Piroska Haller
Technical University of Cluj-Napoca
Publication
Featured research published by Piroska Haller.
European Workshop on System Security | 2014
Béla Genge; Dorin Adrian Rusu; Piroska Haller
Recent trends in Critical Infrastructures (CIs), e.g., power plants and energy smart grids, showed an increased use of commodity, off-the-shelf Information and Communication Technologies (ICT) hardware and software. Although this enabled the implementation of a broad palette of new features, the pervasive use of ICT, especially within the core of CIs, i.e., in Industrial Control Systems (ICSs), attracted a new class of attacks in which cyber disturbances propagate to the physical dimension of CIs. To ensure a more effective detection of cyber attacks against the ICS of CIs, we have developed SPEAR, a systematic approach that automatically configures anomaly detection engines to detect attacks that violate connection patterns specific to ICSs. The approach is validated by experimental scenarios including traffic traces from real industrial equipment and real malware (Stuxnet).
International Conference on Industrial Informatics | 2015
István Kiss; Béla Genge; Piroska Haller
Modern Process Control Systems (PCS) exhibit an increasing trend towards the pervasive adoption of commodity, off-the-shelf Information and Communication Technologies (ICT). This has brought significant economical and operational benefits, but it also shifted the architecture of PCS from a completely isolated environment to an open, “system of systems” integration with traditional ICT systems, susceptible to traditional computer attacks. In this paper we present a novel approach to detect cyber attacks targeting measurements sent to control hardware, i.e., typically to Programmable Logical Controllers (PLC). The approach builds on the Gaussian mixture model to cluster sensor measurement values and a cluster assessment technique known as silhouette. We experimentally demonstrate that in this particular problem the Gaussian mixture clustering outperforms the k-means clustering algorithm. The effectiveness of the proposed technique is tested in a scenario involving the simulated Tennessee-Eastman chemical process and three different cyber attacks.
International Conference on Intelligent Computer Communication and Processing | 2014
István Kiss; Béla Genge; Piroska Haller; Gheorghe Sebestyen
Modern Networked Critical Infrastructures (NCI), involving cyber and physical systems, are exposed to intelligent cyber attacks targeting the stable operation of these systems. In order to ensure anomaly awareness, the observed data can be used in accordance with data mining techniques to develop Intrusion Detection Systems (IDS) or Anomaly Detection Systems (ADS). There is an increase in the volume of sensor data generated by both cyber and physical sensors, so there is a need to apply Big Data technologies for real-time analysis of large data sets. In this paper, we propose a clustering based approach for detecting cyber attacks that cause anomalies in NCI. Various clustering techniques are explored to choose the most suitable for clustering the time-series data features, thus classifying the states and potential cyber attacks to the physical system. The Hadoop implementation of the MapReduce paradigm is used to provide a suitable processing environment for large datasets. A case study on an NCI consisting of multiple gas compressor stations is presented.
International Universities Power Engineering Conference | 2014
Béla Genge; Adela Bereş; Piroska Haller
Smart Grid has been characterized as the next generation power grid in which modern Information and Communication Technologies (ICT) will improve control, reliability and safety. Although the adoption of generic off-the-shelf ICT in Smart Grid provisions indisputable advantages and benefits, it raises several issues concerning the reliability and security of communications - the core infrastructure of Smart Grid. Cloud computing has developed and evolved over the past years becoming a real choice for Smart Grids infrastructure because of the availability, scalability, performance and interoperability that it offers. In this paper we present a survey of the existing cloud-based software platforms for implementing secure Smart Grids. Security issues like authentication and authorization of users, data encryption, availability, attacker impact, detection and trust management have received significant attention in previous work. Nevertheless, as shown in this paper, their integration and adaptation to emerging fields such as Smart Grid is still in an embryonic state. As such, we report recent advancements and software platforms specifically for Smart Grid and we outline several issues as well as suggestions for designing security-aware platforms for Smart Grid.
