A collaborative cyber incident management system for European interconnected critical infrastructures

https://doi.org/10.1016/j.jisa.2016.05.005

Abstract

Today's Industrial Control Systems (ICSs) operating in critical infrastructures (CIs) are becoming increasingly complex; moreover, they are extensively interconnected with corporate information systems for cost-efficient monitoring, management and maintenance. This exposes ICSs to modern advanced cyber threats. Existing security solutions try to prevent, detect, and react to cyber threats by employing security measures that typically do not cross the organization's boundaries. However, novel targeted multi-stage attacks such as Advanced Persistent Threats (APTs) take advantage of the interdependency between organizations. By exploiting vulnerabilities of various systems, APT campaigns intrude into several organizations and use them as stepping stones to reach the target infrastructure. A coordinated effort to reveal such attacks in time and promptly deploy mitigation measures is therefore required. Organizations need to cooperatively exchange security-relevant information to obtain a broader knowledge of the current cyber threat landscape, gain new insight into their own infrastructures and react in time when necessary. Cyber security operation centers (SOCs), in the role foreseen by the European NIS directive, are being established worldwide to achieve this goal. CI providers are asked to report to the responsible SOCs about security issues revealed in their networks. National SOCs correlate all the gathered data, analyze it and provide support and mitigation strategies to the affiliated organizations. Although many of these tasks can be automated, human involvement is still necessary to enable SOCs to adequately take decisions on occurring incidents and quickly implement counteractions. In this paper we present a collaborative approach to cyber incident information management for gaining situational awareness on interconnected European CIs.
We provide a scenario and an illustrative use-case for our approach; we propose a system architecture for a National SOC, defining the functional components and interfaces it comprises. We further describe the functionalities provided by the different system components to support SOC operators in performing incident management tasks.

Introduction

Industrial control systems are increasingly affected by multi-stage targeted cyber attacks such as Stuxnet, Duqu, and Flame. These Advanced Persistent Threat (APT) campaigns aim at taking control of one specific organization's infrastructure by intruding multiple dependent organizations used as stepping stones to reach the actual target (see Tankard, 2011). To combat this type of threat, CI providers need to protect their business by employing security mechanisms that do not exclusively make use of information collected from their own systems, but additionally gather relevant observations shared among federated organizations, or publicly available.

Information sharing is becoming essential in cyber defense. Recently issued regulatory directives such as those from the European Commission (2016) and from the White House (2013), and technical recommendations (e.g., ENISA, 2013a and NIST, 2014), clearly demand the establishment of technologies and procedures for cyber security information sharing with the purpose of revealing modern cyber attacks and mitigating their effects in time. Sharing relevant incident information and threat intelligence among SOCs enables a greater knowledge of the current cyber security situation of federated organizations' infrastructures, and facilitates the detection of covert large-scale cyber attacks and new malware.

Analysis of shared incident information is crucial in attempting to recognize, within an organization's infrastructure, the presence of a threat that has already been detected in other cooperating organizations (as proposed by Hernandez-Ardieta et al., 2013, Dacey, 2003, and Denise and James, 2015). Organizations under attack benefit from the analysis and correlation of solutions previously adopted by others to resolve the same or similar issues. Analysis is also essential in order to achieve scalability and efficiency in incident handling. In fact, in the proposed hierarchical approach, incident analysis performed at national and international level allows SOC operators to have a quick overview of the current cyber security situation of all the monitored CIs on the national territory, and to properly derive suitable countermeasures in case of a threat.

The presented work is carried out within the framework of the EU-FP7 research project ECOSSIAN. In the ECOSSIAN project we propose a pan-European three-layered approach (introduced in Kaufmann et al., 2014) to protect CIs by detecting cyber incidents and generating and distributing early warnings in time to the potentially affected infrastructures. As depicted in Fig. 1 we foresee three types of SOCs: Organization SOC (O-SOC), National SOC (N-SOC), and European SOC (E-SOC).

At O-SOC level organizations deploy multiple sensors and tools for intrusion and threat detection, and report to N-SOCs about incidents that might have cross-organizational relevance. There are several different types of information which O-SOCs share with their respective N-SOC. Data generated by sensors at O-SOC level can be automatically forwarded to the N-SOC acquisition module; security-relevant information (such as incidents, vulnerabilities, observations, etc.) obtained by analyzing locally detected anomalies is instead reported manually by O-SOC operators.

N-SOCs are deployed by European member states joining the ECOSSIAN network; they are responsible for gaining cyber situational awareness on the network of national critical infrastructures. Here cyber intelligence is acquired by analyzing information gathered from different data sources such as reporting O-SOCs, federated N-SOCs, and publicly available sources. Cyber incident information aggregation, correlation, classification and analysis are the main functionalities provided at this level. Once the evaluation of analysis results is concluded, mitigation steps, advisories, or early warnings are sent back to the reporting and other involved O-SOCs.

At the highest level the E-SOC performs analysis of strategic information shared by the different N-SOCs and distributes advisories to targeted lower level SOCs. The E-SOC identifies supranational attack campaigns and provides a pan-European view to the member states and to the connected European bodies of relevance (e.g., Europol, ENISA, CERTs, etc.).
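To make the N-SOC's cross-organizational correlation step concrete, the following Python is an added example written for this page; it is not code from the paper or from the ECOSSIAN project. It assumes a toy trust model (a manually vetted operator report weighted 1.0, an automatically forwarded sensor hit 0.6), a constructed set of O-SOC reports using RFC 5737 documentation addresses and invented hashes and domains, and a constructed sector membership list; every organization name, indicator and weight is an assumption for illustration. It shows what the paragraph above describes in words: an indicator that looks like noise inside one organization becomes a campaign signal once two O-SOCs report it, and the N-SOC can then warn the members of the affected sectors that have not yet reported it themselves.

```python
"""Added example: trust-weighted cross-O-SOC indicator correlation at an N-SOC.
Illustrative only; the trust weights, organizations and indicators are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    org: str               # reporting O-SOC
    source: str            # "sensor" (forwarded automatically) or "operator" (manual)
    indicators: frozenset  # observables seen locally: IPs, hashes, domains


# Assumed trust model: a vetted operator report counts more than a raw sensor hit.
SOURCE_TRUST = {"operator": 1.0, "sensor": 0.6}

# Constructed membership list: national CI sector of each affiliated O-SOC.
MEMBERS = {"WGN": "gas", "NordGas": "gas", "EnergyCo": "energy", "RailOps": "transport"}

# Constructed O-SOC reports (documentation-range IPs, invented hash and domain).
REPORTS = [
    Report("WGN", "sensor", frozenset({"198.51.100.7", "sha256:0f3ac1d2"})),
    Report("EnergyCo", "operator", frozenset({"198.51.100.7", "update.example.net"})),
    Report("RailOps", "sensor", frozenset({"203.0.113.9"})),
]


def correlate(reports, min_orgs=2):
    """Indicators reported by at least `min_orgs` distinct organizations.
    Returns {indicator: (sorted reporting orgs, trust-weighted score)}.
    Each (org, indicator) pair is counted once, so a re-submitted report
    cannot inflate the score."""
    orgs_by_ioc = defaultdict(set)
    score = defaultdict(float)
    counted = set()
    for r in reports:
        for ioc in r.indicators:
            if (r.org, ioc) in counted:
                continue
            counted.add((r.org, ioc))
            orgs_by_ioc[ioc].add(r.org)
            score[ioc] += SOURCE_TRUST[r.source]
    return {ioc: (sorted(orgs), round(score[ioc], 2))
            for ioc, orgs in orgs_by_ioc.items() if len(orgs) >= min_orgs}


def early_warnings(hits, members):
    """For each shared indicator, the member O-SOCs in an affected sector that
    have not reported it themselves and should receive an early warning."""
    warnings = {}
    for ioc, (reporters, _score) in hits.items():
        sectors = {members[o] for o in reporters}
        warnings[ioc] = sorted(o for o, s in members.items()
                               if s in sectors and o not in reporters)
    return warnings


if __name__ == "__main__":
    hits = correlate(REPORTS)
    for ioc, (reporters, score) in hits.items():
        print(f"{ioc}: seen by {reporters}, trust-weighted score {score}")
    print("early warnings:", early_warnings(hits, MEMBERS))
```

Run as-is, the only indicator crossing the two-organization threshold is the address seen by both the gas and the energy operator; the warning list contains just NordGas, the gas-sector member that has not reported it. Lowering `min_orgs` to 1 turns the function into a plain per-organization inventory, which is the view a single O-SOC already has.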

In our previous paper (Settanni et al., 2015) we introduced a blueprint for a pan-European cyber incident analysis system. Fig. 2 depicts the diagram of the revised system architecture for an N-SOC introduced in that work. The system is composed of a number of functional blocks performing a series of operations that follow the stages indicated by the arrows.

Diverse sorts of data are imported and sanitized in the Acquisition functional block, which employs advanced data collection and data fusion techniques to guarantee high-speed importing. These data are then prepared and prioritized, according to reputation and trust models, during the Processing phase. A feature extraction algorithm Aggregates the collected data and allows the Analysis engine to examine it and compare it with previously handled resources securely stored in the knowledge base. The Evaluation functional block allows operators to obtain cyber situational awareness by assessing the analysis results and deriving the root cause of the reported incidents. Impact Analysis based on a detailed CI interdependency model is then carried out, and Mitigation steps are derived from it. The whole incident handling process is organized by a work-flow Manager and is supported by a Visualization framework that promptly displays relevant information to the operators throughout the different stages of the process.

The whole incident management process is supervised by human operators, security managers and expert teams who are responsible for critical decision making tasks.

Secure connections are established to import incident reports and threat data from other SOCs or public sources, to export intelligence and mitigation strategies to O-SOCs, and to exchange relevant information with third-party organizations. These operations are performed through the Interconnection functional blocks, which include a secure gateway and deploy advanced encryption methods. Ad-hoc informal information exchange between operators of different SOCs is performed through the Collaboration functional block, which provides several instant communication mechanisms. In order to facilitate maintenance tasks and auditing processes, every component employs advanced logging capabilities and forwards log messages to the central Secure Data Storage.

In this article we extend our previous work by:

  • Outlining an extensive use-case for the proposed pan-European incident management system;

  • Providing a comprehensive description of the N-SOC architectural components previously defined;

  • Introducing the operational processes which an N-SOC should deploy in order to effectively operate and support the affiliated O-SOCs, manage cyber incidents and promptly respond to national threats.

The remainder of the paper is structured as follows: in Section 2 we review state of the art and related work addressing cyber incident analysis and management. In Section 3 we illustrate a plausible use-case to demonstrate the application of our approach. Section 4 describes the processes of data collection, data fusion and information sharing among the ECOSSIAN SOCs. In Section 5 we introduce a collaborative incident analysis engine, we describe the theoretical model it relies on and the system components it is composed of. In Section 6 the process of evaluating the analysis results is discussed along with the visualization functionality, provided by the ECOSSIAN system, which supports the operators in achieving national situational awareness. Section 7 deals with impact analysis and derivation of mitigation steps for the analyzed incidents. We conclude the paper in Section 8 with remarks and future work.

Section snippets

Related work

The directive issued by the European Commission (2016) requires all the European Member States to adopt national Network and Information Security (NIS) strategies; it also lays down obligations for the Member States to designate national competent authorities, single points of contact and CSIRTs ("Computer Security Incident Response Teams") with tasks related to the security of networks and information systems. Additionally, the directive demands the creation of cooperation groups to facilitate the

Use case

Let us consider the scenario of an attack targeting gas distribution infrastructures in Europe, in particular the one operated by Wonderland Gas Networks (WGN), a fictitious critical infrastructure provider.

Data collection and cross-SOC information exchange

In this section we provide a comprehensive description of the tasks carried out in the Interconnection, Acquisition and Processing functional blocks depicted in Fig. 2. We focus on the mechanisms and techniques adopted by ECOSSIAN N-SOCs to perform secure and high-performance data collection, data fusion, and exchange of information with other SOCs and external entities. Data collection, fusion and sharing are critical functions which the ECOSSIAN system relies on. In particular they are

Feature extraction and collaborative incident analysis

Once incident data are collected, sanitized and prioritized at N-SOC according to the methods described in the previous section, data Aggregation and incident Analysis phases are executed. CAESAIR: a Cooperative Analysis Engine for Situational Awareness & Incident Response is the component responsible for these functions. In this section we give first a theoretical description of CAESAIR's model, then we provide details on the architectural components and their functionalities.

CAESAIR gathers

Gaining national situational awareness

In this section we describe how an incident report is handled by the Evaluation functional block to extract the impact severity as declared by the targeted CI and consolidated by the Analysis functional block. Moreover, we outline the main features provided by the Visualization component, which supports the N-SOC operators during the evaluation phase and helps them gain situational awareness.

Incident mitigation

In this section we outline the methodologies an N-SOC employs in order to perform Impact Analysis on national level, and to derive appropriate Mitigation strategies for incidents reported by the connected O-SOCs.
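The impact analysis and mitigation derivation outlined above can be sketched as a worst-case propagation of the declared severity over a CI interdependency graph. The Python below is an added example written for this page, not the paper's model or the ECOSSIAN implementation; the topology, the dependency weights, the severity scale in [0, 1] and the 0.5 advisory threshold are all constructed assumptions. The example deliberately includes a cyclic dependency (the power plant needs gas, the gas compressors need power), which a naive recursive walk would loop on; because every edge weight is at most 1, an impact value can never grow along a cycle, so a best-first search settles each infrastructure at its maximum and terminates.

```python
"""Added example: severity propagation over a CI interdependency graph and
derivation of an advisory list. Topology, weights and threshold are constructed."""
import heapq

# Constructed interdependency model: provider -> [(dependent CI, dependency strength 0..1)].
# The Powerplant_A -> WGN_gas edge makes the graph cyclic on purpose (compressors need power).
DEPENDENCIES = {
    "WGN_gas": [("Powerplant_A", 0.8), ("District_heating", 0.9)],
    "Powerplant_A": [("Hospital_B", 0.7), ("Rail_signalling", 0.5), ("WGN_gas", 0.6)],
    "District_heating": [("Hospital_B", 0.3)],
    "Hospital_B": [],
    "Rail_signalling": [],
}


def propagate(graph, origin, severity):
    """Worst-case (maximum over all paths) impact on every CI reachable from `origin`.
    The impact along a path is the declared severity multiplied by the edge weights.
    Dijkstra-style best-first search on the negated impact: a node is settled the
    first time it is popped, and since weights <= 1 no later path can beat it."""
    severity = min(max(float(severity), 0.0), 1.0)   # clamp the declared severity
    best = {origin: severity}
    heap = [(-severity, origin)]
    settled = set()
    while heap:
        neg, node = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        for dep, weight in graph.get(node, []):
            cand = -neg * weight
            if cand > best.get(dep, 0.0):
                best[dep] = cand
                heapq.heappush(heap, (-cand, dep))
    return {ci: round(v, 3) for ci, v in best.items()}


def prioritize(impacts, origin, threshold=0.5):
    """Downstream CIs whose estimated impact reaches the advisory threshold,
    highest impact first; the reporting CI already knows it is hit and is excluded."""
    return sorted(((ci, v) for ci, v in impacts.items() if ci != origin and v >= threshold),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    impacts = propagate(DEPENDENCIES, "WGN_gas", 1.0)
    for ci, v in sorted(impacts.items(), key=lambda kv: -kv[1]):
        print(f"{ci:18s} estimated impact {v}")
    print("advise, in order:", prioritize(impacts, "WGN_gas"))
```

With the gas operator declaring full severity, the hospital is reached over two paths (via the power plant and via district heating) and keeps the larger value; the rail signalling system stays below the threshold and would receive an informational notice rather than an advisory. Replacing the max-over-paths rule with a sum would over-count the hospital whenever its two suppliers are themselves dependent on the same origin, which is exactly the situation an interdependency model exists to capture.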

Conclusion and future work

In this paper we presented a model for national comprehensive cross-organizational cyber incident management for critical infrastructures. It is aligned to a great extent with the measures required in the NIS directive issued by the European Commission (2016), to ensure a high common level of network and information security across the Union. We illustrated a realistic use case for our approach and we described the main functional blocks the system's architecture is composed of.

Our work is the

Acknowledgments

This work was partly funded by the European Union FP7 project ECOSSIAN (607577).

References (42)

  • F. Skopik et al. Modeling and mining of dynamic trust in complex service-oriented systems. Inf Syst (2010)
  • C. Tankard. Advanced persistent threats and how to monitor and deter them. Netw Secur (2011)
  • I. Ahmed et al. SCADA systems: challenges for forensic investigators. Comput (2012)
  • J. Bethencourt et al. Ciphertext-policy attribute-based encryption
  • I. Bloch. Information combination operators for data fusion: a comparative review with classification. IEEE Trans Syst Man Cybern A Syst Humans (1996)
  • R. Chandia et al. Security strategies for SCADA networks
  • R. Dacey. Homeland security: information sharing responsibilities, challenges, and key management issues
  • Z. Denise et al. Cyber threat information sharing (2015)
  • ENISA. A step-by-step approach on how to set up a CSIRT (2010)
  • ENISA. Detect, share, protect (2013)
  • ENISA. Incident taxonomy (2013)
  • ENISA. Incident handling automation project (2015)
  • ENISA. Methodologies for the identification of critical information infrastructure assets and services (2015)
  • European Commission. Proposal for a directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union
  • G.G. Granadillo et al. Considering technical and financial impact in the selection of security countermeasures against advanced persistent threats (2015)
  • D.L. Hall et al. An introduction to multisensor data fusion. Proc IEEE (1997)
  • J.L. Hernandez-Ardieta et al. Information sharing models for cooperative cyber defence
  • IBM. Combat the latest security attacks with global threat intelligence (2013)
  • ICS-CERT. Targeted cyber intrusion detection and mitigation strategies (2013)
  • IEC/TR. Industrial communication networks — network and system security — part 3-1: security technologies for industrial automation and control systems (2009)
  • G. Jakobson. Mission cyber security situation assessment using impact dependency graphs