
Advanced Tools to assEss and mitigate the criticality of ... · IACS Industrial and Automation...

Date post: 12-Feb-2021
  • H2020-DS-2015-1-Project 700581

    Advanced Tools to assEss and mitigate the criticality of ICT compoNents and their

    dependencies over Critical InfrAstructures

    D1.5 – Second Periodic Activity Report

    General information

    Dissemination level Public

    State Final

    Work package WP1 Project Management

    Tasks Task 1.1

    Delivery date 31/10/2017

    Version 1.0

    The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700581. This document is the property of the ATENA consortium and shall not be distributed or reproduced without the formal approval of the ATENA governing bodies.

  • Type H2020-DS-2015-1-Project 700581 Project Advanced Tools to assEss and mitigate the criticality of ICT compoNents

    and their dependencies over Critical InfrAstructures Title D1.5 – Second Periodic Activity Report

    Classification Public

    Ref. D1.5 Second Periodic Activity Report.docx Page 2 of 59

    Editors

    Name Organisation

    Nazzarena Barbaro, Paolo Pucci FNM

    Authors

    Name Organisation

    Nazzarena Barbaro, Paolo Pucci FNM

    Other WP leaders CRAT, ENEA, IEC, ITRUST, UC, UNIROMA3

    Reviewers

    Name Organisation Date

    Tiago Cruz IEC 27/10/2017

    All the trademarks referred to in the document are the property of their respective owners. Should any trademark attribution be missing, mistaken or erroneous, please contact us as soon as possible for rectification.

    Executive Summary

    The present deliverable has been prepared to give the European Commission and Advisory Board members the requested visibility over the status of the Innovation Action named “Advanced Tools to assEss and mitigate the criticality of ICT compoNents and their dependencies over Critical InfrAstructures” - Grant Agreement Number 700581 (ATENA for short).

    In particular, this report provides an overview of the technical progress and achievements in ATENA, covering the period of the project from 1st May 2016 to 31st October 2017 (eighteen months).

    A preliminary version of this document was internally circulated in September 2017 to Advisory Board members to give them a picture of activities done before the Rome 2017 Advisory Board Meeting.

    Table of Contents

    1 Introduction
    1.1 Motivation and Context
    1.2 Objectives and Scope
    1.3 Document Structure
    1.4 Glossary
    1.5 Acronyms and symbols
    2 Project objectives for the period
    2.1 Work Breakdown Structure
    2.2 Project objectives and planned milestones
    3 Work progress and achievements in the period
    3.1 WP2: Resilience and efficiency models for flow prediction across CIs against adverse events on their IACS
    3.1.1 Aim of the WP2 (as in the DoA)
    3.1.2 WP Tasks active in the reference period
    3.1.3 Work performed and achieved results
    3.2 WP3: IACS design for security
    3.2.1 Aim of the WP3 (as in the DoA)
    3.2.2 WP Tasks active in the reference period
    3.2.3 Work performed and achieved results
    3.3 WP4: Distributed Awareness
    3.3.1 Aim of the WP4 (as in the DoA)
    3.3.2 WP Tasks active in the reference period
    3.3.3 Work performed and achieved results
    3.4 WP5: Distributed Mitigation and Resiliency in Interdependent scenario
    3.4.1 Aim of the WP5 (as in the DoA)
    3.4.2 WP Tasks active in the reference period
    3.4.3 Work performed and achieved results
    3.5 WP6: Development and Components Integration
    3.5.1 Aim of the WP6 (as in the DoA)
    3.5.2 WP Tasks active in the reference period
    3.5.3 Work performed and achieved results
    3.6 WP7: Validation and evaluation
    3.6.1 Aim of the WP7 (as in the DoA)
    3.6.2 WP Tasks active in the reference period
    3.6.3 Work performed and achieved results
    3.7 WP8: Project dissemination and commercial strategy
    3.7.1 Aim of the WP8 (as in the DoA)
    3.7.2 WP Tasks active in the reference period
    3.7.3 Work performed and achieved results
    4 Reached project objectives and milestones
    5 Conclusions
    6 References
    Appendix A: examples of use case

    List of figures

    Figure 1: Timing of work packages
    Figure 2: Timing of WP2
    Figure 3: Timing of WP3
    Figure 4: Procedure to elicit the requirements
    Figure 5: Interim functional architecture
    Figure 6: Timing of WP4
    Figure 7: Draft macro-architecture of the ATENA cyber-security platform
    Figure 8: Simplified lambda architecture for the Detection Layer
    Figure 9: Timing of WP5
    Figure 10: Elements of decision for the operator (security point of view)
    Figure 11: Timing of WP6
    Figure 12: Timing of WP7
    Figure 13: Timing of WP8
    Figure 14: ATENA impact levels [8]
    Figure 15: Power Station Overload
    Figure 16: Power grid combined cyber attack
    Figure 17: ATENA Validation System at a glance
    Figure 18: IT and operation domains of the ATENA Validation System

    List of tables

    Table 1: Work Packages List
    Table 2: List of Milestones
    Table 3: List of academic publications
    Table 4: Deliverables List
    Table 5: Power Station Overload
    Table 6: Power grid combined cyber attack
    Table 7: Levels of access per project partner
    Table 8: Requirements to the IT and Operation domains

    1 Introduction

    1.1 Motivation and Context

    The present deliverable is provided to the European Commission (referred to in the following as EC) as an overview of the Horizon 2020 Innovation Action known by the short name ATENA - Grant Agreement Number 700581, covering the first period of the project from 1st May 2016 to 31st October 2017 (eighteen months, from M1 to M18).

    1.2 Objectives and Scope

    This document collects the technical progress and achievements in the project, to assess the advances in the Work Packages in terms of activities (concluded or in progress) and of contractual milestones and delivered documents with respect to planned ones.

    In coherence with the Description of the Action (DoA) [2], the present document does not cover either management elements (that will be covered by companion document D1.6 [3]) or use of resources (that will be covered by companion document D1.7 [4]).

    1.3 Document Structure

    The document is made of several chapters:

    • Chapter 1 is the present introduction.

    • Chapter 2 defines the project objectives in the period.

    • Chapter 3 describes the work progress and the achievements in the period.

    • Chapter 4 contains conclusions.

    • Chapter 5 contains bibliographic references.

    1.4 Glossary

    For the sake of maintenance, manageability and completeness, a project-level glossary document is publicly available on the ATENA website (https://www.atena-h2020.eu/). The reader is invited to refer to that separate project-level glossary document (D2.0 “ATENA Glossary” [5]).

    1.5 Acronyms and symbols

    Acronym or symbol    Explanation

    ANN Artificial Neural Networks

    APT Advanced Persistent Threat

    CAIDI Customer Average Interruption Duration Index

    CC Common Criteria

    CEM Common Methodology for Information Technology Security Evaluation

    CI Critical Infrastructure

    CISIA Critical Infrastructure Simulation by Interdependent Agents

    CPIDS Cyber-physical IDS

    CPS Cyber Physical System

    DoA Description of the Action

    DCS Distributed Control Systems

    DG Dispersed/Distributed Generation

    DHIDS Distributed Heterogeneous IDS

    DSS Decision Support System

    EC European Commission

    ESS Energy Storage System

    EU European Union

    FCA Forensics and Compliance Auditing

    GA Grant Agreement

    HEDVa Hybrid Environment for Development and Validation

    HV High Voltage

    IACS Industrial and Automation Control System

    ICS Industrial Control Systems

    ICT Information & Communication Technology

    IDS Intrusion Detection System

    IoT Internet of Things

    IP Internet Protocol

    IPR Intellectual Property Rights

    KPI Key Performance Indicator

    M Month

    MHR Mixed Holistic Reductionist

    MQ Message Queuing

    MV Medium Voltage

    PLC Programmable Logical Controller

    Por Pressure out of range

    RAO Resource-Action-Operation

    QoS Quality of Service

    RES Renewable Energy Source

    RTU Remote Terminal Unit

    SCADA Supervisory Control and Data Acquisition

    SAIDI System Average Interruption Duration Index

    SAIFI System Average Interruption Frequency Index

    SIEM Security Information and Event Management

    SPD Security/Privacy/Dependability

    SVM Support Vector Machines

    ToC Table of Content

    TCP Transmission Control Protocol

    US United States of America

    VM Virtual Machine

    WBS Work Breakdown Structure

    WP Work Package

    2 Project objectives for the period

    The present report covers months M1 to M18, spanning from May 2016 to October 2017. The ATENA project has an overall length of 36 months, so the present report covers exactly the first half of the project timeline.

    For the reader's convenience, section 2.1 gives an overview of the project WBS, with a Gantt chart for the whole project timeline.

    In section 2.2 the project objectives and planned milestones of the period are summarized.

    2.1 Work Breakdown Structure

    The WBS of the project is shortly displayed in the following Table 1:

    WP no. | WP Title | Lead Beneficiary | Start Month | End Month
    WP1 | Project Management | FNM | 1 | 36
    WP2 | Resilience & Efficiency models for flow prediction across CIs against adverse events on their IACS | ENEA | 1 | 36
    WP3 | IACS design for security | CRAT | 1 | 30
    WP4 | Distributed Awareness | UC | 5 | 30
    WP5 | Distributed Mitigation and Resiliency in interdependent scenario | UNIROMA3 | 3 | 30
    WP6 | Development and components Integration | FNM | 9 | 36
    WP7 | Validation and evaluation | IEC | 3 | 36
    WP8 | Project dissemination and commercial strategy | ITRUST | 1 | 36

    Table 1: Work Packages List

    According to the DoA, all the WPs are currently started and in progress, as shown in the following Gantt chart in Figure 1:

    Figure 1: Timing of work packages

    2.2 Project objectives and planned milestones

    The planned project objectives to be completed (at least in a preliminary version) in the reference period (M1-M18) are:

    Obj1. Prepare the plans for the activities to be done during the whole project lifetime, from the earliest phases, as regards quality management, training, dissemination, communication, exploitation, innovation, IPR and impact assessment.

    Obj2. Prepare a project website for showing the project results to the general public.

    Obj3. Assess the state of the art of CIs in the domains of interest of ATENA, and identify the CI elements available in the real CI systems of ATENA, to build the context where ATENA research will be done, applied and evaluated.

    Obj4. Identify scenarios and cases of use where ATENA research will be done, applied and evaluated.

    Obj5. Identify specifications and requirements for the overall ATENA system, for the Decision Support System and for the on-line Cyber-Physical IDS.

    Obj6. Design a preliminary ATENA general Reference Architecture.

    Obj7. Define metrics to quantify the security of the CI domain, for a sound definition of the vulnerability handling process, the risk analysis process and the security assurance process.

    Obj8. Define algorithms to compute optimal configurations to improve the security and resiliency of the CI’s underlying IACS.

    Obj9. Define a model-based strategy for identification of faults or attacks in Cyber-Physical systems.

    Obj10. Define optimal mitigation strategies and rank-based reaction strategies in the Decision Support System for CI efficiency against faults or attacks.

    Obj11. Preliminary study of a Software Defined Security (SDS) subsystem that integrates ATENA functionalities to dynamically and proactively react to faults or attacks.

    Obj12. Plan the development strategy of the main components of the ATENA tools suite.

    Obj13. Define the validation strategy and the use cases customization.

    Obj14. Prepare periodical reports for describing the advances from the technical, management, financial and impact assessment points of view.

    The following list highlights the other activities that have been started and are in progress in M18, and that contribute to objectives that will be completed in the next period:

    Act1. Prepare the models to analyse the interdependencies among domains of interest.

    Act2. Define methodologies and tools for risk analysis applied to CIs.

    Act3. Define a Reference Architecture for the Cyber-Physical IDS.

    Act4. Design detection agents and security components of the Cyber-Physical IDS.

    Act5. Design a Distributed Intrusion Detection System to fulfil the needs of IACS.

    Act6. Design a Big Data-based Security Information Event Management (SIEM), to provide a dataframe for forensics and auditing purposes.

    Act7. Design distributed extensions of IACS devices, for rule-based filtering of device commands.

    Act8. Design the main components of the ATENA tools suite.

    Act9. Define models to test the ATENA prototype.

    Act10. Identify standards and standardization activities for ATENA-related matters.

    The list of the planned milestones in the period is described in the following table (see also section 1.3.4 WT4 List of milestones in [2]).

    MS1: Quality, training, dissemination and communication plans ready
    WPs involved: WP1, WP8
    Due Month: 3
    Means of verification:
    • Quality plan (D1.1) ready
    • Training, dissemination and communication plans (D8.1) ready
    Delivery Documents: D1.1, D8.1

    MS2: SoTA interim assessment
    WPs involved: WP2, WP3, WP5
    Due Month: 6
    Means of verification:
    • SoTA interim assessment (D2.1) completed
    Delivery Documents: D2.1, D3.1, D5.1

    MS3: First project review
    WPs involved: WP1, WP2, WP3, WP5, WP6, WP8
    Due Month: 12
    Means of verification:
    • First periodic reports (D1.2, D1.3, D1.4)
    • Impact assessment methodology and criteria (D8.2) and preliminary report (D8.3)
    • Taxonomy of ATENA concepts (D2.2) defined
    • Preliminary scenarios, use case and indicators (D2.3) defined
    • Preliminary hybrid modelling approach & interdependency (D2.4) analysed
    • Preliminary architecture of components (D3.2)
    • DDS final requirements and reference architecture (D5.6)
    • Preliminary model based fault/attack identification (D5.2)
    • Plan for design and development (D6.1), exploitation (D8.4) and IPR (D8.5)
    Delivery Documents: D1.2, D1.3, D1.4, D2.2, D2.3, D2.4, D3.2, D5.2, D5.6, D6.1, D8.2, D8.3, D8.4, D8.5

    Table 2: List of Milestones

    3 Work progress and achievements in the period

    This section reports, for each work package active in the reference period (except for project management, which will be addressed in D1.6 [3]), the following information:

    • the status of the work package at task level;

    • the achieved results;

    • deviations from the DoA.

    3.1 WP2: Resilience and efficiency models for flow prediction across CIs against adverse events on their IACS

    3.1.1 Aim of the WP2 (as in the DoA)

    The objective of this Work Package is to develop a unified modelling framework, and relevant models, to predict the efficiency of CIs physical flows and resilience against adverse events (faults, cyber-physical threats, and deviations from nominal operation) that may alter the behaviour of their Industrial Automation and Control Systems. Considering advanced interdependent scenarios of modernized CIs, this WP will model physical flows as electricity, gas, water, and information data.

    The main results of this work package will be:

    • State-of-the-art of modernized CIs, their IACS, security solutions and modelling approaches

    • Advanced scenarios of modernized interdependent CI and IACS including use cases, provided by CI Operators.

    • Indicators of CI flow efficiency, resilience, security, quality of service and risk. Proper IACS indicators to estimate the benefits of ATENA tools.

    • Taxonomies of CI elements available in the CI systems of interest of ATENA.

    • Modelling framework and hybrid & interdependency models to estimate indicators under IACS adverse events. Models of recovery and mitigation strategies under such events.

    • Algorithms and possibly meta code for calculating IACS indicators, as functional input to ATENA tools.

    The WP leader is ENEA.

    3.1.2 WP Tasks active in the reference period

    • Task 2.1: State of the art (UC), Start: M1 – End: M6;

    • Task 2.2: Advanced scenarios, use cases & indicators (ENEA), Start: M1 – End: M32;

    • Task 2.3: Taxonomies (IEC), Start: M3 – End: M8;

    • Task 2.4: Hybrid modelling approach & interdependency analysis (ENEA), Start: M5 – End: M35.

    Figure 2: Timing of WP2

    3.1.3 Work performed and achieved results

    Activities and results:

    • Task 2.1: State of the art (UC)

    Partners involved: FNM, ENEA, IEC, ITRUST, SAPIENZA SL, UC, SWDE and IBS.

    Status: Completed.

    Activities in the period: The activity is documented in deliverable 2.1, issued at month 6, October the 31st, 2016. The task leader is Coimbra University. Several partners have contributed to it, particularly, ITRUST, ENEA, IBS, IEC, FNM, SAPIENZA SL and SWDE.

    The deliverable is an introductory document covering fundamental aspects of ICS/IACS design, modelling, operation and security, which are crucial for defining the context in which ATENA project activities are going to be developed. The state of the art looks at modernized interdependent CIs which, together with their IACS, are going to play an increased and challenging role that requires safer and more secure approaches. Within the scope of the ATENA project, Critical Infrastructures (CI), Industrial Control and Automation Systems (ICS & IACS), Supervisory Control and Data Acquisition systems (SCADA) and Distributed Control Systems (DCS), incorporating devices such as Programmable Logic Controllers (PLC) or Remote Terminal Units (RTUs), have been considered. Their roles have been investigated in different domains (electric production and distribution, water processing, oil and natural gas distribution), where they control dispersed assets using centralized data acquisition and supervisory control and allow CIs to provide essential services that are vital and often highly interconnected and mutually dependent.

    The investigation covered the most relevant projects related to cyber-security for ICS/IACS; the most relevant ICS cyber security standards and guidelines, with a focus on regulatory, standardisation and industrial approaches; ICS cyber security and interdependency modelling techniques and tools; and ICS security policies and solutions, also encompassing existing tools and the relevant technology ecosystem. Modelling methods, hardware & software tools and test beds to represent the ATENA project context have also been considered, drawing on the expertise previously gained in several EU projects in the field of CI and IACS protection and resilience.

    The elaboration of D2.1 followed an incremental strategy encompassing several sub-tasks (or stages), namely:

    1. Definition of a document elaboration strategy (also including aspects such as timings, responsibilities and milestones), as well as the table of contents, planned to be consistent with the ATENA project goals. This stage was undertaken as soon as possible, in order to reach a full agreement between all the ATENA project partners (and not only the ones involved in the task);

    2. The second stage proceeded as soon as the first round of contributions was received, in order to identify weaknesses and sensitive points that required further attention or improvement. At this stage, it was decided to improve upon the document ToC, including a discussion of the Industry 4.0 initiative and the inclusion of a section covering wireless sensor networks;

    3. The third stage proceeded after the second round of contributions, with the integration and editing of the document and the creation of the first draft for revision, to be undertaken by UNIROMA3 and UL.

    D2.1 includes a glossary of relevant key terms in the scope of the document itself and the ATENA project (i.e., a text table listing key terms and proposing a related definition). The original aim of the glossary was to serve as a reference for the readers of the entire range of ATENA’s deliverables, not only D2.1. Later, because of the need for continuous enhancement and update of this glossary, and in order to avoid including the glossary in all documents, it was decided to place it in a standalone document named D2.0 “ATENA glossary” [5], made available on the ATENA website, which can easily be referenced in all subsequent ATENA deliverables. It is worth noting that, since D2.1 was crucial to provide inputs to D3.1 (as well as other future WP3 deliverables), CRAT worked together with UC (despite not being part of the list of partners for D2.1) in order to provide relevant references for both the glossary and contents, also ensuring cross-consistency between both documents.

    Delivered output: D2.1 “State of the art” (public report) has been delivered on time (M6). This contributes to milestone MS2.

    • Task 2.2: Advanced scenarios, use cases & indicators (ENEA)

    Partners involved: FNM, CRAT, CREOS LU, UNIROMA3, ENEA, IEC, MULTITEL, SAPIENZA SL, UC and SWDE.

    Status: In progress.

    Activities in the period: The task leader is ENEA. All the partners have contributed to it, especially CRAT, CREOS LU, FNM, IEC, ITRUST, MULTITEL, SWDE, UC and UNIROMA3.

    Task 2.2 identifies and gathers the whole set of knowledge, information and data, in terms of advanced scenarios, use cases and indicators, needed to develop and demonstrate the ATENA tools. This means that the ATENA tools will be able to implement their functionalities within the scenarios identified in the task report, and will be demonstrated on a subset of them implemented by the validation environment. Task 2.2 therefore includes the results of the previous WP2 tasks, Task 2.1 (state of the art) and Task 2.3 (taxonomy); the latter preliminarily identifies some major issues of the validation environment. The ATENA CI operators (IEC, CREOS, SWDE) have given their view of their own infrastructure, also looking at the elements of interdependency with the other infrastructures.

    A specific questionnaire has been addressed to the ATENA CI operators (IEC, CREOS and SWDE). For knowledge elicitation, and in order to better understand the underlying processes, two technical face-to-face meetings were set up: one for gas and water (in Luxembourg and Verviers, in October 2016) and another one for electricity, interdependencies and validation (in Haifa, in January 2017).

    The final advanced scenarios will ideally be composed of a High Voltage/Medium Voltage smart electricity grid, gas and water networks and their SCADA systems, interdependent at physical and functional levels, as a System of Systems that acts as a whole. The description will cover the topologies, main functionalities, main devices and main communications among devices of such a System of Systems, including communication protocols (with special attention to TCP/IP-based protocols); interdependencies and the related cascading effects; cyber security issues such as cyber threats, vulnerabilities, pre-existing cyber security policies and technical solutions; and use cases and indicators.

    CI topologies, parameters, main functionalities and interdependencies are being identified, as described in deliverable D2.3 (interim report). Functionalities, also referred to in the ATENA taxonomy (D2.2) as processes, currently include, for electricity: a) Load Shedding, b) Power flow management, c) Outage management, including the fault management procedure. Moreover, for Dispersed Generation (DG), typically from renewable energy sources (RES), other functionalities could be d) Power flow inversion at the HV/MV station towards the HV network, e) Voltage variation over ± 10% of nominal value, f) Thermal overload of MV trunks. Normal and critical states of such functionalities/processes also depend upon the behaviour of the gas and water networks, as described by the mutual dependencies of the functionalities/processes.

    For the functionalities/processes already identified, or still to be identified, indicators of flow efficiency, resilience, security, quality of service and risk will first be investigated separately, each one tailored to the specific models that are going to be executed in the ATENA project.

    Important global quality of service (QoS) indicators for the electricity domain have been identified, based on experience from the CockpitCI project. The most important identified indicators are Tn and CAIDI.

    Tn - equivalent de-energised time. Tn is the main indicator for one-time reference scenario.

    Tn = ∑(KVA*Duration)/Installed KVA, where the sum is taken from the beginning of reference scenario until complete power restoration on whole grid.

    CAIDI - Customer Average Interruption Duration. The CAIDI index is the most important indicator for power utilities over a long period of time (one year, for example). Reducing this value year on year indicates an improvement in the overall distribution system performance and reliability.

    CAIDI = SAIDI (System Average Interruption Duration) divided by SAIFI (System Average Interruption Frequency)

    The QoS indicators above are also used by water and gas distribution companies. Besides these indicators shared with the electricity domain, another important indicator is the time during which the gas or water pressure was outside the defined threshold at control points on the distribution network (named Por, i.e. pressure out of range), calculated at different control points of the water or gas distribution network.
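    A worked computation of the indicators defined above, added here as an example and not taken from the ATENA deliverables. The interruption records, pressure samples and network sizes are constructed; SAIDI and SAIFI use the standard customer-weighted definitions, which the report does not spell out, and Por assumes each pressure sample holds until the next one.

```python
from dataclasses import dataclass


@dataclass
class Interruption:
    """One de-energised section during the reference scenario (constructed data)."""
    kva_lost: float      # installed kVA disconnected by this interruption
    duration_min: float  # minutes from loss of supply to restoration
    customers: int       # customers affected


# Constructed sample data, not measurements from any ATENA operator.
EVENTS = [
    Interruption(kva_lost=4000, duration_min=30, customers=1200),
    Interruption(kva_lost=2500, duration_min=90, customers=800),
    Interruption(kva_lost=1000, duration_min=15, customers=300),
]
INSTALLED_KVA = 50_000
CUSTOMERS_SERVED = 20_000

# Pressure log per control point: (minute, pressure in bar), sorted by time.
PRESSURE_LOG = {
    "CP-1": [(0, 4.1), (10, 3.2), (25, 2.7), (40, 3.9), (60, 4.0)],
    "CP-2": [(0, 5.0), (20, 6.4), (30, 6.6), (45, 5.5), (60, 5.2)],
}


def equivalent_deenergised_time(events, installed_kva):
    """Tn = sum(kVA * duration) / installed kVA, in minutes, for one scenario."""
    return sum(e.kva_lost * e.duration_min for e in events) / installed_kva


def saidi(events, customers_served):
    """Customer-minutes of interruption per customer served (assumed definition)."""
    return sum(e.customers * e.duration_min for e in events) / customers_served


def saifi(events, customers_served):
    """Customer interruptions per customer served (assumed definition)."""
    return sum(e.customers for e in events) / customers_served


def caidi(events, customers_served):
    """CAIDI = SAIDI / SAIFI: average minutes per interruption experienced."""
    frequency = saifi(events, customers_served)
    if frequency == 0:
        return 0.0  # no interruptions in the period, so no duration to average
    return saidi(events, customers_served) / frequency


def pressure_out_of_range(log, low, high):
    """Por per control point: minutes with pressure outside [low, high]."""
    por = {}
    for point, samples in log.items():
        minutes = 0
        # Sample-and-hold: a reading is valid until the next reading arrives.
        for (t0, p0), (t1, _) in zip(samples, samples[1:]):
            if not low <= p0 <= high:
                minutes += t1 - t0
        por[point] = minutes
    return por


if __name__ == "__main__":
    print("Tn    [min]:", equivalent_deenergised_time(EVENTS, INSTALLED_KVA))
    print("SAIDI [min]:", saidi(EVENTS, CUSTOMERS_SERVED))
    print("SAIFI      :", saifi(EVENTS, CUSTOMERS_SERVED))
    print("CAIDI [min]:", round(caidi(EVENTS, CUSTOMERS_SERVED), 2))
    print("Por   [min]:", pressure_out_of_range(PRESSURE_LOG, 3.0, 6.0))
```

    Tn weights each outage by the disconnected power, while CAIDI weights it by the customers affected, so the same set of events can rank differently under the two indicators.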

    Then, these separate indicators, each related to a single infrastructure, will be investigated in combination, according to combined scenarios of the three infrastructures, and specific reaction and cascading effect strategies will be analyzed and developed by ATENA, providing tangible measurement criteria to assess the performance and the outcomes of the ATENA Decision Support System.

    Several modeling methods and tools can be used to represent a context as large as ATENA's. Two main approaches are under consideration:

    1. simulation models

    • by domain simulators

    • by agent based simulators

    • by CISIA holistic reductionist simulator

    2. mathematical models

    From this perspective, the contributions of the main partners involved are reported below.

    CRAT contributed to the identification of use cases and indicators for the power network, especially looking at mathematical models of smart electricity distribution networks.

    The following use cases have been investigated:

    1. Transmission network control for mitigation of load altering attacks.

    2. Distribution Network Reconfiguration for increased service resilience in presence of alerts on ongoing or predicted faults/attacks.

    3. Distribution Network Black Start in presence of energy storage systems for faster service restoration following a power outage at transmission level (possibly caused by an attack).

    4. Node level control for industrial and residential customers for increasing service resilience in case of main power outages. The most general case addressed considers a prosumer node equipped with generation, loads, and energy storage devices.

    Regarding the mathematical models, the following ones have been investigated:

    1. Power flow equations for Transmission and Distribution level.

    2. Models for the Energy storage devices.

    3. Generator models for renewable distributed sources.

    Also, key indicators have been identified from the review of the literature to capture the quality of the service both in normal operation and in emergency operation. The use cases, models and indicators investigated refer to an advanced scenario foreseeing the integration of innovative elements such as distributed and renewable energy resources and storage devices.

    MULTITEL aims to investigate CI interdependencies under reference scenarios and use cases, using relevant KPIs for risk management. (Simulation) models of all components of such a complex system are needed: the electricity distribution system with SCADA, the water distribution system with SCADA, the gas distribution system with SCADA, the communication CI, as well as cyber attacks. In such an interdependency scenario, rather aggregated models are needed, capturing the systemic behavior of each component without unnecessarily overloading the model with fine physical aspects and transitional processes. Preliminary results in the definition of such models for each component enumerated above and for interdependency scenarios are reported in deliverable D2.3 (interim report). A detailed description of the water, gas and electricity CIs, their SCADA and the communication CI can also be found in the corresponding chapters of the deliverable.

    UC has contributed with a description of a use case focused on a Medium Voltage (MV) electric grid scenario, with use of the Modbus protocol for distributed ring feeder control, mainly focused on the cyber-security domain. The purpose is to provide insights on:

    • The most effective penetration and intrusion strategies, as well as the potential attack vectors to be exploited for such purpose;

    • Taxonomy of deployable attacks, from network to process-level. For the latter case, the information-gathering strategies were also analysed;

    • Impact of implemented attacks both at logical and physical level, from loss of process visibility (in the case of a Denial-of-Service), to process manipulation and service interruption.

    Regarding the possible attacks, three different profiles were investigated:

    • Scouting attacks, with the aim of executing the reconnaissance of the network topology, as well as existing devices and used protocols. This is usually undertaken to gather intelligence data about the infrastructure and related processes;

    • Flooding attacks, targeting and overwhelming several control points (implemented using Programmable Logic Controllers) to cause service interruptions, hamper control and/or induce loss of process visibility;

    • Man-in-the-Middle attacks, designed to both gather intelligence data (in a first stage) and induce on-the-fly process disruption, with loss of visibility.

    This contribution highlights the security and safety impacts arising from IACS cyber-attacks, also providing information about the effectiveness of the detection strategies whose implementation is envisioned in the scope of the ATENA project.

    UNIROMA3 has contributed to the description of the main issues of the electricity domain.

    Delivered output: D2.3 “Advanced scenarios, use cases & indicators (interim report)” (classified report) has been delivered on time (M10). This contributes to milestone MS3.

    • Task 2.3: Taxonomies (IEC)

    Partners involved: FNM, UNIROMA3, ENEA, IEC, MULTITEL and SWDE.

    Status: Completed.

    Activities in the period: The activity is documented in deliverable D2.2, issued in M8. The task leader is IEC, and several partners have contributed to it, particularly, ENEA, FNM and SWDE. The aim of the task is not the proposal of general purpose taxonomies of CI elements, already available in the literature and only partially useful for our purposes, but rather the clear definition of the CI elements that are practically found in the context of ATENA project during the use cases definition and in the following validation phase. Within the task, the following objectives have been addressed:

    • The identification of main CIs' interdependencies and KPIs for the development of models and for the validation of ATENA results.

    • The classification and analyses of interdependences of the CIs in ATENA project in terms of IACS, interfaces and protocols in order to customize the CIs processes, interdependences and emulators, to analyse and identify possible vulnerabilities of the CIs' processes and to develop use cases.

    • The identification of CIs' processes and parameters that could have influence on the process implementation.

    In particular, Deliverable 2.2 gives an overview of the advanced scenarios intended to be used for validating the ATENA results. It covers the utility domains of electricity, gas and water, with specific regard to electricity generation and distribution, including interdependent elements/components such as the gas turbine and modernized processes such as IoT and microgrids (smart houses and smart neighborhoods), together with the related physical processes, technological components and communication protocols used to automate the physical processes.

    About CI interdependencies, it is worth mentioning that ATENA deals with many kinds of interdependencies:

    • within the IACS system(s) of a CI. The problem occurs in IACS and propagates from IACS to its controlled CI;

    • within one CI, particularly effects originating from disruptions in IACS that affect the physical CI system and the business processes. The problem occurs in IACS and propagates from IACS to its controlled CI, resulting in an alteration of CI business process (e.g., unsupplied customers);

    • among different CI systems, where one or more CIs are depending on another CI (named CI1). The problem in CI1 has effects propagating from CI1 to other CIs depending on CI1.

    According to the literature, modelling and simulation approaches for CI interdependencies can be divided into several categories. Among those, the following approaches are considered in the ATENA project.

    • empirical approaches, which refer to historical accident or disaster data and expert experience. Failures and potential cascading effects are analyzed based on real events. Sometimes real-world complexities are hard to capture and are ignored.

    • agent-based approaches which represent the complex behaviour of many individual agents and their interactions. CIs are regarded as complex adaptive systems where each CI component is viewed as an agent.

    • system dynamics is a top-down holistic approach to analyse complex systems. Feedback, stock and flow are the basic concepts of this approach.

    • economic theory based approaches where the interactions between economic actors, such as households and producers, are considered at different level. Market transactions are taken into account to show interdependencies between sectors in the economy (CI) for production and consumption.

    • network based approaches look at physical and relational connections. The level of analysis is more detailed, often at the level of components and nodes within a CI. Network based approaches model networks and describe interdependencies by links; detailed descriptions of topologies and flow patterns are considered. In case of failure of a component, cascading effects can be simulated within and across different CIs at the system level.

    Other approaches, such as Petri-net-based or Bayesian-network-based methods, are not considered in ATENA, not because they are inappropriate, but because of a preference that takes into account the past experience of the ATENA partners.

    Delivered output: D2.2 “Taxonomies” (public report) has been delivered on time (M8). This contributes to milestone MS3.

    • Task 2.4: Hybrid modelling approach & interdependency analysis (ENEA)

    Partners involved: UNIROMA3, ENEA, IEC, MULTITEL and UC.

    Status: In progress.

    Activities in the period: The task leader is ENEA. All the partners have contributed to it, especially CRAT, CREOS LU, FNM, IEC, ITRUST, MULTITEL, SWDE, UC and UNIROMA3. To investigate CI interdependencies under advanced scenarios and use cases, using relevant KPIs for risk management, one needs models of such a complex system of systems. Ideally, the models have to represent CI behaviour (in normal and critical operation), the SCADA functionalities/processes of the underlying CI components, network interdependencies (at the physical and, ideally, the geographical, cyber and organizational layers), energy efficiency, and their degradation due to (natural, technological and malicious) adverse events. The ATENA project is in line with the previous CockpitCI and MICIE projects, whose main concept it takes up: by increasing the cooperation among ICT-based systems of physical infrastructures, it is possible to provide the operator of a single CI with improved situational awareness of the presence of adverse events and early prediction of their consequences, and therefore to improve the CI level of service (business continuity). ATENA proposes such concepts again in a wider operational range, which now addresses not only adverse events but also cyber events, not only SCADA but also the IoT generation of SCADA systems, and not only a conventional electricity infrastructure but modernized and interdependent Critical Infrastructures such as a Transmission (HV) electricity grid and Distribution (MV) smart grid, a modernized gas transport and distribution network and a modernized water network.

    The heterogeneous interdependencies simulation model for estimating quality of service indicators, under development in the ATENA project, will also capitalize on the CockpitCI model and extend it in several aspects. This will make it possible to simulate various complex scenarios of interdependency among the three infrastructures (electricity, water, gas) with their SCADA and communication links. Two main approaches are under way to implement this model. The first uses the Intelligent RAO Simulator, a general-purpose agent-based simulator, to describe all the CIs in one tool. The second builds a distributed model, composed of the different CI models implemented in domain-specific simulators available on the market, which communicate for data exchange and simulation time synchronization.

    To create such a complex model of system of systems is not an easy job. The complex modeling approach is going to be implemented in an incremental fashion, advancing knowledge by advancing ATENA project.

    In a first stage, starting from the bare model of the electricity system, sources belonging to the other networks have been added at the main sources of each network; active components of the water and gas networks energized by the electrical grid have been identified; and the main functionalities of the SCADA of each network have been considered in optimizing network behavior. Then, methodology, models and results are going to be extended and instantiated on the modernization of the critical infrastructure of the ATENA project as provided by IEC, CREOS LU and SWDE.

    Models of an understandable and compact size are intended to be used within the ATENA validation testbed.

    Models of large size will be implemented and exercised to ideally provide knowledge and algorithms to feed the ATENA risk prediction and mitigation tool. Such models will allow us to study (i) the heterogeneous system behavior under various adverse events of cyber and physical nature and (ii) the influence of the malfunctioning of one CI on the other ones, in order to better understand malfunction propagation and to quantitatively study the influence of possible countermeasures, thus paving the way to better structural resilience of the whole system.

    Domain simulators are included in a more complete simulation environment for modelling and simulating interactive and cooperative networks that, as a System of Systems, act as a whole. The aim is to predict the efficiency of CI physical flows and CI resilience in normal conditions and in the presence of adverse events. Such challenging issues need the cooperation of domain simulators, based on domain equations and able to generate data and status of the physical layer of each network, and event-based simulators for representing SCADA functionalities and the network operational layer. Moreover, it is also required to represent the occurrence of adverse events and/or to generate cyber attacks. In particular, the simulation models, developed with domain and transversal simulators, coexist with hardware devices, with the aim of conducting actual cyber attacks on SCADA and analysing their consequences on SCADA and on the interdependent critical infrastructures. The hardware devices are in charge of representing actual SCADA devices, reproducing cyber attacks, typical SCADA cyber protection and monitoring data flow. Domain and transversal simulators are used to faithfully represent each physical network and their interdependencies and to compute energy efficiency and resilience indicators. Among the simulation models, a smart grid simulator is available to characterize an actual smart grid, connected to photovoltaic plants of different power and locations, and to analyse energy efficiency according to different input parameters. The smart grid model will be interconnected with the other components of the environment to investigate the impact of cyber attacks and interdependencies on resilience and energy efficiency. Work is proceeding along two main paths:

    1. on the implementation of single infrastructure models by using PSS SINCAL (commercial domain simulator by Siemens):

    • an electrical grid model to be used in validation, which refers to the schema and the initial data provided by IEC. On this model, the exercise of some use cases for validation and load flow analysis are in progress;

    • models and sub-models of the water network, which refer to the schema and data provided by SWDE, in order both to exercise use cases for validation and to perform independent performance vulnerability analysis with the aim of identifying relevant scenarios;

    • models of the gas network.

    2. on the implementation of software modules to automate the SINCAL simulations. Specifically, a Simulation Manager is under development with the aim of simulating dependencies among the critical infrastructure networks. Currently, it is possible:

    • to remotely configure the simulator using one-day load generation profiles and analyze the network behavior hour by hour;

    • to simulate the dependencies between the electrical network and the water network.

    The RAO model, in particular, can potentially be used in on-line mode as a part of the ATENA risk prediction and mitigation tool. In this mode, starting from the current system state and the anomalies detected (coming from other components of the ATENA tool), the model could quickly simulate several possible scenarios of how the situation develops, thus making it possible to predict the most probable near-term problems and estimate their consequences on quality of service indicators. Such an estimation is an important part of overall near-term risk estimation and mitigation and thus helps to increase the operational resilience of the whole system.

    Moreover, a fundamental component of the ATENA risk prediction and mitigation tool is the CISIApro simulator. The original CISIA simulator (Critical Infrastructure Simulation by Interdependent Agents) was designed some years ago for analyzing the short-term effects of failures, both in terms of fault propagation and with respect to performance degradation. In 2014, CISIA was re-designed, developing a new version called CISIApro, aiming at greater flexibility in the design of critical infrastructures and better software usability and performance. The evolved product has new graphical interfaces for the design, debug and development phases. CISIApro is an agent-based simulator, where each element of the infrastructure is described by an agent, and all agents have the same structure. The agent receives resources and faults from upstream agents and sends resources and faults to downstream agents. CISIApro can work connected to an IACS control center in order to evaluate the consequences of faults and cyber threats on the modelled interconnected infrastructures.

    The modelling guideline exploited by CISIApro is called the Mixed Holistic Reductionist approach (MHR). MHR tries to combine the holistic approach, where each infrastructure is seen as a whole, and the reductionist one, where each infrastructure is decomposed into its basic devices. MHR includes services, as a middle abstraction level, needed in order to obtain a more complete view of the overall system. Services are key components and indicators for infrastructure operators. Therefore, CISIApro can also assess the consequences of faults and cyber threats on services.
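    A minimal sketch of the agent idea described above, added here as an illustration; it is not CISIApro code and does not reproduce its algorithms. The five-agent topology, the coupling weights, the min-based update rule and the service grouping are all assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Agent:
    """Every element has the same structure, whatever infrastructure it belongs to."""
    name: str
    infra: str                                  # "electricity", "water" or "gas"
    inputs: dict = field(default_factory=dict)  # upstream agent -> coupling weight 0..1
    fault: float = 0.0                          # locally injected fault severity 0..1
    level: float = 1.0                          # operative level, 1.0 = fully working


# Services as the middle abstraction level: here a service is as healthy as
# the weakest device that delivers it (an assumption of this sketch).
SERVICES = {
    "power_distribution": ["plc_ring", "mv_feeder"],
    "water_supply": ["water_pump"],
    "gas_supply": ["gas_compressor", "gas_turbine"],
}


def build_model():
    """Constructed topology with a loop: feeder -> compressor -> turbine -> feeder."""
    agents = [
        Agent("plc_ring", "electricity"),
        Agent("mv_feeder", "electricity", {"plc_ring": 1.0, "gas_turbine": 0.5}),
        Agent("water_pump", "water", {"mv_feeder": 1.0}),
        Agent("gas_compressor", "gas", {"mv_feeder": 0.5}),  # 0.5: partial backup drive
        Agent("gas_turbine", "gas", {"gas_compressor": 1.0}),
    ]
    return {a.name: a for a in agents}


def propagate(agents, max_rounds=100, eps=1e-9):
    """Pass degradation downstream until no level changes; returns rounds used."""
    for agent in agents.values():
        agent.level = 1.0
    for rounds in range(1, max_rounds + 1):
        changed = False
        for agent in agents.values():
            # What each upstream agent still delivers, scaled by the coupling weight.
            received = [1.0 - w * (1.0 - agents[up].level)
                        for up, w in agent.inputs.items()]
            new_level = min([1.0 - agent.fault] + received)
            if abs(new_level - agent.level) > eps:
                agent.level, changed = new_level, True
        if not changed:
            return rounds
    raise RuntimeError("propagation did not converge")


def run_scenario(faults):
    """Inject faults (agent name -> severity) and return device and service levels."""
    agents = build_model()
    for name, severity in faults.items():
        agents[name].fault = severity
    propagate(agents)
    levels = {name: round(a.level, 6) for name, a in agents.items()}
    services = {svc: round(min(agents[n].level for n in members), 6)
                for svc, members in SERVICES.items()}
    return levels, services


if __name__ == "__main__":
    for label, faults in [("degraded ring-feeder PLC", {"plc_ring": 0.6}),
                          ("degraded gas compressor", {"gas_compressor": 0.8})]:
        levels, services = run_scenario(faults)
        print(label, levels, services)
```

    In the first scenario a fault in the IACS layer degrades the electricity and water services more than the gas service; in the second, a gas-side fault reaches the water service only through the electricity feeder, which is the cross-infrastructure cascade the text describes.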

    Delivered output: D2.4 “Hybrid modelling approach & interdependency analysis (interim report)” (classified report) has been delivered on time (M12). This contributes to milestone MS3.

    Deviation from DoA: None. It is worth noting that the deliverable D2.5 “Improved risk assessment to increase resilience and awareness (interim report)” was planned for M16 in the DoA. However, in agreement with the Project Officer, this was recognized as an evident typo, because in the same DoA the Task 2.5 “Risk assessment to increase resilience and awareness” – responsible for producing the results collected in D2.5 – is planned to start only in M24. In agreement with the Project Officer, the deadline to deliver D2.5 was delayed to M30, so any late flag for D2.5 is not to be considered an issue.

    3.2 WP3: IACS design for security

    3.2.1 Aim of the WP3 (as in the DoA)

    The first objective of this WP is to provide a common ground to the project by defining the overall ATENA architecture and the requirements for developing the prototype components of the other technological WPs. The second, and most important, objective of the WP is to improve the cyber-physical security of already existing IACS by producing the “off-line” or “slow control loop” component of the ATENA architecture defined so far.

    The main results of this WP will be:

    • the definition of the ATENA Requirements & Specifications;

    • the design of the ATENA architecture, including new paradigms and functionalities for IACS;

    • the analysis of the CI vulnerability to faults and cyber-physical attacks;

    • the definition of security metrics for IACS (based on Common Criteria);

    • the design & development of offline control/optimization strategies to improve IACS security and resilience.

    The WP leader is CRAT.

    3.2.2 WP Tasks active in the reference period

    • Task 3.1: Definition of ATENA System Requirements and Specifications (CRAT), Start: M1 – End: M18;

    • Task 3.2: ATENA Reference Architecture Design (CRAT), Start: M4 – End: M27.

    • Task 3.3: Analysis of Security Metrics and CI Vulnerabilities (CRAT), Start: M12 – End: M30.

    • Task 3.4: Off-line tool for optimal IACS design and configuration (CRAT), Start: M12 – End: M30.

    • Task 3.5: Risk analysis methodology and tools (ITRUST), Start: M16 – End: M24.

    Figure 3: Timing of WP3

    3.2.3 Work performed and achieved results

    Activities and results:

    • Task 3.1: Definition of ATENA System Requirements and Specifications (CRAT)

    Partners involved: FNM, CRAT, UNIROMA3, ENEA, IEC, ITRUST, UL, UC and IBS.

    Status: Completed.

    Activities in the period: The ATENA partners have cooperated to derive and discuss the set of requirements for the ATENA tool. To that end, the following main sub-tasks have been performed (see D3.1/ D3.6 [6] for details):

    1. Analysis of the state of the art on requirements and specifications of critical systems in the industrial and automation domain (also starting from the state of the art analysis performed in WP2). Key standards, scientific papers, orientation documents released by the reference US/EU agencies in this sector, past/ongoing research initiatives and products already available in this field have been assessed, in order to distil a comprehensive base of knowledge and benchmark to nurture the ATENA requirements definition process. In D3.1/D3.6 the analysis of the most significant documents reviewed so far is reported. More specifically:

    a. A total of ten security reports and qualified documents in the field.

    b. Three scientific papers providing recommendation on the elicitation of the requirements for critical systems.

    c. Several recommendations from the key standards and regulations investigated in D2.1 [5].

    d. Fourteen research projects in relevant fields.

    e. Twelve commercial and scientific tools available on the market.

    2. Definition and agreement on a common procedure for requirements elicitation, as well as contextualization of the role of this process in the frame of the whole project (see Figure 4).

    3. Assessment of the general ATENA vision, with the related main challenges, the involved stakeholders and the critical infrastructures candidates for potential inclusion within the scope of the project. A special focus has been devoted to selection of possible users, with the analysis of five usage stories.

    4. Assessment of the needs and expectations of the ATENA tool suite end-users, by means of dedicated discussion as well as the collection of end-user questionnaires prepared for this purpose. (The questionnaire consisted of sixteen selected questions).

    5. Derivation of a list of high level end-user requirements and a list of high level system requirements, for the ATENA tool suite.

    6. Derivation of traceability matrices to map system requirements on the corresponding user requirements, as a means of verifying the full coverage of the user requirements.

    7. Starting from the interim architecture developed in T3.2 the ATENA modules have been mapped to the ATENA modules, with the identification of the basic building blocks:

    a. Vulnerability management system

    b. Composer

    c. Intrusion detection layer

    d. Adaptors and secure mitigation network gateway

    e. Risk Predictor

    f. Mitigation Module

    g. Orchestration Module.


    Figure 4: Procedure to elicit the requirements

    8. Based on these modules, the detailed ATENA technical specifications have been defined.

    Delivered output:

    • D3.1 “ATENA System Requirements and Specifications (interim report)” (classified report) has been delivered on time (M6). This contributes to milestone MS2.

    • D3.6 “ATENA System Requirements and Specifications (final report)” (classified report) has been delivered on time (M18). This will contribute to future milestone MS4.

    • Task 3.2: ATENA Reference Architecture Design (CRAT)

    Partners involved: FNM, CRAT, UNIROMA3, ITRUST and UC.

    Status: In progress.

    Activities in the period: The ATENA partners have cooperated towards the definition of the high-level ATENA functional architecture, with the objective of specifying its main modules and their respective interfaces. The activities in this task have moved from the early outcomes of the project, preliminary discussion performed in Task 3.1 and the review of the requirements identified in the same task. The main activities performed in the reference period were:

    1. Definition of the methodology to be followed for the derivation of the ATENA architecture, consisting of four main steps, with a focus on:

    a. The identification and documentation of the main modules, in terms of functionalities performed and input/output description (i.e. inputs needed and outputs provided).

    b. Documentation of the interfaces among the modules.

    c. Sequence diagrams to check the consistency of the architecture in supporting the services to be provided by the ATENA tool suite.

    2. Study of reference techniques/frameworks for the drafting of architectures for security applications.

    3. Development and discussion, also by means of project meetings and dedicated face-to-face/remote conferences, of the ATENA functional architecture, including the main modules of the tool. The objective of deriving an ATENA functional architecture was to: i) identify the main modules of the ATENA tool suite and ii) define the respective functionalities and the interactions needed in order to support those functionalities.

    The interim version of the architecture is reported in the following figure, and is being further elaborated in the scope of the task. Its finalisation is expected in D3.7 due in M24.

    Figure 5: Interim functional architecture

    4. Preliminary assessment, starting from the functional architecture, of the communication architecture to support ATENA behaviour, with the specification of the communication flows between the different modules.

    Delivered output: D3.2 “ATENA Reference Architecture design (interim version)” (classified report) has been delivered on time (M12). This contributes to milestone MS3.

    • Task 3.3: Analysis of Security Metrics and CI Vulnerabilities (CRAT)

    Partners involved: FNM, CRAT, ROMA3, IEC, ITRUST, UL, UC

    Status: In progress.

    Activities in the period: During the reference period, the ATENA partners involved in T3.3 started the analysis and investigation of the state of the art to: i) assess the vulnerability of CI and IACS, ii) identify relevant threats, available countermeasures and specific system assets, and iii) define the approach and roadmap to be adopted to reach the goal of the Task. In this perspective, several existing methodologies have been studied and evaluated as starting point for the design of CI security metrics, the main ones being:


    • The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM)

    • IEC 62443: Network and system security for industrial-process measurement and control

    • Open Source Security Testing Methodology Manual (OSSTMM)

    • Attack surface theory.

    For all the analysed methodologies, an assessment matrix has been derived, summarizing the strengths and weaknesses of the approaches, as well as the applicability gaps for the ATENA specific domains.

    Starting from the identified gaps, a preliminary evaluation of innovative approaches to be put in place in the definition of the ATENA metrics has been carried out, following two potential roadmaps:

    • design of completely new approaches: challenging and smart, but at the same time more distant from immediate application due to the need of a formal sharing and validation within the security community (it may take several years to see a new security standard recognized and approved)

    • improvement/merging of consolidated approaches, with injection of innovative concepts and properly tailored to cope with ATENA peculiarities: while assuring the coverage of the identified gaps, such approaches are closer to their effective application and acceptance from the community.

    Solutions for both roadmaps are currently under investigation and a pros/cons analysis will be part of the work performed in this task.

    Potential approaches evaluated in this period include, but are not limited to:

    • The extension of the SPD (Security/Privacy/Dependability) metrics developed in the context of the nSHIELD project to cyber-physical CI

    • The definition of suitable centrality indices highlighting critical nodes/edges with respect to specific security features

    • The definition of a glossary of terms (coherent with the ATENA glossary initially defined in D2.1) that can be used as a common ground – with respect to specific security features/threats – between the cyber, cyber-physical and physical domains.

    In order to design a preliminary cyber-physical security metrics suitable to the CI-IACS domain, the abovementioned existing methodologies and innovative approaches are being analysed and evaluated.

    Delivered output: D3.3 “Analysis of Security Metrics and CI Vulnerabilities (interim version)” (classified report) has been delivered on time (M18). This will contribute to future milestone MS4.

    • Task 3.4: Off-line tool for optimal IACS design and configuration (CRAT)

    Partners involved: FNM, CRAT.

    Status: In progress.

    Activities in the period: The ATENA partners involved in T3.4 have started the research activities necessary to define a model/methodology suitable to solve the “Composable Security” problem in the Critical Infrastructure domain, i.e. the problem of finding a proper configuration for a given cyber-physical system that shall satisfy the desired security needs.

    In order to reach this challenging objective, an effective research strategy has been set up, with strict liaisons with task T3.3. These two tasks, T3.3 and T3.4, are indeed strongly linked due to the fact that both aim to address CIs’ vulnerabilities. While in T3.3 the objective is evaluating the overall security level of the CI with proper metrics, the aim of T3.4 is to find the optimal secure configuration of the CI, meeting a specified target reference security level, by the identification and the analysis of the vulnerabilities and their corresponding countermeasures.

    As a first activity, approaches in the state of the art have been analysed so as to identify their strengths and weaknesses as well as the gaps to be filled for application in the ATENA domains. The most significant approaches for optimal security configuration of complex systems analysed so far are:

    • The composable SPD approach developed within the EU project nSHIELD

    • Security Models for implementing security policies in cyber systems.

    A gap analysis has been performed, with the objective of providing indications and guidelines for tailoring such approaches to the ATENA application scenario. Then a preliminary effort has been made to extend consolidated methodologies to the cyber-physical domain, and in particular the methodologies developed in the context of the nSHIELD project: from Embedded Systems to cyber-physical CI.

    In addition to that, completely new approaches are currently under investigation to cope with the same problem. Considering that i) the aim of the task is to find a way to compute an optimal security configuration of the CI, and that ii) the security of a certain configuration is mainly reached by coupling vulnerabilities with corresponding countermeasures, then a candidate approach to solve this problem could pass through the assignment of a “priority” index to the possible countermeasures (i.e. security control actions) that can be put in place. Thanks to this index, countermeasures can be sorted and evaluated: in this perspective, the task has hence started to investigate methodologies for the prioritization of countermeasures, i.e. the identification of those countermeasures having a greater relevance for the security of the CI (i.e. high priority security controls). A good candidate for further investigation is an approach based on the definition of suitable centrality indexes highlighting critical nodes/edges in relational graphs with respect to specific security features: since the compromising of such critical elements would cause more damage on the overall system, the prioritization of security countermeasures to address their vulnerabilities could be an interesting aspect to investigate.
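    The centrality-based prioritization idea described above, as an added sketch that is not ATENA project code: betweenness centrality is used here as one possible choice of index, and the asset graph, countermeasure names and the normalization to [0, 1] are constructed assumptions.

```python
from collections import deque

# Constructed sample: directed reachability between assets of a small IACS.
# An edge a -> b means that b can be reached (and so attacked) from a.
ASSET_GRAPH = {
    "corp": ["gateway"],
    "gateway": ["scada", "historian", "eng_ws"],
    "hmi": ["scada"],
    "scada": ["plc1", "plc2", "rtu"],
    "eng_ws": ["plc1"],
}

# Constructed sample: candidate countermeasure -> asset whose vulnerability it addresses.
COUNTERMEASURES = {
    "Restrict gateway firewall rules": "gateway",
    "Harden SCADA server authentication": "scada",
    "Allow-list software on engineering workstation": "eng_ws",
    "Patch historian database": "historian",
    "Lock PLC1 program changes": "plc1",
}


def betweenness(graph):
    """Brandes' algorithm on a directed, unweighted graph.

    Returns (node_score, edge_score): how many shortest paths between other
    assets transit each node / edge, counting fractions when paths tie.
    """
    nodes = set(graph) | {w for outs in graph.values() for w in outs}
    node_score = dict.fromkeys(nodes, 0.0)
    edge_score = {(v, w): 0.0 for v, outs in graph.items() for w in outs}
    for s in nodes:
        sigma = dict.fromkeys(nodes, 0)   # number of shortest paths from s
        sigma[s] = 1
        dist = {s: 0}
        preds = {v: [] for v in nodes}    # predecessors on shortest paths
        order = []                        # nodes in non-decreasing distance
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in graph.get(v, ()):
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)  # dependency of s on each node
        for w in reversed(order):
            for v in preds[w]:
                share = sigma[v] / sigma[w] * (1 + delta[w])
                edge_score[(v, w)] += share
                delta[v] += share
            if w != s:
                node_score[w] += delta[w]
    return node_score, edge_score


def prioritize(countermeasures, node_score):
    """Rank countermeasures by the normalized centrality of the protected asset."""
    top = max(node_score.values()) or 1.0  # avoid dividing by zero on flat graphs
    ranked = [(name, asset, node_score.get(asset, 0.0) / top)
              for name, asset in countermeasures.items()]
    return sorted(ranked, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    node_score, edge_score = betweenness(ASSET_GRAPH)
    for name, asset, index in prioritize(COUNTERMEASURES, node_score):
        print(f"{index:5.3f}  {asset:10s} {name}")
    critical_edge = max(edge_score, key=edge_score.get)
    print("most transited link:", critical_edge, edge_score[critical_edge])
```

    Assets at the end of every path, such as the PLCs here, score zero because nothing transits them, so an index of this kind ranks transit points rather than the consequence of losing an endpoint.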

    Of course, all these approaches are moving from the identification/definition of a common lexicon – with respect to specific security features/threats – between the cyber, cyber-physical and physical domains, developed at the beginning of the task. Coherence and interactions with the reference taxonomy highlighted in WP2, as well as with the lexicon developed in Task 3.3, have been assured.

    The final aim of the methodologies investigated in this task is to define a tool for dealing with security issues in the long term (design, configuration and long-term strategies to meet the desired security level) belonging to different domains, and in particular to empower the concept of composable security in cyber-physical CIs.

    Delivered output: D3.4 “ATENA tools for optimal IACS design and configuration (interim version)” (confidential report) has been delivered on time (M18). This will contribute to future milestone MS4.


    • Task 3.5: Risk analysis methodology and tools (ITRUST)

    Partners involved: IEC, ITRUST.

    Status: In progress.

    Activities in the period: According to the Grant Agreement, this task involves several activities:

    • Adaptation of the risk analysis methodology tailored to the specific needs of CI protection. The methodology is expected to i) model dependencies in an asset-based risk assessment, ii) provide real-time monitoring of current risk and iii) provide current risk propagation from one asset to the depending asset.

    • Tailoring of the existing tools to CI protection needs according to the identified methodology.

    The methodology and related tools make it possible to provide reliable input in terms of Quality of Service to risk predictor systems according to the detection output.

    The task has started in M16 and the main activity performed has been the definition of a reliable methodology to assess the risk according to the Vulnerability Management System (advanced CVSS parameters) and Detection System (IDMEF message based on AVOIDIT taxonomy) output. In parallel with the definition of the methodology, a first round of development is in progress mostly focused on the topology modelling of CI assets to consider the dependencies and the risk propagation requirements and to be able to set an operational interface to monitor the current risk.

    Delivered output: none planned for this period.

    Deviation from DoA: None.

    3.3 WP4: Distributed Awareness

    3.3.1 Aim of the WP4 (as in the DoA)

    The main purpose of this WP is to develop solutions and components for distributed anomaly detection and risk assessment. The fact that new generations of IACS (as is the case for smart metering) are becoming distributed systems calls for new approaches capable of tackling the challenges introduced by the capillary nature of such infrastructures. In order to achieve this goal, several advanced strategies for distributed detection, anomaly detection and/or event correlation are researched, taking advantage of the extensive and heterogeneous expertise of the project partners. The work is split into two main lines of action:

    • Design and development of the detection agents, including domain-specific Honeypots and Honeynets, Shadow RTU, as well as specialized network and device probes to be added to the IACS.

    • Design and development of the Distributed Awareness Layer, which will be a Distributed Intrusion Detection System (DIDS), designed to fulfil the needs of IACS.

    The main results of this work package will be:

    • Distributed anomaly detection architecture for IACS (UC, UNIROMA3, CRAT, ITRUST);

    • New IACS-oriented components for anomaly detection and field-level security event acquisition (Shadow RTU, SCADA Honeypot – UC, Smart Extension - UNIROMA3);

    • Distributed vulnerability detection system such as software, configuration vulnerability detection systems (ITRUST, UC, UNIROMA3);


    • A Big Data SIEM, capable of providing a source dataframe for forensics and auditing purposes (ITRUST, UC and CRAT).

    The WP leader is UC.

    3.3.2 WP Tasks active in the reference period

    • Task 4.1: Requirements and Reference Architecture for the Cyber-physical IDS (UC), Start: M5 – End: M24.

    • Task 4.2: Distributed Intrusion and Anomaly Detection Strategies for IACS (UC), Start: M9 – End: M27.

    • Task 4.3: Design of the detection agents and security components (UL), Start: M12 – End: M30.

    • Task 4.4: Design of the Distributed IDS for IACS (UC), Start: M15 – End: M30.

    • Task 4.5: Evolved Big Data SIEM for Forensics and Auditing Support (UC), Start: M15 – End: M30.

    Figure 6: Timing of WP4

    3.3.3 Work performed and achieved results

    Activities and results:

    • Task 4.1: Requirements and Reference Architecture for the cyber-physical IDS (UC)

    Partners involved: UNIROMA3, ENEA, IEC, ITRUST, UL and UC.

    Status: In progress.

    Activities in the period: During the reporting period, the ATENA partners active in Task 4.1 have worked together in order to agree and define a set of requirements, as well as a first draft of the architecture for the Cyber-physical IDS (CPIDS). The CPIDS, as any other cyber detection layer, must be designed to provide insights and alerts about the security status of a protected infrastructure. Its operation model should be akin to a distributed heterogeneous IDS architecture, designed to acquire information from several different probes scattered around the infrastructure, which provide evidence about the security status of the protected IACS. Since Task 4.1 is proceeding in partial simultaneity with Task 3.1 (they overlap partially), an effort was undertaken in order to ease integration, by aligning external interfaces and data flows as soon as it was possible. The development of Task 4.1-related activities, which was documented in D4.1, followed a strategy composed of several sub-tasks, namely:

    1. Analysis of the state of art on Cyber-detection capabilities for IACS, encompassing existing literature and related components and products;

    2. Definition of a table of contents for deliverable D4.1, agreed between all the involved task partners;

    3. Identification, classification and prioritization of the desired CPIDS capabilities, in terms of evidence acquisition, transport, processing and forensics;


    4. Identification of the most relevant functional macro-modules, as well as the information flows between them;

    5. Identification of suitable data schemas for normalized information exchange and encoding;

    6. Identification of the adequate reliability and performance requirements for event passing;

    7. Analysis and evaluation of suitable architectures for differentiated large scale event processing.

    This effort was (and is, since D4.1 is an interim version) coordinated via regular meetings (face-to-face) and remote teleconferences with the WP4 partners, in order to better define and specify the functional modules of the CPIDS and their integration.

    Task 4.1 produced the first high-level draft of the ATENA cyber-security reference architecture, which is illustrated in Figure 7 and includes several components, namely: different types of probes, from conventional network and host components, to IACS field-specific ones; a Domain Processor per scope, backed by a Message Queuing (MQ) system; a distributed Security Information and Event Manager (SIEM), for the support of streaming and batch processing; a Data Lake, where all the data is stored; and, finally, a Forensics and Compliance Auditing (FCA) module, to enable a post-mortem analysis of the incidents or ongoing compliance validation of organizational security policies. Each of these modules is built on a distributed architecture, designed to accommodate and scale in/out according to the specific needs of the protected IACS (i.e. number of events, sources, multiple domains).

    Figure 7: Draft macro-architecture of the ATENA cyber-security platform

    As a result of this effort, Task 4.1 produced the interim version of its deliverable (D4.1), which documents and formalizes the requirements elicitation study that was undertaken. Besides the requirements and reference architecture for the IADS, this deliverable already delves into other related aspects such as probe integration (covering both management and eventing mechanisms), probe taxonomy, event transport and stream processing mechanisms and implementation strategy-related aspects (such as OWASP-compliance within the continuous delivery pipeline).

    Delivered output: D4.1, “Requirements and Reference Architecture for the cyber-physical IDS” (public report) has been delivered on time (M15). This will contribute to future milestone MS4.

    • Task 4.2: Distributed Intrusion and Anomaly Detection Strategies for IACS (UC)


    Partners involved: CRAT, ITRUST, UL and UC.

    Status: In progress.

    Activities in the period: During the reporting period, the ATENA partners active in Task 4.2 have been working together to analyse and select the most suitable techniques for distributed intrusion and anomaly detection. From a cyber-physical security (and even safety) perspective, the ability to process security data feeds from the detection agents in a (near) real-time fashion is a critical requirement, as well as the ability to analyse and correlate the information from multiple domains over larger periods of time. The latter case is particularly relevant in the case of slow-paced and multi-staged attacks, such as Advanced Persistent Threats (APTs), which may only be detected using a deeper analysis executed over larger time frames. In this perspective, the partners active in this task have been involved in discussing different aspects of the distributed detection capabilities to be embedded within the ATENA CPIDS, with focus on the following aspects:

    • Analysis of the specific characteristics of the stakeholder environments, in order to identify relevant protocols and strategic deployment points for probes;

    • Analysis of the state of art about modern IACS protocols and topologies, as well as their characteristics and shortcomings, in order to understand how to develop better detection capabilities;

    • Research about architectures for distributed event processing. Considering the specific and differentiated requirements for event analysis, a simplified lambda architecture pattern (see Figure 8) is being considered to provide the fundamental big data event processing capabilities.

    Figure 8: Simplified lambda architecture for the Detection Layer

    Lambda architectures accommodate both the needs for quick, as-fast-as-possible (or near real-time) event processing (for critical alerts requiring low reporting latency) and also slow-rate processing (to detect anomalous trends in big data sets).

    • Study and research on control-theoretic methods for the detection of attacks to CI networks has been carried out, focusing especially on the cyber-physical vulnerabilities that arise from the integration of cyber technologies with physical processes and undermine the reliability of the considered CI. In particular, such research activity was aimed at determining a comprehensive mathematical framework that models:

    ◦ Cyber-physical systems under attack as linear time-invariant descriptor systems subject to unknown input disturbances,

    ◦ Distributed monitors for attack detection and identification as bad data detectors embedding residual generators.

    Moreover, some structural conditions were identified, which not only determine the detectability and identifiability of attacks struck against the CI networks, but also
