Q&A ’15: Tesoro touts SIEM as cyber security solution for refineries

By Ben DuBose
Digital Editor

NEW ORLEANS, Louisiana -- The Security Event Information Management (SIEM) system adopted by US refiner Tesoro in 2010 has greatly enhanced the company's situational awareness toward cyber security, Tesoro's senior control system specialist said this week.

In a breakout session at the AFPM Q&A and Technology Forum on cyber security for industrial control systems, Tesoro's Terry Crain explained how the SIEM system has transformed his job for the better.

"I think it's a must," Crain said. "I remember in 2009 when I started, looking at computer after computer. I never want to deal with that again. SIEM is a must for intrusion detection because it allows for continuous monitoring of ICS systems' log files, and it can reduce detection time from weeks down to minutes."

In contrast to SIEM, the retention of data collected in firewall log files can be as short as 30 minutes. As a result, data can be lost before it is even evaluated, Crain explained.

In general, cyber security monitoring is very challenging due to the large amounts of data compiled. In fact, Crain compared it to finding a needle in a haystack. Specifically, Crain said an ICS with 250 devices typically collects roughly 8.7 million events in 24 hours.

While many of the logged events are normal, significant time is needed to process and analyze the data.

"SIEM monitors and alarms you of a potential cyber security event," Crain said. "It's analogous to how operations personnel can be alerted of abnormal conditions via alarms. It allows you to sift through large amounts of data and reduces the reaction time to a security event."

The SIEM works by monitoring various sources, such as Windows system logs, SNMP traps, virus scan results, DNS logs, and the firewall syslog. Correlations and rules are then used to find possible security events. From there, the SIEM alerts practitioners to abnormal events, generates reports for pattern analysis and puts events into a historical archive for further analysis.

The reporting by the SIEM is done in the format of dashboards and graphs, which can provide trends and patterns that will allow specialists to analyze and focus on specific areas of risk.

The challenging part of maintaining a SIEM system, however, is that control system specialists such as Crain must continually update the SIEM by listing what is normal/acceptable and filtering those things out. If an alarm is not a true cyber security event, then the SIEM configuration must be adjusted accordingly.

"It requires time to set up and define what is normal," Crain said. "You need to update the list with each added ICS component. But you also can't try to list what is abnormal, because in cyber security, you just never fully know what's out there."

While setting up the monitoring is easy, Crain says that creating the "whitelists" and changing the rules to eliminate data that is not of interest is extremely difficult and requires ongoing effort. Additionally, a significant upfront investment in the system is required.

Crain believes the extensive process is worthwhile, because it provides ICS system staff with a level of situational awareness that simply was not possible before.

To that end, Crain notes that the 8.7 million events gathered in one 24-hour sample were narrowed down to 158,000 events after the first round of whitelisting, representing a 98% total reduction.

"It's still a lot of events to manage," Crain said. "But the key is that it allows people like me, whose jobs are to deal with the alarms, to be more effective and more efficient."

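The whitelisting approach described above, sketched as an added Python illustration that is not from Tesoro or the article: events matching a known-normal rule are suppressed, everything else is surfaced, and hosts with no rule at all are flagged so the list can be updated when an ICS component is added. The event format, host names and rules are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample events, "<source> <host> <message>"; not real plant logs.
SAMPLE_EVENTS = [
    "firewall hmi-01 ACCEPT tcp 10.0.5.11 -> 10.0.5.20:502",
    "firewall hmi-01 ACCEPT tcp 10.0.5.11 -> 10.0.5.20:502",
    "windows eng-ws-02 EventID=4624 logon user=svc_historian",
    "dns hist-01 query time.plant.example A",
    "firewall hmi-01 DENY tcp 10.0.5.11 -> 203.0.113.7:443",
    "windows eng-ws-02 EventID=4625 failed logon user=admin",
    "windows plc-gw-09 EventID=4624 logon user=svc_historian",
]

# Hypothetical known-normal list: (rule name, source, host regex, message regex).
ALLOWLIST = [
    ("modbus-poll", "firewall", r"hmi-\d+", r"ACCEPT tcp \S+ -> 10\.0\.5\.\d+:502"),
    ("historian-logon", "windows", r"eng-ws-\d+", r"EventID=4624 .*user=svc_historian"),
    ("ntp-lookup", "dns", r"hist-\d+", r"query time\.plant\.example A"),
    ("backup-job", "windows", r"hist-\d+", r"EventID=4688 .*backup\.exe"),
]

def triage(events, allowlist):
    """Suppress events that match a known-normal rule; surface the rest."""
    rules = [(n, s, re.compile(h), re.compile(m)) for n, s, h, m in allowlist]
    hits = Counter({name: 0 for name, *_ in allowlist})
    alerts, uncovered = [], set()
    for line in events:
        source, host, message = line.split(" ", 2)
        if not any(h.fullmatch(host) for _, _, h, _ in rules):
            uncovered.add(host)  # new component: the list needs an update
        rule = next((n for n, s, h, m in rules if s == source
                     and h.fullmatch(host) and m.fullmatch(message)), None)
        if rule:
            hits[rule] += 1      # known-normal: filtered out
        else:
            alerts.append(line)  # not listed as normal, so it is surfaced
    stale = sorted(n for n, c in hits.items() if c == 0)  # rules that never fired
    return {"alerts": alerts, "suppressed": sum(hits.values()),
            "stale_rules": stale, "uncovered_hosts": sorted(uncovered)}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, ALLOWLIST))
```

Because the rules describe only what is normal, the denied outbound connection, the failed logon and the logon from the unlisted host all surface without any rule naming them as abnormal.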
