Behavioral Alerting Sets for Control Systems (BAS/CS)

A. Beall, H. Parkes, C. Jones
Johns Hopkins Applied Physics Laboratory, Maryland, United States

Keywords: cybersecurity, analytics, critical infrastructure, control systems, threat detection

Behavioral Alerting Sets for Control Systems (BAS/CS) is a Johns Hopkins Applied Physics Laboratory alerting framework designed to be implemented by existing technology solutions to improve the detection of advanced cyberspace adversaries. BAS/CS defines a data processing pipeline that first normalizes and tags host and network events with BAS/CS Event IDs, then correlates the tagged events using BAS/CS Rules. This two-step approach reduces false positive alerts on unusual but benign user activity and improves the accuracy of alerting on malicious threats. The tagging and correlation rules defined by BAS/CS are intended to be implemented in a commercial Security Information and Event Management (SIEM) capability or analytics platform. The BAS/CS Framework has been demonstrated in exercises and production deployments, where it has successfully detected advanced living-off-the-land adversarial activity. Implementing the BAS/CS alerting framework meets many of the alerting requirements defined in the DoD More Situational Awareness for Industrial Control Systems (MOSAICS) framework.
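The tag-then-correlate pipeline the abstract describes, as an added illustration that is not the paper's own code: the Event IDs, tagging predicates, correlation rule and sample events below are all hypothetical placeholders (the real BAS/CS Event IDs and Rules are not on this page). A single unusual-but-benign event (an administrative shell on its own) is tagged but raises no alert; only a host whose tagged events satisfy the whole rule within the window does.

```python
"""Toy two-stage pipeline: tag raw events with Event IDs, then correlate with a rule."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: hypothetical tagging predicates (placeholder Event IDs, not BAS/CS's).
TAGGERS = [
    ("EV-LOGON-REMOTE", lambda e: e["type"] == "logon" and e.get("logon_type") == "remote"),
    ("EV-ADMIN-SHELL", lambda e: e["type"] == "process"
        and e.get("image", "").lower().endswith(("powershell.exe", "wmic.exe"))),
    ("EV-NEW-OUTBOUND", lambda e: e["type"] == "netflow"
        and e.get("direction") == "out" and bool(e.get("first_seen"))),
]

def tag(event):
    """Normalize field names and attach every matching Event ID to the event."""
    norm = {k.lower(): v for k, v in event.items()}
    norm["event_ids"] = [eid for eid, pred in TAGGERS if pred(norm)]
    return norm

# Stage 2: a hypothetical correlation rule; all required tags must occur on one host
# within the window, so an isolated tag never alerts by itself.
RULE = {"name": "remote-logon-admin-shell-new-outbound",
        "required": {"EV-LOGON-REMOTE", "EV-ADMIN-SHELL", "EV-NEW-OUTBOUND"},
        "window": timedelta(minutes=10)}

def correlate(events, rule=RULE):
    """Return one alert per host whose tagged events satisfy the rule inside the window."""
    tagged = sorted((tag(e) for e in events), key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in tagged:
        for eid in e["event_ids"]:
            if eid in rule["required"]:
                by_host[e["host"]].append((e["ts"], eid))
    alerts = []
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):  # slide the window over each candidate start
            seen = {eid for ts, eid in hits[i:] if ts - start <= rule["window"]}
            if rule["required"] <= seen:
                alerts.append({"rule": rule["name"], "host": host, "start": start})
                break
    return alerts

# Constructed sample events (not data from the paper).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    {"ts": T0, "host": "hmi-01", "type": "process", "image": r"C:\Tools\powershell.exe"},
    {"ts": T0 + timedelta(minutes=1), "host": "eng-02", "type": "logon", "logon_type": "remote"},
    {"ts": T0 + timedelta(minutes=3), "host": "eng-02", "type": "process", "image": r"C:\W\wmic.exe"},
    {"ts": T0 + timedelta(minutes=5), "host": "eng-02", "type": "netflow", "direction": "out", "first_seen": True},
]
```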