ZONeSEC: built-in cyber-security for wide area surveillance systems
Aljosa Pasic
Atos
August 25th 2017
ZONeSEC at a glance
• ZONeSEC: “Towards an EU framework for the security of Wide zones”
– Start date: 1 December 2014
– End date: 30 November 2018 (48 months)
http://www.zonesec.eu/
Contact points:
Dimitris Kanakidis (Project Coordinator)
dkan@exus.co.uk
Jose Ramon Martinez (Technical coordinator)
jose.martinezs@atos.net
Aljosa Pasic (Exploitation manager)
aljosa.pasic@atos.net
5/9/2017
Introducing ZONeSEC
19 PARTNERS
9 COUNTRIES
4 PILOTS
3 FINAL DEMOS
48 MONTHS
ZONeSEC Objectives
ZONeSEC addresses the protection of critical infrastructures that spread over wide zones.
Wide-zone challenges are, among others:

Characteristics | Challenge | Opportunities
Wide and big | Scalability, variable bandwidth, latency, deployment and maintenance cost… | Reusable low-cost assets, distributed pre-processing, centralised big data analysis, pattern recognition, communication gateways…
Cross-border and cross-stakeholder environment | Interoperability, data sharing, collaboration complexity… | Multi-stakeholder governance models, shared risk and cost, joint simulations…
Wide area surveillance (WAS) | Privacy | Pattern recognition, integration with ground systems
55/9/2017
ZONeSEC key challenges
Near real time: hard real time is not required, but response time has to be reasonable.
Reliability of data transport: alert data must be delivered reliably; it is mandatory that alerts do not get lost in transit.
Heterogeneous networks: all kinds of networks will be available.
Modularity: all parts of the information system should be as decoupled as possible.
Plug and play: any security capillary can enter or leave the system at any moment without affecting the stability of the whole architecture.
Scalability: the resulting system or framework should scale to any number of security capillaries and any arbitrarily extended area.
Security: security has to be taken into account in all possible layers (physical tampering with the devices is out of scope).
Portability: the resulting framework should be portable to any location.
Legacy sensors: already existing sensors (“legacy sensors”) should be included in the framework as seamlessly as possible.
Open platform: the architecture will be open, allowing the addition of new security capillaries and old legacy systems.
ZONeSEC Solution: System of Systems (1/2)
Novel Sensors:
• Acceleration sensors. These sensors are attached to the fence and identify abnormal movements.
• Distributed Acoustic Sensor (IDAS). IDAS is an optoelectronic system monitoring the acoustic field along an optical fibre cable.
• Spectral Imaging System: a novel multi-sensor system with thermal, hyperspectral and SWIR cameras.
• Mini-UAV: two Mini-UAV systems, a multirotor and a helicopter type, equipped with electro-optic sensors including daylight and thermal cameras (CM100, UAV Vision).
• Mimo Radar: a radar system capable of detecting and tracking people.
• ULTIMA: a heat sensor that can also be used for leakage detection.
A device or sensor usually sends raw data (signals), while a sensing platform can send processed data (e.g. XML or REST objects).
By aggregating some sensors under a cluster with local processing capabilities, the system is able to run higher-level distributed algorithms that identify abnormal patterns and can raise alerts locally.
ZONeSEC Solution: System of Systems (2/2)
• Legacy sensors: in the different pilots there are many legacy sensors that have to be integrated: CCTV, magnetic contacts, IR, etc.
• SDAIM (Surveillance, Detection and Alerts Information Management): analyzes and fuses data coming from the different sensors and raises alerts to be displayed on the COP.
• COP (Common Operational Picture): displays a 3D cartographic view of the deployed sensors and of the alerts raised by the subsystems.
• Simulation: the simulation tools provide means to add geo-localized virtual systems and simulate their inputs to ZONeSEC.
• Uniform Communication Module: enables interoperable and real-time communications from heterogeneous sensor systems, following a distributed communication architecture.
• Core: all the different sub-systems are interconnected by the ZONeSEC Core, the integration component.
• Cyber protection platform: protects the systems from internet-based attacks.
ZONeSEC overview
Security Capillaries produce “event data”, “raw data”, “position data”, “sensor metadata” and also “information state data” towards the ZONeSEC Main System.
Clusters produce “alert data” towards the ZONeSEC Main System.
Cyber Security Agents produce “alert data”, “event data” and also “information state data” towards the ZONeSEC Main System.
The Main System receives data coming from the “sensors” (Security Capillaries and Cyber Security Agents). This data is of different kinds:
• “Alert data”: “alerts” detected by the Security Clusters and “cyber-alerts” detected by the Cyber Security Agents (the latter flow is internal to the ZONeSEC main core).
• “Raw data”: unprocessed data coming from the Security Capillaries, to be analysed in the ZONeSEC main core by the SDAIM.
• “Information data”, consisting of:
• the operational state of the Security Capillaries (either “heartbeat information” or “state information”; yet to be decided and refined);
• “Position data”: Security Capillaries send their position and also changes in position (for the mini-UAV, which can move);
• “Metadata of the sensors”: Security Capillaries send their metadata, for example viewing angles, frequency of readings, etc.
The slide's diagram labels the two threat classes the system covers: cyber threats and physical threats.
ZONeSEC Cybersecurity
Multi-agent systems, also referred to as "self-organized systems", fit the ZONeSEC vision of low-cost reusable assets (also referred to as "plug & play & forget"). In ZONeSEC every event source or set of sources (called a Security Capillary) is considered to be an agent.
Flexibility is needed, since cyber-agents can be added, modified and reconstructed without the need for detailed rewriting or integration efforts.
The basic idea is to encapsulate cyber-sensors within the ZONeSEC agent model and deploy them at strategic points in the wide-area CI, to deliver events to intelligent reasoning components elsewhere in the system. These encapsulated sensors are called cyber-sentinels.
For example, cyber-sensors may perform DFI on the traffic coming from the Security Capillaries or the ZONeSEC components. Cyber-sentinels then integrate data from different cyber-sensors. Normally there is one cyber-sentinel for each physical sensor cluster.
ZONeSEC Cybersecurity
Challenges
• To implement a multi-agent architecture capable of
capturing surveillance events from numerous and
diverse sources distributed across a large geographical
area.
• To provide agents with the ability to challenge and
verify the authenticity of event sources in the system.
• To implement cyber-sentinels as agents capable of
analyzing cyber activity and generating higher-level
abstraction events for interpretation within the central
processing framework.
• To reuse existing SIEM and open source solutions, improved with the integration of new types of security tools/probes. This implies that the parsing/processing logic (and code) must be decoupled as much as possible from the specific characteristics of the data format and related technologies.
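The second challenge above, letting agents challenge and verify the authenticity of event sources, is not detailed further in the deck. The following is an added example (not ZONeSEC project code) of one way to do it: a per-capillary shared key, assumed to be provisioned out of band, an HMAC-based challenge/response with a single-use nonce and an expiry window, and constant-time comparison on the verifying side. The capillary identifiers and keys are made up for the example.

```python
import hashlib
import hmac
import secrets
import time


def respond(key: bytes, source_id: str, nonce: bytes) -> bytes:
    """Agent side: prove possession of the shared key without revealing it.
    The source id is bound into the MAC so a response computed for one
    capillary cannot be presented as another's."""
    msg = b"zonesec-source-auth|" + source_id.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class SourceVerifier:
    """Central side (core / cyber-sentinel): issues one-time challenges and
    verifies responses. Keys are assumed provisioned per capillary out of band."""

    def __init__(self, keys: dict, ttl_seconds: float = 30.0, now=time.monotonic):
        self._keys = dict(keys)
        self._pending = {}          # nonce -> (source_id, issued_at)
        self._ttl = ttl_seconds
        self._now = now             # injectable clock, so expiry is testable

    def challenge(self, source_id: str) -> bytes:
        if source_id not in self._keys:
            raise KeyError(f"unknown event source: {source_id}")
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (source_id, self._now())
        return nonce

    def verify(self, source_id: str, nonce: bytes, tag: bytes) -> bool:
        entry = self._pending.pop(nonce, None)      # single use: a replayed nonce is gone
        if entry is None:
            return False
        issued_for, issued_at = entry
        if issued_for != source_id or self._now() - issued_at > self._ttl:
            return False
        expected = respond(self._keys[source_id], source_id, nonce)
        return hmac.compare_digest(expected, tag)   # constant-time comparison


def demo() -> dict:
    """Walk through the genuine case and the three failure modes (hypothetical ids/keys)."""
    clock = [0.0]
    verifier = SourceVerifier({"cap-fence-01": b"k-fence-01", "cap-uav-02": b"k-uav-02"},
                              ttl_seconds=30.0, now=lambda: clock[0])
    results = {}

    nonce = verifier.challenge("cap-fence-01")
    tag = respond(b"k-fence-01", "cap-fence-01", nonce)
    results["genuine"] = verifier.verify("cap-fence-01", nonce, tag)
    results["replay"] = verifier.verify("cap-fence-01", nonce, tag)      # same nonce again

    nonce = verifier.challenge("cap-uav-02")
    # holder of the fence key tries to answer as the UAV
    results["wrong_key"] = verifier.verify("cap-uav-02", nonce,
                                           respond(b"k-fence-01", "cap-uav-02", nonce))

    nonce = verifier.challenge("cap-uav-02")
    tag = respond(b"k-uav-02", "cap-uav-02", nonce)
    clock[0] += 31.0                                                     # past the 30 s window
    results["expired"] = verifier.verify("cap-uav-02", nonce, tag)
    return results


if __name__ == "__main__":
    print(demo())
```

The expiry and single-use checks are what make this a challenge rather than a static password: an attacker who records a valid exchange on the sensor network cannot reuse it. If a deployment already runs TLS with client certificates between capillaries and the core, that provides the same property and this scheme is not needed on top.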
ZONeSEC Cybersecurity solution
• Cyber-sentinels run as a daemon in the distributed processing units (DPU) where they are deployed, so they do not need to be invoked by another process each time a new log or event is received.
• When a new event is detected, the agent parses it using the plugin associated with that file or event source.
• They send the normalized events to a TCP port where the SIEM server is listening. Since this channel carries the events that drive the cyber-alerts, the sentinel has to be authenticated to the SIEM in the same way the capillaries are verified as event sources (see the challenges above); otherwise forged events could be injected at this point.
• The cyber-monitor (SIEM monitor) “publishes” the alerts to the DDS (data distribution service).
• The Global Data Space and the COP subscribe to a specific Topic in order to receive these alerts.
• The core of the cyber-monitor is the correlation engine, based on the open source high-performance correlation engine Esper.
• The cyber-monitor is designed to run its processes in a distributed and scalable way on a Storm cluster.
• It allows the definition of different correlation processes, each with a different set of security directives, data schema (type of incoming events) and filtering policies.
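The pipeline above (plugin per event source, normalization, correlation directives, publish to a topic) is shown end to end in the following added example. It is not the project's cyber-sentinel or cyber-monitor code and uses neither Esper, Storm nor DDS: the correlation is a small sliding-window engine and the topic bus is in-process. The two plugins parse an sshd "Failed password" line and a Snort alert line in the single-line "alert_fast" layout (format assumed); the log lines, IP addresses and the Snort rule id are constructed. The directives mirror the third pilot: five SSH failures from one host within 60 s become an "ssh_bruteforce" alert, and an IDS alert for a Modbus write is passed through as a cyber-alert.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    """Normalized event: what every plugin emits, whatever the input format."""
    ts: float        # epoch seconds, assigned by the sentinel when the line is read
    source: str      # plugin / event source name
    kind: str        # normalized event type that correlation directives match on
    src_ip: str
    detail: str


PLUGINS = {}


def plugin(name):
    """Register a parser for one event source; the sentinel picks it by source name."""
    def register(fn):
        PLUGINS[name] = fn
        return fn
    return register


SSHD_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


@plugin("sshd")
def parse_sshd(ts, line):
    m = SSHD_RE.search(line)
    return Event(ts, "sshd", "auth_failure", m.group(2), f"user={m.group(1)}") if m else None


# Snort alert_fast style line (layout assumed for this example)
SNORT_RE = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] (.+?) \[\*\*\].*? "
                      r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


@plugin("snort")
def parse_snort(ts, line):
    m = SNORT_RE.search(line)
    if not m:
        return None
    return Event(ts, "snort", "ids_alert", m.group(3),
                 f"sid={m.group(1)} dst={m.group(4)}:{m.group(5)} msg={m.group(2)}")


class Correlator:
    """Sliding-window directives: fire when `count` events of `kind` from one
    src_ip arrive within `window` seconds, then reset that window."""

    def __init__(self, directives):
        self.directives = directives          # dicts with name, kind, count, window
        self.windows = defaultdict(deque)     # (directive name, src_ip) -> timestamps

    def feed(self, ev):
        alerts = []
        for d in self.directives:
            if d["kind"] != ev.kind:
                continue
            dq = self.windows[(d["name"], ev.src_ip)]
            dq.append(ev.ts)
            while dq and ev.ts - dq[0] > d["window"]:
                dq.popleft()                  # drop events outside the window
            if len(dq) >= d["count"]:
                alerts.append({"alert": d["name"], "src_ip": ev.src_ip, "count": len(dq),
                               "first_ts": dq[0], "last_ts": ev.ts, "detail": ev.detail})
                dq.clear()                    # one alert per threshold crossing
        return alerts


class TopicBus:
    """In-process stand-in for the DDS publish/subscribe step."""

    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, topic, callback):
        self.subscribers[topic].append(callback)

    def publish(self, topic, msg):
        for cb in self.subscribers[topic]:
            cb(msg)


def run_sentinel(lines, directives, topic="CyberAlerts"):
    """lines: (source name, ts, raw line) as read from the monitored files.
    Returns the alerts a subscriber of `topic` (e.g. the COP) would receive."""
    bus, received = TopicBus(), []
    bus.subscribe(topic, received.append)
    corr = Correlator(directives)
    for source, ts, raw in lines:
        parser = PLUGINS.get(source)
        ev = parser(ts, raw) if parser else None   # unknown source or unparsable line: dropped
        if ev is None:
            continue
        for alert in corr.feed(ev):
            bus.publish(topic, alert)
    return received


DIRECTIVES = [
    {"name": "ssh_bruteforce", "kind": "auth_failure", "count": 5, "window": 60.0},
    {"name": "ids_passthrough", "kind": "ids_alert", "count": 1, "window": 0.0},
]

# Constructed sample input: six sshd failures from one host in 20 s, one from another
# host, a Snort alert for a Modbus write to the SCADA host, and a line with no plugin.
SAMPLE = [("sshd", 1000.0 + 4 * i,
           f"Jun 20 10:00:0{i} scada sshd[4321]: Failed password for root from 10.0.0.5 port 5{i}000 ssh2")
          for i in range(6)]
SAMPLE.append(("sshd", 1010.0, "Jun 20 10:00:10 scada sshd[4322]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2"))
SAMPLE.append(("snort", 1100.0, "06/20-10:01:40.000000  [**] [1:1000002:1] Modbus write single register [**] [Priority: 1] {TCP} 10.0.0.5:43210 -> 10.0.0.20:502"))
SAMPLE.append(("cctv", 1101.0, "frame drop"))

if __name__ == "__main__":
    for alert in run_sentinel(SAMPLE, DIRECTIVES):
        print(alert)
```

The point of the plugin registry is the decoupling asked for in the challenges: adding a new probe means adding one parser that emits `Event`, while the directives and the publishing path stay untouched. Note the sixth sshd failure does not fire a second alert because the window was reset after the fifth; whether to reset or to keep alerting on every further event is a directive design choice.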
ZONeSEC Operations
ZONeSEC On-site Integration Pilots (OIP)
Pilot 1. Incident on a Highway - ACCIONA
Pilot 2. Highway - ATTIKES DIADROMES
Pilot 3. Water pipelines Surveillance - AQUASERV
Pilot 4. Transnational Gas Pipeline Networks - DESFA
First OIP: Madrid, Nov 2015
The first OIP was held at ACCIONA premises near Madrid. It was the first real integration of:
• Vibrational sensors
• Common Operational Picture
• IDAS sensor
The architecture was still a skeleton:
• Proof of concept
• First real field approximation
Second OIP: Athens, Dec 2016
https://sway.com/13luBZqd53wJj7Vu
The second OIP was held at the Athens ATTD premises near the airport: the technical building at the Vrilissia tunnel, where most of the equipment was installed, and the Operations Center of Attikes Diadromes, hosting the remote Common Operational Picture (COP) and the data fusion subsystem (SDAIM).
• Final architecture
• Final communication layer
• Proof of concept with detection of sabotage and explosions
Third OIP: Romania, June 2017
The third OIP was held at several sites in Romania related to water infrastructure.
• The first cybersecurity development was tested.
• Detection of an SSH brute-force login attack against a SCADA honeypot deployed on the same network as the real SCADA system.
• Detection of a value change in that SCADA honeypot.
• For the first time, the scenario included three premises distributed around the Târgu Mures area.
Next final users conference
The October 18-19th user conference will be held in Athens:
• The objective is to create awareness and collect feedback
• The focus will be on final expectations and market take-up
• We expect more than 20 CIP operators or related companies
CyberWISER project
https://www.youtube.com/watch?v=fpHTVE4viYw
NIST SP 800-55
• Implementation measures, to measure execution of security policy;
• Effectiveness/efficiency measures, to measure results of security services delivery; and
• Impact measures, to measure business or mission consequences of security events.
Thank you for your time!
Q&A
Aljosa Pasic
aljosa.pasic@atos.net
Editor's Notes

• #17 The target SCADA server will be simulated using the SCADA honeypot Conpot. A VM with Conpot (http://conpot.org/) will be deployed in the AQS network.
• First, an SSH brute-force login attack against this SCADA honeypot will be detected. For this task the attacker will use the password-cracking tool THC-Hydra.
• Second, a value in the SCADA will be changed. The attack will be done using the SCADA modules available in Metasploit (https://www.metasploit.com/).
• The detection of both attacks will be done using the IDS Snort (https://www.snort.org/), deployed together with the cyber-agent in a VM connected to the same network as the honeypot.
Alert flow: the cyber-agent sends its position. When the cyber-agent detects something, an alert goes to the core, to the COP, to the historical alert service and to the mobile COP. The COP acknowledges; the core receives the acknowledgement and sends it to the historical service. The COP qualifies the alert; the core receives the qualification and sends it to the historical service.
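The alert flow in the note above (raise, fan out to the COPs and the historical service, acknowledge, qualify) is modelled in the following added example; it is not ZONeSEC code. Two things the note does not state are assumed here and marked in the code: that an alert must be acknowledged before it can be qualified, and that a qualification is one of "true_positive" or "false_positive". The COPs and the historical service are in-memory stand-ins, and the alert itself is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    NEW = "new"                    # raised by the cyber-agent, shown on the COPs
    ACKNOWLEDGED = "acknowledged"  # an operator has seen it
    QUALIFIED = "qualified"        # an operator has judged it


@dataclass
class HistoricalService:
    """Append-only record: every alert and every operator action on it is kept."""
    records: list = field(default_factory=list)

    def store(self, alert_id: str, action: str, **fields) -> None:
        self.records.append({"alert_id": alert_id, "action": action, **fields})


class COP:
    """Common Operational Picture (fixed or mobile): records what it was shown."""

    def __init__(self, name: str):
        self.name, self.shown = name, []

    def show(self, alert: dict) -> None:
        self.shown.append(alert["alert_id"])


class Core:
    """Integration component: fans alerts out, enforces the acknowledge -> qualify
    order (an assumption of this example) and logs every step to the historical service."""
    VERDICTS = ("true_positive", "false_positive")   # assumed qualification values

    def __init__(self, history: HistoricalService, cops: list):
        self.history = history
        self.cops = cops
        self.state = {}            # alert_id -> State

    def on_cyber_alert(self, alert: dict) -> bool:
        aid = alert["alert_id"]
        if aid in self.state:      # duplicate delivery from the agent: not shown twice
            return False
        self.state[aid] = State.NEW
        self.history.store(aid, "raised", **{k: v for k, v in alert.items() if k != "alert_id"})
        for cop in self.cops:
            cop.show(alert)
        return True

    def on_acknowledge(self, aid: str, operator: str) -> bool:
        if self.state.get(aid) is not State.NEW:
            return False           # unknown alert, or already acknowledged
        self.state[aid] = State.ACKNOWLEDGED
        self.history.store(aid, "acknowledged", operator=operator)
        return True

    def on_qualify(self, aid: str, operator: str, verdict: str) -> bool:
        if self.state.get(aid) is not State.ACKNOWLEDGED or verdict not in self.VERDICTS:
            return False           # must be acknowledged first; verdict must be a known value
        self.state[aid] = State.QUALIFIED
        self.history.store(aid, "qualified", operator=operator, verdict=verdict)
        return True


def demo_flow():
    """Run the pilot's flow once, including a duplicate and an out-of-order message."""
    history = HistoricalService()
    cop, mobile = COP("cop"), COP("mobile-cop")
    core = Core(history, [cop, mobile])
    alert = {"alert_id": "cyber-0001", "name": "ssh_bruteforce", "src_ip": "10.0.0.5"}  # constructed
    outcomes = [
        core.on_cyber_alert(alert),                                  # True
        core.on_cyber_alert(alert),                                  # False: duplicate
        core.on_qualify("cyber-0001", "op-1", "true_positive"),      # False: not acknowledged yet
        core.on_acknowledge("cyber-0001", "op-1"),                   # True
        core.on_acknowledge("cyber-0001", "op-2"),                   # False: already acknowledged
        core.on_qualify("cyber-0001", "op-1", "true_positive"),      # True
    ]
    return outcomes, history.records, cop.shown, mobile.shown


if __name__ == "__main__":
    for item in demo_flow():
        print(item)
```

Keeping the historical service append-only, with the operator named on every acknowledgement and qualification, is what later makes the pilot's alerts reviewable: the record shows who saw an alert, when, and what they decided, independently of the current state held by the core.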