Proceedings of the 13th European Conference on Cyber Warfare and Security
|
|
- Rosaline Wiggins
- 8 years ago
- Views:
Transcription
1 Proceedings of the 13th European Conference on Cyber Warfare and Security The University it of Piraeus Greece 3-4 July 2014 Edited by Andrew Liaropoulos and George Tsihrintzis A conference managed by ACPI, UK
2
3 Proceedingsofthe 13thEuropeanConferenceon CyberWarfareandSecurity ECCWS2014 TheUniversityofPiraeus Piraeus,Greece 34July2014 Editedby AndrewLiaropoulos and GeorgeTsihrintzis
4 CopyrightTheAuthors,2014.AllRightsReserved. Noreproduction,copyortransmissionmaybemadewithoutwrittenpermissionfromtheindividualauthors. Papershavebeendoubleblindpeerreviewedbeforefinalsubmissiontotheconference.Initially,paperabstractswereread andselectedbytheconferencepanelforsubmissionaspossiblepapersfortheconference. Manythankstothereviewerswhohelpedensurethequalityofthefullpapers. TheseConferenceProceedingshavebeensubmittedtoThomsonISIforindexing. Furthercopiesofthisbookandpreviousyear sproceedingscanbepurchasedfromhttp://academicbookshop.com EBookISBN:97819 EBookISSN: BookversionISBN:97819 BookVersionISSN: CDVersionISBN:97819 CDVersionISSN: PublishedbyAcademicConferencesandPublishingInternationalLimited Reading UK
5 ImprovingCyberSecurityAwarenessonIndustrialControlSystems: TheCockpitCIApproach TiagoCruz 1,JorgeProença 1,PauloSimões 1,MatthieuAubigny 2,MoussaOuedraogo 3, AntonioGraziano 4 andlasithyasakhetu 5 1 UniversityofCoimbra,Portugal 2 itrustconsulting,luxembourg 3 CentredeRecherchePubliqueHenryTudor,Luxembourg 4 SelexES,Italy 5 UniversityofSurrey,UK tjcruz@dei.uc.pt jdgomes@dei.uc.pt,aubigny@itrust.lu psimoes@dei.uc.pt,aubigny@itrust.lu aubigny@itrust.lu moussa.ouedraogo@tudor.lu antonio.graziano@selexes.com s.l.yasakethu@surrey.ac.uk Abstract: Originally isolated by design, Critical Infrastructures (CI) based on Industrial Control Systems (ICS) such as SCADA (Supervisory Control and Data Acquisition) systemswere born within the scope of industrial process control technologies.havingevolvedfromproprietarysystems,icseventuallystartedadoptingopenarchitecturesandstandards, becomingincreasinglyinterconnectedwithexistingcorporatenetworkinginfrastructuresandeventheinternet.however, asthesesystemsovercametheirisolationandmovedtowardsinterconnectedtopologies,theyalsobecamemoreexposed tothreatsthatweren tevenremotelyconceivablewhentheywerefirstdesigned.particularly,cyberthreatsareoneofthe mostsignificantproblemsthatmodernicsface,astheshortcomingsandvulnerabilitiesofthedecadeoldicstechnology someofthemknownforalongtime,butmostlydownplayedduetotheisolationofsuchsystems becomeseriousthreats thatcanultimatelycompromisehumanlives.asthesecurityneedsictandicsdomainscannotbeaddressedinthesame way,thiscallsforadomainspecificapproach tocyberthreatdetection,designedfromscratchtoaddressitsparticular needs.itmustconsidertheparticularcharacteristicsofeachnetworkingcontext,beiticsorict,inordertoprovidereal timecybersecurityawarenessforthesecurityteamsoperatinginthecontrolroom thisisoneofthemostimportant contributionsofthecockpitcifp7project( ofcis.inthispaperwepresentthecockpitcicyberdetectionandanalysislayer,alsoincludingadetaileddescriptionofits most relevant components in terms of role, integration and remote management. This paper will also show how the proposedsolutionmightbeeffectiveindealingwithsuchcyberthreats,bypresentingrelevantexamples. Keywords:criticalinfrastructureprotection,industrialcontrolsystems,SCADAsystems,IDS 1. Introduction SCADA(SupervisoryControlandDataAcquisition)isthecommonlydesignationwhichisusedtoreferasetof technologies, protocols and platforms used in Industrial Control Systems (ICS). Such systems are used in several scenarios, such as production lines automation, for controlling nuclear or thermoelectric plants, for distributiongridsandmanyotherapplications. As their scope was originally restricted to isolated environments, SCADA systems were relatively safe from externalintrusion.however,asarchitecturesevolvedscadasystemsstartedtoassimilatetechnologiesfrom theinformationandcommunicationtechnologies(ict)world,suchastcp/ipandethernetnetworking.this trend,togetherwiththeincreasingadoptionofopen,documentedprotocols,exposedseriousweaknessesin SCADA architectures. Moreover, the interconnection of the ICS network with organizational ICT network infrastructures,andevenwiththeexterior(forinstance,forconnectionwithinternalcompanysystemsorfor remotemanagement)broughtanewwaveofsecurityproblemsandattackstosuchanextentthatthenumber of externally initiated attacks on ICS systems has increased significantly, especially when compared with internalattacks(kang2011). This situation, together with inadequate systems lifecycle management procedures, disregarding regular updatesorpatching(krutz2006),increasestheprobabilityofasuccessfulattack.whilesuchproceduresare 59
6 TiagoCruzetal. trivialmatterswhicharepartoftheregularmaintenanceroutineintheictworld,theymustbedealtinan entirelydifferentwaywhenitcomestoics,mainlyfortworeasons:thefactthatsomecomponentshaveto workonacontinuousbasiswithoutinterruptions,uptothepointofworkingyearswithoutbeingreinitialized (ESCoRTS2010)(Zhu2011);duetothefactthatanysoftwarereleasemustbecarefullytestedbyequipment manufacturers before being released, or even due to endoflife support for specific devices or software frameworks. Therefore,ICSconstituteacriticalandstrategicassetthatisbeingincreasinglytargetedbymaliciousattacks, withpotentiallycatastrophicconsequences.inthiscontext,cockpitci(cockpitci)isfocusedonimprovingthe resilienceanddependabilityofcis. The idea behind the CockpitCI project is to allow the community of CI (Critical Infrastructure) owners to exchangerealtimeinformationaboutattacks(andtentativeattacks).inthisscope,eachciincorporatesits ownrealtimedistributedmonitoringsystemandperimeterintrusiondetectionsystem(pids).thesesystems areabletoaggregatethefilteredandanalyzedinformationofpotentialcyberattacksagainstsystemsusedto supporttheoperationofcisandidentifythepotentialunsecuredareaofthecis. This PIDS, which is the focus of this paper, performs many of the tasks traditionally associated with a Distributed Intrusion Detection System, with support for diversified and closely integrated detection and analysis techniques and tools. Each PIDS is to be deployed in the targeted area of a CI, in order to detect coordinatedcyberattacksandinordertodeploypreventionstrategiesofisolation. Through coordinated PIDS operations, it is possible to put in place a specific perimeter to detect potential coordinatedcyberattacksoncisforeachtypeofdetectedattacksorformixedcyberattacks.thecockpitci PIDSisbasedonastateoftheartdistributedintrusiondetectionarchitectureencompassingasetofdetection agents that feed realtime and soft realtime automated correlation and anomaly detection mechanisms, orchestratedtogetherbyamanagementplatform. In this paper the main aspects of the proposed PIDS architecture are presented. Section 2 discusses the problem of security in ICS/SCADA. Section 3 introduces the CockpitCI architecture. Section 4 presents the proposedpids,withsections5and6discussinganalysiscomponentsanddetectioncapabilities,respectively. Section7detailsintegrationofeventingandmanagementinterfaces.Finally,section8presentsconclusions andgivessomeinsightsintowhatfuturedirectionstheprojectmighttake. 