A Graphical Adversarial Risk Analysis Model for Oil and Gas Drilling Cybersecurity

Oil and gas drilling is based, increasingly, on operational technology, whose cybersecurity is complicated by several challenges. We propose a graphical model for cybersecurity risk assessment based on Adversarial Risk Analysis to face those challenges. We also provide an example of the model in the context of an offshore drilling rig. The proposed model provides a more formal and comprehensive analysis of risks, still using the standard business language based on decisions, risks, and value.Comment: In Proceedings GraMSec 2014, arXiv:1404.163

Detection techniques in operational technology infrastructure

In previous decades, cyber-attacks have not been considered a threat to critical infrastructure. However, as the Information Technology (IT) and Operational Technology (OT) domains converge, the vulnerability of OT infrastructure is being exploited. Nation-states, cyber criminals and hacktivists are moving to benefit from economic and political gains. The OT network, i.e. Industrial Control System (ICS) is referred to within OT infrastructure as Supervisory Control and Data Acquisition (SCADA). SCADA systems were introduced primarily to optimise the data transfer within OT network infrastructure. The introduction of SCADA can be traced back to the 1960’s, a time where cyber-attacks were not considered. Hence SCADA networks and associated systems are highly vulnerable to cyber-attacks which can ultimately result in catastrophic events. Historically, when deployed, intrusion detection systems in converged IT/OT networks are deployed and monitor the IT side of the network. While academic research into OT specific intrusion detection is not a new direction, application to real systems are few and lack the contextual information required to make intrusion detection systems actionable. This paper provides an overview of cyber security in OT SCADA networks. Through evaluating the historical development of OT systems and protocols, a range of current issues caused by the IT/OT convergence is presented. A number of publicly disclosed SCADA vulnerabilities are outlined, in addition to approaches for detecting attacks in OT networks. The paper concludes with a discussion of what the future of interconnected OT systems should entail, and the potential risks of continuing with an insecure design philosophy

Advanced Threat Intelligence: Interpretation of Anomalous Behavior in Ubiquitous Kernel Processes

Targeted attacks on digital infrastructures are a rising threat against the confidentiality, integrity, and availability of both IT systems and sensitive data. With the emergence of advanced persistent threats (APTs), identifying and understanding such attacks has become an increasingly difficult task. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. This thesis presents a multi-stage system able to detect and classify anomalous behavior within a user session by observing and analyzing ubiquitous kernel processes. Application candidates suitable for monitoring are initially selected through an adapted sentiment mining process using a score based on the log likelihood ratio (LLR). For transparent anomaly detection within a corpus of associated events, the author utilizes star structures, a bipartite representation designed to approximate the edit distance between graphs. Templates describing nominal behavior are generated automatically and are used for the computation of both an anomaly score and a report containing all deviating events. The extracted anomalies are classified using the Random Forest (RF) and Support Vector Machine (SVM) algorithms. Ultimately, the newly labeled patterns are mapped to a dedicated APT attacker–defender model that considers objectives, actions, actors, as well as assets, thereby bridging the gap between attack indicators and detailed threat semantics. This enables both risk assessment and decision support for mitigating targeted attacks. Results show that the prototype system is capable of identifying 99.8% of all star structure anomalies as benign or malicious. In multi-class scenarios that seek to associate each anomaly with a distinct attack pattern belonging to a particular APT stage we achieve a solid accuracy of 95.7%. Furthermore, we demonstrate that 88.3% of observed attacks could be identified by analyzing and classifying a single ubiquitous Windows process for a mere 10 seconds, thereby eliminating the necessity to monitor each and every (unknown) application running on a system. With its semantic take on threat detection and classification, the proposed system offers a formal as well as technical solution to an information security challenge of great significance.The financial support by the Christian Doppler Research Association, the Austrian Federal Ministry for Digital and Economic Affairs, and the National Foundation for Research, Technology and Development is gratefully acknowledged