3,246 research outputs found

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

    Spatiotemporal patterns and predictability of cyberattacks

    A relatively unexplored issue in cybersecurity science and engineering is whether there exist intrinsic patterns of cyberattacks. Conventional wisdom favors absence of such patterns due to the overwhelming complexity of the modern cyberspace. Surprisingly, through a detailed analysis of an extensive data set that records the time-dependent frequencies of attacks over a relatively wide range of consecutive IP addresses, we successfully uncover intrinsic spatiotemporal patterns underlying cyberattacks, where the term "spatio" refers to the IP address space. In particular, we focus on analyzing macroscopic properties of the attack traffic flows and identify two main patterns with distinct spatiotemporal characteristics: deterministic and stochastic. Strikingly, there are very few sets of major attackers committing almost all the attacks, since their attack "fingerprints" and target selection scheme can be unequivocally identified according to the very limited number of unique spatiotemporal characteristics, each of which only exists on a consecutive IP region and differs significantly from the others. We utilize a number of quantitative measures, including the flux-fluctuation law, the Markov state transition probability matrix, and predictability measures, to characterize the attack patterns in a comprehensive manner. A general finding is that the attack patterns possess high degrees of predictability, potentially paving the way to anticipating and, consequently, mitigating or even preventing large-scale cyberattacks using macroscopic approaches

    Autonomic Parameter Tuning of Anomaly-Based IDSs: an SSH Case Study

    Anomaly-based intrusion detection systems classify network traffic instances by comparing them with a model of the normal network behavior. To be effective, such systems are expected to precisely detect intrusions (high true positive rate) while limiting the number of false alarms (low false positive rate). However, there exists a natural trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing any false alarms). The parameters of a detection system play a central role in this trade-off, since they determine how responsive the system is to an intrusion attempt. Despite the importance of properly tuning the system parameters, the literature has put little emphasis on the topic, and the task of adjusting such parameters is usually left to the expertise of the system manager or expert IT personnel. In this paper, we present an autonomic approach for tuning the parameters of anomaly-based intrusion detection systems in case of SSH traffic. We propose a procedure that aims to automatically tune the system parameters and, by doing so, to optimize the system performance. We validate our approach by testing it on a flow-based probabilistic detection system for the detection of SSH attacks

    Spatiotemporal Patterns and Predictability of Cyberattacks

    Y.C.L. was supported by Air Force Office of Scientific Research (AFOSR) under grant no. FA9550-10-1-0083 and Army Research Office (ARO) under grant no. W911NF-14-1-0504. S.X. was supported by Army Research Office (ARO) under grant no. W911NF-13-1-0141. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript. Peer reviewed. Publisher PD

    Forecast, observation and modelling of a deep stratospheric intrusion event over Europe

    A wide range of measurements was carried out in central and southeastern Europe within the framework of the EU-project STACCATO (Influence of Stratosphere-Troposphere Exchange in a Changing Climate on Atmospheric Transport and Oxidation Capacity) with the principal goal to create a comprehensive data set on stratospheric air intrusions into the troposphere along a rather frequently observed pathway over central Europe from the North Sea to the Mediterranean Sea. The measurements were based on predictions by suitable quasi-operational trajectory calculations using ECMWF forecast data. A predicted deep Stratosphere to Troposphere Transport (STT) event, encountered during the STACCATO period on 20-21 June 2001, could be followed by the measurements network almost from its inception. Observations provide evidence that the intrusion affected large parts of central and southeastern Europe. Especially, the ozone lidar observations on 20-21 June 2001 at Garmisch-Partenkirchen, Germany captured the evolution of two marked tongues of high ozone with the first one reaching almost a height of 2 km, thus providing an excellent data set for model intercomparisons and validation. In addition, for the first time to our knowledge concurrent measurements of the cosmogenic radionuclides ¹⁰Be and ⁷Be and their ratio ¹⁰Be/⁷Be are presented together as stratospheric tracers in a case study of a stratospheric intrusion. The ozone tracer columns calculated with the FLEXPART model were found to be in good agreement with water vapour satellite images, capturing the evolution of the observed dry streamers of stratospheric origin. Furthermore, the time-height cross section of ozone tracer simulated with FLEXPART over Garmisch-Partenkirchen captures with many details the evolution of the two observed high-ozone filaments measured with the IFU lidar, thus demonstrating the considerable progress in model simulations.
Finally, the modelled ozone (operationally available since October 1999) from the ECMWF (European Centre for Medium-Range Weather Forecasts) atmospheric model is shown to be in very good agreement with the observations during this case study, which provides the first successful validation of a chemical tracer that is used operationally in a weather forecast model. This suggests that coupling chemistry and weather forecast models may significantly improve both weather and chemical forecasts in the future

    Generalized inattentional blindness from a Global Workspace perspective

    We apply Baars' Global Workspace model of consciousness to inattentional blindness, using the groupoid network method of Stewart et al. to explore modular structures defined by information measures associated with cognitive process. Internal cross-talk breaks the fundamental groupoid symmetry, and, if sufficiently strong, creates, in a highly punctuated manner, a linked, shifting, giant component which instantiates the global workspace of consciousness. Embedding, exterior, information sources act as an external field which breaks the groupoid symmetry in a somewhat different manner, defining the slowly-acting contexts of Baars' theory and providing topological constraints on the manifestations of consciousness. This analysis significantly extends recent mathematical treatments of the global workspace, and identifies a shifting, topologically-determined syntactical and grammatical 'bottleneck' as a tunable rate distortion manifold which constrains what sensory or other signals can be brought to conscious attention, typically in a punctuated manner. Sensations outside the limits of that filter's syntactic 'bandpass' have lower probability of detection, regardless of their structure, accounting for generalized forms of inattentional blindness