Publication


Featured research published by Ivo Friedberg.


Computers & Security | 2015

Combating advanced persistent threats

Ivo Friedberg; Florian Skopik; Giuseppe Settanni; Roman Fiedler

An advanced persistent threat (also known as APT) is a deliberately slow-moving cyberattack that is applied to quietly compromise interconnected information systems without revealing itself. APTs often use a variety of attack methods to get unauthorized system access initially and then gradually spread throughout the network. In contrast to traditional attacks, they are not used to interrupt services but primarily to steal intellectual property, sensitive internal business and legal documents and other data. If an attack on a system is successful, timely detection is of paramount importance to mitigate its impact and prohibit APTs from further spreading. However, recent security incidents, such as Operation Shady Rat, Operation Red October or the discovery of MiniDuke - just to name a few - have impressively demonstrated that current security mechanisms are mostly insufficient to prohibit targeted and customized attacks. This paper therefore proposes a novel anomaly detection approach which is a promising basis for modern intrusion detection systems. In contrast to other common approaches, which apply a kind of black-list approach and consider only actions and behaviour that match to well-known attack patterns and signatures of malware traces, our system works with a white-list approach. Our anomaly detection technique keeps track of system events, their dependencies and occurrences, and thus learns the normal system behaviour over time and reports all actions that differ from the created system model. In this work, we describe this system in theory and show evaluation results from a pilot study under real-world conditions.


IEEE PES Innovative Smart Grid Technologies Conference | 2014

Dealing with advanced persistent threats in smart grid ICT networks

Florian Skopik; Ivo Friedberg; Roman Fiedler

With the increasing use of novel smart grid technologies, a comprehensive ICT network will be established in parallel to the electricity grid, which due to its large size, number of participants and access points will be exposed to similar threats as those seen on the current Internet. However, modern security systems that are applied in today's highly dynamic ICT networks, including malware scanners and intrusion detection systems, apply a kind of black-list approach, where they consider only actions and behavior that match to well-known attack patterns and signatures of malware traces. We argue that for the smart grid a more restrictive approach, that cannot be circumvented by customized malware, will increase the security level tremendously. Therefore, in this paper we present a smart white-list approach. Our anomaly detection technique keeps track of system events, their dependencies and occurrences, and thus learns the normal system behavior over time and reports all actions that differ from the created system model. The application of such a system is promising in a smart grid environment which mostly implements well-specified processes, resulting in rather predictable and static behavior. We demonstrate the application of the system in a small-scale pilot case of a real utility provider.


Workshop on Information Security Applications | 2017

STPA-SafeSec: Safety and security analysis for cyber-physical systems

Ivo Friedberg; Kieran McLaughlin; Paul Smith; David M. Laverty; Sakir Sezer

Cyber-physical systems tightly integrate physical processes and information and communication technologies. As today's critical infrastructures, e.g., the power grid or water distribution networks, are complex cyber-physical systems, ensuring their safety and security becomes of paramount importance. Traditional safety analysis methods, such as HAZOP, are ill-suited to assess these systems. Furthermore, cybersecurity vulnerabilities are often not considered critical, because their effects on the physical processes are not fully understood. In this work, we present STPA-SafeSec, a novel analysis methodology for both safety and security. Its results show the dependencies between cybersecurity vulnerabilities and system safety. Using this information, the most effective mitigation strategies to ensure safety and security of the system can be readily identified. We apply STPA-SafeSec to a use case in the power grid domain, and highlight its benefits.


Conference on Privacy, Security and Trust | 2014

Semi-synthetic data set generation for security software evaluation

Florian Skopik; Giuseppe Settanni; Roman Fiedler; Ivo Friedberg

Threats to modern ICT systems are rapidly changing these days. Organizations are not mainly concerned about virus infestation, but increasingly need to deal with targeted attacks. These kinds of attacks are specifically designed to stay below the radar of standard ICT security systems. As a consequence, vendors have begun to ship self-learning intrusion detection systems with sophisticated heuristic detection engines. While these approaches are promising to relax the serious security situation, one of the main challenges is the proper evaluation of such systems under realistic conditions during development and before roll-out. Especially the wide variety of configuration settings makes it hard to find the optimal setup for a specific infrastructure. However, extensive testing in a live environment is not only cumbersome but usually also impacts daily business. In this paper, we therefore introduce an approach of an evaluation setup that consists of virtual components, which imitate real systems and human user interactions as close as possible to produce system events, network flows and logging data of complex ICT service environments. This data is a key prerequisite for the evaluation of modern intrusion detection and prevention systems. With these generated data sets, a system's detection performance can be accurately rated and tuned for very specific settings.


Elektrotechnik und Informationstechnik | 2015

Cyber situational awareness through network anomaly detection: state of the art and new approaches

Ivo Friedberg; Florian Skopik; Roman Fiedler

With a major change in the attack landscape, away from well-known attack vectors towards unique and highly tailored attacks, limitations of common rule- and signature-based security systems become more and more obvious. Novel security mechanisms can provide the means to extend existing solutions in order to provide a more sophisticated security approach. As critical infrastructures get increasingly accessible from public networks they show up on attackers’ radars. As a consequence, establishing cyber situational awareness on a higher level through incident information sharing is vital for assessing the increased risk to national security in the cyber space. But legal obligations and economical considerations limit the motivation of companies to pursue information sharing initiatives. To support companies and governmental initiatives, novel security mechanisms should inherently address limiting factors. One novel approach, AECID, is presented that accounts for the limitations of many common intrusion and anomaly detection mechanisms; and which further provides the features to support privacy-aware information sharing for cyber situational awareness.