IEEE Systems Journal | 2017
Béla Genge; Piroska Haller; István Kiss
The pervasive adoption of traditional information and communication technologies hardware and software in industrial control systems (ICS) has given birth to a unique technological ecosystem encapsulating a variety of objects ranging from sensors and actuators to video surveillance cameras and generic PCs. Despite their invaluable advantages, these advanced ICS create new design challenges, which expose them to significant cyber threats. To address these challenges, an innovative ICS network design technique is proposed in this paper to harmonize the traditional ICS design requirements pertaining to strong architectural determinism and real-time data transfer with security recommendations outlined in the ISA-62443.03.02 standard. The proposed technique accommodates security requirements by partitioning the network into security zones and by provisioning critical communication channels, known as security conduits, between two or more security zones. The ICS network design is formulated as an integer linear programming (ILP) problem that minimizes the cost of the installation. Real-time data transfer limitations and security requirements are included as constraints imposing the selection of specific traffic paths, the selection of routing nodes, and the provisioning of security zones and conduits. The security requirements of cyber assets denoted by traffic and communication endpoints are determined by a cyber attack impact assessment technique proposed in this paper. The sensitivity of the proposed techniques to different parameters is evaluated in a first scenario involving the IEEE 14-bus model and in a second scenario involving a large network topology based on generated data. Experimental results demonstrate the efficiency and scalability of the ILP model.
International Journal of Critical Infrastructure Protection | 2015
Béla Genge; Flavius Graur; Piroska Haller
This paper surveys and provides experimental results related to network design techniques focused on enhancing the security of industrial control systems. It analyzes defense-in-depth strategies, network segmentation, network firewall configurations and the role of intrusion prevention systems, intrusion detection systems and anomaly detection systems. The paper also studies the applicability of emerging technologies in the area of IP networks, including software-defined networking, network functions virtualization and next generation firewalls in securing industrial control systems. The main contribution of this paper is the experimental assessment of existing and future network design approaches in the presence of real malware (e.g., Stuxnet) and synthetic attacks (e.g., denial-of-service attacks). The experimental results confirm the importance of defense-in-depth strategies and also highlight the embryonic state of software-defined networking security, which requires profound transformation and validation in order to be embraced by the industrial control system community.
IEEE Transactions on Smart Grid | 2017
Béla Genge; Piroska Haller; Cristian-Dragos Dumitru; Calin Enachescu
We formulate two intrusion detection system (IDS) design problems for smart grids. The first one optimally places IDS devices on communication paths, while the second one addresses the resilient communications requirement and enhances the first problem with the provisioning of K distinct back-up paths and additional IDS devices. The developed problems harmonize real-time communication requirements with the infrastructure’s resource limitations (e.g., bandwidth), detection requirements, and the available budget. A heuristic approach is developed based on the column-generation model to reduce the computation time. Experimental results comprising the Romanian 440 kV and 220 kV power transmission networks, the Romanian Educational Communication Network, alongside synthetic topologies demonstrate the effectiveness and applicability of the heuristic methodology on large problem instances.
International Journal of Critical Infrastructure Protection | 2016
Béla Genge; Piroska Haller; István Kiss
IEEE Access | 2017
Piroska Haller; Béla Genge
2016 IFIP Networking Conference (IFIP Networking) and Workshops | 2016
Béla Genge; Piroska Haller
The complexity and scale of critical infrastructures, their strong security requirements and increasing costs require comprehensive methodologies for provisioning cost-effective distributed intrusion detection systems. This paper introduces a novel framework for designing resilient distributed intrusion detection systems. The framework leverages the output of a risk assessment methodology to identify and rank critical communications flows. These flows are integrated in an optimization problem that minimizes the number of deployed detection devices while enforcing a shortest-path routing algorithm to minimize communications delays. The framework engages a resilient distributed intrusion detection design algorithm that accounts for the possibility that detection devices may be compromised or fail. The algorithm optimally positions detection devices to ensure that the infrastructure is resilient to at most K communications path failures. Experimental results demonstrate the effectiveness of the distributed intrusion detection design framework.