Exploring security controls for ICS/SCADA environments

Trabalho de projeto de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2020Os Sistemas de Controlo Industriais (ICS) estão a começar a fundir-se com as soluções de IT, por forma a promover a interconectividade. Embora isto traga inúmeros benefícios de uma perspetiva de controlo, os ICS apresentam uma falta de mecanismos de segurança que consigam evitar possíveis ameaças informáticas, quando comparados aos comuns sistemas de informação [29], [64]. Dada a natureza crítica destes sistemas, e a ocorrências recentes de ciberataques desastrosos, a segurança ´e um tópico que deve ser incentivado. À luz deste problema, na presente dissertação apresentamos uma avaliação de possíveis aplicações e controlos de segurança a serem implantados nestes ambientes críticos e a implementação de uma solução de segurança extensível que dá resposta a certos ataques focados em sistemas industriais, capaz de ser implantada em qualquer rede industrial que permita a sua ligação. Com o auxilio de uma framework extensivel e portátil para testes de ICS, e outros ambientes industriais de testes, foi possível analisar diferentes cenários de ameaças, implantar mecanismos de segurança para os detetar e avaliar os resultados, com o intuito de fornecer uma ideia de como empregar estes mecanismos da melhor maneira possível num ambiente real de controlo industrial.Industrial Control Systems (ICS) are beginning to merge with IT solutions, in order to promote inter-connectivity. Although this brings countless benefits from a control perspective, ICS have been lacking in security mechanisms to ward off potential cyber threats, when compared to common information systems [29], [64]. Given the critical nature of these systems, and the recent occurrences of disastrous cyber-attacks, security is a topic that should be encouraged. In light of this problem, in this dissertation we present an assessment of possible security applications and controls that can be deployed in these critical environments and the implementation of an extensible security solution that responds to certain attacks focused on industrial systems, capable of being deployed in any industrial network that allows its connection. With the help of an extensible and portable framework for ICS testing, and other industrial testing environments, it was possible to analyze different threat scenarios, implement security mechanisms to detect them and evaluate the results in order to provide an idea on how to employ these mechanisms as best as possible in a real industrial control environment, without compromising it’s process

A stacked autoencoder-based convolutional and recurrent deep neural network for detecting cyberattacks in interconnected power control systems

n/

Detection of network anomalies and novel attacks in the internet via statistical network traffic separation and normality prediction

With the advent and the explosive growth of the global Internet and the electronic commerce environment, adaptive/automatic network and service anomaly detection is fast gaining critical research and practical importance. If the next generation of network technology is to operate beyond the levels of current networks, it will require a set of well-designed tools for its management that will provide the capability of dynamically and reliably identifying network anomalies. Early detection of network anomalies and performance degradations is a key to rapid fault recovery and robust networking, and has been receiving increasing attention lately. In this dissertation we present a network anomaly detection methodology, which relies on the analysis of network traffic and the characterization of the dynamic statistical properties of traffic normality, in order to accurately and timely detect network anomalies. Anomaly detection is based on the concept that perturbations of normal behavior suggest the presence of anomalies, faults, attacks etc. This methodology can be uniformly applied in order to detect network attacks, especially in cases where novel attacks are present and the nature of the intrusion is unknown. Specifically, in order to provide an accurate identification of the normal network traffic behavior, we first develop an anomaly-tolerant non-stationary traffic prediction technique, which is capable of removing both pulse and continuous anomalies. Furthermore we introduce and design dynamic thresholds, and based on them we define adaptive anomaly violation conditions, as a combined function of both the magnitude and duration of the traffic deviations. Numerical results are presented that demonstrate the operational effectiveness and efficiency of the proposed approach, under different anomaly traffic scenarios and attacks, such as mail-bombing and UDP flooding attacks. In order to improve the prediction accuracy of the statistical network traffic normality, especially in cases where high burstiness is present, we propose, study and analyze a new network traffic prediction methodology, based on the frequency domain traffic analysis and filtering, with the objective_of enhancing the network anomaly detection capabilities. Our approach is based on the observation that the various network traffic components, are better identified, represented and isolated in the frequency domain. As a result, the traffic can be effectively separated into a baseline component, that includes most of the low frequency traffic and presents low burstiness, and the short-term traffic that includes the most dynamic part. The baseline traffic is a mean non-stationary periodic time series, and the Extended Resource-Allocating Network (BRAN) methodology is used for its accurate prediction. The short-term traffic is shown to be a time-dependent series, and the Autoregressive Moving Average (ARMA) model is proposed to be used for the accurate prediction of this component. Furthermore, it is demonstrated that the proposed enhanced traffic prediction strategy can be combined with the use of dynamic thresholds and adaptive anomaly violation conditions, in order to improve the network anomaly detection effectiveness. The performance evaluation of the proposed overall strategy, in terms of the achievable network traffic prediction accuracy and anomaly detection capability, and the corresponding numerical results demonstrate and quantify the significant improvements that can be achieved

Detection and Localization of Faults in a Regional Power Grid

The structure of power flows in transmission grids is evolving and is likely to change significantly in the coming years due to the rapid growth of renewable energy generation that introduces randomness and bidirectional power flows. Another transformative aspect is the increasing penetration of various smart-meter technologies. Inexpensive measurement devices can be placed at practically any component of the grid. Using model data reflecting smart-meter measurements, we propose a two-stage procedure for detecting a fault in a regional power grid. In the first stage, a fault is detected in real time. In the second stage, the faulted line is identified with a negligible delay. The approach uses only the voltage modulus measured at buses (nodes of the grid) as the input. Our method does not require prior knowledge of the fault type. The method is fully implemented in  R. Pseudo code and complete mathematical formulas are provided

