Publications

18 Results

Forensic Investigation of Industrial Control Systems Using Deterministic Replay

2020 IEEE Conference on Communications and Network Security, CNS 2020

Walkup, Gregory W.; Etigowni, Sriharsha; Xu, Dongyan; Urias, Vincent U.; Lin, Han W.

From manufacturing plants to power grids, industrial control systems are increasingly controlled and networked digitally. While networking these systems together improves their efficiency and convenience to control, it also opens them up to attacks by malicious actors. When these attacks occur, forensic investigators should be able to determine what was compromised and which corrective actions need to be taken. In this paper, we propose a method to investigate attacks on industrial control systems by simulating the logged inputs of the system over time using a model constructed from the control programs. We detect any attacks that will lead to perturbations of the normal operation of the system by comparing the simulated output to the actual output. We also perform dependency tracing between the inputs and outputs of the system, so that attacks can be traced from the anomaly to their sources and vice versa. Our method can greatly aid investigators in recovering the complete attack graph used by the attacker using only the input and output logs from an industrial control system. To evaluate our method, we constructed a hybrid testbed with a simulated version of the Simplified Tennessee Eastman process, using a hardware-in-the-loop Allen-Bradley MicroLogix 1100 PLC. We were able to accurately detect all attack anomalies with a false positive rate of 0.3% or less.
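The replay-and-compare technique the abstract describes, as an added example that is not the paper's implementation: a model of the control program is re-executed over the logged inputs, each scan's modelled outputs are compared with the logged outputs, and an anomalous output is traced back through the rungs that feed it to the input tags an attacker could have used. The two-rung tank controller, the tag names, the log records and the forced pump output are all constructed for illustration; the Simplified Tennessee Eastman model and the PLC logs of the paper are not reproduced here.

```python
"""Deterministic replay of a PLC I/O log against a model of its control program.

Added example, not the paper's implementation: the two-rung control program, the
tag names, the log records and the injected attack are all constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Tags = Dict[str, object]


@dataclass(frozen=True)
class Rung:
    writes: str                      # output (or internal) tag this rung sets
    reads: Tuple[str, ...]           # tags the rung evaluates; these are the dependency edges
    logic: Callable[[Tags], object]


LOW, HIGH = 20.0, 80.0               # tank level set points (constructed)

# The control program, evaluated top to bottom once per scan like a ladder program.
PROGRAM = (
    # Fill pump: starts below LOW while enabled and latches on until HIGH is reached.
    Rung("pump_on", ("enable", "level", "pump_on"),
         lambda t: bool(t["enable"]) and (t["level"] < LOW or (t["pump_on"] and t["level"] < HIGH))),
    # Drain valve: open only while the level is above HIGH.
    Rung("valve_open", ("level",), lambda t: t["level"] > HIGH),
)
OUTPUTS = tuple(r.writes for r in PROGRAM)
READS = {r.writes: set(r.reads) for r in PROGRAM}


def scan(state: Tags, inputs: Tags) -> Tags:
    """One PLC scan: previous outputs plus fresh inputs in, new outputs out."""
    tags = {**state, **inputs}
    for rung in PROGRAM:
        tags[rung.writes] = rung.logic(tags)
    return {k: tags[k] for k in OUTPUTS}


def replay(log, initial_state: Tags):
    """Re-execute the program over the logged inputs and report every scan whose
    logged outputs disagree with the model's outputs."""
    state = dict(initial_state)
    anomalies = []
    for rec in log:
        expected = scan(state, rec["inputs"])
        diff = {k: (expected[k], rec["outputs"][k])
                for k in OUTPUTS if expected[k] != rec["outputs"][k]}
        if diff:
            anomalies.append((rec["t"], diff))
        # Resynchronise on the logged outputs, so a divergence is reported for each
        # scan it persists instead of cascading through the latch forever.
        state = dict(rec["outputs"])
    return anomalies


def trace_back(tag: str, seen=None) -> set:
    """Input tags that can influence `tag`, following rung reads transitively:
    an anomalous output traced back to the inputs an attacker could have used."""
    seen = set() if seen is None else seen
    if tag in seen:
        return set()
    seen.add(tag)
    if tag not in READS:             # written by no rung, so it is an input
        return {tag}
    return set().union(*(trace_back(src, seen) for src in READS[tag]))


def trace_forward(tag: str) -> set:
    """Output tags that `tag` can influence (the reverse direction)."""
    return {out for out in READS if tag in trace_back(out)}


# Constructed log: the level rises while enabled; from t=3 the pump output is held
# on although the level is above HIGH, the kind of write an attacker would force.
LOG = [
    {"t": 0, "inputs": {"enable": True,  "level": 10.0}, "outputs": {"pump_on": True,  "valve_open": False}},
    {"t": 1, "inputs": {"enable": True,  "level": 50.0}, "outputs": {"pump_on": True,  "valve_open": False}},
    {"t": 2, "inputs": {"enable": True,  "level": 79.0}, "outputs": {"pump_on": True,  "valve_open": False}},
    {"t": 3, "inputs": {"enable": True,  "level": 85.0}, "outputs": {"pump_on": True,  "valve_open": True}},
    {"t": 4, "inputs": {"enable": True,  "level": 90.0}, "outputs": {"pump_on": True,  "valve_open": True}},
    {"t": 5, "inputs": {"enable": False, "level": 60.0}, "outputs": {"pump_on": False, "valve_open": False}},
]
INITIAL = {"pump_on": False, "valve_open": False}

if __name__ == "__main__":
    for t, diff in replay(LOG, INITIAL):
        for tag, (want, got) in diff.items():
            print(f"t={t}: {tag} expected {want}, logged {got}; "
                  f"upstream inputs {sorted(trace_back(tag))}")
```

Two points worth noting. The replay restarts each scan from the logged outputs rather than the modelled ones, so a single forced write does not poison every later comparison through the latch; on a real log with analog outputs the equality test would become a tolerance. The dependency edges come from the rung definitions themselves, so the same model that detects the divergence also answers which inputs (here `enable` and `level`) could have produced it, and which outputs a suspect input can reach.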


Dynamic cybersecurity training environments for an evolving cyber workforce

2017 IEEE International Symposium on Technologies for Homeland Security, HST 2017

Urias, Vincent U.; Van Leeuwen, Brian P.; Stout, William M.S.; Lin, Han W.

A cybersecurity training environment or platform provides an excellent foundation tool for the cyber protection team (CPT) to practice and enhance their cybersecurity skills, develop and learn new knowledge, and experience advanced and emergent cyber threat concepts in information security. The cyber training platform is comprised of similar components and usage methods as system testbeds which are used for assessing system security posture as well as security devices. To enable similar cyber behaviors as in operational systems, the cyber training platforms must incorporate realism of operation for the system the cyber workforce desires to protect. The system's realism is obtained by constructing training models that include a broad range of system and specific device-level fidelity. However, for cyber training purposes the training platform must go beyond computer network topology and computer host model fidelity: it must include realistic models of cyber intrusions and attacks to enable the realism necessary for training purposes. In this position paper we discuss the benefits that such a cyber training platform provides, including a discussion of the challenges of creating, deploying, and maintaining the platform itself. With the current availability of networked information system emulation and virtualization technologies, coupled with the capability to federate with other system simulators and emulators, including those used for training, the creation of powerful cyber training platforms is possible.


Gathering threat intelligence through computer network deception

2016 IEEE Symposium on Technologies for Homeland Security, HST 2016

Urias, Vincent U.; Stout, William M.S.; Lin, Han W.

The threat landscape is changing significantly; the complexity and rate of attacks are ever increasing, and the network defender does not have enough resources (people, technology, intelligence, context) to make informed decisions. The need for network defenders to develop and create proactive threat intelligence is on the rise. Network deception may provide analysts the ability to collect raw intelligence about threat actors as they reveal their Tools, Tactics and Procedures (TTP). This increased understanding of the latest cyber-attacks would enable cyber defenders to better support and defend the network, thereby increasing the cost to the adversary by making it more difficult to successfully attack an enterprise. Using a deception framework, we have created a live, unpredictable, and adaptable Deception Environment leveraging virtualization/cloud technology, software defined networking, introspection and analytics. The environment not only provides the means to identify and contain the threat, but also facilitates the ability to study, understand, and develop protections against sophisticated adversaries. By leveraging actionable data, in real-time or after a sustained engagement, the Deception Environment may be easily modified to interact with and change the perception of the adversary on-the-fly. This ability to change what and where the attacker is on the network, as well as change and modify the content of the adversary on exfiltration and infiltration, is the defining novelty of our Deception Environment.


UVI Cyber-security Workshop Analysis

Kuykendall, Tommie G.; Allsop, Jacob L.; Anderson, Benjamin R.; Boumedine, Marc B.; Carter, Cedric C.; Galvin, Seanmichael Y.; Gonzalez, Oscar G.; Lee, Wellington K.; Lin, Han W.; Morris, Tyler J.; Nauer, Kevin S.; Foehse, Beth A.; Ta, Kim T.; Trasti, Jennifer T.; White, David R.

The cybersecurity consortium, which was established by DOE/NNSA's Minority Serving Institutions Partnerships Program (MSIPP), allows students from any of the partner schools (13 HBCUs, two national laboratories, and a public school district) to have all consortia options available to them, to create career paths and to open doors to DOE sites and facilities to student members of the consortium. As a part of this year's consortium activities, Sandia National Laboratories and the University of the Virgin Islands conducted a week-long cyber workshop that consisted of three courses: Digital Forensics and Malware Analysis, Python Programming, and ThunderBird Cup. These courses are designed to enhance cyber defense skills and promote learning within STEM-related fields.


Supply chain lifecycle decision analytics

Proceedings - International Carnahan Conference on Security Technology

Kao, Gio K.; Lin, Han W.; Eames, Brandon; Haas, Jason; Fisher, Alexis; Michalski, John T.; Blount, Jon; Hamlet, Jason; Lee, Erik; Gauthier, John H.; Wyss, Gregory; Helinski, Ryan H.; Franklin, Dustin R.

The globalization of today's supply chains (e.g., information and communication technologies, military systems, etc.) has created an emerging security threat that could degrade the integrity and availability of sensitive and critical government data, control systems, and infrastructures. Commercial-off-the-shelf (COTS) and even government-off-the-shelf (GOTS) products often are designed, developed, and manufactured overseas. Counterfeit items, from individual chips to entire systems, have been found in commercial and government sectors. Supply chain attacks can be initiated at any point during the product or system lifecycle, and can have detrimental effects on mission success. To date, there is a lack of analytics and decision support tools used to analyze supply chain security holistically, and to perform tradeoff analyses to determine how to invest in or deploy possible mitigation options for supply chain security such that the return on investment is optimal with respect to cost, efficiency, and security. This paper discusses the development of a supply chain decision analytics framework that will assist decision makers and stakeholders in performing risk-based cost-benefit prioritization of security investments to manage supply chain risk. Key aspects of our framework include the hierarchical supply chain representation, vulnerability and mitigation modeling, risk assessment and optimization. This work is a part of a long-term research effort on the supply chain decision analytics for trusted systems and communications research challenge.
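The four framework aspects the abstract lists (a hierarchical representation, vulnerability and mitigation modelling, risk assessment, optimization) in one small worked example. This is added illustration, not the paper's framework or its numbers: the system hierarchy, the vulnerabilities with their lifecycle stages, likelihoods and impacts, and the mitigations with their costs and effectiveness are all constructed. It goes slightly beyond the abstract in one respect, by comparing an exact budgeted selection against the ratio-based greedy choice that cost-benefit prioritization is often reduced to, to show why overlapping mitigations make the exact search worth doing.

```python
"""Budget-constrained selection of supply chain mitigations by residual risk.

Added example, not the paper's framework: the component hierarchy, vulnerabilities,
likelihoods, impacts, mitigations, effectiveness values and costs are all constructed.
"""
from itertools import combinations

# Hierarchical supply chain representation: system -> subsystems -> components.
HIERARCHY = {
    "mission_system": {"controller": ["firmware", "fpga"], "host": ["os"]},
}

# Vulnerabilities tied to a component and a lifecycle stage; risk = likelihood * impact.
VULNS = {
    "V1": dict(component="firmware", stage="development",   likelihood=0.30, impact=100),
    "V2": dict(component="fpga",     stage="manufacturing", likelihood=0.20, impact=80),
    "V3": dict(component="fpga",     stage="distribution",  likelihood=0.10, impact=80),
    "V4": dict(component="os",       stage="maintenance",   likelihood=0.25, impact=40),
}

# Mitigations: a cost and, per vulnerability, the fraction of likelihood they remove.
MITIGATIONS = {
    "code_review":             dict(cost=20, reduces={"V1": 0.6}),
    "trusted_foundry":         dict(cost=50, reduces={"V2": 0.9, "V3": 0.2}),
    "tamper_evident_shipping": dict(cost=10, reduces={"V3": 0.7}),
    "signed_updates":          dict(cost=15, reduces={"V4": 0.8}),
    "incoming_inspection":     dict(cost=25, reduces={"V2": 0.5, "V3": 0.5}),
}


def residual_likelihood(vuln_id, selected):
    """Independent mitigations compound: each removes its fraction of what remains,
    so two controls on the same vulnerability do not add up to their sum."""
    lik = VULNS[vuln_id]["likelihood"]
    for m in selected:
        lik *= 1.0 - MITIGATIONS[m]["reduces"].get(vuln_id, 0.0)
    return lik


def residual_risk(selected=(), components=None):
    """Expected loss over all (or the given) components after applying `selected`."""
    return sum(residual_likelihood(v, selected) * d["impact"]
               for v, d in VULNS.items()
               if components is None or d["component"] in components)


def risk_by_subsystem(selected=()):
    """Roll residual risk up the hierarchy so it can be reported per subsystem."""
    return {sub: residual_risk(selected, comps)
            for system in HIERARCHY.values() for sub, comps in system.items()}


def cost(selected):
    return sum(MITIGATIONS[m]["cost"] for m in selected)


def optimize(budget):
    """Exhaustive search over mitigation subsets: exact, and correct when mitigations
    overlap. Fine for a handful of options; larger portfolios need an ILP solver."""
    names = sorted(MITIGATIONS)
    best = ((), residual_risk())
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            if cost(subset) <= budget:
                r = residual_risk(subset)
                if r < best[1]:
                    best = (subset, r)
    return best


def greedy(budget):
    """Greedy by marginal risk reduction per unit cost, for comparison with optimize()."""
    chosen, remaining = [], budget
    while True:
        base = residual_risk(chosen)
        candidates = [((base - residual_risk(chosen + [m])) / MITIGATIONS[m]["cost"], m)
                      for m in MITIGATIONS
                      if m not in chosen and MITIGATIONS[m]["cost"] <= remaining]
        candidates = [c for c in candidates if c[0] > 0]
        if not candidates:
            return tuple(sorted(chosen)), base
        _, pick = max(candidates)
        chosen.append(pick)
        remaining -= MITIGATIONS[pick]["cost"]


if __name__ == "__main__":
    print("baseline risk", round(residual_risk(), 2), risk_by_subsystem())
    for budget in (50, 60):
        print(budget, "exact ", optimize(budget), "greedy", greedy(budget))
```

With a budget of 50 both methods pick code review, tamper-evident shipping and signed updates (residual risk 32.4 against a baseline of 64). At 60 the greedy ratio still spends its first units on the cheap shipping control and then cannot afford incoming inspection, while the exact search drops shipping for inspection and reaches 26. That gap is the point of modelling mitigations with explicit coverage rather than ranking them by a single benefit/cost number.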


Design of a physical security perimeter fencing system

Ross, Michael P.; Lin, Han W.

Design of a physical security perimeter fencing system requires that security designers provide effective detection, delay, and response functionalities with minimal nuisance alarms. In addition, the designers must take into consideration the security fence system life cycle cost (equipment and grounds maintenance), complexity of the terrain, safety, and environmental conditions (the location where the security fence will be installed). Often, these factors drive the security designers to design a perimeter intrusion detection and assessment system (PIDAS) that includes: (1) a larger than desired footprint, (2) one or more animal control fences to minimize the nuisance alarm rate (NAR), and (3) clear zones and an isolation zone to facilitate intrusion detection and assessment by keeping the fence lines clear of vegetation, trash, and other objects that could impede the security system's performance. This paper presents a two-tier PIDAS design that focuses on effective performance, specifically a high probability of detection and a low NAR, while minimizing the cost and the footprint of the system.
