The SCISSOR approach to establishing situational awareness in Industrial Control Systems Stefano Salsano – University of Rome “Tor Vergata”/CNIT Christof Brandauer – Salzburg Research Symposium on Innovative Smart Grid Cybersecurity Solutions Vienna, 13th and 14th March, 2017


Page 1

The SCISSOR approach to establishing situational awareness in Industrial Control Systems
Stefano Salsano – University of Rome “Tor Vergata”/CNIT
Christof Brandauer – Salzburg Research

Symposium on Innovative Smart Grid Cybersecurity Solutions, Vienna, 13th and 14th March, 2017

Page 2

The SCISSOR Project

Security In trusted SCADA and smart-grids

Assystem Engineering and operation services (FR)

AGH University of Science and Technology of Krakow (PL)

UPMC university Pierre and Marie Curie (FR)

SixSq Sàrl (CH)

Consorzio Nazionale Interuniversitario per le Telecomunicazioni (IT)

RADIO6ENSE (IT)

Salzburg Research Forschungsgesellschaft mbH (AT)

Katholieke Universiteit Leuven (BE)

SEA Società Elettrica di Favignana S.p.a. (IT)

Page 3

SCISSOR in a nutshell

A highly scalable ICS/SCADA security monitoring framework

• Integration of a wide range of heterogeneous sensors

• A dynamically adaptable, distributed data aggregation framework

• Advanced detection and correlation models as extensions to a conventional SIEM

• Exploitation of modern cloud-computing concepts

Page 4

Architecture

Page 5

The Favignana Test-bed

Page 6

Installation in Favignana: Inside the Cabin

Page 7

Installation in Favignana: Inside the Cabin

Page 8

SCISSOR testbed (architecture diagram; only the component labels survive extraction, the connections between them do not): Smart Camera; 4G Router; Public IP; VPN Gateway; RFID Antennas; VPN Client; RFID Reader; Network TAP; SEA HiperLAN; Cabin Switch; SCADA device; RFID Sensors; SEA SCADA Supervisory; Enhanced SIEM; Threat detection modules; Cloud in a box VPN Client; Decision & Analysis Layer; Assystem SCADA Supervisory; Assystem SCADA PLCs; Datacenter Cloud.

Page 9

SCISSOR testbed (data-flow diagram; labels only): kafka; flume; SIEM; HMI; Bayesian networks; Robust statistic; zookeeper; logstash; Paris SCADA Lab Environment; Favignana Smart Grid; Cameras; Environment sensors; Network monitoring; SCADA; Developers’ console.

Page 10

Situational awareness

Situational awareness is established in a scalable manner in near real-time by correlating events coming from very heterogeneous sensors.

Page 11

Authorized access

1. Door open: somebody is inside

2. Badge detection: the system recognizes the technician

3. The technician turns on the light

4. The technician opens a cabinet

5. The technician gets close to the exit door and turns off the light; the system records the exit

Page 12

Un-authorized access and tampering

1. Door open: somebody is inside

2. No badge detection: the person is not authorized and may be classified as an intruder

3. The intruder turns on the light for a short time: maybe uses a torch

4. The intruder opens a cabinet

5. The temperature inside the cabinet increases: possible manumission (tampering)

6. The intruder opens the door and exits.
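The two scenarios on slides 11 and 12, and the correlation step slide 13 describes, as a worked example. This is an added illustration, not SCISSOR project code: a small correlation routine replays a constructed stream of door, badge, light, cabinet and cabinet-temperature events from one cabin visit and derives the situation. The sensor names, the thresholds for a "short" light period and a suspicious temperature rise, and the two sample streams are all assumptions.

```python
from dataclasses import dataclass

SHORT_LIGHT_S = 10.0  # light on for less than this: torch suspected (assumed threshold)
TEMP_RISE_C = 5.0     # cabinet warming by this much after opening: tampering (assumed)

@dataclass
class Event:
    t: float       # seconds since the recording started (constructed timestamps)
    sensor: str    # "door", "badge", "light", "cabinet" or "cabinet_temp"
    value: object

def correlate_visit(events):
    """Replay the sensor events of one cabin visit and derive the situation."""
    state = {"entry": False, "authorized": False, "cabinet_opened": False,
             "exit": False, "alerts": []}
    light_on_at = None
    temp_baseline = None
    for e in sorted(events, key=lambda ev: ev.t):
        if e.sensor == "door" and e.value == "open":
            if state["entry"]:
                state["exit"] = True        # second door event: the visitor leaves
            state["entry"] = True
        elif e.sensor == "badge":
            state["authorized"] = True      # badge recognised: a technician
        elif e.sensor == "light" and e.value == "on":
            light_on_at = e.t
        elif e.sensor == "light" and e.value == "off" and light_on_at is not None:
            if e.t - light_on_at < SHORT_LIGHT_S:
                state["alerts"].append("light on only briefly: torch suspected")
            light_on_at = None
        elif e.sensor == "cabinet" and e.value == "open":
            state["cabinet_opened"] = True
        elif e.sensor == "cabinet_temp" and state["cabinet_opened"]:
            if temp_baseline is None:
                temp_baseline = e.value     # first reading after the cabinet was opened
            elif e.value - temp_baseline >= TEMP_RISE_C:
                state["alerts"].append("cabinet temperature rising: tampering suspected")
    if state["entry"] and not state["authorized"]:
        state["alerts"].insert(0, "door opened without badge: intruder")
    return state

# Constructed event streams mirroring slides 11 and 12 (not recorded Favignana data)
AUTHORIZED_VISIT = [Event(0, "door", "open"), Event(3, "badge", "TECH-0042"),
                    Event(10, "light", "on"), Event(60, "cabinet", "open"),
                    Event(65, "cabinet_temp", 31.0), Event(400, "cabinet_temp", 31.5),
                    Event(590, "light", "off"), Event(600, "door", "open")]
INTRUDER_VISIT = [Event(0, "door", "open"), Event(10, "light", "on"), Event(14, "light", "off"),
                  Event(60, "cabinet", "open"), Event(65, "cabinet_temp", 31.0),
                  Event(300, "cabinet_temp", 38.0), Event(330, "door", "open")]
```

`correlate_visit(AUTHORIZED_VISIT)` returns no alerts, while the intruder stream yields the intruder, torch and tampering alerts in that order.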

Page 13

Situational awareness

Events can be correlated in the SIEM correlation engine (Decision and analysis layer)

Events can be “pre-processed” and aggregated to achieve scalability (local correlation in the Control and coordination layer)

Page 14

Thank you. Questions?

Contacts
Stefano Salsano, University of Rome Tor Vergata / CNIT, [email protected]
Christof Brandauer, Salzburg Research, Austria, [email protected]

This presentation on slideshare: https://www.slideshare.net/stefanosalsano/the-scissor-approach-to-establishing-situational-awareness-in-industrial-control-systems

Page 15

The SCISSOR project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 644425 (Research and Innovation Action).

The information given is the author’s view and does not necessarily represent the view of the European Commission (EC). No liability is accepted for any use that may be made of the information contained.

Page 16

Additional information

Page 17

PRESENTATION OF THE SCISSOR PARTNERS
SCISSOR partners details (1/3)

Partner name & country | Partner type | Key roles and technical skills in the project

Assystem AEOS, France | Large company | Project coordination; Data protection; Id based cryptography; Identity management & AC; SCADA systems; Human-Machine Interface; Test platform

AGH University of Science and Technology of Krakow, Poland | Academy | Video surveillance & pattern recognition; Security and cryptography; Agent-based SCADA & system monitoring

UPMC University Pierre and Marie Curie, France | Academy | SIEM design; Decision and probability theory (Dynamic Bayesian Networks); Graphical models; Scalable big data analytics

Page 18

PRESENTATION OF THE SCISSOR PARTNERS
SCISSOR partners details (2/3)

Partner name & country | Partner type | Key roles and technical skills in the project

SixSq Sàrl, Switzerland | SME | Software integration and testing expertise; Cloud expertise and technologies; Automated cloud deployment; Systems architecture and design

Consorzio Nazionale Interuniversitario per le Telecomunicazioni (CNIT), Italy | Research center | Technical project coordination; Overall system architecture; Traffic monitoring and stream analytics; Platform-independent API for monitoring; Attribute-based encryption; Smart grid engineering; HMI usability design and assessment

Radio6ense, Italy | SME | Pervasive sensor tags; Sensor data gathering and filtering; Mobile data acquisition devices

Page 19

PRESENTATION OF THE SCISSOR PARTNERS
SCISSOR partners details (3/3)

Partner name & country | Partner type | Key roles and technical skills in the project

Salzburg Research Forschungsgesellschaft mbH, Austria | Research center | Control framework; Monitoring agents design; Semantic modelling of events; Security policies

Katholieke Universiteit Leuven, Belgium | Academy | Detection of abnormal values in multivariate, high-dimensional data sets; Robust dimensionality reduction

Società Elettrica Favignana, Italy | Power plant and smart grid provider | Requirements; Integration with the existing SCADA; Roll out of the real world trial

Page 20

MONITORING LAYER
Wireless passive Sensor Network (PSN) for Environment Monitoring

Diagram labels: Water/Humidity + RSSI; temperature; light; NUVLA Box; RFID reader; LAN Cable; Electrical Equipment; stack; Antenna 1; Antenna 2; camera.

Events
• Authorized and un-authorized access
• Equipment overload
• Flooding and Fire
• Human Interaction with devices
• Device Tampering

Page 21

MONITORING LAYER: ENVIRONMENT SENSORS
radioBOARD: Layout

The board may be configured for different applications and placements by connecting or disconnecting electrical traces.

Board layout labels (dimensions shown: 67 mm, 28 mm): Electromagnetic Coupler with tuning elements; Expander: external sensors + optional Battery/solar cell; Energy Harvester with tuning elements.

Page 22

TEST BED: ENVIRONMENT SENSORS
Events & Sensors

Diagram labels: Access; Flooding; Humidity and light; Temperature (Harness overload); Manumission (tampering).

Page 23

TEST BED: ENVIRONMENT SENSORS
Device Placements: reader and antennas (photo labels: reader; antenna)

Page 24

TEST BED: ENVIRONMENT SENSORS
Device Placements: access and light (photo labels: Light sensor; Door-open sensor)

Page 25

TEST BED: ENVIRONMENT SENSORS
Device Placement: temperature (photo labels: Transformer overload (PT-1000); Cabinet temperature)

Page 26

TEST BED: ENVIRONMENT SENSORS
Device Placement: manual tampering

Page 27

DEMO - INTEGRATION: SCADA logs

Demo steps

• Logs were collected from a simulated electrical network SCADA system
• these logs are sent by beats to the Edge Agent
• classical log parser
• transformation and publishing to SMI

@datasource:[/opt/zmq-bash-push]: ./play_scada.sh &

Page 28

DEMO - INTEGRATION: Environmental sensors

Demo steps

• sensor data was measured by the Radio6ense prototype installed in Favignana
• sent to the Edge Agent via ZeroMQ
• parsing of native sensor output
• transformation and publishing to SMI
• dynamic reconfiguration of the Edge Agent filtering: drop / forward RSSI data

@datasource:[/opt/zmq-bash-push]: ./play_envfile.sh &

Page 29

DEMO - INTEGRATION: Network monitoring

Demo steps

• live integration of a distributed streamon instance
• streamon probe is configured to detect Modbus device scans
• replay of such a previously recorded device scan
• detection by streamon probe, emission of alerts towards the Edge Agent via ZeroMQ
• parsing of the native streamon output
• transformation and publishing to SMI

@streamon:[/home/vagrant/Streamon]: ./start.sh config/modbus_device_scan.xml
@streamon:[/home/vagrant/Streamon]: tcpreplay -i eth1 config/traces/device_scan.pcap

1456245861397357097 00000001 E1 LOW "Modbus Device Scanning Suspected" ip_src=127.0.0.30 ip_dst=127.0.0.5 rate=2.147463 dst_port=502
1456245866421830452 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.15 rate=3.121049 dst_port=502
1456245866421874608 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.12 rate=3.526514 dst_port=502
1456245866432175844 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.17 rate=3.931980 dst_port=502
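To make the Edge Agent steps of this demo concrete, here is an added example (not streamon, Edge Agent or SCISSOR project code) that parses alert lines in the shape shown above, applies a severity filter of the kind the Edge Agent is reconfigured with on the previous slide (drop / forward), and transforms each kept alert into a normalised event for the SIEM. The column meanings (nanosecond timestamp, probe id, event id, severity, message, key=value fields) and the output schema standing in for the SMI are assumptions; the sample lines are constructed from the values shown on the slide.

```python
import re

# Constructed sample in the shape of the streamon alert lines shown on this slide
SAMPLE_ALERTS = """\
1456245861397357097 00000001 E1 LOW "Modbus Device Scanning Suspected" ip_src=127.0.0.30 ip_dst=127.0.0.5 rate=2.147463 dst_port=502
1456245866421830452 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.15 rate=3.121049 dst_port=502
1456245866421874608 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.12 rate=3.526514 dst_port=502
"""

# Column meanings are assumed: ns timestamp, probe id, event id, severity, message, key=value fields
LINE_RE = re.compile(r'^(\d+)\s+(\S+)\s+(E\d+)\s+(\w+)\s+"([^"]*)"\s*(.*)$')
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def parse_alert(line):
    """Parse one native streamon alert line into a dict; raises ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised streamon alert line: {line!r}")
    ts_ns, probe, event_id, severity, message, rest = m.groups()
    kv = dict(item.split("=", 1) for item in rest.split() if "=" in item)
    return {
        "time": int(ts_ns) / 1e9,               # epoch seconds
        "probe": probe, "event_id": event_id, "severity": severity, "message": message,
        "src_ip": kv.get("ip_src"), "dst_ip": kv.get("ip_dst"),
        "dst_port": int(kv["dst_port"]) if "dst_port" in kv else None,
        "rate": float(kv["rate"]) if "rate" in kv else None,
    }

def to_smi(alert):
    """Transform a parsed alert into the normalised event published to the SMI (assumed schema)."""
    return {"source": "streamon", "category": "network.modbus.device_scan",
            "severity": alert["severity"], "time": alert["time"],
            "src": alert["src_ip"], "dst": f'{alert["dst_ip"]}:{alert["dst_port"]}',
            "detail": alert["message"], "rate": alert["rate"]}

def edge_agent(text, min_severity="LOW"):
    """Edge Agent pipeline: parse, apply the reconfigurable severity filter, publish."""
    published = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if SEVERITY_RANK[alert["severity"]] < SEVERITY_RANK[min_severity]:
            continue                            # dropped by the current filter setting
        published.append(to_smi(alert))
    return published
```

With the default filter all three sample alerts are forwarded; reconfiguring the agent with `min_severity="HIGH"` drops the E1 "Suspected" alert and forwards only the two "Detected" ones.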

Page 30

DEMO - INTEGRATION: Smart camera

Demo steps

• Events were produced by a Smart Camera
• analysis of a video presented in the morning session
• these events are sent to the Edge Agent via ZeroMQ
• original timing is preserved
• parsing of the native sensor output
• transformation and publishing to SMI

@datasource:[/opt/zmq-bash-push]: ./play_camfile.sh &

Page 31

SIEM Design & Development
SCISSOR's SIEM: Prelude SIEM

Page 32

ASSYSTEM ADVANCED SCADA PLATFORM
SCADA platform in the Assystem testbed: a use case for SCISSOR validation

• A virtualized process
• Complex scenarios handling
• Direct occurrences of process events
• Systemic approach
• A generic SCADA-based system
• PLC-based control
• Use of industrial protocols
• Typical SCADA HMI
• Logs generation: process monitoring, supervision/PLC software, operating systems
• Historian
• Reporting

Page 33

CLOUD PLATFORM AND INTEGRATION
Distributed Cloud Platform

Seamless integration of a traditional Datacenter Cloud platform and a “Cloud-in-a-box” platform