PREEMPTIVE PREventivE Methodology and Tools to protect utilities


PREEMPTIVE - PREventivE Methodology and Tools to protect utilities (2014-2017)
With the financial support of the FP7 Seventh Framework Programme, Grant agreement no: 607093

Preemptive goal

The main goal of PREEMPTIVE is to provide an innovative solution for enhancing existing procedures and methods, and for conceiving tools to prevent cyber-attacks that target utility companies relying heavily on industrial networks and automated control systems. PREEMPTIVE addresses, in particular, the prevention of cyber-attacks against hardware and software systems such as DCS, SCADA, PLCs, networked electronic sensing, and the monitoring and diagnostic systems used by utility networks. Moreover, the research aims to implement detection tools based on a dual approach comprising direct low-level detection (e.g. network traffic and system calls) and process misbehaviour detection (e.g. of the automated industrial processes that control water distribution). The work focuses mainly on electricity, water and gas utilities. We plan to achieve this goal by proposing a combination of methodologies and detection tools.

Preemptive outcomes

The desired main outcomes of PREEMPTIVE are:
- Taxonomy report: classifying the utility networks taking into account type and communication technology, and sensitivity to cyber threats (already available)
- Modelling software: models and a virtual environment for simulating and gathering data on cyber attacks (already available)
- Software detection (network, host and process based) and event correlation tools: prevention and detection tools to improve security on SCADA utility networks (expected for February 2017)
- Cyber Defence Methodology Framework: guidelines, Risk and Vulnerability Assessment methods, and standard policies, procedures and guidelines to prevent cyber attacks (expected for September 2016)

Preemptive outcome - Taxonomy

GOAL
The objective of the Taxonomy is to gain a comprehensive understanding of the utility operational technology infrastructure that we want to protect. We define a taxonomy to structure the collected information in a consistent way across different utility sectors. We focus on three sectors: electricity, gas and water.

STRUCTURE
The need for a consistent organization of information derives from the observation that it is difficult for researchers working in the area of SCADA and critical infrastructure cyber-security to obtain information about the technology and systems they aim to protect. The main information gap is how the technology is used to control the physical processes. The taxonomy includes eleven domains in three distinct utility sectors indicated as critical infrastructure:
1. electricity (generation, transmission, distribution and distributed energy resources)
2. gas (production, storage, transmission and distribution)
3. water (drinking water treatment, waste water treatment and water distribution).

Preemptive outcome - Taxonomy

UTILITIES TARGETED
We organize the knowledge about the different types of utilities in order to provide a reference for assessing and studying their cyber-security properties. In particular, we want the taxonomy to capture:
- the types and characteristics of industrial processes
- the different systems used to control such processes
- the use cases implemented by the systems
- the devices and network communication protocols used by these systems.
The taxonomy then describes the cyber-security-related properties of all these components in such a way that cyber-attack scenarios can be built for different types of utilities, and that different security solutions can be evaluated according to the applicability and coverage they offer with regard to the technology in use at different utilities.

Preemptive outcome - Taxonomy

RESULTS
We notice that the same process automation technology is shared across sectors and domains, with the same devices and communication protocols employed in the domain-specific automation systems. With the exception of the electrical domains and the cross-sector end-user metering domain, there is a tendency among vendors to create Distributed Control Systems that are generic enough to be deployed in many different domains.

COMMON VULNERABILITIES
The results of our analysis indicate that different domains share common vulnerabilities that could be exploited by attackers. Despite the heterogeneous nature of utility networks, there are common components and protocols across the different domains with similar vulnerabilities. These common vulnerabilities include:
- poor networking stack implementations that make components vulnerable to denial of service and buffer overflow attacks
- components exposing interfaces (with default or no credentials required) that allow reconfiguring or taking control of process automation functionalities
- protocols that do not define authentication or message integrity features, allowing attackers with network access to manipulate process control information.

Preemptive outcome - Modelling Software

GOAL
We build the simulation tools in order to understand the consequences of cyber-attacks on different components and elements of the networks, and to support the testing and validation of the detection tools to be developed. Simulation tools represent a safe approach to testing the effectiveness of detection tools that does not require actual deployment into the operational environment; hence it reduces the associated costs as well as the risk of potential loss of service. Specifically, simulation tools can generate both normal operations and attack scenarios, which allows us to achieve two main goals:
- produce synthetic datasets of typical behaviour in different domains that can be used by the detection tools to gain insight into typical processes and important variables
- verify the effectiveness of the detection tools developed to detect attacks that attempt to disrupt Industrial Control Systems.

Preemptive outcome - Modelling Software

Most of the existing simulation tools are specialized for a specific sector or domain, while, as a goal of PREEMPTIVE, we want to be able to test and validate the tools developed by the project on data coming from the different domains, namely electricity, gas and water utilities. While numerous tools exist for the simulation of electrical power grids, the availability of simulation tools is more limited for the water and gas domains. For the water domain, EPANET, which models water piping systems, seems to be the most used toolkit for the analysis of water distribution systems. For the gas domain, the tool GASMOD seems to be one of the few to offer hydraulic simulation software for gas pipelines.

Preemptive outcome - Modelling Software

To allow testing of the detection tools on all the domains of interest, we have built the following three different but complementary simulation environments:
- An electrical power network simulation environment, including models of distributed energy resources and smart grid control functions. This environment allows analysing the impact of attacks on society and provides input data for the anomaly detection algorithms developed for the process detection tool.
- An electrical power network emulation environment that expands our potential to perform attacks in a closer-to-reality industrial environment that uses real Modbus/TCP communications. The traffic generated by this environment is helpful to provide real data to the network and host detection tools, which deal with the detection of network- and software-related threats.
- A Matlab-based simulation environment that enables the simulation of any kind of utility, e.g. water, gas and electricity, provided that a Matlab-Simulink block diagram is available.
The virtual environments are composed of virtual images of basic components (workstations, servers, HMIs, SCADA/DCS servers and PLCs) that can be easily distributed to partners. We also provide realistic malware samples that attack industrial control networks from different entry points (both at system and process level). The environment constitutes a useful toolkit for verifying the effectiveness of the PREEMPTIVE tools against complex attack conditions and threats.

Preemptive outcome - Modelling Software

Preemptive outcome - Software Detection (architecture diagram)

Components shown in the diagram: Graphic Interface (T6.3, alarms from correlation, web/HTML5); VBrain BI (historical detection and prediction, BI module based on WEKA) and VBrain Server (real-time detection, RDBMS/SQL Server, TCP/UDP queues) on a Windows server (T7.3); CEF event feeds, transferred via FTP, from Linux servers running Vulnerability Assessment (T4.4), Network Flow Detection (T7.1), Network Payload Detection (T7.1) and Process Detection (T6.1/6.2), all attached to the ICS/SCADA network; Host Detection (T7.2) with a host-based tool (HIDS) for standard IT and a check of the integrity of personal storage devices.

Preemptive outcome - Software Detection

The architecture is composed of:
- The ICS/SCADA network: the test bed of a simulated scenario (such as that of the modelling software) or of real scenarios located at the premises of IEC (electricity producer in Israel).
- The detection tools for network, host and process event detection, composed of:
  - The host detection tools: 3 different agents collecting events from host-based standard devices (workstations, laptops), host-based embedded devices (PLCs, RTUs) and integrity-based devices (USB pens).
  - The network detection tool, composed of a Linux server for flow detection, monitoring anomalous behaviour in the packet traffic, and a Linux server for payload detection, analysing packet content to check for anomalies.
  - A process detection tool on a Linux server to detect any anomalous condition in the operating state of a group of devices.
  - A vulnerability assessment tool on a Linux server which scans the network to detect the existing devices with their main information (IP address, operating system, version, open sockets).
- The correlation engine, correlating events from all detection tools, composed of:
  - A real-time detection tool which parses all events coming from the tools and stores them in a database for later processing. The process also forwards high-severity events to the graphical interface.
  - A historical detection and prediction tool to analyse all events and correlate them in order to identify APTs, and to flag as possible attacks events that the detection tools did not detect.
- The graphic interface where alarm events from the correlation tool are displayed.

Preemptive outcome - Software Detection - Correlation Tool

Preemptive outcome - Software Detection - Network Tool

The two detection methods we propose belong to two distinct but complementary areas:
- Payload-based approaches rely on information extracted from the data contained in the payload of network packets to detect intrusions (e.g. malicious data injection).
- Flow-based approaches rely on aggregated network flow information (e.g. the number of messages exchanged between two hosts) to identify malicious activities.

The main results include:
1. A novel technology for payload-based IDS that detects anomalous behaviour in ICS/SCADA networks from the payload of network packets. The new technology creates probabilistic models for the commands and device status sent over the network and identifies anomalies as deviations from such models. The payload-based IDS we propose has two main components:
- scan the network for the presence of indicators of compromise (defined by analysing SCADA-specific protocol vulnerabilities);
- learn a model of the normal behaviour of the process variables describing commands (e.g. function codes) or device status (e.g. a circuit breaker being open/closed), and detect deviations from such models as anomalies. In this way we can detect attacks that e.g. use injection techniques to modify process variables in order to cause damage and disruption (e.g. changing the level setpoint of a tank to overflow it).
2. A novel method for flow-based IDS which leverages a two-layer detector combining signature-based and heuristic-based approaches for detecting advanced threats and zero-day attacks. Here, the deterministic layer embeds the knowledge of well-known attacks (e.g. SYN flood) into signatures, while the heuristic layer learns communication patterns and uses such patterns to detect intrusions. In particular, the heuristic layer focuses on learning the communication patterns between Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs).
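As an added illustration (not PREEMPTIVE project code), the Python below sketches both methods on constructed Modbus/TCP-style records: a payload layer that learns, per host pair, the function codes in use and the value range of each written register (so an out-of-range tank setpoint is flagged), and a flow layer that pairs a SYN-flood signature with a learned messages-per-window baseline between the HMI and the PLC. Host names, register numbers, thresholds and the traffic itself are assumptions made up for the example.

```python
# Added example, not PREEMPTIVE project code: toy payload-based and flow-based
# anomaly detection over constructed Modbus/TCP-style traffic records.
from collections import Counter, defaultdict, namedtuple

# t: seconds; flags: "S" bare SYN or "PA" data segment; fc/addr/value: Modbus
# function code, register address and value (None for non-Modbus packets)
Record = namedtuple("Record", "t src dst flags fc addr value")
WINDOW, SYN_FLOOD = 1.0, 20   # flow window in seconds; signature threshold

def train_payload(records):
    """Learn function codes per (src, dst) and (min, max) per (dst, register)."""
    fcs, ranges = defaultdict(set), {}
    for r in records:
        if r.fc is None:
            continue
        fcs[(r.src, r.dst)].add(r.fc)
        if r.value is not None:
            lo, hi = ranges.get((r.dst, r.addr), (r.value, r.value))
            ranges[(r.dst, r.addr)] = (min(lo, r.value), max(hi, r.value))
    return fcs, ranges

def check_payload(model, r):
    """Alert string for one record, or None if it fits the learned model."""
    fcs, ranges = model
    if r.fc is None:
        return None
    if r.fc not in fcs.get((r.src, r.dst), ()):
        return f"payload: unseen function code {r.fc} from {r.src} to {r.dst}"
    rng = ranges.get((r.dst, r.addr))
    if r.value is not None and rng and not rng[0] <= r.value <= rng[1]:
        return f"payload: register {r.addr} on {r.dst} set to {r.value}, learned {rng}"

def flow_bins(records):
    bins = defaultdict(Counter)   # window index -> Counter of (src, dst) messages
    for r in records:
        bins[int(r.t // WINDOW)][(r.src, r.dst)] += 1
    return bins

def train_flow(records):
    baseline = {}   # (src, dst) -> peak messages per window seen in training
    for counts in flow_bins(records).values():
        for pair, n in counts.items():
            baseline[pair] = max(baseline.get(pair, 0), n)
    return baseline

def check_flow(baseline, records):
    alerts = set()
    syns = Counter((int(r.t // WINDOW), r.src, r.dst) for r in records if r.flags == "S")
    for (w, src, dst), n in syns.items():           # deterministic (signature) layer
        if n >= SYN_FLOOD:
            alerts.add(f"signature: SYN flood {src}->{dst}, {n} SYNs in window {w}")
    for w, counts in flow_bins(records).items():    # heuristic (learned pattern) layer
        for (src, dst), n in counts.items():
            base = baseline.get((src, dst))
            if base is None:
                alerts.add(f"heuristic: unseen host pair {src}->{dst}")
            elif n > 2 * base:
                alerts.add(f"heuristic: {src}->{dst} sent {n} msgs in window {w}, baseline {base}")
    return sorted(alerts)

def normal_traffic(cycles=30):
    """Constructed baseline: HMI polls PLC register 0 (FC 3) each second; every 5th cycle writes setpoint register 10 (FC 6) with 40..60."""
    recs = []
    for i in range(cycles):
        recs.append(Record(i, "hmi", "plc1", "PA", 3, 0, None))
        recs.append(Record(i + 0.1, "plc1", "hmi", "PA", 3, 0, 50 + i % 5))
        if i % 5 == 0:
            recs.append(Record(i + 0.5, "hmi", "plc1", "PA", 6, 10, 40 + (i % 3) * 10))
    return recs

def attack_traffic():
    """Constructed attack: out-of-range setpoint write, FC 8 request from an unseen host, burst of 25 bare SYNs at the PLC."""
    recs = [Record(31.0, "hmi", "plc1", "PA", 6, 10, 95),
            Record(31.2, "eng-laptop", "plc1", "PA", 8, None, None)]
    return recs + [Record(32 + k / 100, "eng-laptop", "plc1", "S", None, None, None)
                   for k in range(25)]

def run_detection(train, test):
    """Train both layers on normal traffic; return (payload alerts, flow alerts)."""
    payload, baseline = train_payload(train), train_flow(train)
    payload_alerts = [a for a in (check_payload(payload, r) for r in test) if a]
    return payload_alerts, check_flow(baseline, test)
```

Running `run_detection(normal_traffic(), attack_traffic())` reports the setpoint of 95 against the learned 40..60 range, the unseen function code from the unseen host, the SYN-flood signature hit and the unseen host pair, while the same normal traffic replayed against itself yields no alerts.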

Preemptive outcome - Software Detection - Network Tool

Network-based monitoring and detection solutions have the following advantages over host-based ones:
- Network-based IDS (Intrusion Detection Systems) are typically passive and agent-less, i.e. no additional traffic is injected into the network and no agents need to be installed on the components. These characteristics make network-based IDS less intrusive and easier to adopt than e.g. host-based IDS.
- Network-based IDS have a more global view of the status of the system, since they monitor the communications between several (possibly all) hosts in the network, while host-based solutions typically focus on detecting attacks that target a specific component (e.g. a server or a host).
- Network-based solutions are more versatile than host-based ones, since they are platform independent and can be easily deployed regardless of the variety of operating systems and components from different vendors that are present in an organization.

Preemptive outcome - Software Detection - Host Tool

We focus our research on three different but complementary areas:
1. malicious payload detection for embedded devices used in ICS environments
2. malware detection in standard IT components deployed in ICS environments
3. integrity of personal and company storage devices

Preemptive outcome - Software Detection - Host Tool

While network-based approaches remain among the more accurate and less invasive approaches to detecting attacks against Industrial Control Systems (ICS), they also suffer from a number of limitations, which indicate that they should be complemented with host-based approaches. Reasons why it is important to examine host-based approaches include:
- The threats we are tackling in the context of PREEMPTIVE involve sophisticated attackers with internal knowledge about the ICS network and its components (the so-called Advanced Persistent Threats, APTs). In this scenario, an adversary may be able to gain direct access to its target without alerting network-based sensors. Generalizing, adopting only network monitoring approaches can potentially miss a number of attack vectors.
- In the cases in which an attacker manages to deliver a malicious payload without sending the exploit over the network (for instance by injecting it inside legitimate documents and project files), a network-based approach would not be able to report the intrusion.
- Network-based approaches are not aware of the internal operating system processes and of their mutual interactions. As a result, there is a significant loss of context information that could instead be used to improve the detection accuracy, particularly of process-based threats.

Preemptive outcome - Software Detection - Process Tool

This tool realizes the detection of anomalies at the industrial process level. For this purpose, the tool is first dedicated to the characterization of normal operation states in Critical Infrastructures (CI), and to the negative representation of data, since the detection tool is based on an Artificial Immune System (AIS). Among the different algorithms composing the so-called AIS group, this report concentrates on the Negative Selection Algorithm (NSA), which seems to be the most appropriate choice for dealing with the type of data coming from CI and with the detection of anomalies that could come either from cyber-attacks or from the malfunctioning of any element or area of the industrial network under study. An important requirement in the implementation of such an algorithm is the definition of the "Self" sample that defines the normal state of the system, which in this case corresponds to the normal operation state of the specific utility being monitored; any event lying outside the "Self" would be considered an anomaly. This definition of the "Self" is obtained through the characterization of the Normal State Operation (NOS) applying different methods of data analysis.
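An added example, not the project's tool: a real-valued Negative Selection Algorithm with variable-radius detectors, trained on a constructed "Self" set for a water tank (level and net flow hovering near their setpoints), so that readings outside that normal operation state fall inside some detector and are reported as anomalies. The process variables, engineering bounds, radii and sample counts are assumptions chosen for the illustration.

```python
# Added example, not PREEMPTIVE project code: a real-valued Negative Selection
# Algorithm with variable-radius detectors (V-detector style). "Self" is the
# normal operating state; a candidate detector survives only if it does not
# match any Self sample, and anything a detector covers is reported as non-Self.
import math
import random

# Constructed process: tank level in metres and net flow (inflow minus outflow)
# in m^3/h; engineering bounds used to scale both variables into [0, 1].
BOUNDS = [(0.0, 10.0), (-50.0, 50.0)]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def normalize(samples, bounds=BOUNDS):
    return [tuple((v - lo) / (hi - lo) for v, (lo, hi) in zip(s, bounds)) for s in samples]


def generate_detectors(self_set, self_radius, n_candidates, seed=7):
    """Negative selection: draw random candidates in [0,1]^d; each keeps a radius
    equal to its distance to the nearest Self sample minus self_radius and is
    discarded if that radius is not positive (it would match Self)."""
    rng = random.Random(seed)
    dim = len(self_set[0])
    detectors = []
    for _ in range(n_candidates):
        c = tuple(rng.random() for _ in range(dim))
        radius = min(euclid(c, s) for s in self_set) - self_radius
        if radius > 0:
            detectors.append((c, radius))
    return detectors


def is_anomaly(detectors, x):
    """A normalized sample inside any detector's hypersphere is non-Self."""
    return any(euclid(c, x) <= r for c, r in detectors)


def normal_operation(n=200, seed=1):
    """Constructed Normal Operation State: level and net flow near setpoint."""
    rng = random.Random(seed)
    return [(5.0 + rng.uniform(-0.8, 0.8), rng.uniform(-8.0, 8.0)) for _ in range(n)]


def build_monitor(self_radius=0.05, n_candidates=1000):
    """Characterize Self from normal operation, then grow the detector set."""
    self_set = normalize(normal_operation())
    return self_set, generate_detectors(self_set, self_radius, n_candidates)


def classify(detectors, raw_samples):
    """Label raw (level, net flow) readings as 'anomaly' or 'normal'."""
    return [(s, "anomaly" if is_anomaly(detectors, x) else "normal")
            for s, x in zip(raw_samples, normalize(raw_samples))]


if __name__ == "__main__":
    _, dets = build_monitor()
    # constructed readings: full tank draining fast, near-empty tank filling fast, normal
    for reading, label in classify(dets, [(9.5, -45.0), (1.0, 40.0), (5.2, -3.0)]):
        print(reading, label)
```

By construction no Self sample can ever be matched (each detector's radius is strictly smaller than its distance to every Self sample), so false positives on the training data are impossible; coverage of the non-Self region depends on how many candidates are drawn.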

Preemptive outcome - Cyber Defence Methodology Framework

GOAL
The final goal is the development of guidelines for improving Critical Infrastructure (CI) surveillance, specialized for utility networks, consisting of a white paper for security managers describing how to improve the surveillance of CI using the lessons learned from the evaluation of the PREEMPTIVE methodology and innovative technologies.

STRUCTURE
To our understanding, a methodology framework should be comprised of catalogues of countermeasures, which may be organizational or technical:
- Organizational countermeasures are best practices related to the organization of work flows and the distribution of responsibilities.
- Technical countermeasures are related to the deployment of devices and software components and their appropriate configuration and settings.
The aim is to analyse the forthcoming and existing standards dealing with ICT security management, and to harmonize Risk and Vulnerability Assessment methods and standard practices to improve prevention and detection procedures against cyber threats, introducing the capability to detect zero-day attacks and their signatures. This approach aims to close the gap between the theoretical level and the practical world of utility networks. Whereas these approaches are dedicated to the protection of general IT infrastructures, consideration of the particular requirements of utility networks supporting the operation of critical infrastructures is still immature.

Preemptive outcome - Cyber Defence Methodology Framework

In order to reach this target, we evaluate the state of the art within this field. Based on that, we look for gaps that could be filled by the new methodology. Therefore, we have reviewed security approaches ranging from general IT, to Critical Infrastructures, and up to Smart Grids, and extracted the countermeasures proposed to mitigate security breaches. We arranged this collection of countermeasures in fine-grained groups and based a gap analysis on it, which resulted in the description of seven weak points in the state-of-the-art implementation. The standards reviewed were:
- IT security standard: SANS Critical Security Controls
- Critical Infrastructure security standards: NIST Guide to Industrial Control Systems Security; International Standard IEC 62443 "Industrial communication networks - Network and system security"; North American Electric Reliability Corporation Critical Infrastructure Protection standard (NERC CIP)
- Smart grid security standards: NISTIR 7628 Guidelines for Smart Grid Cyber Security; ETSI TS 102 689; ETSI TS 187 001
We evaluated the state of the art of the above standards by analyzing and comparing security frameworks, standards and recommendations and identifying the existing gaps. We describe the developed methodology with special regard to how the PREEMPTIVE tools help to close those gaps.

Thank you for your attention!
Giorgio Sinibaldi, Project Coordinator (Vitrociset)
g.sinibaldi@vitrociset.it
WEBSITE: www.preeemptive.eu