Before the ACI TTP is adopted, ICS and IT managers should establish what a FMC network is as it pertains to their specific installations and missions. The ACI TTP defines FMC as a functional recovery point for both the ICS and the SCADA. Once this is defined, ICS and IT managers should capture the FMC condition of their network entry points (e.g., firewalls, routers, remote access terminals, wireless access points, etc.), network topology, network data flow, and machine/device configurations, then store these in a secure location. This information should be kept under configuration management and updated every time changes are made to the network. This information forms the FMC baseline. The FMC baseline is used to determine normal operational conditions versus anomalous conditions of the ICS.

The ACI TTP is a great set of tactical procedures that can work well for ICS and IT networks.  When Argus is used in a network, the comprehensive network audit flow records that it generates can be used to establish FMC baselines of network flow.  The FMC baseline is not one data set, it really is a large collection of statistical data that describes the statistical behavior of all the entities in the network.   Its purpose is to provide the baseline information of what is normal in the network, and by comparison, you can realize abnormal behavior.

The Argus clients library has fundamental programs that are designed to generate network data baselines that can be used as a part of the FMC baseline.  The principal program that we use is racluster.1.  racluster is flexible enough to generate flow baselines for any aspect of network behavior.  And when stored, using programs like rasqlinsert.1, a system can be realized that can generate basic network baselines that extend for 12 months.