The SCISSOR approach to establishing situational awareness in Industrial Control Systems · 2017. 4. 6.
The SCISSOR approach to establishing situational awareness in Industrial Control Systems Stefano Salsano – University of Rome “Tor Vergata”/CNIT Christof Brandauer – Salzburg Research
Symposium on Innovative Smart Grid Cybersecurity Solutions Vienna, 13th and 14th March, 2017
The SCISSOR Project
Security In trusted SCADA and smart-grids
Assystem Engineering and operation services (FR)
AGH University of Science and Technology of Krakow (PL)
UPMC university Pierre and Marie Curie (FR)
SixSq Sàrl (CH)
Consorzio Nazionale Interuniversitario per le Telecomunicazioni (IT)
RADIO6ENSE (IT)
Salzburg Research Forschungsgesellschaft mbH (AT)
Katholieke Universiteit Leuven (BE)
SEA Società Elettrica di Favignana S.p.a. (IT)
SCISSOR in a nutshell
A highly scalable ICS/SCADA security monitoring framework
• Integration of a wide range of heterogeneous sensors
• A dynamically adaptable, distributed data aggregation framework
• Advanced detection and correlation models as extensions to a conventional SIEM
• Exploitation of modern cloud-computing concepts
Architecture
The Favignana Test-bed
Installation in Favignana Inside the Cabin
SCISSOR testbed in Favignana (diagram). Cabin side: smart camera; RFID antennas, RFID reader and RFID sensors; network TAP on the cabin switch; the SCADA device; a 4G router with a public IP, VPN gateway and VPN client; the SEA HiperLAN link to the SEA SCADA supervisory. Datacenter cloud side: cloud in a box (with its own VPN client), enhanced SIEM, threat detection modules and the Decision & Analysis Layer; the Assystem SCADA supervisory and the Assystem SCADA PLCs.
SCISSOR testbed (diagram). Sources: the Paris SCADA Lab environment and the Favignana smart grid. Sensor types: cameras, environment sensors, network monitoring, SCADA, developers' console. Pipeline and analysis components: logstash, flume, kafka, zookeeper, Bayesian networks, robust statistics, SIEM, HMI.
Situational awareness
Situational awareness is established in a scalable manner in near real-time by correlating events coming from very heterogeneous sensors.
Authorized access
1. Door open: somebody is inside
2. Badge detection: the system recognizes the technician
3. The technician turns on the light
4. The technician opens a cabinet
5. The technician gets close to the exit door and turns off the light; the system records the exit
Unauthorized access and tampering
1. Door open: somebody is inside
2. No badge detection: the person is not authorized and may be classified as an intruder
3. The intruder turns on the light only for a short time: maybe a torch is used instead
4. The intruder opens a cabinet
5. The temperature inside the cabinet increases: possible tampering
6. The intruder opens the door and exits.
Situational awareness
Events can be correlated in the SIEM correlation engine (Decision and Analysis Layer).
Events can be "pre-processed" and aggregated to achieve scalability (local correlation in the Control and Coordination Layer).
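As an added example (not SCISSOR project code), the following Python sketches the local, per-cabin correlation that the two scenario slides describe: the raw sensor events of one visit (door, badge, light, cabinet, temperature) are collapsed into a single classified event before anything is forwarded upstream, which is the "pre-process and aggregate" step. The event kinds, the badge id, the thresholds and the two sample traces are constructed for the example and are not project values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since the start of the visit trace
    kind: str            # door_open, badge, light_on, light_off, cabinet_open, temp, door_close
    value: float = 0.0   # badge id for "badge", cabinet temperature in C for "temp"


# Constructed: badge ids the cabin technicians carry (hypothetical value).
AUTHORIZED_BADGES = frozenset({4711})


def correlate_cabin_visit(events, authorized=AUTHORIZED_BADGES,
                          badge_window=30.0, torch_max=15.0, temp_rise=3.0):
    """Collapse the raw events of one cabin visit into one classified event.

    Thresholds are assumptions for the example, not project values.
    Returns {"classification", "severity", "indicators"}.
    """
    events = sorted(events, key=lambda e: e.ts)
    opened = next((e.ts for e in events if e.kind == "door_open"), None)
    if opened is None:
        return {"classification": "no_presence", "severity": "info", "indicators": []}
    indicators = []

    # Steps 1-2: door open, then an authorized badge read shortly afterwards.
    badge_ok = any(e.kind == "badge" and e.value in authorized
                   and 0.0 <= e.ts - opened <= badge_window for e in events)
    if not badge_ok:
        indicators.append("no authorized badge within %.0f s of door open" % badge_window)

    # Step 3: light switched on only briefly suggests a torch was used instead.
    light_on = None
    for e in events:
        if e.kind == "light_on":
            light_on = e.ts
        elif e.kind == "light_off" and light_on is not None:
            if e.ts - light_on <= torch_max:
                indicators.append("light on for only %.0f s: torch use?" % (e.ts - light_on))
            light_on = None

    # Steps 4-5: cabinet opened, then its temperature rises: possible tampering.
    cabinet = next((e.ts for e in events if e.kind == "cabinet_open"), None)
    tamper = False
    if cabinet is not None:
        before = [e.value for e in events if e.kind == "temp" and e.ts < cabinet]
        after = [e.value for e in events if e.kind == "temp" and e.ts >= cabinet]
        if after:
            baseline = before[-1] if before else after[0]
            rise = max(after) - baseline
            if rise >= temp_rise:
                tamper = True
                indicators.append(
                    "cabinet temperature rose %.1f C after opening: possible tampering" % rise)

    if badge_ok and not tamper:
        classification, severity = "authorized_access", "low"
    elif badge_ok:
        classification, severity = "authorized_access_with_anomaly", "medium"
    elif tamper:
        classification, severity = "unauthorized_access_and_tampering", "high"
    else:
        classification, severity = "unauthorized_access", "medium"
    return {"classification": classification, "severity": severity, "indicators": indicators}


# Constructed traces replaying the two scenarios from the slides.
AUTHORIZED_VISIT = [
    Event(0, "door_open"), Event(3, "badge", 4711), Event(5, "light_on"),
    Event(40, "cabinet_open"), Event(41, "temp", 24.0), Event(300, "temp", 24.5),
    Event(600, "light_off"), Event(605, "door_close"),
]
INTRUDER_VISIT = [
    Event(0, "door_open"), Event(8, "light_on"), Event(12, "light_off"),
    Event(30, "cabinet_open"), Event(31, "temp", 24.0), Event(200, "temp", 29.0),
    Event(420, "door_close"),
]

if __name__ == "__main__":
    for name, trace in (("authorized", AUTHORIZED_VISIT), ("intruder", INTRUDER_VISIT)):
        print(name, correlate_cabin_visit(trace))
```

The aggregated record is what a Control and Coordination Layer node would publish upstream: one event per visit instead of every door, light and temperature reading, which is where the scalability on the slide comes from.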
Thank you. Questions?
Contacts:
Stefano Salsano, University of Rome Tor Vergata / CNIT, [email protected]
Christof Brandauer, Salzburg Research, Austria, [email protected]
This presentation on slideshare: https://www.slideshare.net/stefanosalsano/the-scissor-approach-to-establishing-situational-awareness-in-industrial-control-systems
The SCISSOR project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 644425 (Research and Innovation Action).
The information given is the author's view and does not necessarily represent the view of the European Commission (EC). No liability is accepted for any use that may be made of the information contained.
Additional information
SCISSOR partners details

| Partner (country) | Partner type | Key roles and technical skills in the project |
|---|---|---|
| Assystem AEOS (France) | Large company | Project coordination; data protection; identity-based cryptography; identity management and access control; SCADA systems; human-machine interface; test platform |
| AGH University of Science and Technology of Krakow (Poland) | Academy | Video surveillance and pattern recognition; security and cryptography; agent-based SCADA and system monitoring |
| UPMC University Pierre and Marie Curie (France) | Academy | SIEM design; decision and probability theory (Dynamic Bayesian Networks); graphical models; scalable big data analytics |
| SixSq Sàrl (Switzerland) | SME | Software integration and testing; cloud expertise and technologies; automated cloud deployment; systems architecture and design |
| Consorzio Nazionale Interuniversitario per le Telecomunicazioni (CNIT, Italy) | Research center | Technical project coordination; overall system architecture; traffic monitoring and stream analytics; platform-independent API for monitoring; attribute-based encryption; smart grid engineering; HMI usability design and assessment |
| Radio6ense (Italy) | SME | Pervasive sensor tags; sensor data gathering and filtering; mobile data acquisition devices |
| Salzburg Research Forschungsgesellschaft mbH (Austria) | Research center | Control framework; monitoring agents design; semantic modelling of events; security policies |
| Katholieke Universiteit Leuven (Belgium) | Academy | Detection of abnormal values in multivariate, high-dimensional data sets; robust dimensionality reduction |
| Società Elettrica Favignana (Italy) | Power plant and smart grid provider | Requirements; integration with the existing SCADA; roll-out of the real-world trial |
Monitoring layer: Wireless Passive Sensor Network (PSN) for environment monitoring (diagram)
Sensors: water/humidity (with RSSI), temperature, light, camera.
Collection: RFID reader (stack) with Antenna 1 and Antenna 2, connected by LAN cable to the NUVLA Box, placed beside the electrical equipment.
Events:
• Authorized and unauthorized access
• Equipment overload
• Flooding and fire
• Human interaction with devices
• Device tampering
Monitoring layer, environment sensors: radioBOARD layout
The board may be configured for different applications and placements by connecting or disconnecting electrical traces.
Board size: 67 mm × 28 mm.
Blocks: electromagnetic coupler with tuning elements; expander for external sensors plus an optional battery/solar cell; energy harvester with tuning elements.
Test bed, environment sensors: events and sensors
• Access
• Flooding
• Humidity and light
• Temperature (harness overload)
• Tampering
Test bed, environment sensors: device placements, reader and antennas (photos of the reader and an antenna)
Test bed, environment sensors: device placements, access and light (photos of the light sensor and the door-open sensor)
Test bed, environment sensors: device placement, temperature (photos of the transformer overload sensor, a PT-1000, and the cabinet temperature sensor)
Test bed, environment sensors: device placement, manual tampering (photo)
Demo - Integration: SCADA logs
Demo steps:
• Logs were collected from a simulated electrical network SCADA system
• These logs are sent by Beats to the Edge Agent
• Classical log parser
• Transformation and publishing to SMI
@datasource:[/opt/zmq-bash-push]: ./play_scada.sh &
Demo - Integration: Environmental sensors
Demo steps:
• Sensor data was measured by the Radio6ense prototype installed in Favignana
• Sent to the Edge Agent via ZeroMQ
• Parsing of the native sensor output
• Transformation and publishing to SMI
• Dynamic reconfiguration of the Edge Agent filtering: drop / forward RSSI data
@datasource:[/opt/zmq-bash-push]: ./play_envfile.sh &
Demo - Integration: Network monitoring
Demo steps:
• Live integration of a distributed streamon instance
• The streamon probe is configured to detect Modbus device scans
• Replay of a previously recorded device scan
• Detection by the streamon probe, emission of alerts towards the Edge Agent via ZeroMQ
• Parsing of the native streamon output
• Transformation and publishing to SMI
@streamon:[/home/vagrant/Streamon]: ./start.sh config/modbus_device_scan.xml
@streamon:[/home/vagrant/Streamon]: tcpreplay -i eth1 config/traces/device_scan.pcap
Alerts emitted by the probe (one per line: timestamp, probe id, event id, severity, message, key=value fields):
1456245861397357097 00000001 E1 LOW "Modbus Device Scanning Suspected" ip_src=127.0.0.30 ip_dst=127.0.0.5 rate=2.147463 dst_port=502
1456245866421830452 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.15 rate=3.121049 dst_port=502
1456245866421874608 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.12 rate=3.526514 dst_port=502
1456245866432175844 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.17 rate=3.931980 dst_port=502
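As an added example (not streamon or SCISSOR code), the following Python covers two parts of this demo step: it parses native streamon alert lines of the shape shown above into flat, typed event dicts, which is the Edge Agent's "parse and transform" step, and it reproduces the probe's detection idea over constructed Modbus/TCP flow records by flagging a source that contacts many distinct port-502 targets within a short window. The output field names, the thresholds, the reading of the leading timestamp as nanoseconds since the epoch, and the sample flows are assumptions made for the example, not the SMI schema or the probe's real configuration.

```python
import re
from collections import defaultdict

# Alert line format as printed by the streamon probe on the demo slide:
#   <timestamp> <probe id> <event id> <severity> "<message>" key=value ...
_ALERT_RE = re.compile(
    r'^(?P<ts>\d+)\s+(?P<probe>\d+)\s+(?P<event>E\d+)\s+(?P<sev>[A-Z]+)\s+'
    r'"(?P<msg>[^"]*)"\s*(?P<kv>.*)$')


def _cast(value):
    """int, then float, else string (IP addresses stay strings)."""
    for conv in (int, float):
        try:
            return conv(value)
        except ValueError:
            pass
    return value


def parse_streamon_alert(line):
    """Turn one native streamon alert line into a flat, typed event dict.

    Field names are this example's choice, not the SMI schema. The timestamp
    is assumed to be nanoseconds since the epoch (19 digits on the slide).
    """
    m = _ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a streamon alert line: %r" % line)
    event = {
        "source": "streamon",
        "ts": int(m["ts"]) / 1e9,          # assumed ns since epoch -> seconds
        "probe_id": m["probe"],
        "event_id": m["event"],
        "severity": m["sev"].lower(),
        "message": m["msg"],
    }
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        event[key] = _cast(value)
    return event


def detect_modbus_scans(flows, window=10.0, suspect_targets=2,
                        detect_targets=4, modbus_port=502):
    """Flag a source that opens Modbus/TCP connections to many distinct
    targets inside `window` seconds, i.e. a device scan. `flows` are
    (ts, ip_src, ip_dst, dst_port) tuples; one alert per scanning source is
    returned, shaped like the events from parse_streamon_alert().
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port == modbus_port:
            by_src[src].append((ts, dst))
    alerts = []
    for src, hits in by_src.items():
        best_n, best_span = 0, 0.0
        for i, (t0, _) in enumerate(hits):      # window starting at each hit
            seen = {}
            for t, dst in hits[i:]:
                if t - t0 > window:
                    break
                seen[dst] = t                    # last contact per target
            if len(seen) > best_n:
                best_n, best_span = len(seen), max(seen.values()) - t0
        if best_n < suspect_targets:
            continue
        detected = best_n >= detect_targets
        alerts.append({
            "source": "scan-detector",
            "severity": "high" if detected else "low",
            "message": "Modbus Device Scanning " + ("Detected" if detected else "Suspected"),
            "ip_src": src,
            "targets": best_n,
            "rate": round(best_n / max(best_span, 1.0), 3),   # distinct targets per second
            "dst_port": modbus_port,
        })
    return alerts


# Constructed sample flows: an HMI polling one PLC every second (benign), and
# a host touching four PLCs within two seconds, plus one non-Modbus connection.
SAMPLE_FLOWS = [(100.0 + i, "10.0.0.2", "10.0.0.5", 502) for i in range(10)] + [
    (105.0, "10.0.0.30", "10.0.0.5", 502),
    (105.4, "10.0.0.30", "10.0.0.12", 502),
    (105.9, "10.0.0.30", "10.0.0.15", 502),
    (106.3, "10.0.0.30", "10.0.0.17", 502),
    (107.0, "10.0.0.30", "10.0.0.40", 22),
]

if __name__ == "__main__":
    line = ('1456245866421830452 00000001 E2 HIGH "Modbus Device Scanning Detected" '
            'ip_src=127.0.0.30 ip_dst=127.0.0.15 rate=3.121049 dst_port=502')
    print(parse_streamon_alert(line))
    for alert in detect_modbus_scans(SAMPLE_FLOWS):
        print(alert)
```

The benign HMI polls the same PLC repeatedly and never crosses the distinct-target threshold, which is the property that separates a scan from normal SCADA polling at the same packet rate; the connection on port 22 is ignored because the detector only counts the Modbus port.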
Demo - Integration: Smart camera
Demo steps:
• Events were produced by a smart camera analysing a video presented in the morning session
• These events are sent to the Edge Agent via ZeroMQ; the original timing is preserved
• Parsing of the native sensor output
• Transformation and publishing to SMI
@datasource:[/opt/zmq-bash-push]: ./play_camfile.sh &
SIEM Design & Development: SCISSOR's SIEM is Prelude SIEM
Assystem Advanced SCADA Platform: SCADA platform in the Assystem testbed, a use case for SCISSOR validation
• A virtualized process
• Complex scenario handling
• Direct occurrences of process events
• Systemic approach
• A generic SCADA-based system
• PLC-based control
• Use of industrial protocols
• Typical SCADA HMI
• Log generation: process monitoring, supervision/PLC software, operating systems
• Historian and reporting
Cloud platform and integration: Distributed Cloud Platform
Seamless integration of a traditional datacenter cloud platform and a "cloud-in-a-box" platform.