Proceedings of the 13th European Conference on Cyber Warfare and Security


Proceedings of the 13th European Conference on Cyber Warfare and Security, ECCWS 2014
The University of Piraeus, Piraeus, Greece, 3-4 July 2014
Edited by Andrew Liaropoulos and George Tsihrintzis
A conference managed by ACPI, UK

Copyright The Authors, 2014. All Rights Reserved. No reproduction, copy or transmission may be made without written permission from the individual authors.

Papers have been double-blind peer reviewed before final submission to the conference. Initially, paper abstracts were read and selected by the conference panel for submission as possible papers for the conference.

Many thanks to the reviewers who helped ensure the quality of the full papers.

These Conference Proceedings have been submitted to Thomson ISI for indexing.

Further copies of this book and previous year's proceedings can be purchased from http://academicbookshop.com

E-Book ISBN: 97819
E-Book ISSN: 2048-8610
Book version ISBN: 97819
Book Version ISSN: 2048-8602
CD Version ISBN: 97819
CD Version ISSN: 2048-8629

Published by Academic Conferences and Publishing International Limited, Reading, UK, +44 118 972 4148, www.academicpublishing.org

Improving Cyber Security Awareness on Industrial Control Systems: The CockpitCI Approach

Tiago Cruz 1, Jorge Proença 1, Paulo Simões 1, Matthieu Aubigny 2, Moussa Ouedraogo 3, Antonio Graziano 4 and Lasith Yasakethu 5
1 University of Coimbra, Portugal
2 itrust consulting, Luxembourg
3 Centre de Recherche Public Henri Tudor, Luxembourg
4 Selex ES, Italy
5 University of Surrey, UK
tjcruz@dei.uc.pt, jdgomes@dei.uc.pt, psimoes@dei.uc.pt, aubigny@itrust.lu, moussa.ouedraogo@tudor.lu, antonio.graziano@selexes.com, s.l.yasakethu@surrey.ac.uk

Abstract: Originally isolated by design, Critical Infrastructures (CI) based on Industrial Control Systems (ICS) such as SCADA (Supervisory Control and Data Acquisition) systems were born within the scope of industrial process control technologies. Having evolved from proprietary systems, ICS eventually started adopting open architectures and standards, becoming increasingly interconnected with existing corporate networking infrastructures and even the Internet. However, as these systems overcame their isolation and moved towards interconnected topologies, they also became more exposed to threats that weren't even remotely conceivable when they were first designed. Particularly, cyber threats are one of the most significant problems that modern ICS face, as the shortcomings and vulnerabilities of the decade-old ICS technology (some of them known for a long time, but mostly downplayed due to the isolation of such systems) become serious threats that can ultimately compromise human lives. As the security needs of the ICT and ICS domains cannot be addressed in the same way, this calls for a domain-specific approach to cyber threat detection, designed from scratch to address its particular needs. It must consider the particular characteristics of each networking context, be it ICS or ICT, in order to provide real-time cyber security awareness for the security teams operating in the control room; this is one of the most important contributions of the CockpitCI FP7 project (http://cockpitci.eu), which aims at improving the resilience and dependability of CIs. In this paper we present the CockpitCI cyber detection and analysis layer, also including a detailed description of its most relevant components in terms of role, integration and remote management. This paper will also show how the proposed solution might be effective in dealing with such cyber threats, by presenting relevant examples.

Keywords: critical infrastructure protection, industrial control systems, SCADA systems, IDS

1. Introduction

SCADA (Supervisory Control and Data Acquisition) is the designation commonly used to refer to a set of technologies, protocols and platforms used in Industrial Control Systems (ICS). Such systems are used in several scenarios, such as production line automation, for controlling nuclear or thermoelectric plants, for distribution grids and many other applications.

As their scope was originally restricted to isolated environments, SCADA systems were relatively safe from external intrusion. However, as architectures evolved, SCADA systems started to assimilate technologies from the Information and Communication Technologies (ICT) world, such as TCP/IP and Ethernet networking. This trend, together with the increasing adoption of open, documented protocols, exposed serious weaknesses in SCADA architectures. Moreover, the interconnection of the ICS network with organizational ICT network infrastructures, and even with the exterior (for instance, for connection with internal company systems or for remote management), brought a new wave of security problems and attacks, to such an extent that the number of externally initiated attacks on ICS systems has increased significantly, especially when compared with internal attacks (Kang 2011).

This situation, together with inadequate systems lifecycle management procedures that disregard regular updates or patching (Krutz 2006), increases the probability of a successful attack. While such procedures are trivial matters which are part of the regular maintenance routine in the ICT world, they must be dealt with in an entirely different way when it comes to ICS, mainly for two reasons: the fact that some components have to work on a continuous basis without interruptions, up to the point of working years without being reinitialized (ESCoRTS 2010) (Zhu 2011); and the fact that any software release must be carefully tested by equipment manufacturers before being released, or even the end-of-life of support for specific devices or software frameworks.

Therefore, ICS constitute a critical and strategic asset that is being increasingly targeted by malicious attacks, with potentially catastrophic consequences. In this context, CockpitCI (CockpitCI) is focused on improving the resilience and dependability of CIs.

The idea behind the CockpitCI project is to allow the community of CI (Critical Infrastructure) owners to exchange real-time information about attacks (and tentative attacks). In this scope, each CI incorporates its own real-time distributed monitoring system and Perimeter Intrusion Detection System (PIDS). These systems are able to aggregate the filtered and analyzed information of potential cyber attacks against systems used to support the operation of CIs and identify the potentially unsecured areas of the CIs.

This PIDS, which is the focus of this paper, performs many of the tasks traditionally associated with a Distributed Intrusion Detection System, with support for diversified and closely integrated detection and analysis techniques and tools. Each PIDS is to be deployed in the targeted area of a CI, in order to detect coordinated cyber attacks and in order to deploy prevention strategies of isolation.
Through coordinated PIDS operations, it is possible to put in place a specific perimeter to detect potential coordinated cyber attacks on CIs for each type of detected attack or for mixed cyber attacks. The CockpitCI PIDS is based on a state-of-the-art distributed intrusion detection architecture encompassing a set of detection agents that feed real-time and soft real-time automated correlation and anomaly detection mechanisms, orchestrated together by a management platform.

In this paper the main aspects of the proposed PIDS architecture are presented. Section 2 discusses the problem of security in ICS/SCADA. Section 3 introduces the CockpitCI architecture. Section 4 presents the proposed PIDS, with Sections 5 and 6 discussing analysis components and detection capabilities, respectively. Section 7 details the integration of eventing and management interfaces. Finally, Section 8 presents conclusions and gives some insights into what future directions the project might take.

2. A brief overview of ICS/SCADA security issues

The development of the CockpitCI PIDS architecture was preceded by a requirements analysis phase, with the purpose of understanding the specific characteristics and differences between ICS and conventional ICT infrastructures, from a security standpoint. This study revealed several significant differences between the ICT and ICS domains that are deeply rooted in their own particular characteristics, down to the fundamental priorities that define which are the most important operational and functional properties of the system.
When it comes to their fundamental governing principles, ICS and ICT infrastructures have an inverted set of priorities, a situation that is one of the main causes of SCADA infrastructure security problems. This is partly due to the fact that, as the ICS paradigm evolved, it was not accompanied by an equal progression in terms of an industry mindset that has remained unchanged almost since the inception of such technologies. As a result, and due to its critical nature, ICS operation and design practices frequently privilege availability and reliability over confidentiality and data integrity, a perspective that is quite the opposite from the ICT philosophy, which privileges confidentiality and security, followed by communications integrity and, finally, by availability (ISA 99.00.01). This contrast explains why it is frequent to find a lack of mutual understanding between the control systems teams and the security IT staff within the same organization.

The differences between the ICT and ICS contexts also mean that there is no "one size fits all" solution when it comes to choosing and implementing security mechanisms. Despite this, importing solutions from the ICT world is often a necessity, which might lead to undesirable side effects. The fundamental premises for ICT security tools and commonplace lifecycle management procedures, such as patching and updating a system, can become troublesome in an ICS when faced with situations such as the impediment or high cost of stopping production, or even the explicit prohibition by the system's manufacturer. As an example, a SCADA system customer may be unable to install an update on an operating system unless the manufacturer certifies their software for the update.

Product lifecycle is another matter that separates ICT from ICS systems, with the former having substantially shorter lifecycles when compared with the latter. In ICS it is frequent for mature systems to be kept in operation, sometimes far beyond their projected lifetime: the "if it ain't broke, don't fix it" philosophy. This limits the possibility of implementing some security mechanisms, due to the limited capabilities of existing equipment (Igure 2006).

Moreover, SCADA communication protocols, which are responsible for the interaction between field devices, such as PLC (Programmable Logic Controller) or RTU (Remote Terminal Unit) components, and the stations that control and monitor them, pose security concerns. One such example is the Modbus protocol (Modbus 2006), originally developed by Modicon (currently part of the Schneider Electric Group) in 1979. Modbus is one of the most popular protocols for SCADA applications, thanks to its simplicity and ease of use. However, Modbus suffers from security problems: the lack of encryption or any other protection measures exposes it to different vulnerabilities (Triangle 2002). If we take into consideration that it is not uncommon to find situations where the ICT and ICS networking contexts are blended within the corporate network, it becomes clear to which point some ICS are vulnerable. Despite this, protocols such as Modbus have a long lifespan and are still being massively deployed and used.

Simply put, when it comes to ICS, technology and platform maturity are valued as an implicit recognition of value and reliability, and even the disclosure of security issues related to them seems to have no effect in discouraging their usage or prompting the adoption of countermeasures to protect them. This has become the root cause of many ICS security issues that have been exploited with a variable degree of success in recent times, such as the Stuxnet trojan (O'Murchu 2011).

3. The CockpitCI project

To improve the resilience and dependability of Critical Infrastructures (CIs), the CockpitCI project proposes an architecture that is divided into several modules/components, whose interaction is illustrated in Figure 1 (CockpitCI 2013). Not only does this architecture aim to detect cyber threats using novel strategies for intrusion detection, along with devices specially conceived to monitor CI ICS/SCADA systems, but it also accounts for communication between multiple interdependent CIs, using a Secure Mediation Network (SMN) to share operational and security information.

Among the multiple components that make up the CockpitCI architecture, the Dynamic PIDS provides the core cyber analysis and detection capabilities, being responsible for continuously assessing and protecting the electronic security perimeter of each CI. The automatic analysis and detection mechanisms for each PIDS are fed by several field adaptors and detection agents deployed within each CI, which constitute its "eyes", providing the basic information from which the ongoing security status of the CI is inferred. Also, the PIDS encompasses semi-autonomous reaction capabilities, being able to deploy and activate countermeasures in line with predefined security reaction policies.

For each CI, an Online Integrated Risk Predictor (IRP) module works as a decision support system for management teams, feeding operational indicators (such as process-level data, gathered using the SCADA TLC and ELE adaptors shown on Figure 1) and cyber security information (generated by the PIDS) into a set of modelling tools, to assess and predict propagation and threat levels for potential cyber attacks on the CI. In this scope, SCADA adaptors translate SCADA data from various components into a common data format, enabling the use of devices from different vendors and legacy SCADA HW/SW (Hardware/Software) while sharing data with the detection layer and the IRP.
The Secure Mediation Network (SMN) provides the means for exchanging security information between CIs, also enabling the use of risk prediction and other analysis mechanisms to assess threats on a global scale, accounting for CI interdependencies (as exemplified by Figure 1, which represents two kinds of CIs that are frequently dependent on each other: telecommunications and electric power distribution).

Figure 1: The CockpitCI general architecture (CockpitCI 2013)

Among these components, the CockpitCI PIDS cyber analysis and detection architecture constitutes the main subject of this paper. The next sections will focus on the presentation and analysis of the basic components of the PIDS, explaining how they work together to continuously monitor and analyze the ICS/SCADA system components of a given ICS in order to perform threat detection. Also, the event correlation and anomaly detection mechanisms that constitute the cyber security analysis capabilities of the PIDS will be addressed, together with the description of the agents and probes that feed them with information about the ICS/SCADA system's state and its data flows.

4. The CockpitCI cyber detection and analysis layer within the PIDS

The CockpitCI PIDS incorporates several advanced real-time detection and analysis mechanisms, integrated to constitute a cyber analysis and detection layer for the CI, as shown on Figure 2. It is structured along the three different zones of the CI, each one with its own internal security perimeter: the Field Network, the SCADA Process/Operations Network and the IT (Information Technology) Network. This distinction confers on the PIDS the ability to deploy agents and security policies customized to the specific needs and characteristics of each network scope.

This architecture was designed to deal with several attack scenarios, from known threats to rogue events, such as: man-in-the-middle attacks, device impersonation, non-authorized tampering, worms, trojans, denial-of-service attacks or flooding, among others.
For this purpose, the PIDS is designed in such a way that it integrates different detection strategies, distributed along different levels, namely:

- Detection agents and field adaptors, including agents, adaptors and extensions for existing system components, as well as specialized network probes and honeypots (Spitzner 2002) to be added to the network, which are able to capture behaviour or traffic patterns (as performed by NIDS, Network IDS, components) as well as to perform host (using tools such as HIDS, Host IDS, or antivirus software) and field device monitoring.
- A distributed multi-zone, multi-level correlation structure that processes the information provided by the security sensors, complemented by machine-learning capabilities in the form of a One-Class Support Vector Machine (OCSVM) (Ma 2003) anomaly detection module, based on adaptive machine learning.
- Aggressive usage of topology- and system-specific detection mechanisms: based on the fact that the role and behaviour of each system component in an ICS are expected to be more consistent over time than on other types of networks, analysis components are fed with knowledge provided by a number of system-specific sources, such as topology databases, policy databases and trust-based mechanisms, as well as strategically placed honeypots.

The operation of the PIDS components is orchestrated through a Security Management Platform (SMP), which is responsible for managing all the involved components of the solution (see Figure 2). It includes the mechanisms for managing the security and components of the infrastructure. The SMP is responsible for the maintenance and management of monitoring probes such as IDS and of the analysis components, also including monitoring of in-place security and vulnerabilities within the network, as well as the maintenance of the latter. Therefore, the SMP has a dual role, dealing with both security audit and maintenance mechanisms.

Figure 2: The CockpitCI cyber detection and analysis layer (red flows = management, green = eventing). [Diagram: NIDS, HIDS, OCSVM, Modbus Honeypot and Local Correlator components in the IT Network, the Operations Network and Field Networks 1 to N, feeding a Main Correlator managed by the Security Management Platform.]

The SMP performs the configuration of detection agents on the field, allowing their detection thresholds and other relevant parameters to be set up. This detection threshold depends both on the risk level of the overall infrastructure (the level of detection shall be higher if the probability of an attack is higher) and on the specific detection needs (e.g. in case of abnormal event detection on a specific system, the SMP shall be able to verify all similar components in the CI to check their security level).

Due to the demanding availability requisites and little tolerance to delays, the detection architecture is to be implemented using a network that is separate from the SCADA system network (it can eventually use the same physical network, using VLAN (Virtual Local Area Network) or other types of overlay techniques for traffic separation), in order to guarantee that it does not interfere with the normal operation of the control network.

5. Analysis layer

The analysis components of the PIDS provide a way to extract information from the data collected by the agent layer or directly from network traces. These components are arranged in a two-level architecture with local instances fine-tuned for each network scope.
5.1 Local and global correlators

Local correlators perform the first step of correlation, filtering and reducing the number and noise of the alarms generated by the detection layer, while providing a mechanism for security event generation that is able to filter, process and relate events within a network segment (e.g. alarms generated by two or more detection agents, multiple events from the same source).

Local correlators receive the events from local detection agents (e.g. HIDS) on their network scope and process them according to a set of rules, forwarding significant results to a global correlation engine. This approach provides context separation, at the same time allowing for better efficiency and scalability for real-time event processing. After local correlation, events are sent to the global correlators and from the latter to the SMN, using the Intrusion Detection Message Exchange Format (Debar 2007). IDMEF defines an experimental standard for exchanging intrusion detection related events. As a standard, it can be used as a vendor- or product-independent enabler for intercommunication between different agents such as NIDS or honeypots.

As illustrated by Figure 2, local correlators receive events from the different agents, such as NIDS, HIDS and honeypots, among others. These agents differ according to the network zone in which the local correlator is located. Despite the range of different agents, the local correlator should use the same interface for all of them, as messages are received through an Event Bus (discussed in Section 7). This interface will allow subscribing to the events published by the agents. Local correlators also have an agent adaptor interface that allows for management via the SMP.

Regarding the event interfaces for the main correlator, there are different types: one to receive events from the local correlators and another one to send events to the SMP, both using an event bus. As local correlators have already processed the received events, the main correlator can focus on multi-step, attack-focus recognition correlation, as well as alert prioritization. A management adaptor provides the interface for the SMP to configure the correlator (see Figure 3).

The correlators are implemented using the Esper (Esper) Complex Event Processing (CEP) tool. This was due to the fact that Esper is a multi-platform, flexible and mature tool, in development since 2006. Also, performance tests have shown Esper to exhibit a good balance between memory usage, CPU usage and execution time when processing hundreds of thousands of events.

Figure 3: Overview of the correlator architecture

Esper can natively accept events represented in XML, among other formats, which is useful as IDMEF, used by the PIDS, is an XML-based format. If an XML schema document (XSD file) is provided, Esper can read the schema, properly present event type metadata and validate statements that use the event type and its properties. To access the elements of the event, the correlator uses XPath expressions. If a schema for the XML is provided, the XPath expression needed to reference an attribute can be inferred automatically. Otherwise, expressions can be manually configured.

An overview of the architecture of a PIDS correlator, based on Esper, is pictured in Figure 3. The events received from the input adaptor are sent to the Esper runtime (EPRuntime); this provides the interface to the event stream processing runtime services. The statements are registered in the EPRuntime and represent the event stream queries and/or event patterns. Each statement can have one or more statement listeners bound to it. When the condition of a query is verified, Esper can trigger the listener(s) bound to the rule, insert the result of the statement into another stream (one that already exists or is created at that time), or do both. If a rule generates a new event that needs to be sent by the correlator to the Event Bus, the listener will interface with the output adaptor to send it. Output events are generated by rules making use of input events, cached events, the internal state and information from external sources.

Esper statements are added to the EPRuntime through the Esper Administrator (EPAdministrator) module. This is an administrative interface to the event stream processing engine. For security auditing purposes the correlator will log all events and traces of the actions performed to persistent storage. The events will be logged as they are received in the correlator, and the EPRuntime shall also log the actions executed by the correlator. Correlation can make use of information taken from external sources. These sources can provide additional information related, among others, to the definition of the network topology and other detailed system information. These external sources (knowledge/topology databases) can be queried directly from an EPL statement. New rules can be added to the correlation engine dynamically, without restarting the engine.

Using the same correlator tool for the two levels of correlation provides uniformity, since the same language is used to express the correlation operations, and allows easier integration with the Event Bus, as the same interfaces can be used for the two levels. Using the same rule description language for both correlators simplifies the task of rule management by operators and security experts. Additionally, some correlation rules can be used in both correlators without the need to be converted.

5.2 One-Class Support Vector Machines (OCSVM)

OCSVM (One-Class Support Vector Machine) is a natural extension of the support vector algorithm to the case of unlabelled data, especially for the detection of outliers. However, unlike SVM or any other classification algorithm, OCSVM does not need any labelled data for training, nor any information about the kind of anomaly it is expected to detect. OCSVM principles have shown great potential in the area of anomaly detection (Ma 2003, Li 2003, Schölkopf 2001). Moreover, OCSVM is capable of handling multiple-attribute data (Hsu 2003, Wang 2004), which is well suited for SCADA systems.

The advantages of the OCSVM component are manifold: since OCSVM does not require any signatures of data to build the detection model, it is well suited for anomaly-based intrusion detection in a SCADA environment; since the detection mechanism does not require any prior information on the expected attack types, OCSVM is capable of detecting both known and unknown (novel) attacks, besides being robust to noise in training sets. Also, algorithm behaviour can be controlled and fine-tuned by the user to regulate the percentage of anomalies expected (thresholds, as defined via the SMP through the OCSVM management adaptor).
OCSVM operation consists of two steps, namely training and testing. During the training stage OCSVM builds a model from normal data (i.e., data obtained from a system operating under normal conditions, without any attack in progress); in the testing stage it then classifies new data as either normal or attack, based on its geometrical deviation from the training data. Since the OCSVM detection approach is robust to noise samples, the training data set can include some noise samples (i.e. data which does not correspond to the normal behaviour). An OCSVM component is deployed in the IT, Operations and Field network zone(s), therefore requiring different training sets.

Once the training phase is complete, the OCSVM module is capable of detecting possible intrusions (abnormal behaviour) to the SCADA system, based on real-time capture of network traffic traces. The detection module will classify each event as either a normal event or a possible intrusion. This information will then be encoded in an IDMEF message and sent to the main correlator, using an adaptor for the event bus, in order to react accordingly to the detected intrusions.

6. Detection agents

The detection agents are the lowest level of the detection layer. Their purpose is to gather information from the system. As the format of the information provided depends on the type of detection agent used (type of probe), adaptors allow the acquisition of data from the system in a recognised format. Detection agents and adaptors are essential to feed the local correlators of the detection layer with input data regarding suspicious activity. The PIDS encompasses several kinds of probes and detection agents, among which the most relevant are described next.

6.1 Threat detection agents

Network IDS: the perimeter for each network scope is monitored using NIDS components for each one: IT Network NIDS, Operations Network NIDS and Field Network NIDS. These have interfaces to report the security events to the zone correlator within their network scope. In the PIDS, Snort (Snort) is used for this purpose, albeit other NIDS could be used.

Host IDS: the Host IDS is deployed in the hosts/servers of the system. It is capable of reporting anomalous behaviour in the machine where it is deployed. In the CockpitCI PIDS, OSSEC (OSSEC) is used for this purpose, but other HIDS could be used.

Honeypots: acting as decoys and being capable of detecting attackers probing the network, honeypots provide another source of data for correlation. There are three types of honeypots in the detection layer: IT Network, Operations Network and Field Network honeypots (Simões 2013).

Exec Checker (Linux hosts): capable of detecting malicious network frames by sniffing the traffic, the Exec Checker (in active or passive mode) captures the different parts of an executable in the network traffic to recreate the file and send it to an analysis tool.

6.2 Vulnerability detection agents

Output Traffic Controls (Linux hosts): capable of detecting Remote Access Trojans, this specific tool regularly scans system components to check whether a remote access toolbox has been installed on them to facilitate external attacks.

Vulnerability Checker (Windows hosts): this tool provides a regular control of system vulnerability, checking whether the monitored systems are vulnerable or not according to an updated database. This tool can be customized for IT or SCADA host profiles.

Configuration Checker (Linux/Windows hosts): this tool provides a regular control of system configurations to check for unauthorized modification.

6.3 Security event detection agents

Behaviour checker (Linux/Windows hosts): capable of detecting attacks/threats by analyzing low-level hardware/software behaviour, this specific family of detection agents retrieves hardware/software information such as temperature and CPU (Central Processing Unit) activity in order to avoid accidental or malicious outage.

Security events generated by detection agents are encoded using the IDMEF format. All detection agents have a separate channel (another interface or secure channel) for management purposes, enabling the security staff to adjust the configurations to the scenario requirements, via the SMP.
The detection agents send their messages by means of an Event Bus, described in section 7, which also details the management interfaces for the agent adaptors. These interfaces (eventing and management) were designed to ease the integration of several types of detection capabilities (such as antivirus, for instance), providing wrapper components for event generation and the management API.

7. Interfaces and integration

This chapter describes the transport mechanisms and interfaces for event data flowing between the several existing components of the PIDS, also addressing their management interfaces.

7.1 The Event Bus

The Event Bus is the component responsible for managing the communication of events between the different elements of the PIDS; its architecture is detailed in Figure 4. Events generated by the different agents within each zone are sent to an Event Bus broker. The broker is then responsible for routing these events to a queue from which the local correlator can consume them. After processing and correlating the events, each local correlator sends the events to another broker that feeds the main correlator. The events produced by the main correlator are sent to the main broker, which routes them to a queue from which they can be sent to the SMP.

Figure 4: Event bus architecture (figure not reproduced: the IT Network, Operations Network and Field Network zones each hold NIDS, HIDS, Honeypot and OCSVM components feeding an Event Broker and a Local Correlator; the local correlators feed an Event Broker in front of the Main Correlator, whose events go to the Security Management Platform)

The Event Bus uses a Message Oriented Middleware (MOM) (Banavar 1999) to provide efficient event communication among the (sometimes heterogeneous) components that comprise the PIDS. Several MOM implementations depend on a Message Queue (MQ) system to allow asynchronous message delivery, by providing temporary storage, in memory or on disk, for the messages. Messaging applications communicate with each other through a messaging system, acting either as message producers (senders) or consumers (receivers). Producers and consumers are loosely coupled, being connected through virtual channels called publish-and-subscribe (one-to-many) channels or point-to-point (one-to-one) channels (Chappell 2004).

For the integration of eventing interfaces, the CockpitCI PIDS adopted an Event Bus based on the Advanced Message Queuing Protocol (AMQP) (OASIS 2011), a wire-level, open standard application layer protocol for MOM that defines a neutral (IDMEF-compatible) encoding scheme of byte sequences to pass over the network. An AMQP messaging system comprises three main components: publisher(s) (which assemble messages and send them to a message queue), consumer(s) (which receive messages from a message queue) and broker(s)/server(s) (responsible for receiving messages from publishers and routing them to the right consumers).

The AMQP-based MOM brings a set of important features to the PIDS architecture, namely:

Security: it supports authenticated and/or encrypted transport, using Transport Layer Security (TLS) or Simple Authentication and Security Layer (SASL), to protect events from tampering and/or eavesdropping.
Message reliability: it can guarantee message ordering using a queuing broker, ensuring that messages are delivered to the receiver in the same order in which the sender sent them, with support for disconnection (messages may be held in a queue for deferred delivery).

Resiliency: message delivery semantics provide a range of delivery options, with special emphasis on the exactly-once and at-least-once modes. These delivery modes guarantee that the message arrives at the intended destination no matter what: the messaging provider will retry the delivery of a message upon a delivery failure.

Scalability and High Availability: it provides scalability for the communication system thanks to the publisher-subscriber model. The agents can send events, publishing them to a queue/exchange in the broker, which is subscribed to by a correlator to receive the messages. This allows additional consumers to be added with ease, for failover or to distribute the correlation load across more than one instance. Also, a group of brokers can be clustered together for high availability and/or scalability/load balancing.

Moreover, the protocol is vendor-neutral and platform-agnostic. There are several open source implementations for many different programming languages.
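The path an event takes from a detection agent to its zone's local correlator, as an added example that is not code from the CockpitCI PIDS: the agent's event is encoded as an IDMEF Alert (RFC 4765, the format named in section 6) and published with a zone-prefixed routing key to a broker that delivers it to the queue the zone's local correlator consumes (section 7.1). The broker is an in-process stand-in for AMQP, and the queue names, routing-key layout ("<zone>.<agent>"), analyzer id, addresses and timestamp are all constructed assumptions.

```python
import queue
import xml.etree.ElementTree as ET
NS = "http://iana.org/idmef"        # IDMEF XML namespace (RFC 4765)
def q(tag): return f"{{{NS}}}{tag}"  # namespace-qualified tag name

def build_idmef_alert(analyzer_id, zone, classification, src_ip, dst_ip, when):
    """Encode one detection-agent event as an IDMEF Alert; returns XML bytes."""
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"))
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id, name=zone)
    ET.SubElement(alert, q("CreateTime")).text = when
    for tag, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, q(tag)), q("Node"))
        addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
    ET.SubElement(alert, q("Classification"), text=classification)
    return ET.tostring(msg, encoding="utf-8")

def parse_idmef_alert(body):
    """The fields a local correlator keys on: (analyzer id, classification text)."""
    root = ET.fromstring(body)
    return (root.find(".//" + q("Analyzer")).get("analyzerid"),
            root.find(".//" + q("Classification")).get("text"))
class ZoneBroker:
    """In-process stand-in for an AMQP broker: the zone prefix of a routing key
    '<zone>.<agent>' is bound to the queue that zone's local correlator consumes."""
    def __init__(self):
        self.queues, self.bindings = {}, {}
    def bind(self, zone, queue_name):
        self.bindings[zone] = queue_name
        self.queues.setdefault(queue_name, queue.Queue())
    def publish(self, routing_key, body):
        qname = self.bindings.get(routing_key.split(".", 1)[0])
        if qname is None:
            return False                # zone not bound: event is not routed
        self.queues[qname].put(body)
        return True
    def consume(self, queue_name):
        pending = self.queues[queue_name]
        return [pending.get_nowait() for _ in range(pending.qsize())]
def route_demo():
    """Constructed scenario: one Field Network NIDS alert, then an unbound zone."""
    broker = ZoneBroker()
    broker.bind("field", "field-local-correlator")
    body = build_idmef_alert("nids-field-01", "field", "Unexpected Modbus write",
                             "10.0.3.7", "10.0.3.20", "2014-01-01T00:00:00Z")
    routed = broker.publish("field.nids", body)
    dropped = broker.publish("dmz.nids", body)      # no binding for 'dmz'
    return routed, dropped, [parse_idmef_alert(b) for b in broker.consume("field-local-correlator")]
```

A real deployment would replace ZoneBroker with an AMQP client talking to the zone broker over TLS/SASL, keeping the same IDMEF body.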

7.2 Management interfaces

For each managed entity that does not provide a suitable management interface, a component management adaptor/coupling architecture provides a uniform API and Data Model for each component that does not expose its own native management interface.

The Management Adaptor also embeds an API/Data Model module that is responsible for maintaining its data model (state and semantics) properties and for providing the web service API interface to manipulate them. According to the mapping rules from the Abstraction Class, attributes exposed by the API layer might have several properties, defining and describing their access mode (read, write) or data types. The API makes use of REST (Representational State Transfer) (Fielding 2000) web services, with security being provided with the help of HTTPS together with other authentication mechanisms such as client certificates or signed requests.

The data model structure for management adaptors is standardized, being inspired by the hierarchical models usually found in management protocols such as SNMP (Case 2002), and is arranged as a tree. Asynchronous events are also supported through the inclusion of eventing properties, enabling a specific attribute to generate notifications when its state changes.

8. Conclusion

This paper presents the architecture of the PIDS within the CockpitCI architecture. This architecture was designed to address the special cyber-security needs of CIs, such as ICS/SCADA systems, being based on a distributed approach that attempts to bring the most effective detection mechanisms and tools together with correlation and anomaly detection analysis techniques, in order to create a solution that starts with the state of the art in CI security as its baseline.

A strong point of this architecture lies in its capability for assimilation of a diverse range of detection tools in a coherent framework with homogeneous coordination and orchestration.
Using distributed two-level correlation capabilities, the PIDS is able to get a micro and macro perspective on the ongoing status of the monitored CI, while being capable of dealing with unknown threats, thanks to the incorporation of machine learning anomaly detection features. Future work will address improved integration with the SMN, while expanding on the functionality and diversity of detection components.

Acknowledgements

The authors would like to thank the support of the CockpitCI (FP7-SEC-2011-1 Project 285647) and iCIS (Intelligent Computing in the Internet of Services, CENTRO-07-0224-FEDER-002003) projects.

References

OASIS (2011) Advanced Message Queuing Protocol (AMQP), version 1.0, available at: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=amqp, July 2011.
Banavar, G., Chandra, T., Strom, R. and Sturman, D. (1999) A Case for Message Oriented Middleware, IBM T.J. Watson Research Center, Hawthorne, New York.
Case, J. et al. (2002) Introduction and Applicability Statements for Internet Standard Management Framework, IETF RFC 3410, December 2002.
Chappell, D. (2004) Enterprise Service Bus, O'Reilly Media, 2004.
CockpitCI, CockpitCI FP7-SEC-2011-1 Project 285647, available at: http://CockpitCI.eu.
CockpitCI (2013) CockpitCI FP7 Deliverable D3.1, Requir. and Reference Arch. of the Detection Layer.
Debar, H., Curry, D. and Feinstein, B. (2007) RFC 4765: The Intrusion Detection Message Exchange Format (IDMEF), March 2007, http://www.ietf.org/rfc/rfc4765.txt.
ESCoRTS (2010) Taxonomy of Security Solutions for the SCADA Sector, Deliverable 2.2.
Esper Complex Event Processing, EsperTech, available at: http://www.espertech.com/products/esper.php.
Fielding, R.T. (2000) Architectural Styles and the Design of Network-Based Software Architectures, Ph.D. Dissertation, University of California, Irvine.
Hsu, C., Chang, C. and Lin, C. (2003) A practical guide to support vector classification, Technical report, Dept. of Computer Science and Information Engineering, National Taiwan University, Taipei.
Igure, V.M., Laughter, S.A. and Williams, R.D. (2006) Security issues in SCADA networks, Computers & Security, Volume 25, Issue 7, Pages 498-506, 2006.
ISA-99.00.01 (2007) Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, American National Standard.

Kang, D. et al. (2011) Proposal strategies of key management for data encryption in SCADA network of electric power systems, Int. Journal of Electrical Power & Energy Sys., vol. 33, iss. 9, Nov. 2011.
Krutz, R.L. (2006) Securing SCADA Systems, USA: Wiley Publishing, Inc., 2006.
Li, K., Huang, H., Tian, S. and Xu, W. (2003) Improving one-class SVM for anomaly detection, Proceedings of the Second Int. Conference on Machine Learning and Cybernetics, Xi'an, 2003.
Ma, J. and Perkins, S. (2003) Time-series novelty detection using one-class support vector machines, Proceedings of the International Joint Conference on Neural Networks, July 2003, pp. 1741-1745.
Modbus-IDA (2006) Modbus Application Protocol Specification V1.1b.
O Murchu, L. and Falliere, N. (2011) W32.Stuxnet Dossier, Symantec White Paper, February 2011.
OSSEC, Open Source SECurity, Trend Micro, available at: http://www.ossec.net.
Schölkopf, B., Platt, J., Shawe-Taylor, J., Smola, A.J. and Williamson, R. (2001) Estimating the support of a high-dimensional distribution, Neural Computation, vol. 13, no. 7, pp. 1443-1472, 2001.
Simões, P., Cruz, T. et al. (2013) On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks, in Proc. of the 12th European Conf. on Information Warfare and Security (ECIW 2013).
Snort IDS, Sourcefire, available at: http://www.snort.org.
Spitzner, L. (2002) Honeypots: Tracking Hackers, Addison-Wesley Professional.
Triangle MicroWorks, Inc. (2002) DNP3 Overview, Raleigh, North Carolina, http://www.trianglemicroworks.com/documents/dnp3_overview.pdf.
Wang, Y., Wong, J. and Miner, A. (2004) Anomaly intrusion detection using one-class SVM, presented at the 5th Annual IEEE Information Assurance Workshop, West Point, New York, 2004.
Zhu, B. et al. (2011) A taxonomy of Cyber Attacks on SCADA Systems, Proc. of the 2011 Int. Conf. on Internet of Things and 4th Int. Conf. on Cyber, Physical and Social Computing (iThings/CPSCom '11).