The security level of all infrastructures that deliver essential services to society must be reviewed and supervised continuously.
This supervision must be based on indicators capable of offering objective values that remain sustainable over time, given the robust and lasting design these infrastructures should have.
In this paper we focus on the first set of indicators to define and manage, all of them related to the correct behavior of the Industrial Control Network in these infrastructures.
Reports on Industrial Control Systems’ Cyber Security - A. V. Rajabahadur
During the many years of my association with industrial control and plant automation systems, I, like most of my other professional colleagues, have worked on the assumption that controller systems must meet industrial companies’ functional requirements: accuracy, safety & reliability, and robustness & repeatability. Industrial companies invest in control & instrumentation systems not only to secure health, safety, and environment (HSE) protection, but also to improve plant asset performance, plant availability, and profitability.
The recent advent of Stuxnet, Flame, Duqu, Havex, and other such malware has exposed the vulnerability of industrial control systems to cyber-attacks, and thus has opened Pandora’s Box. Cyberthreats, posing serious challenges not only to industries but also to nation states, are a reality.
In my report “Reports on Industrial Control Systems’ Cyber Security,” I have compiled a few articles that are written to create the necessary awareness among the critical infrastructure industries about the real nature of the threats and to provide some suggestions to both industrial control and plant automation vendors and end-users to initiate countermeasures.
International Journal of Engineering Research and Development (IJERD) - IJERD Editor
This document analyzes studies on automation in the field of information security management. It finds that about 30% of the 133 controls from ISO 27001 can be automated using existing security software tools. It also discusses how the Security Content Automation Protocol (SCAP) can automate compliance and security configuration checking. SCAP provides a standardized way for security software to communicate information about vulnerabilities and configurations. The document concludes that while some isolated automation approaches exist, integrating these approaches can help organizations maximize the benefits of automation in their information security management systems.
Legal Risks of Operating in the World of Connected Technologies (Internet of ... - Quarles & Brady
Program Overview:
What Your Company Needs to Understand to Stay Ahead of the Competition
Companies are exponentially expanding their use and production of connected products and technologies. It is estimated that in 2021, 22.5 billion IoT devices will be shipped globally. With that growth comes a litany of legal challenges. We will discuss the scope of the IoT landscape and address some of the critical legal areas for companies using or selling IoT products, including:
- Data privacy and security risks associated with the use of IoT devices
- The tension between engineering and marketing departments' desire to retain and mine IoT data and the legal risks of accessing, aggregating, and storing that data
- Product liability and other legal issues arising from IoT devices on product liability claims
- The ever-changing landscape of industry-specific regulatory requirements
User Behavior Analytics (UBA) is a tool that monitors user activities and behaviors to detect anomalies and potential security threats. It builds profiles of normal user behavior and can detect deviations from these profiles to flag abnormal activities like unusual access of sensitive data or lateral movement within a network. UBA leverages machine learning to analyze large amounts of user behavior data from multiple sources to help organizations strengthen security, ensure compliance, and optimize business processes. It provides more context than traditional security information and event management (SIEM) tools by analyzing historical user activity data.
Contractor Responsibilities under the Federal Information Security Management... - padler01
This document discusses contractor responsibilities under the Federal Information Security Management Act (FISMA) of 2002. It provides an overview of FISMA and its provisions regarding contractor systems. It notes that while FISMA language applies to contractors, agencies have struggled to effectively oversee contractor compliance. It recommends that agencies improve oversight of contractor systems and inventory of contractor-run systems, and contractually impose compliance requirements.
This document discusses cyber security in the power sector. It begins with an overview of industrial control systems used for power systems and how they are susceptible to cyber attacks. It then discusses various cyber threats to power systems, how attackers could compromise systems, and strategies to effectively defend industrial control systems for power. These strategies include using industry best practices, secure design principles like zone and conduit architecture, secure interfaces with dual firewall DMZs, secure governance policies and compliance, and increasing security awareness. The document emphasizes that complete security is impossible and an optimized, cost-effective approach is needed.
Protection of critical infrastructures against attacks targeting systems... - Enrique Martin
This technical note analyzes the highest-impact (and therefore highest-risk) cyber-physical attacks on the control networks of critical infrastructures and proposes protecting them through organizational and procedural changes at Critical Infrastructure Operators and through the use of new intrusion detection technologies based on behavioral analysis of industrial protocols and the correlation of operational events.
Critical Infrastructure Protection against targeted attacks on cyber-physical... - Enrique Martin
This white paper looks at the highest-impact (and therefore riskiest) attacks on cyber-physical systems in critical infrastructure control networks and proposes protecting them through changes to organizational structures and procedures and through new intrusion detection technologies based on behavioral analysis of control protocols and the correlation of operational events.
Developing Algorithm for Fault Detection and Classification for DC Motor Usin... - IRJET Journal
This document presents a study on developing an algorithm for fault detection and classification of a DC motor using predictive maintenance. The study involves designing a DC motor hardware system to collect sensor data on temperature, vibration, RPM, etc. This data is then processed using MATLAB's machine learning algorithms to train predictive models. Specifically, a decision tree algorithm is able to accurately classify the motor's condition as healthy or faulty with over 95% accuracy based on the sensor data. The study demonstrates how predictive maintenance can help detect potential faults in DC motors to improve performance and reduce maintenance costs.
This document presents a preliminary study on developing a Wide Area Protection Monitoring System (WAPMS) that would automatically collect and analyze data from protection devices. The proposed system would gather information through various communication protocols, analyze the data to determine fault types and locations, and generate reports with diagnoses for operators. This would provide operators a comprehensive overview of the power system's behavior during faults to help make better decisions. The system is currently being tested in Colombia and future work involves predictive analytics to identify potential protection device failures.
This paper deals with the risk assessment of different types of electronic and mobile payment systems, as well as the countermeasures to mitigate the identified risks in those systems.
Industrial Control System Network Cyber Security Monitoring Solution (SCAB) - Enrique Martin
In this document we propose ICS network blueprinting as the method to obtain the highest availability and security awareness for our critical control assets (SCADA, PLC, RTU, IED, etc.).
IRJET- Oil Tank Prototype based on Wireless Communication-Controller System u... - IRJET Journal
This document describes an oil tank monitoring prototype system using wireless communication and an IoT controller. The system consists of two stations: a tank station with sensors to monitor level, temperature, fire, and humidity; and a control station to display the sensor data and store it in a database. The tank station transmits sensor data wirelessly to the control station using XBee modules. The control station displays the data through a graphical user interface and stores it in an SQL database and on a cloud platform. The system was tested for several months and proved able to detect flood and fire situations early to prevent damage.
A business-level review of current security standards for the energy and utility school, a look around the corner at what's coming next from the standards bodies, and a discussion of the burdens this amount of change and uncertainty is placing on executives and security professionals in the electric utilities.
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ... - IJCNCJournal
There are many security models for computer networks that combine an Intrusion Detection System and a Firewall, proposed and deployed in practice. In this paper, we propose and implement a new model of the association between Intrusion Detection System and Firewall operations, which allows the Intrusion Detection System to automatically update the firewall filtering rule table whenever it detects an anomalous intrusion. This helps protect the network from attacks originating on the Internet.
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0... - TanuAgrawal27
This document presents a final year project report on developing a smart traffic management system using Internet of Things (IoT) technologies. It aims to optimize traffic light timing based on real-time vehicle counting data from road sensors. The proposed system would use sensors, microcontrollers, and cloud computing to monitor traffic flow and congestion at intersections, and dynamically adjust light durations on each lane accordingly. This is expected to reduce traffic delays and minimize commuting costs compared to traditional fixed-time traffic light systems. The report outlines the hardware, software, methodology, algorithms, and challenges of implementing such an IoT-based smart traffic management system.
This document proposes an automatic reaction strategy for critical infrastructure SCADA systems. It defines a three-layer metamodel for modeling SCADA components and two types of policies (cognitive and permissive) that govern component behavior. It then presents a two-phase method for identifying these policies from the SCADA architecture and formalizing them to support an automatic reaction strategy. This strategy is modeled as an integral part of the SCADA architecture using the defined metamodel and policy identification method. It includes organizational and application layers with main actors, strategies, and components that realize the reaction policies based on expected automation levels.
Nowadays we are living in an era of Information Technology in which every person becomes an IT user, whether intentionally or unintentionally. Technology has played a vital role in our daily lives for the last few decades, and we all depend on it to some degree in order to obtain maximum benefit and comfort. This new era, equipped with the latest advances in technology, is enlightening the world in the form of the Internet of Things (IoT). The Internet of Things is a specialized and distinguished domain that leads us to real-world scenarios in which each object can perform some task while communicating with other objects: a world full of devices, sensors and other objects that communicate and make human life far better and easier than ever. This paper provides an overview of current research work on IoT in terms of architecture, the technologies used and applications. After a literature review of the research work, it also highlights the issues related to the technologies used for IoT. The main purpose of this survey is to present the latest technologies and their corresponding trends and details in the field of IoT in a systematic manner. It will be helpful for further research.
Information security management guidance for discrete automation - johnnywess
This document summarizes guidance for establishing an information security management program for industrial automation departments. It finds that while standards and guidance are now readily available, implementing a comprehensive security program requires extensive cross-functional collaboration. None of the publications can be implemented alone by automation departments due to their complexity and need for interdepartmental expertise in areas like risk assessment and network segmentation. Effectively addressing vulnerabilities will require integrating security practices with existing organizational processes and acquiring new technical knowledge across roles.
Wind Turbine Monitoring System Using IoT - IRJET Journal
This document describes a study on developing an IoT-based wind turbine monitoring system. Researchers installed various sensors on a wind turbine to measure parameters like temperature, humidity, pressure, rain detection, object detection and distance. The sensor data is transmitted to a cloud server and displayed on a dashboard for remote monitoring. This allows authorized personnel to track the turbine's performance, identify any issues, and schedule maintenance efficiently. Analyzing the collected operational data can also help optimize the turbine's design. The study demonstrated that this IoT-based approach provides benefits like reduced costs, improved safety and efficiency compared to traditional monitoring methods.
SMART INDUSTRY MONITORING AND CONTROLLING SYSTEM USING IOT - IRJET Journal
The document describes a smart industry monitoring and controlling system using IoT. It proposes a system that uses various sensors to monitor environmental conditions and safety hazards. The system sends SMS alerts and updates a web server in real time. Two tests were conducted to evaluate the functionality of the sensors and the reliability of the transmitting section by measuring SMS delivery times and updates to the web server. While the system was successful, further improvements are needed to account for network issues and service quality.
ECIL: EU Cybersecurity Package and EU Certification Framework - Deutsche Telekom AG
In September 2017 the EU Cybersecurity Package was proposed by the European Commission. The European Cybersecurity Industry Leaders (ECIL) have delivered valuable advice and input to the EU’s cybersecurity strategy. In its latest recommendation to the EU Commission, ECIL demands a more harmonized cyber policy across the Union. To secure Europe’s digital sovereignty and efficient, Single Market oriented digital capabilities, Europe needs a holistic platform approach. Technology elements like 5G, Cloud and IoT together should be part of such a platform.
Real-time Anomaly Detection and Alert System for Video Surveillance - IRJET Journal
The document describes a proposed real-time video surveillance system that uses deep learning models to detect and classify anomalies such as theft, unauthorized access, and burglary. The system would use CenterNet and Graph Convolutional Networks to detect anomalies in real-time CCTV footage. When anomalies are detected, alerts would be sent to police stations using Twilio Video API. Information about anomalies would be stored in a database including type, severity, and location. The system aims to enhance security by automating anomaly detection and response in video surveillance.
Integrated AI Surveillance Ecosystem: Enhancing Industrial Health and Safety ... - IRJET Journal
This document proposes an integrated AI surveillance ecosystem that combines drones and CCTV cameras to enhance industrial health and safety monitoring. Some key points:
- The system aims to overcome limitations of human-centric monitoring by leveraging AI to analyze multiple surveillance data streams in real-time.
- Drones expand coverage to previously unreachable areas, while CCTV provides persistent monitoring. The cloud-based system allows for coordinated deployment of drones.
- An integrated command center provides a unified view of alerts and allows for timely responses. The system demonstrated superior performance over traditional monitoring in accuracy, speed, and site coverage.
- The ecosystem is proposed to monitor a variety of industrial safety concerns, from PPE compliance to hazard detection.
This document provides an introduction to information security. It discusses what information security is, its basic principles of confidentiality, integrity and availability. It outlines the history of information security from the 1960s to the present. It analyzes the economic impacts of information security spending and environmental factors. The document concludes that information security has become essential for organizations to securely store electronic information and protect against threats.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Communications Mining Series - Zero to Hero - Session 1 - DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Real-time Anomaly Detection and Alert System for Video SurveillanceIRJET Journal
The document describes a proposed real-time video surveillance system that uses deep learning models to detect and classify anomalies such as theft, unauthorized access, and burglary. The system would use CenterNet and Graph Convolutional Networks to detect anomalies in real-time CCTV footage. When anomalies are detected, alerts would be sent to police stations using Twilio Video API. Information about anomalies would be stored in a database including type, severity, and location. The system aims to enhance security by automating anomaly detection and response in video surveillance.
Integrated AI Surveillance Ecosystem: Enhancing Industrial Health and Safety ...IRJET Journal
This document proposes an integrated AI surveillance ecosystem that combines drones and CCTV cameras to enhance industrial health and safety monitoring. Some key points:
- The system aims to overcome limitations of human-centric monitoring by leveraging AI to analyze multiple surveillance data streams in real-time.
- Drones expand coverage to previously unreachable areas, while CCTV provides persistent monitoring. The cloud-based system allows for coordinated deployment of drones.
- An integrated command center provides a unified view of alerts and allows for timely responses. The system demonstrated superior performance over traditional monitoring in accuracy, speed, and site coverage.
- The ecosystem is proposed to monitor a variety of industrial safety concerns from PPE compliance to hazard detection
This document provides an introduction to information security. It discusses what information security is, its basic principles of confidentiality, integrity and availability. It outlines the history of information security from the 1960s to the present. It analyzes the economic impacts of information security spending and environmental factors. The document concludes that information security has become essential for organizations to securely store electronic information and protect against threats.
Similar to Critical Infrastructure Protection through Network Behavior Management (20)
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Critical Infrastructure Protection through Network Behavior Management
1. Critical Infrastructure Protection
ICS Network Behavior Management
By Enrique Martín García
August 2014
Executive Summary
Security level for all infrastructures that bring essential services to society must be reviewed and supervised in a continuous way.
This supervision must be based on indicators able of offering objectives and sustainable values through time, due the robust and lasting design this infrastructures should had.
In this paper we will focus on the first set of indicators to define and manage, all related with the right Industrial Control Network behavior for these infrastructures.
Contents
INTRODUCTION
LEGAL FRAMEWORK
USA: CYBERSECURITY FRAMEWORK, FEBRUARY 2014 – NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
USA: ES-C2M2 V1.1, FEBRUARY 2014 – DEPARTMENT OF ENERGY – DEPARTMENT OF HOMELAND SECURITY
FRANCE: NATIONAL AGENCY FOR THE SECURITY OF INFORMATION SYSTEMS (ANSSI)
LEY 8/2011, DE 28 DE ABRIL, POR LA QUE SE ESTABLECEN MEDIDAS PARA LA PROTECCIÓN DE LAS INFRAESTRUCTURAS CRÍTICAS (ACT 8/2011 OF 28 APRIL, ESTABLISHING MEASURES FOR THE PROTECTION OF CRITICAL INFRASTRUCTURES)
RIPE – ROBUST ICS PLANNING & EVALUATION
INDICATORS
CONNECTION BETWEEN THE COMMAND CENTER AND THE SENSOR IS PROTECTED AND ENCRYPTED, ENSURING ITS CONFIDENTIALITY AND INTEGRITY
INVENTORY BUILDING
INVENTORY QUALITY
DETAILED INTERACTION BETWEEN DEVICES
CONCLUSION
REFERENCES
ABOUT THE AUTHOR
Introduction
In the last three years, Critical Infrastructure Protection strategies have been strengthened in both the U.S. and Europe. This has been achieved through standards, guidelines and cybersecurity frameworks addressed to the sectors that provide essential services to society in each country.
New legal and regulatory frameworks have also been developed to govern and define the security controls, countermeasures and supervision mechanisms that this kind of site has to put in place.
All of them, like the older security-related Information Technology (IT) standards, require the Critical Operator (OC) that provides essential services from its Critical Infrastructure (CI) to implement mechanisms for managing an inventory of its technology assets.
Furthermore, given the properties of industrial control networks, continuous monitoring for behavioral abnormalities is also required.
To manage behavioral abnormalities effectively, one should begin by establishing a baseline of the control network that covers all information assets, their interconnections and the regular operations that take place between them (traffic matrix and operational matrix).
Given the diversity of critical-sector classifications and legislation across European countries, this paper will focus on the case of Spain.
Legal Framework
To put into context the metrics related to asset inventory and behavior monitoring that the different frameworks and standards propose, I will briefly review some of the latest updates published as of this date.
USA: Cybersecurity Framework, February 2014 – National Institute of Standards and Technology (NIST)
In this framework, the need to maintain an inventory of IT assets is captured in the first function defined: Identify.
Under the Identify (ID) function is the Asset Management (AM) category, and under this, six subcategories are established:
ID.AM-1: The organization's devices and systems are inventoried
ID.AM-2: The organization's applications and software platforms are inventoried
ID.AM-3: Communications and data flows are mapped in diagrams
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (systems, devices, applications, etc.) are prioritized according to their classification, criticality and business value
ID.AM-6: Cybersecurity roles and responsibilities for all employees and third parties are established
Of these inventories, a detailed description of communications is often the hardest to achieve in the OC, because of the changes industrial control networks have undergone in recent years with the convergence of communications onto TCP/IP and their connection, more or less secure, with the OC's other business networks.
The requirement to maintain an updated inventory of communications and information flows is found in the following standards:
CCS CSC 1
COBIT 5 DSS05.02
ISA 62443-2-1:2009 4.2.3.4
ISO / IEC 27001:2013 A.13.2.1
NIST SP 800-53 Rev. 4 AC-4, AC-3, AC-9, PL-8
FIGURE 1: NIST CYBERSECURITY FRAMEWORK FUNCTION 1
Regarding the detection of behavioral anomalies, this is addressed in the third function defined by the Framework: Detect.
Under the Detect (DE) function is the Anomalies and Events (AE) category, and under this, five subcategories are established:
DE.AE-1: A baseline of network operations and expected data flows for users and devices exists and is managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Events collected from multiple sources and sensors are aggregated and correlated
DE.AE-4: The impact of events is determined
DE.AE-5: Incident alert thresholds are established
The requirement to detect anomalies in the control network is found in the following standards:
COBIT 5 DSS03.01
ISA 62443-2-1:2009 4.4.3.3
NIST SP 800-53 Rev. 4 AC-4, AC-3, CM-2, SI-4
FIGURE 2: NIST CYBERSECURITY FRAMEWORK FUNCTION 3
USA: ES-C2M2 v1.1, February 2014 – Department of Energy – Department of Homeland Security
Defined equivalently for the Oil & Natural Gas (ONG) subsector, this maturity model also establishes the need to maintain an inventory of assets, both IT and OT:
FIGURE 3: INVENTORY IN THE CYBERSECURITY CAPABILITY AND MATURITY MODEL FOR THE ELECTRIC SECTOR IN THE USA
It also establishes the need to properly document the behavior of communications and, later, the need to monitor traffic anomalies in the OT and IT networks, as other international studies recommend [3].
FIGURE 4: MONITORING IN THE CYBERSECURITY CAPABILITY AND MATURITY MODEL FOR THE ELECTRIC SECTOR IN THE USA
France: National Agency for the Security of Information Systems (ANSSI)
The National Agency for the Security of Information Systems (ANSSI) published, in August 2014, a methodology for classifying organizations that use information systems for industrial control, together with a detailed set of security measures to be adopted by each of these organizations depending on its classification.
FIGURE 5: DETAILED MEASURES FOR INDUSTRIAL CONTROL SYSTEM USERS
Among the cybersecurity measures to adopt is the systematic maintenance of an inventory of industrial control assets, which should reflect all the interconnection diagrams and flows between them, together with their monitoring:
FIGURE 6: INDEX OF DETAILED CYBERSECURITY MEASURES FOR ORGANIZATIONS USING INDUSTRIAL CONTROL SYSTEMS
Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas (Act 8/2011 of 28 April, establishing measures for the protection of critical infrastructures)
In Spain, the PIC Act 8/2011 requires organizations designated as critical infrastructure operators by the CNPIC to develop an Operator Security Plan and a Specific Protection Plan, which must include detailed inventories of the elements that make up their industrial control networks, among other assets.
In particular, section 3.1 of the Specific Protection Plan, "General Infrastructure Data", provides for the inclusion of at least the following information:
"On the ICT systems that manage the CI and its architecture (network map, map of communications systems, etc.)."
Section 3.2 of the same Plan, "Assets / Elements of the CI", provides for the inclusion of at least the following information:
"Computer systems (hardware and software) used."
"Communication networks that allow data exchange and are used by this CI."
FIGURE 7: MINIMUM CONTENTS OF THE PLAN DE PROTECCIÓN ESPECÍFICO (PPE)
In short, all the information necessary to establish the normal behavior of the control network is required.
In view of the foregoing, it seems clear that the need for an asset inventory, together with the establishment of a baseline of behavior, will define the indicators of compliance. These two realities naturally lead to designing a set of metrics based on the inventory and on the management of network behavior (Network Cyber Behavior Management™).
The following sections describe the methodology and the proposed solution to define and maintain these metrics.
RIPE – Robust ICS Planning & Evaluation
The Robust ICS Planning and Evaluation Framework (RIPE [1], 2013) provides a management model based on defined quality in industrial control systems for critical processes, in line with INTECO's proposal for measuring cyber-resilience [2].
This model rests on the definition of three main blocks:
Technology Block (IT and OT systems)
Organizational Block (people)
Operational Block (processes and procedures)
FIGURE 6: RIPE MODEL CONTEXT DIAGRAM
This framework measures compliance metrics, periodically and at low economic cost, in eight areas of a critical infrastructure:
Asset Inventory: For each facility / plant, all assets involved in providing or protecting an essential service should be documented and periodically reviewed. This inventory, collected for each CI, integrates all elements of physical and logical security.
Connection diagram of assets: It is critical to document and review the existing connectivity between the assets inventoried in the previous area, in order to establish the interdependence of all the assets and their ranking when grouped to provide an essential service.
Interaction between assets: With the information gathered in the previous points, build diagrams of the operational flows between devices; these complete the description of the interdependence of essential services and support the subsequent security monitoring of the plant / installation.
Roles and functions of staff: Staff are the first asset to protect and the most fundamental part of any defense strategy for a plant / facility. Maintain an updated list of all CI staff and review it periodically to ensure the information remains valid. This information is critical to the implementation of any physical and logical access policy.
Development of staff skills and knowledge: The level of safety of the plant / installation must be understood within the cycle of continuous improvement of the provision of essential services. It is essential that the people who operate and ensure the safety of these services have the training necessary to perform their duties. Periodic monitoring of compliance with training plans and of progress in each plant facilitates tracking of the periodic targets set by the CSMS.
Operating guidelines and procedures: Essential services may be interrupted by an erroneous, untested or unauthorized operation. To avoid such problems, keep updated operating guidelines that are revised periodically, so as to minimize problems in the provision of essential services by the plant / installation.
Planning and design changes: In line with the previous point, any new element within the CI or any new industrial process must be documented and approved by those responsible for operations. Reviewing the process and its associated documentation will minimize risks to the continuity of essential services and to the proper maintenance of the CSMS.
Asset procurement: The security requirements for assets to be deployed in plants / facilities should be considered from the acquisition phase onwards. Controlling procurement processes with respect to these requirements facilitates the integration of those assets into the ongoing security management of the plant / installation.
Control of these eight areas allows the impact assessment on the essential services that the plant / installation supports to be completed, consistently with the security policy defined by the OC on important issues such as safety management, staff training and continuity management.
Each of these areas is evaluated according to two quality criteria, targeted as percentages of compliance:
Degree of completion
Accuracy of the information completed
In the case of the asset inventory, for example, the following criteria are applied:
RIPE System Inventory Quality
Quality: Completeness and accuracy of the system inventory. Computation: Accuracy * Completeness / 100
Completeness: Percentage of components listed in the system inventory, relative to the total number of components identified by walk-down inspection
Accuracy: Percentage of components listed accurately in the system inventory, as identified by walk-down inspection
TABLE 1: INDICATOR VALUE CRITERIA AND CALCULATION
In a specific example, after evaluating these criteria in the eight areas for two individual installations, we obtain the following values:
FIGURE 9: TWO PLANTS COMPLIANCE POLAR DIAGRAM
In the plant represented by the red line, we observe much greater compliance in areas such as asset inventory and personnel than in the plant represented by the blue line.
This would allow the organization to reuse the operational procedures of the first plant in the second, improving its security level in a short time and at low cost.
In the following section we will define, from the RIPE Technology Block, indicators for industrial control networks that define the expected behavior pattern (blueprint) of these networks:
Asset inventory
Representation of the connections between assets
Detailed interaction between them
Indicators
The calculation of the indicators defined by the reference framework above must be generated and updated with minimal effort. To do this we propose the use of the SCAB solution (Security Awareness Control Box) for SCADA systems, a technology based on Deep Protocol Behavior Inspection (DPBI) of control protocols.
SCAB is a monitoring and anomaly detection system that analyzes network traffic and detects unusual events on the network (e.g., cyber attacks or operational errors), not through signature-based detection but by building the network's behavior pattern automatically and unattended.
The behavior pattern built by the solution defines:
Connection models
Protocols used
Message types of the protocols
Message fields
Values of the message fields
This information set defines the white list of operations in our control network.
Today, SCAB allows monitoring and inspection of the following protocols (the original table marks, for each protocol, Deep Protocol Behavior Inspector and connection profile support):
MMS
Modbus/TCP
OPC-DA
IEC 101/104
DNP3
IEC 61850
ICCP TASE.2
CSLib (ABB)
DMS (ABB)
S7 (Siemens)
SMB/CIFS
The Command Center collects monitoring intelligence from the various sensors, and features:
Web-based user interface (supported browsers: Google Chrome, Mozilla Firefox, Internet Explorer (≥ 9), Safari)
Large set of alert filters
An extensible workflow engine for processing incoming messages and forwarding them to different delivery systems (e.g., SIM / SIEM) according to user-defined rules
An extensible task engine for scheduling tasks such as sending reports, synchronizing the internal clock, optimizing the internal database, etc.
Role-based access control for users.
In production environments, multiple monitoring sensors can be used to control different network segments and report the observed traffic and detected threats to a single command center.
The connection between the command center and the sensor is protected and encrypted, ensuring its confidentiality and integrity.
Inventory Building
After connecting the SCAB sensors to the network, we can start the learning phase. At this stage, SCAB autonomously builds our network behavior pattern.
The flow is shown below:
FIGURE 11: CONTROL NETWORK BEHAVIORAL BLUEPRINT CREATION
We can customize the behavior pattern if necessary by adding, modifying or deleting connections using a text editor.
Any changes to these patterns are audited and stored securely in the sensor itself.
FIGURE 12: CONNECTION MATRIX EDITOR
After finishing the learning phase, we get the ICS Local Network Communication Profile.
At that moment SCAB knows every tuple allowed in the ICS network:
Src IP,Src Port -> Dest. IP,Dest Port
This is something hard to achieve in a multipurpose Local Area Network (even a home one) without getting several changes (alerts) per hour.
From that moment on we can be alerted about:
New devices on the network that are not in the inventory
Devices attempting connections that are outside the model and inventory
Devices receiving information from others outside the model and inventory
Inventory Quality
As we saw in the initial example, this indicator is calculated as follows:
RIPE Asset Inventory Quality
Quality: Completeness and accuracy of the system inventory. Computation: Accuracy * Completeness / 100
Completeness: Percentage of components listed in the system inventory, relative to the total number of components identified by SCAB
Accuracy: Percentage of components listed accurately in the system inventory, as identified by SCAB
TABLE 3: INVENTORY INDICATORS VALUE CRITERIA AND CALCULATION
Representing the active connections
From the information gathered by SCAB in its learning phase, it is easy to represent graphically the interactions between the nodes of the control network and to build an easily updatable diagram.
RIPE Connections Diagram Quality
Quality: Completeness and accuracy of the connections inventory. Computation: Accuracy * Completeness / 100
Completeness: Percentage of connections listed in the inventory, relative to the total number of connections identified by SCAB
Accuracy: Percentage of connections listed accurately in the inventory, as identified by SCAB
TABLE 4: CONNECTIONS INDICATORS VALUE CRITERIA AND CALCULATION
An example of a collected connection digraph could be the following:
FIGURE 12: SCAB SELF-LEARNING CONNECTION DIGRAPH
Detailed interaction between devices
FIGURE 13: SCAB SELF-LEARNING FUNCTIONS OPERATIONAL MATRIX
Among the information contained in the self-generated network behavior pattern, we can see not only which connections between devices and ports are established using a given protocol, but also which messages and values (control functions) are used in our network.
The SCADA server connects to the PLCs using the Modbus protocol and runs only functions 3 and 16.
In this way, we can verify compliance with this indicator periodically, and also detect in real time unusual transactions or malicious control commands.
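Added example, not code from the paper or from the SCAB product: a minimal learning-and-inspection loop in Python that builds the device inventory and connection whitelist from constructed traffic records, flags new devices, connections outside the model and Modbus function codes never seen in learning (functions 3 and 16 above), and renders the learned model as a Graphviz digraph like the connection digraph of Figure 12. Generalising client source ports at or above 1024 to `*` is an assumption of this example.

```python
from collections import defaultdict

EPHEMERAL = 1024  # assumption: client source ports >= 1024 are generalised to "*"

# Constructed learning-phase traffic, not a real capture. One record per request:
# (src_ip, src_port, dst_ip, dst_port, protocol, function_code).
LEARNING_TRAFFIC = [
    ("10.0.0.10", 50001, "10.0.0.21", 502, "modbus", 3),   # read holding registers
    ("10.0.0.10", 50002, "10.0.0.21", 502, "modbus", 16),  # write multiple registers
    ("10.0.0.10", 50003, "10.0.0.22", 502, "modbus", 3),
    ("10.0.0.10", 50004, "10.0.0.22", 502, "modbus", 16),
]

def normalize(rec):
    """Split a record into its connection tuple (generalised src port) and function code."""
    src_ip, src_port, dst_ip, dst_port, proto, func = rec
    src_port = "*" if src_port >= EPHEMERAL else src_port
    return (src_ip, src_port, dst_ip, dst_port, proto), func

def learn(traffic):
    """Learning phase: build the device inventory and the connection/function whitelist."""
    inventory = set()
    model = defaultdict(set)  # connection tuple -> function codes seen on it
    for rec in traffic:
        key, func = normalize(rec)
        inventory.update((key[0], key[2]))
        model[key].add(func)
    return inventory, dict(model)

def inspect(rec, inventory, model):
    """Detection phase: return the alerts one observed record raises against the model."""
    key, func = normalize(rec)
    src_ip, _, dst_ip, dst_port, proto = key
    alerts = [f"new device out of inventory: {ip}"
              for ip in (src_ip, dst_ip) if ip not in inventory]
    if key not in model:
        alerts.append(f"connection out of model: {src_ip} -> {dst_ip}:{dst_port}/{proto}")
    elif func not in model[key]:
        alerts.append(f"function {func} not in model for {src_ip} -> {dst_ip}:{dst_port}")
    return alerts

def to_dot(model):
    """Render the learned connection model as a Graphviz digraph (one edge per tuple)."""
    lines = ["digraph ics {"]
    for (src, _, dst, port, proto), funcs in sorted(model.items(), key=lambda kv: str(kv[0])):
        label = f"{proto}:{port} fc={','.join(map(str, sorted(funcs)))}"
        lines.append(f'  "{src}" -> "{dst}" [label="{label}"];')
    lines.append("}")
    return "\n".join(lines)
```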
RIPE Functional Interaction Quality
Quality: Completeness and accuracy of the functional interactions inventory. Computation: Accuracy * Completeness / 100
Completeness: Percentage of functional interactions listed in the inventory, relative to the total number of functional interactions identified by SCAB
Accuracy: Percentage of functional interactions listed accurately in the inventory, as identified by SCAB
TABLE 5: FUNCTIONAL INTERACTION INDICATORS VALUE CRITERIA AND CALCULATION
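Added example, not the paper's or SCAB's code: the Quality, Completeness and Accuracy computation of Tables 3 to 5, in Python, applied to constructed inventories for the asset and the functional-interaction indicators (the connections indicator uses the same function). Counting a documented entry that SCAB never observed as inaccurate is this example's assumption.

```python
def indicator(documented, observed):
    """RIPE quality triple for one inventory, following Tables 3 to 5.

    documented: what the organisation's inventory lists (key -> attributes)
    observed:   what SCAB identified in the learning phase (key -> attributes)
    Completeness = % of SCAB-identified items that the inventory lists at all
    Accuracy     = % of inventory entries whose attributes match what SCAB observed;
                   stale entries (listed but never observed) count as inaccurate
    Quality      = Accuracy * Completeness / 100
    """
    listed = set(documented) & set(observed)
    completeness = 100.0 * len(listed) / len(observed) if observed else 0.0
    accurate = sum(1 for k in listed if documented[k] == observed[k])
    accuracy = 100.0 * accurate / len(documented) if documented else 0.0
    quality = accuracy * completeness / 100.0
    return round(completeness, 1), round(accuracy, 1), round(quality, 1)


# Constructed sample data, not taken from any real plant.
# Asset inventory: IP -> device role.
OBSERVED_ASSETS = {"10.0.0.10": "scada-server", "10.0.0.21": "plc",
                   "10.0.0.22": "plc", "10.0.0.30": "hmi"}
DOCUMENTED_ASSETS = {"10.0.0.10": "scada-server", "10.0.0.21": "plc",
                     "10.0.0.22": "rtu",   # wrong role recorded
                     "10.0.0.40": "plc"}   # decommissioned, never seen by SCAB

# Functional interactions: (src, dst, dst_port) -> Modbus function codes used.
OBSERVED_FUNCS = {("10.0.0.10", "10.0.0.21", 502): frozenset({3, 16}),
                  ("10.0.0.10", "10.0.0.22", 502): frozenset({3, 16})}
DOCUMENTED_FUNCS = {("10.0.0.10", "10.0.0.21", 502): frozenset({3, 16}),
                    ("10.0.0.10", "10.0.0.22", 502): frozenset({3})}  # write (16) undocumented


def ripe_report():
    """Return {indicator name: (completeness %, accuracy %, quality %)}."""
    return {
        "asset_inventory": indicator(DOCUMENTED_ASSETS, OBSERVED_ASSETS),
        "functional_interaction": indicator(DOCUMENTED_FUNCS, OBSERVED_FUNCS),
    }


if __name__ == "__main__":
    for name, (c, a, q) in ripe_report().items():
        print(f"{name}: completeness={c}% accuracy={a}% quality={q}%")
```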
Conclusion
The need to review the cyber security level of ICs seems clear, but this review should not rely solely on documentary audit evidence; it also needs objective criteria that ensure quality monitoring and enable continuous improvement of the IC itself.
The use of indicators about the quality of the asset inventory, the correct representation of the connections, and the up-to-date functional operational interaction between them allows us to monitor the behavior of the control network that provides essential services, and the security of the plant or facility.
The SCAB solution allows easy maintenance of these three indicators and continuous monitoring through deep inspection of industrial protocol behavior, thereby maintaining the security level required by our Critical Infrastructure.
References
[1] The RIPE Framework: A Process-Driven Approach towards Effective and Sustainable Industrial Control System Security, Ralph Langner, 2013: http://www.langner.com/en/wp-content/uploads/2013/09/The-RIPE-Framework.pdf
[2] "Ciber-Resiliencia: Aproximación a un marco de medición", INTECO, 2014: http://www.inteco.es/extfrontinteco/img/File/Estudios/int_ciber_resiliencia_marco_medicion.pdf
[3] Monitoring Industrial Control Systems to improve operations and security, 2013: http://www.secmatters.com/sites/www.secmatters.com/files/documents/whitepaper_monitoring_EU.pdf
About the Author
Enrique Martín García is Director of the Centre of Excellence for Cyber Security Division within the IT Consulting & Integration Services - Global Solutions at Schneider Electric.
He has over 25 years of experience in the world of information technology, many of which have been spent on projects designing and implementing security solutions.
Since 2013 he has been responsible for designing the portfolio of Cyber Security services and solutions for ITC, participating in various conferences at which he has given presentations on advanced protection solutions for industrial control network protocols.