In light of recent news stories about possible cyberattacks on the U.S. power grid, we are inclined to ponder over precautions we can take to prepare for such a scenario. If you are in the public utilities industry, this blog post is for you. But, if you’re not, don’t worry. We will cover some basic principles you can follow to get your organization ready before such a cyberattack occurs.
The 2015 Ukraine power grid hack is a well-documented cyberattack that offers some insight into the techniques attackers can use to infiltrate an organization’s IT infrastructure. The very first thing hackers did after gaining access via spear-phishing emails was to take control of their SCADA system. Once the SCADA system was breached, they were able to destroy data and disable critical infrastructure. NXLog Enterprise Edition not only provides centralized log aggregation of security events that it can forward to just about any SIEM to stay on top of malware, it can also collect logs from SCADA systems.
Some of the recent news stories warn of conventional, physical attacks on the grid, as well as indirect cyberattacks on electric vehicles that may be used to bring down the power grid. An IEEE Spectrum article from 2020 mentions how researchers discovered "that large numbers of EVs can be compromised remotely over the Internet and then manipulated to overload power system equipment."
Whatever the method, the intended results are similar and can be detected early on, provided centralized logging of SCADA events are being forwarded in real-time to a SIEM.
For those of us who are not on the frontlines of the war trying to protect the power grid, we can still prepare ourselves for the fallout should hackers achieve their dastardly goals. First of all, we have to come to terms with the fact that a cyberattack of this magnitude will have some negative impact on our normal business operations. So, we will have to focus on minimizing the effects. However, the good news is, it is highly unlikely that hackers would be able to successfully attack power grids simultaneously on multiple continents. If this does ever happen, we’ve probably got bigger problems than our data to worry about.
With the cloud-based services we have today, an international organization that conducts most of its business using web portals could very likely weather such a storm with minimal impact to their bottom line.
The big cloud providers offer computing services in multiple regions. Geo-redundancy of your computing and data resources is perhaps the single best way to ensure your assets will survive any natural or man-made catastrophe. Maintaining redundant servers in multiple geographical regions is a good investment if you consider the alternative. The loss of revenue resulting from just a 24-hour period can be difficult to recover from. This way, you do not have to suffer any significant losses should your public utilities company neglect to implement centralized logging of their SCADA system.
The cornerstone of threat detection is logging. Gone are the days of simply installing antivirus software on each user’s workstation and calling it a day. This is 2022. Threat detection has to be done in real-time. Logs have to be aggregated from all assets, be they servers, workstations, network devices, or any other hardware that could be compromised. In today’s world everything generates logs, and hopefully by now, you know why it’s so important that they do. In short, organizations that care about their security deploy logging agents that monitor everything, aggregate the logs they collect and then send them to a SIEM system. Security analysts then use the insights they receive from the SIEM to monitor security events and ensure that automated countermeasures are working as designed.
Unlike NXLog, most other logging solutions lack some significant feature or functionality. If some of your assets include Windows workstations, you won’t be able to efficiently aggregate security logs from all of the sources on those devices unless you have NXLog Enterprise Edition. All it takes is one successful security breach by the right attacker on one of these unmonitored nodes for you to watch the IT infrastructure that you once knew crumbles before your eyes. The biggest challenge that most logging systems have is the ability to read and parse unstructured logs from practically any log file format and transform them into the structured format that your SIEM requires.
With NXLog, you’ll also be able to keep your costs to a minimum. For SIEMs that bill by data volume ingested, NXLog’s highly customizable filtering will allow you to send only a fraction of the log data you’re probably sending to your SIEM today. You’ll be able to discard low-value events of no security value and forward only meaningful data. Also, with NXLog’s extremely small footprint and modular design, it uses extremely little resources and can be deployed on workstations without any noticeable impact on users' day-to-day activities. Likewise, even large enterprises can use commodity hardware to build clusters of NXLog relay nodes for scaling their log aggregation needs as they continue to grow.
To summarize, NXLog provides a platform-agnostic, end-to-end log collection solution using a robust, modular, distributed architecture that is unparalleled in its flexibility, functionally, and variety of third-party integrations.
It is the all-in-one solution: one logging tool that can rule them all, and do it all.