
    Closing the loop of SIEM analysis to Secure Critical Infrastructures

    Critical Infrastructure Protection is one of the main challenges of recent years. Security Information and Event Management (SIEM) systems are widely used for coping with this challenge. However, they currently present several limitations that have to be overcome. In this paper we propose an enhanced SIEM system in which we have introduced novel components to i) enable multiple-layer data analysis; ii) resolve conflicts among security policies and discover unauthorized data paths, so that network devices can be reconfigured accordingly. Furthermore, the system is enriched by a Resilient Event Storage that ensures the integrity and unforgeability of stored events. Comment: EDCC-2014, BIG4CIP-2014, Security Information and Event Management, Decision Support System, Hydroelectric Da

    A novel security information and event management system for enhancing cyber security in a hydroelectric dam

    Security information and event management (SIEM) systems are increasingly used to cope with the security challenges involved in critical infrastructure protection. However, these systems have several limitations. This paper describes an enhanced security information and event management system that (i) resolves conflicts between security policies; (ii) discovers unauthorized network data paths and appropriately reconfigures network devices; and (iii) provides an intrusion- and fault-tolerant storage system that ensures the integrity and non-forgeability of stored events. The performance of the enhanced system is demonstrated using a case study involving a hydroelectric dam. The case study considers an attack model that affects portions of the information technology infrastructure of the hydroelectric dam and demonstrates that the security information and event management system successfully detects and responds to the attacks.

    An Intrusion and Fault Tolerant Forensic Storage for a SIEM System

    Current Security Information and Event Management (SIEM) solutions lack a data storage facility that is secure enough to be used for forensic purposes, i.e. one in which stored events related to security incidents cannot be forged and are always available. The forensic storage used by current SIEM solutions relies on the traditional RSA algorithm to sign security events. In this paper we analyze the limits of current forensic storages and propose an architecture for forensic storage, implementing a threshold-based variant of the RSA algorithm, that outperforms state-of-the-art SIEM solutions in terms of intrusion and fault tolerance. We show by experiments that our forensic storage works correctly even in the presence of cyber-attacks, although with a performance penalty. We also conduct an experimental campaign to evaluate the performance cost of the proposed scheme as a function of the threshold.

    A GPS Spoofing Resilient WAMS for Smart Grid

    Smart grids provide efficiency in energy distribution, easy identification of disturbance sources, and fault prediction. To achieve these benefits, continuous monitoring of voltage and current phasors must be performed. Phasor Measurement Units (PMUs) measure these phasors. A Wide Area Measurement System uses PMUs placed in different locations to assess the status of the power grid. To correctly analyze the phasors provided by PMUs, all phasors must refer to the same time reference. For this reason each PMU uses the clock provided by a GPS receiver. The GPS receiver is vulnerable to spoofing attacks and is a single point of failure. In this context we examine the Network Time Protocol (NTP) as an alternative time source for use when the GPS receiver is compromised. In this paper a resilient architecture is proposed that is able to detect and react to GPS spoofing attacks. Experimental tests have shown the effectiveness of our solution.

    A resilient architecture for forensic storage of events in critical infrastructures

    In Critical Infrastructures, forensic analysis of stored events is an essential task when a security breach occurs. The goal of forensic analysis is to provide evidence that can be used as valid proof in a legal proceeding. It is therefore very important to ensure the integrity of the stored events in order to perform a correct forensic analysis. Today, most of the SIEMs used to protect Critical Infrastructures sign security events with the classic RSA algorithm in order to ensure their integrity. The signed security events cannot be admitted as evidence if the secret key is compromised, or when the module responsible for signing operations is down for any reason. In this paper a new architecture that overcomes these limitations is proposed. Experimental tests show the performance of our architecture and its high resilience in faulty situations, i.e. when some nodes are under attack.

    Boceprevir or telaprevir in hepatitis C virus chronic infection: The Italian real life experience

    AIM: To check the safety and efficacy of boceprevir/telaprevir with peginterferon/ribavirin for hepatitis C virus (HCV) genotype 1 in real-world settings. METHODS: This study was a non-randomized, observational, prospective, multicenter study involving 47 centers in Italy. A database was prepared for the homogeneous collection of the data, was used by all of the centers for data collection, and was updated continuously. All of the patients enrolled in this study were older than 18 years of age and were diagnosed with chronic infection due to HCV genotype 1. HCV RNA testing was performed using COBAS-TaqMan2.0 (Roche, LLQ 25 IU/mL). RESULTS: All consecutively treated patients were included. Forty-seven centers enrolled 834 patients as follows: male 64%; median age 57 (range 18-78), of whom 18.3% were over 65; mean body mass index 25.6 (range 16-39); genotype 1b (79.4%); diagnosis of cirrhosis (38.2%); and fibrosis F3/4 (71.2%). The following drugs were used: telaprevir (66.2%) and PEG-IFN-alpha2a (67.6%). Patients were naïve (24.4%), relapsers (30.5%), partial responders (14.8%) and null responders (30.3%). Overall, adverse events (AEs) occurred in 617 patients (73.9%) during the treatment. Anemia was the most frequent AE (52.9% of cases), especially in cirrhotic patients. The therapy was stopped for 14.6% of the patients because of adverse events or virological failure (15%). Sustained virological response was achieved in 62.7% of the cases, but was 43.8% in cirrhotic patients over 65 years of age. CONCLUSION: In everyday practice, triple therapy is safe but has moderate efficacy, especially for patients over 65 years of age with advanced fibrosis who were nonresponders to peginterferon + ribavirin.