the scissor approach to establishing situational awareness in … · 2017. 4. 6. · the scissor...
TRANSCRIPT
The SCISSOR approach to establishing situational awareness in Industrial Control Systems Stefano Salsano – University of Rome “Tor Vergata”/CNIT Christof Brandauer – Salzburg Research
Symposium on Innovative Smart Grid Cybersecurity Solutions Vienna, 13th and 14th March, 2017
The SCISSOR Project
Security In trusted SCADA and smart-grids
Assystem Engineering and operation services (FR)
AGH University of Science and Technology of Krakow (PL)
UPMC university Pierre and Marie Curie (FR)
SixSq Sàrl (CH)
Consorzio Nazionale Interuniversitario per le Telecomunicazioni (IT)
RADIO6ENSE (IT)
Salzburg Research Forschungsgesellschaft mbH (AT)
Katholieke Universiteit Leuven (BE)
SEA Società Elettrica di Favignana S.p.a. (IT)
3
SCISSOR in a nutshell
A highly scalable ICS/SCADA security monitoring framework
• Integration of a wide range of heterogeneous sensors
• A dynamically adaptable, distributed data aggregation framework
• Advanced detection and correlation models as extensions to a conventional SIEM
• Exploitation of modern cloud-computing concepts
4
Architecture
5 5
The Favignana Test-bed
6
Installation in Favignana Inside the Cabin
7
Installation in Favignana Inside the Cabin
8 8
Smart Camera
4G Router
Public IP
VPN Gateway
RFID Antennas VPN
Client
RFID Reader
Network TAP
SEA HiperLAN
Cabin Switch
SCADA device
SCISSOR testbed
RFID Sensors
SEA SCADA Supervisory
Enhanced SIEM
Threat detection modules
Cloud in a box VPN Client
Decision & Analysis Layer
Assystem SCADA
Supervisory
Assystem SCADA PLCs
Datacenter Cloud
9 9
SCISSOR testbed
kafka
flume
SIEM
HMI
Bayesian networks
Robust statistic zookeeper
logstash
Paris SCADA Lab Environment
Favignana Smart Grid
Cameras Environment
sensors Network monitoring
SCADA Developers’ console
10
Situational awareness is established in a scalable manner in near real-time by correlating events coming from very heterogeneous sensors
Situational awareness
11 11
Authorized access
1. Door open: somebody inside
2. Badge detection: the system recognizes
the technician
3. The technician turns on the light
4. The technician opens a cabinet
5. The technician get close the exit door and turns-off the light; the system records the exit
12 12
Un-authorized access and tampering
1. Open door: somebody inside
2. No badge detection: the person is not authorized
and may be classified as intruder
3. The intruder turns on the light for a short time: maybe uses a torch
4. The intruder opens a cabinet
5. The temperature inside the cabinet increases: possible manumission
6. The intruder opens the door and exits.
13
Events can be correlated in the SIEM correlation engine (Decision and analysis layer)
Situational awareness
Events can be “pre-processed” and aggregated to achieve scalability (local correlation in the Control and coordination layer)
14
Thank you. Questions? Contacts Stefano Salsano University of Rome Tor Vergata / CNIT [email protected] Christof Brandauer Salzburg Research, Austria [email protected] This presentation on slideshare https://www.slideshare.net/stefanosalsano/the-scissor-approach-to-establishing-situational-awareness-in-industrial-control-systems
15
The SCISSOR project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 644425 (Research
and Innovation Action).
The information given is the author’s view and does not necessarily represent the view of the European Commission (EC). No liability is accepted for any use that may be
made of the information contained.
Additional information
17
SCISSOR partners details (1/3) PRESENTATION OF THE SCISSOR PARTNERS
Partner name & country
Partner Type
Key roles and technical skills in the project
Assystem AEOS, France Large company - Project coordination - Data protection - Id based cryptography - Identity management & AC - SCADA systems - Human-Machine Interface - Test platform.
