Transcript Decision Support System

“Real
time Monitoring and
Control of Hydroelectric
Dam”
Partecipanti:
• UNIPARTHENOPE
• POLITO
• CNR
Overview
• Goal of the paper
• Proposed architecture
– Correlator
– GET
– Decision Support System
• Policy Conflict Resolution
• Reachability Analysis
– Resilient event storage
• Misuse case
• Conclusion and Future Work
Obiettivo del lavoro rispetto a
TENACE
1. Description of an enhanced SIEM (Security
Information and Event Management) system
with the introduction of novel components.
• The proposed SIEM will be validated on a
critical infrastructure scenario, namely a
Hydroelectric Dam.
– In particular, we described a misuse case that
mimics an attack to a DAM.
Architettura Proposta
• GET Component: an advanced security information and event collector
enabling multiple layer data analysis on SIEM frameworks;
• a Decision Support System that allows both to:
• Resolve policy conflicts;
• analyze and control IT networks by allowing to discover
unauthorized data paths and perform automatic re-configuration of
network devices;
• a Resilient Event Storage to ensure integrity and unforgeability of alarms
even in the case of attack against its components.
GET
• generate security events by observing multiple layer
data from the sources in the monitored infrastructure.
• The most relevant sources are physical sensors, logical
access events, physical access events, network systems
and logs from networked applications.
• Tranlstate such events into a common format which is
suitable for the central Correlator engine of the SIEM
and for the Decision Support System.
• preprocess data in the collection points and detects
anomalies in the cyber-physical systems (e.g.
anomalies in the measured parameters).
Correlator
• The Correlator analyzes the GET events in order to discover known
attack sequences, i.e. sequences encoded through schematic rules
and stored in the rule database of the SIEM.
• Correlator engine is a software component that allows to detect
specific attacks signatures (security event sequences) within the
event flow received.
1.
2.
3.
When an attack signature is matched, the Correlator generates an
alarm.
The alarm generated contains also information about the events
that generated it.
Alarm generation through Correlator is performed in order to
improve the accuracy of incident diagnosis and allow better
response procedures.
• The Correlator shows few semantically richer alarms in the face of
the huge number of events coming from single sensors.
How the correlator works
(brute force attack example)
The well-known attacks signatures are defined through the {\em correlation rules}.
In particular, a correlation rule describes a relation between some information
contained in the fields of events gathered in order to identify an attack. An
example of correlation rule that can be used, for example, to discover a brute-force
attack.
Decision Support System (DSS)
• DSS has two functionalities:
– Policy Conflict resolution
– Reachability analysis
DSS for Policy conflict resolution
• Once the Correlator reveals an attack, some
countermeasures have to be taken in order to
preserve the system against a such attack.
• Countermeaseures act according to specific
policy describing the reaction to an event.
• It can be the case that differnt policies are
active at the same time.
• This can lead to the occurence of conflict.
Analitich Hierarchy Process
• The Analytic Hierarchy Process (AHP) is a multi-criteria
decision making technique, which has been largely
used in several fields of study.
• Given a decision problem, where several different
alternatives can be chosen to reach a goal (solve the
conflict), AHP returns the most relevant alternative
(which policy wins the conflict)with respect to a set of
previously established criteria and subcriteria.
• Practically, the AHP approach is to subdivide a
complex problem into a set of sub-problems, criteria
(element of a policy) and subcriteria (attribute), and
then to compute thesolution by properly merging the
various local solutions for eachsub-problem.
DSS for reachability
• Goal: discover unauthorized traffic
– caused by misconfigurations or attacks
• network reachability approach
– which hosts reach a set of services
• high level policies to define network behavior
• runtime comparison between
– generated rules: provided by refinement process
– deployed rules: installed on firewalls
• event-based reaction, e.g.,
– security issue: modify firewall rules to enforce a policy
– non-enforceability: install a filtering control to enforce a policy
• inference rules to manage:
– workflow (refinement + reachability analysis)
– events and reaction/remediation
DSS architecture
Network Policies
<subject> reach <object>
<subject>: e.g., IT Admins
<object>: e.g., h1.service1
System description
hosts, IP addresses,
services (ports, protocols),
network topology
Events
anomaly (i.e., firewall rule is
more restrictive than policy)
security issue (i.e., unauthorized
traffic)
Decisions and Remediation
e.g., modify firewall rules, add a
new firewall (with corresponding
rules) to enforce the policy
Resielience event Storage
• Resilient Event Storage (RES) system is an infrastructure
designed:
– to be tolerant to faults and intrusions;
– to generate signed records containing alarms/events related to
security breaches;
– to ensure the integrity and unforgeability of alarms/events
stored.
• The RES fault and intrusion tolerant capability makes it
able to correctly create secure signed records even when
some components of the architecture are compromised.
• Presented yesterday by Cesario Di Sarno
(Uniparthenope)
Case study
•
•
•
•
A wrong configuration: a data path exists that allows an user in the 'visualization
station' to re-write the sensor firmware.
An unsatisfied employee: he/she discovers this vulnerability and he/she want to
exploit it to perform a serious attack to the hydroelectric dam.
Thus, he/she obtains the administrator credentials and logs in to the control
machine in the 'control station' and manage the gate of the penstock.
The attack is performed in two steps:
– 1) from 'visualization station', an unsatisfied employee performs a reprogramming of the
sensor that measures the water flow rate in the penstock. In particular a constant water flow
rate value is sent to the control center in order to deceive the operator/a threshold control
system;
– 2) the unsatisfied employee enters in the 'control station' using its own badge (RFID),
performs a login with administrator privileges, sends a command to open the gate and runs
away.
•
•
The operator or the classic control system cannot detect the attack because the
sensor always transmits a normal water flow rate value. Instead the turbine spins
as faster as higher the water flow rate is. Also, the electric power generated and
injected in the power grid increases.
This attack finishes when the electric power generated overcomes a security
threshold. In that case the transmission line connected to the generator is
overloaded and a blackout is likely to occur.
Conclusion and Future Work
• Starting from different expertise, we have
proposed a framework able to manage
emergency in a power grid scenario.
• We have presented the components we add for
enhancing a SIEM system.
• We show the application of the proposed
framework in a real scenario
• Future Works
– Setup of the system
– Validation of the whole system on the presented case
study.
Thanks you!