The SCISSOR project aims to establish situational awareness in industrial control systems through a highly scalable security monitoring framework. The framework integrates a wide range of heterogeneous sensors, uses a distributed data aggregation approach, and advanced detection and correlation models. It exploits cloud computing concepts. The architecture includes sensors, local correlation and aggregation layers, and a decision and analysis layer. The framework was tested on a real industrial control system in Favignana, Italy using various sensors.

1. The SCISSOR approach to establishing situational
awareness in Industrial Control Systems
Stefano Salsano – University of Rome “Tor Vergata”/CNIT
Christof Brandauer – Salzburg Research
Symposium on Innovative Smart Grid Cybersecurity Solutions
Vienna, 13th and 14th March, 2017

2. The SCISSOR Project
Security In trusted SCADA and smart-grids
Assystem Engineering and operation services (FR)
AGH University of Science and Technology of Krakow (PL)
UPMC university Pierre and Marie Curie (FR)
SixSq Sàrl (CH)
Consorzio Nazionale Interuniversitario per le Telecomunicazioni (IT)
RADIO6ENSE (IT)
Salzburg Research Forschungsgesellschaft mbH (AT)
Katholieke Universiteit Leuven (BE)
SEA Società Elettrica di Favignana S.p.a. (IT)

3. 3
SCISSOR in a nutshell
A highly scalable ICS/SCADA security monitoring framework
• Integration of a wide range of heterogeneous sensors
• A dynamically adaptable, distributed data aggregation framework
• Advanced detection and correlation models as extensions to a conventional SIEM
• Exploitation of modern cloud-computing concepts

4. 4
Architecture

5. 55
The Favignana Test-bed

6. 6
Installation in Favignana
Inside the Cabin

7. 7
Installation in Favignana
Inside the Cabin

8. 88
Smart Camera
4G Router
Public IP
VPN
Gateway
RFID
Antennas
VPN
Client
RFID
Reader
Network
TAP
SEA
HiperLAN
Cabin
Switch
SCADA
device
SCISSOR testbed
RFID
Sensors
SEA SCADA
Supervisory
Enhanced
SIEM
Threat
detection
modules
Cloud in a boxVPN
Client
Decision &
Analysis Layer
Assystem
SCADA
Supervisory
Assystem
SCADA
PLCs
Datacenter
Cloud

9. 99
SCISSOR testbed
kafka
flume
SIEM
HMI
Bayesian networks
Robust statisticzookeeper
logstash
Paris SCADA
Lab Environment
Favignana
Smart Grid
Cameras
Environment
sensors
Network
monitoring
SCADADevelopers’
console

10. 10
Situational awareness is established in a scalable manner in near real-time
by correlating events coming from very heterogeneous sensors
Situational awareness

11. 1111
Authorized access
1. Door open: somebody inside
2. Badge detection: the system recognizes
the technician
3. The technician turns on the light
4. The technician opens a cabinet
5. The technician get close the exit door and
turns-off the light; the system records the
exit

12. 1212
Un-authorized access and tampering
1. Open door: somebody inside
2. No badge detection: the person is not authorized
and may be classified as intruder
3. The intruder turns on the light for a short time:
maybe uses a torch
4. The intruder opens a cabinet
5. The temperature inside the cabinet increases:
possible manumission
6. The intruder opens the door and exits.

13. 13
Events can be correlated in the SIEM correlation engine
(Decision and analysis layer)
Situational awareness
Events can be “pre-processed” and aggregated to achieve scalability
(local correlation in the Control and coordination layer)

14. 14
Thank you. Questions?
Contacts
Stefano Salsano
University of Rome Tor Vergata / CNIT
stefano.salsano@uniroma2.it
Christof Brandauer
Salzburg Research, Austria
christof.brandauer@salzburgresearch.at
This presentation on slideshare
https://www.slideshare.net/stefanosalsano/the-scissor-approach-to-establishing-situational-
awareness-in-industrial-control-systems

15. 15
The SCISSOR project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No. 644425 (Research
and Innovation Action).
The information given is the author’s view and does not necessarily represent the view
of the European Commission (EC). No liability is accepted for any use that may be
made of the information contained.

16. Additional information

17. 17
SCISSOR partners details (1/3)
PRESENTATION OF THE SCISSOR PARTNERS
Partner name & country Partner Type Key roles and technical skills in the project
Assystem AEOS, France Large company - Project coordination
- Data protection
- Id based cryptography
- Identity management & AC
- SCADA systems
- Human-Machine Interface
- Test platform.
AGH University of Science
and Technology of Krakow,
Poland
Academy - Video surveillance & pattern recognition
- Security and cryptography
- Agent-based SCADA & system monitoring
UPMC University Pierre
and Marie Curie, France
Academy - SIEM design
- Decision and probability theory(Dynamic
Bayesian Networks)
- Graphical models
- Scalable big data analytics

18. 18
Partner name & country Partner Type Key roles and technical skills in the project
SixSq Sàrl, Swiss SME - Software integration and testing expertise
- Cloud expertise and technologies
- Automated cloud deployment
- Systems architecture and design
Consorzio Nazionale
Interuniversitario per le
Telecomunicazioni (CNIT),
Italy
Research center - Technical Project coordination
- Overall system architecture
- Traffic Monitoring and stream analytics
- Platform-independent API for monitoring
- Attribute-based encryption
- Smart grid engineering
- HMI usability design and assessment
Radio6ense, Italy SME - Pervasive sensor tags
- Sensor data gathering and filtering
- Mobile data acquisition devices
PRESENTATION OF THE SCISSOR PARTNERS
SCISSOR partners details (2/3)

