The SCISSOR approach to establishing situational awareness in Industrial Control Systems

The SCISSOR project designed a scalable SCADA security monitoring framework with the following characteristics: i) integration of a wide range of heterogeneous sensors; ii) a dynamically adaptable, distributed data aggregation framework; iii) advanced detection and correlation models as extensions to a conventional SIEM; iv) exploitation of modern cloud-computing concepts. Thanks to this framework, situational awareness is established in a scalable manner in near real-time by correlating events coming from very heterogeneous sensors.

  1. The SCISSOR approach to establishing situational awareness in Industrial Control Systems. Stefano Salsano (University of Rome “Tor Vergata”/CNIT), Christof Brandauer (Salzburg Research). Symposium on Innovative Smart Grid Cybersecurity Solutions, Vienna, 13th and 14th March 2017.
  2. The SCISSOR Project (Security In trusted SCADA and smart-grids). Partners: Assystem Engineering and operation services (FR); AGH University of Science and Technology of Krakow (PL); UPMC University Pierre and Marie Curie (FR); SixSq Sàrl (CH); Consorzio Nazionale Interuniversitario per le Telecomunicazioni (IT); RADIO6ENSE (IT); Salzburg Research Forschungsgesellschaft mbH (AT); Katholieke Universiteit Leuven (BE); SEA Società Elettrica di Favignana S.p.a. (IT).
  3. SCISSOR in a nutshell: a highly scalable ICS/SCADA security monitoring framework.
     • Integration of a wide range of heterogeneous sensors
     • A dynamically adaptable, distributed data aggregation framework
     • Advanced detection and correlation models as extensions to a conventional SIEM
     • Exploitation of modern cloud-computing concepts
  4. Architecture (diagram).
  5. The Favignana test-bed (photo).
  6. Installation in Favignana: inside the cabin (photo).
  7. Installation in Favignana: inside the cabin (photo).
  8. SCISSOR test-bed topology (diagram). Labels: Smart Camera, 4G Router, Public IP, VPN Gateway, RFID Antennas, VPN Client, RFID Reader, Network TAP, SEA HiperLAN, Cabin Switch, SCADA device, SCISSOR testbed, RFID Sensors, SEA SCADA Supervisory, Enhanced SIEM, Threat detection modules, Cloud in a box, Decision & Analysis Layer, Assystem SCADA Supervisory, Assystem SCADA PLCs, Datacenter Cloud.
  9. SCISSOR test-bed software components (diagram). Labels: kafka, flume, zookeeper, logstash, SIEM, HMI, Bayesian networks, robust statistics, developers’ console; data sources: Paris SCADA Lab Environment, Favignana Smart Grid, cameras, environment sensors, network monitoring, SCADA.
  10. Situational awareness is established in a scalable manner in near real-time by correlating events coming from very heterogeneous sensors.
  11. Situational awareness, authorized access:
      1. Door open: somebody is inside
      2. Badge detection: the system recognizes the technician
      3. The technician turns on the light
      4. The technician opens a cabinet
      5. The technician gets close to the exit door and turns off the light; the system records the exit
  12. Situational awareness, unauthorized access and tampering:
      1. Door open: somebody is inside
      2. No badge detection: the person is not authorized and may be classified as an intruder
      3. The intruder turns on the light only for a short time: maybe a torch is used instead
      4. The intruder opens a cabinet
      5. The temperature inside the cabinet increases: possible tampering
      6. The intruder opens the door and exits
  13. Situational awareness: events can be correlated in the SIEM correlation engine (Decision and analysis layer); events can also be “pre-processed” and aggregated to achieve scalability (local correlation in the Control and coordination layer).
  14. Thank you. Questions? Contacts: Stefano Salsano, University of Rome Tor Vergata / CNIT, stefano.salsano@uniroma2.it; Christof Brandauer, Salzburg Research, Austria, christof.brandauer@salzburgresearch.at. This presentation on SlideShare: https://www.slideshare.net/stefanosalsano/the-scissor-approach-to-establishing-situational-awareness-in-industrial-control-systems
  15. The SCISSOR project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 644425 (Research and Innovation Action). The information given is the author’s view and does not necessarily represent the view of the European Commission (EC). No liability is accepted for any use that may be made of the information contained.
  16. Additional information.
  17. SCISSOR partners details (1/3). Partner name & country, partner type, key roles and technical skills in the project:
      • Assystem AEOS, France (large company): project coordination; data protection; ID-based cryptography; identity management & AC; SCADA systems; human-machine interface; test platform.
      • AGH University of Science and Technology of Krakow, Poland (academy): video surveillance & pattern recognition; security and cryptography; agent-based SCADA & system monitoring.
      • UPMC University Pierre and Marie Curie, France (academy): SIEM design; decision and probability theory (dynamic Bayesian networks); graphical models; scalable big data analytics.
  18. SCISSOR partners details (2/3):
      • SixSq Sàrl, Switzerland (SME): software integration and testing expertise; cloud expertise and technologies; automated cloud deployment; systems architecture and design.
      • Consorzio Nazionale Interuniversitario per le Telecomunicazioni (CNIT), Italy (research center): technical project coordination; overall system architecture; traffic monitoring and stream analytics; platform-independent API for monitoring; attribute-based encryption; smart grid engineering; HMI usability design and assessment.
      • Radio6ense, Italy (SME): pervasive sensor tags; sensor data gathering and filtering; mobile data acquisition devices.
  19. SCISSOR partners details (3/3):
      • Salzburg Research Forschungsgesellschaft mbH, Austria (research center): control framework; monitoring agents design; semantic modelling of events; security policies.
      • Katholieke Universiteit Leuven, Belgium (academy): detection of abnormal values in multivariate, high-dimensional data sets; robust dimensionality reduction.
      • Società Elettrica Favignana, Italy (power plant and smart grid provider): requirements; integration with the existing SCADA; roll-out of the real-world trial.
  20. Monitoring layer: wireless passive sensor network (PSN) for environment monitoring (diagram). Labels: water/humidity + RSSI, temperature, light, NUVLA Box, RFID reader, LAN cable, electrical equipment stack, antenna 1, antenna 2, camera. Events: authorized and unauthorized access; equipment overload; flooding and fire; human interaction with devices; device tampering.
  21. Monitoring layer, environment sensors: radioBOARD layout (diagram, 67 mm × 28 mm). The board may be configured for different applications and placements by connecting or disconnecting electrical traces. Labels: electromagnetic coupler with tuning elements; expander for external sensors plus optional battery/solar cell; energy harvester with tuning elements.
  22. Test bed, environment sensors: events & sensors: access; flooding; humidity and light; temperature (harness overload); tampering.
  23. Test bed, environment sensors: device placements of reader and antennas (photos).
  24. Test bed, environment sensors: device placements for access and light (light sensor, door-open sensor) (photos).
  25. Test bed, environment sensors: device placement for temperature (transformer overload, PT-1000; cabinet temperature) (photos).
  26. Test bed, environment sensors: device placement for manual tampering (photo).
  27. Demo, integration: SCADA logs. Demo steps:
      • Logs were collected from a simulated electrical network SCADA system
      • these logs are sent by beats to the Edge Agent
      • classical log parser
      • transformation and publishing to SMI
      @datasource:[/opt/zmq-bash-push]: ./play_scada.sh &
  28. Demo, integration: environmental sensors. Demo steps:
      • sensor data was measured by the Radio6ense prototype installed in Favignana
      • sent to the Edge Agent via ZeroMQ
      • parsing of native sensor output
      • transformation and publishing to SMI
      • dynamic reconfiguration of the Edge Agent filtering: drop / forward RSSI data
      @datasource:[/opt/zmq-bash-push]: ./play_envfile.sh &
  29. Demo, integration: network monitoring. Demo steps:
      • live integration of a distributed streamon instance
      • the streamon probe is configured to detect Modbus device scans
      • replay of such a previously recorded device scan
      • detection by the streamon probe, emission of alerts towards the Edge Agent via ZeroMQ
      • parsing of the native streamon output
      • transformation and publishing to SMI
      @streamon:[/home/vagrant/Streamon]: ./start.sh config/modbus_device_scan.xml
      @streamon:[/home/vagrant/Streamon]: tcpreplay -i eth1 config/traces/device_scan.pcap
      1456245861397357097 00000001 E1 LOW "Modbus Device Scanning Suspected" ip_src=127.0.0.30 ip_dst=127.0.0.5 rate=2.147463 dst_port=502
      1456245866421830452 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.15 rate=3.121049 dst_port=502
      1456245866421874608 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.12 rate=3.526514 dst_port=502
      1456245866432175844 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.17 rate=3.931980 dst_port=502
  30. Demo, integration: smart camera. Demo steps:
      • Events were produced by a Smart Camera (analysis of a video presented in the morning session)
      • these events are sent to the Edge Agent via ZeroMQ, with the original timing preserved
      • parsing of the native sensor output
      • transformation and publishing to SMI
      @datasource:[/opt/zmq-bash-push]: ./play_camfile.sh &
  31. SIEM design & development: SCISSOR's SIEM is Prelude SIEM (diagram). Labels: Routers, Switches, Mail Servers, OS, Servers, Firewalls, Databases (Logs); Snort IDS, Other IDS (IDMEF Alerts); Prelude-LML; Prelude-Manager; Prelude-Correlator; Administration Console (Apache + Prewikka, HTTPS); TLS links between the components.
  32. A use case for SCISSOR validation: SCADA platform in the Assystem testbed (Assystem advanced SCADA platform). A virtualized process: complex scenarios handling; direct occurrences of process events; systemic approach. A generic SCADA-based system: PLC-based control; use of industrial protocols; typical SCADA HMI; logs generation (process monitoring, supervision/PLC software, operating systems); historian; reporting.
  33. Cloud platform and integration: distributed cloud platform, with seamless integration of a traditional Datacenter Cloud platform and a “Cloud-in-a-box” platform.
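The authorized and unauthorized access scenarios of slides 11 to 13 can be expressed as a small local correlation rule of the kind the Control and coordination layer would run. The following Python is an added example, not SCISSOR project code; the event fields, the thresholds and the two sample sequences are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: float       # seconds since the door-open event (constructed clock)
    sensor: str    # door, badge, light, cabinet, temperature
    value: object  # "open"/"exit", badge id, "on"/"off", degrees Celsius

BADGE_GRACE_S = 30.0   # a badge read this long after door-open counts as authorized (assumed)
SHORT_LIGHT_S = 10.0   # a light pulse shorter than this suggests a torch was used (assumed)
TEMP_RISE_C = 5.0      # cabinet temperature rise that suggests tampering (assumed)

def assess_access(events):
    """Correlate one door-open .. exit session into an access verdict (slides 11/12)."""
    ev = sorted(events, key=lambda e: e.t)
    if not ev or ev[0].sensor != "door" or ev[0].value != "open":
        return {"session": False}  # no door-open event: nothing to correlate
    t_open = ev[0].t
    badged = any(e.sensor == "badge" and e.t - t_open <= BADGE_GRACE_S for e in ev)
    ons = [e.t for e in ev if e.sensor == "light" and e.value == "on"]
    offs = [e.t for e in ev if e.sensor == "light" and e.value == "off"]
    short_light = any(0 < off - on < SHORT_LIGHT_S for on in ons for off in offs)
    cabinet_opened = any(e.sensor == "cabinet" and e.value == "open" for e in ev)
    temps = [e.value for e in ev if e.sensor == "temperature"]
    temp_rise = max(temps) - temps[0] if len(temps) >= 2 else 0.0
    exited = any(e.sensor == "door" and e.value == "exit" for e in ev)
    tampering = cabinet_opened and temp_rise >= TEMP_RISE_C
    if badged:
        verdict = "authorized"          # slide 11: technician recognized by badge
    elif tampering:
        verdict = "intruder_tampering"  # slide 12: no badge and the cabinet heats up
    else:
        verdict = "intruder"            # slide 12: no badge, no tampering evidence yet
    return {"session": True, "verdict": verdict, "badged": badged,
            "short_light": short_light, "cabinet_opened": cabinet_opened,
            "temp_rise": temp_rise, "exited": exited}

# Constructed sample sequences mirroring slides 11 and 12
TECHNICIAN = [Event(0, "door", "open"), Event(4, "badge", "TECH-042"),
              Event(9, "light", "on"), Event(40, "cabinet", "open"),
              Event(41, "temperature", 24.0), Event(300, "temperature", 25.0),
              Event(900, "light", "off"), Event(905, "door", "exit")]
INTRUDER = [Event(0, "door", "open"), Event(6, "light", "on"), Event(9, "light", "off"),
            Event(30, "cabinet", "open"), Event(31, "temperature", 24.0),
            Event(400, "temperature", 31.5), Event(420, "door", "exit")]

if __name__ == "__main__":
    for name, seq in (("technician", TECHNICIAN), ("intruder", INTRUDER)):
        print(name, assess_access(seq))
```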

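The alert lines on slide 29 are the native streamon output that the Edge Agent has to parse before transforming it for the SMI. This Python is an added example, not streamon or SCISSOR code; the field layout is inferred from the four sample lines and the record keys and the per-source aggregation are my own assumptions.

```python
import re
from collections import defaultdict
# The four streamon alert lines from slide 29, embedded here as sample input
SAMPLE_ALERTS = """\
1456245861397357097 00000001 E1 LOW "Modbus Device Scanning Suspected" ip_src=127.0.0.30 ip_dst=127.0.0.5 rate=2.147463 dst_port=502
1456245866421830452 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.15 rate=3.121049 dst_port=502
1456245866421874608 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.12 rate=3.526514 dst_port=502
1456245866432175844 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.17 rate=3.931980 dst_port=502
"""

# Assumed layout: <ns timestamp> <probe id> <event code> <severity> "<message>" key=value ...
ALERT_RE = re.compile(
    r'^(?P<ts>\d+)\s+(?P<probe>\S+)\s+(?P<code>E\d+)\s+(?P<sev>[A-Z]+)\s+'
    r'"(?P<msg>[^"]*)"\s*(?P<kv>.*)$')

def parse_alert(line):
    """Parse one native streamon alert line into a normalized record, or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.partition("=")[::2] for tok in m.group("kv").split() if "=" in tok)
    return {
        "ts_ns": int(m.group("ts")),       # 1456245861... is Feb 2016 in nanoseconds
        "probe_id": m.group("probe"),
        "event_code": m.group("code"),     # E1 = suspected, E2 = detected on the slide
        "severity": m.group("sev"),
        "message": m.group("msg"),
        "src_ip": kv.get("ip_src"),
        "dst_ip": kv.get("ip_dst"),
        "dst_port": int(kv["dst_port"]) if "dst_port" in kv else None,
        "rate": float(kv["rate"]) if "rate" in kv else None,
    }

def summarize_scans(text, modbus_port=502):
    """Aggregate alerts per source IP into one record the Edge Agent could forward."""
    per_src = defaultdict(lambda: {"targets": set(), "max_severity": "LOW",
                                   "first_ns": None, "last_ns": None})
    rank = {"LOW": 0, "HIGH": 1}  # only these two severities appear on the slide
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or a["dst_port"] != modbus_port:
            continue  # skip unparsable lines and non-Modbus alerts
        s = per_src[a["src_ip"]]
        s["targets"].add(a["dst_ip"])
        if rank.get(a["severity"], 0) > rank.get(s["max_severity"], 0):
            s["max_severity"] = a["severity"]
        s["first_ns"] = a["ts_ns"] if s["first_ns"] is None else min(s["first_ns"], a["ts_ns"])
        s["last_ns"] = max(s["last_ns"] or 0, a["ts_ns"])
    return dict(per_src)
```

The summary shows what the four alerts say together: one source probing four distinct Modbus targets on port 502 within about five seconds, with the severity escalating from LOW to HIGH.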