Cyber Threat Information Sharing System for Industrial Control System (ICS)
Shingo Abe 1,2†, Yukako Uchida 1, Mitsutaka Hori 1, Yuichiro Hiraoka 1 and Shinichi Horata 1
1 ICS Security Response Group, JPCERT/CC, Tokyo, Japan (Tel: +81-3-3518-4600; E-mail: icsr@jpcert.or.jp)
2 Nagoya Institute of Technology, Nagoya, Japan (Tel: +81-52-735-7177; E-mail: s.abe.562@stn.nitech.ac.jp)
Abstract: To enhance the cyber security capability of the whole industry, an information sharing scheme for ICS-related security information is needed. Exchanging cyber threat information described in a specific machine-readable format can partly automate the processes behind security measures and eventually lighten the workload of technical personnel. It also enables information sharing across the sector and, accordingly, the early and effective implementation of security measures (detecting infection, blocking suspicious communication etc.). This paper proposes a system for sharing cyber threat information with a wide range of organisations, together with the format of the data to be exchanged through the system.
Information eXpression (STIX) [9] is the description format for IoC applied in AIS, and it contains a field for the Tactics, Techniques and Procedures (TTPs) of the attack. THS receives attack packets that attempt scanning or lateral movement, and these packets carry traces of the attack method. After sanitising, the payload obtained by THS can be utilised as an IoC. By referring to these observations, other organisations can detect similar attack activities on their own THS, either by searching for suspicious communications in the log or by reconfiguring the rules of the THS.

2.3. Integration and Analysis of Information Collected by THS
Generally, ICS devices are implemented on a control system network separate from the information network. In some cases, Ethernet is used for the control network of ICS devices. In large-scale networks, each branch, factory or even each system may be divided into different network segments, each of which may also be protected by a firewall. If a THS is implemented in each network segment or layer, it becomes possible to detect how far the network has been compromised. For this reason, we recommend that multiple THS be installed in a single organisation for effective threat detection, and that they form an Integrated Management System (IMS), which integrates and analyses the information gathered from each THS.

If THS are distributed widely across a single organisation, it is unrealistic to collect and examine information from all of them individually. Instead, it is more practical for IMS to gather the information centrally from all THS and notify the administrator as necessary. If the notification can also be sent to a wider range of partners, other administrators can prepare to detect similar cyber threats. For this purpose, administrators need to change the THS configuration to detect the specific threat; more precisely, the THS configuration needs to be changed dynamically according to the IMS's notification. In this regard, IMS should be able to collect information from THS and to control the operation and configuration of THS.

Threat details from IMS allow more detailed analysis when combined with other information collected by firewalls and network switches. Logs obtained from these devices are often managed and analysed by a log management system with a Security Information and Event Management (SIEM) function. If IMS has a SIEM function of its own, or synchronises with the existing SIEM for log analysis, events on the network can be investigated effectively.

2.4. Threat Information Sharing among Organisations
As discussed earlier, IMS gathers information from THS in each network segment. This includes not only malicious payloads from attackers but also configuration errors, which are not always necessary to share. Sharing information from IMS without processing may expose unrelated information or organisation-specific information (IDs, passwords, device parameters etc.). As the scheme for information sharing, we propose the "ICS Early Warning Management System (ICSEWM)", a system that 1) integrates information stored in multiple IMS, 2) analyses the threat details and 3) feeds the processed IoC back to each IMS. In this system, only cyber threats need to be extracted from the collected data, and ideally this process is conducted by analysts with considerable knowledge of cyber attacks. However, it is challenging to assign highly-skilled cyber security analysts to every branch or factory. Therefore, it is practical to open ICSEWM to the company headquarters or to mutual organisations (e.g. an industry group, an Information Sharing and Analysis Centre (ISAC), or the national CSIRT) for initial processing, and then distribute the information to each organisation. With this approach, ICSEWM is expected to integrate a wide range of information that is actionable for cyber threat mitigation. In sophisticated cyber attacks, specific sectors are often targeted. For example, according to the alert issued by US-CERT, several critical infrastructure sectors were affected by the "Dragonfly 2.0" campaign [10] [11]. If the threat information can be shared from the first affected organisation, other partners can implement preventive measures, and the potential damage to the whole industry can be minimised.

2.5. Format for Shared Information
In order to exchange information mutually among ICSEWM, IMS and THS, a common format and protocol for communication need to be defined. While THS is a light application that can be built on a generic Linux box such as a Raspberry Pi, IMS and ICSEWM run on a server. Thus, the client-server model applied in information systems is suitable. As discussed in Section 2.1, STIX has been widely used as a format for describing different aspects of cyber threats. For information exchange in STIX format, the Trusted Automated eXchange of Indicator Information (TAXII) protocol has been used. Given that IMS and ICSEWM also serve as TAXII servers, they can exchange STIX-based information. Most SIEM products are now compatible with the STIX format. By enabling STIX-based information exchange between IMS and SIEM, it becomes possible to analyse IoC for the information system effectively, for example to identify packets exchanged between malware-infected devices and C&C servers. Likewise, by enabling STIX-based information sharing between IMS and THS, the whole ICSEWM would communicate in a single description format. The overview of this proposed system will be explained further in Section 3.2.
Figure 1 Overview of the system architecture
3) IoC distribution
Distribute the processed information (IoC) to each IMS.

4) IoC management
Create and manage IoC for distribution.

We used Elasticsearch as the database server and implemented the system using a STIX library.

3.2. Example of Data for Sharing
As one example of the data to be shared using the ICSEWM, we explain a report message that is sent to IMS about malicious activities caused by "HavexRAT" [12], which was also introduced in our preceding study. We assume that a device on the ICS network is infected with HavexRAT and sends scan packets to the network; these packets also reach THS, which triggers a report to IMS.

In this system, the message is communicated in STIX format (v.1). This structure consists of the following 8 elements: Campaigns, Threat Actors, TTPs, Indicators, Observables, Incidents, Courses Of Action and Exploit Targets. Information collected from THS can be described in the Observables, Incidents or Indicators section. Furthermore, the THS configuration required for detecting a specific threat (the types of machine that THS needs to imitate, the port numbers for communication), provided by IMS, can be specified in "Targeted Systems" defined in TTP. However, some of the information required for THS configuration does not fit the existing STIX format. It can be inserted in the description element of each field, or a new STIX format may need to be defined especially for ICS. In the conference presentation, we would like to discuss the potential of an extended STIX format in detail.

An example of the information is shown in Figure 2. In the message below, organisation-specific information has already been removed and the data converted into a specific format. Referring to STIX, we have developed a light and simple format for describing cyber threats.

    <campaigns>
      <campaigns:name>Havex Scans</campaigns:name>
      <incidents>
        <category>Scans</category>
        <effect>Theft of Proprietary Information</effect>
      </incidents>
      <ttps>
        <targetSystem>OPC Server</targetSystem>
      </ttps>
      <descriptions>
        <sourceIp>192.168.XXX.XXX</sourceIp>
        <targetPort>102,502,11234,12401,44818</targetPort>
      </descriptions>
    </campaigns>
Figure 2 Simple format for describing cyber threats

Based on this information, IMS sends a threat report to ICSEWM. ICSEWM creates an IoC and sends it to the other IMS. An IMS that receives this information compares its logs against the IoC and notifies the administrators if there is any match. If any change to the THS configuration is required to detect the specific threat, IMS reconfigures it. In this system, organisation-specific information is not shared with other partners; only threat information is shared.

4. FUTURE CHALLENGES AND CONSIDERATIONS
In actually implementing the proposed information sharing scheme, the following challenges need to be considered.

- THS's emulation function
In order for THS to deceive attackers and observe attack activities over a prolonged period, it needs to be capable of sending precise responses to various commands and via different protocols. The preceding research focuses only on a particular protocol and set of commands. Compatibility with the other protocols and commands used in ICS devices needs to be increased.

- Anomaly detection
There is a preceding study that applies machine learning to anomaly detection. However, it does not cover all the types of anomalies originating from cyber attacks, and false detection is still possible. Efforts are needed to develop detection methods for different kinds of cyber attacks and to reduce the false detection rate.

- Anomaly notification
It is difficult for factory personnel to analyse and address all cyber security related issues. In addition to turning on warning lights upon anomaly detection, we need to discuss what kind of information should be provided to encourage smooth action.

- STIX format for ICS
Use of the STIX format for threat information exchange will expand; however, its increasing data size is one of the common challenges. There is room for discussion of a new STIX format that is lighter and more compatible with different systems.

- Framework for information sharing
The ICS community in Japan is a generally closed community, and there are few opportunities for information exchange within the sector. Awareness-raising activities should be provided to enhance information sharing in the sector.

5. CONCLUSION
We have explained an example of ICS-related information exchange among multiple organisations using the STIX format. Linking THS, IMS and ICSEWM with STIX-format data minimises the demand for skilled technicians for threat analysis and realises smooth threat information sharing among organisations and factories. Shared threat information can be processed automatically, and notifications are sent to administrators. From the notification, it is expected that security measures are taken accordingly in each recipient organisation. This automated process is expected to reduce the workload of technical personnel. With the aim of improving ICS security, we will continue our efforts to address these issues.
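As an added example (not code from the paper or from the ICSEWM implementation), the following Python script parses a message in the Figure 2 format and performs the IMS matching step described in Section 3.2: constructed THS connection logs are compared against the IoC's target ports and the matches are returned for notification. The xmlns:campaigns declaration, the log-line layout and the addresses are assumptions.

```python
"""Parse the Figure 2 style campaign message and match it against THS logs."""
import re
import xml.etree.ElementTree as ET

# Constructed sample message in the Figure 2 format. The xmlns:campaigns
# declaration is an assumption added so that the <campaigns:name> prefix parses.
SAMPLE_MESSAGE = """<campaigns xmlns:campaigns="urn:example:campaigns">
  <campaigns:name>Havex Scans</campaigns:name>
  <incidents><category>Scans</category>
    <effect>Theft of Proprietary Information</effect></incidents>
  <ttps><targetSystem>OPC Server</targetSystem></ttps>
  <descriptions><sourceIp>192.168.XXX.XXX</sourceIp>
    <targetPort>102,502,11234,12401,44818</targetPort></descriptions>
</campaigns>"""

# Constructed THS connection log lines: "<src> -> <dst>:<port> <proto>".
SAMPLE_LOGS = [
    "10.0.1.7 -> 10.0.2.20:502 tcp",
    "10.0.1.7 -> 10.0.2.20:44818 tcp",
    "10.0.1.9 -> 10.0.2.20:22 tcp",
    "10.0.1.7 -> 10.0.2.20:102 tcp",
]
LOG_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\w+)$")

def parse_ioc(message):
    """Return the shareable fields of the message as a dict.

    sourceIp is masked by the sending organisation (192.168.XXX.XXX), so it
    is kept for reference only; the target port list is the matchable IoC.
    """
    root = ET.fromstring(message)
    ns = {"campaigns": "urn:example:campaigns"}
    ports = root.findtext("descriptions/targetPort", "")
    return {
        "name": root.findtext("campaigns:name", namespaces=ns),
        "category": root.findtext("incidents/category"),
        "target_system": root.findtext("ttps/targetSystem"),
        "source_ip": root.findtext("descriptions/sourceIp"),
        "ports": {int(p) for p in ports.split(",") if p.strip()},
    }

def match_logs(ioc, log_lines):
    """IMS step: compare THS logs against the IoC ports and return the hits."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and int(m.group(3)) in ioc["ports"]:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```

Each hit names the internal source that contacted a scanned port, which is what the IMS administrator notification needs to carry; the masked sourceIp from the shared message is never used for matching.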
REFERENCES
[1] S. Abe, M. Fujimoto, S. Horata, Y. Uchida and T. Mitsunaga, "Security Threats of Internet-reachable ICS", Conference Proceedings of 2016 55th Annual Conference, Society of Instrument and Control Engineers of Japan, 2016.
[2] US-CERT, "Automated Indicator Sharing (AIS)", https://www.us-cert.gov/ais, US-CERT.
[3] ICS-CERT, "Training Available Through ICS-CERT", https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT.
[4] K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams and A. Hahn, "Guide to Industrial Control Systems (ICS) Security", NIST Special Publication 800-82r2, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-82r2.pdf, NIST, 2015.
[5] ICS-CERT, "ICS-CERT Monitor March 2012", https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Mar2012.pdf, ICS-CERT, 2012.
[6] S. Abe, Y. Tanaka, Y. Uchida and S. Horata, "Track Attack Sources based on Traceback Honeypot for ICS Network", Conference Proceedings of 2017 56th Annual Conference, Society of Instrument and Control Engineers of Japan, 2017.
[7] K. Wilhoit and S. Hilt, "The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems", https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_gaspot_experiment.pdf, Trend Micro, 2015.
[8] A. Terai, S. Abe, S. Kojima, Y. Takano and I. Koshijima, "Cyber-Attack Detection for Industrial Control System Monitoring with Support Vector Machine based on Communication Profile", S4CIP'17, 2017.
[9] MITRE Corporation, "Structured Threat Information eXpression (STIX™) 1.x Archive Website", https://stixproject.github.io/, 2017.
[10] US-CERT, "Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors", https://www.us-cert.gov/ncas/alerts/TA17-293A, US-CERT.
[11] US-CERT, "Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors", https://www.us-cert.gov/ncas/alerts/TA18-074A, US-CERT.
[12] D. Hentunen and A. Tikkanen, "Havex Hunts For ICS/SCADA Systems", https://www.fsecure.com/weblog/archives/00002718.html, F-Secure, 2014.