
CDIS
Conceção e Desenvolvimento de Infraestruturas Seguras
(Design and Development of Secure Infrastructures)

Intrusion Detection for ICS

CDIS UNICV 2023 © Paulo Simões


Cyber Detection Layer for ICS
(a practical perspective)

This section is largely based on materials from the CockpitCI European
Research Project: https://cockpitci.itrust.lu/


The CockpitCI cyber-detection layer

The CockpitCI project includes a cyber analysis and detection layer that must
work as a soft real-time distributed monitoring system and Perimeter
Intrusion Detection System (Perimeter IDS).

It must be able to develop and deploy detection agents to monitor the
potential cyber threats according to the types of networks (SCADA, IP…) and
corresponding devices.

[Figure: CockpitCI Risk Prediction Tool fed by the Perimeter IDS and by
external sources (topology, policies, inventories, etc.) through interfaces;
the Perimeter IDS comprises detection agents, adaptors and field agents
(network probes, honeypots...) covering legacy sources and RTUs.]
A generic probing architecture

Builds on a distributed infrastructure that aggregates several probing and
monitoring points, working together in close coordination to provide the
surveillance capabilities for the security platform, deployed on three security
zones:

IT Network, Operations Network, Field Network.

[Figure: IT Network (IT workstations with HIDS (OSSEC), NIDS attached to a
monitoring port / bridged link); Operations Network (Master Stations 1..N and
HMI clients with HIDS (OSSEC), NIDS, HoneyPot); Field Network (RTU 1..N with
Shadow RTUs, sensors/actuators, NIDS, Fieldbus Honeypot).]


A generic probing architecture

This multi-zone topology provides a contextual approach to the problem of
probe placement. It has two purposes:

• To separate different infrastructure contexts, for which different detection
and analysis/inference strategies might apply.

• To provide well-defined security perimeters between zones, which are
critical for mediation mechanisms that inspect and control the information
flows between them.


CockpitCI Cyber Analysis and Detection


Intrusion detection strategies


CockpitCI Analysis Architecture

Objective: to develop solutions for automatic intrusion detection and alarm
generation for SCADA system protection.

Two complementary approaches for intrusion detection:

• Machine-learning and pattern analysis/recognition algorithms.
• Rule-based correlation techniques together with topology and
system-specific detection mechanisms.

While it is impossible to perform security analysis tasks within a real-time
processing timeframe, this architecture provides "soft real-time" behaviour
that is more compatible with both the nature of the threats and the
capabilities of the detection mechanisms.

Attacks, rather than instantaneous events, comprise operations executed
within a finite time window. Effective reaction must therefore depend on a
careful analysis of the nature of the attack, but also on planning the
response itself, which depends on both field-gathered intelligence and
modeling/simulation.


IDS via machine learning

Machine learning techniques have the capability to:
• Gather knowledge about the data
• Make predictions about new data based on the knowledge gained from
previous data

Malicious users attack SCADA system vulnerabilities by using a sequence of
events.
• These events result in characteristics that are defined by attack patterns.

ML techniques analyse these events to detect patterns that would reflect
possible threats, enabling detection of both known and unknown (novel)
attacks without any requirement of prior knowledge.
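As an added illustration (not material from the CockpitCI project or from this course), the following Python example shows the two phases described on this slide in their simplest statistical form: a learning phase that profiles, per host and Modbus function, how many requests per minute are normal, and a detection phase that flags both a host/function pair never seen in the baseline (novel behaviour) and a known pair whose request rate is a statistical outlier. The host names, function names and traffic counts are constructed for the example, and the z-score rule is a stand-in for the project's own learning algorithms, not a description of them.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# One observation = (minute bucket, requesting host, Modbus function name).
# Constructed schema for this example, not a format used by the project.
Observation = Tuple[int, str, str]
Profile = Dict[Tuple[str, str], Tuple[float, float]]


def learn_profile(training: Iterable[Observation]) -> Profile:
    """Learning phase: for every (host, function) pair seen in the baseline,
    the mean and standard deviation of requests per minute."""
    per_key: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    minutes = set()
    for minute, host, func in training:
        per_key[(host, func)][minute] += 1
        minutes.add(minute)
    profile: Profile = {}
    for key, by_minute in per_key.items():
        counts = [by_minute.get(m, 0) for m in minutes]  # silent minutes count as zero
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        profile[key] = (mean, math.sqrt(var))
    return profile


def detect(profile: Profile, window: Iterable[Observation],
           z_threshold: float = 3.0) -> List[dict]:
    """Detection phase over one minute of new traffic: flag pairs the baseline
    never saw (novel behaviour) and pairs whose rate is a statistical outlier."""
    alerts = []
    for (host, func), count in Counter((h, f) for _, h, f in window).items():
        if (host, func) not in profile:
            alerts.append({"host": host, "function": func, "count": count,
                           "reason": "never_seen_in_baseline"})
            continue
        mean, std = profile[(host, func)]
        if std == 0.0:
            # perfectly regular in the baseline: any change at all is a deviation
            z = 0.0 if count == mean else math.inf
        else:
            z = (count - mean) / std
        if abs(z) > z_threshold:
            alerts.append({"host": host, "function": func, "count": count,
                           "expected": round(mean, 2), "reason": "rate_outlier"})
    return alerts


def make_training_data() -> List[Observation]:
    """Constructed baseline: 10 minutes of an HMI polling 5-7 times a minute
    and writing one setpoint per minute."""
    data: List[Observation] = []
    for minute in range(10):
        data += [(minute, "hmi", "read_holding_registers")] * (5 + minute % 3)
        data += [(minute, "hmi", "write_single_register")]
    return data


# Constructed test minute: the HMI polls 40 times and a host never seen
# before issues a multi-register write.
SAMPLE_WINDOW: List[Observation] = (
    [(10, "hmi", "read_holding_registers")] * 40
    + [(10, "hmi", "write_single_register")]
    + [(10, "eng-laptop", "write_multiple_registers")]
)
```

Running `detect(learn_profile(make_training_data()), SAMPLE_WINDOW)` yields two alerts: a rate outlier for the HMI's polling burst and a never-seen pair for the engineering laptop. The zero-variance branch matters in ICS traffic, where many request patterns are perfectly periodic and a plain z-score would divide by zero.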


Topology and system-specific information
for cyber analysis

• Using topology information within detection and analysis mechanisms is
a useful resource, especially in SCADA systems, where the role and
behaviour of each system component is more consistent over time than on
other types of networks.
• This consistency of system components makes the knowledge held in
system-specific sources more valuable: topology databases, policy
databases and trust-based mechanisms, as well as strategically placed
honeypots. Correlating this knowledge provides a clearer understanding of
security incidents.
• Correlation is, in fact, a key feature of the analysis layer, providing
a powerful capability to process events from the detection agents in a
distributed and scalable fashion.


Event correlation

• Event or alert correlation defines a set of procedures applied to a large
number of events in order to extract those that are really useful.
• It is a procedure in which a stream of events is processed in order to
detect (and act on) certain event groups that occur within predefined time
windows.
• These techniques are used in the security analysis to parse events from
several sources, such as multiple IDSs, honeypots, networks, hosts and
other security mechanisms.
• The process aims at making intrusion detection more accurate, efficient
and manageable, in order to generate a global overview of the current
security status of the network.

The event correlation process can be summarized into five main steps:
normalization, pre-processing, event fusion and reduction,
verification/masking and root cause analysis (traceback and/or path
reconstitution).
Two-level correlation

The two-level correlation approach implicitly incorporates contextual
knowledge about the network topology, while improving scalability:

• Local correlators collect events from sensors or agents and process
alerts. Each local correlator behaves distinctively according to its
network zone, allowing problems specific to that zone to be detected.
• The main correlator is focused on Multi-Step and Attack Focus
Recognition correlation. Due to its global view of the SCADA
infrastructure, the main correlator provides a way of detecting network
traversal attacks.

SEC and Esper are some of the available correlation tools for this purpose.
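The following Python sketch is an added example, not CockpitCI code, of the five-step process of the previous slide and the two-level scheme of this one: normalization of three sensor formats into one event schema, fusion/reduction of repeated events within a time window, one local correlator per zone with a zone-specific rule (in the field zone a single honeypot contact is enough, since a decoy has no legitimate clients), and a main correlator that recognizes a source raising alerts in successively deeper zones (network traversal). The sensor field names, zone names, thresholds and sample events are all constructed assumptions.

```python
# Two-level event correlation over constructed sensor events (added example).
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ZONES = ("it", "operations", "field")  # security zones, outer to inner


@dataclass(frozen=True)
class Event:
    ts: float      # seconds
    zone: str
    sensor: str    # nids / hids / honeypot
    src_ip: str
    kind: str      # normalized event type


def normalize(raw: dict) -> Event:
    """Step 1 (normalization): each sensor type uses its own field names (assumed here)."""
    s = raw["sensor"]
    if s == "nids":
        return Event(raw["time"], raw["zone"], s, raw["src"], raw["sig"])
    if s == "hids":
        return Event(raw["time"], raw["zone"], s, raw["srcip"], raw["rule"])
    if s == "honeypot":
        return Event(raw["time"], raw["zone"], s, raw["peer"], raw["event"])
    raise ValueError(f"unknown sensor type {s!r}")


def fuse(events: List[Event], window: float) -> Dict[Event, int]:
    """Steps 2-3 (pre-processing, fusion/reduction): repeats of the same event from
    the same source within `window` seconds collapse into one record with a count."""
    fused: Dict[Event, int] = {}
    first_of_burst: Dict[tuple, Event] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.zone, ev.sensor, ev.src_ip, ev.kind)
        head = first_of_burst.get(key)
        if head is not None and ev.ts - head.ts <= window:
            fused[head] += 1
        else:
            fused[ev] = 1
            first_of_burst[key] = ev
    return fused


class LocalCorrelator:
    """One instance per zone; its rule reflects what is normal in that zone."""

    def __init__(self, zone: str, window: float):
        self.zone, self.window = zone, window

    def process(self, fused: Dict[Event, int]) -> List[dict]:
        by_src: Dict[str, List[Tuple[Event, int]]] = defaultdict(list)
        for ev, count in fused.items():
            if ev.zone == self.zone:
                by_src[ev.src_ip].append((ev, count))
        alerts = []
        for src_ip, items in by_src.items():
            items.sort(key=lambda x: x[0].ts)
            sensors = {ev.sensor for ev, _ in items}
            span = items[-1][0].ts - items[0][0].ts
            # generic rule: two different sensor types see the same source inside the window
            multi = len(sensors) >= 2 and span <= self.window
            # field-zone rule: the honeypot has no legitimate clients, one contact is enough
            decoy = self.zone == "field" and "honeypot" in sensors
            if multi or decoy:
                alerts.append({"zone": self.zone, "src_ip": src_ip, "ts": items[0][0].ts,
                               "sensors": sorted(sensors), "events": sum(c for _, c in items)})
        return alerts


class MainCorrelator:
    """Global view: the same source raising alerts in successively deeper zones."""

    def __init__(self, window: float):
        self.window = window

    def process(self, alerts: List[dict]) -> List[dict]:
        by_src: Dict[str, List[dict]] = defaultdict(list)
        for a in alerts:
            by_src[a["src_ip"]].append(a)
        out = []
        for src_ip, items in by_src.items():
            items.sort(key=lambda a: a["ts"])
            depth = [ZONES.index(a["zone"]) for a in items]
            deeper = len(set(depth)) >= 2 and depth == sorted(depth)
            if deeper and items[-1]["ts"] - items[0]["ts"] <= self.window:
                out.append({"type": "network_traversal", "src_ip": src_ip,
                            "path": [a["zone"] for a in items]})
        return out


# Constructed sample: one source probing the IT zone, then the operations zone,
# then touching the field honeypot; plus one benign single-sensor source.
SAMPLE_RAW_EVENTS = [
    {"sensor": "nids", "zone": "it", "time": 0.0, "src": "10.0.0.5", "sig": "portscan"},
    {"sensor": "nids", "zone": "it", "time": 1.0, "src": "10.0.0.5", "sig": "portscan"},
    {"sensor": "nids", "zone": "it", "time": 2.0, "src": "10.0.0.5", "sig": "portscan"},
    {"sensor": "hids", "zone": "it", "time": 5.0, "srcip": "10.0.0.5", "rule": "ssh_bruteforce"},
    {"sensor": "nids", "zone": "operations", "time": 70.0, "src": "10.0.0.5", "sig": "portscan"},
    {"sensor": "honeypot", "zone": "operations", "time": 75.0, "peer": "10.0.0.5", "event": "tcp_connect"},
    {"sensor": "nids", "zone": "operations", "time": 80.0, "src": "192.168.1.20", "sig": "modbus_read"},
    {"sensor": "honeypot", "zone": "field", "time": 120.0, "peer": "10.0.0.5", "event": "modbus_write"},
]


def run_pipeline(raw_events: List[dict]):
    """Normalize -> fuse -> per-zone local correlation -> main correlation."""
    fused = fuse([normalize(r) for r in raw_events], window=10.0)
    local_alerts = []
    for zone in ZONES:
        local_alerts += LocalCorrelator(zone, window=30.0).process(fused)
    return fused, local_alerts, MainCorrelator(window=300.0).process(local_alerts)
```

With the sample above, `run_pipeline(SAMPLE_RAW_EVENTS)` reduces eight raw events to six, raises one local alert per zone for 10.0.0.5 (and none for the single-sensor source in the operations zone) and one global network-traversal alert with the path it → operations → field.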


Specialized probes: the SCADA Honeypot

Fieldbus honeypot

A simple device that is deployed on a field network of a SCADA/ICS system,
coexisting with other devices, while being able to behave like a PLC, acting
as a decoy and reporting any suspicious activity to the analysis layers.

The physical network interface for event and device management will be
placed on an OOB (Out Of Band) channel.

By emulating the behavior and service footprint of a commercial PLC, the
fieldbus honeypot is able to persuade an attacker that it is a worthwhile
target.


Specialized probes: the SCADA Honeypot

Fieldbus honeypot

A prototype was built using a simple, low-cost, Linux-based SBC system,
embedding a Modbus emulator and real implementations of services commonly
found on modern PLCs (SNMP, FTP, etc.).

Events are generated and locally preprocessed (lightweight tasks only)
before being sent to the analysis layer.

[Figure: Modbus honeypot architecture. The Modbus API, FTPD and SNMPD
services, a port-scan detector and a watchdog feed an event pipeline
(assembly, reducer, filter) whose output goes through the event transmitter
and event monitor to the Field Network Security Event Correlator, the
firewall and the management platform; a honeypot frontend interface exposes
the decoy to the field network.]
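To make the honeypot's event pipeline concrete, here is an added Python example (not the prototype's code) that parses Modbus/TCP frames as a decoy PLC would receive them, turns each frame into an event ranked by how suspicious it is on a device that has no legitimate clients (a read, a write, an undefined function code, a frame whose length field contradicts the bytes received) and performs the lightweight local reduction the slide mentions by merging repeated identical events from one peer before they leave for the analysis layer. The peer addresses and frames are constructed sample data; the severity labels are an assumption of this example.

```python
import struct
from typing import List, Optional, Tuple

# Public Modbus function codes a decoy PLC is likely to see (subset).
FUNCTION_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    8: "diagnostics", 15: "write_multiple_coils", 16: "write_multiple_registers",
    43: "encapsulated_interface_transport",
}
WRITE_CODES = {5, 6, 15, 16}


def parse_mbap(frame: bytes) -> Optional[dict]:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Returns None when the header is inconsistent with the bytes received."""
    if len(frame) < 8:  # header plus at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # protocol id is always 0; length counts unit id + PDU, so it must equal len(frame) - 6
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def classify(peer: str, frame: bytes) -> dict:
    """Turn one received frame into an event. Any traffic to a decoy is worth
    reporting; writes and malformed frames are ranked higher (assumed scale)."""
    pdu = parse_mbap(frame)
    if pdu is None:
        return {"peer": peer, "kind": "malformed_frame", "severity": "medium"}
    fc = pdu["fc"]
    if fc in WRITE_CODES:
        return {"peer": peer, "kind": FUNCTION_NAMES[fc], "severity": "high"}
    if fc in FUNCTION_NAMES:
        return {"peer": peer, "kind": FUNCTION_NAMES[fc], "severity": "notice"}
    return {"peer": peer, "kind": f"unknown_function_{fc}", "severity": "medium"}


def reduce_events(events: List[dict]) -> List[dict]:
    """Lightweight local pre-processing: merge consecutive identical events from
    the same peer into one record with a count, so a polling loop does not
    flood the analysis layer."""
    out: List[dict] = []
    for ev in events:
        if out and all(out[-1][k] == ev[k] for k in ("peer", "kind", "severity")):
            out[-1]["count"] += 1
        else:
            out.append(dict(ev, count=1))
    return out


def honeypot_events(observations: List[Tuple[str, bytes]]) -> List[dict]:
    """Pipeline: classify each (peer, frame) observation, then reduce locally."""
    return reduce_events([classify(peer, frame) for peer, frame in observations])


# Constructed sample traffic (hex Modbus/TCP frames), not a real capture.
SAMPLE_OBSERVATIONS = [
    ("10.1.1.7", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # read 10 holding registers
    ("10.1.1.7", bytes.fromhex("0002 0000 0006 01 03 0000 000a")),
    ("10.1.1.7", bytes.fromhex("0003 0000 0006 01 03 0000 000a")),
    ("10.1.1.7", bytes.fromhex("0004 0000 0006 01 06 0001 00ff")),  # write single register
    ("10.1.1.9", bytes.fromhex("0005 0000 0010 01 03")),            # length field contradicts frame
    ("10.1.1.9", bytes.fromhex("0006 0000 0002 01 5a")),            # undefined function code 0x5a
]
```

`honeypot_events(SAMPLE_OBSERVATIONS)` returns four records: the three reads from 10.1.1.7 merged into one with count 3, the write ranked high, and two medium events for the malformed frame and the undefined function code from 10.1.1.9. The length check in `parse_mbap` is what keeps a truncated or padded frame from being misread as a valid request.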


Detection layer component integration

[Figure: in each security zone (IT Network, Operations Network, Field
Network) the NIDS, HIDS and Honeypot probes publish to a zone Event Broker,
which feeds the zone's OCSVM anomaly detector and Local Correlator. A further
Event Broker forwards the zone-level results to the Main Correlator, whose
events reach the Security Management Platform.]


Is this approach enough?!

• It aligns with the best industry practices from 5-6 years ago.

• Most of the industry is probably still working around these principles.

• However, as we take Industrial IoT and virtualization technologies to ICS
systems (virtual networks, software-defined networks, virtualized servers
and even virtualized PLCs) we can take advantage of novel opportunities.


(Additional)
Security challenges of modern ICS


When ICS meets IoT

Over recent years, control and sensor systems used for ICS have become more
complex, due to the increasing number of interconnected distributed devices,
sensors and actuators.

Such components have also often become widely dispersed in the field. This
is the case for micro-generation (wire-to-water generation, solar or wind),
smart metering, oil and gas distribution or smart water management, among
others.

This industrial IoT (Internet of Things)-centric ICS paradigm expands the
infrastructure boundaries well beyond the single or aggregated-plant,
mono-operator vision (mostly associated with geographically constrained
system topologies).


Some say the problem was only for legacy equipment! Seems not…

https://www.theregister.co.uk/2015/05/11/smart_grid_security_worse_than_we_thought/

https://www.darkreading.com/perimeter/smart-meter-hack-shuts-off-the-lights/d/d-id/1316242?

Read the paper at: https://eprint.iacr.org/2015/428.pdf
What do you get when you marry ICS with IoT?

ICS + IoT = IACS (Industrial Automation and Control Systems)

IACS is now the term adopted by the ISA-99 committee responsible for the
ISA/IEC 62443 standards:
https://www.isa.org/isa99/
http://isawilldupage.org/wp-content/uploads/How-can-I-use-ISA_IEC-62443-to-minimize-risk.pdf
(more on this later today)

IACS are also a fundamental component of the Industry 4.0 paradigm.

Some of the key security issues added by modern IACS:

• Scale, capillarity, dynamics, virtualization, more than SCADA


Less bounded scale

Even without visionary IoT scenarios, modern IACS such as energy smart grids
have significantly increased in scale and complexity when compared with
classic energy networks, leading to the progressive adoption of distributed
processing and big data paradigms.

Moreover, periphery subsystems are no longer isolated from multiple points
of view: logical, physical, administrative...


Modern ICS are not monolithic
capillarity, dynamics

Modern ICS are dispersed over large geographic areas, with increasingly
small areas of coverage as we progress towards their periphery: capillarity.

Moreover, scale and capillarity are also matched with increased dynamics:
changes in the control infrastructure are more frequent and less
planned/controlled.

This distribution makes it difficult not only to understand the nature of
incidents, but also to assess their progression and threat profile.

Reacting and defending against those threats is becoming increasingly
difficult.

This requires orchestrated and collaborative distributed detection,
evaluation and reaction capabilities well beyond previous practices.


Modern ICS are not monolithic
The role(s) played by virtualization

The effects of the trend towards virtualization on IACS are manifold:

• Virtualization of Level 4 and Level 3 computing resources (servers)

• Virtualization and softwarization of the networks (soon reaching Level 1):
VPNs (remote access, interconnecting field networks), VLANs,
Software-Defined Networks.

• Future (ongoing?) virtualization of Level 2 and Level 1 devices
(HMIs, PLCs, RTUs, industrial IoT devices)

IACS virtualization is both a risk and an opportunity.


[BTW/side note…]
Can we really virtualize the PLC?

Isn't the PLC intrinsically "physical"?


[BTW/side note…]
Can we really virtualize the PLC?

…and still comply with the real-time requirements envelope?

What if you manage to decouple I/O from the other functions?

T. Cruz, P. Simões and E. Monteiro, "Virtualizing Programmable Logic Controllers: Toward a
Convergent Approach," IEEE Embedded Systems Letters, 2016.
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7564414&isnumber=7738317


What do standards tell us?


ISA/IEC 62443 (former ISA99)
Main industry reference for IACS security practices

You may check the slides about IEC 62443 standards, from Dan DesRuisseaux,
that are available on Moodle (CDIS.T.3.1_IEC-62443.pdf)



An example of a security awareness
framework for IACS – H2020 ATENA



Distributed Security Awareness within ATENA
The Intrusion and Anomaly Detection System (IADS)

Objective of the European Research Project ATENA:

To develop solutions and components for distributed anomaly detection and
risk assessment, geared towards modern IACS.

https://www.atena-h2020.eu/


Distributed Security Awareness within ATENA

[Figure: ATENA tools (Orchestrator (ORCH), Composer (COMP), Mitigation Module
(MM), Risk Predictor (RP), Vulnerability Management System (VMS), Risk
Analysis Tool (RANT), Assets Management Module (AMNG), Adaptors (ADP),
Intrusion and Anomaly Detection System (IADS), Operator GUI(s); partner
tags ROMA3, CRAT, ITRUST, LEONARDO, COIMBRA) arranged in an offline/slow
control loop and an online/fast control loop, with interfaces to the
CERT/CSIRT, the CI management team and the critical infrastructure and IACS:
SCADA control center with historian DB, SCADA remote sites with PLCs and CI
processes, distributed probes, network controller and Smart Extension (SE).]
Moving beyond conventional approaches
(such as those from CockpitCI)

Evolve the existing Security Information and Event Management (SIEM)
systems model.

Big Data approach for event and alarm handling:
• Classic correlator-based SIEM gives way to Big Data SIEM

Introduction of Software-Defined Networks (SDN)

Introduction of forensics and compliance auditing

New probes / attacks

Event correlation + anomaly detection, locally and globally

Machine learning at I/O level (Shadow Security Unit)


ATENA IADS Subsystem Architecture



Adopting Big Data paradigms for handling scale



Software-Defined Networking (SDN) support

SDN integration:
• Centralized network view
• Granular security
• Network flexibility (programmability)
• Program the network by writing control programs
• Add new features to the network on demand
• Standard API with OpenFlow (southbound interface)
• Offers an elegant solution for dealing with multi-tenancy.

Why may multi-tenancy become relevant for IACS?


Leveraging SDN for probe deployment

Use of SDN and NFV paradigms to provide service support for components of
the proposed architecture.

SDN as a way of avoiding network monitoring contention:
conventional switch monitoring-port techniques can fill the capacity of the
redirecting links, and new links can be cumbersome to set up.

Using SDN, when a monitoring link reaches its capacity, additional
monitoring links can be set up.

Multiple (virtual) instances of a probe can be quickly deployed and linked
to strategic points of the network.


SDN and NFV-enabled Service Support



SDN-enabled Service Support
SDN high level architecture

Figure 5.16 presents the high level architecture of the SDN subsystem of IADS. It is
composed mainly of 4 components: a management web-interface, a distributed control plane,
the field network and the virtualization infrastructure. The domain processor (see section
4.1) is responsible for receiving events produced within the SDN sub-system. However, its
definition is out of the scope of this thesis.

Figure 5.16: IADS SDN high level architecture


SDN-enabled Service Support
Distributed control plane node architecture

The control plane is composed of a cluster of SDN controller nodes containing a set of
specially crafted applications. Those applications enforce the goal of the control plane.
The virtualization infrastructure represents the NFV domain. The management web-interface is
responsible for providing a global administration interface to the whole platform: this
includes the control plane, the underlying network, the virtual infrastructure as well as any
other component in the IADS platform.
The architecture of each control plane node is presented in Figure 5.17.

Figure 5.17: Distributed control plane node architecture
A few SDN-enabled applications

• Software-based data diode

• Virtualized NIDS
(e.g. instant deployment of a virtualized and scalable SNORT service
for a specific network link or specific network flows)

• vHoneypot
(instant deployment of virtualized honeypots)


Conclusions and next developments

The Cyber Detection and Analysis Layer departs from the conventional
ICT IDS paradigm to offer a complete solution for ICS cyber-security.

This solution was designed to scale and to be flexible, while providing
consolidated management and orchestration features.

It integrates diversified detection agents, implementing new techniques
but also known approaches introduced for the first time in such contexts.

It is able to detect both known and rogue threats, thanks to the use of
analysis strategies based on machine learning and rule-based techniques.