Cyber-Physical Security for Critical Infrastructures Protection - Lecture Notes in Computer Science
Latest Publications


Published By Springer International Publishing

9783030697808, 9783030697815

Author(s): Giorgia Gazzarata, Ernesto Troiano, Luca Verderame, Maurizio Aiello, Ivan Vaccari, ...

Author(s): Federico Stirano, Francesco Lubrano, Giacomo Vitali, Fabrizio Bertone, Giuseppe Varavallo, ...

Abstract: Healthcare is one of the most peculiar among all Critical Infrastructures due to its context and role in society. The characteristics of openness and pervasive usage of IT systems and connected devices make it particularly exposed to both physical threats, such as theft and unauthorized access to restricted areas, and cyber attacks, like the notorious WannaCry ransomware that abruptly disrupted the British National Health System in May 2017. Even the recent COVID-19 pandemic period has been negatively characterized by an increase of both physical and cyber incidents that specifically targeted hospitals and undermined an essential public service like healthcare. Effective security solutions are necessary in order to protect and enhance the resiliency of the Critical Infrastructures. This paper presents the work being developed in the context of the SAFECARE H2020 project, which specifically considers the requirements for security of hospitals. A particular focus is given to the asset management that considers cross-domain aspects of security, like the physical location and virtual connections that link different components of a hospital. This provides advanced knowledge that makes it possible to infer and forewarn of possible elaborate cyber-physical kill chains. This is particularly important and useful during a crisis, as it allows a holistic overview of the status of the hospital and the potential impacts of one or more incidents on the critical assets. The description and simulation of an attack scenario is also given, together with the description of the messages exchanged by the security systems and the information made available to security operators.


Author(s): Omri Soceanu, Allon Adir, Ehud Aharoni, Lev Greenberg, Habtamu Abie
Keyword(s): Big Data

Author(s): Sara Baldoni, Giuseppe Celozzi, Alessandro Neri, Marco Carli, Federica Battisti

Abstract: Cyber physical systems are becoming ubiquitous devices in many fields, thus creating the need for effective security measures. We propose to exploit their intrinsic dependency on the environment in which they are deployed to detect and mitigate anomalies. To do so, sensor measurements, network metrics, and contextual information are fused in a unified security architecture. In this paper, the model of the proposed framework is presented and a first proof of concept involving a telecommunication infrastructure case study is provided.


Author(s): Corinna Köpke, Kushal Srivastava, Louis König, Natalie Miller, Mirjam Fehling-Kaschek, ...

Abstract: The effective protection of critical infrastructure against cyber and physical security threats involves many different steps, from initially the identification of risks to finally the implementation of countermeasures in the infrastructure. To derive countermeasures and to come to intelligent decisions facing the identified risks, the impact calculation plays a central role. The impact of a specific threat can propagate through the systems of the infrastructure and thus needs to be analysed carefully. In this paper, the role of impact propagation of cyber-physical threats for infrastructure protection is discussed, exemplified for airport systems. In the ongoing EU-H2020 project SATIE (Security of Air Transport Infrastructure of Europe), a toolkit is developed containing two tools for impact propagation, namely the Business Impact Assessment (BIA) and the Impact Propagation Simulation (IPS). Both tools are described and, for a small test case, the propagation of a cyber threat and the transformation into a physical threat is demonstrated in a network representation as well as an agent-based model of the airport’s systems employing the IPS.


Author(s): C.-Y. Lin, Simin Nadjm-Tehrani

Abstract: Supervisory Control and Data Acquisition (SCADA) systems control and monitor modern power networks. As attacks targeting SCADA systems are increasing, significant research is conducted to defend SCADA networks, including variations of anomaly detection. Due to the sensitivity of real data, many defence mechanisms have been tested only in small testbeds or emulated traffic that were designed with assumptions on how SCADA systems behave. This work provides a timing characterization of IEC-104 spontaneous traffic and compares the results from emulated traffic and real traffic to verify if the network characteristics appearing in testbeds and emulated traffic coincide with real traffic. Among three verified characteristics, two of them appear in the real dataset but in a less regular way, and one does not appear in the collected real data. The insights from these observations are discussed in terms of presumed differences between emulated and real traffic and how those differences are generated.

