Detect: Difference between revisions

From CyberWiki
Revision as of 13:36, 30 October 2024

Detection Summary

Real-time detection uses detection tools to inform users of potential network anomalies that may indicate cyber security events. Its purpose is to help system operators stop a cyber event before it causes loss of equipment or compromises safety. Real-time detection typically involves:

  • utilizing monitoring and alerting tools to collect network data and events
  • aggregating and processing events
  • displaying events and potential vulnerabilities
  • notifying system users and operators of events

Key detection topics include:

  • Real-Time Detection
  • Network Scanning
  • Security Information and Event Management

Real-Time Detection

Real-time security monitoring and detection is a fundamental cyber security domain. It includes continuous monitoring of digital assets from both network-based and host-based sources to identify anomalies and threats as they occur. It minimizes the impact of a cyber event on operations should one occur, and it builds better knowledge of baseline operations. The real-time detection process includes Data Collection, Event Aggregation, Event Display and Notification, and Event Processing.

Challenges with real-time detection in power generation facilities include:

  • Host-based detection capability is limited for native real-time equipment such as programmable logic controllers and protective relays; agent-based solutions are typically not compatible with these OT devices.
  • Detection techniques such as active interrogation of devices may interfere with OT operation, and OT compatibility and warranty concerns may further limit deployment. This restricts detection mainly to passive solutions.

Current real-time detection key practices include:

  • Implemented through end-point detection, network-based detection, log collection and aggregation, and enterprise or OT security information and event management (SIEM) tools.
  • Capabilities include detection of multiple types of malicious activity (e.g., abnormal utilization, asset changes, file and configuration changes, malware, privilege changes, network flow, and topology changes) as well as event aggregation and processing.
  • Common endpoint and network detection methods are well-established in OT systems.
  • Cloud-based detection and third-party information-sharing tools were not prevalent in recent utility surveys.
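As an added example (not CyberWiki content), the script below runs the four steps of the real-time detection process, collection, processing, aggregation and notification, over constructed flow records of the kind a network tap or SPAN port on a control network would yield. It is entirely passive, which is the constraint the challenges above impose: no device is interrogated. The baseline asset list, addresses, the Modbus write function codes treated as sensitive, the "only the engineering workstation may write" rule and the scan threshold are all assumptions made for the illustration.

```python
"""Passive real-time detection pipeline over OT network flow records.

Added example, not CyberWiki code. Hosts, roles, flows and thresholds are
constructed for the illustration. Steps mirror the section: collection ->
processing -> aggregation -> notification. Nothing here touches a device.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Baseline (constructed): known assets on the control network, by IP and role.
BASELINE_ASSETS = {
    "10.0.1.10": "engineering-workstation",
    "10.0.1.20": "hmi",
    "10.0.2.5": "plc-feedwater",
    "10.0.2.6": "relay-gen1",
}
MODBUS_WRITE_CODES = {5, 6, 15, 16}   # write coil(s) / write register(s)
WRITE_ALLOWED_FROM = {"10.0.1.10"}    # assumption: only the EWS may write
SCAN_PORT_THRESHOLD = 5               # distinct dst ports from one source
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    func: Optional[int]  # Modbus function code when decoded, else None


@dataclass(frozen=True)
class Event:
    kind: str
    severity: str
    ts: int
    detail: str


def collect(text):
    """Collection: parse constructed CSV records 'ts,src,dst,dport,proto,func'."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, func = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(dport), proto,
                          None if func == "-" else int(func)))
    return flows


def process(flows):
    """Processing: derive asset-change, unauthorized-write and scan events."""
    events, unknown_seen = [], set()
    ports_by_src, first_ts = defaultdict(set), {}
    for f in flows:
        first_ts.setdefault(f.src, f.ts)
        for host in (f.src, f.dst):          # any host outside the baseline
            if host not in BASELINE_ASSETS and host not in unknown_seen:
                unknown_seen.add(host)
                events.append(Event("asset_change", "high", f.ts,
                                    f"unknown host {host} on control network"))
        if (f.proto == "modbus" and f.func in MODBUS_WRITE_CODES
                and f.src not in WRITE_ALLOWED_FROM):
            events.append(Event("unauthorized_write", "critical", f.ts,
                                f"Modbus fc{f.func} write from {f.src} to {f.dst}"))
        ports_by_src[f.src].add(f.dport)
    for src, ports in ports_by_src.items():  # port sweep seen passively
        if len(ports) >= SCAN_PORT_THRESHOLD:
            events.append(Event("scan", "medium", first_ts[src],
                                f"{src} contacted {len(ports)} distinct ports"))
    return events


def aggregate(events):
    """Aggregation: counts by kind and severity for the operator display."""
    return {"by_kind": dict(Counter(e.kind for e in events)),
            "by_severity": dict(Counter(e.severity for e in events))}


def notify(events, min_severity="high"):
    """Notification: alert lines at or above a severity, most severe first."""
    chosen = [e for e in events if SEVERITY[e.severity] >= SEVERITY[min_severity]]
    chosen.sort(key=lambda e: (-SEVERITY[e.severity], e.ts))
    return [f"[{e.severity.upper()}] t={e.ts} {e.kind}: {e.detail}" for e in chosen]


# Constructed sample: the HMI issues a register write it never should, and an
# unknown host appears and sweeps ports on two controllers.
SAMPLE_FLOWS = """\
# ts,src,dst,dport,proto,func
1730295000,10.0.1.20,10.0.2.5,502,modbus,3
1730295001,10.0.1.10,10.0.2.5,502,modbus,16
1730295002,10.0.1.20,10.0.2.5,502,modbus,6
1730295003,10.0.1.77,10.0.2.5,502,modbus,3
1730295004,10.0.1.77,10.0.2.5,22,tcp,-
1730295005,10.0.1.77,10.0.2.5,80,tcp,-
1730295006,10.0.1.77,10.0.2.5,443,tcp,-
1730295007,10.0.1.77,10.0.2.6,502,modbus,3
1730295008,10.0.1.77,10.0.2.6,20000,tcp,-
"""


def run(text=SAMPLE_FLOWS, min_severity="high"):
    events = process(collect(text))
    return events, aggregate(events), notify(events, min_severity)


if __name__ == "__main__":
    _, summary, alerts = run()
    print(summary)
    print("\n".join(alerts))
```

The write from the engineering workstation (function code 16) raises nothing because it matches the baseline rule; the same write from the HMI is the critical event. In a real deployment the baseline would be learned from a period of normal traffic rather than typed in, and the notification step would feed the SIEM rather than return strings, but the ordering of the steps and the fact that every signal is derived from observed traffic are what the section describes.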