CORDIS - EU research results

CYPRES the ICS and SCADA security companion

Periodic Reporting for period 3 - CYPRES (CYPRES the ICS and SCADA security companion)

Reporting period: 2017-05-01 to 2018-02-28

Since the Stuxnet worm damaged an Iranian nuclear site in 2009, cyberattacks have constantly increased. New attacks regularly emerge, targeting all industries, from critical infrastructures to industrial processes. The consequences of these attacks could be dramatic and could have a huge impact on these industries as well as on national security. This issue has also become a matter of national security since the White Paper on Defence in 2008 and the French LPM of 2013 (Military Programming Law).
In reaction, most National Security Agencies have reinforced the obligation to protect critical infrastructures. But most solutions are partial, unsatisfying and limited to corporate IT cyber-solutions, such as firewalls and authentication. Designed mostly to protect data streams, these services are unsuited to managing an industrial operation and instead obscure how it works, letting hackers benefit from this grey zone.
There is a growing demand for new solutions better fitted to Industrial Control Systems, aimed at providing insights into the ICS that are understandable by operators, managing ICS data exchanges, and helping to ensure operational continuity whatever failures or intrusions occur.
Our CyPRES solution integrates all of these features and is expected to become a major product for most ICS, if not all, to ensure their robustness. CyPRES is a dedicated industrial network solution of IDS type (Industrial Detection System) that monitors communications to detect abnormalities. Upon detection it warns both the automation experts (such as the operations team) and the DSI (IT department) to help them take appropriate measures.
The CyPRES project is supported by a consortium of two French SMEs expert in industrial automation, software development and cybersecurity. The offer will be a set comprising a product (mostly software) and engineering tools and methods to implement CyPRES on new or existing ICS. The packaging of the offer is not yet finalized and may be of two kinds: integrated solution or appliance, depending on the sales channel. In both cases, CyPRES's ambition is to set a new standard in IDS for Industrial Control Systems. That will be achieved through three main features:
- Simplicity of installation
- Quality of detection and ability to face even future (not known) threats
- Robustness and resistance to attacks.
Product Development
CyPRES is released commercially. The product has been thoroughly tested on water treatment control systems using the Modbus protocol. Other tests have been carried out on electricity utilities with the IEC 61850 protocol.
The consortium has developed engineering tools to go with CyPRES. They allow a unique achievement: detecting abnormalities on the process itself, in terms of values, active functions, consistency with physical constraints and repeated patterns.
Other engineering tools have been developed in order to simplify and shorten CyPRES installation. The objective of being able to install CyPRES in 5 man-days, configuration included, is almost reached. This means that CyPRES is not only best-in-class in its features but also very attractive in cost.
As a side effect, CyPRES is capable of providing a view of the control system from its internal network, as a sort of X-ray.
During the tests, several types of attack were performed. For each known attack, there exists a configuration (and rules) that detects it from several aspects.
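To make the process-level detection described above concrete, here is an added illustration (not CyPRES code, which this page does not publish) of how a passive Modbus/TCP monitor can flag register writes that violate configured physical limits or use function codes the process never exercises. The policy values and the sample frames are constructed for the example.

```python
import struct

# Constructed monitoring policy (assumption): function codes the process is expected
# to use, and the physically plausible range of each holding register (address -> (min, max)).
ALLOWED_FUNCTIONS = {3, 6, 16}                    # Read Holding, Write Single, Write Multiple
REGISTER_LIMITS = {100: (0, 500), 101: (0, 80)}   # e.g. a flow setpoint and a valve position

def parse_modbus_tcp(frame: bytes):
    """Split a Modbus/TCP ADU into its MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length field")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def written_registers(function: int, data: bytes):
    """Return {address: value} for write requests (FC 6 and FC 16); empty otherwise."""
    if function == 6:                       # Write Single Register: addr, value
        addr, value = struct.unpack(">HH", data[:4])
        return {addr: value}
    if function == 16:                      # Write Multiple Registers: start, qty, bytecount, values
        start, qty, count = struct.unpack(">HHB", data[:5])
        if count != 2 * qty or len(data) < 5 + count:
            raise ValueError("FC16 byte count does not match quantity")
        vals = struct.unpack(">%dH" % qty, data[5:5 + count])
        return {start + i: v for i, v in enumerate(vals)}
    return {}

def inspect(frame: bytes):
    """Apply the policy to one request frame and return a list of alert strings."""
    alerts = []
    msg = parse_modbus_tcp(frame)
    fc = msg["function"]
    if fc not in ALLOWED_FUNCTIONS:        # an "active function" the process never uses
        alerts.append("unexpected function code %d from unit %d" % (fc, msg["unit"]))
        return alerts
    for addr, val in written_registers(fc, msg["data"]).items():
        lo, hi = REGISTER_LIMITS.get(addr, (0, 0xFFFF))
        if not lo <= val <= hi:             # value inconsistent with the physical constraint
            alerts.append("register %d written with %d outside [%d, %d]" % (addr, val, lo, hi))
    return alerts

# Constructed sample requests: a normal setpoint write, an out-of-range multi-register write,
# and a diagnostics request (FC 8) that the monitored process never issues.
SAMPLES = [
    bytes.fromhex("0001000000060106006400C8"),            # FC6  addr 100 value 200   -> no alert
    bytes.fromhex("00020000000b011000640002040258005a"),  # FC16 addr 100..101 = 600, 90 -> 2 alerts
    bytes.fromhex("000300000006010800000000"),            # FC8  diagnostics           -> 1 alert
]
```

Running `inspect` over each frame in `SAMPLES` yields the alerts noted in the comments; a real deployment would feed these to the SIEM the page mentions rather than print them.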
AI algorithms have been evaluated (Process Mining with INRIA, Decision Tree by It has been possible only when the product structure was frozen and stable, which occurred late in the project. There is clearly potential for enhancing CyPRES configuration, rather than its detection capability, which is already high.
The market is slower than expected. It has also become clear that market studies on industrial cybersecurity are rare and poor. Market maturity is expected in 3 to 5 years from now (2021-2023).
CyPRES is attractive enough to bring recognition to NetCeler and Cybelius, hence improving the image of the two companies.
Another trend is that the CyPRES user does not exist yet. CyPRES alerts, from a design point of view, would interest both the site or infrastructure operator and the person responsible for cybersecurity. CyPRES will initially be exploited through the logs it transfers to a centralized security system (SIEM).
CyPRES, when associated with a control system, is much more than an intrusion detection device. It provides insight into the control system both as a static view (hosts, protocols) and in its dynamic behavior. CyPRES may be useful in reliability analysis, process performance, maintenance activity, misconfiguration detection, and many other aspects linked to control system quality, robustness and correct engineering.
Additionally, CyPRES can be the basis of a new generation of products with potential impact on the structure of control systems, providing security-by-design. Given the storage capabilities of CyPRES, it may become a valuable component of forensic tools.
Altogether, CyPRES can secure all existing control systems, which are all vulnerable, at a reasonable cost. This is a considerable improvement as today most systems can be shut down or damaged with little effort from attackers.
The potential impact is high in 3 directions:
1. Innovative technologies that may be consolidated and become a world leader in the domain of industrial cybersecurity
2. Rapid critical infrastructure protection in Europe, as well as most industries and cities
3. Large business activity shared between partners and integrators, with job creation and high revenue.