Projects

Long-term business cooperation on a wide range of network design and security system implementation projects has raised our awareness of the (in)efficiency of existing commercial security solutions and of the operational and security shortcomings in process network operations. The existing market solutions (SIEM solutions, network surveillance, network communication baseline and anomaly detections, and ICS/SCADA firewalls) have been found to be insufficient in dealing with the identified issues. The purpose of the CEKOM project is to develop our own solutions, including technical systems, procedures and methodologies, that would contribute to better handling these issues.

The need for change, such as introducing new security and surveillance mechanisms, methodologies and procedures to the process network of a Croatian power utility, is also applicable to the process networks of other regional power utilities (Slovenia, Hungary, Serbia, North Macedonia and Bosnia-Herzegovina). As regional power grids face similar requirements and challenges, all solutions developed as part of the CEKOM project would be applicable at the regional level.

This CEKOM project will address these issues concerning process environments. This will be carried out through research and development activities focused on development of the following platforms:

Platform for collection, analysis and visualisation of communication flows, risk assessment and modelling of SCADA system security policies

Industrial research (Phase 1)

PROJECT ACTIVITY 1.1.

Start date: 1 July 2020
Conclusion date: 30 June 2021

Proponent: CS Computer Systems d.o.o.
Implementing partners: Končar KET d.d., HOPS d.o.o. and FER

Logical base

Based on CEKOM member experience, the processing networks of regional power utilities are merely a bundle of equipment and wires that transfer large quantities of data without knowing their type, quantity, time division or other details that would enable transparent understanding of the content of data transferred via these networks. The engineers and administrators responsible for security are not acquainted with the current data and control system behaviour trends (e.g., which connections are under greater or lesser load; which elements communicate amongst themselves, to what extent and in accordance with which protocols; what kind of information is transferred in these packages; and which systems have access to the Internet).

Particularly observable is the lack of knowledge and lack of control over the most critical communication lines – those in which station computers communicate with executive devices: PLCs, relays, and transformer stations. Specifically, these lines are characterized by ignorance about the ICS/SCADA commands and measuring data exchanged between the controlling and executive measurement layers of the processing network. Such a situation hinders informed management, implementation of security policies, and high-quality comprehensive control of the network. Establishing a mechanism of control, statistics and analytics of processing networks that support the TCP/IP type of network traffic and ICS/SCADA protocols is the first step towards enabling informed security management for industrial control systems.

Limited resources and time are available to manage the security of any system, including a control system. It is not possible to prevent every potential threat or eliminate every vulnerability; this is a process that begins by analysing the condition of the security system in question, and identifying the threats in its environment and potential damage that could be incurred. The result of this process – called risk assessment – is a list of problems which are to be solved, depending on their priority and available resources. A crucial problem in the process is the implementation of efficient and adequate risk assessment methods that are needed due to the specific characteristics of the control systems and, finally, validation of the assessment (i.e., determining whether an adequate risk assessment has been conducted). Risk assessment must therefore be a continuous process, as the conditions in cyber security are highly dynamic and subject to rapid change.

In the process of defining the security policy, it is important to ensure an adequate environment for experimenting to establish the efficiency and flaws of the solutions. Experimenting in real environments is difficult due to their sensitivity and the chances of errors that could potentially have devastating effects on both the control system and the system it controls. There are two additional problems: first, control environments are highly diverse, making experimenting more complex, and second, when experimenting, large quantities of data have to be collected for analysis, meaning that the control system will also be directly affected. As such, an environment that enables the testing of developed ideas and prototypes should be ensured for further development. This is best achieved by developing a developmental or simulation environment that enables experimenting without any risk for people or the environment, and that is as similar as possible to the real system that it emulates. This is a substantial challenge that the project team will have to face.

Project activity 1.1 includes the following industrial research activities: establishing laboratory infrastructure; researching the field of collecting, processing and visualisation of large quantities of data in the context of industrial protocols; and developing algorithms and prototypes of software components in these areas to isolate the most successful prototypes required for the development of the end platform prototype in the following activity 1.2.

Implementation method

This project activity will consist of the following sub-activities:

1. Establishing a developmental/simulation environment for CEKOM requirements

The development of solutions to improve control system security requires an experimental environment that allows for testing the efficiency and flaws of solutions. Experimenting in real environments is difficult due to their sensitivity and the chances of errors that could potentially have devastating effects on both the control system and the system it controls.

The goal is to establish laboratory infrastructure that can emulate various topologies and configurations of real control systems. This infrastructure should be easy to manage, controlled and suitable for collecting large quantities of data.

2. Conceptual design and piloting of the components crucial for collecting and storing SCADA control system data

In the first phase of the research, the situation in the reference environment (of the partner) will be scanned to identify all data and information available in control systems that are potentially interesting for the project’s target security analyses. This sub-activity will include identification of the sources of information relevant for security of the computer and network infrastructure. Based on the results, an initial system architecture for collection of the relevant data (e.g., catalogue of protected objects, systemic logs, etc.) will be defined. Particular attention will be paid to:

  • Adequate dimensions and robustness of the system, as required for the expected quantity of data and recorded events
  • Selecting the communication network (control network or an alternative structure)
  • Position of the storage system to prevent attacker’s access from the business network to the control network
  • Secure data collection method that will not affect the functionality of the control system or managerial processes

In this phase, a logical data model will be designed that enables unified storage of relevant information, data and events from SCADA systems.

3. Ascertaining the possibility of analysing the collected data by using advanced data processing and visualisation methods

In this phase of the research, the collected data will be analysed using advanced data processing and visualisation methods. The design of the computer networks and SCADA system will also be analysed. Research activities will focus on identifying optimal ways of processing and displaying the data to obtain better insight into all aspects of SCADA system security management, such as:

  • Identifying the components of the SCADA system (including physical and applicative components) and assessing how critical they are
  • Identifying communication flows in the SCADA environment
  • Visualising the collected and analysed data and displaying the architecture and elements of the SCADA systems while focusing on their mutual communication
  • Determining the possibility of data anonymisation, so that collected data may be published or shared with other researchers
  • Identifying the managed technical process

Several rough prototypes of the software components for data processing and visualisation in the laboratory infrastructure will be developed and the initial architecture and logical data model will be redefined in accordance with our insight and research results.

4. Ascertaining the possibility of assessing security risks and vulnerability of the control system based on what is known about SCADA systems (system components, risk assessment of components, communication flows)

  • Exploring the methodologies and algorithms for risk assessment in theory and practice
  • Establishing the sources of information for risk assessment and generating a catalogue of threats and vulnerabilities
  • Designing risk assessment methodologies and algorithms
  • Ascertaining the possibility of integrating modules with external systems for providing information on threats and vulnerabilities
  • Prototype implementation of algorithms and evaluation of concepts in the laboratory environment

Results
  • Laboratory infrastructure in place
  • Developed rough prototype modules of the future platform for best results in the laboratory environment
  • Modules developed for:
    • collecting and storing data with minimum effects on the observed (control) system
    • visualising the collected and analysed data and displaying the architecture and elements of the SCADA systems while focusing on their mutual communication
  • Developed methodology for identifying the communication baseline by using advanced data processing methods (defined data processing algorithms required for data structuring/classification)
  • Defined methodology for assessing security risks and vulnerability of the control system based on analysis results (system components, risk assessment of components, communication flows), combined with external (external to the system) information on vulnerability and threats
  • Experimental confirmation of the concept
  • Laboratory evaluation of the technological concept

Output indicators
  • Equipment procured and laboratory infrastructure in place
  • Rough module prototypes developed
  • Laboratory evaluation of the technological concept
  • Scientific and/or professional results published

Experimental development (Phase 2)

PROJECT ACTIVITY 1.2.

Date of beginning: 1 July 2021
Date of conclusion: 31 December 2021

Proponent: CS Computer Systems d.o.o.
Implementing partners: HOPS d.o.o. and FER

Logical base

Project activity 1.2 draws upon the results of project activity 1.1 and includes the activities of experimental development of the target platform by means of further implementation and integration of the developed prototypes in order to implement the technology in a relevant environment.

Implementation method

This project activity will consist of the following sub-activities:

1. Developmental activities on prototype implementation of the platform by integrating individual components for collecting data on related information and communication activities within SCADA systems and the implementation of algorithms required for data structuring/classification

2. Developing software modules for visualisation of collected data and integration with the data collecting module

3. Prototype implementation of the module for assessment of the control system security risks and vulnerabilities and integration with the components for data collection, analysis and visualisation

4. Integrated prototype evaluation

  • Testing the data from the operational environment by integrating them with existing platform components
  • Redefining the data model in accordance with the results
  • Working with tools for penetration testing and establishing vulnerabilities in laboratory conditions, and determining methods of scanning and assessment of control system component vulnerabilities
  • Real-time integration with online information sources

5. Implementing technology in a relevant environment

  • Implementing the required system and network elements in the operational environment and developing the software components required for demonstrating the technology in the operational environment of HOPS d.o.o. without affecting normal operation of the control system and security of the power-supply system operation (simultaneous collection of relevant operational data)

Results
  • Platform prototype developed for:
    • Collecting data with minimum effects on the observed (control) system
    • Identifying the components of the SCADA system (including physical and applicative components) and assessing how critical they are
    • Visualising the collected and analysed data and displaying the architecture and elements of SCADA systems while focusing on their mutual communication
    • Identifying communication flows within the SCADA environment
    • Possibility of proposing configurations of security mechanisms
    • Proposing an optimal arrangement of security mechanisms in the system based on user default criteria
    • Assessing the effects on the system by introducing security mechanisms
    • Assessing security risks and vulnerabilities of the control system based on analysis results (system components, risk assessment of the components, communication flows), combined with external (external to the system) information on vulnerability and threats
  • Evaluating the technology in an operational environment
  • Publishing scientific and/or professional results

Output indicators
  • Evaluating the technology in an operational environment
  • Publishing scientific and/or professional results

Platform for the active security management of SCADA systems

Industrial research (Phase 1)

PROJECT ACTIVITY 1.3.

Date of beginning: 1 January 2022
Date of conclusion: 31 December 2022

Proponent: CS Computer Systems d.o.o.
Implementing partners: HOPS d.o.o., FER and CERT

Logical base

The cyber security of control systems and SCADA systems has become as relevant as the fundamental requirement for their continuous, stable and unobstructed operation, given the successful breaches of several process environment control systems in recent years (Stuxnet, a German steel mill and Ukrainian power utilities last year). Integration of security mechanisms into control systems has become a necessity and a precondition for responsible process system management.

Although surveillance tools are widely available, they have not yet resolved the issue of the large quantities of data and information that administrators are required to process when comparing current communication flows with the reference flow. The quantity of data to be analysed in such situations cannot be processed with conventional data processing methods alone. This is why administrators mostly rely on their own experience when detecting deviations and assessing whether these deviations compromise the security of a processing system.

When traffic deviating from the communication baseline is detected through the automated application of advanced methods such as machine learning, it is possible to identify individual cases of possible attempts to compromise the security of a processing system.

Although it is very important to react swiftly and take corrective actions following the detection of anomalies or security incidents in a control system, administrators spend substantial time analysing numerous alarms when trying to decide how to react. This project addresses this issue by assessing the possibilities of introducing automated and semi-automated reactions, thus shortening the reaction time. In this, particular attention is paid to the issue of falsely detected anomalies. As anomaly detection systems are not perfect, it is possible that an event can be wrongly declared as an anomaly (false positive events) or that the system fails to declare certain events as anomalies (false negative events). Both situations pose a problem for control systems. False positive cases can lead to a reaction that could damage the control system. As for the false negative events, operators can place too much trust in the system and fail to react when necessary. This is an issue particularly with control systems, since they require deterministic behaviour, with no false reports.
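The comparison of current communication flows against a learned baseline, and the false positive problem described above, can be illustrated with a small detector. The following is an added example written for this page, not code from the CEKOM project: the per-minute flow records are constructed, the deviation threshold (k standard deviations) and the minimum spread floor are assumptions, and the reviewed-exceptions list stands in for an analyst's confirmation that a flagged flow is legitimate, so that a known false positive does not trigger an automated reaction.

```python
"""Communication-baseline deviation detection over constructed SCADA flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: per-minute flow summaries recorded during a learning window
# on an emulated control network. Fields: (src, dst, dst_port, proto, packets_per_minute)
LEARNING_WINDOW = [
    ("10.10.1.5", "10.10.2.20", 502, "tcp", 118),   # HMI -> PLC, Modbus/TCP
    ("10.10.1.5", "10.10.2.20", 502, "tcp", 122),
    ("10.10.1.5", "10.10.2.20", 502, "tcp", 120),
    ("10.10.1.5", "10.10.2.21", 2404, "tcp", 60),   # HMI -> RTU, IEC 60870-5-104
    ("10.10.1.5", "10.10.2.21", 2404, "tcp", 58),
    ("10.10.1.5", "10.10.2.21", 2404, "tcp", 62),
    ("10.10.1.9", "10.10.1.5", 22, "tcp", 5),       # engineering workstation -> HMI, SSH
    ("10.10.1.9", "10.10.1.5", 22, "tcp", 7),
    ("10.10.1.9", "10.10.1.5", 22, "tcp", 6),
]

# Constructed sample: one minute of current traffic to compare against the baseline.
CURRENT_MINUTE = [
    ("10.10.1.5", "10.10.2.20", 502, "tcp", 121),   # within the learned band
    ("10.10.1.5", "10.10.2.21", 2404, "tcp", 600),  # tenfold volume jump on the RTU link
    ("10.10.1.9", "10.10.2.20", 502, "tcp", 40),    # never-seen pair: workstation talking Modbus to the PLC
    ("10.10.1.9", "10.10.1.5", 22, "tcp", 6),       # within the learned band
]


def flow_key(record):
    """Identity of a flow: everything except the volume measurement."""
    src, dst, port, proto, _ = record
    return (src, dst, port, proto)


def learn_baseline(records):
    """Group learning-window records per flow; keep mean, spread and sample count of packets/min."""
    samples = defaultdict(list)
    for rec in records:
        samples[flow_key(rec)].append(rec[4])
    return {key: (mean(v), pstdev(v), len(v)) for key, v in samples.items()}


def detect_deviations(baseline, records, k=3.0, min_spread=1.0, reviewed_exceptions=frozenset()):
    """Return (flow_key, reason, detail) for every record that deviates from the baseline.

    k and min_spread are assumed tuning parameters: a flow is reported when its rate
    lies more than k spreads from the learned mean, and the spread is floored at
    min_spread so that a few identical samples do not produce a zero-width band.
    reviewed_exceptions holds flow keys an analyst has confirmed as legitimate; they
    are reported as 'suppressed' instead of raised, so a known false positive cannot
    drive an automated corrective action."""
    alerts = []
    for rec in records:
        key = flow_key(rec)
        rate = rec[4]
        if key in reviewed_exceptions:
            alerts.append((key, "suppressed", "analyst-reviewed exception"))
            continue
        if key not in baseline:
            alerts.append((key, "new_flow", f"{rate} pkt/min, no baseline for this flow"))
            continue
        mu, sigma, _ = baseline[key]
        spread = max(sigma, min_spread)
        if abs(rate - mu) > k * spread:
            alerts.append((key, "volume_deviation",
                           f"{rate} pkt/min vs baseline {mu:.0f} +/- {spread:.1f}"))
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_WINDOW)
    for key, reason, detail in detect_deviations(baseline, CURRENT_MINUTE):
        print(f"{reason:17s} {key[0]} -> {key[1]}:{key[2]}/{key[3]}  {detail}")
```

On the constructed input the detector raises the volume jump on the IEC 60870-5-104 link and the previously unseen workstation-to-PLC Modbus flow, and stays silent on the two flows inside their learned bands. Passing the workstation-to-PLC key in `reviewed_exceptions` turns that alert into a suppressed entry, which is the point the text makes about false positives: the record of the deviation is kept, but it is not allowed to drive a reaction against the control system.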

Project activity 1.3 includes industrial research activities that will develop the methodology and a prototype of an anomaly detection system within control systems by applying machine learning algorithms and a network of honeypot sensors. Possibilities of automated and semi-automated management of the communication and security infrastructure (depending on the anomalies identified) will also be assessed.

Implementation method

This project activity will consist of the following sub-activities:

1. Developing the methodology and prototype of an anomaly detection system in a control system by applying a machine learning algorithm and a network of honeypot sensors

  • Learning about the industrial processes to be simulated
  • Penetration testing in a laboratory environment to generate the malware traffic required during an anomaly-detecting analysis
  • Assessing the possibility of generating synthetic traffic
  • Developing the honeypot and honeynet solutions specialised for the control systems. The development goals are that the developed system should be easy to use, is able to emulate complex control networks, and guarantees safety and security
  • Assessing the possibility of detecting anomalies based on monitoring network traffic and the status of computer systems participating in the managerial process
  • Assessing the possibility of automated assessment of the risk created by an anomaly detected using advanced data-processing methods (machine learning)
  • Developing prototypes of the anomaly detection system components based on monitoring the status of the process being managed and the commands executed on such a process
  • Recognising compromised control or sensor channels, or incidents within them, by using a dynamic model of the process managed by the SCADA system (methodology: estimation procedures relying on the dynamic model of the managed process)
  • Laboratory evaluation of the technological concept

2. Assessing the possibility of automated and semi-automated management of communication and information infrastructure based on the anomalies identified

  • Exploring possible approaches to the elimination and prevention of identified anomalies and incidents
  • Exploring possible approaches to resolving the issue of detection of the root cause of the detected anomalies
  • Developing the methodology and prototype implementation of software components
  • Exploring the technologies applicable to automation of the operational procedures in an IT environment
  • Developing the prototype components needed to extend the system required for the SCADA system environment
  • Laboratory evaluation of the technological concept

Results
  • Ability to scan network traffic with or without malware impact
  • Prototype implementation of the system for detecting anomalies in a control system – laboratory evaluation of the technological concept
  • Developed prototypes of honeypot and honeynet systems
  • Identified mechanisms and tools enabling automated actions based on the detection mechanism
  • Developed algorithms for proposing corrections based on identified deviations from the communication baseline
  • Publishing scientific and/or professional results

Output indicators
  • Evaluating technology concept in laboratory environment
  • Publishing scientific and/or professional results

Experimental development (Phase 2)

PROJECT ACTIVITY 1.4.

Date of beginning: 1 January 2023
Date of conclusion: 30 June 2023

Proponent: CS Computer Systems d.o.o.
Implementing partners: HOPS d.o.o. and FER

Logical base

Project activity 1.4 draws upon the results of the industrial research carried out as part of project activity 1.3 and includes the experimental development of the target platform for the active security management of SCADA systems.

The goal is to incorporate the results of the preceding activity (individually evaluated in a laboratory environment) into the prototype of an integral platform for detecting anomalies in control systems and implementing corrective actions.

Implementation method

This project activity will consist of the following sub-activities:

1. Developing the prototype implementation by integrating individual components

  • Developing software modules for the visualisation of collected data
  • Evaluating the concept in an operational environment without affecting the normal operation of the control system and security of the power-supply system operation
  • Prototype integration of the anomaly detection system based on monitoring network traffic and the status of computer systems, and detecting anomalies based on managerial process monitoring
  • Prototype integration with components for automated management of the communication and information infrastructure
  • Developing the extensions required for integration with own and independent systems for control (SCADA) system surveillance

2. Implementing the technology in a relevant environment

  • Developing the software components required for demonstrating technologies in an operational environment

Results
  • Developed platform prototype for automated management of communication and information infrastructure of the SCADA system, based on the detected anomalies

Output indicators
  • Evaluating the technology in an operational environment
  • Publishing scientific and/or professional results

Remote control and surveillance system for industrial plants using secure communications protocols

This platform will result in two products:

1. SCADA system that includes communications protocols and auxiliary applications based on application of the IEC 62351 standard

2. Communication adapter of the protocol, which includes communication protocols and auxiliary applications based on application of the IEC 62351 standard

Industrial research (Phase 1)

PROJECT ACTIVITY 1.5.

Date of beginning: 1 July 2020
Date of conclusion: 30 June 2022

Proponent: Končar KET d.d.
Implementing partners: FER and CERT

Logical base

With the increasing use of different intelligent electronic devices, such as digital protective relays, and the overall modernisation of electrical energy systems, the influence of information infrastructure on the electrical energy network has increased substantially. Communications protocols have become key to the exchange of information and the management of the electrical energy system. Despite their importance, these protocols have included virtually no security measures to encrypt information, verify authorised use or enforce security policies. The protocols were designed for separate systems, and security relied on the physical isolation of process systems and on obscure, closed protocol implementations that had specialised roles in the system and were often supported by only a single manufacturer.

With the increasing requirements for interoperability, new, standardised and open protocols were developed. As the electricity market developed, the significance of information increased dramatically, even without attacks, and meanwhile these process systems became at least indirectly linked with other systems. This new context brought an altered security perspective. With the increase in the general availability of information technology, threats such as hacker attacks aimed at the electricity market have become more likely and easier to carry out.

For these reasons, it was necessary to develop adequate program support for communications protocols in existing SCADA systems, so as to prevent simple hacker attacks against systems used in industrial automation. An important security element was based on the physical inaccessibility of computer systems in industrial automation subsystems. Through the use of ordinary communications media (Ethernet, TCP/IP) and standardised information technology (Win OS, Java, .NET), systems can become significantly more exposed to vulnerabilities that can be abused by malicious users. Therefore, the use of ordinary techniques to protect applications and information flows is a fundamental requirement for security implementation in SCADA systems.

An additional requirement is the specific application of industrial protocols in cases of real-time communications, which demands a separate means of applying the technological solutions for information security. Finally, even the most carefully specified technical requirements for communications equipment and protocols often cannot be implemented in industrial automation systems, where several dozen generations of equipment are in simultaneous use. The typical life cycle of automation equipment is significantly longer than that of ordinary office equipment. This requires establishing a suitable procedural framework for the sustainable use of cybersecurity systems in industrial automation.

Implementation method

This project activity will consist of the following sub-activities:

1. Conceptual design of a modern architecture of industrial automated systems, with special emphasis on security

  • Designing the desired properties and elements of security architecture of industrial automated systems
  • Researching specific ways to apply existing technological solutions for information security due to the specific applications of industrial protocols for real time communications

2. Analysis of the IEC 62351 and IEC 62443 standards

  • Researching the applicability of IEC 62351 and IEC 62443 standards to existing SCADA systems
  • Technical analysis of IEC 62351 and IEC 62443 standards
  • Development of implementation architecture for IEC 62351 and IEC 62443 standards

3. Participation in the relevant IEC and HNZ standardisation boards (IEC TC57)

  • Analysis of IEC 62351 and IEC 62443 standards with the aim of focusing on technological implementation requirements for successful use
  • Discussion of the proposed solutions through participation in standardisation bodies and boards
  • Setting new industry trends and technological solutions that offer a significant technological and market step up for first implementers

4. Analysis of existing industrial automation systems in key infrastructure

  • Identification of security issues in the architecture and implementation of existing automated systems
  • Analysis of ways and possibilities to upgrade and improve automation systems in key infrastructure

5. Defining the methodology for development of automation software and hardware, with special emphasis on security

  • Determining the methodology for the development, implementation, and testing of functionalities that enable secure information communication and uninterrupted operation of the SCADA application

6. Prototype implementation of the standards IEC 62351 and IEC 62443

  • Development of the prototype components for end-to-end information security of industrial protocols

7. Testing prototype implementation in a simulation environment and at international security testing workshops

  • Testing functionality and interoperability of prototype implementations using simulators, and components and devices of other manufacturers, with the aim of determining the suitability of implementation and altered functionalities

Results
  • Specified module architecture for the implementation of the IEC 62351 and IEC 62443 standards
  • Specified methodology for component development, with a security emphasis
  • Report on critical infrastructure system security and identification of possibilities for improvement and upgrading
  • Contributions to standardisation bodies
  • Establishment of an environment and laboratory validation of technological concepts
  • Selected rough module prototypes that give the best results

Output indicators
  • Laboratory validation of the technological concept
  • Publication of scientific and/or professional results

Experimental development (Phase 2)

PROJECT ACTIVITY 1.6.

Date of beginning: 1 July 2022
Date of conclusion: 30 June 2023

Proponent: Končar KET d.d.
Implementing partners: FER and CERT

Logical base

In order to facilitate prototype testing and interpretation of results, it is necessary to develop an operational environment that enables testing and guides further development. Laboratory equipment includes equipment of a number of representative manufacturers, such as ABB, Siemens, GE, etc.

Implementation method

This project activity will consist of the following sub-activities:

1. Implementation and demonstration of technology in an operational environment

  • Development of software components necessary for the demonstration of technology in an operational environment
  • Development of guidelines for the sustainable execution of the integration of new software components in an environment consisting of a large share of older generation components

2. Development of a platform for penetration testing of industrial automated systems

3. Implementation of penetration testing

  • Identifying vulnerabilities, attempting to exploit the discovered vulnerabilities, and seeking methods to remove or mitigate them

Results
  • Developed platform prototype
  • Validation of the technology in an operational environment
  • Publication of scientific and/or professional results

Output indicators
  • Validation of the technology in an operational environment
  • Publication of scientific and/or professional results