Today's manufacturers must protect their resources from multiple threats

Industrial security is now much more complex than using guards to patrol the fence. Today's manufacturers must protect their resources from multiple threats. Terry Dalby explains

On 9 June 2001, Los Angeles Times staff writer Dan Morain reported that hackers had attacked the network that controls power distribution throughout California and much of the western US. Apparently they did not gain access to the most sensitive area of the network, but it was still a significant threat. If they had been able to control the flow of power to homes and businesses, anything could have happened.

Few manufacturers have backup generators. If the hackers had been able to switch power on and off arbitrarily, this could have damaged expensive equipment as well as disrupting production schedules.

California is the world's fifth largest economy, so this hacker attack had major financial implications. But it is just an example of the new threats we are facing today.

If you use the internet in any way to conduct business, you are vulnerable to an attack. Manufacturers must consider every possible threat to their facilities, technologies, and assets. And these threats come from all directions. Competitors and bored hackers looking for a new challenge are just the obvious ones.

Network security
There are many different network security tools. Each was developed as a result of a specific type of threat. Some tools try to keep the bad people out. They include firewalls, filtering routers, access control systems, and card scanners. Other tools look to see if a bad person has got in. Host-based and network-based intrusion detection systems (IDS) and anti-virus scanners (AV) fit this group.

There is a third type of tool that tries to protect your data while it is still in your network and when you send it through the internet. This group includes virtual private network devices (VPNs) and encryption.

The problem with these tools is that they do not share information with each other well. Each does an excellent job in its particular area, but is ignorant of other security systems.

This forces administrators to watch multiple screens to track events. The result is that we do not really manage the network's security. Instead we manage several devices that collect data but do not give us a real view of our security situation.

Companies need to be able to treat their network security as a single system. They can do this by taking a new approach, based on a consolidated methodology - a 'security manager'. Like a network manager, a security manager collects information from all the point tools, consolidates and correlates events and presents them to operators in an efficient format.

This new methodology builds on the investment made in security tools, essentially by allowing the separate tools to share data so the security engineer can react in real time.

Security management
At the core of this new methodology lies a graphical rules engine. As events occur in the network, rules control how the data flows through the manager. My own company's security manager uses a five-step approach to security management.

Step 1 – Collect, consolidate and correlate
The first step in making order out of chaos is to collect the data from all of the point tools into a single system. This means accepting data streams in several formats: SNMP (Simple Network Management Protocol) traps, syslog messages, SMTP (Simple Mail Transfer Protocol) messages, and XML over TCP/IP.

The consolidation results in a single database that contains the security events in the network.

Step 2 – Normalise the data
Each message contains information describing the event. This includes data such as the source address, the target address, and the type of event. Each tool, however, has its own structure and language. So this step translates the proprietary event codes into a common taxonomy. The normalised data allows the manager to see all login failures, whether they come from a Windows NT host, a Solaris host, or a Check Point firewall. Normalised data ensures consistency across point tools.

Step 3 – Classify and prioritise
Some events are more severe than others, and some assets are more important than others. For example, a ping flood causes greater concern than a dropped packet (unsolicited connection) on a firewall. Similarly, a financial server is more important than a user's workstation. The graphical rules engine must allow the operator to specify which events should be responded to first and which resources need to be watched most closely.

Step 4 – Analyse
This step uses the graphical rules engine to allow the operator to manipulate and analyse the event data. The rules should include a rich set of operators, each representing a specific mathematical, logical, temporal, or message function. It should be easy to create a rule by selecting an operator from the list of icons, dropping it on the page, connecting it with a line and setting a few attributes.

Step 5 – Respond
This step controls how the system responds to the event. It can be an automated 'shut down the port' command or a notification to the operator with a trouble ticket, an e-mail, a page, or through the network management system.

The event can be presented graphically (see Figure 1). This provides the operator with a more effective way to view security events. Events are grouped by source, threat type, and target. Related threats or threats to the same devices are grouped visually.
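The five steps above, worked through as a small added example (not Aprisma's code): a constructed feed of Windows NT, Solaris and firewall messages is consolidated, normalised into one taxonomy, prioritised by asset criticality, run through a temporal rule (repeated login failures from one source), and answered with a response action. All hostnames, addresses, event codes and severity weights are invented for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample feed (not real product output): (epoch seconds, source tool, payload).
RAW_EVENTS = [
    (1000, "nt", "Security: 529 Logon Failure user=alice host=nt-dc1 src=10.1.1.7"),
    (1003, "solaris", "sol-web1 sshd[412]: Failed password for bob from 10.1.1.7"),
    (1005, "checkpoint", {"action": "drop", "src": "10.1.1.7", "dst": "10.0.0.5", "service": "tcp/445"}),
    (1009, "nt", "Security: 529 Logon Failure user=carol host=nt-dc1 src=10.1.1.7"),
    (2800, "nt", "Security: 529 Logon Failure user=dave host=nt-dc1 src=10.1.2.9"),
]
# Step 2: each tool's own event code maps onto one common class and a base severity.
PATTERNS = {
    "nt": (re.compile(r"529 Logon Failure user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)"),
           "auth.login_failure", 3),
    "solaris": (re.compile(r"^(?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"),
                "auth.login_failure", 3),
}
ASSETS = {"nt-dc1": 5, "sol-web1": 3, "10.0.0.5": 4}  # Step 3: asset criticality (constructed)

def normalise(ts, tool, payload):
    """Step 2: translate one tool-specific message into the common event record."""
    if tool == "checkpoint":  # a dropped unsolicited connection is low severity on its own
        return {"ts": ts, "class": "fw.drop", "src": payload["src"],
                "target": payload["dst"], "severity": 1} if payload["action"] == "drop" else None
    pattern, cls, sev = PATTERNS[tool]
    m = pattern.search(payload)
    if not m:
        return None
    return {"ts": ts, "class": cls, "src": m["src"], "target": m["host"],
            "severity": sev, "user": m["user"]}

def prioritise(ev):
    """Step 3: priority = event severity weighted by the criticality of the target asset."""
    return ev["severity"] * ASSETS.get(ev["target"], 1)

def run_manager(raw_events, window=60, threshold=3):
    """Steps 1 to 5 in sequence; returns the consolidated store and the response actions."""
    store = sorted((e for e in (normalise(*r) for r in raw_events) if e), key=lambda e: e["ts"])
    responses, by_src = [], defaultdict(list)
    for ev in store:
        ev["priority"] = prioritise(ev)
        if ev["class"] != "auth.login_failure":
            continue
        hits = by_src[ev["src"]]  # Step 4: temporal rule, failures per source inside `window`
        hits.append(ev["ts"])
        while ev["ts"] - hits[0] > window:
            hits.pop(0)
        if len(hits) >= threshold:
            # Step 5: automated block when a high-priority asset is hit, otherwise a ticket.
            responses.append((ev["src"], "block_source" if ev["priority"] >= 15 else "open_ticket"))
            hits.clear()  # do not re-fire on the same burst
    return store, responses
```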

The impact
Today's network security professionals are taking a cue from their network management colleagues and relying on a consolidated management system. However, security management has different requirements and characteristics, and so requires an alternative management solution. Part of that solution is presenting the data in a way that suits the operator.

Terry Dalby is business development manager, Aprisma Management Technologies, Tel: 001 303 708 1061, E-mail: tdalby@aprisma.com