Publication


Featured research published by Tiago Cruz.


workshop on information security applications | 2016

Combining ensemble methods and social network metrics for improving accuracy of OCSVM on intrusion detection in SCADA systems

Leandros A. Maglaras; Jianmin Jiang; Tiago Cruz

Modern Supervisory Control and Data Acquisition (SCADA) systems used by the electric utility industry to monitor and control electric power generation, transmission and distribution are recognized today as critical components of the electric power delivery infrastructure. SCADA systems are large, complex and incorporate increasing numbers of widely distributed components. The presence of a real time intrusion detection mechanism, which can cope with different types of attacks, is of great importance in order to defend a system against cyber attacks. This defense mechanism must be distributed, cheap and above all accurate, since false positive alarms or mistakes regarding the origin of the intrusion mean severe costs for the system. Recently an integrated detection mechanism, namely IT-OCSVM, was proposed, which is distributed in a SCADA network as a part of a distributed intrusion detection system (DIDS), providing accurate data about the origin and the time of an intrusion. In this paper we also analyze the architecture of the integrated detection mechanism and we perform extensive simulations based on real cyber attacks in a small SCADA testbed in order to evaluate the performance of the proposed mechanism.


IEEE Transactions on Industrial Informatics | 2016

A Cybersecurity Detection Framework for Supervisory Control and Data Acquisition Systems

Tiago Cruz; Luis Rosa; Jorge Proença; Leandros A. Maglaras; Matthieu Aubigny; Leonid Lev; Jianmin Jiang; Paulo Simões

This paper presents a distributed intrusion detection system (DIDS) for supervisory control and data acquisition (SCADA) industrial control systems, which was developed for the CockpitCI project. Its architecture was designed to address the specific characteristics and requirements for SCADA cybersecurity that cannot be adequately fulfilled by techniques from the information technology world, thus requiring a domain-specific approach. DIDS components are described in terms of their functionality, operation, integration, and management. Moreover, system evaluation and validation are undertaken within an especially designed hybrid testbed emulating the SCADA system for an electrical distribution grid.


conference on network and service management | 2010

Integration of PXE-based desktop solutions into broadband access networks

Tiago Cruz; Paulo Simões; Fernando Bastos; Edmundo Monteiro

Presently there is a lack of remote desktop management solutions for domestic and SOHO users connected to broadband access networks. This contrasts with the enterprise LAN environment, where there are several standards, resources and frameworks for PC or thin-client management. Among these, one specific remote boot technology - the Preboot execution Environment (PXE) [1] - is now the basis for a wide array of LAN-wide desktop management applications.


integrated network management | 2015

Improving network security monitoring for industrial control systems

Tiago Cruz; Jorge Barrigas; Jorge Proença; Antonio Graziano; Stefano Panzieri; Leonid Lev; Paulo Simões

Programmable Logic Controller (PLC) technology plays an important role in the automation architectures of several critical infrastructures such as Industrial Control Systems (ICS), controlling equipment in contexts such as chemical processes, factory lines, power production plants or power distribution grids, just to mention a few examples. Despite their importance, PLCs constitute one of the weakest links in ICS security, frequently due to reasons such as the absence of secure communication mechanisms, authenticated access or system integrity checks. While events such as the Stuxnet worm have raised awareness for this problem, industry has slowly reacted, either due to reliability or cost concerns. This paper introduces the Shadow Security Unit, a low-cost device deployed in parallel with a PLC or Remote Terminal Unit (RTU), being capable of transparently intercepting its communications control channels and physical process I/O lines to continuously assess its security and operational status. The proposed device does not require significant changes to the existing control network, being able to work in standalone or integrated within an ICS protection framework.


integrated network management | 2003

Enabling preOS desktop management

Tiago Cruz; Paulo Simões

Desktop management is probably the most resource-consuming task for the typical operations and support team, regardless of being frequently overlooked as not as complex or specialized as core network operations and management. Nowadays this scenario is even worse, since the increasing number and complexity of desktop systems was not matched by satisfactory management solutions - despite the relative success of products such as Intel's Landesk or Microsoft's SMS. In order to address this problem, we are exploring a different approach to desktop management, through the design and implementation of the openDMS management framework. This open source framework differs from available products in several points, such as earlier remote management mechanisms (prior to operating system load), incorporation of existing open standards, a network-centric architecture, operating system neutrality and tighter integration between traditional PC, thin clients and network PC. In this paper we discuss the current status of desktop management solutions and we present an overview of the OpenDMS approach, including its most relevant technical foundations and an application scenario.


emerging technologies and factory automation | 2014

Efficient and secure M2M communications for smart metering

André Riker; Tiago Cruz; Bruno F. Marques; Marilia Curado; Paulo Simões; Edmundo Monteiro

Machine-to-Machine technology supports several application scenarios, such as smart metering, automotive, healthcare and city monitoring. Smart metering applications have attracted the interest of companies and governments since these applications bring many benefits (e.g. costs reduction and increased reliability) for production, monitoring and distribution of utilities, such as gas, water and electricity. Multi-hop wireless communication is a cost-effective technology for smart metering applications because it extends the wireless range and enables fast deployment. Smart metering data communicated via wireless multi-hop approaches needs mechanisms that make the communication less vulnerable to security threats and save the device resources. Data encryption and data aggregation mechanisms emerge as potential solutions to fulfill these requirements. However, the simultaneous execution of data encryption and data aggregation mechanisms is not a trivial task. This is because the data encryption prevents the data aggregation mechanism from summarizing the data along the path. Another challenge is to manage both mechanisms according to the concurrent Machine-to-Machine (M2M) applications' interests. In this context, we present sMeter, which is a framework that deals with multiple applications' interests, avoiding interest conflicts of concurrent users and supporting the management of data aggregation and data encryption. sMeter is implemented using low-cost hardware in an indoor environment. The communication is performed via a wireless multi-hop technology, and the performance of this communication is evaluated in terms of delay, data reception ratio and received signal strength indication.


