“Real time Monitoring and Control of Hydroelectric Dam” Partecipanti: • UNIPARTHENOPE • POLITO • CNR Overview • Goal of the paper • Proposed architecture – Correlator – GET – Decision Support System • Policy Conflict Resolution • Reachability Analysis – Resilient event storage • Misuse case • Conclusion and Future Work Obiettivo del lavoro rispetto a TENACE 1. Description of an enhanced SIEM (Security Information and Event Management) system with the introduction of novel components. • The proposed SIEM will be validated on a critical infrastructure scenario, namely a Hydroelectric Dam. – In particular, we described a misuse case that mimics an attack to a DAM. Architettura Proposta • GET Component: an advanced security information and event collector enabling multiple layer data analysis on SIEM frameworks; • a Decision Support System that allows both to: • Resolve policy conflicts; • analyze and control IT networks by allowing to discover unauthorized data paths and perform automatic re-configuration of network devices; • a Resilient Event Storage to ensure integrity and unforgeability of alarms even in the case of attack against its components. GET • generate security events by observing multiple layer data from the sources in the monitored infrastructure. • The most relevant sources are physical sensors, logical access events, physical access events, network systems and logs from networked applications. • Tranlstate such events into a common format which is suitable for the central Correlator engine of the SIEM and for the Decision Support System. • preprocess data in the collection points and detects anomalies in the cyber-physical systems (e.g. anomalies in the measured parameters). Correlator • The Correlator analyzes the GET events in order to discover known attack sequences, i.e. sequences encoded through schematic rules and stored in the rule database of the SIEM. • Correlator engine is a software component that allows to detect specific attacks signatures (security event sequences) within the event flow received. 1. 2. 3. When an attack signature is matched, the Correlator generates an alarm. The alarm generated contains also information about the events that generated it. Alarm generation through Correlator is performed in order to improve the accuracy of incident diagnosis and allow better response procedures. • The Correlator shows few semantically richer alarms in the face of the huge number of events coming from single sensors. How the correlator works (brute force attack example) The well-known attacks signatures are defined through the {\em correlation rules}. In particular, a correlation rule describes a relation between some information contained in the fields of events gathered in order to identify an attack. An example of correlation rule that can be used, for example, to discover a brute-force attack. Decision Support System (DSS) • DSS has two functionalities: – Policy Conflict resolution – Reachability analysis DSS for Policy conflict resolution • Once the Correlator reveals an attack, some countermeasures have to be taken in order to preserve the system against a such attack. • Countermeaseures act according to specific policy describing the reaction to an event. • It can be the case that differnt policies are active at the same time. • This can lead to the occurence of conflict. Analitich Hierarchy Process • The Analytic Hierarchy Process (AHP) is a multi-criteria decision making technique, which has been largely used in several fields of study. • Given a decision problem, where several different alternatives can be chosen to reach a goal (solve the conflict), AHP returns the most relevant alternative (which policy wins the conflict)with respect to a set of previously established criteria and subcriteria. • Practically, the AHP approach is to subdivide a complex problem into a set of sub-problems, criteria (element of a policy) and subcriteria (attribute), and then to compute thesolution by properly merging the various local solutions for eachsub-problem. DSS for reachability • Goal: discover unauthorized traffic – caused by misconfigurations or attacks • network reachability approach – which hosts reach a set of services • high level policies to define network behavior • runtime comparison between – generated rules: provided by refinement process – deployed rules: installed on firewalls • event-based reaction, e.g., – security issue: modify firewall rules to enforce a policy – non-enforceability: install a filtering control to enforce a policy • inference rules to manage: – workflow (refinement + reachability analysis) – events and reaction/remediation DSS architecture Network Policies <subject> reach <object> <subject>: e.g., IT Admins <object>: e.g., h1.service1 System description hosts, IP addresses, services (ports, protocols), network topology Events anomaly (i.e., firewall rule is more restrictive than policy) security issue (i.e., unauthorized traffic) Decisions and Remediation e.g., modify firewall rules, add a new firewall (with corresponding rules) to enforce the policy Resielience event Storage • Resilient Event Storage (RES) system is an infrastructure designed: – to be tolerant to faults and intrusions; – to generate signed records containing alarms/events related to security breaches; – to ensure the integrity and unforgeability of alarms/events stored. • The RES fault and intrusion tolerant capability makes it able to correctly create secure signed records even when some components of the architecture are compromised. • Presented yesterday by Cesario Di Sarno (Uniparthenope) Case study • • • • A wrong configuration: a data path exists that allows an user in the 'visualization station' to re-write the sensor firmware. An unsatisfied employee: he/she discovers this vulnerability and he/she want to exploit it to perform a serious attack to the hydroelectric dam. Thus, he/she obtains the administrator credentials and logs in to the control machine in the 'control station' and manage the gate of the penstock. The attack is performed in two steps: – 1) from 'visualization station', an unsatisfied employee performs a reprogramming of the sensor that measures the water flow rate in the penstock. In particular a constant water flow rate value is sent to the control center in order to deceive the operator/a threshold control system; – 2) the unsatisfied employee enters in the 'control station' using its own badge (RFID), performs a login with administrator privileges, sends a command to open the gate and runs away. • • The operator or the classic control system cannot detect the attack because the sensor always transmits a normal water flow rate value. Instead the turbine spins as faster as higher the water flow rate is. Also, the electric power generated and injected in the power grid increases. This attack finishes when the electric power generated overcomes a security threshold. In that case the transmission line connected to the generator is overloaded and a blackout is likely to occur. Conclusion and Future Work • Starting from different expertise, we have proposed a framework able to manage emergency in a power grid scenario. • We have presented the components we add for enhancing a SIEM system. • We show the application of the proposed framework in a real scenario • Future Works – Setup of the system – Validation of the whole system on the presented case study. Thanks you!