
Page 1: PREEMPTIVE: an Integrated Approach to Intrusion Detection ...compunet/www/docs/pizzo/PREEMPTIVE.pdfPREEMPTIVE: an Integrated Approach to Intrusion Detection and Prevention in ICSs

Int. J. of Critical Infrastructures, Vol. x, No. x, 2017 1

PREEMPTIVE: an Integrated Approach to Intrusion Detection and Prevention in Industrial Control Systems

E. Etcheves Miciolino, D. Di Noto

Vitrociset S.p.A., Rome, Italy
E-mail: {e.miciolino.somm, d.dinoto.somm}@vitrociset.it

F. Griscioli, M. Pizzonia

Università degli Studi “Roma Tre”, Rome, Italy
E-mail: {griscioli, pizzonia}@ing.uniroma3.it

J. Kippe, S. Pfrang

Fraunhofer IOSB, Karlsruhe, Germany
E-mail: {joerg.kippe, steffen.pfrang}@iosb.fraunhofer.de

X. Clotet, G. León

Aplicaciones en Informática Avanzada (AIA) S.L., Sant Cugat, Spain
E-mail: {clotetx, leonge}@aia.es

F.B. Kassim, D. Lund

HW Communications Ltd, Lancaster, UK
E-mail: {k.babatunde, dlund}@hwcomms.com

E. Costante

SecurityMatters B.V., Eindhoven, The Netherlands

E-mail: [email protected]

Abstract: Cyber-security of Industrial Control Systems (ICSs) is notoriously hard due to the peculiar constraints of the specific context. At the same time, the use of specifically crafted malware to target ICSs is an established offensive means for opposing organisations, groups, or countries. We provide an overview of the results attained by the Preemptive project to improve the cyber-security of ICSs. Preemptive devised several integrated tools for the detection and prevention of intrusions in this context. It also provides a way to correlate many small events, giving rise to more significant ones, and shows the whole cyber-security state to the user by means of specific Human-Machine Interfaces.

Keywords: cyber-security, SCADA protection, ICS security, IDS, events correlation

Biographical Notes

Estefanía Etchevés Miciolino received her Ph.D. in 2016 from University Campus Bio-Medico of Rome, Italy, with a thesis entitled “Cyber-Physical Security of SCADA Systems Against Physical Faults, Cyber Threats and Generic Malicious Attacks”. She is currently employed at Vitrociset S.p.A. as a System Engineer, and her main tasks lie in SCADA security. Her research interests are in the field of SCADA systems’ security, Fault Diagnosis and Critical Infrastructures Protection. She has five publications in scientific journals and eight conference and workshop papers, one of which received the 2014 CIPRNet Young CRITIS Award as the best conference paper.

Dario Di Noto received the M.Sc. degree in Biomedical Engineering in 2016 from University Campus Bio-Medico of Rome. He is currently employed at Vitrociset S.p.A., where his tasks are based on ATC (Air Traffic Control) systems, and he is currently involved in European and extra-European projects. His research interests are Critical Infrastructures security, mainly airport facilities, and information technology.

Copyright © 2012 Inderscience Enterprises Ltd.

Copyright © 2016 Inderscience Enterprises Ltd.


Federico Griscioli received the M.S. degree in Telecommunication Engineering from Tor Vergata University, Rome. He is currently a Ph.D. student at the Engineering Department of “Roma Tre” University, Italy. His research interests include cyber-security, especially in the context of industrial control systems, software defined networks and penetration tests.

Maurizio Pizzonia is Assistant Professor at “Roma Tre” University, Italy. His research interests lie in the design of algorithms and software systems for cyber-security, Internet analysis, and information visualization. He has published more than 40 papers in scientific conferences and journals, and served as coordinator for research units and work packages in two European projects. He is very much oriented towards solving real problems and devising innovative solutions that can lead to applications. In 2011, Maurizio Pizzonia co-founded a start-up in cloud security. He has taught cyber-security courses since 2004.

Jörg Kippe holds a degree in Electrical Engineering from the University of Hannover and today is a member of a research group working on the security of networked systems at Fraunhofer IOSB in Karlsruhe, Germany. In 1999 he joined the Fraunhofer NOC project (an internal project responsible for the provision of network connectivity and central network services to all (about 100) Fraunhofer locations) and worked on service administration, network/service management and network security solutions. Since 2010 he has focused on IT security solutions for industrial automation networks and the control systems of Critical Infrastructures.

Steffen Pfrang received his diploma degree in computer science from the Karlsruhe Institute of Technology in 2012. After university, he joined the Fraunhofer IOSB in Karlsruhe and worked in the departments for Secure Communication Architectures (SKA) and Information Management and Production Control on the European Union FP7 projects PRECYSE and PREEMPTIVE, both dealing with cyber-security for Critical Infrastructures. Since 2014, his work has also focused on cyber-security for industrial automation networks within the Fraunhofer IOSB IT Security Laboratory for Industrial Production. His research interests include cyber-security, applied security for industrial automation networks and Critical Infrastructures, security testing and intrusion detection.

Xavier Clotet Fons received his Ph.D. in Physics in 2014 from Universitat de Barcelona and École Normale Supérieure de Lyon (Nonlinear Physics Group and Laboratoire de Physique). He worked as a Postdoc at the Complex Matter and Nonlinear Physics Laboratory at Clark University (MA, USA). He has a strong background in experimental physics, data analysis and mathematical modelling. He has six publications in peer-reviewed scientific journals and five conference papers. He has worked at Grupo AIA since 2015 in the R&D and Big Data unit. His main tasks are related to the development of R&D projects on innovative tools for the electric sector related to extreme weather events and critical infrastructure security.

Gladys León received her Ph.D. in Physics in 2008 from the Université de Genève, Switzerland. She was a visiting postdoc for 3 years at the Material Science Institute of Madrid, CSIC. She received a Master in Renewable Energies and Hydrogen in 2011 from CSIC, Spain. She has a strong background in theoretical physics, simulations of complex systems and mathematical modeling. She has worked at Grupo AIA since 2012 in the Energy Unit, in tasks related to R&D in power system modeling and simulation, and the development of R&D projects focusing on innovative tools for the electric sector and critical infrastructure security. She has more than 10 publications in scientific journals and 4 conference papers.

Fatai Babatunde Kassim received his M.Sc. degree in Digital Signal Processes and Intelligent Systems from Lancaster University in 2011. He is currently working with HW Communication as an R&D Engineer. His research areas of interest include Cyber-Physical security for National Critical Infrastructure Protection, Machine Learning, Risk Assessment and Management for National Critical Infrastructure, and software development using different programming languages such as Java, Python, C++ and MySQL.

David Lund joined HW Communication in 1997 and oversees all technical aspects of HWC’s Secure and Resilient Communications team. Following work as a silicon test engineer for Texas Instruments, he joined HWC and obtained his Ph.D. with respect to HWC’s R&D on Reconfigurable Digital Communication systems in 2001, under supervision from Lancaster University. For over 10 years he has managed and overseen many R&D and product development projects. His key focus is Secure and Resilient Communication, which covers many factors, from the resilience of Critical Infrastructures through to the reliability of mobile phones, and onwards to the protection of personal information.

Elisa Costante received her Ph.D. in Mathematics and Computer Science in 2015 from the Eindhoven University of Technology (Security Group). Her thesis, entitled “Privacy throughout the Data Cycle”, focuses on data leakage protection and privacy evaluation techniques. Since 2015, she has worked as a researcher at SecurityMatters B.V., where she became Head of Research in 2016. She manages internal and external research activities, including European projects. Her main research topics include network security for cyber-physical and SCADA systems, network behavioral modeling and cyber-attack mitigation. She has seven conference and workshop papers and four publications in scientific journals.

1 Introduction

Industrial Control Systems (ICSs) are involved in the control processes of several kinds of critical infrastructures, such as energy production and distribution, water distribution, and transportation. In the past decade, a growth of cyber-attacks against ICSs has been observed [1]. Historically, SCADA (Supervisory Control and Data Acquisition) systems, PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units) and other elements of ICSs have been built to provide high levels of availability, safety and reliability, but they are not prepared to counter software attacks effectively. Specifically crafted malware can be used by attackers to alter an industrial process, possibly endangering human lives, or to gather industrial secrets. In several reported cases, the attack on a Critical Infrastructure involved an organisation aiming at gaining some market or political advantage. Attackers of this kind may have much larger resources available than average hackers, and are therefore able to perform quite advanced attacks. Such attacks are usually referred to as Advanced Persistent Threats (APTs). APTs may include exploits for several zero-day vulnerabilities, may perform special actions to evade antiviruses, and may carry out infiltrations inside organisations that stay undetected for years (see for example [2, 3]).

A number of standardisation efforts have aimed at providing guidelines for cyber-security within the ICS context (see for example [4, 5, 6]). Usually, they strive to fit standard IT (Information Technology) approaches and tools to ICSs. However, ICSs are very special systems, which makes the application of the usual approaches hard. A quite deep analysis of the shortcomings of current standards is provided in [7].

In this paper, we provide an overview of the results obtained in the framework of the Preemptive project [8]. The goal of Preemptive was to improve the cyber-security of ICSs by developing innovative methods and tools to detect and protect them from cyber-intrusions, aiming at being effective even for those involving APTs. Each Preemptive tool addresses a particular detection and/or prevention problem, focusing on one of several aspects, e.g., the industrial process, the communication network, embedded devices, SCADA servers, or the use of USB thumb drives. The Preemptive project has also devised a specific risk analysis methodology [9], whose description is outside the scope of this paper. Special care was taken to consider the peculiarities of ICSs, both for exploiting the advantages of the specific context and for taking into account its constraints. A remarkable feature of the Preemptive approach is the combination of data coming from all tools into a single stream for real-time analysis, and its storage into a single database for historical analysis. Any detected event is reported to the user in customised Human-Machine Interfaces (HMIs), which show the cyber-security state of the ICS and its evolution over time, highlighting the occurrence of anomalies to the operators. In the described framework, correlation operations are carried out over the detected events, so that small, apparently irrelevant and independent events coming from different detection tools can be aggregated into one single event with higher severity, allowing the operator to handle it properly. To conclude, a tool for asset assessment provides the baseline inventory for both the event correlation and the risk assessment methodology.

This paper is organised as follows. Section 3 provides an overview of the project and introduces its comprehensive architecture. Sections 4 to 9 are dedicated to the description of each detection or prevention tool. The asset assessment tool and the engine that correlates security events are illustrated in Sections 10 and 12. Section 13 shows the results of a realistic testbed. Section 14 discusses limitations and hypotheses. Conclusions are drawn in Section 15.

2 State of the Art

Preemptive is a quite large project. In this section, we provide only an overview of the most relevant references. More specific references are provided in the section that addresses each tool, where we also highlight advancements with respect to the specific state of the art.

Examples of surveys about Network-based Intrusion Detection Systems (IDSs) are [10, 11, 12]. Specific results for SCADA systems are listed in [13]. A possible taxonomy for IDSs derived from the literature is provided in Figure 1, while a taxonomy of Host-based Intrusion Detection techniques is provided in [14].

Examples of different approaches that can be found in the literature are [15, 16, 17, 18, 19, 20]. Yang et al. [21] proposed an approach tailored for SCADA systems.

General techniques for anomaly detection in discrete sequences are described in [22].

Part of the Preemptive research work performs anomaly detection on data representing the evolution of the industrial process. The techniques used belong to the class of Artificial Immune Systems [23] and in particular to the class of Negative Selection Algorithms (NSA) [24].

Concerning intrusion detection in embedded systems, Reeves et al. [25] propose a rootkit detector. Cui et al. [26] propose a “symbiote” mechanism, specifically designed to inject intrusion detection functionality into the firmware of the device. Hardware-based solutions were also proposed in [27, 28, 29, 30].

Figure 1 A Taxonomy for IDS.

3 The Preemptive Project

The Preemptive (PREventivE Methodology and Tools to protect utilitIEs) FP7 European Project aims at providing innovative solutions to enhance the cyber-security of ICSs. It proposes tools and methodologies to detect and prevent cyber-attacks targeting the ICSs of utility companies [31]. Preemptive combines typical low-level detection tools (e.g., dealing with network traffic and system calls) with process-level misbehaviour detection tools, which are able to detect anomalies by analysing the physical quantities measured on the system. Thereby, the main contribution of Preemptive consists in the combination of process, network and host IDSs able to monitor the whole critical infrastructure, by means of a correlation engine that collects all the events, warnings and alarms generated by the different tools, elaborating runtime and historical data to identify APTs, zero-day attacks and other possible complex attacks.

All these components have been designed taking into account common ICS and SCADA vulnerabilities that may be exploited by resourceful and motivated attackers, among which we can distinguish:

• poor networking stack implementations, which make components vulnerable to Denial of Service (DoS) and buffer overflow attacks;

• components exposing interfaces that allow the configuration or control of process automation functionalities;

• protocols not defining user authentication or data integrity features, which allow attackers with network access to manipulate process control information.

As for the architecture, the tools and modules that constitute the Preemptive platform and monitor the ICS components, devices and networks are eight, namely:

Host level IDSs:

• IT-HIDS (Host IDS for IT components): monitors and checks anomalies in standard IT devices (e.g., SCADA servers, historian server, engineering workstations).

• ED-HIDS (Host IDS for Embedded Devices): monitors and checks anomalies in embedded devices (e.g., PLCs, RTUs).

• HIS (Host-based Integrity System): checks the integrity of storage devices (e.g., USB thumb drives).

Network level IDSs:

• P-NIDS (Payload-based Network IDS): analyses the packets’ content to check for anomalies.

• F-NIDS (Flow-based Network IDS): monitors the network looking for anomalous traffic behaviours.

Process level IDSs:

• PR-IDS (Process Related IDS): detects any abnormal behaviour in the normal operation of the industrial process.

Discovery Tools:

• ASAS (ASset ASsessment): vulnerability assessment tool that scans the network to discover the existing devices and provides host and network information (e.g., IP address, Operating System (OS), software version, open ports, and known vulnerabilities).

Correlation tool:

• CAEA (Context Aware Event Analysis): constitutes the core of the correlation engine, aiming at the integration and correlation of all the events/alarms raised by and collected from the tools.

The Preemptive platform’s architecture is depicted in Figure 2.


Figure 2 General architecture of the Preemptive platform.

4 IT-HIDS: Host-based IDS for IT components used in ICS

The aim of the Host-based Intrusion Detection System for standard IT components (IT-HIDS) is to detect malicious events performed against standard IT devices used in an ICS environment. In particular, we consider a computer system that hosts the application software used for SCADA system operation. The goal of the tool is to monitor the overall activities of the host while avoiding any attempt to disrupt the normal system’s operations. Jyothsna et al. [14] present a review of anomaly-based intrusion detection systems. Jiankun et al. [15] propose an HIDS detection engine based on modeling system call sequences with a Hidden Markov Model (HMM), which is the statistical model most closely related to our work. A limit of this approach is the time required for the detection of an anomaly. Creech et al. [18] propose a semantic approach to host-based detection using contiguous and discontiguous system call patterns. The drawback is that the overhead imposed by the decision engine does not meet the time constraints required in ICS environments. Yang et al. [21] propose an IDS for SCADA systems which monitors the host resource consumption and builds profiles of normal consumption based on time, leveraging auto-associative kernel regression empirical modeling and the sequence probability ratio test. This approach focuses on the detection of vulnerabilities exploitable from the ICS network and therefore it lacks the ability to detect insider threats, such as malicious operations perpetrated by an operator in the control room.

The tool design comprises three modules, as shown in Figure 3:

Figure 3 Architecture of the IT-HIDS tool.

1. Processes and Resources Capturing: used to monitor and capture the process information on the host machine, including the CPU usage and network traffic information. The gathered information is then stored in specific directories for further analysis by the host manager activity aggregator.

2. Activity aggregator: parses the information captured by the process and resource capturing component, so that it can be processed by the heuristic analysis component.

3. Learning and Detection: the same algorithm used in the Flow-based Network IDS (F-NIDS, described in Section 8) is implemented for the IT-HIDS tool. The main difference consists in the data provided. During the learning phase, the samples of normal system usage are fed to a One-Class Support Vector Machine (OCSVM) classification algorithm, which builds a baseline, i.e., a region assumed to represent normal resource consumption. During the detection phase, the samples are compared to the baseline. Any sample which differs from the normal resource consumption area by less than a certain boundary is assumed to be normal, while samples that are outside of the boundary are considered malicious. The boundary selection might vary between different computer systems.

The dataset used for tool validation is based on experiments conducted in a controlled environment that mimics the application software used in an ICS network.

5 ED-HIDS: Host-based IDS for Embedded Devices

Embedded systems represent critical components in ICSs and are characterised by limited computational resources and functionalities. Most PLCs were designed relying heavily on a “perfect” isolation (air gap) from any possible source of cyber-attacks. Recent attacks have shown this cannot be considered a safe assumption, and PLCs have been shown to be extremely vulnerable (see, for example, Beresford [32]).

In Preemptive, we propose the ED-HIDS tool, a Host-based Intrusion Detection System developed for embedded systems employed for ICS purposes (e.g., PLC, IED). This tool is able to detect attacks that aim to hijack the control flow of a process and execute arbitrary code by exploiting memory corruption vulnerabilities. In order to make the ED-HIDS tool practically applicable in a real ICS environment, the development requirements fulfilled were: (I) it was designed for embedded devices running modern OSs; (II) it does not require any hardware modification; (III) it introduces limited CPU overhead; and (IV) it does not require any virtualisation support. Our approach assumes the embedded devices are equipped with the security mechanisms commonly implemented by vendors, the so-called minimum security baseline, specified as follows:

• ASLR (Address Space Layout Randomization): a general security mechanism;

• NX memory: prevents memory from being both writable and executable;

• Full stack canaries/cookies: aids in stack-overflow mitigation;

• Full RELRO: aids in GOT-overwrite (and similar) attack mitigation;

• Heap protection: aids in heap overflow mitigation;

• Double free checking: aids in double-free mitigation.

The aforementioned minimum security baseline restricts the number of techniques that could be used by adversaries to attack embedded devices to a well-known and limited set of memory corruption exploitations. This allows us to trigger inspection only at specific points during the execution of an application. Considering Return Oriented Programming (ROP) as the control flow attack, the ED-HIDS tool employs a gadget blacklist containing the addresses of all ROP gadgets. Such a blacklist is built for all the applications to be monitored, as well as for the shared libraries they use, and it is used to check whether a memory address represents the beginning of a possible ROP gadget or not.

The architecture of the proposed solution consists of two components:

1. Monitor: it is responsible for inspecting the execution of the applications to be protected. If control is transferred to an address present in the ROP gadget blacklist, it triggers a heuristic-checking routine, passing to it the state of the monitored application.

2. Heuristic routine: it contains a CPU emulator that performs the instruction placed at the address passed by the monitor. Its goal is to identify attempts of ROP payload execution. Thereby, for every instruction executed by the emulator, the corresponding address is matched against the ROP gadget blacklist of the application or library.

The ED-HIDS tool does not inspect any input buffer when checking whether the instruction to be performed is a ROP gadget or not. The monitor layer triggers the heuristic routine only when an address matches an entry of the gadget blacklist. As a consequence, ED-HIDS has low CPU overhead and high performance.
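The monitor/heuristic split described above, as an added toy model that is not the ED-HIDS code: a constructed program image for a tiny instruction set, a gadget blacklist derived from it, a monitor that only wakes the emulator when a control transfer lands on a blacklisted address, and a heuristic that counts consecutive returns into blacklisted addresses. The gadget length bound and chain threshold are assumed values chosen for the example.

```python
"""Toy model of the ED-HIDS monitor and heuristic routine (added example).

Constructed instruction set: ("push", reg), ("pop", reg), ("mov", ...),
("add", ...), ("nop",), ("call", addr), ("ret",).  Operand values are
irrelevant to the heuristic, which only follows control flow.
"""
from typing import Dict, List, Set, Tuple

Instr = Tuple[object, ...]
MAX_GADGET_LEN = 3   # assumed: a gadget is at most 3 instructions ending in ret
CHAIN_THRESHOLD = 3  # assumed: 3 consecutive returns into gadgets => ROP chain

# Constructed program image: address -> instruction.  0x100.. is a normal
# function; 0x200.., 0x300.., 0x400.. are short runs ending in ret.
IMAGE: Dict[int, Instr] = {
    0x100: ("push", "r1"), 0x101: ("mov", "r0", 7), 0x102: ("add", "r0", "r1"),
    0x103: ("mov", "r1", 0), 0x104: ("mov", "r2", 1), 0x105: ("pop", "r1"),
    0x106: ("ret",),
    0x200: ("pop", "r0"), 0x201: ("ret",),
    0x300: ("pop", "r1"), 0x301: ("add", "r0", "r1"), 0x302: ("ret",),
    0x400: ("mov", "r2", 1), 0x401: ("ret",),
    0x500: ("call", 0x100), 0x501: ("nop",),
}


def build_blacklist(image: Dict[int, Instr], max_len: int = MAX_GADGET_LEN) -> Set[int]:
    """Every address from which a contiguous run of < max_len instructions reaches a ret.
    Note that the tail of the legitimate function (0x104..0x106) is a gadget too."""
    blacklist: Set[int] = set()
    for addr, ins in image.items():
        if ins[0] != "ret":
            continue
        for k in range(max_len):
            if addr - k not in image:
                break
            blacklist.add(addr - k)
    return blacklist


def heuristic_routine(image: Dict[int, Instr], blacklist: Set[int],
                      pc: int, stack: List[int], budget: int = 32) -> bool:
    """Emulate forward from pc (a blacklisted address) using a copy of the
    application's stack.  Report ROP when CHAIN_THRESHOLD consecutive control
    transfers (the triggering one included) land on blacklisted addresses."""
    stack = list(stack)          # top of stack is the last element
    consecutive = 1 if pc in blacklist else 0
    for _ in range(budget):
        ins = image.get(pc)
        if ins is None:
            return False         # ran off the image: nothing more to check
        op = ins[0]
        if op == "ret":
            if not stack:
                return False
            pc = stack.pop()
            if pc in blacklist:
                consecutive += 1
                if consecutive >= CHAIN_THRESHOLD:
                    return True
            else:
                consecutive = 0  # a return to ordinary code breaks the chain
        else:
            if op == "pop" and stack:
                stack.pop()      # a gadget consuming an attacker-supplied value
            elif op == "push":
                stack.append(0)
            pc += 1              # sequential flow is not a control transfer


def monitor(image: Dict[int, Instr], blacklist: Set[int],
            target: int, stack: List[int]) -> str:
    """Hook invoked on every control transfer.  The common case is one set
    lookup; the emulator runs only when the target is a known gadget start."""
    if target not in blacklist:
        return "ok"
    return "rop" if heuristic_routine(image, blacklist, target, stack) else "ok"


if __name__ == "__main__":
    bl = build_blacklist(IMAGE)
    # Normal call into the function start: no trigger at all.
    print(monitor(IMAGE, bl, 0x100, [0x501]))
    # A lone transfer onto a gadget address that returns to normal code: "ok".
    print(monitor(IMAGE, bl, 0x400, [0x501]))
    # Constructed chain after a corrupted return address: 0x200 -> 0x300 -> 0x400.
    print(monitor(IMAGE, bl, 0x200, [0x400, 0x42, 0x300, 0x41]))
```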

6 HIS: Host-based Integrity System

High-profile attackers and APTs are known to exploit USB thumb drives as an effective spreading vector. There are a number of products on the market that specifically address security for storage devices (e.g., see [33, 34]) and USB thumb drives (e.g., see [35, 36]). These solutions are mostly focused on confidentiality, while integrity is addressed on a file basis or on a block basis, allowing attacks like the restoration of previous versions of files/blocks or the deletion of files to pass undetected. Further, all these solutions adopt password-based authentication, but once the user is authenticated, full access to data is allowed, and a malware can easily infect the stored files. Our approach provides full integrity protection of critical data on USB thumb drives, is not based on user authentication, and allows the user to securely use their own regular and cheap USB memory in both ICS systems and other, possibly insecure, equipment.

Figure 4 Promiscuous use of a USB thumb drive.

The HIS (Host-based Integrity System) tool is designed to prevent any malware or tampered data from spreading into the ICS by exploiting thumb drives or generic Removable Storage Devices (RSDs). In our approach, the set of all machines is partitioned into a critical realm and a regular realm. An “infection” in the critical realm can have a big impact on the physical process. The critical realm requires special protection and is essentially made up of ICS devices. Regular machines are regular IT devices, which can be owned by the utility operator or privately held by employees.

In our model, threats originate in the regular realm and spread into the critical realm by means of malicious or accidental writing on RSDs. Consider the file copy scenario with promiscuous use of a thumb drive that is depicted in Figure 4: (i) a critical machine (e.g., an engineering workstation) writes some data (e.g., a new PLC logic) onto the thumb drive, (ii) the thumb drive is plugged into a possibly compromised regular machine, which can infect the logic or add other malicious files to the thumb drive, and (iii) the thumb drive is plugged into a critical machine (e.g., a SCADA server) that is the destination of the file copy and also the target of the attack.

Our goal is to allow the operator to perform this kind of promiscuous use while preventing potentially malicious data or code originating from regular machines from spreading into critical ones. We do this by introducing a form of cryptography-based access control solely in critical machines, which are the only trusted part in our approach. Our problem fits the well-known Biba integrity model [37], where each machine is associated with an integrity level. The rules of this model deny any flow of information from a lower level to a higher level and can be summarised with the statement “no read down, no write up”. This model is implemented in recent versions of the Windows OS [38] as a form of access control on the filesystem and, in principle, can be adopted also in ICS environments. However, when dealing with RSDs this is not possible, since we require them to be usable even on untrusted machines.

In our approach, each RSD contains one or more special directories, which we call secure zones. Any machine can read or write a secure zone. For critical machines, these operations are performed under the protection of HIS, while for regular machines they are not. For critical machines, it is strictly forbidden to perform read operations on parts of an RSD that do not belong to a secure zone. HIS, installed on critical machines, redefines the semantics of the usual read and write operations at the system call level; hence, applications are automatically and transparently protected at each read or write operation issued by standard means. This is also true for any piece of ICS-specific software such as, for example, a SCADA suite. The details of the HIS approach are depicted in Figure 5. We created HIS by leveraging available open source software that allows a developer to realise a filesystem solely by developing code that runs in user space, specifically Dokany [39] and FUSE [40].

Figure 5 The elements of the HIS and their positions within a critical machine and a removable storage device.

Each critical machine keeps its private key and a corresponding certificate (signed by a unique Certification Authority), which are generated during the installation of HIS. Given a certain state of the secure zone Z, a hash of its whole current content is denoted by h(Z). For each secure zone Z, the RSD stores a signature of Z and a last writer certificate. When the content of Z is updated by a critical machine M, it computes the signature of h(Z) by using its private key and stores it in the RSD as the signature of Z, along with its certificate as the last writer certificate of Z. Another critical machine M′ can check the integrity of Z relying only on the content of the RSD and on its locally stored public key of the certification authority.

A critical aspect for the efficiency of HIS is the time complexity of updating the hash h(Z) upon writing of a small quantity of data (with respect to the content of the filesystem) and of checking the integrity of the result of a read operation of a small quantity of data. We adopt a specifically tailored Authenticated Data Structure (ADS), stored on the same RSD for each secure zone, to speed up both cases. Further details about ADSs and their use for storage systems can be found in [41, 42, 43]. A more formal description of HIS, comprising a deep security analysis and applicability considerations, can be found in [44].
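As an added illustration of the hash-update cost discussed above (example code, not the HIS implementation nor the ADS described in [44]): a block-level Merkle tree over a constructed zone, with a one-block write that rehashes only the path to the root and a per-block proof that lets a reader verify a small read against the root. The signature over the root by the writing machine is not shown.

```python
"""Block-level Merkle tree over the content of one secure zone (example code,
not the HIS implementation). A small write costs O(log n) hashes and a small
read is checked with a short proof. The zone content used below is constructed."""
import hashlib

BLOCK_SIZE = 16   # deliberately small so the sample zone spans several blocks


def _h(data):
    return hashlib.sha256(data).digest()


class MerkleZone:
    """Leaves hash 0x00||block, inner nodes hash 0x01||left||right (domain
    separation); an unpaired node at the end of a level is paired with itself."""

    def __init__(self, content):
        self.blocks = [content[i:i + BLOCK_SIZE]
                       for i in range(0, len(content), BLOCK_SIZE)] or [b""]
        self._build()

    @staticmethod
    def _parent(level, i):
        """Hash of the pair (i, i+1) in `level`, i even."""
        right = level[i + 1] if i + 1 < len(level) else level[i]
        return _h(b"\x01" + level[i] + right)

    def _build(self):
        self.levels = [[_h(b"\x00" + b) for b in self.blocks]]
        while len(self.levels[-1]) > 1:
            prev = self.levels[-1]
            self.levels.append([self._parent(prev, i) for i in range(0, len(prev), 2)])

    def root(self):
        """h(Z): the value a critical machine signs and stores on the RSD."""
        return self.levels[-1][0]

    def write_block(self, idx, data):
        """Small write: replace one block and rehash only the path to the root."""
        self.blocks[idx] = data
        self.levels[0][idx] = _h(b"\x00" + data)
        i = idx
        for lvl in range(1, len(self.levels)):
            i //= 2
            self.levels[lvl][i] = self._parent(self.levels[lvl - 1], 2 * i)

    def proof(self, idx):
        """Small read: sibling hashes from leaf to root, each flagged with whether
        the node on our path is the left child of its pair."""
        path, i = [], idx
        for level in self.levels[:-1]:
            j = i ^ 1
            sib = level[j] if j < len(level) else level[i]
            path.append((sib, i % 2 == 0))
            i //= 2
        return path


def verify_block(root, data, path):
    """Check one block against the zone root using its proof; this is all a
    reader needs besides the (signed) root."""
    node = _h(b"\x00" + data)
    for sib, is_left in path:
        node = _h(b"\x01" + node + sib) if is_left else _h(b"\x01" + sib + node)
    return node == root
```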


8 E. Etcheves Miciolino et al.

Recently, the BadUSB [45] class of attacks was disclosed, where a USB thumb drive hosts a malicious firmware that mimics a human-interface device, like, for example, a keyboard. HIS cannot prevent attacks of this kind. However, within Preemptive this problem was addressed by developing specific hardware. The details of this work are provided in [46].

7 P-NIDS: Payload-based Network IDS

The P-NIDS is a Network Intrusion Detection System (NIDS) that aims at detecting semantic attacks to ICSs by analysing the content of the payload of network packets.

Network packets typically consist of two main parts: a header containing information necessary to the delivery of the message, and a payload with the actual data that is delivered. Existing payload-based NIDS solutions aim primarily at: i) detecting variations in the length or contents of the payload in order to identify threats such as buffer overflow or injection attacks [47, 48, 49], ii) detecting deviations from the protocol specification by using a policy-based [50] or a learning-based approach [51] to identify attacks that, e.g., exploit protocol vulnerabilities, and iii) detecting semantic attacks to the control process by relying on the presence or the engineering of an accurate specification of the actual physical behaviour of the system [52, 53]. As such, none of the existing solutions is able to detect semantic attacks, i.e., attacks that undermine the semantics of a process by tampering with measurement readings or by crafting malicious commands, without the availability of a complete characterization of the control process.

With the P-NIDS we enhance the state-of-the-art as follows:

• we provide a solution to monitor process variables with zero to minimal input from domain experts being required. To this end, we first learn the variables’ trends and we then detect deviations from their normal behaviour that might indicate the presence of a semantic attack. Specifically, we provide distinct techniques to deal with continuous and binary variables, as well as with a set of (binary) variables that are interdependent;

• we provide a technique that, based on a pre-analysis of the process variables observed over the network, automatically classifies them and suggests a list of variables that are good candidates for the monitoring. Thanks to this technique, the P-NIDS can be deployed even in cases where process specification documents are not available, thus it requires minimum input from the operators;

• we identify a wide set of indicators of compromise (IOCs) for several ICS-specific protocols. An IOC is represented by a set of conditions that, if present on a network, might suggest the presence of an intrusion.

The main functionalities of the P-NIDS tool, sketched in Figure 6, are:

1. Traffic capture and process variables extraction: initially, the network traffic is collected and parsed. For example, the P-NIDS could monitor the traffic between a SCADA and a PLC. At this level the raw packets need to be captured and decoded, and application level messages need to be parsed in order to identify the different variables and associated values. In addition, it is important to provide a mechanism that allows a listener to be notified when a new data point for a specific variable is available, so that such value can be taken into account. To such end, we have built a Script Engine on top of SilentDefense, the intrusion detection system of SecurityMatters [54]. While SilentDefense provides the functionalities to capture and parse network traffic, the Script Engine provides an event management mechanism that generates callbacks when specific events (e.g., the availability of a new data point) occur.

2. Variable selection and characterization: once the variables and their values have been extracted from the network, it is necessary to characterize them. For example, based on their data type (e.g., whether they are continuous, constant, binary or discrete) one might guess whether a variable represents a physical measurement, a setpoint, a status or a command. In addition, it should be possible to distinguish critical variables from non-critical ones. Consider that the number of variables present in an industrial control system is typically very high and monitoring all of them is impracticable, as it would lead to high operational costs for alert analysis. Two approaches could be followed to obtain meaningful information about process variables: i) leverage the knowledge of domain experts; or ii) apply heuristics to infer such information directly from the network data (e.g., a variable can be classified as a constant in case only a single value has ever been observed during the learning period). Although the first method is the most accurate, it is also the most expensive one, since it requires significant effort and time from operators. For this reason, we provide a technique that leverages data coming from the network to infer information about the variables.

3. Learning and Detection: once the set of critical variables has been identified, it is necessary to learn their normal behaviour in order to detect any dangerous deviation. During the learning phase, we should understand how such a variable changes over time and how its value depends on its past values or other variables’ values. Having obtained an accurate prediction model, during detection we can compare the results of our predictions with the current values: in case the distance between the predictions and the actual values is too high, we can assume that an anomalous behaviour is ongoing, hence we can raise an alert to notify the interested party. Clearly, choosing the right prediction model for a variable depends on multiple factors such as the type of the variable and its statistical properties. With our P-NIDS we apply distinct techniques for different kinds of variables. Specifically, we use autoregression to model continuous variables, variable-length Markov chains to model single binary variables and Bayesian networks to model a system of binary variables.

Figure 6 The P-NIDS tool general approach.
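An added example of the autoregression case for a single continuous variable (example code, not the P-NIDS implementation): an AR(2) model is fitted to a constructed tank-level series, an alert threshold is derived from the training residuals, and a tampered reading offset is then flagged in the detection phase. The signal, its ripple terms and the manipulation are all constructed.

```python
"""AR-based deviation detection for one continuous process variable, as an added
example of the P-NIDS learning/detection step (not the project's code)."""
import math


def make_series(start, stop, manip_from=None, manip=0.0):
    """Constructed tank-level readings: 2*sin(0.2 t) around 10, plus two small
    ripple terms standing in for measurement noise. From index manip_from on,
    `manip` is added to the reported value (a tampered reading)."""
    out = []
    for i, t in enumerate(range(start, stop)):
        v = (10.0 + 2.0 * math.sin(0.2 * t)
             + 0.05 * math.sin(1.7 * t) + 0.03 * math.cos(0.37 * t))
        if manip_from is not None and i >= manip_from:
            v += manip
        out.append(v)
    return out


def _solve(a, b):
    """Gaussian elimination with partial pivoting for the small normal equations."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def fit_ar(series, p):
    """Least-squares AR(p): x_t ~ c + a_1 x_{t-1} + ... + a_p x_{t-p}.
    Returns [c, a_1, ..., a_p]."""
    rows = [[1.0] + [series[t - i] for i in range(1, p + 1)]
            for t in range(p, len(series))]
    y = series[p:]
    n = p + 1
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    atb = [sum(r[i] * v for r, v in zip(rows, y)) for i in range(n)]
    return _solve(ata, atb)


def predict(coef, history):
    return coef[0] + sum(coef[i] * history[-i] for i in range(1, len(coef)))


def learn(series, p=2, k=4.0):
    """Learning phase: fit the model and set the alert threshold to k standard
    deviations of the training residuals."""
    coef = fit_ar(series, p)
    res = [series[t] - predict(coef, series[:t]) for t in range(p, len(series))]
    std = math.sqrt(sum(r * r for r in res) / len(res))
    return coef, k * std


def detect(model, series):
    """Detection phase: indices whose reading is too far from the AR prediction."""
    coef, threshold = model
    p = len(coef) - 1
    return [t for t in range(p, len(series))
            if abs(series[t] - predict(coef, series[:t])) > threshold]


def demo():
    """Train on 400 clean samples, then run detection on a clean window and on
    the same window with the readings offset by +2.0 from index 150 on."""
    model = learn(make_series(0, 400))
    clean = detect(model, make_series(400, 700))
    attacked = detect(model, make_series(400, 700, manip_from=150, manip=2.0))
    return clean, attacked
```

Only the onset of the manipulation is flagged: once the offset is present in the history the AR prediction follows it, which is why the learned model must be re-checked against trusted data after an alert.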

The P-NIDS tool has been validated on (simulated and real) data coming from several domains. According to our results, the P-NIDS is able to:

• detect irregularities over the values of continuous and binary variables that might indicate a semantic attack (e.g., activities as performed by Stuxnet);

• detect anomalies in the behaviour of a system of variables, that might indicate the presence of a semantic attack acting over multiple variables (e.g., the Aurora attack); and

• carry out the detection in an agnostic fashion, meaning we need very limited or no input from domain experts or configuration files. This characteristic facilitates the applicability of our approach in different domains, enhancing its adoptability.

8 F-NIDS: Flow-based Network IDS

The aim of the Flow-based Network Intrusion Detection System (F-NIDS) is to detect anomalous network activities in ICS network traffic.

State-of-the-art flow-based NIDS can be classified as (i) pattern-based solutions that learn the amount of flows in a network [55], (ii) time-based solutions that analyse the network flow by looking at the packet timings [56]; and (iii) clustering-based solutions that aggregate flows to form clusters of similar flow records [57]. Most of the existing solutions deploy a single approach for their detection so, as far as we know, the F-NIDS is the first example of a hybrid solution that embeds deterministic rules and a learning approach together. With our F-NIDS we enhance the state of the art by (i) creating a flow-based NIDS that is designed to deal with ICS-specific protocols such as Modbus/TCP and (ii) being able to detect anomalies in the traffic flow that might indicate the presence of a flood attack, a man-in-the-middle or a denial-of-service.

The design uses a two-layer detection approach, consisting of deterministic and heuristic methods. The deterministic approach is used to check the validity of IP addresses on the network, to make sure an IP address is not used for snooping or attacks. This stage contributes to the logic IP collector for MITM attack detection. On the other hand, the heuristic approach is used to identify flow-based anomalous behaviours on the network, analysing the packet size, flow size and packets per second.

Figure 7 Architecture of the F-NIDS tool.

The F-NIDS tool comprises four different modules, as shown in Figure 7, specifically:

1. Flow information capturing and extractor: during this stage, the traffic exchanged between the field devices and the SCADA servers is collected and the IP header information is parsed and transformed into flow data. We capture only traffic with ICS-specific protocols. Although our solution has been implemented for Modbus/TCP it can be easily extended to any other protocol.

2. Logic Protocol and IP collector: once the data about the traffic flow is collected and stored in the database, the valid IPs and protocols for the network are to be identified. To such end, we apply the deterministic approach, relying on the information provided by operators about the valid IP addresses and protocols that are used within the network we are monitoring, which are then white-listed.

3. Network flow information aggregator: the network flow aggregator extracts from the data the right features that enable the learning of the traffic flow. These features are computed for each flow and include: (i) number of packets per second, (ii) flow size, and (iii) packet size. These can be computed regardless of the flow direction or for a given source-destination pair.

4. Learning and Detection: the set of features extracted during the previous phase is then passed to the learning and detection phase. Initially, the typical value of the chosen feature in each flow is registered. During detection an alert is raised if there is a variation between the observed parameter and the learned one.

The learning and detection techniques are implemented using the One Class Support Vector Machine (OCSVM) algorithm. This approach employs sequential minimal optimization to solve the quadratic programming problem using Lagrange multipliers [58]. The algorithm maps the data into a high dimensional feature space through a kernel and performs iterations to find the maximal margin hyperplane that best fits the separation of the training dataset.

In the case of ICS networks, the network flow traffic can be related to the sample dataset, which can be represented by a numeric dataset, in order to identify lower and upper bounds using the heuristic approach. The OCSVM is able to dynamically learn and detect the boundary in datasets based on the input parameter given. The OCSVM approach has been used by [59] for deep packet inspection in ICS networks.

The tool has been tested and validated with simulated data obtained from the emulation of micro grids and from a simulated water tank, implemented within the Preemptive project. The datasets include the normal operation under certain operational conditions and malicious activities, due to port scanning and ARP spoofing.
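The two-layer design of this section, as an added example that is not the F-NIDS code: per-pair flows are built from constructed Modbus/TCP packet records, a host/protocol whitelist forms the deterministic layer, and learned lower/upper bounds on packets per second, flow size and packet size stand in for the OCSVM as the heuristic layer. The addresses and traffic below are constructed.

```python
"""Two-layer flow check in the style of the F-NIDS (example code, not the
project's): whitelist first, then per-flow features against learned bounds.
Learned min/max bounds with a margin replace the OCSVM of the real tool."""
from collections import defaultdict

# Deterministic layer: the operator-supplied valid hosts and protocols (constructed).
WHITELIST_HOSTS = {"10.0.0.1", "10.0.0.10", "10.0.0.11"}   # SCADA server and two PLCs
WHITELIST_PROTOS = {"modbus/tcp"}
FEATURES = ("pps", "flow_size", "pkt_size")


def polling(src, dst, count, period, size, proto="modbus/tcp", start=0.0):
    """Constructed packet records (t_seconds, src, dst, proto, size_bytes)."""
    return [(start + i * period, src, dst, proto, size) for i in range(count)]


def extract_flows(packets):
    """Aggregate packets per (src, dst, proto) into the three F-NIDS features:
    packets per second, total flow size in bytes and mean packet size."""
    groups = defaultdict(list)
    for t, src, dst, proto, size in packets:
        groups[(src, dst, proto)].append((t, size))
    flows = {}
    for key, recs in groups.items():
        times = [t for t, _ in recs]
        total = float(sum(s for _, s in recs))
        duration = max(times) - min(times)
        pps = len(recs) / duration if duration > 0 else float(len(recs))
        flows[key] = {"pps": pps, "flow_size": total, "pkt_size": total / len(recs)}
    return flows


def learn_bounds(flows, margin=0.5):
    """Heuristic layer, learning: per-feature [min, max] widened by a margin."""
    bounds = {}
    for f in FEATURES:
        vals = [v[f] for v in flows.values()]
        lo, hi = min(vals), max(vals)
        span = (hi - lo) or abs(hi) or 1.0
        bounds[f] = (lo - margin * span, hi + margin * span)
    return bounds


def detect(flows, bounds):
    """Deterministic check first, then feature bounds; returns (src, dst, reason)."""
    alerts = []
    for (src, dst, proto), feats in flows.items():
        if src not in WHITELIST_HOSTS or dst not in WHITELIST_HOSTS:
            alerts.append((src, dst, "unknown-host"))
            continue
        if proto not in WHITELIST_PROTOS:
            alerts.append((src, dst, "unknown-protocol"))
            continue
        for f in FEATURES:
            lo, hi = bounds[f]
            if not lo <= feats[f] <= hi:
                alerts.append((src, dst, f + "-out-of-bounds"))
    return alerts


def demo():
    """Learn from 1 Hz polling of both PLCs, then test a normal poll, a request
    flood from the SCADA address and traffic from a host not on the whitelist."""
    baseline = []
    for plc in ("10.0.0.10", "10.0.0.11"):
        baseline += polling("10.0.0.1", plc, 10, 1.0, 64)
        baseline += polling(plc, "10.0.0.1", 10, 1.0, 80)
    bounds = learn_bounds(extract_flows(baseline))
    normal = polling("10.0.0.1", "10.0.0.10", 10, 1.0, 66)
    flood = polling("10.0.0.1", "10.0.0.10", 500, 0.02, 64)
    stranger = polling("10.0.0.99", "10.0.0.10", 5, 1.0, 64)
    return (detect(extract_flows(normal), bounds),
            detect(extract_flows(flood + stranger), bounds))
```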

9 PR-IDS: Process Related IDS

The Process Related Intrusion Detection System (PR-IDS) tool analyses data at the industrial process level, i.e., the physical domain. In the literature, it is common to find solutions that aim at protecting ICSs by gathering information at the communication level. Only in rare cases is the detection performed using information from the process level. Thetaray [60] monitors ICSs in real-time using data collected at the process level. The ICS2 On-Guard system [61] adopts a machine learning technique to characterize the normal behaviour of the system and detect deviations from it. These tools are commercial and information about their detailed operation or about their performance is not available. Therefore, an actual comparison with respect to PR-IDS cannot be performed.

The tool is designed to raise an alarm or warning as soon as it detects an abnormal behaviour in the monitored process(es). The PR-IDS tool receives from the control system all the measurement variables available from the network in real-time.

The set of measurements is first processed to define the operation states of the system by applying different methods of data analysis, in particular methods for scaling the measurement values and for dimensionality reduction (like principal component analysis). Those states may correspond to normal or abnormal functioning conditions of the utility.

The PR-IDS tool bases its detection capabilities on the Negative Selection Algorithm (NSA) [24], that belongs to the group of Artificial Immune Systems computational techniques [23]. NSA’s underlying idea is the possibility to distinguish between a self and a non-self behaviour of a system by generating a set of detectors that cover the non-self region of the operation states. In this context, self is defined by the set of normal operation states (NOS) of the monitored process, while any event lying outside the self subset of operation states is considered an anomaly.

The V-detector algorithm implementation of a NSA is used as the base algorithm for detection [62, 63]. V-detector allows the generation of variable-sized detectors and the use of real-value representation, among other differential features, to obtain the set of detectors.

The detection system works basically in two phases:

(I) The training phase, that requires historical data to characterize the NOS and generate the detector set; and (II) the detection phase, that performs detection once the group of detectors has been obtained and the system is connected to the process level. All incoming data is tagged, in real-time, as normal or abnormal, according to the result of the detection algorithm.

Both the training and detection phases consist mainly of three sequential processes: normalization, dimensional reduction and detection. The tool workflow is summarized in Fig 8(a).

An example of the operation state space is shown in Fig 8(b). A set of normal operation states (gray circles) and the detectors generated around them (green circles) are displayed. In addition, an operation state is detected as abnormal, since its state vector falls on a region covered by detectors (black and red circle).
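The training and detection phases just described, as an added example (not the PR-IDS implementation): normalization of constructed (voltage, current) states, V-detector-style generation of variable-sized detectors outside the self region, and tagging of a state as normal or abnormal. The dimensionality-reduction step is omitted, and candidate detector centres come from a fixed grid instead of random sampling so that the run is reproducible.

```python
"""Negative Selection with V-detector-style variable-sized detectors, as an
added example of the PR-IDS phases (not the project's code). Assumptions: two
measured variables, min-max scaling with a margin, no PCA step, grid candidates."""
import itertools
import math

SELF_RADIUS = 0.05   # how far (normalised units) a state may sit from a known NOS


def normal_operation_states():
    """Constructed NOS: 40 (voltage, current) samples of a quiet operating regime."""
    return [(10.0 + 0.3 * math.sin(i), 5.0 + 0.2 * math.cos(1.3 * i)) for i in range(40)]


def fit_scaler(states, margin=0.5):
    """Per-variable min/max widened by `margin` of the span, so the NOS maps
    inside the unit cube rather than onto its faces."""
    lo, hi = [], []
    for col in zip(*states):
        span = (max(col) - min(col)) or 1.0
        lo.append(min(col) - margin * span)
        hi.append(max(col) + margin * span)
    return lo, hi


def scale(scaler, state):
    lo, hi = scaler
    return tuple((x - l) / (h - l) for x, l, h in zip(state, lo, hi))


def unscale(scaler, norm):
    lo, hi = scaler
    return tuple(l + f * (h - l) for f, l, h in zip(norm, lo, hi))


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def generate_detectors(self_states, dim, steps=32):
    """Training: every grid candidate that is not yet covered and lies outside the
    self region becomes a detector whose radius reaches exactly to the self boundary
    (a detector can therefore never contain a normal operation state)."""
    detectors = []
    for idx in itertools.product(range(steps + 1), repeat=dim):
        cand = tuple(i / steps for i in idx)
        if any(dist(cand, c) < r for c, r in detectors):
            continue                                  # already covered
        d = min(dist(cand, s) for s in self_states)
        if d > SELF_RADIUS:
            detectors.append((cand, d - SELF_RADIUS))
    return detectors


def train(states):
    scaler = fit_scaler(states)
    return scaler, generate_detectors([scale(scaler, s) for s in states], len(states[0]))


def classify(model, raw_state):
    """Detection: a state inside any detector is tagged abnormal."""
    scaler, detectors = model
    norm = scale(scaler, raw_state)
    return "abnormal" if any(dist(norm, c) < r for c, r in detectors) else "normal"


def demo():
    nos = normal_operation_states()
    model = train(nos)
    far_state = unscale(model[0], (0.875, 0.125))   # a reading far from every NOS
    return classify(model, nos[7]), classify(model, far_state), len(model[1])
```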

For the implementation of the tool, a multi-agent architecture approach has been adopted to tackle the complex problem arising in any industrial process from the analysis of a large number of physical variables monitored in real-time. Agents are independently running entities (that monitor a specific part of the process, area of the system, etc.) and can be added, removed and reconfigured without altering the other components, and without restarting the local IDSs. The tool’s architecture was built over the open source distributed real-time computation system Apache Storm.

The tool has been tested and validated with simulated data originated within the Preemptive project, that included normal operation and known anomalies, and real data provided by members of the project Consortium. In all cases, the detection rates obtained were above 90% and up to 100% in some cases. Results of an implementation of the multi-agent approach analysing electrical simulations performed, within the project framework, by IREC colleagues in the CIGRE MV model system with DER (distributed energy resources) are available at [64]. Single- and multi-agent approaches have been compared, obtaining better results with the latter.

Figure 8 Top: workflow inside the PR-IDS tool consisting mainly of three sequential phases: normalization, dimensional reduction and detection. Bottom: example of a set of normal operation states, the detectors generated around them, and an abnormal operation state.

10 ASAS: ASset ASsessment

The ASAS tool aims to support the Event Analysis as well as the Asset Assessment Process during the application of the Security Assessment Methodology [9] devised within Preemptive. ASAS provides access to automatically generated network models to enhance the event correlation process carried out by the CAEA tool. Concerning the Security Assessment Methodology, the network models are used off-line as network documentation automatically generated from information available in the network.


Figure 9 Overview of the ASAS implementation architecture.

The idea to support the intrusion detection process by network information dates back to 1998 [65]. In 2001 [66] and 2004 [67] M. Roesch introduced the concept of a Target-based IDS (TIDS) and Real Time Network Awareness (RNA). He mentioned that actual network security devices are working in a contextual vacuum as they have no knowledge about network topology, network assets and asset criticality. This kind of information can be collected passively or actively. Passive collection has the advantage of not disturbing any critical network elements, but it can discover only systems that are communicating. Active probing is certainly much faster but puts additional load on the network and may disturb network elements. In between are approaches using network management methods, which may use out-of-band communication (separate management networks) and have minimal risk of disturbances as normal means of communication are used. A comprehensive survey on passive detection methods is provided by [68]. Systematic network modelling may be used to present the collected information. A formal way of description is the approach of [69] and [70]. A rich data model description can be found in [71] and [72]. An approach based on IETF RFCs is provided by [73], [74] and [75]. They use the high-level data modelling language YANG [76], which is accompanied by [77].

As shown in Figure 9, ASAS is actually a suite that comprises the following modules: a Topology Server, an Inventory Server and a Vulnerability Server. They have different levels of intrusiveness with respect to the ICS. The Inventory Server is totally passive and uses only a mirror stream from the target network. The Topology Server makes use of the infrastructure components and queries via network management techniques the switches that provide the target network. In contrast to these less intrusive components, the Vulnerability Server works in an active way: it targets directly the servers, PLCs and RTUs. All modules are implemented using existing open source products.

1. Inventory Server: provides node and service discovery and OS fingerprinting by passively listening to the network traffic. This way, active devices can be discovered. This module is based on the open source product PRADS [78]. The output of this module is analysed and transformed into an XML-encoded inventory model. The model specification has been done using the modelling language YANG, which guarantees a standards-based description of the network.

2. Topology Server: performs link discovery and generates a model describing the topological structure of a network. This model is based on the discovery function of the open source network management platform OpenNMS [79]. This function performs SNMP-based collection of topology related information and stores it into a SQL database from which an XML-encoded topology model is generated. The model specification has been done, as above, using the modelling language YANG.

3. Vulnerability Server: is based on OpenVAS (Open Vulnerability Assessment System), a framework for vulnerability scanning and vulnerability management. OpenVAS [80] is the open source fork of Nessus and targets mainly Office IT. Since Office components like Windows servers are widely used in ICSs, OpenVAS could be used as-is for assessing servers belonging to SCADA systems. Nevertheless, OpenVAS is not aware of the peculiarities of industrial equipment and, therefore, does not check for vulnerabilities in PLCs and RTUs. In order to overcome this issue, we implemented specific Network Vulnerability Tests (NVTs) to extend the testing features of OpenVAS. Implemented as a wrapper, an NVT runs the external testing scripts, captures their output and feeds it into OpenVAS.

Security scans in the ICS network are scheduled on a regular basis. Once they are completed, an updated asset report formatted in Asset Reporting Format (ARF) is generated and made available to the CAEA tool.

11 Data Collection and Storing

Each of the aforementioned tools has been designed for a specific scope. The Preemptive approach consists in collecting heterogeneous data from host, process and network IDSs, combining the capabilities of multiple tools that are singularly able to detect a specific set of anomalies and cyber-attacks. The goal is thereby to perform correlation and analysis based on data mining techniques to provide the operators with a broader and improved view. This allows them to adequately monitor the cyber-security state of the whole system and makes possible the detection of anomalous behaviours, intrusions, and attacks that are better identified after the aggregation of heterogeneous events.

As depicted in Figure 2, when an event, warning or alarm is raised from one or more of the detection modules composing the Preemptive platform, a well defined set of information identifying the event is formatted and sent to the VBrain Adapter. The data commonly used for this purpose includes date and time (timestamp), the tool that triggered the event, event type, importance rating (severity) and action performed (if any). In addition, detailed information about the event is provided, such as the anomaly source (host, device, process or service), destination, exploitation methods, among others. Given the data heterogeneity, it was important to choose a unique format able to normalise the input messages for the correlation engine and integrate the acquired information in a standardized manner. To this end, the tools generate messages according to the CEF format [81], adapted for our purposes, and the VBrain Adapter collects all the alerts received through a dedicated socket, allowing their processing and storage.

It is also worth considering that topologies and configurations in the target systems may change over time, as elements and devices can be dynamically added and removed from the network. Thereby, the CAEA tool is able to adapt according to network management information sent from the ASAS tool. In addition, as the tools work in a standalone fashion, timestamp accuracy and consistency has been managed by employing the Network Time Protocol (NTP), so as to avoid time-related analysis problems and association errors.

The VBrain Adapter, which represents the interface between the Preemptive tools and the correlation engine, is composed of two modules:

• a TCP/UDP listener that gathers the CEF messages and XML files sent by the tools;

• a module that checks the syntax of the received messages, parses the fields, stores the data in the database, and makes it available to the CAEA tool.
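The second module, as an added example (not the VBrain Adapter code): CEF messages of the kind the tools would emit are syntax-checked, their header and extension fields parsed with the CEF escape rules, and the result stored in an in-memory SQLite table. The signature ids, addresses and message texts below are constructed; only the tool names are the paper's.

```python
"""Intake of CEF alert messages for a VBrain-Adapter-like collector: syntax
check, field parsing and storage (sqlite3 in memory here). Example code, not
the project's; the sample lines are constructed."""
import re
import sqlite3

# Extension key=value pairs; values may contain spaces and the escapes \= and \\.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")

SAMPLE_LINES = [
    # P-NIDS alert: a process variable left its learned range
    "CEF:0|Preemptive|P-NIDS|1.0|101|Process variable deviation|7|"
    "rt=1496322000000 src=10.1.1.5 dst=10.1.1.20 act=alert msg=Level outside prediction band",
    # HIS alert; note the escaped pipe in the name and the escaped '=' in msg
    "CEF:0|Preemptive|HIS|1.0|201|Secure zone check failed on A\\|B|9|"
    "rt=1496322060000 src=ENG-WS-01 act=blocked msg=Expected hash \\= stored hash",
    "this is not a CEF line",                                               # rejected
    "CEF:0|Preemptive|F-NIDS|1.0|301|Flow anomaly|high|rt=1 src=10.1.1.9",  # bad severity
]


def _split_header(msg):
    """Split the seven pipe-delimited header fields, honouring the backslash
    escapes. Returns (fields, raw_extension) or None if fewer than seven pipes."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg):
            cur.append(msg[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return (fields, msg[i:]) if len(fields) == 7 else None


def parse_cef(msg):
    """Return a dict for a well-formed message, None for a syntax error."""
    split = _split_header(msg)
    if split is None:
        return None
    fields, ext_raw = split
    if not fields[0].startswith("CEF:") or not fields[0][4:].isdigit():
        return None
    if not fields[6].isdigit() or not 0 <= int(fields[6]) <= 10:
        return None
    ext = {m.group(1): re.sub(r"\\(.)", r"\1", m.group(2))
           for m in _EXT_RE.finditer(ext_raw)}
    return {"version": int(fields[0][4:]), "vendor": fields[1], "tool": fields[2],
            "tool_version": fields[3], "event_id": fields[4], "name": fields[5],
            "severity": int(fields[6]), "ext": ext}


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts TEXT, tool TEXT, event_id TEXT, name TEXT, "
               "severity INTEGER, src TEXT, dst TEXT, action TEXT, raw TEXT)")
    return db


def ingest(db, lines):
    """Store every well-formed line; return (stored_count, rejected_lines)."""
    stored, rejected = 0, []
    for line in lines:
        ev = parse_cef(line.rstrip("\r\n"))
        if ev is None:
            rejected.append(line)
            continue
        e = ev["ext"]
        db.execute("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?)",
                   (e.get("rt"), ev["tool"], ev["event_id"], ev["name"], ev["severity"],
                    e.get("src"), e.get("dst"), e.get("act"), line))
        stored += 1
    db.commit()
    return stored, rejected


def demo():
    db = open_store()
    stored, rejected = ingest(db, SAMPLE_LINES)
    rows = db.execute("SELECT tool, severity FROM events ORDER BY severity DESC").fetchall()
    return stored, rejected, rows
```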

12 CAEA: Context Aware Event Analysis

Complex events can be detected as a collection of singular events taking place over time or spread over different devices, hosts or network segments. Thereby, the correlation engine aims to find relations among seemingly unrelated alarms and events, in order to detect potentially complex unknown attacks.

Real-time operation can be crucial when dealing with the most critical parts of an ICS. Detecting a malicious intruder targeting physical processes in real-time can make a vital difference in terms of public safety and security. Thereby, the Context Aware Event Analysis tool is composed of a runtime analysis module and a historical analysis module. As previously stated, the data parsed by the VBrain Adapter is sent both to the runtime data analysis module of the correlator engine and stored in a dedicated database. The latter is periodically queried by the historical analysis module for further processing and data mining. Thereby, both CAEA modules produce alarms as outputs, which are made visible to the operators through the Preemptive HMI.

1. Runtime Data Analysis: it has been designed to detect a priori known events by means of a predefined set of correlation rules. Such a set has been obtained considering all the available information provided by the different detection tools and the specific operating context. Hence, if one or more of the default conditions is matched, an alarm is triggered and displayed on the Preemptive HMI. To such end, a Complex Event Processing (CEP) module has been employed, which performs a matching of the stream of incoming events against a known pattern, and allows to elaborate a large number of alarms in near-real-time. Specifically, NEsper [82] (the .Net available version of Esper) has been chosen, as it enables the development of applications that process large volumes of incoming messages or events from multiple sources, analysing the events on the basis of predefined rules, and responding to conditions of interest in real-time.

Some of the main advantages provided by this technique are the near-real-time capabilities of the tool, the ability to analyse a potentially unlimited stream of data, and the possibility to arbitrarily modify the set of rules, depending on the events to be revealed. Exploiting this last feature, the CAEA engine can be easily updated with new correlation rules for known or potential threats, and it is also possible to create, edit and customise correlation rules in order to improve its detection performance with the know-how and past experiences of the experts.

2. Historical Data Analysis: is based on event mining techniques, implemented on all the acquired data that is stored in the database to study the frequency of attempted attacks and to reduce the number of false positive alarms. To such end, an implementation of the Apriori algorithm [83] has been employed, developed for the discovery of association rules and frequent item set mining. In this framework, an association rule expresses an association between items, events in our case. It states that if an event takes place one can be confident (with a certain probability) that another event of the set took or will take place. The association rules assessment is carried out by setting two parameters defined by the algorithm: the support, that indicates how frequently the item set appears in the database, and the confidence, indicating how often the rule has been found to be true. The choice of these two parameters allows to modulate the type of rules to be found, and thereby the objective of the correlation tool. For example, APT detection has been addressed by lowering the support (event repeating few times) and setting a high confidence (the same sequence of events is triggered each time it takes place). Moreover, several instances of the Apriori algorithm can be run with different parameter settings over the same database in order to retrieve different types of event correlations.

The set of association rules obtained by the historical data analysis module is then provided to the runtime data analysis module, making them available for the near-real-time detection. In addition, as the found association rules actually constitute a particularly combined set of anomalous events, an alert is triggered on the Preemptive HMI.

Given the large number of rules that may be found by the use of this type of algorithms, the operator know-how still represents a required contribution. Hence, it has been developed as a decision support system, and a mechanism to acknowledge the newly found rules has been implemented, making it possible to discard all those rules that would not provide any further information or added value to the CAEA tool. Aside from Apriori, the system’s flexibility allows to implement different types of algorithms for data mining and association rule induction.
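The Apriori step of the historical analysis, as an added example (not the CAEA implementation): frequent event sets and association rules are mined from constructed correlation windows of tool alerts, using the low-support/high-confidence setting the text describes for APT-style chains. The event labels and windows are constructed; only the tool names are the paper's.

```python
"""Apriori association-rule mining over windows of alerts, as an added example
of the CAEA historical analysis step (example code, not the project's own)."""
from itertools import combinations

# Constructed transactions: the distinct tool:event labels seen in each
# correlation window of the alert database.
WINDOWS = [
    {"F-NIDS:arp-spoofing", "P-NIDS:variable-deviation", "PR-IDS:abnormal-state"},
    {"F-NIDS:arp-spoofing", "P-NIDS:variable-deviation", "PR-IDS:abnormal-state"},
    {"F-NIDS:arp-spoofing", "P-NIDS:variable-deviation"},
    {"IT-HIDS:new-process"},
    {"IT-HIDS:new-process", "HIS:zone-integrity-failure"},
    {"F-NIDS:port-scan"},
    {"F-NIDS:port-scan", "IT-HIDS:new-process"},
    {"HIS:zone-integrity-failure"},
]


def apriori(transactions, min_support):
    """Frequent item sets (frozensets) mapped to their support fraction.
    Size-k candidates are joined from frequent (k-1)-sets and kept only if every
    (k-1)-subset is frequent (downward closure), then counted in the database."""
    tx = [frozenset(t) for t in transactions]
    n = len(tx)

    def support(itemset):
        return sum(1 for t in tx if itemset <= t) / n

    current = {}
    for item in {i for t in tx for i in t}:
        s = support(frozenset([item]))
        if s >= min_support:
            current[frozenset([item])] = s
    frequent = dict(current)
    k = 1
    while current:
        k += 1
        candidates = set()
        for a, b in combinations(list(current), 2):
            u = a | b
            if len(u) == k and all(frozenset(sub) in current
                                   for sub in combinations(u, k - 1)):
                candidates.add(u)
        current = {}
        for c in candidates:
            s = support(c)
            if s >= min_support:
                current[c] = s
        frequent.update(current)
    return frequent


def association_rules(frequent, min_confidence):
    """Rules as (antecedent, consequent, support, confidence) for every split of
    each frequent set; confidence = support(set) / support(antecedent)."""
    rules = []
    for itemset, sup in frequent.items():
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                confidence = sup / frequent[ante]
                if confidence >= min_confidence:
                    rules.append((ante, itemset - ante, sup, confidence))
    return rules


def mine_apt_rules(windows=WINDOWS, min_support=0.25, min_confidence=1.0):
    """Low support (a chain seen only a couple of times) with high confidence
    (the same chain every time it occurs), the setting used for APT-style chains."""
    frequent = apriori(windows, min_support)
    return frequent, association_rules(frequent, min_confidence)
```

With these windows the only three-event chain, ARP spoofing together with a variable deviation and an abnormal process state, appears in just two of eight windows but yields rules with confidence 1.0, which is exactly the kind of rare, consistent pattern the operator is asked to acknowledge or discard.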

13 Tools Integration and Evaluation

Several tests have been carried out in the testbed environment Hybrid Environment for Development and Validation (HEDVa), located at the IEC laboratory. It is composed of a combination of virtual machines (VMs) and real field devices. As the basis for the validation of the Preemptive platform, we exploited a SCADA/HMI Server, a database (Historian), an Engineering workstation, an attacker machine, a virtual switch and a physical switch, a firewall and 11 RTUs/PLCs (see Figure 10), all connected by a number of Virtual Local Area Networks (VLANs).

The HEDVa allows the emulation of high, medium and low voltage distribution and transmission grids, implemented on the RTUs using real historical data. For the Preemptive framework validation we chose the medium voltage distribution grid as testbed environment, where the voltage and current values are not actually obtained from real power sources, but are provided by a master hidden PLC that sends precomputed values, related to real consumption data captured in a 24h scenario.

As depicted in Figure 10, the Preemptive tools have been implemented in HEDVa as follows:

• IT-HIDS is installed in the SCADA Server as an activity monitoring agent;

• PR-IDS is deployed as a VM and analyses both process data flowing on one of the VLANs and data stored in the Historian by the SCADA Server;

• P-NIDS is on a dedicated VM, analysing traffic to and from the SCADA/HMI Server;

• F-NIDS is on a dedicated VM and acquires data flowing among the control network and the field devices;

• HIS is installed on Servers and the Engineering workstation;

• ED-HIDS is installed on a field device, emulated by a Raspberry-PI;

• ASAS is a VM gathering data from all the VLANs;

• CAEA and the Preemptive HMI are installed on a VM, collecting data from the VLAN and displaying the alarms triggered by the various tools to the operator;

• the attacker machine is connected to different VLANs, so as to be able to launch attacks to the various devices of the testbed.

A wide number of cyber-attacks has been performed, among which MitM for data manipulation, buffer overflow, malicious requests to field devices, malware on USB drives and on host devices, and fuzzing attacks. Table 1 shows the detection results for each type of attack, demonstrating that these are all detected by at least one Preemptive tool. More specifically, the HIS, IT-HIDS and F-NIDS tools are able to alert when an attack is entering a system before perpetrating damage to the physical system. The P-NIDS, PR-IDS and ED-HIDS can alert once the attacker has already managed to enter the system and is aiming at compromising the physical process. Finally, the CAEA enriches the alerts with semantic information and provides to the operator additional details, useful to arrest or mitigate the attack. The result is visualised by the Preemptive HMI, as in the example shown in Figure 11.

14 Discussion

Like the vast majority of security countermeasures, the tools presented in this paper show strengths as well as limitations. This section discusses both.

The Preemptive platform mostly targets detection of attacks, although prevention is addressed for USB thumb drives. Most of the effort was put into detecting unknown (zero-day) attacks which might be part of an APT. Hence, the platform is supposed to be used in a context where baseline risk mitigation is performed by adopting other conventional countermeasures.

Figure 10 The HEDVa testbed and its use for the Preemptive project.

Attack                     P-NIDS  PR-IDS  F-NIDS  IT-HIDS  ED-HIDS  HIS  CAEA
MitM & data manipulation   X∗ X X∗ X∗
Buffer overflow            X X X X
Malware on USB             X
Fuzzing                    X
Malicious request          X
Malware on Host            X

Table 1 Summary of the attacks and detection results. (∗ The effectiveness depends on the kind of data manipulation.)

Each tool provides a unique trade-off between effectiveness in pursuing its specific objectives and certain assumptions on the application context, but all tools strive to be compatible with the peculiar needs of an industrial context. Several tools (IT-HIDS, P-NIDS, F-NIDS, and PR-IDS) embrace the anomaly detection approach, in which deviation from a baseline behaviour is recognised as malicious. Regardless of the specific technique adopted, this approach has the following weak points.

1. The assessment of the baseline (training or learning) must be performed on a data set which undoubtedly represents correct behaviour.

2. When the system legitimately evolves, changing its behaviour, false positives are raised.

3. Human intervention for re-training is needed when the system evolves.

4. The set of behaviours detected as malicious is mostly implicitly described, essentially impossible to tune manually, and the generalisation with respect to the provided baseline depends on the chosen underlying technique.

Considering the extreme stability over time of ICSs, Items 2 and 3 have a small impact. Item 1 requires an appropriate procedure to collect data sets for future use. Regarding Item 4, a possible approach to mitigate it is to associate a rule-based engine that allows for manually configured exceptions.
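As an added illustration of the four weak points and the rule-based mitigation described above (example code written for this page, not part of the Preemptive tools), the following Python models a baseline-driven detector with an explicit exception layer; all hosts, ports, function names and traffic records are constructed.

```python
"""Baseline anomaly detection with a rule-based exception layer.

Added example, not Preemptive project code. It models the four weak points
listed above: the baseline must be learnt from clean data (Item 1); a
legitimate change raises false positives (Item 2); instead of re-training
(Item 3) or tuning an implicit model (Item 4), an operator records an explicit,
human-readable exception rule. All hosts, ports and records are constructed.
"""
from collections import Counter

# Constructed "clean" capture: (src, dst, port, function) tuples of a
# Modbus-like control network, plus one stray record that slipped into the
# training capture. Nothing here comes from a real ICS.
CLEAN_TRAFFIC = [
    ("10.0.1.10", "10.0.2.21", 502, "READ_HOLDING"),
    ("10.0.1.10", "10.0.2.22", 502, "READ_HOLDING"),
    ("10.0.1.10", "10.0.2.21", 502, "WRITE_SINGLE"),
    ("10.0.1.11", "10.0.2.21", 502, "READ_HOLDING"),
] * 50 + [("10.0.9.99", "10.0.2.21", 502, "WRITE_SINGLE")]

# Constructed later capture: a new, legitimate HMI (10.0.1.12) has been
# commissioned, and an unknown host attempts a write to a PLC.
NEW_TRAFFIC = [
    ("10.0.1.12", "10.0.2.21", 502, "READ_HOLDING"),
    ("10.0.1.12", "10.0.2.22", 502, "READ_HOLDING"),
    ("10.0.9.99", "10.0.2.21", 502, "WRITE_SINGLE"),
]


def learn_baseline(records, min_count=3):
    """Item 1: the baseline is only as trustworthy as its training data.
    Tuples seen fewer than min_count times are dropped so that a single
    stray (possibly malicious) record does not become 'normal'."""
    counts = Counter(records)
    return {t for t, n in counts.items() if n >= min_count}


def rule_matches(rule, record):
    """An exception rule has the same fields as a record; None is a wildcard."""
    return all(r is None or r == f for r, f in zip(rule, record))


def detect(records, baseline, exceptions=()):
    """Classify each record: 'baseline', 'exception' (explicitly allowed by an
    operator rule) or 'ANOMALY'. Returns a list of (record, verdict) pairs."""
    verdicts = []
    for rec in records:
        if rec in baseline:
            verdicts.append((rec, "baseline"))
        elif any(rule_matches(x, rec) for x in exceptions):
            verdicts.append((rec, "exception"))
        else:
            verdicts.append((rec, "ANOMALY"))
    return verdicts


def count_anomalies(verdicts):
    """Number of records the detector would raise an alert for."""
    return sum(1 for _, v in verdicts if v == "ANOMALY")


if __name__ == "__main__":
    base = learn_baseline(CLEAN_TRAFFIC)
    # Item 2: the new HMI is legitimate but unknown to the baseline, so all
    # three new records are flagged, two of them false positives.
    print("anomalies, no exceptions:", count_anomalies(detect(NEW_TRAFFIC, base)))
    # Item 4 mitigation: an explicit rule documents the accepted change,
    # leaving only the unknown host's write flagged.
    hmi_rule = ("10.0.1.12", None, 502, "READ_HOLDING")
    print("anomalies, with rule:", count_anomalies(detect(NEW_TRAFFIC, base, [hmi_rule])))
```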

The tools that are supposed to detect or prevent intrusions on hosts (IT-HIDS and HIS) have the problem of requiring the installation of new software, which might be problematic in practice. ED-HIDS even requires changing the PLC kernel, which makes that contribution essentially a proof-of-concept that can inspire some vendor to include that feature in its products. The ASAS assessment tool has the obvious limitation that it cannot be employed to detect vulnerabilities which are not known to the community behind the libraries on which it is based. Concerning the correlation engine (CAEA), the current implementation of the runtime data analysis is rule-based, which implies that configuration should be carried out by an expert. Some help is provided by the historic data analysis, which suggests rules to be adopted in the runtime part. However, at the moment, its accuracy is bound to proper parameter tuning of the underlying Apriori algorithm.

Figure 11 Example of detected attacks as shown in the Preemptive HMI.
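To show the parameter dependence noted for the historic data analysis, here is an added Python sketch (not the CAEA implementation) of Apriori over constructed alert windows: the same history yields a different set of suggested correlation rules as the minimum support threshold moves. Tool and alert labels are constructed.

```python
"""Suggesting correlation rules from historic alerts with Apriori.

Added example, not the CAEA implementation. Historic alerts are bucketed into
time windows; each window is a 'transaction' holding the alert types raised
by the tools in that interval. Apriori finds alert combinations whose support
reaches min_support, and rules are derived from them. The same history yields
very different rule sets as min_support moves, which is the parameter
dependence discussed above. All alert windows and labels are constructed.
"""
from itertools import combinations

# Constructed one-minute windows of (tool:alert) labels. Not real data.
HISTORIC_WINDOWS = [
    {"F-NIDS:new_flow", "IT-HIDS:unusual_syscalls"},
    {"F-NIDS:new_flow", "IT-HIDS:unusual_syscalls", "PR-IDS:setpoint_drift"},
    {"F-NIDS:new_flow", "IT-HIDS:unusual_syscalls"},
    {"F-NIDS:new_flow", "IT-HIDS:unusual_syscalls", "P-NIDS:bad_function_code"},
    {"HIS:usb_blocked"},
    {"HIS:usb_blocked", "IT-HIDS:unusual_syscalls"},
    {"PR-IDS:setpoint_drift"},
    {"F-NIDS:new_flow"},
]


def support(itemset, windows):
    """Fraction of windows containing every alert of the itemset."""
    return sum(1 for w in windows if itemset <= w) / len(windows)


def apriori(windows, min_support):
    """Return {frozenset: support} for every itemset with support >= min_support.
    Candidates of size k+1 are built from frequent sets of size k and pruned
    by downward closure: all k-subsets of a candidate must be frequent."""
    level = {frozenset([a]) for w in windows for a in w}
    frequent, k = {}, 1
    while level:
        survivors = {}
        for cand in level:
            s = support(cand, windows)
            if s >= min_support:
                survivors[cand] = s
        frequent.update(survivors)
        level = set()
        for a, b in combinations(survivors, 2):
            cand = a | b
            if len(cand) == k + 1 and all(
                frozenset(sub) in survivors for sub in combinations(cand, k)
            ):
                level.add(cand)
        k += 1
    return frequent


def suggest_rules(frequent, min_confidence):
    """Derive (antecedent, consequent, confidence) from itemsets of size >= 2.
    Confidence = support(itemset) / support(antecedent)."""
    rules = []
    for itemset, s in frequent.items():
        for r in range(1, len(itemset)):
            for ante in map(frozenset, combinations(itemset, r)):
                conf = s / frequent[ante]
                if conf >= min_confidence:
                    rules.append((ante, itemset - ante, round(conf, 2)))
    return rules


if __name__ == "__main__":
    # 0.5 and 0.25 suggest only the F-NIDS/IT-HIDS pair (2 rules);
    # 0.1 also admits combinations seen in a single window (9 rules).
    for min_sup in (0.5, 0.25, 0.1):
        rules = suggest_rules(apriori(HISTORIC_WINDOWS, min_sup), 0.7)
        print(f"min_support={min_sup}: {len(rules)} suggested rules")
```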

Table 2 summarises the tools with their timescale of action. The tools whose action is immediate have no memory and perform their analysis, possibly detecting anomalies, on each sample of data that is provided to them. In those cases, since the time spent in performing the analysis is negligible, the timescale is essentially fixed by the technology context in which they act (e.g., network packet transmissions and system calls). Others (like F-NIDS and IT-HIDS) need to know some history before the analysis and introduce a delay.

15 Conclusions

Industrial Control Systems are sensitive targets for high-profile attacks, which are able to circumvent traditional protection methods like antivirus software. Cyber-attacks against ICSs represent a serious risk for society and can be considered a new weapon for opposing countries and terrorists. In this paper, we presented an overview of the results attained in the framework of the Preemptive European project, which provides innovative methods and tools to detect and protect ICSs from cyber-intrusion. We illustrated the Preemptive architecture and the tools' functionalities, which perform detection at host, network, and process levels. The Context Aware Event Analysis tool correlates events raised by the different tools and sends them to the Human-Machine Interface that makes operators aware of the security status of the system. Thereby, the peculiarity of Preemptive is the capability of the proposed solution to correlate several events, which individually would appear to be irrelevant, allowing the detection of skilled attacks that otherwise may remain hidden.

The tools have been tested using real data provided by the End Users Advisory Board that supported the project over time. Our experimental results have shown the feasibility of an integrated approach to cyber-attack detection and prevention that can greatly improve cyber-security awareness in the current ICS context.

Concerning future research directions, we think that the needs in terms of cyber-security awareness will be shaped by the adoption of ICS models tailored to support Industry 4.0. In particular, technologies like cloud computing, Internet of Things, and artificial intelligence, along with the trend to distribute decisions and control, will provide formidable opportunities for malicious agents that are likely to require specific detection and prevention strategies.


Tool      Level               Action                    Approach             Timescale of action
IT-HIDS   host                detection                 anomaly detection    In the order of one millisecond.
ED-HIDS   embedded devices    detection                 heuristic            Immediate, at the timescale of interrupt handling.
HIS       host                prevention                cryptographic        Immediate, at the timescale of system calls.
P-NIDS    network             detection                 anomaly detection    Immediate, at the timescale of network protocol communication.
F-NIDS    network             detection                 anomaly detection    In the order of a few minutes.
PR-IDS    process             detection                 anomaly detection    Immediate, at the timescale of process measures.
ASAS      network and host    vulnerability assessment  passive and active   n/a
CAEA      correlation         detection                 rule-based           Depends on rules.

Table 2 Summary of the tools with some of their features.

Acknowledgements

This work has been supported by the European Commission through project FP7-SEC-607093-PREEMPTIVE funded by the 7th Framework Program.

The authors would like to thank E. Zambon (University of Twente, The Netherlands) for his valuable contribution on Section 5 “ED-HIDS: Host IDS for Embedded Devices used in ICS”, and A. Ursini, G. Sinibaldi and L. Morabito (Vitrociset S.p.A., Italy) for their hard work in the Preemptive project.