2. AbriefoverviewofICS/SCADAsecurityissues ThedevelopmentoftheCockpitCIPIDSarchitecturewasprecededbyarequirementsanalysisphase,withthe purpose of understanding the specific characteristics and differences between ICS and conventional ICT infrastructures,fromasecuritystandpoint.thisstudyrevealedseveralandsignificantdifferencesbetweenict and ICS domains that are deeply rooted in their own particular characteristics, down to the fundamental prioritiesthatdefinewhicharethemostimportantoperationalandfunctionalpropertiesofthesystem. Whenitcomestotheirfundamentalgoverningprinciples,ICSandICTinfrastructureshaveaninvertedsetof priorities,asituationthatisoneofthemaincausesofscadainfrastructuresecurityproblems.thisispartly duetothefactthat,astheicsparadigmevolved,itwasnotaccompaniedbyanequalprogressionintermsof anindustrymindsetthatremainedunchangedalmostsincetheinceptionofsuchtechnologies.asaresult,and duetoitscriticalnature,icsoperationanddesignpracticesfrequentlyprivilegeavailabilityandreliabilityover confidentiality and data integrity a perspective that is quite the opposite from the ICT philosophy, which privilegesconfidentialityandsecurity,followedbycommunicationsintegrityand,finally,byavailability(isa ).Thiscontrastexplainswhyitisfrequenttofindalackofmutualunderstandingbetweenthecontrol systemsteamsandthesecurityitstaff,withinthesameorganization. ThedifferencesbetweentheICTandICScontextsalsomeanthatthereisno onesizefitsall solutionwhenit comestochoseandimplementsecuritymechanisms.despitethis,importingsolutionsfromtheictworldis often a necessity, which might lead to undesirable sideeffects. The fundamental premises for ICT security tools and commonplace lifecycle management procedures, such as patching and updating a system, can becometroublesomeinanics,whenfacedwithsituationssuchastheimpediment/highcostofstopping 60
7 TiagoCruzetal. production or even the explicit prohibition by the system s manufacturer. As an example, a SCADA system customermaybeunabletoinstallanupdateonanoperatingsystemunlessthemanufacturercertifiestheir softwarefortheupdate. ProductlifecycleisanothermatterthatseparatesICTfromICSsystems,withtheformerhavingsubstantially shorter lifecycles, when compared with the latter. In ICS it is frequent for mature systems to be kept in operation,sometimesfarbeyondtheirprojectedlifetime the ifain tbroke,don tfixit philosophy.this limits the possibility of implementing some security mechanisms due to the limited capabilities of existing equipment(igure2006). Moreover,SCADAcommunicationprotocols,whichareresponsiblefortheinteractionbetweenfielddevices, suchasplc(programmablelogiccontrollers)orrtu(remoteterminalunits)componentsandthestations that control and monitor them, pose security concerns. One of such examples is the Modbus protocol (Modbus 2006), originally developed by Modicon (currently part of the Schneider Electric Group) in ModbusisoneofthemostpopularprotocolsforSCADAapplications,thankstoitssimplicityandeaseofuse. However,Modbussuffersfromsecurityproblems:thelackofencryptionoranyotherprotectionmeasures exposesittodifferentvulnerabilities(triangle2002) ifwetakeintoconsiderationthatitisnotuncommonto find situations where the ICT and ICS networking contexts are blended within the corporate network, it becomescleartowhichpointsomeicsarevulnerable.despitethis,protocolssuchasmodbushavealarge lifespanandarestillbeingmassivelydeployedandused. Simplyput,whenitcomestoICS,technologyandplatformmaturityarevaluedasanimplicitrecognitionof value and reliability, and even the disclosure of security issues related to them seems to have no effect in discouragingtheirusageorpromptingtheadoptionofcountermeasurestoprotectthem.thishasbecomethe rootcauseofmanyicssecurityissuesthathavebeenexploitedwithavariabledegreeofsuccess,inrecent times,suchasthestuxnettrojan(o Murchu2011). 3. TheCockpitCIproject ToimprovetheresilienceanddependabilityofCriticalInfrastructures(CIs),theCockpitCIprojectproposesan architecture that is divided into several modules/components, whose interaction is illustrated in Figure 1 (CockpitCI 2013). Not only does this architecture aim to detect cyber threats using novel strategies for intrusion detection, along with devices specially conceived to monitor CI ICS/SCADA systems, but it also accountsforcommunicationbetweenmultipleinterdependentcis,usingasecuremediationnetwork(smn) toshareoperationalandsecurityinformation. AmongthemultiplecomponentsthatmakeuptheCockpitCIarchitecture,theDynamicPIDSprovidesthecore cyberanalysisanddetectioncapabilities,beingresponsibleforcontinuouslyassessandprotecttheelectronic security perimeter of each CI. The automatic analysis and detection mechanisms for each PIDS are fed by severalfieldadaptorsanddetectionagentsdeployedwithineachci,whichconstituteits eyes,providingthe basic information from which the ongoing security status of the CI is inferred. Also, the PIDS encompasses semiautonomous reaction capabilities, being able to deploy and activate countermeasures, in line with predefinedsecurityreactionpolicies. For each CI, an Online Integrated Risk Predictor (IRP) module works as a decision support system for managementteams,feedingoperationalindicators(suchasprocessleveldata,gatheredusingthescadatlc and ELE adaptors shown on Figure 1) and cybersecurity information (generated by the PIDS) into a set of modellingtools,toassessandpredictpropagationandthreatlevelsforpotentialcyberattacksontheci.in this scope, SCADA adaptors translate SCADA data from various components into a common data format, enabling the use of devices from different vendors and legacy SCADA HW/SW (Hardware/Software) while sharingdatawiththedetectionlayerandtheirp. TheSecureMediationNetwork(SMN)providesthemeansforexchangingsecurityinformationbetweenCIs, also enabling the use of risk prediction and other analysis mechanisms to assess threats in a global scale, accounting for CI interdependencies (as exemplified by Figure 1, which represents 2 kinds of CIs that are frequentlydependentoneachother:telecommunicationsandelectricpowerdistribution). 61
