Two national projects: Smart Grid Luxembourg Cockpit and IDS4ICS (28/06/2018) - PowerPoint PPT Presentation


SLIDE 1

Move securely within the cyberworld

itrust consulting s.à r.l., 55, rue Gabriel Lippmann, L-6947 Niederanven. Tel: +352 26 176 212 6, Fax: +352 26 710 978, Web: www.itrust.lu

Two national projects: Smart Grid Luxembourg Cockpit and IDS4ICS

  • Dr. Carlo Harpes

28/06/2018

SLIDE 2

0. Common concepts (also common with ATENA)

SLIDE 3

Idea 1: Independent security/risk monitoring

Independent tool for security at the management level (cf. MICIE)

Reference: H. Abdo, M. Kaouk, J.-M. Flaus, F. Masse. A new approach that considers cyber security within industrial risk analysis using a cyber bow-tie analysis. 2017. <hal-01521762>

SLIDE 4

Idea 2: Add more structure

SLIDE 5

Idea 3: Include security appliances and automate

(diagram label: Risk analysis)

SLIDE 6

Idea 4: Build upon TRICK Service

Tool for risk management of an ISMS based on a central knowledge base:

  • 1. Context & asset valuation (cf. 27005, 29134);
  • 2. Gap analysis (27002, 27019, IEC 62443, 27552, …);
  • 3. Qualitatively assess threats, vulnerabilities, risks;
  • 4. Quantified assessment of impacts and likelihoods;
  • 5. Risk treatment plan, sorted by phases and ROSI;
  • 6. DPIA compliant to GDPR, RAR compliant to CSSF.

(Slide reused from: itrust consulting - 10 year anniversary - June 21st 2017, slide 19 / 24)

SLIDE 7

Advantage of dynamic risk assessments

  Manual work        → Generate analysis from model
  Inconsistency      → Consistent dependency model
  Snapshot view      → Real-time
  Insufficient info  → Including logs and alerts

SLIDE 8

Logical architecture (diagram)

Static risk analysis → Dynamic & dependency-aware risk analysis → Risk monitoring platform

Inputs to the risk monitoring platform: Update check, Log monitor, Intrusion detection

Shared between the stages: Dependency model

(diagram axis: Manual … Automated)
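The dependency-aware step of the architecture, carried through as an added example; this is not code from the slides and not itrust's TRICK or DepOT implementation. The smart-meter back-end assets, the dependency weights, the impact values and the baseline likelihoods are all constructed for illustration. The point it shows is the one the slide makes: an alert raises the likelihood on one asset, and the dependency model propagates that change to every dependent asset so the expected-loss figures stay consistent instead of being edited one by one.

```python
"""Added example: dependency-aware risk update (not itrust's TRICK/DepOT code).

Assets form a directed dependency graph. An edge (A, B, w) means B depends on
A: if A is compromised or unavailable, the effect reaches B with strength w
(0 = no effect, 1 = full). The static analysis gives each asset an impact in
EUR and a baseline yearly likelihood. When monitoring raises the likelihood of
one asset, the change is propagated along the dependency model so the risk
figures of all dependent assets are recomputed from one consistent model.
Graph, weights and values below are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical smart-meter back-end dependency model: (upstream, downstream, weight).
DEPENDENCIES = [
    ("Firewall", "HeadEnd", 0.8),
    ("HeadEnd", "MeterDataMgmt", 0.9),
    ("MeterDataMgmt", "Billing", 0.7),
    ("Firewall", "VPNConcentrator", 0.6),
    ("VPNConcentrator", "HeadEnd", 0.5),
]

# Static risk analysis input (constructed): impact in EUR, baseline likelihood per year.
IMPACT = {"Firewall": 20_000, "VPNConcentrator": 15_000, "HeadEnd": 100_000,
          "MeterDataMgmt": 250_000, "Billing": 500_000}
BASE_LIKELIHOOD = {asset: 0.05 for asset in IMPACT}


def build_graph(edges):
    """Adjacency list upstream -> [(downstream, weight)], validating weights."""
    graph = defaultdict(list)
    for upstream, downstream, weight in edges:
        if not 0.0 <= weight <= 1.0:
            raise ValueError(f"weight out of range on {upstream}->{downstream}: {weight}")
        graph[upstream].append((downstream, weight))
    return graph


def propagate(graph, source, strength=1.0):
    """Strongest dependency path strength from source to every reachable asset.

    Path strength is the product of edge weights; the maximum over all paths is
    kept (best-first search, so cycles cannot increase a value already found).
    """
    best = {source: strength}
    frontier = [(strength, source)]
    while frontier:
        frontier.sort()               # graphs here are small; take the strongest entry
        s, node = frontier.pop()
        if s < best[node]:
            continue                  # stale entry: a stronger path was found later
        for downstream, weight in graph.get(node, []):
            candidate = s * weight
            if candidate > best.get(downstream, 0.0):
                best[downstream] = candidate
                frontier.append((candidate, downstream))
    return best


def dynamic_risk(graph, impact, base_likelihood, alerted_asset, likelihood_increase):
    """Recompute likelihood and expected loss per asset after an alert on one asset.

    The alerted asset gets the full increase; dependents get it scaled by the
    strongest dependency path; likelihood is capped at 1.
    """
    exposure = propagate(graph, alerted_asset)
    risks = {}
    for asset in impact:
        likelihood = min(1.0, base_likelihood[asset] + likelihood_increase * exposure.get(asset, 0.0))
        risks[asset] = {"likelihood": round(likelihood, 4),
                        "expected_loss": round(likelihood * impact[asset], 2)}
    return risks


def total_expected_loss(risks):
    """Sum of expected losses, the figure the cockpit tracks over time."""
    return round(sum(r["expected_loss"] for r in risks.values()), 2)


if __name__ == "__main__":
    graph = build_graph(DEPENDENCIES)
    before = dynamic_risk(graph, IMPACT, BASE_LIKELIHOOD, "Firewall", 0.0)
    after = dynamic_risk(graph, IMPACT, BASE_LIKELIHOOD, "Firewall", 0.5)
    for asset in IMPACT:
        print(f"{asset:16s} {before[asset]['expected_loss']:>10.2f} -> {after[asset]['expected_loss']:>10.2f} EUR")
    print("total expected loss:", total_expected_loss(before), "->", total_expected_loss(after))
```

With the constructed values, an alert on the firewall that adds 0.5 to its likelihood lifts the total expected loss from 44 250 EUR to 314 750 EUR; the head end sees the direct path (0.8) rather than the weaker path through the VPN concentrator (0.6 × 0.5), because only the strongest path counts.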

SLIDE 9

1. Smart Grid Luxembourg – Cockpit (SGLC) (2013-2017)

SLIDE 10

SGLC objectives

  • 1. Contribute to the security assessment and vulnerability search for the smart meter architecture (→ Dependency model)
  • 2. Pentest
  • 3. Conceive tools and methods for traffic analysis and IDS
  • 4. Design the feedback of detection information and its transformation into performance indicators to continuously update the estimated level of risks
  • 5. Integrate static risk assessment and dynamic feedback

Results (tools):

  • 1. Firewall log parser
  • 2. Linux Software Checker
  • 3. Dependency model
  • 4. TRICK Cockpit (TRICK Service + dynamic risk analysis)

SLIDE 11

TRICK Cockpit architecture

  • Firewall log parser
  • Software checker for Linux
  • IDS (work in progress)

SLIDE 12

TRICK screenshots

SLIDE 13

TRICK screenshots

Qualitative classification of the number of risks versus real-time monitoring of total expected losses

SLIDE 14

2. Intrusion Detection System for Industrial Control Systems (IDS4ICS)

SLIDE 15

DepOT (Dependency Overview Tool)

Open source: https://draw.trickservice.com/

SLIDE 16

TRICK API

(diagram) Security appliance → alert → Risk monitoring agent → risk → Risk monitoring platform

Example firewall log line (Check Point FireWall-1 format) received by the agent:

time=1496221744, loc=4176575, fileid=1496181541, action=deny, orig=172.16.255.94, i/f_dir=inbound, i/f_name=eth0.000, product=VPN-1 & FireWall-1, rule=12, src=10.76.251.12, s_port=34505, dst=10.76.251.4, service=20200, proto=tcp

The agent translates the alert into a time-dependent placeholder in the risk analysis.

SLIDE 17

TRICK API

Severity and half-life time per alert type (values as shown on the slide):

  SEVERITY | HALF-LIFE TIME
  0.9      | 0.1
  0.5      | 0.1
  1        | 0.2

Decay of an alert's contribution S after a time Δt, with initial severity S_0 and half-life T:

$$ S(\Delta t) = S_0 \cdot \left(\tfrac{1}{2}\right)^{\Delta t / T} $$
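The two TRICK API slides (the firewall log line and the severity/half-life decay) carried through in code, as an added example; this is not itrust's TRICK API or risk monitoring agent. The first log line is the one shown on slide 16; the other two lines, the action → (severity, half-life) mapping and the choice of seconds as the half-life unit are constructed assumptions.

```python
"""Added example: firewall-log alerts with half-life decay (not itrust's code).

A risk monitoring agent parses Check Point FireWall-1 style "key=value, ..."
log lines, turns the events that matter into alerts carrying a severity S_0
and a half-life T, and a risk indicator is computed at any time t as the sum
of the decayed contributions S(dt) = S_0 * (1/2) ** (dt / T), dt = t - t_alert.
The first sample line is the one shown on the slide; the other lines, the
action -> (severity, half-life) mapping and the unit (seconds) are constructed.
"""

SAMPLE_LOG = [
    # From the slide:
    "time=1496221744, loc=4176575, fileid=1496181541, action=deny, orig=172.16.255.94, "
    "i/f_dir=inbound, i/f_name=eth0.000, product=VPN-1 & FireWall-1, rule=12, "
    "src=10.76.251.12, s_port=34505, dst=10.76.251.4, service=20200, proto=tcp",
    # Constructed: an accepted connection (no alert) and a second deny 256 s later.
    "time=1496221800, loc=4176580, fileid=1496181541, action=accept, orig=172.16.255.94, "
    "i/f_dir=inbound, i/f_name=eth0.000, product=VPN-1 & FireWall-1, rule=3, "
    "src=10.76.251.20, s_port=40001, dst=10.76.251.4, service=443, proto=tcp",
    "time=1496222000, loc=4176590, fileid=1496181541, action=deny, orig=172.16.255.94, "
    "i/f_dir=inbound, i/f_name=eth0.000, product=VPN-1 & FireWall-1, rule=12, "
    "src=10.76.251.12, s_port=34506, dst=10.76.251.4, service=20200, proto=tcp",
]

# Assumed classification: which actions raise an alert, with (S_0, T in seconds).
ALERT_RULES = {
    "deny": (0.9, 3600.0),   # blocked attempt: high severity, halves every hour
    "drop": (0.5, 3600.0),
}


def parse_fw1_line(line):
    """Split a 'k=v, k=v' line into a dict; 'time' is converted to an int epoch."""
    fields = {}
    for part in line.split(", "):
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if "time" not in fields:
        raise ValueError("log line has no time field")
    fields["time"] = int(fields["time"])
    return fields


def alerts_from_log(lines):
    """Return one alert per log line whose action is listed in ALERT_RULES."""
    alerts = []
    for line in lines:
        f = parse_fw1_line(line)
        rule = ALERT_RULES.get(f.get("action"))
        if rule is None:
            continue
        severity, half_life = rule
        alerts.append({
            "time": f["time"], "severity": severity, "half_life": half_life,
            "src": f.get("src"), "dst": f.get("dst"), "service": f.get("service"),
            "fw_rule": f.get("rule"),
        })
    return alerts


def decayed_severity(s0, half_life, dt):
    """S(dt) = S_0 * (1/2) ** (dt / T); an alert from the future contributes nothing."""
    if half_life <= 0:
        raise ValueError("half-life must be positive")
    if dt < 0:
        return 0.0
    return s0 * 0.5 ** (dt / half_life)


def risk_indicator(alerts, now):
    """Time-dependent placeholder value: sum of all decayed alert severities at 'now'."""
    return sum(decayed_severity(a["severity"], a["half_life"], now - a["time"])
               for a in alerts)


if __name__ == "__main__":
    alerts = alerts_from_log(SAMPLE_LOG)
    last = max(a["time"] for a in alerts)
    for t in (last, last + 3600, last + 4 * 3600):
        print(f"t={t}: risk indicator = {risk_indicator(alerts, t):.3f}")
```

The indicator peaks right after the second deny (a little under 1.8 with the assumed values) and falls back towards zero as the alerts age, which is what a time-dependent placeholder in a static risk model needs: an event that counts fully when fresh and silently expires instead of having to be removed by hand.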

SLIDE 18

Self learning and clustering

Learn normal ("good") behaviour and create profiles ("clusters"): one network packet → one cluster of similar network packets (features: data rate, packet size).

Raise alerts on new clusters.

Add fading to adapt to changes over time.
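An illustrative implementation of the three points above (learn clusters of similar packets, alert on a new cluster, fade old clusters), as an added example; this is not the IDS4ICS code. The two features are the ones named on the slide, data rate and packet size; the feature scales, the cluster radius, the fading factor and the sample traffic are constructed assumptions.

```python
"""Added example: self-learning packet profiles with fading (not the IDS4ICS code).

Each packet is a (data rate in kB/s, packet size in bytes) observation. In the
learning phase, packets are grouped into clusters by distance to the nearest
cluster centre. In the detection phase a packet that fits no existing cluster
opens a new cluster and raises an alert. Fading multiplies every cluster's
weight per tick and forgets clusters whose weight falls below a threshold, so
a profile that is no longer refreshed by traffic becomes "new" again.
Feature scales, radius, fading factor and the sample traffic are constructed.
"""
import math

# Assumed feature scales: data rate up to 100 kB/s, packet size up to 1500 bytes.
FEATURE_SCALE = (100.0, 1500.0)


def normalise(packet):
    """Map (rate, size) onto [0, 1]^2 so both features weigh equally in distances."""
    return tuple(v / s for v, s in zip(packet, FEATURE_SCALE))


class ProfileLearner:
    """Online, distance-based clustering of (data rate, packet size) observations."""

    def __init__(self, radius=0.15, fade=0.9, forget_below=0.05):
        self.radius = radius              # max normalised distance to belong to a cluster
        self.fade = fade                  # weight multiplier applied on every tick
        self.forget_below = forget_below  # clusters lighter than this are dropped
        self.learning = True              # in learning mode new clusters are not alerts
        self.clusters = []                # dicts: centre (normalised), n, weight

    def _nearest(self, x):
        best, best_d = None, float("inf")
        for c in self.clusters:
            d = math.dist(c["centre"], x)
            if d < best_d:
                best, best_d = c, d
        return best, best_d

    def observe(self, packet):
        """Return None if the packet fits a known cluster, else an alert dict
        (or None in learning mode) after opening a new cluster for it."""
        x = normalise(packet)
        cluster, d = self._nearest(x)
        if cluster is not None and d <= self.radius:
            n = cluster["n"]              # running mean keeps the centre on the traffic
            cluster["centre"] = tuple((ci * n + xi) / (n + 1)
                                      for ci, xi in zip(cluster["centre"], x))
            cluster["n"] = n + 1
            cluster["weight"] += 1.0
            return None
        self.clusters.append({"centre": x, "n": 1, "weight": 1.0})
        if self.learning:
            return None
        return {"packet": packet, "nearest_distance": d,
                "known_clusters": len(self.clusters) - 1}

    def tick(self):
        """Fading step: age every cluster and forget those no longer refreshed."""
        for c in self.clusters:
            c["weight"] *= self.fade
        self.clusters = [c for c in self.clusters if c["weight"] >= self.forget_below]


def constructed_training_traffic():
    """Constructed 'good' traffic: slow SCADA polling and a few bulk transfers."""
    polling = [(4.5 + 0.05 * i, 90 + i) for i in range(20)]
    bulk = [(78.0 + i, 1380 + 5 * i) for i in range(5)]
    return polling + bulk


if __name__ == "__main__":
    learner = ProfileLearner(radius=0.15, fade=0.5, forget_below=0.05)
    for p in constructed_training_traffic():
        learner.observe(p)
    learner.learning = False
    print("clusters after learning:", len(learner.clusters))
    print("scan-like packet:", learner.observe((60.0, 64)))      # new cluster -> alert
    for _ in range(7):                                           # only polling continues
        learner.tick()
        learner.observe((5.0, 100))
    print("clusters after fading:", len(learner.clusters))
    print("bulk transfer after fading:", learner.observe((80.0, 1390)))  # forgotten -> alert
```

Two points worth noting from the run: the scan-like packet (high rate, tiny frames) lands far from both learned profiles and raises an alert immediately, and after several fading ticks in which only polling traffic is seen the bulk-transfer profile is forgotten, so a later bulk transfer is reported as new. Whether that second behaviour is wanted depends on the fading rate, which is the trade-off the slide's "adapt to changes over time" refers to.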

SLIDE 19

26.06.2018

Deployment diagram (labels): SCADA network and office network, each monitored by probes; intrusion detection; TRICK API; risk monitoring; TRICK Service (risk analysis tool); TRICK Service (web interface); DepOT (dependency modelling tool); DMZ.

SLIDE 20

Next steps

  • Merge with ATENA tools
  • Apply in the SCADA testbed
  • Find customers for pilot deployment

SLIDE 21

SLIDE 22

About itrust consulting

  • itrust consulting: an SME from Luxembourg specialising in information security systems, with four business lines:
  • Audit and hacking
  • Consulting, innovation, sourcing
  • Research and development
  • Training and awareness
  • Skills and products brought collectively by all 20 employees
  • Organisational and technical audits: ISMS, archiving, BCP/DRP management, data protection
  • Penetration testing: vulnerability scans and assessment, black- and white-box penetration tests, social engineering, certification and accreditation audits
  • Malware.lu CERT
  • Consulting, risk management: TRICK Service, DPIA, risk assessment on PKI and e-money, ISMS documentation, implementation
  • Licencing: Software Checker, AVCaesar
  • Research & Development: H2020, national
  • Standardisation

ISED 4/5/2018 itrust consulting: bIoTope: IoT (Security) Standards

SLIDE 23

About malware.lu CERT

CERT: Computer Emergency Response Team

  • Incident response
  • Forensic investigation
  • Malware analysis
  • R&D
  • Participation in international conferences (Defcon Las Vegas, hack.lu)
  • Knowledge transfer (APT1: technical backstage)

itrust consulting CERT respects the incident-handling guidelines provided by NIST:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Follow-up

What we learned operating a CERT

  • a lot on threats and malware,
  • that in the future, all organisations SHALL manage how to react to security incidents, i.e., have CERTs as partners / subcontractors.

SLIDE 24

About our research projects

On-going projects

  • ATENA (Advanced Tools to assEss and mitigate the criticality of ICT compoNents and their dependencies over infrAstructures)
  • bIoTope (Building an IoT OPen innovation Ecosystem for connected smart objects)
  • SGLC (SmartGrid Luxembourg - Cockpit): we will create a real-time risk monitoring tool for the Luxembourg smart meter network and similar ICS.
  • IDS4ICS (PhD by FNR): PhD project with UniLux and Institut Telecom on Intrusion Detection System and Risk monitoring for Industrial Control Systems

Former projects

  • FP7 CockpitCI (Cybersecurity on SCADA: risk prediction, analysis and reaction tools for Critical Infrastructures): CockpitCI defined and implemented an online distributed risk predictor, and designed a tool able to detect critical situations such as cyber attacks and enable reaction strategies.
  • FP7 TREsPASS (Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security): we led the development and integration of the TREsPASS tools, such as attack tree tools, TRICK Service, ...
  • DIAMONDS (security testing): we developed malwasm, malware.lu CERT, ...
  • ESA project LASP (Localisation Assurance Service Provider): the LASP project, led by itrust consulting, aimed at developing a demonstrator to ensure location correctness (subcontr. uni.lu).
  • FP7 Liveline: Live ICT services Verified by EGNOS to find Lost Individuals in Emergency situations
  • FP7 MICIE: design of a risk prediction tool for interdependent Critical Infrastructures
  • CELTIC BUGYO Beyond (Building security assurance in open infrastructure beyond): we developed TRICK light.
  • CIPS SPARC (Space Awareness for Critical Infrastructures): with Telespazio, Uni. Roma3, ...; the project will analyse the space threats and their impact and set up security good practice guidelines.
  • FP7 i-GOing (i-GalileO indoor navigation): Galileo-like signals by a network of pseudolites for indoor navigation

SLIDE 25

About our research qualities

  • Official: itrust consulting is registered as a research institution by the Luxembourg Ministry of Economy, the first without base funding
  • Committed: involved in research from the earliest days of its existence (MICIE and BUGYO Beyond from 2008)
  • Focused: dedicated research department
  • Culture: almost all technical personnel have been (or are) involved in research projects
  • Value: business always a target
  • Bold: unafraid to explore risky topics (e.g. blockchain)
  • Results-oriented: research successfully used to design/enhance itrust products (AVCaesar, Software Checker, TRICK products)