Skip to main content
European Commission logo print header

Security In trusted SCADA and smart-grids

Periodic Reporting for period 2 - SCISSOR (Security In trusted SCADA and smart-grids)

Reporting period: 2016-07-01 to 2018-02-28

In traditional ICS, security was assumed by the reliance on proprietary technologies (security by obscurity), physical access protection and disconnection from the Internet. The massive move, in the last decade, towards open standards and IP connectivity, the growing integration of Internet of Things technologies, and the disruptiveness of targeted cyber-attacks, calls for novel, designed-in, cyber security means.
SCISSOR designs a new generation SCADA security monitoring framework, comprising four layers:
i) a monitoring layer supporting traffic probes providing programmable traffic analyses up to layer 7, new ultra low cost/energy pervasive sensing technologies, system and software integrity verification, and smart camera surveillance solutions for automatic detection and object classification;
ii) a control and coordination layer adaptively orchestrating remote probes/ sensors, providing a uniform representation of monitoring data gathered from heterogeneous sources, and enforcing
cryptographic data protection, including certificate-less identity/attribute-based encryption schemes;
iii) a decision and analysis layer in the form of an innovative SIEM fed by both highly heterogeneous monitoring events as well as the native control processes’ signals, and supporting advanced correlation and detection methodologies;
iv) a human-machine layer devised to present in real time the system behavior to the human end user in a simple and usable manner.
The work performed during the first period of the project is summarized in the following deliveries:
D1.4 “Final Project Report”: This is the third year project activities and achievements performed within the project in the whole project duration.
D3.3 “Final revision of monitoring layer components: design and prototype”: This deliverable documents the final revision of monitoring layer design and components prototyping defined in D3.1 and D3.2. Detailed information is provided in “Technical part B” of this report.
D4.5 “Revision of control framework: final design and implementation”: This deliverable documents the final revision of the design and components prototyping of the control framework defined in D4.1 and D4.3. Detailed information is provided in “Technical part B” of this report.
D4.6 “Final revision of control layer techniques: semantic modeling and data protection”: This deliverable documents the final revision of the design and components prototyping of the semantic modeling and data protection techniques defined in D4.2 and D4.4. Detailed information is provided in “Technical part B” of this report.
D5.8 “Revision of Human Machine Interface layer design and implementation”: This deliverable documents the final design/implementation of the HMI layer components. Detailed information is provided in “Technical part B” of this report.
D5.6 “SCISSOR SIEM final design and development”: This deliverable documents the revision of D5.4 and describes the progress regarding the design and development of the SIEM Detailed information is provided in “Technical part B” of this report.
D5.7 “Revision ofadvanced detection algorithms”: This deliverable documents the revision of D5.5. Detailed information is provided in “Technical part B” of this report.
D6.4 “Final integration Status and Platform Assessment “: This deliverable reports of (1) the system integration activities at month 38, (2) the status of the SCADA platform integration at month 38 and (3) the final resilience and security assessment of the SCISSOR framework. Detailed information is provided in “Technical part B” of this report.
D6.3 “Final SCISSOR cloud platform”: This deliverable describes the final design and deployment of the SCISSOR cloud platform.
D7.2 “Validation and Demonstration intermediate report”: This deliverable documents the revision of D7.1 and describes the progress regarding validation activities. Detailed information is provided in “Technical part B” of this report.
D7.3 “Validation and Demonstration final report”: This deliverable documents the revision of D7.2 and describes the progress regarding validation activities and the installation on site in Favignana. Detailed information is provided in “Technical part B” of this report.
D8.3 “Final report on dissemination, standardization and exploitation”: This deliverable documents the actions of dissemination, standardization and exploitation. Details are done in “Technical part B”.
• Public key infrastructure: We have described an authentication system based on identity and attribute based cryptography. We got in fact two powerful authentication systems.
The first one is based on identity (IBE): we have modified this system to get a certificateless PKI.
The second one is based on attributes (ABE): it allows establishing natively access right on the ciphered data. We have modified and enhanced existing scheme by solving some challenging drawback inherent to these authentication systems, hence we have removed the famous key escrow problem.
We have constructed a POC with this updated OpenSSL: we have integrated it in OpenVPN. We think that IBE is simpler to operate than a classical PKI, and by implementing it in OpenSSL. We note that traditionally, Cloud access is secured though HTTPS. Then Access rights are warranted by the IAM and SSO is in general required. With ABE, it can be drastically simplified. Finally, we believe that ABE could have an impact on IoTs in general.
• SIEM: The Scissor SIEM is an advanced SIEM since it is build from three different engines: the first one is based on correlation, the second on dynamic Bayesian networks and the third one on robust statistics.
The Bayesian engine’s goal is to detect the behavioral changes in the full system and gives the list of the equipments responsible of these changes. Developing such an engine is a challenge: i) the probability distributions that should be used in the threat detection inference engine are non-stationary, i.e. they evolve over time; ii) some random variables handled by the Bayesian network are of a continuous nature and need be dealt as such, i.e. they should not be fully discretized.
Thus, we created new Bayesian network-related models that could cope with non-stationarity and we provided a general-purpose framework for learning the structures and parameters of these models.
We also provided learning algorithms to determine their structures and parameters from data. These algorithms highlighted the necessary incorrectness of all the algorithms of the literature relying on maximum likelihood to learn the structure of Bayesian networks and to discretize at the same time continuous variables. This led us to provide new discretization algorithms relying neither on maximum likelihood nor on entropy.
The last engine exploited by the SCISSOR’s SIEM relies on robust statistics. Here, the key idea is to exploit statistical methods to detect outliers, which can be interpreted as anomalies. We produced new algortihms that outperformed the state-of-the-art algorithms and integrated these new algorithms into a threat detection module.
• Architecture characteristics: The idea that consists in considering logical and physical characteristics to detect an intrusion is also original. This approach could be potentially used in different domains like finance, geopolitics where we have to take in account different elements to predict a scenari.