8 TiagoCruzetal. Figure1:TheCockpitCIgeneralarchitecture(CockpitCI2013) Amongthesecomponents,theCockpitCIPIDScyberanalysisanddetectionarchitectureconstitutesthemain subjectofthispaper.thenextsectionswillfocusonthepresentationandanalysisofthebasiccomponentsof the PIDS, explaining how they work together to continuously monitor and analyze the ICS/SCADA system components of a given ICS in order to perform threat detection. Also, the event correlation and anomaly detection mechanisms thatconstitute the cybersecurity analysis capabilities of the PIDS will be addressed, togetherwiththedescriptionoftheagentsandprobesthatfeedsuchthemwithinformationaboutics/scada system sstateanditsdataflows. 4. TheCockpitCIcyberdetectionandanalysislayerwithinthePIDS TheCockpitCIPIDSincorporatesseveraladvancedrealtimedetectionandanalysismechanisms,integratedto constituteacyberanalysisanddetectionlayerfortheci,asshownonfigure2.itisstructuredalongthethree different zones of the CI, each one with its own internal security perimeter: the Field Network, SCADA Process/OperationsNetworkandtheIT(InformationTechnology)Network.ThisdistinctionconfersthePIDS theabilitytodeployagentsandsecuritypoliciescustomizedtothespecificneedsandcharacteristicsofeach networkscope. Thisarchitecturewasdesignedtodealwithseveralattackscenarios,fromknownthreatstorogueevents,such as: maninthemiddle attacks, device impersonation, nonauthorized tampering, worms, trojans, denialof service attacks or flooding, among others. For this purpose, the PIDS is designed in such a way that it integratesdifferentdetectionstrategies,distributedalongdifferentlevels,namely: Detection agents and field adaptors, including agents, adaptors and extensions for existing system components, as well as specialized network probes and honeypots (Spitzner 2002) to be added to the network which are able to capture behaviour or traffic patterns (as performed by NIDS Network IDS components)aswellashost(usingtoolssuchashids/hostids,orantivirussoftware)andfielddevice monitoring. Adistributedmultizone,multilevelcorrelationstructurethatprocessestheinformationprovidedbythe security sensors, complemented by machinelearning capabilities, in the form of OneClass Support VectorMachine(OCSVM)(Ma2003)anomalydetectionmodule,basedonadaptivemachinelearning. Aggressiveusageoftopologyandsystemspecificdetectionmechanisms,basedonthefactthattherole andbehaviourofeachsystemcomponentinanicsareexpectedtobemoreconsistentovertimethanon othertypesofnetworks,analysiscomponentsarefedwithknowledgeprovidedbyanumberofsystem specific sources, such as topology databases, policy databases, and trustbased mechanisms, as well as strategicallyplacedhoneypots. TheoperationofthePIDScomponentsisorchestratedthroughaSecurityManagementPlatform(SMP),which is responsible for managing all the involved components of the solution (see Figure 2). It includes the 62
9 TiagoCruzetal. mechanismsformanagingthesecurityandcomponentsoftheinfrastructure.thesmpisresponsibleforthe maintenanceandmanagementofmonitoringprobessuchasidsandtheanalysiscomponents,alsoincluding monitoringofinplacesecurityandvulnerabilitieswithinthenetworkaswellasthemaintenanceofthelatter. Therefore,theSMPhasadualrole,dealingwithbothsecurityauditandmaintenancemechanisms. SecurityManagementPlatform NIDS NIDS Local Correlator OCSVM Modbus Honeypot HIDS HIDS NIDS FieldNetwork1 HIDS HIDS Local Correlator OCSVM Modbus Honeypot Local Correlator OCSVM Local Correlator OCSVM NIDS ITNetwork OperationsNetwork FieldNetworkN MainCorrelator Figure2:TheCockpitCIcyberdetectionandanalysislayer(redflows=management,green=eventing) The SMP performs the configuration of detection agents on the field, allowing to setup their detection thresholds and other relevant parameters. This detection threshold depends on both the risk level of the overallinfrastructure(thelevelofdetectionshallbehigheriftheprobabilityofanattacksishigher)andonthe specificdetectionneeds(e.g.incaseofabnormaleventdetectiononspecificsystem,thesmpshallbeableto verifyallsimilarcomponentsinthecistochecktheirsecuritylevel). Duetothedemandingavailabilityrequisitesandlittletolerancetodelays,thedetectionarchitectureistobe implementedusinganetworkthatisseparatefromthescadasystemnetwork(eventuallyitcanusethesame physical network, using VLAN (Virtual Local Area Network) or other types of overlay techniques for traffic separation),inordertoguaranteethatitdoesnotinterferewiththenormaloperationofthecontrolnetwork. 5. Analysislayer TheanalysiscomponentsofthePIDSprovideawaytoextractinformationfromthedatacollectedbytheagent layerordirectlyfromnetworktraces.thesecomponentsarearrangedinatwolevelarchitecturewithlocal instancesfinetunedforeachnetworkscope. 5.1 Localandglobalcorrelators Local correlators perform the first step of correlation, filtering and reducing the number and noise of the alarmsgeneratedbythedetectionlayer,whileprovidingamechanismforsecurityeventgenerationthatis able to filter, process and relate events within a network segment (e.g. alarms generated by two or more detectionagents,multipleeventsfromthesamesource). Localcorrelatorsreceivetheeventsfromlocaldetectionagents(e.g.HIDS)ontheirnetworkscopeandprocess themaccordinglywithasetofrules,forwardingsignificantresultstoaglobalcorrelationengine.thisapproach providescontextseparation,atthesametimeallowingforbetterefficiencyandscalabilityforrealtimeevent processing.afterlocalcorrelation,eventsaresenttotheglobalcorrelatorsandfromthelattertothesmn, using the Intrusion Detection Message Exchange format (Debar 2007). IDMEF defines an experimental standard for exchanging intrusion detection related events. As a standard, it can be used as a vendor or productindependentenablingintercommunicationbetweendifferentagentssuchasnidsorhoneypots. 63