Summary: With the lasting change in today's attack methods, away from well-known attacks towards individual and highly specialized attacks, the limitations of common rule- and signature-based IT security systems are becoming more and more visible. Novel security mechanisms have the potential to substantially improve existing solutions in this respect and thus to offer a more far-reaching security approach. As critical infrastructures become increasingly accessible from public networks, they also increasingly become attractive targets for attackers. As a consequence, establishing a higher-level cyber situational picture based on shared information about cyber incidents is decisive for assessing the increased danger to national security in cyberspace. But legal obligations and economic considerations limit the motivation of organizations to drive forward a security-critical exchange of information. To support companies and government initiatives, new security mechanisms should specifically compensate for the factors that limit the acceptance of systems for information sharing. A novel approach, AECID, which could be applied here, is presented in this article. AECID takes into account the aforementioned limitations of many common anomaly detection systems and additionally supports the properties required for privacy-compliant information sharing to build a general understanding of the situational picture.


IEEE PES Innovative Smart Grid Technologies Conference | 2017

A cyber-physical resilience metric for smart grids

Ivo Friedberg; Kieran McLaughlin; Paul Smith

The need for novel smart grid technologies is often motivated by the need for more resilient power grids. While the number of technologies that claim to increase grid resilience is growing, there is a lack of widely accepted metrics to measure the resilience of smart grid installations. The design of effective resilience metrics is made difficult by the diversity of challenges and performance measures that a smart grid is subject to. This work identifies the necessary attributes for a complete and effective resilience metric and shows that previous work falls short. It then proposes a novel approach to measure resilience that focuses on the complex interdependencies between challenges and performances in smart grids.


IEEE Access | 2017

Evidential Network Modeling for Cyber-Physical System State Inference

Ivo Friedberg; Xin Hong; Kieran McLaughlin; Paul Smith; Paul C. Miller

Cyber-physical systems (CPSs) have dependability requirements that are associated with controlling a physical process. Cyber-attacks can result in those requirements not being met. Consequently, it is important to monitor a CPS in order to identify deviations from normal operation. A major challenge is inferring the cause of these deviations in a trustworthy manner. This is necessary to support the implementation of correct and timely control decisions, in order to mitigate cyber-attacks and other causes of reduced dependability. This paper presents evidential networks as a solution to this problem. Through the evaluation of a representative use case for cyber-physical control systems, this paper shows novel approaches to integrate low-level sensors of different types, in particular those for cyber-attack detection, and reliabilities into evidential networks. The results presented indicate that evidential networks can identify system states with an accuracy that is comparable to approaches that use classical Bayesian probabilities to describe causality. However, in addition, evidential networks provide information about the uncertainty of a derived system state, which is a significant benefit, as it can be used to build trust in the results of automatic reasoning systems.


Autonomous Infrastructure Management and Security | 2015

Towards a Cyber-physical Resilience Framework for Smart Grids

Ivo Friedberg; Kieran McLaughlin; Paul Smith

As modern power grids move towards becoming a smart grid, there is an increasing reliance on the data that is transmitted and processed by ICT systems. This reliance introduces new digital attack vectors. Many of the proposed approaches that aim to address this problem largely focus on applying well-known ICT security solutions. However, what is needed are approaches that meet the complex concerns of the smart grid as a cyber-physical system. Furthermore, to support the automatic control loops that exist in a power grid, similarly automatic security and resilience mechanisms are needed that rely on minimal operator intervention. The research proposed in this paper aims to develop a framework that ensures resilient smart grid operation in light of successful cyber-attacks.


Smart Grid Security: Innovative Solutions for a Modernized Grid | 2015

Secure Communications in Smart Grid: Networking and Protocols

Kieran McLaughlin; Ivo Friedberg; BooJoong Kang; Peter Maynard; Sakir Sezer; Gavin McWilliams

The key attributes of a smarter power grid include: pervasive interconnection of smart devices; extensive data generation and collection; and rapid reaction to events across a widely dispersed physical infrastructure. Modern telecommunications technologies are being deployed across power systems to support these monitoring and control capabilities. To enable interoperability, several new communications protocols and standards have been developed over the past 10 to 20 years. These continue to be refined, even as new systems are rolled out. This new hyper-connected communications infrastructure provides an environment rich in sub-systems and physical devices that are attractive to cyber-attackers. Indeed, as smarter grid operations become dependent on interconnectivity, the communications network itself becomes a target. Consequently, we examine cyber-attacks that specifically target communications, particularly state-of-the-art standards and protocols. We further explore approaches and technologies that aim to protect critical communications networks against intrusions, and to monitor for, and detect, intrusions that infiltrate Smart Grid systems.


ICS-CSR '15 Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research | 2015

A cyber-physical security analysis of synchronous-islanded microgrid operation

Ivo Friedberg; David M. Laverty; Kieran McLaughlin; Paul Smith

Collaboration

Top Co-Authors

Kieran McLaughlin
Queen's University Belfast

Paul Smith
Austrian Institute of Technology

Florian Skopik
Austrian Institute of Technology

Roman Fiedler
Austrian Institute of Technology

David M. Laverty
Queen's University Belfast

Sakir Sezer
Queen's University Belfast

Giuseppe Settanni
Austrian Institute of Technology

Markus Wurzenberger
Austrian Institute of Technology

BooJoong Kang
Queen's University Belfast

Gavin McWilliams
Queen's University Belfast