The Role of SIEM in addressing the cyber-security challenges of modern EPES

by Hristo Koshutanski, hristo.koshutanski@atos.net
Atos Research and Innovation, Spain.

Current challenges: In recent years, business demands for remote visibility into industrial operations have led to the convergence of IT and OT systems, creating new vulnerabilities to cyberattacks [1]. Web-based tactics and procedures used against IT systems now put OT systems at risk. Barriers to entry are being breached with increasing frequency [2], making it clear that a new approach to cyber resilience is needed – one that integrates IT and OT security.

The cybersecurity issues are even further elevated in Electrical Power and Energy Systems (EPES), as these are the target of cyber and privacy attacks, data breaches and disruption, given their central role in the connected economy of a given country [3]. This year's news of new malware attacks on ICS/SCADA systems [4], together with the availability of APT tools to carry out such attacks [5], is further evidence of the relevance and pressing need of the ELECTRON project and its CYPER framework technologies.

Figure 1 shows the different types of malware threats for industrial automation systems, as of H2 2021, for some malware families, based on the Kaspersky ICS CERT report [6]. To address the challenges of modern EPES outlined above, the ELECTRON project defines the role of SIEM along the following pillars:

Figure 1: Percentage of ICS computers on which different types of malware were blocked [Source: Kaspersky]

Move to proactive security

This pillar requires early identification of trends and attacks, and of their cascading effects. In particular, it requires extending a SIEM solution to integrate, normalise and correlate a number of AI-driven sensors distributed along the EPES infrastructure, capable of detecting a variety of attacks such as MITM, FDI, DoS, unauthorised access, and so on.

Furthermore, given the geographic distribution and nature of EPES, efficient attack learning and detection is required across a single EPES stakeholder or a collaborative set of them, so that attacks identified in one CI can be automatically learned and proactively applied in other CI contexts. This requires a Federated Learning Intrusion Detection System [7] deployed on premises, with its detectors' events correlated at the SIEM level. The FL-IDPS achieves the same effect as CTI sharing, but with artifacts specific to AI models.

In addition, given the long-term operation of EPES, any proactive security must also address the identification and recognition of APTs. It is important to determine whether security events observed within an EPES infrastructure over a long period of time are related to a common and persistent threat model. This requires analysis and visualisation of security events, but also of security logs [8], against the cyber kill chain or along the MITRE ATT&CK framework [9]. For instance, an integration with the MITRE ATT&CK knowledge base will give EPES operators an extended view of whether an observed attack instance is part of a common persistent threat over time, how this APT may evolve, and whether other infrastructure assets (or nodes) are related to, or possibly impacted by, the APT. The results of such APT identification form a strong part of proactive security, and are to be communicated and correlated at the E-SIEM level too.
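The persistence check described above, as an added illustration that is not part of the ELECTRON project's code: ATT&CK-tagged events from several sensors are grouped per asset together with its neighbours in a small (hypothetical) substation topology, and a progression through at least three tactics in kill-chain order inside a 90-day window is reported as a persistent-threat candidate, together with the related assets. The topology, asset names, tactic ordering and technique ids in the sample events are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simplified kill-chain ordering of ATT&CK for ICS tactics; only the tactics
# needed by the sample below are listed (an assumption made for this example).
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "discovery",
    "lateral-movement", "command-and-control", "inhibit-response-function",
]

# Hypothetical substation topology: asset -> assets it communicates with.
TOPOLOGY = {
    "hmi-01": {"scada-srv-01"},
    "scada-srv-01": {"hmi-01", "rtu-07", "rtu-08"},
    "rtu-07": {"scada-srv-01"},
    "rtu-08": {"scada-srv-01"},
}


@dataclass(frozen=True)
class SecurityEvent:
    ts: datetime
    asset: str      # EPES node the sensor observed
    technique: str  # ATT&CK technique id as reported by the sensor (illustrative)
    tactic: str     # ATT&CK tactic that technique belongs to


def related_assets(asset, hops=1):
    """Assets reachable from `asset` within `hops` links of TOPOLOGY."""
    seen, frontier = {asset}, {asset}
    for _ in range(hops):
        frontier = {n for a in frontier for n in TOPOLOGY.get(a, set())} - seen
        seen |= frontier
    return seen


def tactic_progression(events):
    """Distinct tactics in order of first appearance, or None if the sequence
    does not advance along TACTIC_ORDER (a deliberately simple heuristic:
    real intrusions can revisit earlier tactics)."""
    seq = []
    for e in events:
        if e.tactic not in seq:
            seq.append(e.tactic)
    idx = [TACTIC_ORDER.index(t) for t in seq]
    return seq if idx == sorted(idx) else None


def persistent_threat_candidates(events, window=timedelta(days=90), min_tactics=3):
    """For every asset, consider its own events plus those of its neighbours and
    report the longest kill-chain progression found inside any `window`."""
    events = sorted(events, key=lambda e: e.ts)
    result = {}
    for anchor in TOPOLOGY:
        scope = related_assets(anchor)
        local = [e for e in events if e.asset in scope]
        best = None
        for i, start in enumerate(local):
            in_window = [e for e in local[i:] if e.ts - start.ts <= window]
            seq = tactic_progression(in_window)
            if seq and len(seq) >= min_tactics and (best is None or len(seq) > len(best["tactics"])):
                best = {
                    "tactics": seq,
                    "assets": sorted({e.asset for e in in_window}),
                    "span_days": (in_window[-1].ts - start.ts).days,
                }
        if best:
            result[anchor] = best
    return result


T0 = datetime(2022, 1, 1)
SAMPLE_EVENTS = [  # constructed sample events spread over ten months
    SecurityEvent(T0, "hmi-01", "T0865", "initial-access"),
    SecurityEvent(T0 + timedelta(days=20), "scada-srv-01", "T0853", "execution"),
    SecurityEvent(T0 + timedelta(days=55), "rtu-07", "T0859", "lateral-movement"),
    SecurityEvent(T0 + timedelta(days=70), "scada-srv-01", "T0884", "command-and-control"),
    SecurityEvent(T0 + timedelta(days=300), "rtu-08", "T0846", "discovery"),
]

if __name__ == "__main__":
    for asset, info in persistent_threat_candidates(SAMPLE_EVENTS).items():
        print(asset, info)
```

With the sample data, the SCADA server is flagged with a four-tactic progression spanning 70 days across three assets, whereas the isolated discovery event on rtu-08 ten months later is not linked to anything and produces no candidate. Widening `hops` or `window` is how an operator would trade sensitivity for noise.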

Move to integral cybersecurity of IT and OT

Integral cybersecurity requires a holistic approach across all levels, from monitoring to detection and from risk analysis to incident response and threat intelligence, considering the EPES technology, people and processes.
A SIEM solution should be able to integrate and correlate security events coming from the pure IT space (application servers and protocols including HTTP, FTP, TLS, VPN, SSH, etc.) but also from the cyber-physical space of EPES substations and devices (RTUs, IEDs, PLCs, EPES gateways, SCADA servers, etc.), over communication protocols typical of an EPES SCADA environment such as IEC-104, DNP3, Modbus, IEC 61850 (GOOSE/MMS), PTP, etc.

The SIEM solution shall be integrated with the corresponding risk analysis and mitigation processes, triggered when the presence of an attack is identified in an EPES infrastructure above a certain level of confidence. Here, specifying the correlation directives as a function of the confidence level of the various sensors is essential to ensure that alarms (also called alerts) are consistently generated to trigger other processes in an end-to-end cybersecurity solution. This is an important point for achieving an automated attack response, where the events of several heterogeneous sensors (regarding anomalies or misbehaviour of both IT and OT operations) are correlated into consistent alarm generation for a given attack and its category.
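An added example of such a confidence-driven correlation directive (illustrative code, not the ELECTRON SIEM): raw records from three heterogeneous sensors, an SSH daemon log on an IT jump host, a JSON feed from a hypothetical IEC-104 anomaly detector, and a CSV line from a honeypot emulating an RTU, are normalised into one event schema, weighted by an operator-assigned trust per sensor, and combined per source address within a five-minute window; an "unauthorised-access" alarm is raised only when the combined confidence reaches the directive's threshold. Sensor names, weights, asset names, addresses and the record formats are assumptions made for this example.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    src: str           # address the activity originated from
    asset: str         # IT host or EPES device observed
    category: str      # attack category in the SIEM taxonomy
    confidence: float  # the sensor's own confidence, in [0, 1]


# Hypothetical operator-assigned trust per sensor type: a failed SSH login is
# weak evidence on its own, a honeypot hit on an emulated RTU is strong.
SENSOR_WEIGHT = {"sshd": 0.4, "iec104-ad": 0.8, "honeypot": 0.9}

# One correlation directive: alarm on "unauthorised-access" when events from the
# same source within 5 minutes reach a combined confidence of 0.9.
DIRECTIVE = {"category": "unauthorised-access", "window": timedelta(minutes=5), "threshold": 0.9}

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for \S+ from (\S+) port \d+")


def parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalise(sensor, raw):
    """Map one raw record from a given sensor into the common Event schema."""
    if sensor == "sshd":           # syslog line from an IT jump host
        m = SSH_RE.match(raw)
        return Event(parse_iso(m.group(1)), sensor, m.group(2), "jump-host-01",
                     "unauthorised-access", 1.0) if m else None
    if sensor == "iec104-ad":      # JSON from a hypothetical IEC-104 anomaly detector
        d = json.loads(raw)
        return Event(parse_iso(d["time"]), sensor, d["src"], d["dst"],
                     "unauthorised-access", float(d["score"]))
    if sensor == "honeypot":       # CSV from a honeypot emulating an RTU
        ts, asset, src, _proto, _action = raw.split(",")
        return Event(parse_iso(ts), sensor, src, asset, "unauthorised-access", 1.0)
    return None


def combined_confidence(events):
    """Noisy-OR over the strongest weighted event of each distinct sensor, so a
    chatty sensor cannot push the score over the threshold by itself."""
    best = {}
    for e in events:
        best[e.sensor] = max(best.get(e.sensor, 0.0), e.confidence * SENSOR_WEIGHT[e.sensor])
    p_none = 1.0
    for c in best.values():
        p_none *= 1.0 - c
    return 1.0 - p_none


def correlate(events, directive=DIRECTIVE):
    """Apply the directive: group by source, slide the window, emit one alarm
    per source the first time the combined confidence reaches the threshold."""
    by_src = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.category == directive["category"]:
            by_src.setdefault(e.src, []).append(e)
    alarms = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - start.ts <= directive["window"]]
            conf = combined_confidence(window)
            if conf >= directive["threshold"]:
                alarms.append({"src": src, "category": directive["category"],
                               "confidence": round(conf, 3), "first_seen": start.ts,
                               "assets": sorted({e.asset for e in window}),
                               "sensors": sorted({e.sensor for e in window})})
                break
    return alarms


RAW_FEEDS = [  # constructed sample records: (sensor, raw line)
    ("sshd", "2022-09-01T10:00:05Z sshd[2211]: Failed password for root from 10.0.5.23 port 51022 ssh2"),
    ("sshd", "2022-09-01T10:00:07Z sshd[2211]: Failed password for root from 10.0.5.23 port 51023 ssh2"),
    ("sshd", "2022-09-01T10:00:09Z sshd[2211]: Failed password for admin from 10.0.5.23 port 51024 ssh2"),
    ("sshd", "2022-09-01T10:03:00Z sshd[2214]: Failed password for root from 10.0.9.9 port 40100 ssh2"),
    ("iec104-ad", '{"time": "2022-09-01T10:01:30Z", "src": "10.0.5.23", "dst": "rtu-07", '
                  '"asdu_type": "C_SC_NA_1", "score": 0.82}'),
    ("honeypot", "2022-09-01T10:02:40Z,honeypot-rtu-01,10.0.5.23,modbus,write_single_register"),
]


def run():
    events = [ev for sensor, raw in RAW_FEEDS if (ev := normalise(sensor, raw))]
    return correlate(events)


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

Three failed SSH logins alone (10.0.9.9) stay at a weighted confidence of 0.4 and never become an alarm; the same logins from 10.0.5.23, followed within the window by an IEC-104 anomaly against rtu-07 and a honeypot hit, combine to about 0.98 and trigger one alarm carrying the category, the sensors involved and the affected assets, which is the object a downstream risk-analysis or mitigation process would consume.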

Extended real-time visibility

A SIEM solution should be extended with specialised sensors to establish visibility into the EPES assets, OT systems and processes, in order to build a high-fidelity baseline of operational behaviour for the detection of threats and anomalies. This requires access to real-time traffic sniffing, but also to security logs on application protocol behaviour, such as those of honeypots emulating EPES devices or the logs of the devices themselves.

For instance, specialised support sensors detecting malware activity in network-level traffic are highly desirable [10], even detecting the presence of malware in TLS traffic, especially during lateral movement when malware infects more devices or servers in a substation, but also in command-and-control communications with external domains. Multi-phase malware-based attacks are one of the most serious threats to ICS (see the figures from Kaspersky's report above).

In addition, specialised support sensors shall be deployed to extend the SIEM scope to anomalies and misuse on a range of EPES protocols, not only those based on TCP/IP but also those at a lower level, such as the Ethernet-based IEC 61850 (GOOSE/MMS) or the Precision Time Protocol (PTP) used for device time synchronisation. The wider the visibility of a SIEM on EPES protocols, the better the identification of attacks and APTs will be. For instance, low-level packet attacks on PTP may result in a denial of communication between devices in a substation, and the cause of such an anomaly would be difficult to determine from a higher-level protocol analysis alone.
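To make the "lower-level visibility" point concrete, here is an added example (not code from the ELECTRON project) of the kind of packet-level sensor a SIEM could ingest for PTP: it parses raw Ethernet frames carrying IEEE 1588 Announce messages (EtherType 0x88F7, the 34-byte common header and the 30-byte Announce body), checks the advertised grandmaster against an operator-defined baseline per PTP domain, flags any unexpected clock that would win a simplified best-master-clock comparison, and tracks per-port sequence numbers to spot lost or injected messages. Truncated frames and non-Announce message types are ignored rather than misparsed. The clock identities, baseline values and the frames themselves are constructed for this example; the best-master-clock comparison is reduced to priority1 and clockClass, which is an assumption and not the full standard algorithm.

```python
import struct
from dataclasses import dataclass

PTP_ETHERTYPE = 0x88F7                     # IEEE 1588 over raw Ethernet
PTP_MCAST = bytes.fromhex("011b19000000")  # default PTP multicast MAC
MSG_ANNOUNCE = 0xB
# Common header (34 bytes) and Announce body (30 bytes), IEEE 1588-2008 layout.
COMMON_HDR = struct.Struct(">BBHBBHq4x8sHHBb")
ANNOUNCE_BODY = struct.Struct(">6sIhxBBBHB8sHB")


@dataclass(frozen=True)
class Announce:
    domain: int
    src_clock: str     # sourcePortIdentity.clockIdentity, hex
    src_port: int
    seq: int
    priority1: int
    clock_class: int
    gm_identity: str   # grandmasterIdentity, hex
    steps_removed: int


def parse_announce(frame):
    """Return the Announce carried by an Ethernet frame, or None for anything
    else (other PTP message types, other EtherTypes, truncated frames)."""
    if len(frame) < 14 or frame[12:14] != struct.pack(">H", PTP_ETHERTYPE):
        return None
    ptp = frame[14:]
    if len(ptp) < COMMON_HDR.size:
        return None
    (tsmt, ver, length, domain, _, _flags, _corr,
     clock_id, port, seq, _ctrl, _li) = COMMON_HDR.unpack_from(ptp)
    if tsmt & 0x0F != MSG_ANNOUNCE or ver & 0x0F != 2:
        return None
    if length > len(ptp) or len(ptp) < COMMON_HDR.size + ANNOUNCE_BODY.size:
        return None  # messageLength claims more bytes than were captured
    (_, _, _, p1, cls, _acc, _var, _p2,
     gm_id, steps, _ts) = ANNOUNCE_BODY.unpack_from(ptp, COMMON_HDR.size)
    return Announce(domain, clock_id.hex(), port, seq, p1, cls, gm_id.hex(), steps)


class AnnounceMonitor:
    """Stateful check of Announce traffic against an operator-defined baseline
    of the expected grandmaster per PTP domain."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.last_seq = {}  # (clockIdentity, portNumber) -> last sequenceId seen

    def inspect(self, frame):
        a = parse_announce(frame)
        if a is None:
            return []
        findings = []
        base = self.baseline.get(a.domain)
        if base is None:
            findings.append(("unexpected-domain", a))
        elif a.gm_identity != base["gm_identity"]:
            # Simplified best-master-clock comparison: lower priority1, then
            # lower clockClass, wins. A winner here would take over the domain.
            wins = (a.priority1, a.clock_class) < (base["priority1"], base["clock_class"])
            findings.append(("rogue-grandmaster-candidate" if wins else "unknown-grandmaster", a))
        key = (a.src_clock, a.src_port)
        prev = self.last_seq.get(key)
        if prev is not None and (a.seq - prev) % 65536 != 1:
            findings.append(("sequence-gap", a))  # lost or injected messages
        self.last_seq[key] = a.seq
        return findings


def build_announce(src_clock, port, seq, priority1, clock_class, gm_identity, domain=0):
    """Construct a minimal Announce frame for the sample below (test data, not a capture)."""
    body = ANNOUNCE_BODY.pack(bytes(6), 0, 37, priority1, clock_class, 0x21, 0xFFFF,
                              128, gm_identity, 0, 0xA0)
    hdr = COMMON_HDR.pack(MSG_ANNOUNCE, 2, COMMON_HDR.size + len(body), domain, 0, 0, 0,
                          src_clock, port, seq, 0x05, 1)
    src_mac = src_clock[:3] + src_clock[5:]  # EUI-64 clockIdentity -> EUI-48 MAC
    return PTP_MCAST + src_mac + struct.pack(">H", PTP_ETHERTYPE) + hdr + body


GM = bytes.fromhex("001122fffe334455")     # constructed identity of the legitimate grandmaster
ROGUE = bytes.fromhex("00aabbfffeccddee")  # constructed identity of an unexpected clock
BASELINE = {0: {"gm_identity": GM.hex(), "priority1": 128, "clock_class": 6}}
SAMPLE_FRAMES = [
    build_announce(GM, 1, 100, 128, 6, GM),
    build_announce(GM, 1, 101, 128, 6, GM),
    build_announce(ROGUE, 1, 7, 64, 6, ROGUE),         # better priority1 than the baseline
    build_announce(GM, 1, 105, 128, 6, GM),            # sequence jumped from 101 to 105
    build_announce(ROGUE, 1, 8, 64, 6, ROGUE)[:40],    # truncated on the wire
]
SAMPLE_FRAMES.append(SAMPLE_FRAMES[0][:14] + bytes([0x00]) + SAMPLE_FRAMES[0][15:])  # Sync, not Announce


def run_demo():
    """Finding names per sample frame, in order."""
    mon = AnnounceMonitor(BASELINE)
    return [[name for name, _ in mon.inspect(f)] for f in SAMPLE_FRAMES]
```

Fed with frames read from a capture file or a raw socket on the substation LAN, each finding would be normalised into a SIEM event like any other sensor output; the point of the example is that neither the rogue grandmaster nor the sequence gap is visible to a sensor that only looks at TCP/IP protocols.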

The ELECTRON SIEM Approach

ELECTRON will strengthen the cybersecurity resilience of EPES under different attack scenarios, tactics and procedures through a modular, fully customised cybersecurity and privacy-preserving framework called CYPER. CYPER will strongly empower EPES operators' resilience against cyber and data privacy attacks, especially multi-phase malware attacks, based on a holistic (beyond state-of-the-art) integration of high-impact cybersecurity technologies for:

  • Large-scale learning and detection of attacks through a Federated Learning IDPS (ELECTRON FL-IDPS),
  • Recognition of threat persistency and potential evolution through MITRE ATT&CK knowledge (ELECTRON APT Shield),
  • High-visibility detection, correlation and alarm generation to trigger risk assessment and mitigation processes (ELECTRON SIEM),
  • Strong privacy-preserving, post-quantum-safe anomaly detection (ELECTRON STRONGBOX).

Figure 2: ELECTRON SIEM and Sensors' Workflow High Level View

Figure 2 shows the high-level view of the ELECTRON SIEM and its high-level workflow [11]. There are several IDS sensors and anomaly detection components, all requiring access to EPES infrastructure traffic, logs or consumer data for their different but complementary functionalities and detection scope. Some relevant KPIs for the SIEM solution [12] are the correlation accuracy (>95%), the event normalisation rate (>1000 EPS), and the mean time to alarm generation (correlation performance) (<10 ms). In follow-up blog posts, we will present the ELECTRON CYPER framework, its main components and the challenges they address in more detail.

You can find out more about the ELECTRON architecture in this previous blog post.

[1] "Managing the successful convergence of IT and OT", Deloitte, 2020, available at Deloitte

[2] Fortinet report 2019, 56% experienced a breach in their OT systems, https://www.fortinet.com/content/dam/fortinet/assets/white-papers/WP-Independent-Study-Pinpoints-Significant-Scada-ICS-Cybersecurity-Risks.pdf

[3] Z. Mrabet et al., "Cyber-security in smart grid: Survey and challenges", Computers & Electrical Engineering, vol. 67, 2018. DOI

[4] https://www.tripwire.com/state-of-security/ics-security/us-government-warns-new-malware-attacks-ics-scada-systems/; https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thousands-of-exposed-industrial-devices; https://www.cybersecuritydive.com/news/encevo-creos-envovos-ransomware/628604/; https://www.securityweek.com/ransomware-group-claims-access-scada-confusing-uk-water-company-hack

[5] https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

[6] https://ics-cert.kaspersky.com/publications/reports/2022/03/03/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2021/

[7] A Unified Deep Learning Anomaly Detection and Classification Approach for Smart Grid Environments http://dx.doi.org/10.1109/TNSM.2021.3078381

[8] https://dl.acm.org/doi/abs/10.1145/2799979.2800042

[9] https://www.trendmicro.com/vinfo/us/security/news/managed-detection-and-response/using-mitre-att-ck-to-identify-an-apt-attack

[10] http://dx.doi.org/10.1007/978-3-030-30859-9_6

[11] ELECTRON Consortium, D2.2 Platform Specifications and Architecture, July 2022. https://electron-project.eu/deliverables/

[12] ELECTRON Consortium, D2.3 Demonstration Scenarios, Evaluation Strategy and KPIs, Sep. 2022. https://electron-project.eu/deliverables/