10 TiagoCruzetal. As illustrated by Figure 2, local correlators receive events from the different agents such as NIDS, HIDS, Honeypots,amongothers.Theseagentsaredistinctaccordingtonetworkzoneinwhichthelocalcorrelatoris located.despiteoftherangeofdifferentagents,thelocalcorrelatorshouldusethesameinterfaceforallof them, as messages are received through an Event Bus (discussed on Section 7). This interface will allow subscribingtotheeventspublishedbytheagents.localcorrelatorsalsohaveanagentadaptorinterfacethat allowsformanagement,viathesmp. Regardingtheeventinterfacesforthemaincorrelatorwehavedifferenttypes:onetoreceiveeventsfromthe localcorrelatorsandanotheronetosendeventstothesmp,bothusinganeventbus.aslocalcorrelatorshave already previously processed received events, the main correlator can focus in MultiStep, Attack Focus Recognitioncorrelation,aswellasAlertPrioritization.Amanagementadaptorprovidestheinterfaceforthe SMPtoconfigurethecorrelator(seeFigure3). ThecorrelatorsareimplementedusingtheEsper(Esper)ComplexEventProcessing(CEP)tool.Thiswasdueto thefactthatesperisamultiplatform,flexibleandmaturetool,indevelopmentsince2006.also,performance tests have shown Esper to exhibit a goodbalance between memoryusage,cpu usage and execution time, whenprocessinghundredsofthousandsofevents. Figure3:verviewofthecorrelatorarchitecture EspercannativelyaccepteventsrepresentedinXML,amongothers,whichisusefulasIDMEF,usedbythe PIDS,isanXMLbasedformat.IfaXMLschemadocument(XSDfile)isprovidedEspercanreadtheschemaand properlypresenteventtypemetadataandvalidatestatementsthatusetheeventtypeanditsproperties.to accesstheelementsoftheeventthecorrelatorusesxpathexpressions.ifaschemaforthexmlisprovided, thexpathexpressionneededtoreferencetheattributecanbeinferredautomatically.otherwise,expressions canbemanuallyconfigured. An overview of the architecture of a PIDS correlator, based on Esper, is pictured in Figure 3. The events receivedfromtheinputadaptoraresenttotheesperruntime(epruntime);thisprovidestheinterfacetothe eventstreamprocessingruntimeservices.thestatementsareregisteredintheepruntimeandrepresentthe eventstreamqueriesand/oreventpattern.eachstatementcanhaveoneormorestatementlistenersbound tothem.whentheconditionofaqueryisverifiedespercantriggerthelistener(s)boundtotherule,insertthe resultofthestatementintoanotherstream(thatalreadyexistsoriscreatedatthattime)ordobothoptions. If a rule generates a new event, that need to be sent by the correlator to the Event Bus, the listener will interfacewiththeoutputadaptortosendit.outputeventsaregeneratedbyrulesmakinguseofinputevents, cachedevents,theinternalstateandinformationfromexternalsources. EsperstatementsareaddedtotheEPRuntimethroughtheEsperAdministrator(EPAdministrator)module.This is an administrative interface to the event streamprocessing engine. For security auditing purposes the correlator will log all events and traces of the actions performed to persistent storage. The events will be logged as they are received in thecorrelator and theepruntime shall also log the actions executed by the 64
11 TiagoCruzetal. correlator.correlationcanmakeuseofinformationtakenfromexternalsources.thesesourcescanprovide additional information related, among others, to thedefinition of thenetwork topology and other detailed systeminformation.theseexternalsources(knowledge/topologydatabases)canbequerieddirectlyfroman EPLstatement.Newrulescanbeaddedtothecorrelationenginedynamically,withoutrestartingtheengine. Usingthesamecorrelatortoolforthetwolevelsofcorrelationprovidesuniformity,sincethesamelanguageis used to express the correlation operations, and allows easier integration with the Event Bus, as the same interfaces can be used for the two levels. Using the same rule description language for both correlators simplifiesthetaskofrulemanagementbyoperatorsandsecurityexperts.additionally,somecorrelationrules canbeusedinbothcorrelatorswithouttheneedtobeconverted. 5.2 OneClasssupportvectormachines(OCSVM) OCSVM(OneClassSupportVectorMachine)areanaturalextensionofthesupportvectoralgorithmtothe caseofunlabelleddata,especiallyfordetectionofoutliers.however,unlikesvmoranyanotherclassification algorithm,ocsvmdoesnotneedanylabelleddatafortrainingoranyinformationaboutthekindofanomalyis expecting for the detection process. OCSVM principles have shown great potential in the area of anomaly detection(ma2003,li2003,schölkopf2001).moreover,ocsvmiscapableofhandlingmultipleattributed data(hsu2003,wang2004),whichiswellsuitedforscadasystems. TheadvantagesoftheOCVSMcomponentaremanifold:sinceOCSVMdoesnotrequireanysignaturesofdata tobuildthedetectionmodelitiswellsuitedforanomalybasedintrusiondetectioninscadaenvironment; sincethedetectionmechanismdoesnotrequireanypriorinformationoftheexpectedattacktypes,ocsvmis capableofdetectionbothknownandunknown(novel)attacks,besidesbeingrobusttonoiseintrainingsets. Also, algorithm behaviour can be controlled and finedtuned by the user to regulate the percentage of anomaliesexpected(thresholds,asdefinedviasmpviatheocsvmmanagementadaptor). OCSVMoperationconsistsof2steps,namely:trainingandtesting.DuringthetrainingstageOCSVMbuildsa modelfromtrainingonnormal(i.e.,obtainedfromasystemoperatingundernormalconditions,withoutany attackinprogress)dataandthenclassifiesthenewdataaseithernormalorattackbasedonitsgeometrical deviationfromthetrainingdatainthetestingstage.sincetheocsvmdetectionapproachisrobusttonoise samples, the trainingdata set can include some noise samples (i.e. data whichdoes notcorrespond to the normalbehaviour).anocsvmcomponentisdeployedinit,operationandfieldnetworkzone(s),therefore requiringdifferenttrainingsets. Oncethetrainingphaseiscomplete,theOCSVMmoduleiscapableofdetectingpossibleintrusions(abnormal behaviour)tothescadasystem,basedonrealtimecaptureofnetworktraffictraces.thedetectionmodule will classify each event whether it is a normal event or a possible intrusion. This information will then be encodedinanidmefmessageandsenttothemaincorrelator,usinganadaptorfortheeventbus,inorderto reactaccordinglytothedetectedintrusions. 6. Detectionagents Thedetectionagentsarethelowestlevelofthedetectionlayer.Theirpurposeistogatherinformationfrom the system. As the format of information provided depends on the type of detection agents used (type of probe),adaptorsallowtheacquisitionofdatafromthesysteminarecognisedformat.detectionagentsand adaptorsareessentialtofeedthelocalcorrelatorsofthedetectionlayerwithinputdataregardingsuspicious activity.thepidsencompassesseveralkindsofprobesanddetectionagents,amongwhichthemostrelevant arenextdescribed. 6.1 Threatdetectionagents Network IDS: the perimeter for each network scope is monitored using NIDS components for each one: IT NetworkNIDS,OperationsNetworkNIDS,andFieldNetworkNIDS.Thesehaveinterfacestoreportthesecurity eventstothezonecorrelatorwithintheirnetworkscope.inthepids,snort(snort)isusedforthispurpose, albeitothernidscouldbeused. 65
