Critical Infrastructure Protection 
ICS Network Behavior Management 
By Enrique Martín García 
August 2014 
Executive Summary 
The security level of all infrastructures that provide essential services to society must be reviewed and supervised continuously. 
This supervision must be based on indicators able to offer objective values that remain sustainable over time, given the robust and lasting design these infrastructures should have. 
In this paper we focus on the first set of indicators to define and manage, all of them related to the correct behavior of the Industrial Control Network of these infrastructures.
Contents 
Introduction 
Legal Framework 
  USA: Cybersecurity Framework, February 2014 – National Institute of Standards and Technology (NIST) 
  USA: ES-C2M2 v1.1, February 2014 – Department of Energy – Department of Homeland Security 
  France: National Security Agency for Information Systems (ANSSI) 
  Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas (Act 8/2011 of 28 April establishing measures for the protection of critical infrastructures) 
RIPE – Robust ICS Planning & Evaluation 
Indicators 
  Connection between the command center and the sensor is protected and encrypted, ensuring its confidentiality and integrity 
  Inventory Building 
  Inventory Quality 
  Detailed Interaction Between Devices 
Conclusion 
References 
About the Author
Introduction 
In the last three years, Critical Infrastructure Protection strategies have been strengthened in both the U.S. and Europe. This has been achieved through standards, guidelines and cybersecurity frameworks addressed to the sectors that provide essential services to society in each country. 
New legal and regulatory frameworks have also been developed to rule and define the security controls, countermeasures and supervision mechanisms that this kind of site has to put in place. 
All of them, like the older Information Technology (IT) security standards, require the Critical Operator (OC) that provides essential services from its Critical Infrastructure (CI) to implement mechanisms for managing an inventory of its technology assets. 
Furthermore, given the properties of industrial control networks, continuous monitoring of behavioral abnormalities is also requested. 
To manage behavioral abnormalities effectively, one should begin by establishing a baseline of the control network that covers all information assets, their interconnections and the regular operations that take place between them (traffic matrix and operational matrix). 
Given the diversity of critical-sector classifications and legislation across European countries, this paper focuses on the case of Spain. 
Legal Framework 
To put into context the metrics related to asset inventory and behavior monitoring that the different frameworks and standards propose, I will briefly review some of the latest updates published as of this date. 
USA: Cybersecurity Framework, February 2014 – National Institute of Standards and Technology (NIST) 
In this framework, the need to maintain an inventory of IT assets is captured in the first defined function: Identify. 
Under the Identify (ID) function is the Asset Management (AM) category, and under it six sub-categories are established: 
- ID.AM-1: The organization's devices and systems are inventoried 
- ID.AM-2: The organization's applications and software platforms are inventoried 
- ID.AM-3: Communications and data flows are documented in diagrams 
- ID.AM-4: External information systems are catalogued 
- ID.AM-5: Resources (systems, devices, applications, etc.) are prioritized according to their classification, criticality and business value 
- ID.AM-6: Cybersecurity roles and responsibilities for all employees and third parties are established
Of these inventories, the detailed description of communications is often the most difficult to achieve for the OC, due to the changes industrial control networks have undergone in recent years because of the convergence of communications (TCP/IP) and their more or less secure connection with other OC business networks. 
The need to maintain an updated inventory of communications and information flows is found in the following standards: 
- CCS CSC 1 
- COBIT 5 DSS05.02 
- ISA 62443-2-1:2009 4.2.3.4 
- ISO/IEC 27001:2013 A.13.2.1 
- NIST SP 800-53 Rev. 4 AC-4, AC-3, AC-9, PL-8 
FIGURE 1: NIST CYBERSECURITY FRAMEWORK FUNCTION 1 
The detection of behavioral anomalies is recognized in the third function defined by the Framework: Detect. 
Under the Detect (DE) function is the Anomalies and Events (AE) category, and under it five sub-categories are established: 
- DE.AE-1: A baseline of network operations and expected data flows for users and devices exists and is managed 
- DE.AE-2: Detected events are analyzed to understand attack targets and methods 
- DE.AE-3: Events collected from multiple sources and sensors are aggregated and correlated 
- DE.AE-4: The impact of events is determined 
- DE.AE-5: Incident alert thresholds are established 
The need to detect anomalies in the control network is found in the following standards: 
- COBIT 5 DSS03.01 
- ISA 62443-2-1:2009 4.4.3.3 
- NIST SP 800-53 Rev. 4 AC-4, AC-3, CM-2, SI-4 
FIGURE 2: NIST CYBERSECURITY FRAMEWORK FUNCTION 3
USA: ES-C2M2 v1.1, February 2014 – Department of Energy – Department of Homeland Security 
Defined equivalently for the Oil & Natural Gas sector (ONG), this maturity model also establishes the need to maintain an inventory of assets, both IT and OT: 
FIGURE 3: INVENTORY IN THE CYBERSECURITY CAPABILITY AND MATURITY MODEL FOR THE ELECTRIC SECTOR IN THE USA 
It also establishes the need to properly document the behavior of communications and, later, the need to monitor traffic anomalies in the OT and IT networks, as other international studies also recommend [3].
FIGURE 4: MONITORING IN THE CYBERSECURITY CAPABILITY AND MATURITY MODEL FOR THE ELECTRIC SECTOR IN EEUU 
France: National Security Agency for Information Systems (ANSSI) 
The National Agency for the Security of Information Systems (ANSSI) published in August 2014 a methodology for classifying organizations that use information systems for industrial control, together with a detailed set of security measures to be taken by each of these organizations depending on their classification. 
FIGURE 5: DETAILED MEASURES FOR INDUSTRIAL CONTROL SYSTEMS USERS
Among the cybersecurity measures to adopt is the systematic maintenance of an asset inventory of the industrial control system, which should reflect all interconnection diagrams and the flows between assets, together with their monitoring: 
FIGURE 6: CYBER SECURITY MEASURES INDEX DETAILED USERS ORGANIZATIONS INDUSTRIAL CONTROL SYSTEMS
Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas (Act 8/2011 of 28 April establishing measures for the protection of critical infrastructures) 
In Spain, the PIC 8/2011 Act requires organizations designated as critical infrastructure operators by the CNPIC to develop an Operator Security Plan and a Specific Protection Plan, which must reflect detailed inventories of the elements that make up their industrial control network, among other assets. 
In particular, section 3.1 of the Specific Protection Plan, "General Data of the Infrastructure", provides for the inclusion of at least the following information: 
- "On the ICT systems that manage the CI and its architecture (network map, map of communications systems, etc.)." 
Section 3.2 of the same Plan, "Assets / Elements of the CI", provides for the inclusion of at least the following information: 
- "Computer systems (hardware and software) used." 
- "Communication networks that allow data exchange and are used by this CI." 
FIGURE 7: MINIMAL CONTENTS FOR THE PLAN DE PROTECCIÓN ESPECÍFICO (PPE) 
In short, all the information necessary to establish the normal behavior of the control network is requested.
In view of the foregoing, it seems clear that the need for an asset inventory, together with the establishment of a behavioral baseline, will define the indicators of compliance. These two realities naturally lead to the design of a set of metrics based on the inventory and on the management of network behavior (Network Cyber Behavior Management™). 
The following sections describe the methodology and the proposed solution to define and maintain these metrics. 
RIPE – Robust ICS Planning & Evaluation 
The Robust ICS Planning and Evaluation (RIPE) Framework [1], published in 2013, provides a management model based on defined quality in industrial control systems for critical processes, in line with the proposal for measuring cyber-resilience from INTECO [2]. 
This model rests on the definition of three main blocks: 
- Technology Block (IT and OT systems) 
- Organizational Block (people) 
- Operational Block (processes and procedures) 
FIGURE 6: RIPE MODEL CONTEXT DIAGRAM 
In this framework, compliance metrics are measured periodically, and with a low economic impact, in eight areas of the critical infrastructure: 
- Asset inventory: For each facility/plant, all assets involved in providing or protecting an essential service should be documented and periodically reviewed. This inventory, collected for each CI, integrates all elements of physical and logical security. 
- Connection diagram of assets: It is critical to document and review the existing connectivity between the assets inventoried in the previous point, in order to establish the interdependence of all the assets and their ranking when grouped to provide an essential service. 
- Interaction between assets: With the information gathered in the previous points, build operational flow diagrams between devices; these complete the description of the interdependence of essential services and support the subsequent security monitoring of the plant/installation. 
- Roles and functions of staff: Staff are the first asset to protect and the most fundamental part of any defense strategy for a plant/facility. Maintain an updated list of all CI staff and review it periodically to ensure the information remains valid. This information is critical to the implementation of any physical and logical access policy. 
- Development of staff skills and knowledge: The security level of the plant/installation must be understood within the cycle of continuous improvement of the provision of essential services. It is essential that the people who operate and secure these services have the training necessary to perform their duties. Periodic monitoring of compliance with training plans and of progress in each plant facilitates tracking of the periodic targets set by the CSMS. 
- Operating guidelines and procedures: Essential services may be interrupted by an erroneous, untested or unauthorized operation. To avoid such problems, keep updated operating guidelines that are revised periodically, so as to minimize problems in the provision of essential services by the plant/installation. 
- Planning and design changes: In line with the previous point, any new element within the CI or any new industrial process must be documented and approved by the operations manager. Reviewing the process and its associated documentation minimizes risks to the continuity of essential services and to the proper maintenance of the CSMS. 
- Asset procurement: Security requirements for the assets to be deployed in plants/facilities should be considered from the acquisition phase. Controlling procurement processes against these requirements facilitates integrating those assets into the ongoing security management of the plant/installation. 
Control of these eight areas allows completing the impact assessment on the essential services the plant/installation supports, consistently with the security policy defined by the OC on important issues such as safety management, staff training and continuity management. 
Each of these areas is evaluated according to two quality criteria, with targets expressed as percentages of compliance: 
- Degree of completion 
- Accuracy of the information completed
In the case of the asset inventory, for example, the following criteria are applied: 
RIPE System Inventory Quality 
  Quality      : Completeness and accuracy of the system inventory. Computation: Accuracy * Completeness / 100 
  Completeness : Percentage of components listed in the system inventory, relative to the total number of components identified by walk-down inspection 
  Accuracy     : Percentage of components listed accurately in the system inventory, as identified by walk-down inspection 
TABLE 1: INDICATOR VALUE CRITERIA AND CALCULATION 
In a specific example, after applying these criteria to the eight areas of two individual installations, we obtain the following values: 
FIGURE 9: TWO PLANTS COMPLIANCE POLAR DIAGRAM 
In the case of the plant represented by the red line, we observe much greater compliance in areas such as asset inventory and personnel than in the plant represented by the blue line. 
This would allow the organization to reuse the operating procedures of the first plant in the second, achieving improved security levels in a short time and at low cost.
In the following section we define, from the RIPE Technology Block, the indicators for industrial control networks that describe the expected behavior pattern (blueprint) of these networks: 
- Asset inventory 
- Representation of the connections between assets 
- Detailed interaction between them 
Indicators 
The indicators defined by the reference framework above must be calculated and updated with minimal effort. To do this we propose the use of the SCAB solution (Security Awareness Control Box) for SCADA systems, based on Deep Protocol Behavior Inspection (DPBI) of the control protocols. 
SCAB is a monitoring and anomaly detection system that analyzes network traffic and detects unusual events on the network (e.g., cyber attacks or operational errors), not by signature-based detection but by building the behavior pattern of the network automatically and unattended. 
The behavior pattern built by the solution defines: 
- Connection models 
- Protocols used 
- Message types of each protocol 
- Message fields 
- Values of the message fields 
This set of information defines the whitelist of operations in our control network. 
Today, SCAB allows monitoring and inspection of the following protocols: 
Protocol        Deep Protocol Behavior Inspector   Connection profile 
MMS             yes                                yes 
Modbus/TCP      yes                                yes 
OPC-DA          yes                                yes 
IEC 101/104     yes                                yes 
DNP3            yes                                yes 
IEC 61850       yes                                yes 
ICCP TASE.2     yes                                yes 
CSLib (ABB)     yes                                yes 
DMS (ABB)       yes                                yes 
S7 (Siemens)    yes                                yes 
SMB/CIFS        yes                                yes 
RPC/DCOM        yes                                yes 
PVSS            -                                  yes 
LDAP            -                                  yes 
NetBIOS         -                                  yes 
HTTP            -                                  yes 
FTP             -                                  yes 
SSH             -                                  yes 
SSL             -                                  yes 
SMTP            -                                  yes 
IMAP            -                                  yes 
POP3            -                                  yes 
VNC/RFB         -                                  yes 
RTSP            -                                  yes 
AFP             -                                  yes 
TABLE 2: SCAB SUPPORTED PROTOCOLS 
SCAB solution architecture is the following: 
FIGURE 10: SCAB SOLUTION ARCHITECTURE
The Command Center collects the monitoring intelligence from the various sensors and offers: 
- A web-based user interface (supported browsers: Google Chrome, Mozilla Firefox, Internet Explorer 9 or later, Safari) 
- A large set of alert filters 
- An extensible workflow engine for routing incoming alerts to different delivery systems (e.g., email, SIM/SIEM) according to user-defined rules 
- An extensible task engine for scheduling tasks such as sending reports, synchronizing the internal clock, optimizing the internal database, etc. 
- Role-based access control for users 
In production environments, multiple monitoring sensors can be used to control different network segments and report the observed traffic and the detected threats to a single Command Center. 
The connection between the Command Center and the sensor is protected and encrypted, ensuring its confidentiality and integrity. 
Inventory Building 
After connecting the SCAB sensors to the network, the learning phase can begin. At this stage, SCAB autonomously builds our network behavior pattern. 
The flow is shown below: 
FIGURE 11: CONTROL NETWORK BEHAVIORAL BLUEPRINT CREATION 
We can customize the behavior pattern if necessary by adding, modifying or deleting connections with a text editor. 
Any change to these patterns is audited and stored securely in the sensor itself.
FIGURE 12: CONNECTION MATRIX EDITOR 
After finishing the learning phase, we obtain the ICS Local Network Communication Profile. 
From that moment SCAB knows every tuple allowed in the ICS network: 
Src IP,Src Port -> Dest IP,Dest Port 
This is something hard to achieve in a multipurpose Local Area Network (even a home one) without several changes (alerts) per hour. 
From that moment we can be alerted about: 
- New devices on the network that are not in the inventory 
- Devices attempting connections outside the model and the inventory 
- Devices receiving information from others outside the model and the inventory 
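As an added illustration, not SCAB's own code, the following Python builds the same kind of whitelist from flow records captured during a learning phase and then raises the three alert types listed above during monitoring; the IP addresses, ports and the generalisation of ephemeral client ports (assumed to be ports 1024 and above) are assumptions made for this example.

```python
"""Added example, not SCAB code: learn a control-network connection blueprint
(whitelist of allowed tuples) from flow records seen during a learning phase,
then flag the deviations the paper lists. All hosts and flows are constructed."""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple, Union

# Src IP, Src Port -> Dest IP, Dest Port, as in the paper. The source port is
# stored as an int or as "*" once generalised (see normalise()).
Flow = Tuple[str, Union[int, str], str, int]

EPHEMERAL_MIN = 1024  # assumption: client ports >= 1024 change per TCP session


def normalise(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
    """Collapse ephemeral client ports to '*' so that each reconnection of the
    same SCADA -> PLC session does not look like a brand-new tuple."""
    sp: Union[int, str] = "*" if src_port >= EPHEMERAL_MIN else src_port
    return (src_ip, sp, dst_ip, dst_port)


@dataclass
class Blueprint:
    devices: Set[str] = field(default_factory=set)   # inventory of endpoints
    flows: Set[Flow] = field(default_factory=set)    # allowed connections


def learn(records: Iterable[Tuple[str, int, str, int]]) -> Blueprint:
    """Learning phase: every observed endpoint becomes inventory and every
    observed tuple becomes an allowed connection."""
    bp = Blueprint()
    for src_ip, src_port, dst_ip, dst_port in records:
        bp.devices.update((src_ip, dst_ip))
        bp.flows.add(normalise(src_ip, src_port, dst_ip, dst_port))
    return bp


def check(bp: Blueprint, src_ip: str, src_port: int,
          dst_ip: str, dst_port: int) -> List[str]:
    """Monitoring phase: return the alerts one flow raises against the blueprint."""
    alerts: List[str] = []
    for ip in (src_ip, dst_ip):
        if ip not in bp.devices:
            alerts.append(f"NEW_DEVICE {ip}")
    if normalise(src_ip, src_port, dst_ip, dst_port) not in bp.flows:
        if src_ip in bp.devices:   # a known device initiating an unmodelled connection
            alerts.append(f"OUT_OF_MODEL_CONNECTION {src_ip} -> {dst_ip}:{dst_port}")
        if dst_ip in bp.devices:   # a known device receiving from outside the model
            alerts.append(f"OUT_OF_MODEL_RECEIVE {dst_ip}:{dst_port} <- {src_ip}")
    return alerts


# Constructed learning-phase traffic: a SCADA server polls two PLCs on Modbus/TCP
# and an HMI talks to the SCADA server (port 4840 chosen arbitrarily).
LEARNING = [
    ("10.0.1.10", 50123, "10.0.1.20", 502),
    ("10.0.1.10", 50124, "10.0.1.21", 502),
    ("10.0.1.30", 34567, "10.0.1.10", 4840),
]

# Constructed monitoring-phase traffic.
MONITORING = [
    ("10.0.1.10", 50200, "10.0.1.20", 502),  # same pattern, new ephemeral port: no alert
    ("10.0.1.99", 40000, "10.0.1.20", 502),  # host never seen before talks to PLC1
    ("10.0.1.30", 40001, "10.0.1.20", 502),  # HMI bypasses the SCADA server
]


def run_demo() -> List[List[str]]:
    bp = learn(LEARNING)
    return [check(bp, *rec) for rec in MONITORING]


if __name__ == "__main__":
    for rec, alerts in zip(MONITORING, run_demo()):
        print(rec, alerts or ["ok"])
```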
Inventory Quality 
As we saw in the initial example, this indicator is calculated as follows: 
RIPE Asset Inventory Quality 
  Quality      : Completeness and accuracy of the system inventory. Computation: Accuracy * Completeness / 100 
  Completeness : Percentage of components listed in the system inventory, relative to the total number of components identified by SCAB 
  Accuracy     : Percentage of components listed accurately in the system inventory, as identified by SCAB 
TABLE 3: INVENTORY INDICATOR VALUE CRITERIA AND CALCULATION
Representing the active connections 
From the information gathered by SCAB in its learning phase, it is easy to represent the interactions between the nodes of the control network graphically and to build an easily updatable diagram. 
RIPE Connections Diagram Quality 
  Quality      : Completeness and accuracy of the connections inventory. Computation: Accuracy * Completeness / 100 
  Completeness : Percentage of connections listed in the inventory, relative to the total number of connections identified by SCAB 
  Accuracy     : Percentage of connections listed accurately in the inventory, as identified by SCAB 
TABLE 4: CONNECTIONS INDICATOR VALUE CRITERIA AND CALCULATION 
An example of a digraph of the collected connections could be the following: 
FIGURE 12: SCAB SELF-LEARNING CONNECTION DIGRAPH
Detailed interaction between devices 
FIGURE 13: SCAB SELF-LEARNING FUNCTIONS OPERATIONAL MATRIX 
Among the information contained in the self-generated network behavior pattern we can see not only that the connections between devices and ports are established according to a certain protocol, but also which messages and values (control functions) are being used in our network. 
For example, the SCADA server connects to the PLCs using the Modbus protocol and runs only functions 3 and 16. 
In this way, we can establish compliance with this indicator periodically and, in addition, detect unusual transactions or malicious control commands in real time. 
RIPE Functional Interaction Quality 
  Quality      : Completeness and accuracy of the functional interactions inventory. Computation: Accuracy * Completeness / 100 
  Completeness : Percentage of functional interactions listed in the inventory, relative to the total number of functional interactions identified by SCAB 
  Accuracy     : Percentage of functional interactions listed accurately in the inventory, as identified by SCAB 
TABLE 5: FUNCTIONAL INTERACTION INDICATOR VALUE CRITERIA AND CALCULATION
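As an added example, not SCAB's own code, the following Python learns which Modbus/TCP function codes each client uses against each PLC (the operational matrix described above), flags functions outside that matrix, and computes the Completeness, Accuracy and Quality indicator of Tables 3 to 5 for a documented inventory; all hosts, frames and the "documented" inventory are constructed for the example, and the MBAP header layout used is the standard Modbus/TCP one.

```python
"""Added example, not SCAB code: per-pair Modbus/TCP function-code matrix learned
from frames, out-of-matrix detection, and the RIPE quality indicator
(Accuracy * Completeness / 100). All traffic and inventories are constructed."""
import struct
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]          # (client ip, server ip)
Matrix = Dict[Pair, Set[int]]   # allowed Modbus function codes per pair


def modbus_function(frame: bytes) -> int:
    """Return the function code of a Modbus/TCP frame (7-byte MBAP header:
    transaction id, protocol id, length, unit id; then the PDU). Malformed
    frames raise instead of being silently classified."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:   # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return frame[7]


def learn_matrix(traffic) -> Matrix:
    """Learning phase: record every function code seen per (client, server)."""
    matrix: Matrix = {}
    for client, server, frame in traffic:
        matrix.setdefault((client, server), set()).add(modbus_function(frame))
    return matrix


def check_frame(matrix: Matrix, client: str, server: str, frame: bytes) -> str:
    """Monitoring phase: verdict for one frame against the learned matrix."""
    fc = modbus_function(frame)
    allowed = matrix.get((client, server))
    if allowed is None:
        return f"ALERT unknown pair {client}->{server}"
    if fc not in allowed:
        return f"ALERT function {fc} not in model for {client}->{server}"
    return "ok"


def quality(documented: Matrix, observed: Matrix) -> Tuple[float, float, float]:
    """RIPE indicator, in percent: completeness = share of SCAB-observed
    interactions present in the documented inventory; accuracy = share of
    documented interactions that are actually observed; quality = A * C / 100."""
    obs = {(p, fc) for p, fcs in observed.items() for fc in fcs}
    doc = {(p, fc) for p, fcs in documented.items() for fc in fcs}
    completeness = 100.0 * len(obs & doc) / len(obs) if obs else 0.0
    accuracy = 100.0 * len(obs & doc) / len(doc) if doc else 0.0
    return completeness, accuracy, accuracy * completeness / 100.0


def mb_frame(fc: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a constructed Modbus/TCP frame for the sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


SCADA, PLC1, PLC2, ENG = "10.0.1.10", "10.0.1.20", "10.0.1.21", "10.0.1.50"

# Constructed learning traffic: the SCADA server reads holding registers (3)
# and writes multiple registers (16) on both PLCs, the pattern the paper shows.
LEARNING = [
    (SCADA, PLC1, mb_frame(3, struct.pack(">HH", 0, 10))),
    (SCADA, PLC1, mb_frame(16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x05")),
    (SCADA, PLC2, mb_frame(3, struct.pack(">HH", 0, 10))),
    (SCADA, PLC2, mb_frame(16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x05")),
]

# Constructed monitoring traffic.
MONITORING = [
    (SCADA, PLC1, mb_frame(3, struct.pack(">HH", 0, 10))),      # learned: ok
    (SCADA, PLC1, mb_frame(5, struct.pack(">HH", 1, 0xFF00))),  # write coil: never learned
    (ENG, PLC2, mb_frame(3, struct.pack(">HH", 0, 10))),        # engineering host: unknown pair
]

# Constructed "documented" inventory: lists function 6 for PLC1 that is never
# used, and omits function 16 for PLC2 that SCAB observes.
DOCUMENTED: Matrix = {(SCADA, PLC1): {3, 16, 6}, (SCADA, PLC2): {3}}


def run_demo():
    matrix = learn_matrix(LEARNING)
    verdicts = [check_frame(matrix, c, s, f) for c, s, f in MONITORING]
    return matrix, verdicts, quality(DOCUMENTED, matrix)


if __name__ == "__main__":
    matrix, verdicts, (c, a, q) = run_demo()
    print(matrix, verdicts, f"completeness={c} accuracy={a} quality={q}")
```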
Conclusion 
The need to review the cybersecurity level of CIs seems clear, but this review should not rely solely on documentary audit evidence; it should also rest on objective criteria that ensure quality monitoring and enable continuous improvement of the CI itself. 
The use of indicators about the quality of the asset inventory, the correct representation of the connections and the updated functional operational interaction between assets allows us to monitor the behavior of the control network that provides essential services and the security of the plant or facility. 
The SCAB solution allows easy maintenance of these three indicators and continuous monitoring through deep behavior inspection of industrial protocols, thereby maintaining the security level required for our Critical Infrastructure.
References 
[1] The RIPE Framework: A Process-Driven Approach towards Effective and Sustainable Industrial Control System Security – Ralph Langner, 2013: http://www.langner.com/en/wp-content/uploads/2013/09/The-RIPE-Framework.pdf 
[2] "Ciber-Resiliencia: Aproximación a un marco de medición" – INTECO, 2014: http://www.inteco.es/extfrontinteco/img/File/Estudios/int_ciber_resiliencia_marco_medicion.pdf 
[3] Monitoring Industrial Control Systems to improve operations and security – 2013: http://www.secmatters.com/sites/www.secmatters.com/files/documents/whitepaper_monitoring_EU.pdf 
About the Author 
Enrique Martín García is Director of the Centre of Excellence for Cyber Security within the IT Consulting & Integration Services - Global Solutions division at Schneider Electric. 
He has over 25 years of experience in information technology, many of them spent on projects for the design and implementation of security solutions. 
Since 2013 he has been responsible for designing the portfolio of Cyber Security services and solutions for ITC, and he has taken part in various conferences, giving presentations on advanced protection solutions for industrial control network protocols.

Integrated AI Surveillance Ecosystem: Enhancing Industrial Health and Safety ...
 
Report on Information Security
Report on Information SecurityReport on Information Security
Report on Information Security
 

Recently uploaded

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Recently uploaded (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Critical Infrastructure Protection through Network Behavior Management

  • 1. Critical Infrastructure Protection
ICS Network Behavior Management
By Enrique Martín García
August 2014

Executive Summary

The security level of all infrastructures that deliver essential services to society must be reviewed and supervised continuously. This supervision must rest on indicators that offer objective values sustainable over time, given the robust and long-lasting design these infrastructures should have.

In this paper we focus on the first set of indicators to define and manage, all of them related to the correct behavior of the Industrial Control Network of these infrastructures.
  • 2. ICS Network Behavior Management, Enrique Martín García, August 2014 (page 2)

Contents

INTRODUCTION ..... 3
LEGAL FRAMEWORK ..... 3
USA: CYBERSECURITY FRAMEWORK FEBRUARY 2014 – NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) ..... 3
USA: ES-C2M2 V1.1 FEBRUARY 2014 – DEPARTMENT OF ENERGY – DEPARTMENT OF HOMELAND SECURITY ..... 6
FRANCE: NATIONAL SECURITY AGENCY FOR INFORMATION SYSTEMS (ANSSI) ..... 7
LEY 8/2011, DE 28 DE ABRIL, POR LA QUE SE ESTABLECEN MEDIDAS PARA LA PROTECCIÓN DE LAS INFRAESTRUCTURAS CRÍTICAS ..... 9
RIPE – ROBUST ICS PLANNING & EVALUATION ..... 10
INDICATORS ..... 13
CONNECTION BETWEEN THE COMMAND CENTER AND THE SENSOR IS PROTECTED AND ENCRYPTED, ENSURING ITS CONFIDENTIALITY AND INTEGRITY ..... 15
INVENTORY BUILDING ..... 15
INVENTORY QUALITY ..... 16
DETAILED INTERACTION BETWEEN DEVICES ..... 18
CONCLUSION ..... 19
REFERENCES ..... 20
ABOUT THE AUTHOR ..... 20
  • 3. Introduction

In the last three years, Critical Infrastructure Protection strategies have been strengthened in both the U.S. and Europe. This has been achieved through standards, guidelines and cybersecurity frameworks aimed at the sectors that provide society's essential services in each country. New legal and regulatory frameworks have also been developed to govern and define the security controls, countermeasures and supervision mechanisms that this kind of site has to put in place.

All of them, like the older safety-related Information Technology (IT) standards, require the Critical Operator (OC) that provides essential services from its Critical Infrastructure (CI) to implement mechanisms for managing the inventory of its technology assets. Furthermore, given the properties of industrial control networks, continuous monitoring of behavioral anomalies is also required. To manage behavioral anomalies effectively, one should begin by establishing a baseline of the control network that covers all information assets, their interconnections and the regular operations that take place between them (traffic matrix and operational matrix).

Given the diversity of critical-sector classifications and legislation across European countries, this paper focuses on the case of Spain.

Legal Framework

To put into context the metrics related to asset inventory and behavior monitoring that the different frameworks and standards propose, I will briefly review some of the latest updates published to date.

USA: Cybersecurity Framework, February 2014 – National Institute of Standards and Technology (NIST)

In this framework, the need to maintain an inventory of IT assets is covered by the first defined function: Identify. Under the Identify (ID) function is the Asset Management (AM) category, and under it six subcategories are established:

- ID.AM-1: The organization's devices and systems are inventoried.
- ID.AM-2: The organization's applications and software platforms are inventoried.
- ID.AM-3: Communications and data flows are mapped in diagrams.
- ID.AM-4: External information systems are catalogued.
- ID.AM-5: Resources (systems, devices, applications, etc.) are ranked according to their classification, criticality and business value.
- ID.AM-6: Cybersecurity roles and responsibilities for all employees and third parties are established.
  • 4. Of these inventories, the detailed description of communications is often the hardest for the OC to achieve, because of the changes industrial control networks have undergone in recent years through the convergence of communications on TCP/IP and their connection, more or less secure, with the OC's other business networks. The need to maintain an updated inventory of communications and information flows is found in the following standards:

- CCS CSC 1
- COBIT 5 DSS05.02
- ISA 62443-2-1:2009 4.2.3.4
- ISO/IEC 27001:2013 A.13.2.1
- NIST SP 800-53 Rev. 4 AC-4, AC-3, AC-9, PL-8

FIGURE 1: NIST CYBERSECURITY FRAMEWORK FUNCTION 1

Detection of behavioral anomalies is recognized in the third function defined by the Framework: Detect. Under the Detect (DE) function is the Anomalies and Events (AE) category, and under it five subcategories are established:

- DE.AE-1: A baseline of network operations and data flows for users and devices exists and is managed.
- DE.AE-2: Detected events are analyzed to understand attack targets and methods.
- DE.AE-3: Events collected from multiple sources and sensors are aggregated and correlated.
- DE.AE-4: The impact of events is determined.
- DE.AE-5: Incident alert thresholds are established.

The need to detect anomalies in the control network is found in the following standards:

- COBIT 5 DSS03.01
- ISA 62443-2-1:2009 4.4.3.3
- NIST SP 800-53 Rev. 4 AC-4, AC-3, CM-2, SI-4

  • 5. FIGURE 2: NIST CYBERSECURITY FRAMEWORK FUNCTION 3
  • 6. USA: ES-C2M2 v1.1, February 2014 – Department of Energy – Department of Homeland Security

Also defined in an equivalent form for the Oil and Natural Gas sector (ONG-C2M2), this maturity model likewise establishes the need to maintain an inventory of assets, both IT and OT:

FIGURE 3: INVENTORY IN THE CYBERSECURITY CAPABILITY AND MATURITY MODEL FOR THE ELECTRIC SECTOR IN THE USA

It also establishes the need to document the behavior of communications properly, and later the need to monitor traffic anomalies in the OT and IT networks, as other international studies also recommend [3].

  • 7. FIGURE 4: MONITORING IN THE CYBERSECURITY CAPABILITY AND MATURITY MODEL FOR THE ELECTRIC SECTOR IN THE USA

France: National Security Agency for Information Systems (ANSSI)

The National Agency for the Security of Information Systems (ANSSI) published in August 2014 a methodology for classifying organizations that use information systems for industrial control, together with a detailed set of security measures to be adopted by each of these organizations depending on its classification.

FIGURE 5: DETAILED MEASURES FOR INDUSTRIAL CONTROL SYSTEMS USERS

  • 8. Among the cybersecurity measures to adopt is the systematic maintenance of an asset inventory of the industrial control systems, which should reflect all interconnection diagrams and flows between them, and their monitoring:

FIGURE 6: INDEX OF CYBERSECURITY MEASURES, DETAILED MEASURES FOR USER ORGANIZATIONS OF INDUSTRIAL CONTROL SYSTEMS
  • 9. Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas

In Spain, the PIC Act 8/2011 requires organizations designated by the CNPIC as critical infrastructure operators to develop an Operator Security Plan and a Specific Protection Plan that reflect, among other assets, detailed inventories of the elements that make up their industrial control network.

In particular, section 3.1 of the Specific Protection Plan, "General Data of the Infrastructure", provides for the inclusion of at least the following information:

- "On the ICT systems that manage the CI and its architecture (network map, map of communications systems, map of systems, etc.)."

Section 3.2 of the same Plan, "Assets / Elements of the CI", provides for the inclusion of at least the following information:

- "Computer systems (hardware and software) used."
- "Communication networks that allow data exchange and are used by this CI."

FIGURE 7: MINIMAL CONTENTS FOR THE PLAN DE PROTECCIÓN ESPECÍFICO (PPE)

In short, all the information needed to establish the normal behavior of the control network is requested.
  • 10. In view of the foregoing, it seems clear that the need for an asset inventory, together with the establishment of a behavioral baseline, will define the compliance indicators. These two realities naturally lead to the design of a set of metrics based on the inventory and on the management of network behavior (Network Cyber Behavior Management™). The following sections describe the methodology and the proposed solution to define and maintain these metrics.

RIPE – Robust ICS Planning & Evaluation

The Robust ICS Planning and Evaluation (RIPE, 2013) Framework [1] provides a management model based on defined quality in industrial control systems for critical processes, in line with the proposal for measuring Cyber-Resilience from INTECO [2]. The model rests on the definition of three main blocks:

- Technology Block (IT and OT systems)
- Organizational Block (people)
- Operational Block (processes and procedures)

FIGURE 8: RIPE MODEL CONTEXT DIAGRAM

In this Framework, compliance metrics are measured periodically, and with a low economic impact, in eight areas of critical infrastructures:

- Asset inventory: For each facility/plant, all assets involved in providing or protecting an essential service should be documented and periodically reviewed. This inventory, collected for each CI, integrates all elements of physical and logical security.

  • 11.
- Connection diagram of assets: It is critical to document and review the existing connectivity between the assets inventoried in the previous point, in order to establish the interdependence of all the assets as a whole and their ranking when grouped in the provision of an essential service.
- Interaction between assets: With the information gathered in the previous points, build diagrams of the operational flows between devices; these complete the description of the interdependence of essential services and support the subsequent security monitoring of the plant/installation.
- Roles and functions of staff: Staff are the first asset to protect and the most fundamental part of any plant/facility defense strategy. Maintain an updated list of all CI staff and review it periodically to ensure the information remains valid. This information is critical to the implementation of any physical and logical access policy.
- Development of staff skills and knowledge: The security level of the plant/installation must be understood within the continuous-improvement cycle of the provision of essential services. It is essential that the people who operate and secure these services have the training needed to perform their duties. Periodic monitoring of compliance with training plans, and of progress in each plant, facilitates tracking of the periodic targets set by the CSMS.
- Operating guidelines and procedures: The integrity of essential services may be interrupted by an erroneous, untested or unauthorized operation. To avoid such problems, keep updated operational guidelines that are revised periodically, in order to minimize problems in the provision of essential services by the plant/installation.
- Planning and design changes: In line with the previous point, any new element within the CI or any new industrial process must be documented and approved by those responsible for operation. Reviewing the process and its associated documentation will minimize risks to the continuity of essential services and to the proper maintenance of the CSMS.
- Asset procurement: The security requirements of the assets to be deployed in plants/facilities should be addressed from the acquisition phase. Controlling procurement processes with regard to these requirements facilitates the integration of those assets into the ongoing security management of the plant/installation.

Control of these eight areas allows the impact assessment on the essential services supported by the plant/installation to be completed, consistently with the security policy defined by the OC on important matters such as safety management, staff training and continuity management.

Each of these areas is evaluated according to two quality criteria, with targets set as percentages of compliance:

- Degree of completion
- Accuracy of the information completed
  • 12. In the case of the asset inventory, for example, the following criteria are applied:

RIPE System Inventory Quality
  Quality:      Completeness and accuracy of the system inventory. Computation: Accuracy * Completeness / 100
  Completeness: Percentage of components listed in the system inventory, relative to the total number of components identified by walk-down inspection
  Accuracy:     Percentage of components listed accurately in the system inventory, as identified by walk-down inspection

TABLE 1: INDICATOR VALUE CRITERIA AND CALCULATION

In a specific example, after applying these criteria to the eight areas of two individual installations, we obtain the following values:

FIGURE 9: TWO PLANTS COMPLIANCE POLAR DIAGRAM

In the case of the plant represented by the red line, we observe much greater compliance in areas such as asset inventory and personnel than in the plant represented by the blue line. This would allow the organization to reuse the operational procedures already deployed in the first plant in the second one, achieving improved security levels in a short time and at low cost.
  • 13. In the following section we define indicators from the RIPE Technology Block for industrial control networks that define the expected behavior pattern (Blueprint) of these networks:

- Asset inventory
- Representation of the connections between assets
- Detailed interaction between them

Indicators

The indicators defined by the previous reference framework must be generated and updated with minimal effort. To do this we propose the use of the SCAB solution (Security Awareness Control Box) for SCADA systems, a technology based on Deep Protocol Behavior Inspection (DPBI) of control protocols. SCAB is a monitoring and anomaly-detection system that analyzes network traffic and detects unusual network events (e.g., cyber attacks or operational errors), not through signature-based detection but by building a behavior pattern of the network automatically and unattended. The behavior pattern built by the solution defines:

- Connection models
- Protocols used
- Message types of each protocol
- Message fields
- Values of the message fields

This information set defines the whitelist of operations in our control network. Today, SCAB allows monitoring and inspection of the following protocols:

Protocol        Deep Protocol Behavior Inspector   Connection profile
MMS             yes                                yes
Modbus/TCP      yes                                yes
OPC-DA          yes                                yes
IEC 101/104     yes                                yes
DNP3            yes                                yes
IEC 61850       yes                                yes
ICCP TASE.2     yes                                yes
CSLib (ABB)     yes                                yes
DMS (ABB)       yes                                yes
S7 (Siemens)    yes                                yes
SMB/CIFS        yes                                yes

  • 14.
Protocol        Deep Protocol Behavior Inspector   Connection profile
RPC/DCOM        yes                                yes
PVSS            -                                  yes
LDAP            -                                  yes
NetBIOS         -                                  yes
HTTP            -                                  yes
FTP             -                                  yes
SSH             -                                  yes
SSL             -                                  yes
SMTP            -                                  yes
IMAP            -                                  yes
POP3            -                                  yes
VNC/RFB         -                                  yes
RTSP            -                                  yes
AFP             -                                  yes

TABLE 2: SCAB SUPPORTED PROTOCOLS

The SCAB solution architecture is the following:

FIGURE 10: SCAB SOLUTION ARCHITECTURE
  • 15. The Command Center collects monitoring intelligence from the various sensors, and features:

- A web-based user interface (supported browsers: Google Chrome, Mozilla Firefox, Internet Explorer (≥ 9), Safari)
- A large set of alert filters
- An extensible workflow engine that processes incoming messages and forwards them to different delivery systems (e.g., SIM/SIEM) according to user-defined rules
- An extensible task engine for scheduling tasks such as sending reports, synchronizing the internal clock, optimizing the internal database, etc.
- Role-based access control for users

In production environments, multiple monitoring sensors can be used to control different network segments and report the observed traffic and detected threats to a single Command Center. The connection between the Command Center and the sensor is protected and encrypted, ensuring its confidentiality and integrity.

Inventory Building

After connecting the SCAB sensors to the network, we can start the learning phase. At this stage, SCAB autonomously builds our network behavior pattern, following the flow shown below:

FIGURE 11: CONTROL NETWORK BEHAVIORAL BLUEPRINT CREATION

We can customize the behavior pattern if necessary simply by adding, modifying or deleting connections with a text editor. Any change to these patterns is audited and stored securely in the sensor itself.

  • 16. FIGURE 12: CONNECTION MATRIX EDITOR

After finishing the learning phase, we have the ICS Local Network Communication Profile. At that moment SCAB knows every tuple allowed in the ICS network:

Src IP, Src Port -> Dest IP, Dest Port

This is hard to achieve in a multipurpose Local Area Network (even a home one) without several changes (alerts) per hour. From that moment on we can be alerted about:

- New devices on the network that are not in the inventory
- Devices attempting connections outside the model and inventory
- Devices receiving information from others outside the model and inventory

Inventory Quality

As we saw in the initial example, this indicator is calculated as follows:

RIPE Asset Inventory Quality
  Quality:      Completeness and accuracy of the system inventory. Computation: Accuracy * Completeness / 100
  Completeness: Percentage of components listed in the system inventory, relative to the total number of components identified by SCAB
  Accuracy:     Percentage of components listed accurately in the system inventory, as identified by SCAB

TABLE 3: INVENTORY INDICATOR VALUE CRITERIA AND CALCULATION
  • 17. Representing the connections between assets

From the information gathered by SCAB in its learning phase, it is easy to represent graphically the interactions between the nodes of the control network and to build an easily updatable diagram.

RIPE Connections Diagram Quality
  Quality:      Completeness and accuracy of the connections inventory. Computation: Accuracy * Completeness / 100
  Completeness: Percentage of connections listed in the inventory, relative to the total number of connections identified by SCAB
  Accuracy:     Percentage of connections listed accurately in the inventory, as identified by SCAB

TABLE 4: CONNECTIONS INDICATOR VALUE CRITERIA AND CALCULATION

An example of a collected connection digraph could be the following:

FIGURE 12: SCAB SELF-LEARNING CONNECTION DIGRAPH
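The RIPE computation above, as an added worked example that is not the paper's or SCAB's code: it scores a constructed documented inventory of assets and connections against what a learning sensor observed, and splits the differences into the two alert classes listed earlier (devices out of inventory, connections out of the model). Reading Completeness and Accuracy as percentages of entries confirmed on both sides, and collapsing the source port of each connection, are assumptions of this example.

```python
"""RIPE quality indicators for the asset and connection inventories.

Added example (not from the paper or the SCAB product). It applies the RIPE
formula Quality = Accuracy * Completeness / 100 to a documented inventory
versus what a learning sensor observed on the control network.
Reading of the two percentages (an assumption of this example):
  Completeness = observed entries present in the inventory / observed entries
  Accuracy     = inventory entries confirmed by observation / inventory entries
All addresses and ports below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    completeness: float  # percent
    accuracy: float      # percent
    quality: float       # accuracy * completeness / 100


def ripe_indicator(inventory, observed):
    """Compute the RIPE indicator for one area from two sets of entries."""
    inventory, observed = set(inventory), set(observed)
    if not inventory or not observed:
        # Nothing to compare against on one side: score zero rather than divide by 0.
        return Indicator(0.0, 0.0, 0.0)
    confirmed = len(inventory & observed)
    completeness = 100.0 * confirmed / len(observed)
    accuracy = 100.0 * confirmed / len(inventory)
    return Indicator(round(completeness, 2), round(accuracy, 2),
                     round(accuracy * completeness / 100.0, 2))


def deviations(inventory, observed):
    """Split the differences into the two alert classes the paper lists:
    entries seen on the wire but absent from the inventory/model ("unknown"),
    and inventory entries the sensor never saw ("stale" documentation)."""
    inventory, observed = set(inventory), set(observed)
    return sorted(observed - inventory), sorted(inventory - observed)


# --- constructed sample data -----------------------------------------------
SCADA, PLC1, PLC2, PLC3 = "10.0.1.10", "10.0.1.21", "10.0.1.22", "10.0.1.23"
ENG, HMI = "10.0.1.40", "10.0.1.30"

# What the operator's asset register says exists.
DOC_ASSETS = {SCADA, PLC1, PLC2, PLC3, ENG}
# What the sensor saw in its learning phase: PLC3 is gone, an HMI appeared.
OBS_ASSETS = {SCADA, PLC1, PLC2, ENG, HMI}

# Connection model entries as (src_ip, dst_ip, dst_port). The paper's tuple
# also carries the source port; it is dropped here because Modbus/TCP clients
# use ephemeral ports and a learned model normally collapses them (assumption).
DOC_CONNECTIONS = {
    (SCADA, PLC1, 502), (SCADA, PLC2, 502), (SCADA, PLC3, 502),
    (ENG, PLC1, 102), (ENG, PLC2, 102),
}
OBS_CONNECTIONS = {
    (SCADA, PLC1, 502), (SCADA, PLC2, 502), (ENG, PLC1, 102),
    (HMI, SCADA, 80),   # undocumented web access to the SCADA server
}


def compute_report():
    """Return both indicators plus the alerts a sensor would raise."""
    return {
        "asset_inventory": ripe_indicator(DOC_ASSETS, OBS_ASSETS),
        "connections": ripe_indicator(DOC_CONNECTIONS, OBS_CONNECTIONS),
        "asset_alerts": deviations(DOC_ASSETS, OBS_ASSETS),
        "connection_alerts": deviations(DOC_CONNECTIONS, OBS_CONNECTIONS),
    }


if __name__ == "__main__":
    for name, value in compute_report().items():
        print(f"{name}: {value}")
```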
Detailed interaction between devices

FIGURE 13: SCAB SELF-LEARNING FUNCTIONS OPERATIONAL MATRIX

Among the information contained in the self-generated network behaviour pattern we can see not only which connections between devices and ports are established under a given protocol, but also which messages and values (control functions) are being used in our network. The SCADA server connects to the PLCs using the MODBUS protocol and runs only functions 3 and 16. In this way we can establish compliance with this indicator periodically, and in addition detect unusual transactions or malicious control commands in real time.

RIPE indicator: Functional Interaction Quality
  Quality       Completeness and accuracy of the functional interactions inventory. Computation: Accuracy * Completeness / 100
  Completeness  Percentage of functional interactions listed in the inventory, based on the total number of functional interactions identified by SCAB
  Accuracy      Percentage of functional interactions listed accurately in the inventory, as identified by SCAB

TABLE 5: FUNCTIONAL INTERACTION INDICATORS VALUE CRITERIA AND CALCULATION
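The deep inspection described here (the SCADA server talking Modbus to the PLCs with only functions 3, Read Holding Registers, and 16, Write Multiple Registers), as an added example that is not code from the paper or from SCAB. It parses the Modbus/TCP MBAP header as laid out in the public Modbus specification, learns the allowed (source, destination, function code) triples, flags any later packet outside that model, and computes the functional interaction quality indicator of Table 5. The frames and addresses are constructed for the example.

```python
"""Added example (not the paper's or SCAB's code): extract the Modbus function
code from constructed Modbus/TCP frames, learn the functional-interaction
profile (SCADA -> PLC, functions 3 and 16 only), flag anything outside it, and
compute the RIPE functional interaction quality indicator."""
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip payload")

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
                  6: "Write Single Register", 8: "Diagnostics",
                  16: "Write Multiple Registers"}


def parse_modbus_tcp(payload):
    """Return (unit id, function code) from a Modbus/TCP frame, or None if malformed.
    MBAP header: transaction id, protocol id (0 = Modbus), length, unit id; then the PDU."""
    if len(payload) < 8:
        return None
    _tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:   # length counts unit id + PDU
        return None
    return unit_id, payload[7]


def build_frame(function_code, data, unit_id=1, tx_id=1):
    """Build a constructed Modbus/TCP request frame (sample input for the example)."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, unit_id) + pdu


def learn_functions(packets):
    """Learning phase: allowed (src IP, dst IP, function code) triples."""
    profile = set()
    for pkt in packets:
        parsed = parse_modbus_tcp(pkt.payload)
        if parsed is not None:
            profile.add((pkt.src_ip, pkt.dst_ip, parsed[1]))
    return profile


def check_packet(pkt, profile):
    """Detection phase: None when the packet matches the profile, else an alert string."""
    parsed = parse_modbus_tcp(pkt.payload)
    if parsed is None:
        return f"{pkt.src_ip} -> {pkt.dst_ip}: malformed Modbus/TCP frame"
    unit_id, fc = parsed
    if (pkt.src_ip, pkt.dst_ip, fc) in profile:
        return None
    name = FUNCTION_NAMES.get(fc, "unknown or vendor-specific")
    return (f"{pkt.src_ip} -> {pkt.dst_ip} unit {unit_id}: function {fc} ({name}) "
            f"is outside the learned model")


def functional_interaction_quality(documented, observed):
    """RIPE functional interaction quality = Accuracy * Completeness / 100, over
    (src, dst, function code) triples listed in the inventory vs identified on the wire."""
    if not documented or not observed:
        return {"completeness": 0.0, "accuracy": 0.0, "quality": 0.0}
    confirmed = documented & observed
    completeness = 100.0 * len(confirmed) / len(observed)
    accuracy = 100.0 * len(confirmed) / len(documented)
    return {"completeness": completeness, "accuracy": accuracy,
            "quality": accuracy * completeness / 100.0}


# Constructed learning traffic (hypothetical addresses).
SCADA, PLC1, PLC2 = "10.0.0.10", "10.0.0.21", "10.0.0.22"
READ_10_REGS = struct.pack(">HH", 0, 10)                              # start 0, quantity 10
WRITE_2_REGS = struct.pack(">HHB", 0, 2, 4) + struct.pack(">HH", 100, 200)
LEARNING_PACKETS = [
    Packet(SCADA, PLC1, build_frame(3, READ_10_REGS)),
    Packet(SCADA, PLC1, build_frame(16, WRITE_2_REGS)),
    Packet(SCADA, PLC2, build_frame(3, READ_10_REGS)),
    Packet(SCADA, PLC2, build_frame(16, WRITE_2_REGS)),
]


def example_alerts():
    """Run three later packets against the learned profile; return the alerts raised."""
    profile = learn_functions(LEARNING_PACKETS)
    later = [
        Packet(SCADA, PLC1, build_frame(3, READ_10_REGS)),          # routine polling
        Packet(SCADA, PLC1, build_frame(5, b"\x00\x01\xff\x00")),   # coil write never seen
        Packet("10.0.0.40", PLC2, build_frame(16, WRITE_2_REGS)),   # HMI writing to a PLC
    ]
    return [a for a in (check_packet(p, profile) for p in later) if a]


if __name__ == "__main__":
    for alert in example_alerts():
        print(alert)
    print(functional_interaction_quality(
        {(SCADA, PLC1, 3), (SCADA, PLC1, 16), (SCADA, PLC2, 3), (SCADA, PLC2, 6)},
        learn_functions(LEARNING_PACKETS)))
```

The two alerts in the example are exactly the cases the text is interested in: a function code the SCADA server has never used against a PLC, and a write arriving from a device that is not the SCADA server. The indicator call at the end scores a documented inventory that lists function 6 instead of 16 for PLC2, giving 75% completeness and 75% accuracy.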
Conclusion

The need to review the cyber security level of ICs seems clear, but this review should not rely solely on documentary audit evidence; it should also rest on objective criteria that ensure quality monitoring and enable continuous improvement of the IC itself.

The use of indicators about the quality of the asset inventory, the correct representation of the connections, and the up-to-date functional operational interaction between them allows us to monitor the behaviour of the control network that provides essential services and the security of the plant or facility.

The SCAB solution allows easy maintenance of these three indicators and continuous monitoring through deep inspection of industrial protocol behaviour, thereby maintaining the security level required for our Critical Infrastructure.
References

[1] The RIPE Framework: A Process-Driven Approach towards Effective and Sustainable Industrial Control System Security, Ralph Langner, 2013: http://www.langner.com/en/wp-content/uploads/2013/09/The-RIPE-Framework.pdf
[2] "Ciber-Resiliencia: Aproximación a un marco de medición", INTECO, 2014: http://www.inteco.es/extfrontinteco/img/File/Estudios/int_ciber_resiliencia_marco_medicion.pdf
[3] Monitoring Industrial Control Systems to improve operations and security, 2013: http://www.secmatters.com/sites/www.secmatters.com/files/documents/whitepaper_monitoring_EU.pdf

About the Author

Enrique Martín García is Director of the Centre of Excellence for the Cyber Security Division within IT Consulting & Integration Services - Global Solutions at Schneider Electric. He has over 25 years of experience in the world of information technology, many of them spent on projects for the design and implementation of security solutions. Since 2013 he has been responsible for designing the portfolio of Cyber Security services and solutions for ITC, and he has participated in various conferences, giving presentations on advanced protection solutions for industrial control network protocols.