Proceedings of the 13th European Conference on Cyber Warfare and Security (ECCWS 2014)
The University of Piraeus, Piraeus, Greece, 3-4 July 2014
Edited by Andrew Liaropoulos and George Tsihrintzis
A conference managed by ACPI, UK

Copyright The Authors, 2014. All Rights Reserved. No reproduction, copy or transmission may be made without written permission from the individual authors.
Papers have been double-blind peer reviewed before final submission to the conference. Initially, paper abstracts were read and selected by the conference panel for submission as possible papers for the conference.
Many thanks to the reviewers who helped ensure the quality of the full papers.
These Conference Proceedings have been submitted to Thomson ISI for indexing.
Further copies of this book and previous years' proceedings can be purchased from http://academicbookshop.com
E-Book ISBN: 97819
E-Book ISSN: 2048-8610
Book version ISBN: 97819
Book version ISSN: 2048-8602
CD version ISBN: 97819
CD version ISSN: 2048-8629
Published by Academic Conferences and Publishing International Limited, Reading, UK, +44 118 972 4148, www.academicpublishing.org
Improving Cyber Security Awareness on Industrial Control Systems: The CockpitCI Approach

Tiago Cruz 1, Jorge Proença 1, Paulo Simões 1, Matthieu Aubigny 2, Moussa Ouedraogo 3, Antonio Graziano 4 and Lasith Yasakethu 5
1 University of Coimbra, Portugal
2 itrust consulting, Luxembourg
3 Centre de Recherche Publique Henry Tudor, Luxembourg
4 Selex ES, Italy
5 University of Surrey, UK
tjcruz@dei.uc.pt, jdgomes@dei.uc.pt, psimoes@dei.uc.pt, aubigny@itrust.lu, moussa.ouedraogo@tudor.lu, antonio.graziano@selexes.com, s.l.yasakethu@surrey.ac.uk

Abstract: Originally isolated by design, Critical Infrastructures (CI) based on Industrial Control Systems (ICS) such as SCADA (Supervisory Control and Data Acquisition) systems were born within the scope of industrial process control technologies. Having evolved from proprietary systems, ICS eventually started adopting open architectures and standards, becoming increasingly interconnected with existing corporate networking infrastructures and even the Internet. However, as these systems overcame their isolation and moved towards interconnected topologies, they also became more exposed to threats that were not even remotely conceivable when they were first designed. In particular, cyber threats are one of the most significant problems that modern ICS face, as the shortcomings and vulnerabilities of decade-old ICS technology (some of them known for a long time, but mostly downplayed due to the isolation of such systems) become serious threats that can ultimately compromise human lives. As the security needs of the ICT and ICS domains cannot be addressed in the same way, this calls for a domain-specific approach to cyber threat detection, designed from scratch to address its particular needs. It must consider the particular characteristics of each networking context, be it ICS or ICT, in order to provide real-time cyber security awareness for the security teams operating in the control room. This is one of the most important contributions of the CockpitCI FP7 project (http://cockpitci.eu), which aims at improving the resilience and dependability of CIs. In this paper we present the CockpitCI cyber detection and analysis layer, including a detailed description of its most relevant components in terms of role, integration and remote management. This paper will also show how the proposed solution might be effective in dealing with such cyber threats, by presenting relevant examples.

Keywords: critical infrastructure protection, industrial control systems, SCADA systems, IDS

1. Introduction

SCADA (Supervisory Control and Data Acquisition) is the designation commonly used to refer to a set of technologies, protocols and platforms used in Industrial Control Systems (ICS). Such systems are used in several scenarios, such as production line automation, the control of nuclear or thermoelectric plants, distribution grids and many other applications.

As their scope was originally restricted to isolated environments, SCADA systems were relatively safe from external intrusion. However, as architectures evolved, SCADA systems started to assimilate technologies from the Information and Communication Technologies (ICT) world, such as TCP/IP and Ethernet networking. This trend, together with the increasing adoption of open, documented protocols, exposed serious weaknesses in SCADA architectures. Moreover, the interconnection of the ICS network with organizational ICT network infrastructures, and even with the exterior (for instance, for connection with internal company systems or for remote management), brought a new wave of security problems and attacks, to such an extent that the number of externally initiated attacks on ICS has increased significantly, especially when compared with internal attacks (Kang 2011).

This situation, together with inadequate system lifecycle management procedures that disregard regular updates or patching (Krutz 2006), increases the probability of a successful attack. While such procedures are trivial matters which are part of the regular maintenance routine in the ICT world, they must be dealt with in an entirely different way when it comes to ICS, mainly for two reasons: the fact that some components have to work on a continuous basis without interruptions, up to the point of working for years without being reinitialized (ESCoRTS 2010) (Zhu 2011); and the fact that any software release must be carefully tested by equipment manufacturers before being released, or even the end of life of support for specific devices or software frameworks.

Therefore, ICS constitute a critical and strategic asset that is being increasingly targeted by malicious attacks, with potentially catastrophic consequences. In this context, CockpitCI (CockpitCI) is focused on improving the resilience and dependability of CIs.

The idea behind the CockpitCI project is to allow the community of CI (Critical Infrastructure) owners to exchange real-time information about attacks (and tentative attacks). In this scope, each CI incorporates its own real-time distributed monitoring system and Perimeter Intrusion Detection System (PIDS). These systems are able to aggregate the filtered and analyzed information on potential cyber attacks against the systems used to support the operation of CIs, and to identify the potentially unsecured areas of the CIs.

This PIDS, which is the focus of this paper, performs many of the tasks traditionally associated with a Distributed Intrusion Detection System, with support for diversified and closely integrated detection and analysis techniques and tools. Each PIDS is to be deployed in the targeted area of a CI, in order to detect coordinated cyber attacks and to deploy prevention strategies of isolation.

Through coordinated PIDS operations, it is possible to put in place a specific perimeter to detect potential coordinated cyber attacks on CIs, for each type of detected attack or for mixed cyber attacks. The CockpitCI PIDS is based on a state-of-the-art distributed intrusion detection architecture encompassing a set of detection agents that feed real-time and soft real-time automated correlation and anomaly detection mechanisms, orchestrated together by a management platform.

In this paper the main aspects of the proposed PIDS architecture are presented. Section 2 discusses the problem of security in ICS/SCADA. Section 3 introduces the CockpitCI architecture. Section 4 presents the proposed PIDS, with Sections 5 and 6 discussing analysis components and detection capabilities, respectively. Section 7 details the integration of eventing and management interfaces. Finally, Section 8 presents conclusions and gives some insights into what future directions the project might take.

2. A brief overview of ICS/SCADA security issues

The development of the CockpitCI PIDS architecture was preceded by a requirements analysis phase, with the purpose of understanding the specific characteristics and differences between ICS and conventional ICT infrastructures, from a security standpoint. This study revealed several significant differences between the ICT and ICS domains that are deeply rooted in their own particular characteristics, down to the fundamental priorities that define which are the most important operational and functional properties of the system.
When it comes to their fundamental governing principles, ICS and ICT infrastructures have an inverted set of priorities, a situation that is one of the main causes of SCADA infrastructure security problems. This is partly due to the fact that, as the ICS paradigm evolved, it was not accompanied by an equal progression in terms of an industry mindset that has remained unchanged almost since the inception of such technologies. As a result, and due to its critical nature, ICS operation and design practices frequently privilege availability and reliability over confidentiality and data integrity, a perspective that is quite the opposite of the ICT philosophy, which privileges confidentiality and security, followed by communications integrity and, finally, by availability (ISA 99.00.01). This contrast explains why it is frequent to find a lack of mutual understanding between the control systems teams and the IT security staff within the same organization.

The differences between the ICT and ICS contexts also mean that there is no "one size fits all" solution when it comes to choosing and implementing security mechanisms. Despite this, importing solutions from the ICT world is often a necessity, which might lead to undesirable side effects. The fundamental premises of ICT security tools and commonplace lifecycle management procedures, such as patching and updating a system, can become troublesome in an ICS when faced with situations such as the impediment or high cost of stopping production, or even the explicit prohibition by the system's manufacturer. As an example, a SCADA system customer may be unable to install an update on an operating system unless the manufacturer certifies its software for that update.

Product lifecycle is another matter that separates ICT from ICS systems, with the former having substantially shorter lifecycles when compared with the latter. In ICS it is frequent for mature systems to be kept in operation, sometimes far beyond their projected lifetime (the "if it ain't broke, don't fix it" philosophy). This limits the possibility of implementing some security mechanisms, due to the limited capabilities of existing equipment (Igure 2006).

Moreover, SCADA communication protocols, which are responsible for the interaction between field devices, such as PLC (Programmable Logic Controller) or RTU (Remote Terminal Unit) components, and the stations that control and monitor them, pose security concerns. One such example is the Modbus protocol (Modbus 2006), originally developed by Modicon (currently part of the Schneider Electric Group) in 1979. Modbus is one of the most popular protocols for SCADA applications, thanks to its simplicity and ease of use. However, Modbus suffers from security problems: the lack of encryption, authentication or any other protection measures exposes it to different vulnerabilities (Triangle 2002). If we take into consideration that it is not uncommon to find situations where the ICT and ICS networking contexts are blended within the corporate network, it becomes clear to what extent some ICS are vulnerable. Despite this, protocols such as Modbus have a long lifespan and are still being massively deployed and used.

Simply put, when it comes to ICS, technology and platform maturity are valued as an implicit recognition of value and reliability, and even the disclosure of security issues related to them seems to have no effect in discouraging their usage or prompting the adoption of countermeasures to protect them. This has become the root cause of many ICS security issues that have been exploited with a variable degree of success in recent times, such as the Stuxnet trojan (O'Murchu 2011).
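The Modbus weakness described above (no authentication, so any host that can reach a PLC can write to it) is exactly what a topology-aware probe in the field network can exploit for detection. The following is an added example, not code from the paper or the CockpitCI project: it parses Modbus/TCP requests from captured TCP payloads and checks each one against a hypothetical site policy (which hosts may address which unit IDs, and which may write). The policy table, host addresses and sample frames are constructed for the example.

```python
"""Modbus/TCP policy checking for a network probe.  Added example, not code from
the paper or the CockpitCI project.  Modbus carries no authentication, so a PLC
executes any well-formed write it receives; a probe that knows the expected
topology can still flag requests the plant design never intended.  The policy
table, host addresses and sample frames are constructed for this example."""
import struct
from dataclasses import dataclass

# Public Modbus function codes that change process state vs. read-only ones.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Hypothetical site policy: which hosts may address which unit IDs, and whether
# they are allowed to write at all.  The master writes; the historian only reads.
POLICY = {
    "10.0.1.10": {"units": {1, 2}, "write": True},   # SCADA master
    "10.0.1.11": {"units": {1, 2}, "write": False},  # historian
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a 7-byte MBAP header followed by the PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # The length field counts the unit id plus the PDU, so the frame is 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def build_frame(tid: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def check_request(src_ip: str, frame: bytes) -> list:
    """Return alert strings for one request; an empty list means policy-compliant."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"malformed Modbus/TCP frame from {src_ip}: {exc}"]
    alerts = []
    rule = POLICY.get(src_ip)
    if rule is None:
        alerts.append(f"unknown host {src_ip} speaking Modbus to unit {req.unit_id}")
    elif req.unit_id not in rule["units"]:
        alerts.append(f"{src_ip} addressed unit {req.unit_id} outside its allowed set")
    if req.function in WRITE_FUNCTIONS and not (rule and rule["write"]):
        alerts.append(f"{src_ip} sent {WRITE_FUNCTIONS[req.function]} "
                      f"(fc {req.function}) without write authority")
    elif req.function not in WRITE_FUNCTIONS and req.function not in READ_FUNCTIONS:
        alerts.append(f"{src_ip} used unexpected function code {req.function}")
    return alerts


# Constructed sample traffic as (source address, frame) pairs.
SAMPLE_TRAFFIC = [
    ("10.0.1.10", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),   # master reads 10 registers
    ("10.0.1.11", build_frame(2, 1, 6, b"\x00\x10\x00\x01")),   # historian tries a write
    ("10.0.9.99", build_frame(3, 1, 5, b"\x00\x01\xff\x00")),   # unknown host forces a coil ON
    ("10.0.1.10", build_frame(4, 7, 3, b"\x00\x00\x00\x01")),   # master polls an unknown unit
    ("10.0.1.10", b"\x00\x05\x00\x00"),                          # truncated frame
]


def scan(traffic=SAMPLE_TRAFFIC) -> list:
    """Run the policy check over a list of (src, frame) pairs."""
    return [check_request(src, frame) for src, frame in traffic]
```

The check is deliberately whitelist-based: in a control network the set of legitimate masters and the function codes they use are known in advance, so anything outside the table is worth an alert even if the frame is perfectly valid. Note that nothing here can stop the write; it only makes it visible, which is all a passive probe in the detection layer can do.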
3. The CockpitCI project

To improve the resilience and dependability of Critical Infrastructures (CIs), the CockpitCI project proposes an architecture that is divided into several modules/components, whose interaction is illustrated in Figure 1 (CockpitCI 2013). Not only does this architecture aim to detect cyber threats using novel strategies for intrusion detection, along with devices specially conceived to monitor CI ICS/SCADA systems, but it also accounts for communication between multiple interdependent CIs, using a Secure Mediation Network (SMN) to share operational and security information.

Among the multiple components that make up the CockpitCI architecture, the Dynamic PIDS provides the core cyber analysis and detection capabilities, being responsible for continuously assessing and protecting the electronic security perimeter of each CI. The automatic analysis and detection mechanisms of each PIDS are fed by several field adaptors and detection agents deployed within each CI, which constitute its "eyes", providing the basic information from which the ongoing security status of the CI is inferred. Also, the PIDS encompasses semi-autonomous reaction capabilities, being able to deploy and activate countermeasures, in line with predefined security reaction policies.

For each CI, an Online Integrated Risk Predictor (IRP) module works as a decision support system for management teams, feeding operational indicators (such as process-level data, gathered using the SCADA TLC and ELE adaptors shown in Figure 1) and cyber security information (generated by the PIDS) into a set of modelling tools, to assess and predict propagation and threat levels for potential cyber attacks on the CI. In this scope, SCADA adaptors translate SCADA data from various components into a common data format, enabling the use of devices from different vendors and legacy SCADA HW/SW (Hardware/Software) while sharing data with the detection layer and the IRP.

The Secure Mediation Network (SMN) provides the means for exchanging security information between CIs, also enabling the use of risk prediction and other analysis mechanisms to assess threats on a global scale, accounting for CI interdependencies (as exemplified by Figure 1, which represents two kinds of CIs that are frequently dependent on each other: telecommunications and electric power distribution).
Figure 1: The CockpitCI general architecture (CockpitCI 2013)

Among these components, the CockpitCI PIDS cyber analysis and detection architecture constitutes the main subject of this paper. The next sections will focus on the presentation and analysis of the basic components of the PIDS, explaining how they work together to continuously monitor and analyze the ICS/SCADA system components of a given ICS in order to perform threat detection. Also, the event correlation and anomaly detection mechanisms that constitute the cyber security analysis capabilities of the PIDS will be addressed, together with the description of the agents and probes that feed them with information about the ICS/SCADA system's state and its data flows.

4. The CockpitCI cyber detection and analysis layer within the PIDS

The CockpitCI PIDS incorporates several advanced real-time detection and analysis mechanisms, integrated to constitute a cyber analysis and detection layer for the CI, as shown in Figure 2. It is structured along the three different zones of the CI, each one with its own internal security perimeter: the Field Network, the SCADA Process/Operations Network and the IT (Information Technology) Network. This distinction confers on the PIDS the ability to deploy agents and security policies customized to the specific needs and characteristics of each network scope.

This architecture was designed to deal with several attack scenarios, from known threats to rogue events, such as: man-in-the-middle attacks, device impersonation, non-authorized tampering, worms, trojans, denial-of-service attacks or flooding, among others. For this purpose, the PIDS is designed in such a way that it integrates different detection strategies, distributed along different levels, namely:

- Detection agents and field adaptors, including agents, adaptors and extensions for existing system components, as well as specialized network probes and honeypots (Spitzner 2002) to be added to the network, which are able to capture behaviour or traffic patterns (as performed by NIDS, Network IDS, components) as well as to perform host monitoring (using tools such as HIDS/Host IDS, or antivirus software) and field device monitoring.
- A distributed multi-zone, multi-level correlation structure that processes the information provided by the security sensors, complemented by machine-learning capabilities in the form of a One-Class Support Vector Machine (OCSVM) (Ma 2003) anomaly detection module, based on adaptive machine learning.
- Aggressive usage of topology- and system-specific detection mechanisms: based on the fact that the role and behaviour of each system component in an ICS are expected to be more consistent over time than in other types of networks, analysis components are fed with knowledge provided by a number of system-specific sources, such as topology databases, policy databases and trust-based mechanisms, as well as strategically placed honeypots.

The operation of the PIDS components is orchestrated through a Security Management Platform (SMP), which is responsible for managing all the involved components of the solution (see Figure 2). It includes the mechanisms for managing the security and components of the infrastructure. The SMP is responsible for the maintenance and management of monitoring probes such as IDS and the analysis components, also including monitoring of in-place security and vulnerabilities within the network as well as the maintenance of the latter. Therefore, the SMP has a dual role, dealing with both security audit and maintenance mechanisms.

Figure 2: The CockpitCI cyber detection and analysis layer (red flows = management, green = eventing). [Figure not reproduced; components shown: Security Management Platform and Main Correlator; per zone (IT Network, Operations Network, Field Network 1 to Field Network N) a NIDS, HIDS, Local Correlator and OCSVM module, with Modbus Honeypots in two of the zones.]

The SMP performs the configuration of the detection agents in the field, allowing the setup of their detection thresholds and other relevant parameters. This detection threshold depends both on the risk level of the overall infrastructure (the level of detection shall be higher if the probability of an attack is higher) and on the specific detection needs (e.g. in case of abnormal event detection on a specific system, the SMP shall be able to verify all similar components in the CI to check their security level).

Due to the demanding availability requisites and little tolerance to delays, the detection architecture is to be implemented using a network that is separate from the SCADA system network (it may even use the same physical network, using VLAN (Virtual Local Area Network) or other types of overlay techniques for traffic separation), in order to guarantee that it does not interfere with the normal operation of the control network.

5. Analysis layer

The analysis components of the PIDS provide a way to extract information from the data collected by the agent layer or directly from network traces. These components are arranged in a two-level architecture with local instances fine-tuned for each network scope.
5.1 Local and global correlators

Local correlators perform the first step of correlation, filtering and reducing the number and noise of the alarms generated by the detection layer, while providing a mechanism for security event generation that is able to filter, process and relate events within a network segment (e.g. alarms generated by two or more detection agents, multiple events from the same source).

Local correlators receive the events from the local detection agents (e.g. HIDS) in their network scope and process them according to a set of rules, forwarding significant results to a global correlation engine. This approach provides context separation, at the same time allowing for better efficiency and scalability for real-time event processing. After local correlation, events are sent to the global correlators and from the latter to the SMN, using the Intrusion Detection Message Exchange Format (IDMEF) (Debar 2007). IDMEF defines an experimental standard for exchanging intrusion detection related events. As a standard, it can be used as a vendor- or product-independent enabler of intercommunication between different agents such as NIDS or honeypots.

As illustrated by Figure 2, local correlators receive events from the different agents, such as NIDS, HIDS and honeypots, among others. These agents differ according to the network zone in which the local correlator is located. Despite the range of different agents, the local correlator should use the same interface for all of them, as messages are received through an Event Bus (discussed in Section 7). This interface will allow subscribing to the events published by the agents. Local correlators also have an agent adaptor interface that allows for management via the SMP.

Regarding the event interfaces of the main correlator, there are different types: one to receive events from the local correlators and another one to send events to the SMP, both using an event bus. As local correlators have already processed the received events, the main correlator can focus on multi-step and attack-focus recognition correlation, as well as alert prioritization. A management adaptor provides the interface for the SMP to configure the correlator (see Figure 3).

The correlators are implemented using the Esper (Esper) Complex Event Processing (CEP) tool. This was due to the fact that Esper is a multi-platform, flexible and mature tool, in development since 2006. Also, performance tests have shown Esper to exhibit a good balance between memory usage, CPU usage and execution time when processing hundreds of thousands of events.

Figure 3: Overview of the correlator architecture

Esper can natively accept events represented in XML, among other formats, which is useful as IDMEF, used by the PIDS, is an XML-based format. If an XML schema document (XSD file) is provided, Esper can read the schema, properly present event type metadata and validate statements that use the event type and its properties. To access the elements of the event, the correlator uses XPath expressions. If a schema for the XML is provided, the XPath expression needed to reference an attribute can be inferred automatically. Otherwise, expressions can be manually configured.

An overview of the architecture of a PIDS correlator, based on Esper, is pictured in Figure 3. The events received from the input adaptor are sent to the Esper runtime (EPRuntime); this provides the interface to the event stream processing runtime services. The statements are registered in the EPRuntime and represent the event stream queries and/or event patterns. Each statement can have one or more statement listeners bound to it. When the condition of a query is verified, Esper can trigger the listener(s) bound to the rule, insert the result of the statement into another stream (one that already exists or is created at that time), or do both. If a rule generates a new event that needs to be sent by the correlator to the Event Bus, the listener will interface with the output adaptor to send it. Output events are generated by rules making use of input events, cached events, the internal state and information from external sources.

Esper statements are added to the EPRuntime through the Esper Administrator (EPAdministrator) module. This is an administrative interface to the event stream processing engine. For security auditing purposes the correlator will log all events and traces of the actions performed to persistent storage. The events will be logged as they are received in the correlator, and the EPRuntime shall also log the actions executed by the correlator. Correlation can make use of information taken from external sources. These sources can provide additional information related, among others, to the definition of the network topology and other detailed system information. These external sources (knowledge/topology databases) can be queried directly from an EPL statement. New rules can be added to the correlation engine dynamically, without restarting the engine.

Using the same correlator tool for the two levels of correlation provides uniformity, since the same language is used to express the correlation operations, and allows easier integration with the Event Bus, as the same interfaces can be used for the two levels. Using the same rule description language for both correlators simplifies the task of rule management by operators and security experts. Additionally, some correlation rules can be used in both correlators without the need to be converted.

5.2 One-Class Support Vector Machines (OCSVM)

OCSVM (One-Class Support Vector Machine) is a natural extension of the support vector algorithm to the case of unlabelled data, especially for the detection of outliers. However, unlike SVM or any other classification algorithm, OCSVM does not need any labelled data for training, or any information about the kind of anomaly expected, for the detection process. OCSVM principles have shown great potential in the area of anomaly detection (Ma 2003, Li 2003, Schölkopf 2001). Moreover, OCSVM is capable of handling multi-attribute data (Hsu 2003, Wang 2004), which is well suited to SCADA systems.

The advantages of the OCSVM component are manifold: since OCSVM does not require any signatures of data to build the detection model, it is well suited for anomaly-based intrusion detection in a SCADA environment; since the detection mechanism does not require any prior information on the expected attack types, OCSVM is capable of detecting both known and unknown (novel) attacks, besides being robust to noise in training sets. Also, the algorithm behaviour can be controlled and fine-tuned by the user to regulate the percentage of anomalies expected (thresholds, as defined via the SMP through the OCSVM management adaptor).
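The two-level correlation of Section 5.1 (local correlators that filter and merge alarms within a zone, a main correlator that does multi-step recognition and prioritization, IDMEF on the wire between them) can be illustrated without Esper. The following is an added example, not the CockpitCI correlator: a small Python pipeline with one local correlator per zone, a main correlator with one multi-step rule (a honeypot probe followed by an unauthorized Modbus write from the same address in the field network), and IDMEF serialisation using the RFC 4765 element names. The event field names, classification strings, window sizes and sample events are constructed for the example.

```python
"""Two-level correlation with IDMEF output.  Added example, not the CockpitCI
correlator itself (which is built on Esper): it shows the division of labour
the text describes.  Event field names, rule thresholds, the classification
strings and the sample events below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

LOCAL_WINDOW = 60       # s: repeated alarms per (source, class) merged inside a zone
MULTISTEP_WINDOW = 300  # s: honeypot probe followed by a field-network write
IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)


class LocalCorrelator:
    """First step, one per zone: merge duplicate alarms, count distinct agents."""

    def __init__(self, zone):
        self.zone, self.open, self.closed = zone, {}, []

    def feed(self, ev):
        key = (ev["src"], ev["classification"])
        agg = self.open.get(key)
        if agg is None or ev["ts"] - agg["first_ts"] > LOCAL_WINDOW:
            if agg is not None:
                self.closed.append(agg)        # window expired: keep the old one
            agg = {"zone": self.zone, "src": ev["src"], "classification": key[1],
                   "first_ts": ev["ts"], "last_ts": ev["ts"], "count": 0, "agents": set()}
            self.open[key] = agg
        agg["count"] += 1
        agg["last_ts"] = ev["ts"]
        agg["agents"].add(ev["agent"])

    def flush(self):
        out, self.closed, self.open = self.closed + list(self.open.values()), [], {}
        return out


class MainCorrelator:
    """Second step: multi-step recognition across zones and alert prioritisation."""

    def __init__(self):
        self.probes = defaultdict(list)   # src -> timestamps of honeypot probes

    def feed(self, agg):
        src, cls = agg["src"], agg["classification"]
        if cls == "honeypot-probe":
            self.probes[src].append(agg["last_ts"])
            severity, text = "low", f"reconnaissance against {agg['zone']} honeypot"
        elif cls == "modbus-unauthorized-write" and any(
                0 <= agg["first_ts"] - t <= MULTISTEP_WINDOW for t in self.probes[src]):
            severity = "high"
            text = "multi-step attack: honeypot probe followed by unauthorized Modbus write"
        else:
            severity = "medium" if len(agg["agents"]) > 1 else "low"
            text = f"{cls} in {agg['zone']} reported by {len(agg['agents'])} agent(s)"
        return {"src": src, "zone": agg["zone"], "ts": agg["last_ts"],
                "severity": severity, "text": text}


def to_idmef(alert, analyzer="pids-main-correlator"):
    """Serialise one alert as an IDMEF-Message (RFC 4765 element names)."""
    def q(tag):
        return f"{{{IDMEF_NS}}}{tag}"
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    a = ET.SubElement(msg, q("Alert"), messageid=f"{analyzer}-{alert['ts']}")
    ET.SubElement(a, q("Analyzer"), analyzerid=analyzer)
    ct = ET.SubElement(a, q("CreateTime"), ntpstamp=f"0x{alert['ts'] + 2208988800:08x}.0x00000000")
    ct.text = datetime.fromtimestamp(alert["ts"], timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    node = ET.SubElement(ET.SubElement(a, q("Source")), q("Node"))
    ET.SubElement(ET.SubElement(node, q("Address"), category="ipv4-addr"), q("address")).text = alert["src"]
    ET.SubElement(a, q("Classification"), text=alert["text"])
    ET.SubElement(ET.SubElement(a, q("Assessment")), q("Impact"), severity=alert["severity"])
    return ET.tostring(msg, encoding="unicode")


def run_pipeline(events):
    """Feed raw agent events through zone correlators, then the main correlator."""
    zones = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        zones.setdefault(ev["zone"], LocalCorrelator(ev["zone"])).feed(ev)
    aggregated = sorted((a for lc in zones.values() for a in lc.flush()),
                        key=lambda a: a["first_ts"])
    main = MainCorrelator()
    return [main.feed(a) for a in aggregated]


# Constructed sample: a scan of the operations-network honeypot, seen by the
# honeypot and the zone NIDS, followed two minutes later by unauthorized writes
# in the field network from the same address; unrelated failed logins in IT.
SAMPLE_EVENTS = [
    {"zone": "operations", "agent": "modbus-honeypot", "src": "192.0.2.50", "classification": "honeypot-probe", "ts": 1000},
    {"zone": "operations", "agent": "nids", "src": "192.0.2.50", "classification": "honeypot-probe", "ts": 1003},
    {"zone": "field", "agent": "nids", "src": "192.0.2.50", "classification": "modbus-unauthorized-write", "ts": 1120},
    {"zone": "field", "agent": "nids", "src": "192.0.2.50", "classification": "modbus-unauthorized-write", "ts": 1121},
    {"zone": "it", "agent": "hids", "src": "10.0.1.11", "classification": "failed-login", "ts": 1005},
    {"zone": "it", "agent": "hids", "src": "10.0.1.11", "classification": "failed-login", "ts": 1300},
]

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_EVENTS):
        print(to_idmef(alert))
```

On the sample, the four raw operations/field events collapse into two aggregated events, the two IT logins stay separate because they fall outside the local window, and only the field-network write is raised to high severity, because the main correlator is the only component that sees both zones. The same separation is what lets the local rules stay cheap and zone-specific while the cross-zone rule lives in one place.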
OCSVM operation consists of two steps, namely training and testing. During the training stage OCSVM builds a model from training on normal data (i.e., data obtained from a system operating under normal conditions, without any attack in progress) and then, in the testing stage, classifies new data as either normal or attack based on its geometrical deviation from the training data. Since the OCSVM detection approach is robust to noise samples, the training data set can include some noise samples (i.e. data which does not correspond to the normal behaviour). An OCSVM component is deployed in the IT, Operations and Field network zone(s), therefore requiring different training sets.

Once the training phase is complete, the OCSVM module is capable of detecting possible intrusions (abnormal behaviour) in the SCADA system, based on real-time capture of network traffic traces. The detection module will classify each event as either a normal event or a possible intrusion. This information will then be encoded in an IDMEF message and sent to the main correlator, using an adaptor for the event bus, in order to react accordingly to the detected intrusions.

6. Detection agents

The detection agents are the lowest level of the detection layer. Their purpose is to gather information from the system. As the format of the information provided depends on the type of detection agent used (type of probe), adaptors allow the acquisition of data from the system in a recognised format. Detection agents and adaptors are essential to feed the local correlators of the detection layer with input data regarding suspicious activity. The PIDS encompasses several kinds of probes and detection agents, among which the most relevant are described next.

6.1 Threat detection agents

Network IDS: the perimeter of each network scope is monitored using one NIDS component per scope: IT Network NIDS, Operations Network NIDS and Field Network NIDS. These have interfaces to report security events to the zone correlator within their network scope. In the PIDS, Snort (Snort) is used for this purpose, albeit other NIDS could be used.

Host IDS: the Host IDS is deployed on the hosts/servers of the system. It is capable of reporting anomalous behaviour on the machine where it is deployed. In the CockpitCI PIDS, OSSEC (OSSEC) is used for this purpose, but other HIDS could be used.

Honeypots: acting as decoys and being capable of detecting attackers probing the network, honeypots provide another source of data for correlation. There are three types of honeypots in the detection layer: IT Network, Operations Network and Field Network honeypots (Simoes 2013).

Exec Checker (Linux hosts): capable of detecting malicious network frames by sniffing the traffic, the Exec Checker (in active or passive mode) captures the different parts of an executable in the network traffic to recreate the file and send it to an analysis tool.

6.2 Vulnerability detection agents

Output Traffic Controls (Linux hosts): capable of detecting Remote Access Trojans, this specific tool regularly scans system components to check whether a remote access toolbox has been installed on them to facilitate external attacks.

Vulnerability Checker (Windows hosts): this tool provides a regular control of system vulnerability, checking whether the monitored systems are vulnerable or not according to an updated database. This tool can be customized for IT or SCADA host profiles.

Configuration Checker (Linux/Windows hosts): this tool provides a regular control of system configurations, checking for unauthorized modification.

6.3 Security event detection agents

Behaviour Checker (Linux/Windows hosts): capable of detecting attacks/threats by analyzing low-level hardware/software behaviour, this specific family of detection agents retrieves hardware/software information such as temperature and CPU (Central Processing Unit) activity in order to avoid accidental or malicious outage.

Security events generated by detection agents are encoded using the IDMEF format. All detection agents have a separate channel (another interface or secure channel) for management purposes, enabling the security staff to adjust the configurations to the scenario requirements, via the SMP. The detection agents send their messages by means of an event bus, described in Section 7, which also details the management interfaces for the agent adaptors. These interfaces (eventing and management) were designed to ease the integration of several types of detection capabilities (such as antivirus, for instance), providing wrapper components for event generation and the management API.

7. Interfaces and integration

This chapter describes the transport mechanisms and interfaces for event data flowing between the several existing components of the PIDS, also addressing their management interfaces.

7.1 The event bus

The Event Bus is the component responsible for managing the communication of events between the different elements of the PIDS; its architecture is detailed in Figure 4. Events generated by the different agents within each zone are sent to an event bus broker. The broker is then responsible for routing these events to a queue from which the local correlator can consume them. After processing and correlating the events, each local correlator sends its events to another broker that feeds the main correlator. The events produced by the main correlator are sent to the main broker, which routes them to a queue from which they can be sent to the SMP.
TiagoCruzetal. IT Network Operations Network Field Network NIDS HIDS Honeypot NIDS HIDS Honeypot NIDS HIDS Honeypot Event Broker Event Broker Event Broker OCSVM Local Correlator OCSVM Local Correlator OCSVM Local Correlator Event Broker Main Correlator Events Figure4:Eventbusarchitecture Security Management Platform The Event Bus uses a Message Oriented Middleware (MOM) (Banavar 1999) to provide efficient event communicationamongthe(sometimes,heterogeneous)componentsthatcomprisethepids.severalmom implementations depend on a Message Queue (MQ) system to allow asynchronous message delivery, by providingatemporarystorage,onmemoryordisk,forthemessages.messagingapplicationscommunicate witheachotherthroughamessagingsystem,actingeitherasamessageproducers(senders)orconsumers (receivers). Producers and consumers are loosely coupled, being connected through virtual channels called publishandsubscribe(onetomany)channelsorpointtopoint(onetoone)channels(chappell2004). Fortheintegrationofeventinginterfaces,theCockpitCIPIDSadoptedanEventBusbasedontheAdvanced Message Queuing Protocol(AMQP) (OASIS 2011), a wirelevel, open standard application layer protocol for MOM that defines a neutral (IDMEFcompatible) encoding scheme of byte sequences to pass over the network. An AMQP messaging system comprises three main components: publisher(s) (which assemble messagesandsendthemtoamessagequeue)consumer(s)(whichreceivemessagesfromamessagequeue) and broker(s)/server(s) (responsible for receiving messages from publishers and route them to the right consumers). TheAMQPbasedMOMbringsasetofimportantfeaturestothePIDSarchitecture,namely: Security: it supports authenticated and/or encrypted transport, using Transport Layer Security (TLS) or SimpleAuthenticationandSecurityLayer(SASL),toprotecteventsfromtamperingand/oreavesdropping. 
Messagereliability:itcanguaranteemessageorderingusingaqueuingbroker,ensuringthatmessages are delivered to the receiver in the same order in which the sender sent them, with support for disconnection(messagesmaybeheldinaqueuefordeferreddelivery). Resiliency:messagedeliverysemanticsprovidearangeofdeliveryoptions,withspecialemphasistothe exactlyonce and atleastonce modes. These delivery modes, guarantee the message to arrive to the intendeddestinationnomatterwhat.themessagingproviderwillretrythedeliveryofamessageupona deliveryfailure. Scalability and High Availability: it provides scalability for the communication system thanks to the publishersubscriber model. The agents can send events, publishing them to a queue/exchange in the broker, which is subscribed by a correlator to receive the messages. This allows adding additional consumerswithease,forfailoverortodistributethecorrelationloadacrossmorethanoneinstance.also, agroupofbrokerscanbeclusteredtogetherforhighavailabilityand/orscalability/loadbalancing. Moreover, the protocol is vendorneutral and platformagnostic. There are several open source implementationsformanydifferentprogramminglanguages. 67
7.2 Management interfaces

For each managed entity that does not expose a suitable native management interface, a component management adaptor/coupling architecture provides a uniform API and data model.

The Management Adaptor also embeds an API/Data Model module that is responsible for maintaining its data model (state and semantics) properties and for providing the web service API used to manipulate them. In accordance with the mapping rules from the Abstraction Class, attributes exposed by the API layer may carry several properties, defining and describing their access mode (read, write) or data types. The API makes use of REST (Representational State Transfer) (Fielding 2000) web services, with security provided by HTTPS combined with further authentication mechanisms such as client certificates or signed requests.

The data model structure for management adaptors is standardized and arranged as a tree, inspired by the hierarchical models usually found in management protocols such as SNMP (Case 2002). Asynchronous events are also supported through the inclusion of eventing properties, enabling a specific attribute to generate notifications when its state changes.

8. Conclusion

This paper presents the architecture of the PIDS within the CockpitCI architecture. This architecture was designed to address the special cyber-security needs of CIs, such as ICS/SCADA systems, being based on a distributed approach that brings the most effective detection mechanisms and tools together with correlation and anomaly detection analysis techniques, in order to create a solution that takes the state of the art in CI security as its baseline.

A strong point of this architecture lies in its capability to assimilate a diverse range of detection tools in a coherent framework with homogeneous coordination and orchestration.
Using distributed two-level correlation capabilities, the PIDS is able to obtain both a micro- and a macro-perspective on the ongoing status of the monitored CI, while being capable of dealing with unknown threats thanks to the incorporation of machine learning anomaly detection features. Future work will address improved integration with the SMN, while expanding the functionality and diversity of detection components.

Acknowledgements

The authors would like to thank the support of the CockpitCI (FP7-SEC-2011-1 Project 285647) and iCIS (Intelligent Computing in the Internet of Services, CENTRO-07-0224-FEDER-002003) projects.

References

Banavar, G., Chandra, T., Strom, R. and Sturman, D. (1999) A Case for Message Oriented Middleware, IBM T.J. Watson Research Center, Hawthorne, New York.
Case, J. et al. (2002) Introduction and Applicability Statements for Internet Standard Management Framework, IETF RFC 3410, December 2002.
Chappell, D. (2004) Enterprise Service Bus, O'Reilly Media.
CockpitCI, CockpitCI FP7-SEC-2011-1 Project 285647, available at: http://CockpitCI.eu.
CockpitCI (2013) CockpitCI FP7 Deliverable D3.1, Requirements and Reference Architecture of the Detection Layer.
Debar, H., Curry, D. and Feinstein, B. (2007) The Intrusion Detection Message Exchange Format (IDMEF), IETF RFC 4765, March 2007, http://www.ietf.org/rfc/rfc4765.txt.
ESCoRTS (2010) Taxonomy of Security Solutions for the SCADA Sector, Deliverable 2.2.
EsperTech, Esper Complex Event Processing, available at: http://www.espertech.com/products/esper.php.
Fielding, R.T. (2000) Architectural Styles and the Design of Network-Based Software Architectures, Ph.D. Dissertation, University of California, Irvine.
Hsu, C., Chang, C. and Lin, C. (2003) A Practical Guide to Support Vector Classification, Technical Report, Dept. of Computer Science and Information Engineering, National Taiwan University, Taipei.
Igure, V.M., Laughter, S.A. and Williams, R.D. (2006) Security Issues in SCADA Networks, Computers & Security, Vol. 25, Iss. 7, pp. 498-506.
ISA-99.00.01 (2007) Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models, American National Standard.
Kang, D. et al. (2011) Proposal Strategies of Key Management for Data Encryption in SCADA Network of Electric Power Systems, Int. Journal of Electrical Power & Energy Systems, Vol. 33, Iss. 9, November 2011.
Krutz, R.L. (2006) Securing SCADA Systems, Wiley Publishing, Inc., USA.
Li, K., Huang, H., Tian, S. and Xu, W. (2003) Improving One-Class SVM for Anomaly Detection, Proceedings of the Second Int. Conference on Machine Learning and Cybernetics, Xi'an.
Ma, J. and Perkins, S. (2003) Time-Series Novelty Detection Using One-Class Support Vector Machines, Proceedings of the International Joint Conference on Neural Networks, July 2003, pp. 1741-1745.
Modbus-IDA (2006) Modbus Application Protocol Specification V1.1b.
OASIS (2011) Advanced Message Queuing Protocol (AMQP), version 1.0, July 2011, available at: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=amqp.
O Murchu, L. and Falliere, N. (2011) W32.Stuxnet Dossier, Symantec White Paper, February 2011.
OSSEC, Open Source SECurity, Trend Micro, available at: http://www.ossec.net.
Schölkopf, B., Platt, J., Shawe-Taylor, J., Smola, A.J. and Williamson, R. (2001) Estimating the Support of a High-Dimensional Distribution, Neural Computation, Vol. 13, No. 7, pp. 1443-1472.
Simões, P., Cruz, T. et al. (2013) On the Use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks, in Proc. of the 12th European Conf. on Information Warfare and Security (ECIW 2013).
Snort IDS, Sourcefire, available at: http://www.snort.org.
Spitzner, L. (2002) Honeypots: Tracking Hackers, Addison-Wesley Professional.
Triangle MicroWorks, Inc. (2002) DNP3 Overview, Raleigh, North Carolina, http://www.trianglemicroworks.com/documents/dnp3_overview.pdf.
Wang, Y., Wong, J. and Miner, A. (2004) Anomaly Intrusion Detection Using One-Class SVM, presented at the 5th Annual IEEE Information Assurance Workshop, West Point, New York.
Zhu, B. et al. (2011) A Taxonomy of Cyber Attacks on SCADA Systems, Proc. of the 2011 Int. Conf. on Internet of Things and 4th Int. Conf. on Cyber, Physical and Social Computing (iThings/CPSCom 2011).