This Situational Awareness Reference Architecture (SARA) Guide is intended for industrial facility owners and operators as an open source guide to establishing and maintaining situational awareness. SARA is broken down into four key areas: Identity; Inventory; Activity; and Sharing. For each of these areas no-cost open source solutions are provided to allow facility owners and operators of any size or resource level to achieve a complete set of necessary capabilities. Commercial Solution Provider offer for-cost solutions which enhance each area to allow facility owners and operators to choose where appropriate options which provide greater functionality, professional support and services, and other incremental benefits.

Modern society is underpinned by an interdependent infrastructure supporting the services necessary functions. Systems which provide energy, food, water, goods, services, transportation, communication and other services rely on the availability of the others. Each of these infrastructure segments are increasingly controlled by cyber systems which improve their economic and functional effectiveness. These cyber systems bring with them changes to the risks faced by infrastructure operators and those who depend on them. Addressing these risks requires individual facilities and the aggregate infrastructure they are part of to improve the ability to maintain situational awareness.

Situational Awareness

The foundation of infrastructure protection is establishing and maintaining situational awareness at industrial facilities. As facilities become capable of establishing and maintaining awareness of the characteristics of their organizations, the composition of their systems, and their acceptable as well as actual usage they become capable of both effectively applying knowledge shared with them as well as deriving actionable knowledge which may be shared with others if and where appropriate to their context.

Situational awareness is an emergent property developed through the consistent application of appropriate tools and techniques. When facilities have internal situational awareness they are capable of effectively applying knowledge they gain from external sources. Where facilities are able to appropriately share some portion of their own situational awareness with external parties, situational awareness of the broader interdependent infrastructure emerges. This broader situational awareness is necessary to ensure the safety, stability and availability of the services provided by the infrastructure that supports communities, regions, nations and the global community.

The ICS-ISAC with its members and partners develops and maintains the Situational Awareness Reference Architecture (SARA). SARA is a repeatable, open and portable guideline which can be used by asset owners, integrators and knowledge centers to enable facility knowledge and effective participation in knowledge sharing activities. Captured within SARA are techniques including industry standards, methodologies and tools which can be applied by stakeholders to the situational awareness tasks related to their roles.

Components of Situational Awareness

Situational awareness consists of four areas of focus: Identity; Inventory; Activity; and Sharing.

Identity: Definition of the organization’s goals, structure, decisions making processes and capabilities. Identity is a comprehensive understanding of the organization’s staffing, decision making process, assets risks, threats and consequences.

Inventory: Current and accurate inventory of infrastructure components. Where the entity is an individual facility the Inventory is an index of all hardware and software components which constitute the Industrial Control System (ICS) and related industrial process. Where the entity is a municipality, region or nation the Inventory is an index of all connected facilities.

Activity: Accurate awareness of past and present activity within and between facility devices. Where the entity is an individual facility the Activity is the communication between all devices in the Inventory. Where the entity is a municipality, region or nation the pertinent Activity is the relationships and state of all connected facilities.

Sharing: Ability to acquire knowledge available from external sources as well as appropriately share knowledge with external parties.

Inbound Sharing: The primary goal of Sharing for a facility is to be able to effectively identify, acquire and apply knowledge available from external sources.

Outbound Sharing: The secondary goal of Sharing for a facility is to provide the knowledge necessary to create situational awareness of infrastructure security status at local, regional, national and international levels. Facilities must be capable of determining what if any knowledge can be shared with appropriate external parties. Knowledge shared with external parties must include only such information as the entity determines is appropriate based on legal, operational and other factors.

Structure of Shared Situational Awareness

Figure 1: Knowledge Sharing Network Structure

Figure 1 shows the overall shape of a shared situational awareness system.

Facilities: Facilities form the foundation of shared situational awareness. These include industrial entities such as those found in energy, manufacturing, water, transportation, first responders and others.

Service Providers: Service Providers work directly with facilities. These include integrators, vendors, outsourced operations providers and others. Facilities often have existing direct relationships with Service Providers.

Public Centers: Public Centers are government entities involved in infrastructure protection. These include municipal, regional, state, federal and international organizations which produce, process or share knowledge in support of infrastructure security.

