Closing the loop of SIEM analysis to Secure Critical Infrastructures

Critical Infrastructure Protection is one of the main challenges of last years. Security Information and Event Management (SIEM) systems are widely used for coping with this challenge. However, they currently present several limitations that have to be overcome. In this paper we propose an enhanced SIEM system in which we have introduced novel components to i) enable multiple layer data analysis; ii) resolve conflicts among security policies, and discover unauthorized data paths in such a way to be able to reconfigure network devices. Furthermore, the system is enriched by a Resilient Event Storage that ensures integrity and unforgeability of events stored.Comment: EDCC-2014, BIG4CIP-2014, Security Information and Event Management, Decision Support System, Hydroelectric Da

A novel security information and event management system for enhancing cyber security in a hydroelectric dam

Security information and event management (SIEM) systems are increasingly used to cope with the security challenges involved in critical infrastructure protection. However, these systems have several limitations. This paper describes an enhanced security information and event management system that (i) resolves conflicts between security policies; (ii) discovers unauthorized network data paths and appropriately reconfigures network devices; and (iii) provides an intrusion- and fault-tolerant storage system that ensures the integrity and non-forgeability of stored events. The performance of the enhanced system is demonstrated using a case study involving a hydroelectric dam. The case study considers an attack model that affects portions of the information technology infrastructure of the hydroelectric dam and demonstrates that the security information and event management system is successfully able to detect and respond to attacks

An Intrusion and Fault Tolerant Forensic Storage for a SIEM System

Current Security Information and Events Management (SIEM) solutions lack a data storage facility which is secure enough - i.e. stored events related to security incidents cannot be forged and are always available - that it can be used for forensic purposes. Forensic storage used by current SIEM solutions uses traditional RSA algorithm to sign the security events. In this paper we have analyzed the limits of current forensic storages, and we have proposed an architecture for forensic storage, implementing a threshold-based variant of the RSA algorithm, that outperforms state of the art SIEM solutions in terms of intrusion- and fault-tolerance. We show by experiments that our forensic storage works correctly even in the presence of cyber-attacks, although with a performance penalty. We also conduct an experimental campaign to evaluate the performance cost of the proposed scheme as a function of the threshold

A GPS Spoofing Resilient WAMS for Smart Grid

Smart grids provide efficiency in energy distribution, easy identification of disturbance sources, and fault prediction. To achieve these benefits a continuous monitoring of voltage and current phasors must be performed. Phasor Measurement Units (PMUs) allow measurements of the phasors. A Wide Area Measurement System uses PMUs placed in different locations to assess the status of the power grid. To correctly analyze the phasors provided by PMUs, phasors must refer to the same time. For this reason each PMU uses the clock provided by a GPS receiver. GPS receiver is vulnerable to spoofing attack and it is a single point of failure. In this context we examined Network Time Protocol (NTP) as an alternative time source when the GPS receiver is compromised. In this paper a resilient architecture is proposed that is able to detect and react to the GPS spoofing attack. Experimental tests have shown the effectiveness of our solution

A resilient architecture for forensic storage of events in critical infrastructures

In Critical Infrastructures, forensic analysis of stored events is an essential task when a security breach occurs. The goal of forensic analysis is to provide evidence to be used as valid proofs in a legal proceeding. So, it is very important to ensure the integrity of the events stored in order to perform a correct forensic analysis. Today, most of the SIEMs used to protect the Critical Infrastructures sign the security events with RSA classic algorithm in order to ensure their integrity. The signed security events cannot be admissible as evidence if the secret key is compromised, or when the module responsible for signing operations is down for any reason. In this paper a new architecture that overcomes these limitations has been proposed. Experimental tests show the performance of our architecture and the high resilience in faulty situations, i.e. some nodes are under attack