Environmental Baseline Monitoring Project. Phase II, final report

This report is submitted in compliance with the conditions set out in the grant awarded to the British Geological Survey (BGS), for the period April 2016 – March 2017, to support the jointly-funded project "Science-based environmental baseline monitoring". It presents the results of monitoring and/or measurement and preliminary interpretation of these data to characterise the baseline environmental conditions in the Vale of Pickering, North Yorkshire and for air quality, the Fylde in Lancashire ahead of any shale gas development. The two areas where the monitoring is taking place have seen, during the project, planning applications approved for the exploration for shale gas and hydraulic fracturing. It is widely recognised that there is a need for good environmental baseline data and establishment of effective monitoring protocols ahead of any shale gas/oil development. This monitoring will enable future changes that may occur as a result of industrial activity to be identified and differentiated from other natural and man-made changes that are influencing the baseline. Continued monitoring will then enable any deviations from the baseline, should they occur, to be identified and investigated independently to determine the possible causes, sources and significance to the environment and public health. The absence of such data in the United States has undermined public confidence, led to major controversy and inability to identify and effectively deal with impact/contamination where it has occurred. A key aim of this work is to avoid a similar situation and the independent monitoring being carried out as part of this project provides an opportunity to develop robust environmental baseline for the two study areas and monitoring procedures, and share experience that is applicable to the wider UK situation. This work is internationally unique and comprises an inter-disciplinary researcher-led programme that is developing, testing and implementing monitoring methodologies to enable future environmental changes to be detected at a local scale (individual site) as well as across a wider area, e.g. ‘shale gas play’ where cumulative impacts may be significant. The monitoring includes: water quality (groundwater and surface water), seismicity, ground motion, soil gas, atmospheric composition (greenhouse gases and air quality) and radon in air. Recent scientific and other commissioned studies have highlighted that credible and transparent monitoring is key to gaining public acceptance and providing the evidence base to demonstrate the industry’s impact on the environment and importantly on public health. As a result, BGS and its partners initiated in early 2015, a co-ordinated programme of environmental monitoring in Lancashire that was then extended to the Vale of Pickering in North Yorkshire after the Secretary of State for Energy and Climate Change (BEIS) awarded a grant to the British Geological Survey (BGS). The current duration of the grant award is to 31st March 2018. It has so far enabled baseline environmental monitoring for a period of more than 12 months. With hydraulic fracturing of shale gas likely to take place during late 2017/early 2018, the current funding will allow the environmental monitoring to continue during the transition from baseline to monitoring during shale gas operations. This report presents the monitoring results to April 2017 and a preliminary interpretation. A full interpretation is not presented in this report as monitoring is continuing and it is expected that there will be at least six months of additional baseline data before hydraulic fracturing takes place. This represents up to 50% more data for some components of the montoring, and when included in the analysis will significantly improve the characterisation and interpretation of the baseline. In addition to this report, the BGS web site contains further information on the project, near real-time data for some components of the monitoring and links to other projects outputs, e.g. reports and videos (www.bgs.ac.uk/research/groundwater/shaleGas/monitoring/home.html)

Project BeARCAT : Baselining, Automation and Response for CAV Testbed Cyber Security : Connected Vehicle & Infrastructure Security Assessment

Connected, software-based systems are a driver in advancing the technology of transportation systems. Advanced automated and autonomous vehicles, together with electrification, will help reduce congestion, accidents and emissions. Meanwhile, vehicle manufacturers see advanced technology as enhancing their products in a competitive market. However, as many decades of using home and enterprise computer systems have shown, connectivity allows a system to become a target for criminal intentions. Cyber-based threats to any system are a problem; in transportation, there is the added safety implication of dealing with moving vehicles and the passengers within

Studies of Uncertainties in Smart Grid: Wind Power Generation and Wide-Area Communication

This research work investigates the uncertainties in Smart Grid, with special focus on the uncertain wind power generation in wind energy conversion systems (WECSs) and the uncertain wide-area communication in wide-area measurement systems (WAMSs). For the uncertain wind power generation in WECSs, a new wind speed modeling method and an improved WECS control method are proposed, respectively. The modeling method considers the spatial and temporal distributions of wind speed disturbances and deploys a box uncertain set in wind speed models, which is more realistic for practicing engineers. The control method takes maximum power point tracking, wind speed forecasting, and wind turbine dynamics into account, and achieves a balance between power output maximization and operating cost minimization to further improve the overall efficiency of wind power generation. Specifically, through the proposed modeling and control methods, the wind power control problem is developed as a min-max optimal problem and efficiently solved with semi-definite programming. For the uncertain communication delay and communication loss (i.e. data loss) in WAMSs, the corresponding solutions are presented. First, the real-world communication delay is measured and analyzed, and the bounded modeling method for the communication delay is proposed for widearea applications and further applied for system-area and substation-area protection applications, respectively. The proposed bounded modeling method is expected to be an important tool in the planning, design, and operation of time-critical wide-area applications. Second, the real synchronization signal loss and synchrophasor data loss events are measured and analyzed. For the synchronization signal loss, the potential reasons and solutions are explored. For the synchrophasor data loss, a set of estimation methods are presented, including substitution, interpolation, and forecasting. The estimation methods aim to improve the accuracy and availability of WAMSs, and mitigate the effect of communication failure and data loss on wide-area applications