Private Centers: Private Centers are non-governmental entities involved in infrastructure protection. These include private research organizations, technology product and service providers, trade organizations, Information Sharing and Analysis Centers (ISACs) and others.

Data, Information and Knowledge

Data, Information and Knowledge are terms to describe different types of situational awareness intelligence.

Data: The term Data in the SARA context refers to detailed, atomic intelligence. Examples of Data include log and event messages created by devices and device configurations. Data can include specific intelligence such as the hardware and software addresses of devices, and may not be intelligence that a facility is willing or able to share with external entities.

Information: The term Information in the SARA context refers to collections of Data. Information is used by facilities and in some cases the Service Providers they work with to operate infrastructure.

Knowledge: The term Knowledge in the SARA context refers to sharable, actionable intelligence. In many cases facilities are not willing or capable of sharing Data or Information with external parties due to safety, security, liability or other reasons. Some of these facilities may find that they are able to share Knowledge for the purpose of creating broader situational awareness.

An example of actionable Knowledge that a facility may be capable of sharing might be that a facility of a certain type in a given geography had a certain experience at a given time (i.e. “a waste water facility in the Southeast United States experienced the exploitation of a cyber vulnerability yesterday”).

Establishing Situational Awareness

Identity

Identity is defined as a reasonably complete understanding of the characteristics of an entity is necessary to determine effective and necessary steps to provide security for the facility. An entity such as an industrial facility must have a reasonable understanding of its Identity before steps to improve its security posture can be chosen and prioritized in a reasonable and prudent fashion. An organization’s Identity may include aspects such as: Organizational structure; risks; threats; consequences; and capabilities. Identity is established through an assessment process which evaluates the entity.

Tools

Open source and commercial tools exist which allow facilities to establish and maintain awareness of their Identity. Establishing and maintaining awareness of the Identity of an industrial facility allows facility owners and operators to have a reasonable level of confidence that they can make reasonable and prudent decisions regarding the security of their Industrial Control Systems.

The following open source methodology provides facility owners and operators structured support for establishing and maintaining their Identity.

Industrial Control System Security Decision and Architecture Tool

Description: The Industrial Control System Security Decision and Architecture Tool (ICSSDAT) is an open source online tool maintained by Management Analytics, Inc. ICSSDAT provides facility owners and operators a structured guide to assessing their Identity.

Inventory

Inventory is defined as a reasonably complete understanding of the devices that constitute a facility’s Industrial Control System.. Establishing and maintaining awareness of Inventory involves determining the make, model and version of devices connected to the Industrial Control System as well as topology of the network which connects them.

Tools

Open source and commercial tools exist that allow facilities to establish and maintain awareness of the Inventory. Establishing and maintaining awareness of the Inventory of an Industrial Control System allows facility owners and operators to have a reasonable level of confidence that they can verify that the components of the Industrial Control System are known and constant. A facility which has established ongoing awareness of its Inventory is capable of detecting the addition or removal of devices .

The following tools provide this capability at the network and host level. Some of these tools also provide functionality in establishing and maintaining awareness of the Industrial Control System’s Activity and will be listed in both sections of this Guide.

Tripwire

Description: Tripwire is an open source tool maintained by Tripwire, Inc. which provides awareness of the Activity of host devices. Specifically, Tripwire determines the starting configuration of host devices and alerts to any changes to the configuration or composition of those devices.

Tripwire is included in the SARA Server and can also be downloaded from the Tripwire website.

Activity

Activity is defined as: “a reasonably complete understanding of the behavior of a facility’s Industrial Control System. Establishing and maintaining awareness of Activity involves determining the appropriate as well as actual communication between devices connected to the facility’s Industrial Control System.

Tools

Open source and commercial tools exist which allow facilities to establish and maintain awareness of their Activity. Establishing and maintaining awareness of the Activity of an Industrial Control System allows facility owners and operators to have a reasonable level of confidence that they can verify that the behavior of the Industrial Control System remains within acceptable parameters.

The following tools provide this capability at the network and host level. Some of these tools also provide functionality in establishing and maintaining awareness of the Industrial Control System’s Inventory as well and will be listed in both sections of this Guide.

