Motley Moose – Archive

Since 2008 – Progress Through Politics

Water LIGHTS – A Framework for Securing Water Cyber Systems

Since – as has been recently noted – Moose are ruminants, here are some thoughts I have been having on addressing cybersecurity in industrial control systems.

The articles that end up instantiated as Moose markings are by nature and fact often completely off the political reservation. This topic does have significant political implications, though, as the stability of these systems both at home and abroad pose tactical and strategic challenges to social structures and political balance. To that point it is in fact very much a matter of interest for all members of our shared social experience.

The following is a set of slides describing a program that has been developing over this year.

The premise of the program is that there are hundreds of thousands of facilities in the United States alone where cyber systems control physical processes, and where the intentional subversion of these cyber systems could cause human and social harm, and that there is a need to secure these systems in a timely and effective fashion.

This particular set of slides is made for the Water sector, where more than 18,000 US water systems remain largely unaddressed from a cybersecurity perspective.

I will be interested to see how much sense this makes to all of you. There are parts of it that I believe may cause some interesting debate, but I will let you decide which those might be. ;~)

“ICS” = Industrial Control Systems

LIGHTS is a program run under Energysec, a 501(c) non-profit created by cybersecurity experts from the electric sector. The founders and board of LIGHTS consist of representation from the vendor, service provider, asset owner and academic segments.

The charter of LIGHTS is to provide highly-deployable low-cost cybersecurity options to ICS facilities. The purpose of these solutions is to allow for persistent and comprehensive visibility into the state and behavior of the cyber assets that compose the industrial control system. The specific method currently is based on Open Source (free and community maintained) sensor devices monitored by LIGHTS-certified Managed Security Service Providers (MSSPs).

LIGHTS was created to address the reality that the majority of industrial facilities do not have the expertise or resources to adequately address the risk to their cyber systems. Many of the individuals who build and operate these systems in small-to-medium environments have voiced their concern and requested standardized programs.

LIGHTS itself is – well – a light organization. The board certifies vendors and service providers to offer a standard menu of options. The ground-level option is an Open Source Sensor installed on a single ethernet port of the core switch on the subject facility’s network. This device is connected over an encrypted connection to the MSSP’s Security Operations Center where analysts provide constant monitoring and response capability. As options the facility can choose not to have a managed service and monitor their own Sensor (the Basement option) or upgrade to commercial products.

In the Water and Wastewater sector all of this is necessary because – like in other sectors – it is virtually certain today that every cyber device deployed has known or unknown security vulnerabilities which could be exploited. The threat of these vulnerabilities rises as a function of time, while the expertise to address it is generally not available to water operators.

The existing standards – ANSI/AWWA G430-09 and ASME-ITI/AWWA J100-10 Risk Analysis and Management for Critical Asset Protection (RAMCAP) Standard for Risk and Resilience Management of Water and Wastewater Systems – already require water operators to account for hostile intention and provide safe service under those conditions. These and other regulations will increasingly require water facility operators to demonstrate control over cyber systems while these systems are under active attack, a necessary goal which is not foreseeably within the grasp of a majority of them.

Let’s look at the technical shape of the LIGHTS system, starting at the largest scale and drilling down.

At the top is the Energysec Tactical Analysis Center. TAC draws data from LIGHTS MSSPs in all sectors in a consistent format. As appropriate this information is anonymized meta information which does not reveal the confidential information of either the constituent organizations or of the parties to which they are responsible, such as ratepayers.

TAC correlates and processes this data and produces actionable intelligence for use by member organizations. Energysec TAC also coordinates with other government and private centers, integrating that intelligence for its membership’s benefit while providing appropriate information to those centers.

TAC provides appropriate guidance to constituent organizations, including assistance with Incident Management at individual facilities, Coordinated Response during widespread and active cyber threat and current best practices.

A deployment is based on a LIGHTS Sensor getting installed on a “promiscuous SPAN port” on the existing ethernet switch on the subject facility’s control network. This Sensor analyzes all network traffic, creating a baseline of normal conditions against which to detect the anomalous behavior characteristic of an unauthorized intrusion. The LIGHTS Certified MSSP for a given facility monitors the Sensor over an encrypted channel from a 24×7 Security Operations Center. The SIEM technology required for LIGHTS MSSP certification includes the capability of automatically alerting on deviations from the facility’s security policies and/or established behavioral norms.
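As an added illustration (not LIGHTS or OSSIM code), here is a toy version of the baseline-then-detect logic a passive span-port sensor applies to a control network: learn which hosts talk to which services with which Modbus function codes, then alert on anything new. The hosts, ports and function codes are constructed sample data.

```python
# Baseline-then-detect over control-network flow records.
# Added example, not LIGHTS/OSSIM code. A flow record is
# (src, dst, dst_port, modbus_function_code or None), all constructed.
from collections import defaultdict

# Constructed learning window on a small water-plant control network.
BASELINE_FLOWS = [
    ("10.10.1.10", "10.10.1.50", 502, 3),   # HMI reads holding registers from PLC-1
    ("10.10.1.10", "10.10.1.50", 502, 3),
    ("10.10.1.10", "10.10.1.51", 502, 3),
    ("10.10.1.10", "10.10.1.51", 502, 16),  # HMI writes setpoints to PLC-2
    ("10.10.1.20", "10.10.1.50", 502, 3),   # historian polls PLC-1 (read only)
]

def learn_baseline(flows):
    """Return {(src, dst, dport): set of function codes seen}."""
    baseline = defaultdict(set)
    for src, dst, dport, fc in flows:
        baseline[(src, dst, dport)].add(fc)
    return dict(baseline)

def detect(baseline, flows):
    """Return one alert string per observed flow that deviates from the baseline."""
    known_hosts = {h for key in baseline for h in key[:2]}
    alerts = []
    for src, dst, dport, fc in flows:
        key = (src, dst, dport)
        if src not in known_hosts:
            alerts.append(f"new host {src} talking to {dst}:{dport}")
        elif key not in baseline:
            alerts.append(f"new flow {src}->{dst}:{dport}")
        elif fc not in baseline[key]:
            alerts.append(f"new function code {fc} on {src}->{dst}:{dport}")
    return alerts

# Constructed observation window after the baseline is established.
OBSERVED = [
    ("10.10.1.10", "10.10.1.50", 502, 3),    # normal HMI read
    ("10.10.1.20", "10.10.1.50", 502, 16),   # historian starts writing: deviation
    ("10.10.1.99", "10.10.1.51", 502, 3),    # host never seen before
    ("10.10.1.10", "10.10.1.51", 22, None),  # HMI opens SSH to PLC-2: new service
]

if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_FLOWS), OBSERVED):
        print("ALERT:", alert)
```

A real sensor would also age the baseline and require analyst confirmation before a new flow is accepted as normal, which is the role the MSSP analysts fill in the LIGHTS model.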

LIGHTS Sensors are based on the Open Source SIEM (OSSIM). OSSIM is the most commonly used SIEM technology and does not introduce product or licensing costs into the base LIGHTS offering. LIGHTS Sensors include an integrated suite of Open Source cybersecurity tools including Intrusion Detection and Vulnerability Assessment to provide a consistent and complete operational framework.

Lemnos was a DoE-funded initiative intended to establish and demonstrate multi-vendor interoperability among control system cybersecurity components. Encryption and event message standards are the two main goals of the project.

The initial Event Messaging effort focused on pushing vendors to conform a set of syslog event messages to a common standard. However, coordinating vendor development is problematic at best and much installed equipment using existing messaging may not be updated for an extended period of time.

The Lemnos project has solved this issue by designating the Open Source SIEM (OSSIM) as the standard collection method for interoperable event messaging. OSSIM is maintained by AlienVault and the Open Source community and is used at more than half of all SIEM deployments globally, providing a stable platform for the purpose. OSSIM includes a Standard Event Taxonomy: event messages such as syslog produced by vendor equipment are sent to OSSIM and automatically mapped to this Standard Event Taxonomy, allowing for standardized policies and reporting.
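To show what taxonomy mapping buys you, here is an added example (not OSSIM’s taxonomy or code) that normalizes two constructed vendor syslog formats into one category/subcategory scheme and then applies a single policy rule against the normalized events rather than against each vendor format.

```python
# Map heterogeneous vendor syslog lines onto one event taxonomy.
# Added example, not OSSIM code; the vendor formats and labels are constructed.
import re
from collections import Counter

# Constructed vendor formats (not any real product's syslog grammar).
PATTERNS = [
    # vendor A: "vendorA: login failed for user 'bob' from 10.10.1.99"
    (re.compile(r"vendorA: login (?P<res>failed|ok) for user '(?P<user>\w+)' from (?P<src>[\d.]+)"),
     lambda m: ("authentication", "failure" if m["res"] == "failed" else "success")),
    # vendor B: "vendorB AUTH user=alice result=DENIED src=10.10.1.99"
    (re.compile(r"vendorB AUTH user=(?P<user>\w+) result=(?P<res>DENIED|OK) src=(?P<src>[\d.]+)"),
     lambda m: ("authentication", "failure" if m["res"] == "DENIED" else "success")),
    # vendor B: "vendorB CFG user=alice action=WRITE src=10.10.1.10"
    (re.compile(r"vendorB CFG user=(?P<user>\w+) action=(?P<act>\w+) src=(?P<src>[\d.]+)"),
     lambda m: ("configuration", m["act"].lower())),
]

def normalize(line):
    """Return a taxonomy event dict, or None if no pattern matches."""
    for pat, classify in PATTERNS:
        m = pat.search(line)
        if m:
            category, subcategory = classify(m)
            return {"category": category, "subcategory": subcategory,
                    "user": m["user"], "src": m["src"], "raw": line}
    return None

def failed_login_sources(events, threshold=3):
    """One policy, written once against the taxonomy instead of per vendor."""
    c = Counter(e["src"] for e in events
                if e["category"] == "authentication" and e["subcategory"] == "failure")
    return {src: n for src, n in c.items() if n >= threshold}

# Constructed sample log lines from two different devices.
SAMPLE_LOG = [
    "vendorA: login failed for user 'bob' from 10.10.1.99",
    "vendorB AUTH user=alice result=DENIED src=10.10.1.99",
    "vendorA: login failed for user 'admin' from 10.10.1.99",
    "vendorB AUTH user=alice result=OK src=10.10.1.10",
    "vendorB CFG user=alice action=WRITE src=10.10.1.10",
    "some unrelated line",
]

if __name__ == "__main__":
    events = [e for e in map(normalize, SAMPLE_LOG) if e]
    print(failed_login_sources(events))  # {'10.10.1.99': 3}
```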

This common event taxonomy is an essential component of the LIGHTS framework, allowing constituent facilities to produce standardized data and LIGHTS MSSPs to provide consistent and economical services. This standardization also supports the infrastructure necessary for the Energysec TAC to provide standardized responses and recommendations to constituent organizations, increasing effectiveness and efficiency of the national cybersecurity management and response system.

With its consistent and modular structure, LIGHTS provides an option which can scale to address the risk over reasonable timeframes. The framework lends itself to providing forensic evidence of regulatory compliance and is flexible enough to reflect evolutions in regulated requirements.

Most importantly, LIGHTS provides automated visibility into system behavior and the deviations that can indicate loss of control through attack, equips facilities with a response capability and allows them to engage with cross-industry centers of awareness and expertise.

  1. Rashaverak

    of attitude-altering compounds into our bodies and to adulterate our precious bodily fluids.  Upon the order of Comrade Obama, all negative and unmutual attitudes will fade into oblivion, like a bad dream!

    More seriously, will the routines that these open-source sensors run be periodically updated, to reflect changes in vectors and methods of attack?  Will the updates occur automatically, or will they require human intervention? Is this in itself a potential vulnerability, either through failure to update if manual intervention is required, or through the dissemination of a counterfeit “update” by a ne’er-do-well?  

  2. When Irene hit, the Deerfield Inn got flooded. A lot of areas got hit, but the Inn got hit because of dam releases up river. Two were controlled releases, and were accounted for, but one was an automatic release when the levels surged, and to be fair, IF the release hadn’t happened when it did, a lot more folks would have gotten hit by flooding. Deerfield took a hit, and a few million in damages around town, including the $1.5M hit that the Inn is going to take to be repaired.

    These automatic systems did their job. They released water in a fashion that controlled river flow to keep the areas hit minimized. Had they failed, the damage in the Valley would have been catastrophic on a level that hasn’t been seen since the ’39 flood.  It sucks, because my job pretty much went down with the water’s rise, but the damage could have been a lot worse, and a lot more widespread, and that would have crippled a fair part of Western Mass.

    The possibility of damage hitting control hubs for infrastructure like water is a spooky concept, but to be fair, most of the folks who are thinking about doing damage here, are thinking flashier, though with the rise in competition with the Chinese, it is not a bad question set to be asking, and preparing for.  

  3. spacemanspiff

    Mind blowing stuff. It’s not that complicated when broken down like this and it would seem to be obvious (ly), important.

    So are you wearing that awesome time you had on in that video from China you uploaded a while back?  

  4. The service seems to put a lot of faith in their ability to assess and certify vendors. I assume those vendors then would have the ability to interact with the control systems with increased authority, but how do you actually do that? If I were a nasty person I’d buy one of your vendors that was already certified and I’d then introduce my Stuxnet or whatever with what might appear like LIGHTS approval.

    Are you not concerned that people on your network being standardized makes you a uniform target?  In other words if some hacker pwns you doesn’t that mean they pwn everyone?