International Journal of Cyber Warfare and Terrorism archive | 2014

A Distributed IDS for Industrial Control Systems

Tiago Cruz; Jorge Proença; Paulo Simões; Matthieu Aubigny; Moussa Ouedraogo; Antonio Graziano; Leandros A. Maglaras

Cyber-threats are one of the most significant problems faced by modern Industrial Control Systems (ICS), such as SCADA (Supervisory Control and Data Acquisition) systems, as the vulnerabilities of ICS technology become serious threats that can ultimately compromise human lives. This situation demands a domain-specific approach to cyber threat detection within ICS, which is one of the most important contributions of the CockpitCI FP7 project (http://CockpitCI.eu). Specifically, this paper will present the CockpitCI distributed Intrusion Detection System (IDS) for ICS, which provides its core cyber-detection and analysis capabilities, also including a description of its components, in terms of role, operation, integration, and remote management. Moreover, it will also introduce and describe new domain-specific solutions for ICS security such as the SCADA Honeypot and the Shadow Security Unit, which are part of the CockpitCI IDS framework.


Journal of Network and Systems Management | 2013

A Framework for Internet Media Services Delivery to the Home Environment

Tiago Cruz; Paulo Simões; Edmundo Monteiro; Fernando Bastos; Alexandre Laranjeira

In this paper, we propose a framework that enables Internet service providers (ISPs) to provide multimedia content to generic devices located inside the domestic networks of their customers (such as PCs and generic media players) in a seamless manner. In order to achieve this transparent integration between ISP-provided multimedia content and generic consumer media players, the domestic gateway becomes a managed UPnP AV/DLNA (Universal Plug and Play/Digital Living Network Alliance) media server, which can be dynamically updated by the broadband operator using Broadband Forum’s CPE (Customer Premises Equipment) WAN Management Protocol (CWMP) extensions specifically designed for this purpose. This framework enables the domestic gateway to become a mediator for both operator-provided and Internet media content, provided through UPnP services visible inside the domestic LAN. The adoption of a neutral UPnP/DLNA architecture that uses plugins to abstract each service allows it to become independent of the domestic gateway platform, allowing ISPs to easily add support for new media services while better coping with protocol updates. The proposed framework has been developed and validated in the scope of the project S3P, in cooperation between the University of Coimbra and Portugal Telecom’s PT Inovação innovation and R&D unit.


Archive | 2015

Specialized Honeypots for SCADA Systems

Paulo Simões; Tiago Cruz; Jorge Proença; Edmundo Monteiro

In this chapter we examine the role of specialized honeypots for detecting and profiling cyber attacks on SCADA-based Industrial Control Systems, debate how to implement such honeypots and provide a complete example of such an appliance. The honeypot concept has been used in general-purpose intrusion detection systems for a long time, with well-recognized contributions in revealing and analysing cyber attacks. However, a number of specialized requirements associated with SCADA systems within Industrial Control Systems in general are not addressed by typical honeypots. In this paper we discuss how the different approaches to security of typical information systems and industrial control systems lead to the need of specialized SCADA honeypots for process control networks. Based on that discussion, we propose a reference architecture for a SCADA network honeypot, discuss possible implementation strategies—based on the lessons learned from the development of a proof-of-concept Modbus honeypot—and propose two alternative deployment strategies, one based on low cost hardware appliances physically and logically located in the automation or field networks and the other based on virtualized field network honeypots physically located in the datacentre and logically located in the field or automation network.


international conference on security and cryptography | 2014

Keeping an eye on your security through assurance indicators

Moussa Ouedraogo; Chien-Ting Kuo; Simon Tjoa; David Preston; Eric Dubois; Paulo Simões; Tiago Cruz

Despite the incommensurable effort made from across computer sciences disciplines to provide more secure systems, compromising the security of a system has now become a very common and stark reality for organizations of all sizes and from a variety of sectors. The lax in the technology has often been cited as the salient cause of systems insecurity. In this paper we advocate the need for a Security Assurance (SA) system to be embedded within current IT systems. Such a system has the potential to address one facet of cyber insecurity, which is the exploit of lax within the deployed security and its underlining policy. We discuss the challenges associated to such an SA assessment and present the flavor of its evaluation and monitoring through an initial prototype. By providing indicators on the status of a security matter that is more and more devolved to the provider as it is the case in the cloud, the SA tool can be used as a means of fostering better security transparency between a cloud provider and client.

Collaboration


Top Co-Authors


Luis Rosa

University of Coimbra

Leonid Lev

Israel Electric Corporation
