• DocumentCode
    2445725
  • Title

    Detection, correlation, and visualization of attacks against critical infrastructure systems

  • Author

    Briesemeister, Linda ; Cheung, Steven ; Lindqvist, Ulf ; Valdes, Alfonso

  • Author_Institution
    SRI Int., Menlo Park, CA, USA
  • fYear
    2010
  • fDate
    17-19 Aug. 2010
  • Firstpage
    15
  • Lastpage
    22
  • Abstract
    Digital control systems are essential to the safe and efficient operation of a variety of industrial processes in sectors such as electric power, oil and gas, water treatment, and manufacturing. Modern control systems are increasingly connected to other control systems as well as to corporate systems. They are also increasingly adopting networking technology and system and application software from conventional enterprise systems. These trends can make control systems vulnerable to cyber attack, which in the case of control systems may impact physical processes causing environmental harm or injury. We present some results of the DATES (Detection and Analysis of Threats to the Energy Sector) project, wherein we adapted and developed several intrusion detection technologies for control systems. The suite of detection technologies was integrated and connected to a commercial security event correlation framework from ArcSight. We demonstrated the efficacy of our detection and correlation solution on two coupled testbed environments. We particularly focused on detection, correlation, and visualization of a network traversal attack, where an attacker penetrates successive network layers to compromise critical assets that directly control the underlying process. Such an attack is of particular concern in the layered architectures typical of control system implementations.
  • Keywords
    security of data; DATES; commercial security event correlation framework; cyber attack; digital control systems; intrusion detection technologies; network traversal attack; Control systems; Correlation; Intrusion detection; Monitoring; Process control; Servers; alert correlation; anomaly detection; control system security; critical infrastructure security; intrusion; security information event management
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Privacy Security and Trust (PST), 2010 Eighth Annual International Conference on
  • Conference_Location
    Ottawa, ON
  • Print_ISBN
    978-1-4244-7551-3
  • Electronic_ISBN
    978-1-4244-7549-0
  • Type

    conf

  • DOI
    10.1109/PST.2010.5593242
  • Filename
    5593242