Professional Documents
Culture Documents
I.
INTRODUCTION
POLICY ENGINEERING
Attributes ID
Master artefact
Salve artefact
Master component
Slave component
Behaving rule
Trigger item
Usage context
Priority extension
CP-Ma-art
CP-S-art
CP-Ma-Com
CP-S-Com
CP-Ru
CP-TI
CP-UC
CP-prior
1) Permissive Policy
Permissive Policies are represented in red in Fig. 2. They
represent policies which govern the knowledge acquisition
rules from the Master to the Slave artefact [14]. This
knowledge acquisition traditionally takes the form of SCADA
states data accessed or provided in order to provide the
Responsible with the access (of in, out, in_out types [16])
to successive Cognitive Policies in case of occurring events.
The Permissive Policies morphology is articulated on the
following set of attributes [perceived by [15]): Master artefact,
Slave artefact, Master component, Slave component,
Permission rules, Pre-permission conditions, Master
permission cardinality, Slave permission cardinality, and
Cognitive constraints (Table II) - sustained by Cognitive
Policy states).
Table II. Permissive Policy attributes name and attributes ID
Attribute Name
Attribute ID
Master artefact
Slave artefact
Master component
Slave component
Permission rules
Permission conditions
Master permission cardinality
Slave permission cardinality
Cognitive constraints
PP-Ma-art
PP-S-art
PP-Ma-Com
PP-S-Com
PP-Ru
PP-Condi
PP-Ma-Car
PP-S-Car
PP-Co.con.
1) Detection correlation
Detection and cyber detection (DCD) [19] compose the
skeleton of the detection correlation mechanism which
supports the SCADA environment. Mainly three security
zones constitute the source of classified knowledge for this
DCD, namely, the corporate networks, the CI, and the field of
correlation that constitutes the input from distributed sensors.
The fields are architecture-based on traditional and specific
components from SCADA networks, to know: IDS,
Honeypots, Anti-Virus, and RTUs mirror. DCD performs a
correlation based on low validated alerts/events aggregation
(true-positive detections [20]) to higher validated alerts. As
highlighted in Fig. 3, cyber threat and security propagation
models support the correlation mechanism by allowing
analyzing and detecting suspicious signatures and suspicious
behaviours to issue a set of Detected Cyber Parameter (DCP).
2) Online cyber analysis
The Online Cyber Analysis (OCA) module [21] acts as the
heart of the SCADA schema, since it supports the definition of
the Refined Cyber Parameters provided to the Cyber
Simulator. OCA receives as input the DCP from the DCD on
the one hand, and the data from the analysis tools on the other
hand. The Cyber-physical Events are correlated amongst this
DCD and the Operative Level Analysis module (which we
Figure 4. SCADA architecture extracted from [15] focussed on detection correlation, online cyber analysis and visualization system
Table III. CP instantiation for the Analytical function policy master artifact
Attribute ID
Attribute Name
CP-Ma-art
CP-S-art
CP-Ma-Com
CP-S-Com
CP-Ru
CP-TI
CP-UC
CP-prior
V.
VI.
CONCLUSIONS
[2]
[4]
[5]
[6]
[7]
RELATED WORKS
[1]
[3]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
[27]