n <Parameter Name\="filterevents" Value\="false"/>\n<Parameter Name\="port" Value\="8443"/>\n<Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n</ParameterValues>\n
agents[0].destination[0].type=http
agents[0].deviceconnectionalertinterval=60000
agents[0].enabled=true
agents[0].entityid=3dfzD91MBABDtvfjvZeFjZw\=\=
agents[0].extractfieldnames=
agents[0].extractregex=
agents[0].extractsource=File Name
agents[0].fcp.version=0
agents[0].fixedlinelength=-1
agents[0].followexternalrotation=true
agents[0].id=3dfzD91MBABDtvfjvZeFjZw\=\=
agents[0].internalevent.filecount.duration=-1
agents[0].internalevent.filecount.enable=false
agents[0].internalevent.filecount.minfilecount=-1
agents[0].internalevent.filecount.timer.delay=60
agents[0].internalevent.fileend.enable=true
agents[0].internalevent.filestart.enable=true
agents[0].logfilename=/opt/arcsight/connectors/syslogfiledata/OnGuardSyslogExample.txt
agents[0].maxfilesize=-1
agents[0].onrotation=RenameFileInTheSameDirectory
agents[0].onrotationoptions=processed
agents[0].persistenceinterval=0
agents[0].preservedstatecount=10
agents[0].preservedstateinterval=30000
agents[0].preservestate=false
agents[0].roationonlywheneventexists=false
agents[0].rotationdelay=30
agents[0].rotationscheme=None
agents[0].rotationsleeptime=10
agents[0].startatend=false
agents[0].type=sdkfilereader
agents[0].unparsedevents.log.enabled=true
agents[0].usealternaterotationdetection=false
agents[0].usefieldextractor=false
agents[0].usenonlockingwindowsfilereader=false
remote.management.second.listener.port=10051
remote.management.ssl.organizational.unit=vRTB91MBABCAASNGV81kQQ
server.base.url=https\://arcsight.es-sa-b1.test\:8443
server.registration.host=arcsight.es-sa-b1.test

2.21.2.5. Additional Configuration Files
2.21.2.5.1. Map File

Create a file containing the text below, and copy this file to /opt/arcsight/[connector directory]/current/user/agent/map/map.1.properties

Note: If a map.1.properties file already exists, increment the suffix as needed (e.g., map.2.properties).

!Flags,CaseSens-,Overwrite
regex.event.name,set.event.deviceVendor,set.event.deviceProduct
.*On-Guard.*,ICS2,OnGuard
.*OnGuard.*,ICS2,OnGuard

2.21.2.5.2. Categorization File

Create a .csv file containing the text below, and copy this file to /opt/arcsight/[connector directory]/current/user/agent/acp/categorizer/current/[deviceproduct]/deviceproduct.csv

event.deviceProduct,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
OnGuard,/Host,/Found,/Traffic Anomaly,/IDS/Network,/Informational,/Attempt

2.21.3. RS2 Access It! Universal.NET

2.21.3.1. Review Data Source
  1. Review the relevant fields in Access It!ʼs Microsoft SQL Server Management Studio.

Figure 2-88 Access It! SQL Table

  2. Review the data in RS2’s Access It! application.

Figure 2-89 Access It! Application Window

2.21.3.2. Install/Configure Custom ArcSight FlexConnector
  1. On the Access It! server, follow ArcSightʼs instructions for installing a Microsoft Windows-based Flex Connector, and specify the Time Based Database option [1].
  2. Copy the custom FlexConnector configuration files to the appropriate locations. See Sections 6-8 of cyberlens-syslog-configuration-v2_3.docx.
  3. Start the Connector service via the Windows Administrative Tools > Services control panel item.
2.21.3.3. Custom Parser — ArcSight FlexConnector Parser

This parser will allow ArcSight to query the RS2 Access It! SQL database for door controller event data.

  1. Create a file containing the text below, and copy this file to the connector installation directory.
  2. Example location: C:\ArcSight\FlexConnector\user\agent\flexagent\RS2AccessIt

Figure 2-90 Example Location

# Flex Connector for RS2 AccessIt Door Controller MS SQL Database
version.id=1.0
version.order=0
version.query=SELECT Max(EventDate) FROM Events

# Pull events from which time period
lastdate.query=SELECT Max(EventDate) FROM Events

additionaldata.enabled=true

# Database Query
query=SELECT Events.EventID, Events.EventDate, Events.SourceType, Events.EventType, Events.EventDescriptionID, Events.EventLocationID, EventDescriptions.EventDescription \
  FROM Events \
  LEFT OUTER JOIN EventDescriptions ON Events.EventDescriptionID = EventDescriptions.EventDescriptionID \
  WHERE Events.EventDate > ? \
  ORDER BY Events.EventDate

# gets all the day's events once, and no new events
#timestamp.field=Events.EventDate
# gets events every time a new event occurs
timestamp.field=EventDate
uniqueid.fields=EventDescription,EventLocation,LocationLink

# DB Column Mapping
event.deviceEventClassId=concatenate(EventDescription,":",EventID)
event.externalId=EventID
event.endTime=EventDate
event.name=EventDescription
#event.message=EventLocation
event.deviceCustomString1=SourceType
event.deviceCustomString2=EventType
event.deviceCustomString3=EventDescriptionID
event.deviceCustomString4=EventLocationID
#event.deviceCustomString5=LocationLink

# Constants Mapping
event.deviceVendor=stringConstant(RS2)
event.deviceProduct=stringConstant(AccessIt)
event.deviceCustomString1Label=stringConstant(SourceType)
event.deviceCustomString2Label=stringConstant(EventType)
event.deviceCustomString3Label=stringConstant(EventDescriptionID)
event.deviceCustomString4Label=stringConstant(EventLocationID)
#event.deviceCustomString5Label=stringConstant(LocationLink)

# Severity Mapping
event.deviceSeverity=EventDescription
severity.map.veryhigh.if.deviceSeverity=Door Forced Open,Door Held Open
severity.map.high.if.deviceSeverity=Power Loss,Comm Fail,Shutdown
severity.map.medium.if.deviceSeverity=Door Closed,Door Open,Startup
#severity.map.low.if.deviceSeverity=Low

2.21.3.4. ArcSight agent.properties File
  1. Modify the agent.properties file settings as needed based on the example below.
  2. Replace the database connection string/URL (the agents[0].url line below) to suit the environment (refer to the section above).

Figure 2-91 Example String/URL

#ArcSight Properties File
#Thu Jul 28 17:02:44 EDT 2016
agents.maxAgents=1
agents[0].AgentSequenceNumber=0
agents[0].JDBCDriver=com.microsoft.sqlserver.jdbc.SQLServerDriver
agents[0].configfolder=RS2AccessIt
agents[0].database=Default
agents[0].dbcpcachestatements=false
agents[0].dbcpcheckouttimeout=600
agents[0].dbcpidletimeout=300
agents[0].dbcpmaxcheckout=-1
agents[0].dbcpmaxconn=5
agents[0].dbcpreap=300
agents[0].dbcprowprefetch=-1
agents[0].destination.count=1
agents[0].destination[0].agentid=3B+tGM1YBABDj2XjY9XWuyg\=\=
agents[0].destination[0].failover.count=0
agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n<Parameter Name\="aupmaster" Value\="false"/>\n<Parameter Name\="port" Value\="8443"/>\n<Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n<Parameter Name\="host" Value\="arcsight.es-sa-b1.test"/>\n<Parameter Name\="filterevents" Value\="false"/>\n</ParameterValues>\n
agents[0].destination[0].type=http
agents[0].deviceconnectionalertinterval=60000
agents[0].enabled=true
agents[0].entityid=YdZKM1YBABCAAwkPuy5kNg\=\=
agents[0].fcp.version=0
agents[0].frequency=45
agents[0].id=3B+tGM1YBABDj2XjY9XWuyg\=\=
agents[0].initretrysleeptime=60000
agents[0].jdbcquerytimeout=-1
agents[0].jdbctimeout=240000
agents[0].loopingenabled=false
agents[0].password=OBFUSCATE.4.8.1\:tN7+FHyJvO5qkdFrnyHeng\=\=
agents[0].passwordchangeingcharactersets=UPPERCASE\=ABCDEFGHIJKLMNOPQRSTUVWXYZ,LOWERCASE\=abcdefghijklmnopqrstuvwxyz,NUMBER\=01234567890,SPECIAL\=+-\!@\#$%&*()
agents[0].passwordchangingcharactersetdelimiter=,
agents[0].passwordchangingenabled=false
agents[0].passwordchanginginterval=86400
agents[0].passwordchanginglength=16
agents[0].passwordchangingtemplate=UPPERCASE,NUMBER,SPECIAL,UPPERCASE|LOWERCASE|NUMBER,UPPERCASE|LOWERCASE|NUMBER|SPECIAL
agents[0].persistenceinterval=1
agents[0].preservedstatecount=10
agents[0].preservedstateinterval=30000
agents[0].preservestate=true
agents[0].rotationtimeout=30000
agents[0].startatend=true
agents[0].type=sdktbdatabase
agents[0].unparsedevents.log.enabled=false
agents[0].url=jdbc\:sqlserver\://10.100.2.102\:1433;databasename\=AIUEvents_20160607062103
agents[0].useconnectionpool=true
agents[0].user=OBFUSCATE.4.8.1\:LkwoJdKuWx8CDMiRZv4Qpg\=\=
remote.management.second.listener.port=10050
remote.management.ssl.organizational.unit=rE09M1YBABCAAQkPuy5kNg
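The following is an added Python simulation (not the ArcSight sdktbdatabase connector's own code) of how the RS2AccessIt parser and agent.properties above poll the Events table: lastdate.query seeds the watermark when startatend=true, the parameterized query fetches only rows newer than the watermark, timestamp.field=EventDate advances it, and the column, constant and severity mappings build each event. An in-memory SQLite database with constructed rows stands in for the Access It! SQL Server database; the table layout is an assumption inferred from the query.

```python
import sqlite3

# Queries taken from the RS2AccessIt FlexConnector properties file above;
# SQLite accepts them unchanged when EventDate is stored as ISO text.
LASTDATE_QUERY = "SELECT Max(EventDate) FROM Events"
EVENT_QUERY = """
SELECT Events.EventID, Events.EventDate, Events.SourceType, Events.EventType,
       Events.EventDescriptionID, Events.EventLocationID, EventDescriptions.EventDescription
  FROM Events
  LEFT OUTER JOIN EventDescriptions ON Events.EventDescriptionID = EventDescriptions.EventDescriptionID
 WHERE Events.EventDate > ?
 ORDER BY Events.EventDate
"""
# timestamp.field=EventDate names the result-set column that moves the
# watermark; the column comes back as "EventDate", not "Events.EventDate".
TIMESTAMP_FIELD = "EventDate"
EPOCH = "0000-00-00 00:00:00"  # floor used when startatend=false

# severity.map.<level>.if.deviceSeverity=<EventDescription values>
SEVERITY_MAP = [
    ("veryhigh", {"Door Forced Open", "Door Held Open"}),
    ("high", {"Power Loss", "Comm Fail", "Shutdown"}),
    ("medium", {"Door Closed", "Door Open", "Startup"}),
]


def map_severity(description):
    return next((lvl for lvl, vals in SEVERITY_MAP if description in vals), "unknown")


def to_event(rec):
    """Apply the DB column, constant and severity mappings to one row."""
    desc = rec["EventDescription"]
    return {
        "deviceEventClassId": f"{desc}:{rec['EventID']}",  # concatenate(EventDescription,":",EventID)
        "externalId": rec["EventID"],
        "endTime": rec["EventDate"],
        "name": desc,
        "deviceCustomString1": rec["SourceType"],
        "deviceCustomString2": rec["EventType"],
        "deviceCustomString3": rec["EventDescriptionID"],
        "deviceCustomString4": rec["EventLocationID"],
        "deviceVendor": "RS2",
        "deviceProduct": "AccessIt",
        "deviceSeverity": desc,
        "agentSeverity": map_severity(desc),
    }


class TimeBasedReader:
    """Incremental poller in the style of agents[0].type=sdktbdatabase."""

    def __init__(self, conn, start_at_end=True):
        conn.row_factory = sqlite3.Row  # rows addressable by column name
        self.conn = conn
        # agents[0].startatend=true: seed the watermark with lastdate.query so
        # rows already in the table are not replayed; otherwise use the floor.
        self.watermark = (conn.execute(LASTDATE_QUERY).fetchone()[0] or EPOCH) if start_at_end else EPOCH

    def poll(self):
        # The watermark is bound as a "?" parameter, never concatenated into
        # the SQL text, so the connector itself cannot become an injection path.
        events = []
        for rec in self.conn.execute(EVENT_QUERY, (self.watermark,)).fetchall():
            events.append(to_event(rec))
            self.watermark = rec[TIMESTAMP_FIELD]  # rows arrive in EventDate order
        return events


def build_sample_db():
    """Constructed stand-in for the Access It! database (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE EventDescriptions (EventDescriptionID INTEGER, EventDescription TEXT);
        CREATE TABLE Events (EventID INTEGER, EventDate TEXT, SourceType INTEGER,
            EventType INTEGER, EventDescriptionID INTEGER, EventLocationID INTEGER);
        INSERT INTO EventDescriptions VALUES (1, 'Door Open'), (2, 'Door Forced Open'), (3, 'Comm Fail');
        INSERT INTO Events VALUES (100, '2016-07-28 16:58:00', 1, 1, 1, 7),
                                  (101, '2016-07-28 17:00:30', 1, 1, 2, 7);
    """)
    return conn


def demo():
    """Three polls from the floor: the backlog, one newly inserted row, then nothing."""
    conn = build_sample_db()
    reader = TimeBasedReader(conn, start_at_end=False)
    first = reader.poll()
    conn.execute("INSERT INTO Events VALUES (102, '2016-07-28 17:02:44', 2, 1, 3, 7)")
    second = reader.poll()
    third = reader.poll()
    return first, second, third
```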
2.21.3.5. Categorization File
  1. Create a .csv file containing the fields below, and copy this file to the appropriate folder: C:\ArcSight\<connector directory>\current\user\agent\acp\categorizer\current\rs2accessit\rs2accessit.csv

Figure 2-92 Categorization File Fields

3. Test Cases/Alert Configurations

This section shows filters used in ArcSight for the test cases as well as descriptions of test case alerts.

3.1. ArcSight Filters

The following sections describe the creation of filters and what filters were used in the build.

3.1.1. Filter Creation

ArcSight content is composed of many parts. A primary component in all content is the ArcSight filter. Use the following steps to create a filter:

  1. Go to the ArcSight navigation pane on the left.
  2. Select Filters from the drop-down menu.
  3. Right-click on a folder location.
  4. Select New Filter from the pop-up menu.

Figure 3-1 Create New Filter

  5. Right-click Event in the right pane of the Edit Window.
  6. Select New Condition from the pop-up menu.

Figure 3-2 Create Conditions (Logic)

  7. Next, begin constructing the conditions with which to query the ArcSight database.

Note: It is customary to create a central folder to house ArcSight content and allow it to be shared by groups of users. Once content (such as filters) has been tested, it can then be copied or moved to the group (shared) folder. Permissions can be set on the folder to control access as needed.

Shown below are ArcSight Filters that were created to support the Situational Awareness Test Cases.

Figure 3-3 Bro Filter

Figure 3-4 Dragos CyberLens Filter

Figure 3-5 ICS2 On-Guard Filter

Figure 3-6 Windows Log Filter for OSI PI Historian

Figure 3-7 Radiflow iSID Filter

Figure 3-8 RS2 Access It! Filter

Figure 3-9 RSA Archer Filter

Figure 3-10 Waratek Filter

Below are filters that were created to match against conditions based on …

  • direction of network activity
  • awareness of Security Zones (OT versus non-OT)

Figure 3-11 OT Cross-Boundary Filter

Figure 3-12 OT Inbound Filter

Figure 3-13 OT Outbound Filter

3.1.2. ArcSight Test Cases

Shown below are additional filters that were built to support the SA Test Cases. Also shown are examples of Dashboards and Data Monitors that use these filters.

Figure 3-14 SA-1 - OT-Alerts Filter

Figure 3-15 SA-1 - OT and PACS Dashboard

Figure 3-16 SA-1 OT and PACS Active Channel

Figure 3-17 SA-2 - IT to OT AppAttack Filter

Figure 3-18 SA-2 OT-comms-with-non-OT Filter

Figure 3-19 SA-2 SQL Injection Dashboard

Figure 3-20 SA-2 SQL Injection Active Channel

Figure 3-21 SA-3 - FailedLogins Filter

Figure 3-22 SA-3 OT to IT or OT BadLogins Filter

Figure 3-23 SA-3 OT-to-IT or FailedLogins Dashboard

Figure 3-24 SA-3 OT-to-IT or FailedLogins Active Channel

Figure 3-25 SA-4 Anomaly Detection Filter

Figure 3-26 SA-4 Anomaly Detection Dashboard

Figure 3-27 Anomaly Detection Active Channel

Figure 3-28 SA-5 ConfigMgnt Filter

Figure 3-29 SA-5 ConfigMgmt Filter

Figure 3-30 SA-5 Master Filter

Figure 3-31 SA-5 Configuration Changes Dashboard

Figure 3-32 SA-5 Configuration Changes Active Channel

Figure 3-33 SA-6 RogueDevice Filter

Figure 3-34 SA-6 Rogue Device Dashboard

Figure 3-35 SA-6 Rogue Device Active Channel

3.2. Test Cases

Below are descriptions of test cases as matched to Section 3.6, Situational Awareness Test Cases, of NIST SP 1800-7B.

3.2.1. SA-1 Event Correlation for OT and PACS

This test case focuses on the possibility of correlated events occurring that involve OT and PACS and that might indicate compromised access.

3.2.1.1. Events
  1. Technician accesses substation/control station.
  2. OT device goes down.
3.2.1.2. Desired Outcome

Alert of anomalous condition and subsequent correlation to PACS to see who accessed facility

3.2.1.3. ArcSight Content
  1. OT network Zones
  2. Filter for OT network Zones
  3. Filters for OT/IT inbound, outbound, and cross-boundary communications
  4. Filter for RS2 Door Controller events
  5. Filter for CyberLens or iSID events
  6. Active List for RS2 Door Controller events with time threshold
  7. Rule to add RS2 Door Controller filter events to Active List
  8. Data Monitor and Dashboard to display results of the above

3.2.2. SA-2 Event Correlation for OT and IT

The enterprise (IT) Java application communication with an OT device (historian) is used as a vector for SQL injection (SQLi), which also includes data exfiltration attempts.

3.2.2.1. Events

Detection of SQLi attack on IT device interconnected with OT device

3.2.2.2. Desired Outcome

Alert sent to SIEM on multiple SQLi attempts

3.2.2.3. ArcSight Content
  1. filter for Waratek events (intended to monitor for SQLi against the OSIsoft PI Historian)
  2. filter to combine Waratek and OT/IT inbound communications filters
  3. Data Monitor and Dashboard to display results of the above

3.2.3. SA-3 Event Correlation for OT and IT/PACS and OT

Unauthorized access attempts are detected, and alerts are triggered based on connection requests from a device on the SCADA network destined for an IP that is outside the SCADA IP range. This test case focuses on the possibility of a malicious actor attempting to gain access to an OT device via the enterprise (IT) network. This test case is also relevant in a PACS-OT scenario, in which someone has physical access to an OT device but lacks the necessary access to perform changes to the device, and alerts are sent based on numerous failed login attempts.

3.2.3.1. Events

Inbound/outbound connection attempts from devices outside authorized and known inventory

3.2.3.2. Desired Outcome

Alert to SIEM showing IP of unidentified host attempting to connect, or of identified host attempting to connect to unidentified host

3.2.3.3. ArcSight Content
  1. Use OT network Zones (as defined in SA-1 content).
  2. Use filter for OT network Zones (as defined in SA-1 content).
  3. Filter for events from OT network Zone to/from a different Zone
  4. Filters for authorization and authentication failures
  5. Filter for authorization or authentication failures, or outbound events
  6. Data Monitor and Dashboard to display results of the above

3.2.4. SA-4 Data Infiltration Attempts

Examine the behavior of systems, and configure the SIEM to alert on behavior that is outside the normal baseline. Alerts can be created emanating from OT, IT, and PACS. This test case seeks alerting based on behavioral anomalies rather than recognition of IP addresses, and guards against anomalous or malicious inputs.

3.2.4.1. Events

Anomalous behavior falling outside defined baseline

3.2.4.2. Desired Outcome

Alert sent to SIEM on any event falling outside of what is considered normal activity based on historical data

3.2.4.3. ArcSight Content
  1. Use OT network Zones.
  2. Use Filter for OT network Zones.
  3. Filter for ICS2 OnGuard events or events with a Category of Traffic Anomaly (e.g., as defined in Dragos Security CyberLens ArcSight FlexConnector/Categorizer files).
  4. Data Monitor and Dashboard to display results of the above

3.2.5. SA-5 Configuration Management

An alert will be created to notify the SIEM of unauthorized (inadvertent or malicious) uploading of an ICS network device configuration. The detection method will be primarily based on inherent device capability (i.e., log files).

3.2.5.1. Events

Configuration change on Tofino FW, Cisco 2950

3.2.5.2. Desired Outcome

Alert will be created to notify SIEM that this has occurred.

3.2.5.3. ArcSight Content
  1. Filter for any of the following:
    1. ArcSight Category events:
      1. /Modify/Configuration
      2. /Found/Misconfigured
      3. tftp protocol
      4. tftp port
  2. Filter for following ArcSight Category Device Groups:
    1. /Firewall
    2. /Network Equipment
    3. /VPN
    4. /IDS
    5. or Category Object:
      1. /Network
  3. Data Monitor and Dashboard to display results of the above

3.2.6. SA-6 Rogue Device Detection

Alerts are triggered by the introduction of any device onto the ICS network that has not been registered with the asset management capability in the build.

3.2.6.1. Events

Unidentified device appears on ICS network.

3.2.6.2. Desired Outcome

Alert will be created to notify the SIEM that this has occurred.

3.2.6.3. ArcSight Content
  1. Specific Asset definitions for all known ICS devices (grouped by OT Zones)
  2. Filter to detect presence of any “non-ICS” devices (not in Asset lists).
  3. Filter for CyberLens events alerting on “new” hosts.
  4. Data Monitor and Dashboard to display results of the above

Appendix A       Acronyms

ASP Active Server Pages
CA Certificate Authority
CRADA Cooperative Research and Development Agreement
E1 Siemens RUGGEDCOM RX1400
E4 OSIsoft Pi Historian
E5 OnGuard
E6 ConsoleWorks
E7 RS2 Access IT!
E8 CyberLens Server
E9 Siemens RUGGEDCOM CROSSBOW
E10 Waratek Runtime Protection
E12 Hewlett Packard Enterprise ArcSight
E13 RSA SecOps
EACMS Electronic Access Control and Monitoring System
ESM Enterprise Security Manager
FQDN Fully Qualified Domain Name
FTP File Transfer Protocol
HDD Hard Disk Drive
HPE Hewlett Packard Enterprise
ICS Industrial Control System(s)
ICU Interface Configuration Utility
IDS Intrusion Detection System
IIS Internet Information Services
IP Internet Protocol
IPSec IP Security
ISAPI Internet Server Application Programming Interface
IT Information Technology
LDAP Lightweight Directory Access Protocol
LTS Long-Term Support
NAT Network Address Translator
NCCoE The National Cybersecurity Center of Excellence
NERC CIP North American Electric Reliability Corporation Critical Infrastructure Protection
NIC Network Interface Controller
NIST National Institute of Standards and Technology
O1 Siemens RUGGEDCOM RX1501
O2 Waterfall Security Solutions, Ltd. Unidirectional Security Gateway
O3 Schneider Electric Tofino Firewall
O4 RS2 Door Controller
O5 TDi Technologies ConsoleWorks
O8 OSIsoft Pi Historian
O9 TDi Technologies ConsoleWorks
O10 CyberLens Sensor
O11 Radiflow iSID
O13 OSIsoft Citect Interface software
O14 Radiflow 3180 Firewall
O15 Cisco 2950 Network Switch
O16 IXIA Full Duplex Taps
O17 Waterfall Secure Bypass Switch
O18 Schneider Electric Tofino Firewall
O20 Schneider Electric Tofino Firewall
ODBC Open Database Connectivity
OPC Open Platform Communication
OT Operational Technology
OVA Open Virtual Appliance
PAC Physical Access Control
PACS Physical Access Control Systems
PDP Policy Decision Point
PEP Policy Enforcement Point
RDP Remote Desktop Protocol
RHEL Red Hat Enterprise Linux
RMF Risk Management Framework
SA Situational Awareness
SAC Station Access Controller
SCADA Supervisory Control and Data Acquisition
SCP Secure Copy Protocol
SIEM Security Information and Event Management
SP Special Publication
SQL Structured Query Language
SQLi Structured Query Language Injection
U1 Citect SCADA System
UDP User Datagram Protocol
UMD University of Maryland
vCPU Virtual Central Processing Unit
VNC Virtual Network Computing
VPN Virtual Private Network
WAN Wide Area Network

Appendix B       References


[1] Micro Focus. HPE ArcSight SmartConnector User Guide – Hewlett Packard Software Community. Available: https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-SmartConnector-User-Guide-7-12-0/ta-p/1586784.