Transcript of: Data Analytics for a Secure Smart Grid - The SPARKS Project
© The SPARKS Consortium EU FP7 Programme Contract No. 608224
Data Analytics for a Secure Smart Grid
Dr. Silvio La Porta, Senior Research Scientist, EMC Research Europe, Ireland COE
Agenda
– APT modus operandi
– Data Analysis and Security
– SPARKS Data Analytics Module
Anatomy of an Attack | Anatomy of a Response
APT Kill Chain
Advanced Persistent Threat (APT)
– Phishing and Zero Day Attack: a handful of users are targeted by two phishing attacks; one user opens the zero-day payload (CVE-02011-ZZZX)
– Backdoor: the user's machine is accessed remotely by a RAT such as PlugX
– Lateral Movement: the attacker elevates access to important user, service and admin accounts, as well as specific systems
– Data Gathering: data is acquired from target servers and staged for exfiltration
– Exfiltrate: data is exfiltrated as an encrypted file over FTP to an external, compromised machine at a hosting provider
Traditional Security Is Not Working
Source: Verizon 2013 Data Breach Investigations Report
– 97% of breaches led to compromise within “days” or less, with 72% leading to data exfiltration in the same time
– 78% of breaches took “weeks” or more to discover; 66% took “months or more”
Big Data on Security
More sophisticated adversaries and sophisticated methods. Limited human capacity combined with massive amounts of events:
– 40% of all survey respondents are overwhelmed with the security data they already collect
– 35% have insufficient time or expertise to analyse what they collect
Security tools, tactics and defences are becoming outdated:
– Content is static and not as dynamic as the threat landscape
– Segregated by too many point products, tool interfaces, disparate data sets
Source: EMA, The Rise of Data-Driven Security, Crawford, Aug 2012 (survey sample size = 200)
Evolution of Data Analytics in Security
– BI and Compliance driven: data goes in, hard to extract value
– Investigation driven: fast queries over large data
– Behavior metrics driven: single source metrics, single correlation, rule based, high false positive rate
– Data-science driven: leverage full contextual info, multi-source, automatic, for low false positives
Data Science: The Next Security Frontier
– Beyond signatures
– Beyond simple metrics for thresholding
– Beyond manual engineering of rules
– Monitor each and every entity in its environmental context, with a 360° view over a long time window and with advanced mathematics
Today’s Security Requirements
– Comprehensive Visibility: “See everything happening in my environment and normalize it”
– High Powered Analytics: “Give me the speed and smarts to detect, investigate and prioritize potential threats”
– Big Data Infrastructure: “Need a fast and scalable infrastructure to conduct real time and long term analysis”
– Integrated Intelligence: “Help me understand what to look for and what others have discovered”
Applying Intelligence Driven Security Analytics (architecture diagram, labels only): Systems, Data, Network, Public & Private Threat Intelligence, Big Data Store, Analytics Apps, Investigate & Analyze, Visualize, Alert & Report, Respond, Governance, Compliance, Incident Management, Remediation
SPARKS’ Security Analytics Test Environment (diagram, labels only):
– Enable new (?) attacks; NESCOR attack trees; formulation; pattern generation
– Data sources: SCADA, BMS, DB (e.g. WSN), <new sources>, power measurements, log files
– Example of AMI.29: Unauthorized Device Acquires HAN Access and Steals Private Information
– Demo site attack down-selection; final demonstration
– Use Security Analytics as inputs for designing resilient control algorithms
– LIVE: install Security Analytics solutions in UTRC; middleware; SCADA controller; SCADA NEODYNE
SPARKS Sec. Info. Analytics Component
The module will be composed of two main components:
– Static Rules Validator
– Auto-Detector
(Diagram labels: SCADA Controller, SPARKS Sec. Info. Analytics Component, Static Rules Validator, Auto-Detector, Resilient Control System, G.U.I.)
Static Rules Validator
The component will search for violations of the system’s assertions:
– The Rules List contains the assertions to verify
– The Adapter translates the rules into a common language
– The Parser gets the rules and searches for negative or positive outliers
(Diagram labels: Static Rules Validator, Rules list, Parser, Adapter)
Intra-Meter Security Analytics
28 Measured Variables, including VA, VB, VC, IA, IB, IC, IN, PA, PB, PC
18 Calculated Variables: VAB, VBC, VCA; QA, SA; QB, SB; QC, SC; PTotal, QTotal, STotal; Power Factor; EActive+, EActive-; EReactive+, EReactive-; EApparent
28 + 18 = 46 cross-checking values; ~2 months of data, 14.5 million observations
Intra-Meter Security Analytics
18 Cross-Checking Equations, e.g. the voltage phase check (law of cosines over the phase and line-to-line voltages; the three phasor angles must sum to a full turn):
$$\cos^{-1}\frac{V_A^2+V_B^2-V_{AB}^2}{2V_AV_B}+\cos^{-1}\frac{V_B^2+V_C^2-V_{BC}^2}{2V_BV_C}+\cos^{-1}\frac{V_C^2+V_A^2-V_{CA}^2}{2V_CV_A}=360°$$
Variables shown: VA, VB, VC, IA, IB, IC, IN, VAB, VBC, VCA
Real Time Analysis
Equations need not be followed exactly, e.g. because of unsynchronised sampling
We let the rule be followed approximately: for each equation, the difference or ratio of LHS and RHS is calculated
$$\text{Error}=\frac{1}{2\pi}\left[\cos^{-1}\frac{V_A^2+V_B^2-V_{AB}^2}{2V_AV_B}+\cos^{-1}\frac{V_B^2+V_C^2-V_{BC}^2}{2V_BV_C}+\cos^{-1}\frac{V_C^2+V_A^2-V_{CA}^2}{2V_CV_A}\right]$$
We calculate and store histograms of all errors in normal operation
In real time, we evaluate the current error and compute its probability
If the probability is too low, we flag the equation and display the total number of equations violated
Daily Analysis
At the end of the day, we compute the histogram for the day’s errors
We use the Kullback-Leibler distance of this histogram from the historical distribution as a measure to check whether a deviation exists
If the deviation is too high, we generate an alarm indicating that an attack might have been present during the whole day
Nominal Value Check
Rules list example:
"Phase A Active Power Error", "Phase B Active Power Error", "Phase C Active Power Error", "Phase A Reactive Power Error", "Phase B Reactive Power Error", "Phase C Reactive Power Error", "Phase A Apparent Power Error 1", "Phase B Apparent Power Error 1", "Phase C Apparent Power Error 1", "Phase A Apparent Power Error 2", "Phase B Apparent Power Error 2", "Phase C Apparent Power Error 2", "Total Active Power Error", "Total Apparent Power Error", "Power Factor Error 1", "Power Factor Error 2", "Voltage Phase Error", "Neutral Current Error"
Nimbus Meters
Global View
Meter E01, last 24 h detections. Number of observations in a day = 1935360
Detail of a Meter (EM10) (plot residue): x axis Time; y axes Number of Nominal Value Outliers and Number of Rules that generated outliers; annotations: Disconnection, Connected Back, Threshold to trigger the alarm
Distribution Distance
The system checks the current day distribution against the historical data distribution using the Kullback-Leibler distance.
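As an added example (not code from the SPARKS project or the presentation), the following Python sketch implements the voltage phase rule from the Intra-Meter slides in its ratio form, the histogram-based real-time probability check, and the end-of-day Kullback-Leibler comparison against history. The readings, bin width and thresholds are constructed assumptions, not SPARKS meter data or tuned values.

```python
import math
import random
from collections import Counter

def voltage_phase_error(va, vb, vc, vab, vbc, vca):
    """Ratio form of the 'Voltage Phase Error' rule: the three phasor angles
    recovered with the law of cosines must sum to 2*pi (360 degrees)."""
    def angle(x, y, xy):
        # clamp guards against rounding pushing the cosine outside [-1, 1]
        return math.acos(max(-1.0, min(1.0, (x*x + y*y - xy*xy) / (2*x*y))))
    return (angle(va, vb, vab) + angle(vb, vc, vbc) + angle(vc, va, vca)) / (2*math.pi)

def histogram(errors, width):
    """Relative frequency per bin; built once from normal-operation errors."""
    counts = Counter(round(e / width) for e in errors)
    return {b: c / len(errors) for b, c in counts.items()}

def realtime_flag(error, hist, width, p_min):
    """Real-time check: flag the rule if the current error is improbable."""
    return hist.get(round(error / width), 0.0) < p_min

def kl_distance(day_hist, hist_hist, eps=1e-9):
    """Kullback-Leibler distance D(day || historical); eps smooths bins the
    historical data never produced so the logarithm stays finite."""
    return sum(p * math.log(p / hist_hist.get(b, eps)) for b, p in day_hist.items())

def daily_alarm(day_errors, hist, width, d_max):
    """End-of-day check: KL distance of the day's histogram from history."""
    d = kl_distance(histogram(day_errors, width), hist)
    return d, d > d_max

# Constructed sample data (not SPARKS measurements): a balanced 230 V system,
# line-to-line voltages 230*sqrt(3), each reading jittered by about 0.1 %.
def sample_errors(n, seed, vab_scale=1.0):
    rng = random.Random(seed)
    ll = 230 * math.sqrt(3)
    out = []
    for _ in range(n):
        v = [x * (1 + rng.gauss(0, 0.001)) for x in (230, 230, 230, ll, ll, ll)]
        v[3] *= vab_scale  # a scaled V_AB models a tampered line-to-line reading
        out.append(voltage_phase_error(*v))
    return out

# Assumed bin width and thresholds; the historical histogram is learned from
# ~20000 constructed normal-operation observations.
WIDTH, P_MIN, D_MAX = 0.002, 0.01, 0.5
HISTORY = histogram(sample_errors(20000, seed=1), WIDTH)
```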
Auto-Detector
The component will use machine learning techniques to evaluate the entire system state:
– The Rules Extractor gets data from the last readings
– The Historical KB compares the new features with the system history
– The Evaluator uses a tolerance to reduce false positives and noise
(Diagram labels: Auto-Detector, Rules Extractor, Evaluator, Historical KB)
Work in progress
Data analytics algorithm basic features:
– Pattern detection and pattern violation (example: a battery is charged every day between 7am-12am and discharged between 6pm-10pm)
– Inter-meter checks
– Dynamic rules and checks in the interface
– Interactive interface to zoom in on time frames
Thank you for your attention. Questions?