AGH University of Science and Technology of Krakow, Poland
Academy - Video surveillance & pattern recognition - Security and cryptography - Agent-based SCADA & system monitoring
UPMC University Pierre and Marie Curie, France
Academy
- SIEM design - Decision and probability theory(Dynamic Bayesian Networks) - Graphical models - Scalable big data analytics
18
Partner name & country
Partner Type
Key roles and technical skills in the project
SixSq Sàrl, Swiss
SME - Software integration and testing expertise - Cloud expertise and technologies - Automated cloud deployment - Systems architecture and design
Consorzio Nazionale Interuniversitario per le Telecomunicazioni (CNIT), Italy
Research center - Technical Project coordination - Overall system architecture - Traffic Monitoring and stream analytics - Platform-independent API for monitoring - Attribute-based encryption - Smart grid engineering - HMI usability design and assessment
Radio6ense, Italy
SME - Pervasive sensor tags - Sensor data gathering and filtering - Mobile data acquisition devices
PRESENTATION OF THE SCISSOR PARTNERS
SCISSOR partners details (2/3)
19
PRESENTATION OF THE SCISSOR PARTNERS
Partner name & country
Partner Type
Key roles and technical skills in the project
Salzburg Research Forschungsgesellschaft mbH, Austria
Research center - Control framework - Monitoring agents design - Semantic modelling of events - Security policies
Katholieke Universiteit Leuven, Belgium
Academy - Detection of abnormal values in multivariate, high-dimensional, data sets - Robust dimensionality reduction
Società Elettrica Favignana, Italy
Power plant and smart grid provider
- Requirements - Integration with the existing SCADA - Roll out of the real world trial
SCISSOR partners details (3/3)
20
Wireless passive Sensor Network (PSN) for Environment Monitoring MONITORING LAYER
Water/Humidity + RSSI
temperature
light
NUVLA Box
RFID reader
LAN Cable
Electrical Equipment
stac
k Antenna 1 Antenna 2
Events • Authorized and un-
authorized access
• Equipment overload
• Flooding and Fire
• Human Interaction with devices
• Device Tampering
camera
21
radioBOARD: Layout MONITORING LAYER: ENVIRONMENT SENSORS
The board may be configured for different applications and placements by connecting or disconnecting electrical traces
67m
m
28mm
Electromagnetic Coupler with tuning elements
Expander: external sensors + optional Battery/solar cell
Energy Harvester with tuning elements
22 22
Access
Flooding Humidity and light
Temperature (Harness overload)
Manumission Events & Sensors
TEST BED: ENVIRONMENT SENSORS
23
Device Placements reader and antennas
TEST BED: ENVIRONMENT SENSORS
reader
antenna
24
Device Placements access and light
Light sensor
Door-open sensor
TEST BED: ENVIRONMENT SENSORS
25
Device Placement temperature
Transformer overload (PT-1000)
Cabinet temperature
TEST BED: ENVIRONMENT SENSORS
26
Device Placement manual tampering
TEST BED: ENVIRONMENT SENSORS
27
SCADA logs
Demo steps
DEMO - INTEGRATION
• Logs were collected from a simulated electrical network SCADA system
• these logs are sent by beats to the Edge Agent • classical log parser • transformation and publishing to SMI
@datasource:[/opt/zmq-bash-push]: ./play_scada.sh &
28
Environmental sensors
Demo steps
DEMO - INTEGRATION
• sensor data was measured by the Radio6ense prototype installed in Favignana
• sent to the Edge Agent via ZeroMQ • parsing of native sensor output • transformation and publishing to SMI
• dynamic reconfiguration of the Edge Agent filtering • drop / forward RSSI data
@datasource:[/opt/zmq-bash-push]: ./play_envfile.sh &
29
Network monitoring
Demo steps
DEMO - INTEGRATION
• live integration of a distributed streamon instance • streamon probe is configured to detect Modbus device scans • replay of such a previously recorded device scan
• detection by streamon probe, emission of alerts towards to Edge Agent via ZeroMQ
• parsing of the native streamon output • transformation and publishing to SMI
@streamon:[/home/vagrant/Streamon]: ./start.sh config/modbus_device_scan.xml @streamon:[/home/vagrant/Streamon]: tcpreplay -i eth1 config/traces/device_scan.pcap
1456245861397357097 00000001 E1 LOW "Modbus Device Scanning Suspected" ip_src=127.0.0.30 ip_dst=127.0.0.5 rate=2.147463 dst_port=502 1456245866421830452 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.15 rate=3.121049 dst_port=502 1456245866421874608 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.12 rate=3.526514 dst_port=502 1456245866432175844 00000001 E2 HIGH "Modbus Device Scanning Detected" ip_src=127.0.0.30 ip_dst=127.0.0.17 rate=3.931980 dst_port=502
30
Smart camera
Demo steps
DEMO - INTEGRATION
• Events were produced by a Smart Camera • analysis of a video presented in the morning session
• these events are sent to the Edge Agent via ZeroMQ • original timing is preserved
• parsing of the native sensor output • transformation and publishing to SMI
@datasource:[/opt/zmq-bash-push]: ./play_camfile.sh &
31
SCISSOR's SIEM : Prelude SIEM Design & Development
32
SCADA platform in the Assystem testbed
A Use Case for SCISSOR validation
ASSYSTEM ADVANCED SCADA PLATFORM
A virtualized process Complex scenarios handling
Direct occurrences of process events Systemic approach
A generic SCADA based system PLC based control
Use of industrial protocols Typical SCADA HMI
Logs generation: process monitoring, supervision/PLC software, operating systems
Historian Reporting
Report
33
Distributed Cloud Platform CLOUD PLATFORM AND INTEGRATION
Seamless integration of a traditional Datacenter Cloud platform and a “Cloud-in-a-box” platform