Community Research and Development Information Service - CORDIS

H2020

CYPRES Report Summary

Project ID: 684723

Periodic Reporting for period 2 - CYPRES (CYPRES the ICS and SCADA security companion)

Reporting period: 2016-07-01 to 2017-04-30

Summary of the context and overall objectives of the project

Since the Stuxnet worm damaged an Iranian nuclear site in 2009, cyberattacks have constantly increased. New attacks regularly emerge, targeting all industries, from critical infrastructures to industrial processes. The consequences of these attacks could be dramatic and could have a huge impact on these industries as well as on national security. This issue has been a matter of national security since the White Paper on Defense of 2008 and the French LPM 2013 (Military Programming Law).
In reaction, most national security agencies are reinforcing the obligation to protect critical infrastructures. But most solutions are partial, unsatisfying and limited to corporate IT cyber-solutions, such as firewalls and authentication. Designed mostly to protect data streams, these services are unsuited to managing an industrial operation and instead obscure how they work, letting hackers benefit from this grey zone.
There is a growing demand for new solutions better fitted to Industrial Control Systems (ICS): solutions that provide insights into the ICS that operators can understand, manage the ICS data exchanges, and help ensure operational continuity whatever the failures or intrusions may be.
Our CyPRES solution integrates all of these features and is expected to become a major product for most ICS, if not all, to ensure their robustness. CyPRES is a dedicated industrial network solution of the IDS type (Industrial Detection System) that monitors communications to detect abnormalities. Upon detection, it warns both the automation experts (such as the operation team) and the IT department (DSI) to help them take appropriate measures. These abnormal behaviors could be an intrusion, a virus, a configuration or hardware failure, a software bug or a change of operation model.
CyPRES includes many innovative features. One is a unique engineering tool that allows CyPRES to be “plugged” into any existing ICS with adjusted effort, so that CyPRES is able to understand in detail how the ICS is configured and how it behaves functionally. Another is “contextualization”: all data or messages are scrutinized with reference to the system state and the operations it is currently performing. The rules for abnormality detection are much more precise, enhancing detection performance whilst avoiding false detections. AI (Artificial Intelligence) is used to apply heuristic rules on top of the analysis, benefitting from the repeatability of process control for a given context.
The CyPRES project is supported by a consortium of two French SMEs that are experts in industrial automation, software development and cybersecurity. The offer will be a set comprising a product (mostly software), engineering tools and a method for implementing CyPRES on new or existing ICS. The offer packaging is not yet finalized and may be of two kinds: integrated solution or appliance, depending on the sales channel. In both cases, the ambition of CyPRES is to set a new standard in IDS for Industrial Control Systems. That will be achieved through three main features:
- Simplicity of installation
- Quality of detection and ability to face even future (unknown) threats
- Robustness and resistance to attacks.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

The last period has been extremely rich in 3 main directions:
- Technical development
- Market presentation and feedback
- Perspectives both technical and commercial regarding CyPRES and more generally the market of cybersecurity for industrial systems.

The point we have reached in these three fields is exciting, albeit not complete; as in many research projects, the future still looks promising, but complex.
Regarding developments, the many technical obstacles and design choices have now been overcome, except for two issues: the use of heuristic algorithms (AI) and performance. The technical features have been frozen for both specification and design. For behavioral analysis, which is really one of the most interesting innovations in CyPRES, Artificial Intelligence looked attractive, but the domain is vast and selecting the right technology needs more time. The problem has been addressed through mock-ups, workshops and consultations and is still unresolved.
Performance is another area where the difficulties proved more severe than expected. Not only is computing the real-time flow of data streamed onto the networks a known challenge; the choice of a rule engine for anomaly detection also made implementation difficult, as certain rules have to be processed at a very low level. Significant changes to the software's real-time management have to be made, and this activity is still ongoing.
Apart from these two issues, product development is well on its way and three releases have been produced so far, with internal tests and client presentations.
On the market side, a showroom was installed on the FPC Ingénierie premises. Many presentations have been made there, in addition to participation in three major exhibitions. Feedback has now come from more than 100 respondents, a majority of them knowledgeable actors in the field of cybersecurity. To summarize the feedback:
1) Best product in its category, innovative approach, very promising
2) Several technical features should be enhanced, to a small or large extent
3) Engineering the product will be complicated, and that may endanger its attractiveness
4) The market is not yet mature, and large-scale sales are not expected to start very soon.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

A side effect of the CyPRES product was discovered: its ability to show how a control system in a factory works internally. Most users, most operators and even the people programming their PLCs do not know how it works. They only know that it works and how to modify what they want to modify. To be plugged in, CyPRES needs to analyse the PLC programs and the architecture, and the CyPRES HMI presents many things, including most functions performed by the many devices, how they perform dynamically, and how this changes when the context changes.
This information proved very valuable and interesting for most operators and integrators. It opens the way to a new greenfield: supervision of a control system. To start with, a product variation of CyPRES, called CySCAD, was made. Going beyond this opportunity, it is clear that many CyPRES features could be integrated into future control systems to give them a self-supervising function. This could be more than useful when integrating IIoT (Industrial Internet of Things), as foreseen for Industry 4.0.
As the first CyPRES lab applications have shown, CyPRES could effectively secure most systems, including existing control systems, which are extremely vulnerable to cyber-attacks.

Related information

Record Number: 190313 / Last updated on: 2016-11-14