19. 19
PRESENTATION OF THE SCISSOR PARTNERS
Partner name & country Partner Type Key roles and technical skills in the project
Salzburg Research
Forschungsgesellschaft
mbH, Austria
Research center - Control framework
- Monitoring agents design
- Semantic modelling of events
- Security policies
Katholieke Universiteit
Leuven, Belgium
Academy - Detection of abnormal values in
multivariate, high-dimensional, data sets
- Robust dimensionality reduction
Società Elettrica
Favignana, Italy
Power plant and
smart grid
provider
- Requirements
- Integration with the existing SCADA
- Roll out of the real world trial
SCISSOR partners details (3/3)

20. 20
Wireless passive Sensor Network (PSN) for Environment Monitoring
MONITORING LAYER
Water/Humidity
+ RSSI
temperature
light
NUVLA Box
RFID
reader
LAN
Cable
Electrical
Equipment
stack
Antenna 1 Antenna 2
Events
• Authorized and un-
authorized access
• Equipment overload
• Flooding and Fire
• Human Interaction
with devices
• Device Tampering
camera

21. 21
radioBOARD: Layout
MONITORING LAYER: ENVIRONMENT SENSORS
The board may be configured for different applications and
placements by connecting or disconnecting electrical traces
67mm
28mm
Electromagnetic
Coupler with tuning
elements
Expander: external
sensors + optional
Battery/solar cell
Energy Harvester
with tuning elements

22. 2222
Access
Flooding Humidity and light
Temperature (Harness overload)
Manumission
Events & Sensors
TEST BED: ENVIRONMENT SENSORS

23. 23
Device Placements
reader and antennas
TEST BED: ENVIRONMENT SENSORS
reader
antenna

24. 24
Device Placements
access and light
Light sensor
Door-open
sensor
TEST BED: ENVIRONMENT SENSORS

25. 25
Device Placement
temperature
Transformer overload
(PT-1000)
Cabinet temperature
TEST BED: ENVIRONMENT SENSORS

26. 26
Device Placement
manual tampering
TEST BED: ENVIRONMENT SENSORS

27. 27
SCADA logs
Demo steps
DEMO - INTEGRATION
• Logs were collected from a simulated electrical network SCADA system
• these logs are sent by beats to the Edge Agent
• classical log parser
• transformation and publishing to SMI
@datasource:[/opt/zmq-bash-push]: ./play_scada.sh &

28. 28
Environmental sensors
Demo steps
DEMO - INTEGRATION
• sensor data was measured by the Radio6ense prototype installed in Favignana
• sent to the Edge Agent via ZeroMQ
• parsing of native sensor output
• transformation and publishing to SMI
• dynamic reconfiguration of the Edge Agent filtering
• drop / forward RSSI data
@datasource:[/opt/zmq-bash-push]: ./play_envfile.sh &

29. 29
Network monitoring
Demo steps
DEMO - INTEGRATION
• live integration of a distributed streamon instance
• streamon probe is configured to detect Modbus device scans
• replay of such a previously recorded device scan
• detection by streamon probe, emission of alerts towards to Edge Agent via ZeroMQ
• parsing of the native streamon output
• transformation and publishing to SMI
@streamon:[/home/vagrant/Streamon]: ./start.sh config/modbus_device_scan.xml
@streamon:[/home/vagrant/Streamon]: tcpreplay -i eth1 config/traces/device_scan.pcap
1456245861397357097 00000001 E1 LOW "Modbus Device Scanning Suspected" ip_src=127.0.0.30 ip_dst=127.0.0.5 rate=2.147463 dst_port=502
1456245866421830452 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.15 rate=3.121049 dst_port=502
1456245866421874608 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.12 rate=3.526514 dst_port=502
1456245866432175844 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.17 rate=3.931980 dst_port=502

30. 30
Smart camera
Demo steps
DEMO - INTEGRATION
• Events were produced by a Smart Camera
• analysis of a video presented in the morning session
• these events are sent to the Edge Agent via ZeroMQ
• original timing is preserved
• parsing of the native sensor output
• transformation and publishing to SMI
@datasource:[/opt/zmq-bash-push]: ./play_camfile.sh &

31. 31
SCISSOR's SIEM : Prelude
SIEM Design & Development
Routers
Switches
Mail
Servers
OS
Servers
Snort IDS
Firewalls
Prelude-LML
Prelude-Manager
Prelude-Correlator
Databases
Administration
Console
Apache + Prewikka
IDMEF
Alerts
IDMEF
Alerts
IDMEF
Alerts
Logs
Logs
Logs
Logs
Logs
HTTPS
Other IDS
IDMEF
Alerts
TLS
TLS
TLS
TLS

32. 32
SCADA platform in the Assystem testbed
A Use Case for SCISSOR validation
ASSYSTEM ADVANCED SCADA PLATFORM
A virtualized process
Complex scenarios handling
Direct occurrences of process events
Systemic approach
A generic SCADA based system
PLC based control
Use of industrial protocols
Typical SCADA HMI
Logs generation: process monitoring,
supervision/PLC software, operating systems
Historian
Reporting
Report

33. 33
Distributed Cloud Platform
CLOUD PLATFORM AND INTEGRATION
Seamless integration of a traditional
Datacenter Cloud platform and a
“Cloud-in-a-box” platform