Log in




Early Warning System for Industrial Control Systems

The Early Warning System for industrial control systems (SAT-ICS) is a service developed and implemented by the Information Security Incident Response Capacity of the National Cryptologic Center (CCN-CERT) for real-time detection of threats and incidents in the industrial control and supervision network traffic for the assigned agency. It is intended to detect different types of attack and threat patterns through traffic analysis, including traffic in industrial protocols thanks to DPI (Deep Packet Inspection).

Implementation requires installing an individual probe in the Agency's network, responsible for detecting and collecting the most relevant safety information and, after initial filtering, sending these safety events to the central system that makes a correlation among the different elements and between the different domains (organisms). Immediately thereafter, the attached Agency receives the corresponding warnings and alerts concerning any detected incidents.

The probe is a dedicated server that incorporates several detection and monitoring tools, including an Intrusion Detection System (IDS) and other specific purpose agents, both open source and commercial, and has two distinct network interfaces:

  • Analysis interface:Receives a copy of the organisation's traffic for analysis. This interface only reads offline traffic, without ever modifying it, and only when necessary to perform its function. Different options ensure that the probe does not bring traffic into the network through the monitoring interface: configuration at the switch itself, use of unidirectional cables, etc.
  • Management interface: connects securely to the central monitoring/correlation system over the Internet, using the Agency's infrastructure or a separate connection.

Figure 1. SAT-ICS arquitecture


What is a probe?

The probe is a high-performance server used to analyse network traffic for the assigned Agency, generate specific security events and transmit them securely to the central system. It consists of the following elements:

  • The management interface, which connects to the Agency's network to send events generated by the probe to the central SAT system.
  • The analysis interfaces, which receive the traffic to be analysed and have no IP address, are fully transparent to the network.
  • A Network Intrusion Detection System (NIDS), with specific detection rules from different sources (even specific for SCADA systems) and of its own creation.
  • A set of specific agents to detect anomalies in ICS environments, including an analysis of the network communications structure and the industrial protocol dissectors.
  • A collector of the detected events to send them to the Central System. This agent will initially be configured to analyse the events generated by the different detection tools that are incorporated.


Where is a probe installed?

The probe can be deployed at different points in the network within the Agency's infrastructure, typically in the industrial communications rings or in interconnections between the control, field and monitoring levels and their communications with the outside world.

The probe can be connected to different networks for differentiated monitoring, provided there are sufficient network interfaces available on the server (and in the network electronics) to perform this task. In each case, the ideal situation in which to install the probe will be studied with the Agency.


What is the central system?

The central system is responsible for collecting information from the different probes and correlating events to detect security incidents.

It is composed of different elements:

  • Event collector. This is in charge of receiving the events from the different systems to be analysed and sending them to the event bus from which the next element is fed.
  • Correlation engine. This is in charge of processing the information that arrives at the event bus. This part of the system implements correlation rules that decide whether or not a warning should be generated in response to the events received.
  • Single operator console. This allows analysis of the warnings generated after correlation of events received by the system.
  • Active control panel. This presents information related to the monitored processes and displays indicators.


Who monitors the central system?

The management, updating and maintenance of the central system are the responsibility of the CCN-CERT, which, with a team of experts in information security, carries out administration tasks, maturing the rules for detection and inclusion of possible new sources.


What characteristics should the server have?

There are two types of probes recommended depending on the characteristics of the industrial installation. Their hardware requirements for an adequate functioning are as follows:

1) Standard probe:


2) Mini probe:

The SAT-IC probe is to be used on little industrial systems where it is not possible to install the standard SAT-IC probe because of one or several of the following reasons:

      • There is not enough space to install the probe.
      • Special assembly requirements in rack (rail DIN, etc.).
      • Unfavourable environmental conditions (humidity, temperature, dust, etc.).
      • The traffic to be analysed does not exceed 5mbps throughput


How are events sent to the central system?

Events are transported securely through an encrypted tunnel via the Agency's Internet output to the Central System, thus guaranteeing the information's confidentiality and integrity. The connection between the individual probe and the central system can be established in two ways:

  • Connection of the probe to the Internet through the Internet infrastructure of the attached Agency.
  • Direct connection of the probe to an Internet connection independent of the Agency's network.


What information is sent to the central system?

The probes only send security alerts to the central system generated after detecting some type of event, defined in the detection rules within the system, and which match potentially harmful traffic patterns, known behaviour of certain types of malicious code or unusual or potentially dangerous uses of industrial control systems. At no time is the Agency's industrial traffic sent to the central system, thus maintaining privacy in communications.