12 TiagoCruzetal. HostIDS:theHostIDSisdeployedinthehosts/serversofthesystem.Itiscapableofreportinganomalous behaviourinthemachinewhereitisdeployed.inthecockpitcipids,ossec(ossec)isusedforthispurpose, butotherhidscouldbeused. Honeypots:actingasdecoysandbeingcapableofdetectingattackersprobingthenetwork,honeypotsprovide anothersourceofdataforcorrelation.therearethreetypesofhoneypotsinthedetectionlayer:itnetwork, OperationsNetworkandFieldNetworkhoneypots(Simoes2013). Exec Checker (linux hosts): capable of detecting malicious network frames by sniffing the traffic, the Exec Checker (in active or passive mode) captures the different parts of an executable in the network traffic to recreatethefileandsendittoananalysistool. 6.2 Vulnerabilitydetectionagents OutputTrafficControls(linuxhosts):capableofdetectingRemoteAccessTrojans,thisspecifictoolregularly scanssystemcomponentstocheckifaremoteaccesstoolboxhasbeeninstalledoncomponentstofacilitate externalattacks. VulnerabilityChecker(windowshosts):thistoolprovidesaregularcontrolofsystemvulnerabilitytocheckif themonitoredsystemsarevulnerableornotaccordingtoanupdateddatabase.thistoolcanbecustomized foritorscadahostprofiles. ConfigurationChecker(linux/windowshosts):thistoolprovidesaregularcontrolofsystemconfigurationsto checkforunauthorizedmodification. 6.3 Securityeventdetectionagents Behaviour checker (linux/windows hosts): capable of detecting attacks/threats by analyzing lowlevel hardware/software behaviour, this specific family of detection agents retrieves hardware/software information such as temperature and CPU (Central Processing Unit) activity in order to avoid accidental or maliciousoutage. SecurityeventsgeneratedbydetectionagentsareencodedusingtheIDMEFformat.Alldetectionagentshave aseparatechannel(anotherinterfaceorsecurechannel)formanagementpurposes,enablingthesecuritystaff to adjust the configurations with the scenario requirements, via the SMP. The detection agents send their messagesbymeansofaneventbusdescribedinsection7,whichalsodetailsthemanagementinterfacesfor theagentadaptors.theseinterfaces(eventingandmanagement)weredesignedtoeaseintegrationofseveral types of detection capabilities (such as antivirus, for instance) providing wrapper components for event generationandthemanagementapi. 7. Interfacesandintegration Thischapterdescribesthetransportmechanismsandinterfacesforeventdataflowingbetweentheseveral existingcomponentsofthepids,alsoaddressingtheirmanagementinterfaces. 7.1 Theeventbus The Event Bus is the component responsible to manage the communication of the events between the differentelementsofthepids,whosearchitectureisdetailedinfigure4.eventsgeneratedbythedifferent agentswithineachzonearesenttoaneventbusbroker.thebrokeristhenresponsibletoroutethiseventsto aqueuefromwhichthelocalcorrelatorcanconsumethem.afterprocessingandcorrelating,theeventseach localcorrelatorsendstheeventstoanotherbrokerthatfeedsthemaincorrelator.theeventsproducedbythe maincorrelatoraresenttothemainbrokerthatroutesthemtoaqueuewheretheycanbesenttothesmp. 66
13 TiagoCruzetal. IT Network Operations Network Field Network NIDS HIDS Honeypot NIDS HIDS Honeypot NIDS HIDS Honeypot Event Broker Event Broker Event Broker OCSVM Local Correlator OCSVM Local Correlator OCSVM Local Correlator Event Broker Main Correlator Events Figure4:Eventbusarchitecture Security Management Platform The Event Bus uses a Message Oriented Middleware (MOM) (Banavar 1999) to provide efficient event communicationamongthe(sometimes,heterogeneous)componentsthatcomprisethepids.severalmom implementations depend on a Message Queue (MQ) system to allow asynchronous message delivery, by providingatemporarystorage,onmemoryordisk,forthemessages.messagingapplicationscommunicate witheachotherthroughamessagingsystem,actingeitherasamessageproducers(senders)orconsumers (receivers). Producers and consumers are loosely coupled, being connected through virtual channels called publishandsubscribe(onetomany)channelsorpointtopoint(onetoone)channels(chappell2004). Fortheintegrationofeventinginterfaces,theCockpitCIPIDSadoptedanEventBusbasedontheAdvanced Message Queuing Protocol(AMQP) (OASIS 2011), a wirelevel, open standard application layer protocol for MOM that defines a neutral (IDMEFcompatible) encoding scheme of byte sequences to pass over the network. An AMQP messaging system comprises three main components: publisher(s) (which assemble messagesandsendthemtoamessagequeue)consumer(s)(whichreceivemessagesfromamessagequeue) and broker(s)/server(s) (responsible for receiving messages from publishers and route them to the right consumers). TheAMQPbasedMOMbringsasetofimportantfeaturestothePIDSarchitecture,namely: Security: it supports authenticated and/or encrypted transport, using Transport Layer Security (TLS) or SimpleAuthenticationandSecurityLayer(SASL),toprotecteventsfromtamperingand/oreavesdropping. Messagereliability:itcanguaranteemessageorderingusingaqueuingbroker,ensuringthatmessages are delivered to the receiver in the same order in which the sender sent them, with support for disconnection(messagesmaybeheldinaqueuefordeferreddelivery). Resiliency:messagedeliverysemanticsprovidearangeofdeliveryoptions,withspecialemphasistothe exactlyonce and atleastonce modes. These delivery modes, guarantee the message to arrive to the intendeddestinationnomatterwhat.themessagingproviderwillretrythedeliveryofamessageupona deliveryfailure. Scalability and High Availability: it provides scalability for the communication system thanks to the publishersubscriber model. The agents can send events, publishing them to a queue/exchange in the broker, which is subscribed by a correlator to receive the messages. This allows adding additional consumerswithease,forfailoverortodistributethecorrelationloadacrossmorethanoneinstance.also, agroupofbrokerscanbeclusteredtogetherforhighavailabilityand/orscalability/loadbalancing. Moreover, the protocol is vendorneutral and platformagnostic. There are several open source implementationsformanydifferentprogramminglanguages. 67
