Abstract
In recent years, IACS (Industrial Automation and Control Systems) have become more complex, due to the increasing number of interconnected devices. This IoT (internet of things)-centric IACS paradigm, which is at the core of the Industry 4.0 concept, expands the infrastructure boundaries beyond the aggregated-plant, mono-operator vision, being dispersed over a large geographic area. From a cybersecurity-centric perspective, the distributed nature of modern IACS makes it difficult not only to understand the nature of incidents but also to assess their progression and threat profile. Defending against those threats is becoming increasingly difficult, requiring orchestrated and collaborative distributed detection, evaluation, and reaction capabilities beyond the scope of a single entity. This chapter presents the Intrusion and Anomaly Detection System platform architecture that was designed and developed within the scope of the ATENA H2020 project, to address the specific needs of distributed IACS while providing (near) real-time cybersecurity awareness.
TopIntroduction
In recent years, Industrial Automation and Control Systems (IACSs) have experienced an increase in their complexity, due to the growing number of attached devices, sensors and actuators. Quite often, these components are spread out in the field – this is the case for micro-generation, smart metering, oil and gas distribution or smart water management, among others. This Internet of Things (IoT)-centric IACS paradigm, which is at the core of the Industry 4.0 concept, blurs the infrastructure boundaries, expanding them beyond the single or aggregated-plant, vertical silo perspective, being dispersed over a widespread geographic area, with increasingly small areas of coverage as we progress towards its periphery.
However, IoT-centric IACS pose several challenges. As the boundaries of the IACS expand towards households, they involve several third-party entities, such as telecommunications or utility providers, in a scenario that naturally demands the introduction of multi-tenancy mechanisms for supporting Machine-to-Machine (M2M) communications and infrastructure orchestration. Specifically, and from a cybersecurity-centric perspective, the distributed nature of modern IACS makes it difficult not only to understand the nature of incidents but also to assess their progression and threat profile. Dealing with such threat profiles is a difficult task, furthermore if considering the need to involve several different entities in developing coordinated and collaborative distributed detection, analysis and reaction mechanisms. Hence, this situation constitutes an opportunity to rethink the current approach of cybersecurity for IACS, resorting to new tools and models providing a comprehensive level of coverage for the whole value chain of a Critical Infrastructure (CI) in increasing sophisticated and networked scenarios.
This situation calls for a different approach to cyber threat detection, which was one of the most relevant contributions of the ATENA H2020 project (ATENA Consortium, 2016). The main objective of ATENA project (Vitali et al., 2017) is to improve the efficiency and resilience capabilities of modernized Critical Infrastructures against a wide variety of cyber-physical threats, being those malicious attacks or unexpected faults which may affect the IACS, corporative or simple ICT devices. (…) Every element of the IACS Trusted Control Chain (Figure 1) could be impacted by incident (natural or malicious). The ATENA prototype will demonstrate the capabilities to detect the incident, to identify the problem, to assess the risk for the overall CI and to provide solution to restore the reliability of the CI behavior i.e., to restore a Trusted Control Chain all over the CI network.
Figure 1. IACS trusted control chain
Quite unsurprisingly, the ATENA project objectives statement explicitly describes a reference scenario where a chain of trust traverses a multi-tenant environment, precisely one of the main concerns of modern IoT-centric IACS. For this purpose, the ATENA architecture included an Intrusion and Anomaly Detection System (IADS) subsystem, which was designed from the ground up to deal with the challenges such complex environments.
This chapter intends to present and describe the ATENA IADS architecture, designed from the ground up to address the specific needs of distributed IACS, while providing (near) real-time cybersecurity awareness. The IADS is built around a data-driven security concept, aimed at providing a considerable degree of flexibility in terms of IACS security management, monitoring and configuration, while preventing risks, both from operational errors and from cyber-attacks, intrusions or malware.
The rest of this chapter, which departs from prior published work (Rosa et al., 2017) is structured as follows. The Background and Related Work section provides a state-of-the-art overview about event processing techniques and solutions for security applications, also encompassing a description of a distributed intrusion detection system (IDS) implementation from the same authors of this chapter, which is considered to be representative of a more conventional solution. Afterwards, the Proposed Architecture section describes the IADS architecture and its main components, being followed by a section dedicated evaluating its Event Processing capabilities. This chapter will be closed with a section focused on Future Research Directions, followed by the final Conclusions.
Key Terms in this Chapter
Forensics and Compliance Auditing (FCA): A set of analysis capabilities to retrieve insights from persisted data. Two kinds of actors interact with these capabilities: Operators and Security Analysts. Operators receive continuous information from the processes performing rule assessment, evaluating the critically of events and preparing a set of responsive actions to minimize their impact. Security Analysts are responsible for extracting insights from the interpretation of stored events, performing ad hoc queries to understand related thread event paths and preparing improvement measures.
Critical Infrastructure (CI): Systems whose incapacity or destruction would have a debilitating effect on the economic security of an enterprise, community or nation.
Industrial IoT (IIoT): The result of the evolution of industrial automation technologies towards assimilating the IoT paradigm. The outcome is a new generation of automation infrastructures which are highly distributed and interconnected, spawning large coverage areas.
Lambda Architecture: An architecture designed to deal with immutable data sets that grow over time (which is the nature of the security events being generated from the probes). The Lambda architecture encompasses both stream techniques for fast, time-window based event processing and batch processing techniques, which constitute a slow path for event processing, sifting through large volumes of data (stored in a large repository, such as a data lake) to search for trends or anomalous patterns.
Security Probe: Security agents whose role is to capture relevant evidence from several strategic points and components of the protected infrastructure, which is to be streamed and pre-processed before being sent to a security analytics platform.
Software-Defined Networking (SDN): Consists of an architecture that decouples forwarding functions (data plane) from network control (control plane), enabling network programmability. It constitutes a flow-oriented virtualization mechanism for networks, allow for the flexible creation and management of network overlays on top of existing physical infrastructures, while also enabling significant security and reliability benefits.
Industrial Automation and Control Systems (IACS): Systems that ensure the supervision and control of a series of processes involved in the production and delivery of goods and services, from assembly lines to power plants. In fact, several universal and essential services, such as utility or telecommunications infrastructures, which are crucial to maintain the social, industrial, economic and security status of a modern country, depend on IACS.
Anomaly detection: Analysis techniques which try to identify deviations regarding an established normal behavior or operational pattern of a system.
Security Information and Event Management (SIEM): This term is typically used to refer to systems oriented towards performing log/event storage and processing (typically filtering and correlation).