Community Research and Development Information Service - CORDIS

FP7

PREEMPTIVE Report Summary

Project ID: 607093
Funded under: FP7-SECURITY
Country: Italy

Periodic Report Summary 3 - PREEMPTIVE (PREVENTIVE METHODOLOGY AND TOOLS TO PROTECT UTILITIES)

Project Context and Objectives:
PREEMPTIVE proposes to:
• Enhance existing methodological security and prevention frameworks with the aim of harmonizing Risk and Vulnerability Assessment methods, standard policies, procedures and applicable regulations or recommendations to prevent cyber-attacks.
• Design and develop prevention and detection tools compliant with the dual approach that takes into account both industrial process misbehaviour analysis (physical domain) and communication & software anomalies (cyber domain).
The strong innovation proposed in PREEMPTIVE is to counter cyber-attacks by adopting dual-approach techniques that take into account industrial process behaviour (IPB) and communication & software related threats (CATh).
Industrial process misbehaviour takes place when an attacker gains user access rights and performs actions which look legitimate but which are intended to disrupt the industrial process. Think of a disgruntled employee who has access to the HMI systems used to control an industrial process. Thanks to his/her knowledge of the underlying industrial process, he/she can devise a combination of (legitimate) actions that will trigger a failure in the process, such as opening certain valves in a water facility to release sewage water into drinkable water.
Communication & software related threats mean that an attacker targets computers, networks, sensors, PLCs or radio signals to cause failures in the SCADA system by leveraging software vulnerabilities. Stuxnet is a typical example of a communication & software related threat. It used four previously unknown exploits of both host- and network-based software components to deploy specific PLC code that altered the regular operation of centrifuges for uranium enrichment. To conceal its activities, Stuxnet replayed data recorded during regular operation of the centrifuges to the operators' workstations.
Current research activities have failed to recognize the primary importance of the relationship between industrial process behaviour and communication & software related threats. Researchers have focused on addressing one of the two types at a time, without correlating information and events from both, extracted at various levels.
The breakthrough of the PREEMPTIVE proposal, unlike other research, is to conceive dual-approach techniques that improve prevention and detection capabilities against cyber-attacks where SCADA, DCS and PLC networks are used in conjunction with cyber networks.

Project Results:
The main objectives realized during the whole project (three periods; this is the final one) are summarized below:
• Definition of taxonomy for utility network
• Definition of PREEMPTIVE legal and ethical requirements and implementation
• Modeling and simulation of Cyber attacks against the utility network
• Evaluation of existing Security framework, standards, recommendations and gap analysis
• Development of Preemptive Methodology
• Application of Preemptive Methodology to a real utility
• Development of the industrial process tool through:
▪ normal operation state characterization, negative data representation and compression
▪ a hierarchical industrial process structure based on multi-agents
• Development of network-based tools for analyzing both traffic payload and flow
• Development of a host-based tool for the analysis of system/application events and logs
• Development of a network discovery tool
• Development of the event correlation engine
• Development of a graphical interface for the SW tools
• Test sessions of the SW tools and KPI measurement on the final test bed at the IEC laboratory
• Finalization of the dissemination and exploitation of the project results and of the project web site
• Proper management of the project to ensure the correct running of the activities in the period, as part of WP1 activities
In this third reporting period (March 2016-February 2017) the activities of the PREEMPTIVE project have been mainly focused on WP3 “Ethics, Social Impact, Regulations & Recommendations”, WP4 “Methodology Framework for utility network”, WP6 “Industrial process misbehaviour detection”, WP7 “Communication & software related threats prevention and detection” and WP8 “Results validation”. In the third period all tasks of all WPs have been completed.

In the technological research and development work packages the following main goals have been achieved:
WP2 serves as input for the other work packages in PREEMPTIVE. It proposes a taxonomy for organizing in a coherent way the information about the physical processes of utilities, the process automation systems employed to monitor and control these processes, and their security properties (threats, vulnerabilities and impact on failure). In particular, the following goals have been achieved:
• a taxonomy which provides a consistent description of the physical processes run by utilities, the systems used to control and automate these processes, the main objectives (use cases) that these automation systems serve, and their high-level architecture
• analysis of three utility sectors: electricity, gas and water
• a survey of the cyber-attacks that could affect these systems. In particular, it provides an inventory of the processes and services an attacker may wish to disrupt, and for each attack a high-level description of how an attacker may achieve his goals by leveraging (known) vulnerabilities in the software, components and protocols used in process automation systems

WP3 groups the research activities on legal and ethical aspects and on the societal impact of PREEMPTIVE. The objective is the identification of a list of high-level legal and ethical requirements to which the PREEMPTIVE solution must abide, in order to avoid legal and ethical inconsistencies at crucial later stages of the project. In particular, the following goals have been achieved:
• the ethical and legal requirements to which the end product should abide
• the legal and ethical considerations to be taken into account during the development phase
• details of the requirements for the technical implementation of the legal requirements

The WP4 objective is to define guidelines for improving Critical Infrastructure (CI) surveillance. In particular, the following goals have been achieved:
• a description of the state of the art of security frameworks, standards and recommendations, which identified seven weak points in the state of the art
• development of the Preemptive methodology to be applied to Critical Infrastructures
• Application of Preemptive methodology to a real utility
• White paper on Methodology results
• Network detection tool for known vulnerabilities

The WP5 objective is to model and simulate the utility network environment and cyber threats, in order to anticipate and study the critical issues arising from the adoption of both the prevention methods and the innovative technologies. In particular, the following goals have been achieved:
• a reference guide to operate the test environment and simulate threats and the steps to compromise the industrial network, based on the attack scenarios developed in WP2
• the realization of a simulation and emulation environment used to deploy cyber-attack malware in industrial control networks; software and hardware components emulate the cyber and physical functionalities of a real system
• specific attack scenarios recreated on the above simulation and emulation environment, focusing on cyber-attack deployment and its impact on electricity, water and gas networks

The WP6 objective is to identify misbehaviour at industrial process level through measurement analysis that could reveal a cyber-attack. In particular, the following goals have been achieved:
• the detection, based on an Artificial Immune System, of anomalies at industrial process level through the characterization of normal operation states in Critical Infrastructures and a negative representation of the data
• the design and implementation of several layers of coordinated sensors (physical or software modules) at different levels, which allow global effects to be identified even when all the corresponding local sensors indicate “normal operation”
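As an added illustration of the two WP6 ideas above (this is not PREEMPTIVE project code), the following Python block trains a negative-selection detector set from constructed normal-operation samples of a hypothetical pump, and runs it once per variable (local sensor agents) and once on the joint reading (a higher layer). The joint layer raises an alarm for a combination that never occurs in normal operation even though each local reading is individually plausible, which is the case the coordinated sensor layers are meant to catch.

```python
import itertools
import math

STEP = 0.05    # spacing of the candidate-detector grid (normalised [0, 1] units)
RADIUS = 0.06  # a detector matches any point closer than this


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def negative_selection(normal):
    """Negative-selection training: keep every grid point that matches no
    normal-operation sample. The kept points are a negative representation
    of the process: they describe where normal data never occurs."""
    dim = len(normal[0])
    axis = [round(i * STEP, 2) for i in range(round(1 / STEP) + 1)]
    return [p for p in itertools.product(axis, repeat=dim)
            if all(_dist(p, s) > RADIUS for s in normal)]


def is_anomalous(detectors, sample):
    """A sample is anomalous when it matches at least one detector."""
    return any(_dist(d, sample) <= RADIUS for d in detectors)


# Constructed normal-operation data (hypothetical, not from the project):
# pump speed and measured flow, both normalised to [0, 1]; in normal
# operation the flow tracks the pump speed.
NORMAL = [(round(0.30 + 0.01 * i, 2),) * 2 for i in range(41)]

# Local sensor agents see one variable each; the global agent sees the pair.
LOCAL = [negative_selection([(s[k],) for s in NORMAL]) for k in range(2)]
GLOBAL = negative_selection(NORMAL)


def assess(sample):
    """Return (local_alarms, global_alarm). A global alarm while every local
    agent reports normal is the case the coordinated layers exist for: each
    reading is individually plausible, but the combination never occurs in
    normal operation (e.g. full flow while the pump runs slowly)."""
    local = [is_anomalous(LOCAL[k], (sample[k],)) for k in range(len(sample))]
    return local, is_anomalous(GLOBAL, sample)


if __name__ == "__main__":
    for reading in [(0.50, 0.50), (0.30, 0.70), (0.90, 0.90)]:
        print(reading, assess(reading))
```

The grid-based detector generation replaces the random candidate generation of classic negative selection so that the result is deterministic; the matching rule is the same.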

The WP7 objective is to develop new tools to prevent and/or detect anomalous and malicious activities against critical systems. In particular, the following goals have been achieved:
• network-based intrusion detection solutions (IDS) for ICS/SCADA based on two distinct but complementary approaches: payload-based and flow-based analysis
• a host-based IDS for ICS/SCADA based on three distinct but complementary areas: malicious payload detection for embedded devices used in ICS environments, malware detection in standard IT components deployed in ICS environments, and integrity of personal and company storage devices
• a Correlation Engine for alarm correlation and threat/APT identification

The WP8 objective is to measure the effectiveness of the methodology framework as well as of the innovative tools developed during the project. In particular, the following goals have been achieved:
• a comprehensive list of Key Performance Indicators (KPIs) to be used in the assessment of the project solutions
• the test plan, which has been used to validate and demonstrate the results achieved. The proposed test plan consists of a set of test sessions structured as cyber-attacks
• the test environment, an industrial network in a reduced configuration, which has been used to run cyber-attacks according to the test plan in order to validate the KPIs of the methodology and SW tools

The WP9 objective is to make the knowledge and results of the project available to the research community and to companies that can turn these results into a sustainable business. The envisaged objective of WP9 is to disseminate the project results and the deliverables of the previous work packages through participation in standards bodies, coordination activities with other organizations, face-to-face meetings, briefings, presentations, and publications in conferences, workshops, scholarly journals, magazines, and other venues in academia, industry, and government. Moreover, this work package focuses on creating visibility for the project, on disseminating the results through different channels, on building a knowledge base within the project and creating permanent structures to collect and disseminate knowledge about utility protection, and finally on stimulating the uptake and exploitation of the results. The main results reached by this WP are:
• Setup of the project web page
• Setup of mailing lists for dissemination and partner cooperation
• Setup of SVN storage servers for documents and data
• Setup of a web portal for partner cooperation including forums, calendars and wiki pages dedicated to each WP
• Publication of several papers
• Active participation in several congresses to disseminate Preemptive results
• Contacts with end users for exploitation

Potential Impact:
The main PREEMPTIVE final outputs are:
• Taxonomy – report
▪ Classification of the utility networks taking into account type, communication technology and sensitivity to cyber threats
• Simulation Modelling – software
▪ Models and virtual environment for simulating and gathering data on cyber-attacks
• Core of the detection tools (network-, host- and process-based) – software
▪ Prevention and detection tools to improve security on SCADA utility networks
• Cyber Defence Methodology Framework – guidelines
▪ Risk and Vulnerability Assessment methods
▪ Standard policies, procedures and guidelines to prevent cyber-attacks
• Ethics, Social Impact – report
▪ Legal and ethical requirements and implementation report

The consortium has developed a series of prevention and detection tools for industrial process-related threats, together with host-based tools, which constitute the PREEMPTIVE methodology and can be exploited individually by the developing partners or included in products already existing in their portfolios. PREEMPTIVE exploitable results include:

- Preemptive Methodology, a cyber defense methodology framework that will provide security protection for utility networks and improve the level of security in the cyber-physical systems of critical infrastructure.
- Inclusion of the PREEMPTIVE tools in Vitrociset’s Vbrain and CyCube products. Vbrain is a scalable and configurable platform that allows the realization of remote command and control system of technological plants and integrated security systems. CyCube, on the other hand, is a microappliance that offers advanced protection means against cyberattacks.
- P-NIDS (Payload-based Network IDS). A tool for monitoring process variables by passively sniffing network traffic in critical infrastructure, developed by SecurityMatters.
- PR-IDS (Process-Related Intrusion Detection System). An anomaly detection tool, developed by AIA, built to detect abnormal behaviours at the process level of critical infrastructures, aimed at the detection of cyber or physical intruders.
- HIS (Host-based Integrity System) tool and results achieved with the tool.
- Scientific publications in conferences and journals. Scientific knowledge transfer within academic partners.
- Software aimed at producing an open-source library for the scientific community and industry.
- USBCheckIn, a hardware protection against firmware attacks.
- Baseline security requirements, developed by ENCS, for smart meters and equipment used in the operation of the smart grid.

List of Websites:
www.preemptive.eu

Reported by

Vitrociset spa
Italy

Subjects

Safety