Design and Configuration of IPS, IDS and SIEM in Industrial Control Systems
In recent years, some cybercriminals have focused their attacks on industrial infrastructures, where they are using new emerging and evolving techniques, and take advantage of vulnerabilities found in networks that are used in these environments and in particular in those that use the TO (technologies of operation) typical of an industrial environment.
In response to the utilisation of these possible vulnerabilities, architectures, techniques and systems that may detect and prevent these undue actions have been developed. This is how IDSs and IPSs appear, systems originally focused on the IT area, but which have evolved to be effective also in OT scenarios, incorporating the detailed knowledge of protocols and communications specific to industrial environments and TO.
-Security and architecture with IDS sensors-
In order to make life easier for cybersecurity personnel, SIEMs are also created. These are devices that will be responsible for collecting the events collected by the IDS and IPS, analysing them and signalize alerts that are previously configured in accordance to rules that process the received events allowing their aggregation and correlation.
-Linux distribution specialized in incident monitoring-
INCIBE has published a study where, in addition to provide background on above-mentioned technologies (IPS, IDS and SIEM) and the most common topologies in the field of industrial security, information on various software tools is also offered, tools that will allow the deployment of a complete and fully functional intrusion detection/prevention environment, as well as the management of the events generated.
The study, available in English and Spanish, can be downloaded from the following links: