Visualization-Driven Approach to Anomaly Detection in the Movement of Critical Infrastructure

Author(s):
Evgenia Novikova
Ivan Murenin

Sensors
2020
Vol 20 (11)
pp. 3092
Author(s):
Apostolos P. Fournaris
Charis Dimopoulos
Konstantinos Lampropoulos
Odysseas Koufopavlou

Critical infrastructures and their associated real-time information systems need security protection mechanisms that are able to detect and respond to possible attacks. For this reason, Anomaly Detection Systems (ADS), as part of a Security Information and Event Management (SIEM) system, are needed to constantly monitor and identify potential threats inside an Information Technology (IT) system. Typically, an ADS collects information from various sources within a CI system using security sensors or agents and correlates that information so as to identify anomalous events. In a CI setting (factories, power plants, remote locations), however, such sensors may be placed in open areas and left unattended, thus becoming targets of security attacks themselves. They can be tampered with and maliciously manipulated so that they provide false data, which may lead an ADS or SIEM system to misjudge the current security status of the CI. In this paper, we describe existing approaches to security monitoring in critical infrastructures and focus on how to collect security sensor/agent information in a secure and trusted way. We then introduce the concept of hardware-assisted security sensor information collection, which improves the level of trust (by hardware means) and also increases the responsiveness of the sensor. Thus, we propose a Hardware Security Token (HST) that, when connected to a CI host, acts as a secure anchor for security agent information collection. We describe the HST functionality, its association with a host device, its expected role and its log monitoring mechanism. We also describe how security can be established between the host device and the HST. Then, we introduce and describe the host components that need to be in place in order to guarantee a high security level and correct HST functionality.
We also provide a realization and implementation of the overall HST concept on an FPGA SoC evaluation board and describe how the HST implementation can be controlled. In addition, the paper describes two case studies in which the HST has been used in practice and its functionality has been validated (one on a real critical infrastructure test site and another in which a critical industrial infrastructure was emulated in our lab). Finally, results taken from these two case studies are presented, showing actual measurements for in-field HST usage.


Sensors
2018
Vol 18 (8)
pp. 2491
Author(s):
Daniel Ramotsoela
Adnan Abu-Mahfouz
Gerhard Hancke

The increased use of Industrial Wireless Sensor Networks (IWSN) in a variety of different applications, including those that involve critical infrastructure, has meant that adequately protecting these systems has become a necessity. These cyber-physical systems improve the monitoring and control features of these systems but also introduce several security challenges. Intrusion detection is a convenient second line of defence in case of the failure of normal network security protocols. Anomaly detection is a branch of intrusion detection that is resource friendly and provides broader detection generality making it ideal for IWSN applications. These schemes can be used to detect abnormal changes in the environment where IWSNs are deployed. This paper presents a literature survey of the work done in the field in recent years focusing primarily on machine learning techniques. Major research gaps regarding the practical feasibility of these schemes are also identified from surveyed work and critical water infrastructure is discussed as a use case.


Electronics
2020
Vol 9 (8)
pp. 1192
Author(s):
Subin Sapkota
A K M Nuhil Mehdy
Stephen Reese
Hoda Mehrpouyan

Industrial Control Systems (ICS) are used to control physical processes in critical infrastructure. These systems are used in a wide variety of operations such as water treatment, power generation and distribution, and manufacturing. While the safety and security of these systems are of serious concern, recent reports have shown an increase in targeted attacks aimed at manipulating physical processes to cause catastrophic consequences. This trend emphasizes the need for algorithms and tools that provide resilient and smart attack detection mechanisms to protect ICS. In this paper, we propose an anomaly detection framework for ICS based on a deep neural network. The proposed methodology uses dilated convolution and long short-term memory (LSTM) layers to learn temporal as well as long term dependencies within sensor and actuator data in an ICS. The sensor/actuator data are passed through a unique feature engineering pipeline where wavelet transformation is applied to the sensor signals to extract features that are fed into the model. Additionally, this paper explores four variations of supervised deep learning models, as well as an unsupervised support vector machine (SVM) model for this problem. The proposed framework is validated on Secure Water Treatment testbed results. This framework detects more attacks in a shorter period of time than previously published methods.


Author(s):  
Maurilio Pereira Coutinho ◽  
Germano Lambert-Torres ◽  
Luiz Eduardo Borges da Silva ◽  
Horst Lazarek ◽  
Elke Franz

Nowadays, critical infrastructure plays a fundamental role in our modern society. Telecommunication and transportation services, water and electricity supply, and banking and financial services are examples of such infrastructures. They also expose society to security threats. To safeguard against these threats, providers of critical infrastructure services need to maintain the security objectives of their interdependent data networks. As an important part of the electric power system critical infrastructure, Supervisory Control and Data Acquisition (SCADA) systems require protection from a variety of threats, and their network infrastructures are potentially vulnerable to cyber attacks because security has not been part of their design. The diversity and lack of interoperability of the communication protocols also create obstacles for anyone attempting to establish secure communication. In order to improve the security of SCADA systems, anomaly detection can be used to identify corrupted values caused by malicious attacks and injected faults. The aim of this chapter is to present an alternative technique for implementing anomaly detection to monitor electric power systems. The problem is addressed here by the use of rough set theory.


Author(s):  
Apostolos P. Fournaris ◽  
Charalambos Dimopoulos ◽  
Konstantinos Lampropoulos ◽  
Odysseas Koufopavlou

Critical infrastructures and their associated real-time information systems need security protection mechanisms that are able to detect and respond to possible attacks. For this reason, Anomaly Detection Systems (ADS), as part of a Security Information and Event Management (SIEM) system, are needed to constantly monitor and identify potential threats inside an Information Technology (IT) system. Typically, an ADS collects information from various sources within a CI system using security sensors or agents and correlates that information so as to identify anomalous events. In a CI setting (factories, power plants, remote locations), however, such sensors may be placed in open areas and left unattended, thus becoming targets of security attacks themselves. They can be tampered with and maliciously manipulated so that they provide false data, which may lead an ADS or SIEM system to misjudge the current security status of the CI. In this paper, we describe existing approaches to security monitoring in critical infrastructures and focus on how to collect security sensor/agent information in a secure and trusted way. We then introduce the concept of hardware-assisted security sensor information collection, which improves the level of trust (by hardware means) and also increases the responsiveness of the sensor. Thus, we propose a Hardware Security Token (HST) that, when connected to a CI host, acts as a secure anchor for security agent information collection. We describe the HST functionality, its association with a host device, its expected role and its log monitoring mechanism. We also describe how security can be established between the host device and the HST. Then, we introduce and describe the host components that need to be in place in order to guarantee a high security level and correct HST functionality.
We also provide a realization and implementation of the overall HST concept on an FPGA SoC evaluation board and describe how the HST implementation can be controlled. Finally, we provide indicative use case scenarios of how the HST can be used in practice to provide a variety of security services beyond acting as a secure ADS sensor.
