This Work Package, led by the University of Coïmbra (FCTUC), aims to provide the distributed awareness capabilities for IACS systems considering threats and vulnerabilitiesof modern CIs. Beyond the state-of-the-art, the outputs of EU FP7 CockpitCI project, regarding detection of cyber-attacks and risk prediction, will be improved in terms of implementation and extended to include new threats and interdependency models. The main purpose of this WP is to develop solutions and components for distributed anomaly detection and risk assessment.
Considering that new generations of IACS (as it is the case for smart metering) are becoming distributed systems, calls for new approaches, capable of tackling the challenges introduced the by capillary nature of such infrastructures. As such, the adoption of Big Data-like data processing strategies (such as the use of Scalable Complex Event Processing), coupled with Fog-Computing mechanisms (eventually supported with NFV service chain abstractions) is envisioned as strategic assets in the architecture to be developed. Moreover, building on the experience from the CockpitCI project, cyber-awareness mechanisms will take advantage of technologies such as the Shadow RTU, the SCADA Honeypots and the Smart Extension, as well as the concept of distributed multi-layered correlation that was extensively used on the cyber-detection layer architecture. In order to achieve this goal, several advanced strategies for distributed detection, anomaly detection and/or event correlation will be researched, taking advantage of the extensive and heterogeneous expertise of the project partners.
Work to do
- Design and development of the detection agents, including domain-specific Honeypots and Honeynets, Shadow RTU, as well as specialized network and device probes to be added to the IACS.
- Design and development of the Distributed Awareness Layer, which will be a Distributed Intrusion Detection System (DIDS), designed to fulfil the needs of IACS.
- Distributed anomaly detection architecture for IACS
- New IACS-oriented components for anomaly detection and field-level security event acquisition (Shadow RTU, SCADA Honeypot, Smart Extension)
- Distributed vulnerability detection system such as software, configuration vulnerability detection systems
- A Big Data SIEM, capable for providing a source dataframe for forensics and auditing purposes.
Tasks break down
- Task 4.1 – Requirements and Reference Architecture for the Cyber-physical IDS
- Task 4.2 – Distributed Intrusion and Anomaly Detection Strategies for IACS
- Task 4.3 – Design of detection agents and security components
- Task 4.4 – Design of the Distributed IDS for IACS
- Task 4.5 – Evolved Big Data SIEM for Forensics and Auditing Support