Snort

Description: Snort is an open source tool maintained by Cisco Systems, Inc. which provides awareness of the Activity of an Industrial Control System network. Specifically, Snort is a Network Intrusion Detection (NIDS) tool which monitors network traffic and creates alerts based on a range of changes to network activity.

Snort can be downloaded from the Snort Community website.

Suricata

Description: Suricata is an open source tool maintained by the Open Information Security Foundation (OSIF) which provides awareness of the Activity of an Industrial Control System network. Specifically, Snort is a Network Intrusion Detection System (NIDS) tool which monitors network traffic and creates alerts based on a range of changes to network activity.

Suricata can be downloaded from the Suricata Community website.

Tripwire

Description: Tripwire is an open source tool maintained by Tripwire, Inc. which provides awareness of the Activity of host devices. Specifically, Tripwire determines the starting configuration of host devices and alerts to any changes to the configuration or composition of those devices.

Tripwire can be downloaded from the Tripwire, Inc. website.

Sharing

Sharing is defined as the ability to: consume and appropriately apply relevant knowledge received from external sources in a timely and appropriate manner; and where deemed appropriate within the Identity of the organization, to derive and share Knowledge with external parties.

Tools and Standards

Open source tools and standards exist which allow facilities to establish and maintain Sharing relationships with appropriate external parties. In this section sources and applications of such tools and methodologies is provided. Commercial solution providers offer for-cost options for establishing and maintaining Sharing relationships with appropriate external parties.

Tools: Soltra

Soltra is a freely available information sharing platform provided as a virtual machine. Soltra uses the STIX schema to represent shareable knowledge and the TAXII protocol to share knowledge between itself and external Soltra or other TAXII compatible platforms. Soltra can be installed by a facility, service provider or knowledge sharing center and peered with one or more external TAXII platforms.

Soltra is maintained by a non-profit organization which provides support and other options on a fee basis. Information about Soltra can be found on the Soltra website.

Tools: ActiveMQ

ActiveMQ (Active Message Queue) is an open source tool maintained by the Apache Foundation which allows two or more parties to share knowledge in an automated fashion.

ActiveMQ can be downloaded from the ActiveMQ community website.

Standards: Transports

A Transport is a means to move knowledge between the facility and an external party.

TAXII

TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII, through its member specifications, defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. TAXII is not a specific information sharing initiative or application and does not attempt to define trust agreements, governance, or other non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, enabling organizations to share the information they choose with the partners they choose.

TAXII is the preferred method of exchanging information represented using the Structured Threat Information Expression (STIX™) language, enabling organizations to share structured cyber threat information in a secure and automated manner.

Standards: Schemas

A Schema is a means to represent knowledge for automated sharing over a Transport.

STIX

STIX (Structured Threat Information eXpression) is a collaborative community-driven effort managed to define and develop a standardized language to represent structured cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. STIX is an open community effort sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

Operating as DHS’s Federally Funded Research and Development Center (FFRDC), MITRE has copyrighted the STIX Language for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users.

The STIX community website provides information on the schema and access to the community of users and developers.

Choosing Sharing Partners

Each facility must choose one or more partners to share knowledge with. The facility may choose to only participate in Inbound Sharing and not share any of its internal knowledge with external parties. These choices should be made with an initial understanding of the facility’s Identity.

When choosing a sharing partner for Inbound Sharing, the facility should seek to work with a partner who aggregates external knowledge from a reasonable number of external sources. Service Providers such as Integrators and Vendors may provide such Knowledge Feeds. Regional or national public-sector Knowledge Centers - such as Fusion Centers or CERTs – may provide such Knowledge Feeds. Private-sector centers such as industry associations may provide such Knowledge Feeds. The ICS-ISAC provides Inbound Knowledge Feeds to member organizations through its portal.

When choosing a sharing partner for Outbound Sharing, the facility should use the understanding of their Identity to review the implications of sharing internal Knowledge with external parties and make appropriate determinations on what Knowledge to share with which external parties, if any. Issues to consider will include: operational security; legal liability; duty to protect customer information; and regulatory compliance.