Logging and monitoring
Log and status data as feedback for security improvements
The early detection of security-relevant incidents, as well as of system errors and performance bottlenecks during operation or data transmission, depends to a large extent on adequate logging and monitoring.
In particular, log data and status information from the various areas, zones (processes) and conduits of your plant provide important information for all activities relating to security. They form the basis for decisions regarding the status of protection or necessary adjustments or extensions to security measures and policies.
A central function should consolidate and evaluate log data and status information from the entire plant. The results of this evaluation should be incorporated into the permanent risk management system so that a changing threat situation can be identified as quickly as possible and appropriate countermeasures initiated.
The evaluation of the log files and status information should be performed at regular intervals. A corresponding message/report should be generated as soon as a previously defined threshold value for a specific event is exceeded.
Logging: recording of events
The following list shows the events that should be logged.
- Operating system/firmware events on all PCs/devices in the network. This includes, for example, boot processes, state changes, CPU load, memory consumption as well as detected hardware errors (such as defective storage media) etc.
- Execution of applications.
- Events on all network devices, such as firewalls, switches, routers etc. This includes, for example, the loss of network connections, traffic load, performance etc.
- Intrusion/tampering attempts (detected, for example, by an Intrusion Detection System): systems and components should log any attempt of unauthorized access or tampering.
- Security-related log data should include the user name, date and time of any login to any component in your plant. If possible, also the commands executed by the user should be logged.
Phoenix Contact provides security-related logging on the PLCnext Technology controller: the user, date and time of the login to the controller as well as the executed commands, state changes, etc. are logged for evaluation/monitoring purposes.
Each log entry should be composed of the following information:
- When? Date and time of the event.
  Note: The time signal for synchronization should come from a trusted source. Time synchronization through a dedicated Network Time Protocol (NTP) service or via Precision Time Protocol (PTP, acc. to IEEE 1588) is recommended. NTP and PTP are worldwide industrial standards which enable the time synchronization of computers and other IT/OT components via an IP network (including the Internet).
- What? Description of what happened.
- Severity? How critical is the event in terms of security, system performance and maintenance of orderly operations?
- Who reports? Specification of the device/application reporting the event.
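The following Python script is an added example, not code from Phoenix Contact or from the PLCnext Technology controller. It shows how the two preceding recommendations fit together: every entry is parsed into the four fields above (When? / What? / Severity? / Who reports?) and a small set of threshold rules is then evaluated over the entries at regular intervals, producing a report as soon as a rule's threshold is exceeded. The line format, the rules, the thresholds and the log lines themselves are constructed for this example; entries whose timestamp carries no time zone are rejected, since timestamps from unsynchronized or unspecified clocks cannot be correlated across devices.

```python
"""Threshold evaluation over structured plant log entries (constructed example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines. The format is an assumption of this example:
#   <ISO-8601 timestamp with offset> <reporting device> <severity> <description>
SAMPLE_LOG = """\
2024-03-05T10:15:02Z plc-01 INFO login user=operator result=ok
2024-03-05T10:15:40Z plc-01 INFO cmd user=operator exec="plcnext.stop"
2024-03-05T10:16:01Z fw-01 WARNING vpn tunnel=site-b state=down
2024-03-05T10:16:05Z plc-01 WARNING login user=maint result=failed
2024-03-05T10:16:09Z plc-01 WARNING login user=maint result=failed
2024-03-05T10:16:14Z plc-01 WARNING login user=maint result=failed
2024-03-05T10:16:20Z plc-01 WARNING login user=maint result=failed
2024-03-05T10:17:00Z sw-02 ERROR link port=3 state=down
2024-03-05T10:30:00Z plc-01 WARNING login user=maint result=failed
"""

LINE_RE = re.compile(
    r"^(?P<when>\S+)\s+(?P<who>\S+)\s+(?P<severity>INFO|WARNING|ERROR|CRITICAL)\s+(?P<what>.+)$"
)


@dataclass(frozen=True)
class LogEntry:
    when: datetime   # When?  date and time, time-zone aware
    what: str        # What?  description of the event
    severity: str    # Severity?
    who: str         # Who reports?  device/application that reported the event


def parse_log(text: str) -> list:
    """Parse log text into LogEntry objects; reject malformed or zone-less lines."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a valid log entry: {line!r}")
        # "Z" is accepted by fromisoformat only from Python 3.11 on, so normalise it.
        when = datetime.fromisoformat(m["when"].replace("Z", "+00:00"))
        if when.tzinfo is None:
            raise ValueError(f"line {n}: timestamp without time zone: {m['when']!r}")
        entries.append(LogEntry(when, m["what"], m["severity"], m["who"]))
    return entries


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern"   # matched against the What? field; optional group "key"
    threshold: int          # report once more than this many matches fall in the window
    window: timedelta


@dataclass(frozen=True)
class Report:
    when: datetime
    rule: str
    reporter: str
    key: str
    count: int


# Constructed rules: a burst of failed logins per user and device, and any link/tunnel loss.
RULES = [
    Rule("repeated failed logins",
         re.compile(r"^login user=(?P<key>\S+) result=failed$"), 3, timedelta(minutes=5)),
    Rule("link/tunnel down",
         re.compile(r"^(?:vpn|link) .*state=down$"), 0, timedelta(minutes=1)),
]


def evaluate(entries, rules) -> list:
    """Sliding-window threshold check; one Report per burst that exceeds a rule's threshold."""
    reports = []
    for rule in rules:
        buckets = defaultdict(list)   # (reporter, key) -> timestamps inside the window
        for e in sorted(entries, key=lambda e: e.when):
            m = rule.pattern.match(e.what)
            if not m:
                continue
            key = (e.who, m.groupdict().get("key", ""))
            times = buckets[key]
            times.append(e.when)
            while times and e.when - times[0] > rule.window:   # drop expired timestamps
                times.pop(0)
            if len(times) > rule.threshold:
                reports.append(Report(e.when, rule.name, key[0], key[1], len(times)))
                times.clear()   # do not report the same burst again on the next hit
    return reports


if __name__ == "__main__":
    for r in evaluate(parse_log(SAMPLE_LOG), RULES):
        print(f"{r.when.isoformat()} {r.rule}: {r.reporter} key={r.key!r} count={r.count}")
```

On the constructed input the evaluation yields three reports: one burst of four failed logins for user `maint` on `plc-01` (the later single failure at 10:30 stays below the threshold), plus the VPN tunnel loss on `fw-01` and the link loss on `sw-02`. Splitting rules into a pattern, a threshold and a window keeps the list of what is logged (the events listed above) separate from what is reported, so thresholds can be adjusted without touching the parser.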
Monitoring the system state
- SNMP monitoring: System status information relating to, for example, the state of communication channels should be collected and evaluated (such as VPN up/down, number of users logged in, resource status etc.). Furthermore, e.g. traps sent (pushed) by an SNMP agent without being requested by the manager can be used for this purpose.
- The state of antivirus/malware protection (e.g. the signature database version in use) should be logged and reported.
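As an added example (not Phoenix Contact code, and using no real SNMP library), the script below evaluates the kind of status information this section describes: polled samples per device (VPN up/down, number of logged-in users, CPU load, antivirus signature database date) are checked both for state changes between consecutive polls and against thresholds on the latest sample, and unsolicited trap-style events are mapped to findings as well. The device names, sample values, thresholds and the `StatusSample` structure are constructed for this example; the trap names are the generic SNMPv2 notifications (`linkDown`, `linkUp`, `coldStart`, `warmStart`, `authenticationFailure`).

```python
"""Evaluation of polled status samples and pushed (trap-style) events; constructed example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class StatusSample:
    at: datetime
    device: str
    vpn_up: Optional[bool]             # None: device has no VPN tunnel
    users_logged_in: int
    cpu_load_pct: float
    av_signatures: Optional[datetime]  # date of the AV signature database, None: no AV


@dataclass(frozen=True)
class Finding:
    device: str
    kind: str     # "state-change", "threshold", "stale-av-signatures" or "trap"
    detail: str


# Constructed thresholds for this example.
MAX_USERS = 2
MAX_CPU_PCT = 90.0
MAX_SIGNATURE_AGE = timedelta(days=7)


def evaluate_status(samples, now: datetime) -> list:
    """Report VPN state transitions between polls and threshold violations on the latest poll."""
    findings = []
    latest = {}
    for s in sorted(samples, key=lambda s: s.at):
        prev = latest.get(s.device)
        if prev is not None and prev.vpn_up != s.vpn_up:
            findings.append(Finding(s.device, "state-change", f"vpn_up: {prev.vpn_up} -> {s.vpn_up}"))
        latest[s.device] = s
    for s in latest.values():
        if s.users_logged_in > MAX_USERS:
            findings.append(Finding(s.device, "threshold", f"users_logged_in={s.users_logged_in} > {MAX_USERS}"))
        if s.cpu_load_pct > MAX_CPU_PCT:
            findings.append(Finding(s.device, "threshold", f"cpu_load_pct={s.cpu_load_pct} > {MAX_CPU_PCT}"))
        if s.av_signatures is not None and now - s.av_signatures > MAX_SIGNATURE_AGE:
            age = (now - s.av_signatures).days
            findings.append(Finding(s.device, "stale-av-signatures", f"age={age} days > {MAX_SIGNATURE_AGE.days}"))
    return findings


# Severity assigned to the generic SNMPv2 notifications when an agent pushes them unrequested.
TRAP_SEVERITY = {
    "linkDown": "ERROR",
    "authenticationFailure": "WARNING",
    "coldStart": "WARNING",
    "warmStart": "INFO",
    "linkUp": "INFO",
}


def trap_to_finding(device: str, trap_name: str) -> Finding:
    """Unknown traps are still recorded (as INFO) rather than silently dropped."""
    severity = TRAP_SEVERITY.get(trap_name)
    if severity is None:
        return Finding(device, "trap", f"INFO: unknown trap {trap_name}")
    return Finding(device, "trap", f"{severity}: {trap_name}")


# Constructed samples: two polling rounds five minutes apart.
T0 = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
SIG_DATE = datetime(2024, 2, 20, tzinfo=timezone.utc)
SAMPLES = [
    StatusSample(T0, "fw-01", True, 1, 35.0, None),
    StatusSample(T0, "plc-01", None, 1, 40.0, SIG_DATE),
    StatusSample(T0 + timedelta(minutes=5), "fw-01", False, 1, 38.0, None),
    StatusSample(T0 + timedelta(minutes=5), "plc-01", None, 3, 95.0, SIG_DATE),
]
NOW = T0 + timedelta(minutes=6)

if __name__ == "__main__":
    for f in evaluate_status(SAMPLES, NOW) + [trap_to_finding("sw-02", "linkDown")]:
        print(f"{f.device} {f.kind}: {f.detail}")
```

On the constructed samples the evaluation reports the VPN tunnel on `fw-01` going from up to down, and three items for `plc-01` on its latest poll: three logged-in users, 95 % CPU load and a signature database that is 14 days old. Thresholds are only applied to the most recent sample per device so that a condition that persists across polls is reported once per evaluation run, while transitions are taken from the full sequence so that a tunnel that went down and came back between two runs is still visible.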