"Anonymized Metadata" is a term used to describe information that has been scrubbed of specific identification data but which maintains enough representation of events or conditions to describe these to external organizations. Anonymized metadata provides Tactical Analysis Centers (TACs) the visibility they require into current and historical cybersecurity in order to promote best practices and provide information about risks and threats. LIGHTS uses anonymized metadata to inform TACs about the state of cybersecurity among member facilities. Members must "opt in" to this process; no member information, anonymized or not, is shared without the express consent of the member.
- LIGHTS is a membership program whose basic operations are funded by membership dues and sponsorship.
- Membership fees are designed to be well within the operating budgets of even the smallest facilities.
- LIGHTS engages in research and development projects and pursues public and private grants to fund those activities.
- LIGHTS is a program within EnergySec, a registered non-profit 501(c)(3).
The LIGHTS program is designed to provide members visibility and control over the cybersecurity of their facilities. The current structure of the LIGHTS solution involves the installation of, at a minimum, an Open Source LIGHTS Sensor device on the member's site. This Sensor installs on a network tap on the core Ethernet switch inside the member's industrial control system network and provides visibility into the cyber assets and activity that constitute the member's industrial control system.
A LIGHTS Approved Managed Security Service Provider (MSSP) works with new members to deploy the Sensor at the member facility, train staff if necessary, and manage any commercial services or products members choose to include. LIGHTS MSSPs offer members outsourced management of the Sensor.
- The Sensor maintains a continuous inventory of the devices, network topology and vulnerabilities of the member's control system network.
- All traffic across the network is monitored, allowing a baseline of normal behavior to be established and archived.
- Malicious software or the changes in network behavior that indicate intrusion - as well as any specific policies the member would like to implement - result in alerts to operators and/or active responses engineered by the member.
- The Open Source LIGHTS Sensor composition is determined by the LIGHTS Advisory Board as is appropriate to meet the security and operational needs of the LIGHTS membership over time. The current Open Source LIGHTS Sensor is based on the Open Source SIEM (OSSIM) and includes the following set of functionality:
  - Security Information Management
  - Intrusion Detection
  - Vulnerability Assessment
  - Asset Management
  - Compliance Reporting and Management
- The Open Source LIGHTS Sensor can receive telemetry directly from devices that create event or status information in all common formats, including Syslog, Flow, SNMP, XML, RDEP and many others.
- LIGHTS MSSPs and the Open Source community maintain interoperability plug-ins for a wide range of devices found on control system networks.
- Commercial offerings from service or product providers are available to integrate any previously unsupported devices.
- Provide members visibility into and control over the cybersecurity of their industrial facilities.
- Educate, promote, and advocate the advancement of operational security awareness programs consistent with the LIGHTS model.
- Identify technologies that support elements necessary for successful operational security solutions and programs.
- Involve organizations that support and serve asset owner membership interests.
- Engage, enable, and support the exchange of operational security awareness information between asset owners, managed security service providers (MSSPs) and tactical analysis centers (TACs).
- Support research, development, and deployment of technologies, processes, protocols, policies, operational frameworks, legal frameworks, and analysis techniques relating to the sharing of operational cybersecurity information.