Collecting logs from Industrial Control Systems
Industrial Control Systems (ICS) is a generic term that refers to different types of control systems that operate and/or automate industrial processes. These systems consist of a combination of devices, software, and networks that together achieve an objective, such as manufacturing a product or the treatment of water.
SCADA (Supervisory Control and Data Acquisition) is the most significant subsystem of ICS that allows industrial organizations to:
- control industrial processes locally or remotely
- monitor, gather, and process real-time data
- achieve high-performance data archiving
- efficiently analyze process values (trends) and messages (alarm control)
- interact with a wide range of devices using extended communication infrastructure
Industries that rely heavily on ICS include Oil and Gas, Pharmaceutical, Petrochemical, Food and Beverage, Manufacturing, Power, Recycling, Transportation, Water and Wastewater, Mining.
There are many providers of ICS solutions for various industries, some of which are Siemens, Schneider Electric, ABB, General Electric, Yokogawa, Honeywell, Emerson, and Rockwell Automation, just to name some of the larger ones.
What are the log sources?
Similar to other networked computer systems, an ICS generates a wide variety of logs. These logs provide important real-time information that can be used to determine the health and security of the system that generated them. Logs come in different formats, some are channeled through Windows Event Log, while others are saved in text files or databases. Capturing the network activity between ICS components also provides useful information on the state of the system.
Challenges in logging from ICS
In Industrial Control Systems, the standardization and formatting of logs is not as mature as in conventional computer systems. It is common for a single system or component to generate a set of logs that are stored in the same directory, but are in a completely different format. This poses a significant challenge when it comes to collect and process these logs. Yet another challenge is the widespread use of industry-specific network protocols (Modbus, PROFINET, BACNET, S7 Protocol, IEC 60870-5-104, IEC-61850, etc.) that a singe ICS might use for interacting with various devices.
How can NXLog meet these challenges?
NXLog is a versatile log collection solution capable of collecting logs from diverse sources on ICS and SCADA systems.
Most ICS and SCADA systems provide logging through Windows Event Log. Each log source in Windows Event Log has a set of Event IDs associated with it. NXLog can filter and parse such logs based on Event IDs by using the im_msvistalog module, which collects logs using the native Windows Event Log API.
The majority of logs created by ICS and SCADA systems are text-based log files. NXLog provides the im_file module for collecting logs from files. This module has a vast number of configuration options, and together with the flexibility of the NXLog language, you can collect, parse, normalize, and forward any kind of log file created by an Industrial Control System.
With NXLog, you can also collect data from all major database systems, locally or remotely, with its im_odbc and im_dbi modules respectively. Additionally, NXLog can passively capture network traffic. The im_pcap module supports the major protocols used by ICS, such as Modbus, BACNET, S7 Protocol, IEC 60870-5-104, PROFINET, IEC-61850, DNP3, etc.
Currently supported ICS and SCADA systems
To see a detailed guide on how to collect logs from a specific ICS system, click on its logo below.
If you do not see your SCADA system here, it simply means that we have not gotten around to document it yet. However, you can still use NXLog to collect and process logs from it. If you would like to enquire about a specific SCADA system, please contact us and we would be happy to guide you.
Sending your ICS logs to their destination
This table contains links to documentation that will help you get started with sending logs from your SCADA system to your SIEM solution.
If your preferred destination is not on the list, it simply means that we have not gotten around to document it yet. However, it is likely that NXLog can still send logs to it. If you would like to enquire about a specific destination, please contact us and we would be happy to guide you.
Download White Paper
Industrial Control Systems and SCADA security
Aggregate ICS logs from multiple sources to any destination
With the highly configurable multiple input and output routing capabilities of NXLog, you can also set up a single NXLog agent to fulfill the most complex routing needs imaginable.
This highly simplified diagram of centralized logging shows that logs can be collected from different sources and forwarded to your SIEM or Log Analytics solution of choice.