Cybersecurity on SCADA: Risk prediction, analysis and reaction tools for critical infrastructures

The protection of the national infrastructures is one of the main issues for national and international security. While FP7 MICIE project has proved that increasing cooperation among infrastructures increases their level of service and predictive capability, it is not enough to effectively counteract threats such as cyber attacks. Such attacks could be performed blocking communication from central SCADA to local equipment or inserting fake commands/measurements in the SCADA-field equipment communications (as happened with STUXNET worm).

The paradox is that critical infrastructures massively rely on the newest interconnected (and vulnerable) ICT technologies, while the control equipment is typically old, legacy software/hardware. Such a combination of factors may lead to very dangerous situations, exposing systems to a wide variety of attacks. To overcome such threats, the CockpitCI project aims on one hand to continue the work done in MICIE by refining and updating the on-line Risk Predictor deployed in the SCADA centre, on the other hand to provide some kind of intelligence to field equipment, allowing them to perform local decisions in order to self-identify and self-react to abnormal situations induced by cyber attacks.

It is mandatory to operate both at SCADA control centre and at field equipment because it is very dangerous to let field components operate autonomously. To address this issue an hybrid validation system will be implemented: at the Control Centre level an “Integrated Online Risk Predictor” will provide the operator with qualitative/quantitative measurements of near future level of risk integrating data coming from the field, from other infrastructures, and from smart detection agents monitoring possible cyber attacks; at field level, the system is complemented with a smart software layer for field equipment and a detection system for the TLC network. The system will be validated on real equipment and scenarios provided by Israel Electric Corp.

Apart from participating in a number of R&D tasks, Surrey is to lead two research tasks:

• Real-time intrusion detection strategies, to be investigated along the lines of anomaly detection and misuse detection via machine learning, pattern recognition, post-processing to reduce false positives as well as false negatives, and context awareness and adaptability approaches.
• Strategies for automatic reaction, to be investigated along the lines of decision support with multi-source information fusion, graph-based modelling and rule based approaches.