14 TiagoCruzetal. 7.2 Managementinterfaces Foreachmanagedentitythatdoesnotprovideasuitablemanagementinterface,acomponentmanagement adaptor/coupling architecture provides an uniform API and Data Model for each component that does not exposeitsownnativemanagementinterface. TheManagementAdaptoralsoembedsanAPI/DataModelmodulethatisresponsibleformaintainingitsdata model(stateandsemantics)propertiesandalsotoprovidethewebserviceapiinterfacetomanipulatethem. AccordinglywiththemappingrulesfromtheAbstractionClass,attributesexposedbytheAPIlayermighthave severalproperties,defininganddescribingtheiraccessmode(read,write),ordatatypes.theapimakesuseof REST(REpresentativeStateTransfer)(Fielding2000)webservices,withsecuritybeingprovidedwiththehelp ofhttpswithotherauthenticationmechanismssuchasclientcertificatesorsignedrequests. The data model structure for management adaptors is standardized, being inspired on hierarchical models usuallyfoundonmanagementprotocolssuchassnmp(case2002),beingarrangedasatree.asynchronous eventsarealsosupportedthoughinclusionofeventingproperties,enablingaspecificattributetogenerate notificationswhenitsstatechanges. 8. Conclusion This paper presents the architecture of the PIDS within the CockpitCI architecture. This architecture was designed to address the special cybersecurity needs of CIs, such as ICS/SCADA systems, being based on a distributedapproachthatattemptstobringthemosteffectivedetectionmechanismsandtoolstogetherwith correlationandanomalydetectionanalysistechniques,inordertocreateasolutionthatstartswiththestate oftheartincisecurityasitsbaseline. Astrongpointofthisarchitectureliesinitscapabilityforassimilationofadiverserangeofdetectiontoolsina coherent framework with homogeneous coordination and orchestration. Using distributed twolevel correlation capabilities the PIDS is able to get a micro and macroperspective on the ongoing status of the monitoredci,whilebeingcapableofdealingwithunknownthreats,thankstotheincorporationofmachine learning anomaly detection features. Future work will address improved integration with the SMN, while expandingonfunctionalityanddiversityofdetectioncomponents. Acknowledgements The authors would like to thank the support of the CockpitCI (FP7SEC20111 Project ) and icis (IntelligentComputingintheInternetofServices CENTRO070224FEDER002003)projects. References OASIS,AdvancedMessageQueuingProtocol(AMQP),version1.0,availableat: open.org/committees/tc_home.php?wg_abbrev=amqp,july2011. Banavar,G.,Chandra,T.,Strom,R.andSturma,D.(1999)ACaseforMessageOrientedMiddleware,IBMT.J.Watson ResearchCenter,Hawthorne,NewYork. J.Caseetal.(2002)IntroductionandApplicabilityStatementsforInternetStandardManagementFramework,IETFRFC 3410,December2002. D.Chappell(2004)EnterpriseServiceBus,O'ReillyMedia,2004 CockpitCI,CockpitCIFP7SEC20111Project285647,availableat: CockpitCI(2013)CockpitCIFP7DeliverableD3.1,Requir.andReferenceArch.oftheDetectionLayer. H.Debar,D.Curry,B.Feinstein(2007)Rfc4765:Theintrusiondetectionmessageexchangeformat(IDMEF),March2007, ESCoRTS(2010),TAXONOMYofSECURITYSOLUTIONSfortheSCADASector,Deliverable2.2, EsperComplexEventProcessing,EsperTech,availableat: Fielding,R.T.(2000)ArchitecturalStylesandtheDesignofNetworkBasedSoftwareArchitectures,Ph.D.Dissertation, UniversityofCalifornia,Irvine. Hsu,C.,Chang,C.andLin,C.(2003)Apracticalguidetosupportvectorclassification,Technicalreport,Dept.ofComputer ScienceandInformationEngineering,NationalTaiwanUniversity,Taipei. Igure,V.M.;Laughter,S.A.andWilliamsR.D.(2006)SecurityissuesinSCADAnetworks,Computers;Security,Volume25, Issue7,Pages498506,2006. ISA (2007)SecurityforIndustrialAutomationandControlSystemsPart1:Terminology,Concepts,andModels, AmericanNationalStandard. 68
15 TiagoCruzetal. Kang,D.etal.,(2011)ProposalstrategiesofkeymanagementfordataencryptioninSCADAnetworkofelectricpower systems,int.journalofelectricalpower&energysys.,vol.33,iss.9,nov Krutz,R.L.(2006)SecuringScadaSystems,USA:WileyPublishing,Inc.,2006. K.Li,H.Huang,S.TianandW.Xu(2003)ImprovingoneclassSVMforanomalydetection,ProceedingsoftheSecondInt. ConferenceonMachineLearningandCybernetics,Xi an,2003. J.MaandS.Perkins(2003)Timeseriesnoveltydetectionusingoneclasssupportvectormachines,Proceedingsofthe InternationalJointConferenceonNeuralNetworks,July,2003,pp ModbusIDA(2006)ModbusApplicationProtocolSpecificationV1.1b. L.O Murchu,N.Falliere(2011)W32.Stuxnetdossier,SymantecWhitePaper,February2011. OSSEC,OpenSourceSECurity,TrendMicro,availableat: B.Schölkopf,J.Platt,J.ShaweTaylor,A.J.Smola,andR.Williamson(2001)Estimatingthesupportofahighdimensional distribution,neuralcomputation,vol.13,no.7,pp ,2001. P.Simões,T.Cruzetal.(2013)OntheuseofHoneypotsforDetectingCyberAttacksonIndustrialControlNetworks,Inproc of12theuropeanconf.oninformationwarfareandsecurity(eciw2013). SnortIDS,Sourcefire,availableat: Spitzner,L.(2002)Honeypots:TrackingHackers,AddisonWesleyProfessional. TriangleMicroWorks,Inc(2002)DNP3Overview,Raleigh,NorthCarolina, trianglemicroworks.com/documents/dnp3_overview.pdf. Y.Wang,J.Wong,andA.Miner(2004)AnomalyintrusiondetectionusingoneclassSVM,presentedat5thAnnualIEEE InformationAssuranceWorkshop,WestPoint,NewYork,2004. Zhu,Betal.(2011)AtaxonomyofCyberAttacksonSCADASystems,Proc.ofthe2011Int.Conf.onInternetofThingsand 4thInt.Conf.onCyber,PhysicalandSocialComputing(ITHINGSCPSCOM'11). 69
On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks
CIBSI 2013 Panama City, Panama, October 30 th, 2013 On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks Paulo Simões, Tiago Cruz, Jorge Gomes, Edmundo Monteiro psimoes@dei.uc.pt
More informationINTRUSION DETECTION SYSTEMS and Network Security
INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS
More informationModule II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University
Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions
More informationDeltaV System Cyber-Security
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
More informationa) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)
MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file
More informationCYBER SECURITY: SYSTEM SERVICES FOR THE SAFEGUARD OF DIGITAL SUBSTATION AUTOMATION SYSTEMS. Massimo Petrini (*), Emiliano Casale TERNA S.p.A.
21, rue d Artois, F-75008 PARIS D2-102 CIGRE 2012 http : //www.cigre.org CYBER SECURITY: SYSTEM SERVICES FOR THE SAFEGUARD OF DIGITAL SUBSTATION AUTOMATION SYSTEMS Massimo Petrini (*), Emiliano Casale
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationCS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013
CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationNetwork/Cyber Security
Network/Cyber Security SCAMPS Annual Meeting 2015 Joe Howland,VC3 Source: http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes Security
More informationCompany Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.
Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim
More informationThis is a preview - click here to buy the full publication
TECHNICAL REPORT IEC/TR 62443-3-1 Edition 1.0 2009-07 colour inside Industrial communication networks Network and system security Part 3 1: Security technologies for industrial automation and control systems
More informationNetwork Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion
Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann
More informationIndustrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solution September 2009 / White paper by Dan DesRuisseaux 1 Contents Executive Summary... p 3 Introduction... p 4 Security Guidelines... p 7 Conclusion...
More informationIntrusion Detection via Machine Learning for SCADA System Protection
Intrusion Detection via Machine Learning for SCADA System Protection S.L.P. Yasakethu Department of Computing, University of Surrey, Guildford, GU2 7XH, UK. s.l.yasakethu@surrey.ac.uk J. Jiang Department
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationUpdate On Smart Grid Cyber Security
Update On Smart Grid Cyber Security Kshamit Dixit Manager IT Security, Toronto Hydro, Ontario, Canada 1 Agenda Cyber Security Overview Security Framework Securing Smart Grid 2 Smart Grid Attack Threats
More informationHow to Choose the Right Industrial Firewall: The Top 7 Considerations. Li Peng Product Manager
How to Choose the Right Industrial Firewall: The Top 7 Considerations Li Peng Product Manager The right industrial firewall can strengthen the safety and reliability of control systems Central to industrial
More informationCOORDINATED THREAT CONTROL
APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,
More informationi-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors
March 25-27, 2014 Steven A. Kunsman i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors ABB Inc. March 26, 2015 Slide 1 Cyber Security for Substation
More informationSCADA SYSTEMS AND SECURITY WHITEPAPER
SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of
More informationDefense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks
Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff
More informationTaxonomy of Intrusion Detection System
Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use
More informationIncident Handling. Applied Risk Management. September 2002
Incident Handling Applied Risk Management September 2002 What is Incident Handling? Incident Handling is the management of Information Security Events What is an Information Security Event? An Information
More informationNETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
More informationLesson 5: Network perimeter security
Lesson 5: Network perimeter security Alejandro Ramos Fraile aramosf@sia.es Tiger Team Manager (SIA company) Security Consulting (CISSP, CISA) Perimeter Security The architecture and elements that provide
More informationSecurity Issues in SCADA Networks
Security Issues in SCADA Networks by V. M. Igure, S. A. Laughter, and R. D. Williams Computers & Security, 25(7): 498-506, 2006 presented by Ruilong Deng Postdoctoral Research Fellow School of Electrical
More informationA Review of Anomaly Detection Techniques in Network Intrusion Detection System
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1 Intrusion Definitions A set of actions aimed to compromise the security
More informationInnovative Defense Strategies for Securing SCADA & Control Systems
1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: info@plantdata.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet
More informationSecuring Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.
Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources
More informationIndustrial Security Solutions
Industrial Security Solutions Building More Secure Environments From Enterprise to End Devices You have assets to protect. Control systems, networks and software can all help defend against security threats
More informationInformation Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationEffective Threat Management. Building a complete lifecycle to manage enterprise threats.
Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive
More informationWHITE PAPER. Enabling predictive analysis in service oriented BPM solutions.
WHITE PAPER Enabling predictive analysis in service oriented BPM solutions. Summary Complex Event Processing (CEP) is a real time event analysis, correlation and processing mechanism that fits in seamlessly
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationImplementing Cisco IOS Network Security v2.0 (IINS)
Implementing Cisco IOS Network Security v2.0 (IINS) Course Overview: Implementing Cisco IOS Network Security (IINS) v2.0 is a five-day instructor-led course that is presented by Cisco Learning Partners
More informationSecure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment
Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Introduction 1 Distributed SCADA security 2 Radiflow Defense-in-Depth tool-set 4 Network Access
More informationRealization of Security Events Management System via OPENSTF
Realization of Security Events Management System via OPENSTF Lance Yoo www.antpower.org Requirements Analysis of Security Event Management Background of Security Event Management Requirement We could not
More informationSecuring Distribution Automation
Securing Distribution Automation Jacques Benoit, Cooper Power Systems Serge Gagnon, Hydro-Québec Luc Tétreault, Hydro-Québec Western Power Delivery Automation Conference Spokane, Washington April 2010
More informationNETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
More informationGE Measurement & Control. Cyber Security for NERC CIP Compliance
GE Measurement & Control Cyber Security for NERC CIP Compliance GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used for purposes
More informationIoT & SCADA Cyber Security Services
IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087, Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 4, 60 Edward St, Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au
More informationISACA rudens konference
ISACA rudens konference 8 Novembris 2012 Procesa kontroles sistēmu drošība Andris Lauciņš Ievads Kāpēc tēma par procesa kontroles sistēmām? Statistics on incidents Reality of the environment of industrial
More informationRemote Services. Managing Open Systems with Remote Services
Remote Services Managing Open Systems with Remote Services Reduce costs and mitigate risk with secure remote services As control systems move from proprietary technology to open systems, there is greater
More informationVALLIAMMAI ENGNIEERING COLLEGE SRM Nagar, Kattankulathur 603203.