What kind of attacks can the SAT-ICS service detect?

The purpose of the probe is to detect attacks on the Agency's industrial networks and to provide a rapid and effective response to incidents, although the detection work will focus mainly on detecting anomalous or potentially dangerous activity in the CSIs and on detecting intrusion attempts on these networks. The basis of the service lies in identifying situations that may pose a risk to the control infrastructure and in defining rules to detect them, based on knowledge of how this type of industrial system is operated.

One characteristic of the SAT-ICS system is that it can work with industrial protocols, also analysing the payload of the packets (Deep Packet Inspection or DPI) to identify the purpose of a given command: downloading or loading programs into PLCs, scanning the control network to identify the equipment that is part of it or sending potentially dangerous commands, for example. It is now possible to analyse the traffic of the main protocols used in this type of environment (Siemens S7COM, Omron FINS, Rockwell Ethernet IP, Modbus, IEC-60.870-104, DNP3, etc.) and new protocols are continuously added to the list. There is also the possibility of implementing analysis of specific protocols developed for an organisation.


What is the SAT portal?

The EWS portal is the place where staff responsible for cybersecurity in the attached Agency's CSIs get a real time view of the events generated by their probe and sent to the central system. It also provides access to the LUCIA tool that manages incidents detected by the probe and reported to the agency.

Similarly, it is also possible to access statistics and reports on the service offered by this Early Warning System.

Access to this portal is available to Agency staff once the probe has been installed and the Agency is attached to the Internet EWS.


Who manages the probe?

The probe is managed and administered by the technical staff of the CCN-CERT, to keep a system as homogeneous as possible. Management and administration tasks include daily updates of detection rules, operating system updates, application updates, application and operating system security patches, customisation of detection rules, etc.


Who will have access to my Agency's information?

Only the ICT security officers selected by the Agency for this purpose and the system administrators, i.e. the CCN-CERT expert team monitoring the central probe system, will have access to the information of the attached Agency. No other person will have access to this information. It is important to know that no Agency will have access to information from other agencies and will only be able to see the security status of its own network, although distributed event detection will be used to generate system intelligence in an automated manner.

In this sense, as in all matters within the competence of the National Cryptologic Centre, the policy will maintain confidentiality for the information being processed at all times.


Who can subscribe to this service?

Any organisation belonging to the public sector or to companies and organisations of strategic interest to the country that depend on ICS technologies for their operation can join the Early Warning System SAT-ICS, by contacting the CCN-CERT.


What information will I receive if I subscribe to the SAT-ICS service?

An Agency that is attached to the SAT-ICS Early Warning System will receive periodic service status reports. Among other information, reports include anomalous activity and attacks detected in each Agency, incidents managed over a period of time and a list of all unresolved incidents.

Similarly, it will receive an annual report that will include the probe activity during this period and indicators that will make it possible to assess both the service offered by the EWS and the Agency's response capacity in terms of resolving the security incidents.


How will I receive incident information?

To receive notification of incidents, the Agency attached to the SAT-ICS Early Warning System must have an e-mail account to receive notifications concerning security incidents. This email account should be unique and it is therefore recommended that the Agency should set up a mailing list so that all staff who are responsible for investigating security incidents will receive notifications.

Information regarding the security incidents detected by the technical staff of the CCN-CERT will be available in the LUCIA tool, which will be accessible to the Security Officers of the Agencies that have signed up to this service, where they will be able to follow up on the notified incidents and where they will be able to report on the actions taken to resolve them. LUCIA is the ticketing tool for security incident management developed by the CCN-CERT (more information about LUCIA can be found at https://www.ccn-cert.cni.es/herramientas-de-ciberseguridad/lucia.html).

Although information regarding security incidents reported to the Agency will be available in the LUCIA tool, in view of the possible need for information exchange regarding security incidents via e-mail, it will be necessary for the Agency to generate a PGP/GPG key pair to exchange information in encrypted form if necessary. Once the PGP/GPG keys associated with this e-mail account have been generated, the Agency must send the public key to the CCN-CERT in order to encrypt the information that it would like to send in encrypted form. Likewise, the CCN-CERT will provide the public key of the email account used for incident notification so that the Agency can also send you encrypted information if necessary.



More information (pdf)




Go back

Este sitio web utiliza cookies propias y de terceros para el correcto funcionamiento y visualización del sitio web por parte del usuario, así como la recogida de estadísticas. Si continúa navegando, consideramos que acepta su uso. Puede cambiar la configuración u obtener más información.Modificar configuración