Supervisory Control and Data Acquisition (SCADA) systems are essential for monitoring and controlling industrial processes. Rapid SCADA is an open source SCADA platform used for data acquisition, automation, and remote control in industrial and critical infrastructure systems. It can be deployed on Windows or Linux endpoints, making it a flexible solution for different environments. Like all SCADA systems, it requires adequate security measures to protect against cyber threats, unauthorized access, and system manipulation.
Wazuh supports the security needs of both conventional IT systems and specialized industrial systems, including SCADA platforms like Rapid SCADA. Its flexibility allows users to tailor monitoring to their specific infrastructure. By identifying the critical components and processes within their environment, users can configure Wazuh to provide targeted visibility and protection.
Wazuh enhances the security of Rapid SCADA by:
- Protecting the endpoint running the SCADA services from threats such as malware infections and unauthorized access.
- Using the File Integrity Monitoring (FIM) capability to detect unauthorized modifications to SCADA configuration files.
- Monitoring SCADA logs to detect anomalies, authentication failures, or suspicious activities.
- Conducting security configuration assessments to ensure the proper setup of security controls, minimize vulnerabilities, and ensure compliance with regulatory frameworks.
- Detecting if the installed version of Rapid SCADA or other software matches known vulnerable versions. Wazuh alerts users to review detected vulnerabilities and recommends remediation actions to secure endpoints.
By integrating Wazuh with Rapid SCADA, organizations gain real-time visibility into file changes, authentication activity, configuration issues, and potential vulnerabilities. This enables proactive threat detection and timely response. While this blog post focuses on Rapid SCADA, the use cases demonstrated here can be adapted to secure other SCADA systems.
Infrastructure
We use the following setup to demonstrate how Wazuh monitors Rapid SCADA:
- Wazuh central components: A pre-configured Wazuh OVA (version 4.11.2). Follow this guide to download and deploy the virtual machine.
- Windows 11 endpoint: We call this the Rapid SCADA server in further sections.
  - Install Rapid SCADA.
  - Install Wazuh agent 4.11.2 and enroll it with the Wazuh server.
How to monitor Rapid SCADA with Wazuh
We configure Wazuh to actively monitor the Rapid SCADA server for threats and unusual behavior. Key Wazuh capabilities, including Security Configuration Assessment (SCA) and Vulnerability Detection, help ensure the security of the host running Rapid SCADA by verifying configurations and identifying vulnerabilities.
This blog post focuses on the following to detect suspicious activities:
- Securing Rapid SCADA hosts against malware
- Monitoring Rapid SCADA files with the Wazuh FIM module
- Analyzing Rapid SCADA event logs
Securing Rapid SCADA hosts against malware
Securing the SCADA host is important because malware infections can compromise both the endpoint and the integrity of the SCADA operations. Wazuh offers several methods for detecting malware across Windows and Linux endpoints. These techniques range from signature-based detection to behavioral analysis, and can be used individually or combined for layered protection.
Here are the malware detection capabilities supported by Wazuh:
- YARA integration: Performs offline signature-based malware detection using custom or community-supplied YARA rules.
- VirusTotal integration: Queries the VirusTotal database to verify whether a file hash matches a known malware sample.
- ClamAV logs collection: Collects logs from the ClamAV antivirus engine to generate alerts when malware is detected.
- Windows Defender logs collection: Monitors Windows Defender events to detect and respond to threats in real-time.
- Rootkits behavior detection: Identifies hidden processes, loaded kernel modules, or anomalous behaviors typical of rootkits and stealthy malware.
- CDB lists and threat intelligence: Uses community and custom threat intelligence feeds to match IPs, domains, file hashes, or HTTP user agents against known indicators of compromise (IOCs).
- Custom rules to detect malware IOC: Allows users to create customized rules to detect indicators found in log files, such as file names, hashes, registry keys, or network behavior.
These capabilities make Wazuh adaptable to different deployment needs. In SCADA environments, offline-friendly options like YARA are ideal for air-gapped systems. When internet access is available, you can use external services like VirusTotal and threat intelligence feeds to enhance detection.
Monitoring Rapid SCADA configuration files with the Wazuh FIM module
The Wazuh File Integrity Monitoring (FIM) module can track changes to configuration files and other sensitive data used by Rapid SCADA.
Important directories to monitor include:
C:\SCADA\Config\
C:\SCADA\ScadaServer\Config\
C:\SCADA\ScadaWeb\Config\
C:\SCADA\ScadaAgent\Config\
C:\SCADA\ScadaComm\Config\
C:\SCADA\BaseDAT\
These directories contain configuration files, user and role data, and core settings that define how Rapid SCADA components operate. Unauthorized changes to these files could indicate misconfiguration, tampering, or malicious activity. Monitoring them helps ensure operational integrity and provides early detection of suspicious behavior.
Configuring the Wazuh FIM module on the Rapid SCADA server
Perform the following steps on the Rapid SCADA server to configure the Wazuh FIM module to monitor the sensitive directories in real-time:
- Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and add the configuration below:
<ossec_config>
  <syscheck>
    <directories whodata="yes" report_changes="yes">C:\Program Files\SCADA\BaseDAT, C:\Program Files\SCADA\Config, C:\Program Files\SCADA\ScadaAgent\Config, C:\Program Files\SCADA\ScadaComm\Config, C:\Program Files\SCADA\ScadaServer\Config, C:\Program Files\SCADA\ScadaWeb\config</directories>
  </syscheck>
</ossec_config>
Where:
- The whodata="yes" setting enables real-time detection and logs the user and process responsible for changes to monitored files.
- The report_changes="yes" option enables Wazuh to log the specific differences between previous and current file versions.
- Restart the Wazuh agent via PowerShell with Administrator privileges to apply the changes:
# Restart-Service -Name wazuh
Configuring the Wazuh server
Perform the following steps on the Wazuh server to create custom rules to trigger alerts when the Wazuh agent detects changes in the monitored directories:
- Create a new rule file rapid_scada_rules.xml in the /var/ossec/etc/rules/ directory to save the Rapid SCADA rules:
# touch /var/ossec/etc/rules/rapid_scada_rules.xml
- Modify the ownership and permissions of the /var/ossec/etc/rules/rapid_scada_rules.xml file:
# chown wazuh:wazuh /var/ossec/etc/rules/rapid_scada_rules.xml
# chmod 660 /var/ossec/etc/rules/rapid_scada_rules.xml
- Add the following rules to the /var/ossec/etc/rules/rapid_scada_rules.xml file:
<group name="syscheck,rapid_scada,">
  <rule id="110051" level="0">
    <if_sid>550</if_sid>
    <field name="file">:\Program Files\SCADA\\w+</field>
    <description>Rapid SCADA: File modified.</description>
  </rule>

  <!-- Alert only when file content changes, not just metadata -->
  <rule id="110052" level="7">
    <if_sid>110051</if_sid>
    <field name="file">:\Program Files\SCADA\\w+</field>
    <field name="changed_content" negate="yes">^No content changes were found for this file\.$</field>
    <description>Rapid SCADA: File modified - $(file).</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
  </rule>

  <rule id="110053" level="7">
    <if_sid>553</if_sid>
    <field name="file">:\Program Files\SCADA\\w+</field>
    <description>Rapid SCADA: File deleted - $(file).</description>
    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
  </rule>

  <rule id="110054" level="7">
    <if_sid>554</if_sid>
    <field name="file">:\Program Files\SCADA\\w+</field>
    <description>Rapid SCADA: File added - $(file).</description>
  </rule>

  <rule id="110055" level="10">
    <if_sid>110052</if_sid>
    <field name="file">config\.xml$</field>
    <description>Rapid SCADA: Configuration file modified - $(file).</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
  </rule>

  <rule id="110056" level="10">
    <if_sid>110053</if_sid>
    <field name="file">config\.xml$</field>
    <description>Rapid SCADA: Configuration file deleted - $(file).</description>
    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
  </rule>

  <rule id="110057" level="10">
    <if_sid>110054</if_sid>
    <field name="file">config\.xml$</field>
    <description>Rapid SCADA: Configuration file added - $(file).</description>
  </rule>

  <rule id="110058" level="10">
    <if_sid>110052</if_sid>
    <field name="file">user\.dat$|role\.dat$|roleref\.dat$</field>
    <description>Rapid SCADA: User account manipulation - $(file) modified.</description>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>

  <rule id="110059" level="10">
    <if_sid>110053</if_sid>
    <field name="file">user\.dat$|role\.dat$|roleref\.dat$</field>
    <description>Rapid SCADA: User account manipulation - $(file) deleted.</description>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>

  <rule id="110060" level="10">
    <if_sid>110054</if_sid>
    <field name="file">user\.dat$|role\.dat$|roleref\.dat$</field>
    <description>Rapid SCADA: User account manipulation - $(file) created.</description>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>
</group>
Where:
- Rule ID 110051 is the base rule that detects file modifications within any of the monitored Rapid SCADA directories.
- Rule ID 110052 detects modifications where the file content changes, excluding metadata-only changes.
- Rule ID 110053 detects file deletion within any of the monitored Rapid SCADA directories.
- Rule ID 110054 detects file creation within any of the monitored Rapid SCADA directories.
- Rule ID 110055 detects modifications to Rapid SCADA configuration files.
- Rule ID 110056 detects the deletion of Rapid SCADA configuration files.
- Rule ID 110057 detects the creation of new Rapid SCADA configuration files.
- Rule ID 110058 detects user account manipulation by monitoring changes to user.dat, role.dat, and roleref.dat in Rapid SCADA.
- Rule ID 110059 detects user account manipulation when user.dat, role.dat, or roleref.dat files are deleted from Rapid SCADA.
- Rule ID 110060 detects user account manipulation when new user.dat, role.dat, or roleref.dat files are created in Rapid SCADA.
- Restart the Wazuh manager service to apply the changes:
# systemctl restart wazuh-manager
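To see which rule the tree above settles on for a given syscheck event, here is an added Python emulation (not Wazuh code and not from the original post) run over constructed file events; the OS_Regex patterns are translated to Python re, and the sample paths and events are made up.

```python
import re

# Constructed syscheck-style events: (event_type, file_path, content_changed).
# content_changed=False stands for the "No content changes were found for this
# file." text Wazuh puts in changed_content for metadata-only modifications.
SAMPLE_EVENTS = [
    ("modified", r"C:\Program Files\SCADA\ScadaServer\Config\ScadaServerConfig.xml", True),
    ("modified", r"C:\Program Files\SCADA\BaseDAT\user.dat", True),
    ("modified", r"C:\Program Files\SCADA\BaseDAT\user.dat", False),
    ("deleted", r"C:\Program Files\SCADA\BaseDAT\roleref.dat", False),
    ("added", r"C:\Program Files\SCADA\ScadaWeb\Config\ScadaWebConfig.xml", False),
    ("added", r"C:\Program Files\SCADA\ScadaComm\Config\readme.txt", False),
    ("modified", r"C:\Windows\System32\drivers\etc\hosts", True),
]

# Python re translations of the <field name="file"> patterns in the rule file.
# OS_Regex ignores case (the post's own test has config\.xml$ match
# ScadaServerConfig.xml), hence re.IGNORECASE.
SCADA_DIR = re.compile(r":\\Program Files\\SCADA\\\w+", re.IGNORECASE)
CONFIG = re.compile(r"config\.xml$", re.IGNORECASE)
ACCOUNTS = re.compile(r"user\.dat$|role\.dat$|roleref\.dat$", re.IGNORECASE)
# Level-10 child that replaces each level-7 parent when its pattern matches.
CONFIG_CHILD = {110052: 110055, 110053: 110056, 110054: 110057}
ACCOUNT_CHILD = {110052: 110058, 110053: 110059, 110054: 110060}

def classify(event_type, path, content_changed):
    """Return (rule_id, level) the rule tree ends on, or None when the event
    stays on Wazuh's generic syscheck rules (550/553/554)."""
    if not SCADA_DIR.search(path):
        return None
    if event_type == "modified":
        if not content_changed:
            return (110051, 0)  # metadata-only change: level 0, never alerted
        parent = 110052
    elif event_type == "deleted":
        parent = 110053
    elif event_type == "added":
        parent = 110054
    else:
        return None
    if CONFIG.search(path):
        return (CONFIG_CHILD[parent], 10)
    if ACCOUNTS.search(path):
        return (ACCOUNT_CHILD[parent], 10)
    return (parent, 7)

def alerts(events):
    """(path, rule_id, level) for every event that would raise an alert."""
    out = []
    for kind, path, changed in events:
        hit = classify(kind, path, changed)
        if hit and hit[1] > 0:
            out.append((path, hit[0], hit[1]))
    return out

if __name__ == "__main__":
    for path, rule_id, level in alerts(SAMPLE_EVENTS):
        print(f"rule {rule_id} (level {level}): {path}")
```

For the authoritative answer on a real manager, replay the same events through /var/ossec/bin/wazuh-logtest.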
Analyzing Rapid SCADA event logs
Rapid SCADA generates several log files that record critical system activities, errors, and user interactions. These logs are an essential source of security and operational insights. By configuring the Wazuh agent to monitor these logs, you can detect suspicious activity, system failures, and unauthorized access attempts.
The main log files generated by Rapid SCADA include:
- ScadaServer.log: Captures server-side operations such as process initialization, communication with devices, and service status.
- ScadaAgent.log: Logs interactions between the server and remote communication agents.
- ScadaWeb.log: Records web interface access, user logins, and web-related errors.
- ScadaComm.log: Captures low-level interactions between the SCADA server and field devices such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and sensors.
Configuring the Wazuh agent to monitor Rapid SCADA log files
Perform the following steps on the Rapid SCADA server to configure the Wazuh agent to forward Rapid SCADA logs to the Wazuh server for analysis:
- Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf configuration file and append the configuration below:
<ossec_config>
  <localfile>
    <location>C:\Program Files\SCADA\ScadaServer\Log\ScadaServer.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>C:\Program Files\SCADA\ScadaAgent\Log\ScadaAgent.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>C:\Program Files\SCADA\ScadaWeb\log\ScadaWeb.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>C:\Program Files\SCADA\ScadaComm\Log\ScadaComm.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
- Restart the Wazuh agent via PowerShell with Administrator privileges to apply the changes:
# Restart-Service -Name wazuh
Creating custom rules and decoders for Rapid SCADA on the Wazuh server
Perform the following steps on the Wazuh server to create the decoders and rules necessary for alerting events from Rapid SCADA:
- Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file:
<!-- The second bracket holds the Windows account the service runs as, which ends in a literal "$".
     In pcre2 an unescaped "$" is an end-of-string anchor and could never be followed by "]",
     so it is escaped as "\$" in the patterns below. -->
<decoder name="rapid-scada-ip">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent" type="pcre2">^\[.+\]\[.+\$\]\[\w\w\w\] .+, IP .+</prematch>
  <regex offset="after_parent" type="pcre2">^\[(.+)\]\[.+\$\]\[(\w\w\w)\] (.+, IP) (\d+\.\d+\.\d+\.\d+|\S+)</regex>
  <order>hostname, status, message, srcip</order>
</decoder>

<decoder name="rapid-scada-no-ip">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent" type="pcre2">^\[.+\]\[.+\$\]\[\w\w\w\]</prematch>
  <regex offset="after_parent" type="pcre2">^\[(.+)\]\[.+\$\]\[(\w\w\w)\] (.+)</regex>
  <order>hostname, status, message</order>
</decoder>
- Add the following rules to the /var/ossec/etc/rules/rapid_scada_rules.xml file:
<group name="rapid_scada,">
  <rule id="110061" level="3">
    <decoded_as>rapid-scada-no-ip</decoded_as>
    <location type="pcre2">ScadaServer\.log$|ScadaAgent\.log$|ScadaWeb\.log$|ScadaComm\.log$</location>
    <description>Rapid SCADA: $(status) - $(message).</description>
  </rule>

  <rule id="110062" level="5">
    <if_sid>110061</if_sid>
    <status>^ERR$</status>
    <description>Rapid SCADA: $(status) - $(message).</description>
  </rule>

  <rule id="110063" level="3">
    <decoded_as>rapid-scada-ip</decoded_as>
    <location type="pcre2">ScadaServer\.log$|ScadaAgent\.log$|ScadaWeb\.log$|ScadaComm\.log$</location>
    <description>Rapid SCADA: $(status) - $(message) $(srcip).</description>
  </rule>

  <rule id="110064" level="5">
    <if_sid>110063</if_sid>
    <status>^ERR$</status>
    <description>Rapid SCADA: $(status) - $(message) $(srcip).</description>
  </rule>

  <rule id="110065" level="5">
    <if_sid>110064</if_sid>
    <field name="message">Unsuccessful login attempt for user</field>
    <description>Rapid SCADA: $(status) - $(message) $(srcip).</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <rule id="110066" level="10" frequency="8" timeframe="120">
    <if_matched_sid>110065</if_matched_sid>
    <same_source_ip />
    <description>Rapid SCADA: Brute force (multiple failed logins).</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
</group>
Where:
- Rule ID 110061 matches Rapid SCADA log events that do not include an IP address.
- Rule ID 110062 detects error events without an IP address by using rule 110061 as its parent rule.
- Rule ID 110063 matches Rapid SCADA log events that include an IP address.
- Rule ID 110064 detects error events with an IP address by using rule 110063 as its parent rule.
- Rule ID 110065 detects failed login attempts in Rapid SCADA.
- Rule ID 110066 identifies brute force login attempts based on repeated failures.
- Restart the Wazuh manager service to apply the changes:
# systemctl restart wazuh-manager
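The following is an added Python emulation (not Wazuh code and not from the original post) of what the two decoders extract from a Rapid SCADA log line and of how rule 110066 counts rule-110065 events per source IP inside its 120-second window; the log lines, the host name SCADA-SRV and the IP addresses are constructed, and the patterns are re translations of the pcre2 decoders above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Python re translations of the two pcre2 decoders. The parent decoder
# (windows-date-format) has already consumed the timestamp, so these start
# at "[". The account in the second bracket ends in "$", escaped as \$.
HEADER = r"^\[(?P<hostname>.+)\]\[.+\$\]\[(?P<status>\w\w\w)\] "
WITH_IP = re.compile(HEADER + r"(?P<message>.+, IP) (?P<srcip>\d+\.\d+\.\d+\.\d+|\S+)")
NO_IP = re.compile(HEADER + r"(?P<message>.+)")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def _line(sec, status, msg):
    """Constructed Rapid SCADA-style log line; SCADA-SRV is a made-up host."""
    return f"2025-03-10 12:{sec // 60:02d}:{sec % 60:02d} [SCADA-SRV][SCADA-SRV$][{status}] {msg}"

FAIL = "Unsuccessful login attempt for user 'admin', IP {ip}"
SAMPLE_LOG = (
    [_line(0, "INF", "Webstation started")]
    + [_line(5 + 5 * i, "ERR", FAIL.format(ip="192.168.10.25")) for i in range(7)]
    + [_line(40, "ERR", FAIL.format(ip="192.168.10.99"))]
    + [_line(45, "ERR", FAIL.format(ip="192.168.10.25"))]  # 8th failure from .25
    + [_line(300, "ERR", FAIL.format(ip="192.168.10.25"))]  # outside the window
)

def decode(line):
    """Return (timestamp, fields) as the decoders would extract them, trying
    rapid-scada-ip first, as its stricter prematch is listed first, then rapid-scada-no-ip."""
    ts_text, _, rest = line.partition(" [")
    ts = datetime.strptime(ts_text, TS_FORMAT)
    m = WITH_IP.match("[" + rest) or NO_IP.match("[" + rest)
    return ts, (m.groupdict() if m else None)

def brute_force_hits(lines, frequency=8, timeframe=120):
    """Emulate rule 110066: alert once `frequency` rule-110065 events (ERR status,
    failed-login message, srcip present) from one srcip fall within `timeframe` seconds."""
    windows = defaultdict(deque)
    fired = []
    for line in lines:
        ts, fields = decode(line)
        ip = fields.get("srcip") if fields else None
        if not ip or fields["status"] != "ERR":
            continue
        if "Unsuccessful login attempt for user" not in fields["message"]:
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency:
            fired.append((ts, ip))
            q.clear()  # simplification: start a fresh window after alerting
    return fired

if __name__ == "__main__":
    for ts, ip in brute_force_hits(SAMPLE_LOG):
        print(f"{ts} brute force from {ip}")
```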
Test the configuration
We test the configuration by triggering alerts for file integrity monitoring, user account manipulation, and brute force detection.
We use the HelloWorld sample project provided by Rapid SCADA to simulate realistic activity and perform tests. This project contains basic configurations that are ideal for testing and demonstration purposes.
We use the Administrator tool which is bundled with Rapid SCADA to manage the imported project. The tool provides a graphical interface for managing configuration settings, including user accounts and roles. It is automatically installed on the Windows endpoint during the Rapid SCADA installation.
Perform the following steps on the Rapid SCADA server to set up a project to test the configuration:
- Copy the sample project to your Documents folder using PowerShell:
> Copy-Item "C:\Program Files\SCADA\ProjectSamples\HelloWorld" -Destination "$env:USERPROFILE\Documents" -Recurse
- Launch the Administrator tool by searching for “Administrator” in the Windows Start menu:

- Import the copied HelloWorld project from your
Documents
folder:

- Upload the new configuration to Rapid SCADA by clicking the Upload Configuration button at the top navigation bar. In the pop-up window, keep the default settings and click Upload to apply the new configuration:

As soon as we upload the configuration, Wazuh generates alerts, which we can visualize on the Wazuh dashboard.

The alerts generated from the setup are generic. In the following subsections, we simulate specific actions and verify that Wazuh triggers alerts for each case.
Modify configuration to trigger FIM alerts
Perform the following steps in the Administrator tool to trigger a file integrity monitoring (FIM) event:
- Open the ScadaServerConfig.xml file by navigating to Default > Server > Configuration Files in the left panel:

- Set the value of the <StopWait> field to 15, then save the changes and upload the configuration:

Visualize relevant FIM alerts by applying the filter rule.groups: rapid_scada AND syscheck on the Wazuh dashboard:

Rule ID 110055 is triggered when the configuration file is modified.
Simulate user account manipulation
Perform the following steps in the Administrator tool to trigger a user account manipulation event:
- Open the Users table by navigating to Configuration Database > Primary Tables in the left panel:

- Enable a new user account, configure the name, password, and role, then save and upload the configuration:

Visualize relevant FIM alerts by applying the filter rule.groups: rapid_scada AND syscheck on the Wazuh dashboard:

Rule ID 110058 triggers an alert based on the user account creation.
Simulate brute force attack
Perform the following steps to simulate a brute force attack against the Rapid SCADA web user interface (UI):
- Optional: Allow inbound connections on port 10008 by running the following command on the Rapid SCADA server via PowerShell with Administrator privileges. This is required only if you plan to access the web UI from a remote host:
> New-NetFirewallRule -DisplayName "Allow Rapid SCADA web UI" -Direction Inbound -Protocol TCP -LocalPort 10008 -Action Allow
- Navigate to http://<RAPID_SCADA_IP_ADDRESS>:10008 from a browser on any endpoint with connectivity to the Rapid SCADA server. Replace <RAPID_SCADA_IP_ADDRESS> with the IP address of the Rapid SCADA server. Use localhost if you are testing from the Rapid SCADA server itself.

- Make at least eight failed login attempts within two minutes by entering incorrect username and password combinations to trigger the brute force detection rule.
Visualize relevant brute force alerts by applying the filter rule.groups: rapid_scada on the Wazuh dashboard:

Wazuh detects the brute force attack with rule ID 110066 after multiple failed authentication attempts.
Conclusion
In this blog post, we have explored how Wazuh can be utilized to enhance the security of Rapid SCADA. Wazuh offers capabilities like malware detection, File Integrity Monitoring (FIM), and log analysis. These capabilities help organizations detect potential security threats in real-time to ensure the integrity and security of their SCADA environment.
Additionally, the Wazuh Security Configuration Assessment (SCA) and Vulnerability Detection capabilities further strengthen the monitoring and security of SCADA systems. These features help identify vulnerabilities and ensure that the SCADA environment adheres to security best practices, providing an additional layer of protection.
Wazuh shows its versatility by supporting specialized industrial systems such as SCADA. Users with custom configurations can expand their monitoring capabilities through the flexible setup Wazuh provides. Refer to the Wazuh documentation and previous blog posts, or reach out to the Wazuh community for guidance.
Overall, integrating Wazuh with Rapid SCADA provides a comprehensive and proactive approach to securing industrial systems. It enables organizations to monitor, detect, and respond to threats in their environment. Additionally, it helps ensure compliance with regulatory requirements.