VALLIAMMAI ENGNIEERING COLLEGE SRM Nagar, Kattankulathur 603203. DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING Year & Semester : II / III Section : CSE Subject Code : CP7028 Subject Name : ENTERPRISE
More informationIntrusion Detection from Simple to Cloud
Intrusion Detection from Simple to Cloud ICTN 6865 601 December 7, 2015 Abstract Intrusion detection was used to detect security vulnerabilities for a long time. The methods used in intrusion detection
More informationSecurity Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those
More informationHost/Platform Security. Module 11
Host/Platform Security Module 11 Why is Host/Platform Security Necessary? Firewalls are not enough All access paths to host may not be firewall protected Permitted traffic may be malicious Outbound traffic
More informationSecurity Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions
Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample
More informationIT Security and OT Security. Understanding the Challenges
IT Security and OT Security Understanding the Challenges Security Maturity Evolution in Industrial Control 1950s 5/4/2012 # 2 Technology Sophistication Security Maturity Evolution in Industrial Control
More informationSoftware Defined Security Mechanisms for Critical Infrastructure Management
Software Defined Security Mechanisms for Critical Infrastructure Management SESSION: CRITICAL INFRASTRUCTURE PROTECTION Dr. Anastasios Zafeiropoulos, Senior R&D Architect, Contact: azafeiropoulos@ubitech.eu
More informationCYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric
CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric Challenges What challenges are there for Cyber Security in Industrial
More informationSCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005
SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems
More informationIntrusion Detection Systems
Intrusion Detection Systems Intrusion Detection Systems Intrusion Detection Systems: Overview IDS Acronyms & Definition Components Recognition & Response Security Interoperability & Cooperation HIDS NIDS
More informationRecommended 802.11 Wireless Local Area Network Architecture
NATIONAL SECURITY AGENCY Ft. George G. Meade, MD I332-008R-2005 Dated: 23 September 2005 Network Hardware Analysis and Evaluation Division Systems and Network Attack Center Recommended 802.11 Wireless
More informationLifecycle Solutions & Services. Managed Industrial Cyber Security Services
Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationHow To Protect Your Network From Attack
Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: stephan.gross@tu-dresden.de
More informationIntrusion Detection System (IDS)
Intrusion Detection System (IDS) Characteristics Systems User, Process predictable actions describing process under that actions what pattern subvert actions attack of correspond the systems processes
More informationEmerging Technologies Shaping the Future of Data Warehouses & Business Intelligence
Emerging Technologies Shaping the Future of Data Warehouses & Business Intelligence Service Oriented Architecture SOA and Web Services John O Brien President and Executive Architect Zukeran Technologies
More informationCloud security architecture
ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide
More informationA Review on Network Intrusion Detection System Using Open Source Snort
, pp.61-70 http://dx.doi.org/10.14257/ijdta.2016.9.4.05 A Review on Network Intrusion Detection System Using Open Source Snort Sakshi Sharma and Manish Dixit Department of CSE& IT MITS Gwalior, India Sharmasakshi1009@gmail.com,
More informationInformation Technology Policy
Information Technology Policy Security Information and Event Management Policy ITP Number Effective Date ITP-SEC021 October 10, 2006 Category Supersedes Recommended Policy Contact Scheduled Review RA-ITCentral@pa.gov
More informationICS, SCADA, and Non-Traditional Incident Response. Kyle Wilhoit Threat Researcher, Trend Micro
ICS, SCADA, and Non-Traditional Incident Response Kyle Wilhoit Threat Researcher, Trend Micro 1 $whoami Threat Researcher, FTR, Trend Micro Threat Researcher at Trend Micro- research and blogger on criminal
More informationExternal Supplier Control Requirements
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationIDS / IPS. James E. Thiel S.W.A.T.
IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods
More informationCS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access
More informationChapter 1: Introduction
Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure
More informationIntrusion Detection Systems
Intrusion Detection Systems Advanced Computer Networks 2007 Reinhard Wallner reinhard.wallner@student.tugraz.at Outline Introduction Types of IDS How works an IDS Attacks to IDS Intrusion Prevention Systems
More informationIntegrated On-Line Risk Prediction: Think Globally and Act Locally. Dr. Chiara Foglietta, chiara.foglietta@uniroma3.it
Integrated On-Line Risk Prediction: Think Globally and Act Locally Dr. Chiara Foglietta, chiara.foglietta@uniroma3.it Final Workshop Rome, December 16th, 2014 Motivation and Background Power Grid Operating
More informationNew Era in Cyber Security. Technology Development
New Era in Cyber New Era in Cyber Security Security Technology Technology Development Development Combining the Power of the Oil and Gas Industry, DHS, and the Vendor Community to Combat Cyber Security
More informationIntegration Misuse and Anomaly Detection Techniques on Distributed Sensors
Integration Misuse and Anomaly Detection Techniques on Distributed Sensors Shih-Yi Tu Chung-Huang Yang Kouichi Sakurai Graduate Institute of Information and Computer Education, National Kaohsiung Normal
More informationCTS2134 Introduction to Networking. Module 8.4 8.7 Network Security
CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by
More informationDeveloping the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009
Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in
More informationHardware/Software Deployment Strategies. Introduction to Information System Components. Chapter 1 Part 4 of 4 CA M S Mehta, FCA
Hardware/Software Deployment Strategies Introduction to Information System Components Chapter 1 Part 4 of 4 CA M S Mehta, FCA 1 Hardware/Software Deployment Strategies Learning Objectives Task Statements
More informationFinal exam review, Fall 2005 FSU (CIS-5357) Network Security
Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection
More informationIS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS
More informationTraffic Analyzer Based on Data Flow Patterns
AUTOMATYKA 2011 Tom 15 Zeszyt 3 Artur Sierszeñ*, ukasz Sturgulewski* Traffic Analyzer Based on Data Flow Patterns 1. Introduction Nowadays, there are many systems of Network Intrusion Detection System
More informationEnterprise Service Bus Defined. Wikipedia says (07/19/06)
Enterprise Service Bus Defined CIS Department Professor Duane Truex III Wikipedia says (07/19/06) In computing, an enterprise service bus refers to a software architecture construct, implemented by technologies
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationIntrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of
Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code
More informationIntrusion Detection Systems with Correlation Capabilities
Intrusion Detection Systems with Correlation Capabilities Daniel Johansson danjo133@student.liu.se Pär Andersson paran213@student.liu.se Abstract Alert correlation in network intrusion detection systems
More informationUnified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice
Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government
More informationCyber Security for SCADA/ICS Networks
Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com Increasing Cyber Attacks on SCADA / ICS Systems 2 What is SCADA Supervisory Control And
More informationAnalyzing HTTP/HTTPS Traffic Logs
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
More informationMitra Innovation Leverages WSO2's Open Source Middleware to Build BIM Exchange Platform
Mitra Innovation Leverages WSO2's Open Source Middleware to Build BIM Exchange Platform May 2015 Contents 1. Introduction... 3 2. What is BIM... 3 2.1. History of BIM... 3 2.2. Why Implement BIM... 4 2.3.
More informationE-Commerce Security Perimeter (ESP) Identification and Access Control Process
Electronic Security Perimeter (ESP) Identification and Access Control Process 1. Introduction. A. This document outlines a multi-step process for identifying and protecting ESPs pursuant to the North American
More information8/27/2015. Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354. Don t Wait Another Day
Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354 2015 FRWA Annual Conference Don t Wait Another Day 1 SCADA Subsystems Management Physical Connectivity Configuration Mgmt.
More informationCybersecurity considerations for electrical distribution systems
White Paper WP152002EN Supersedes January 2014 electrical distribution systems Authors Max Wandera, Brent Jonasson, Jacques Benoit, James Formea, Tim Thompson, Zwicks Tang, Dennis Grinberg, Andrew Sowada,
More informationGoodData Corporation Security White Paper
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
More informationEvaluation of different Open Source Identity management Systems
Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems
More informationOpen Enterprise Architectures for a Substation Password Management System
CIGRÉ Canada 21, rue d Artois, F-75008 PARIS (154) Conference on Power Systems http : //www.cigre.org Toronto, October 4-6, 2009 Open Enterprise Architectures for a Substation Password Management System
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
More informationForeScout CounterACT. Device Host and Detection Methods. Technology Brief
ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...
More informationCloak and Secure Your Critical Infrastructure, ICS and SCADA Systems
Cloak and Secure Your Critical Infrastructure, ICS and SCADA Systems Building Security into Your Industrial Internet Phillip Allison Tempered Networks Discussion topics Threats to network security TCP/IP
More information