ICTDM2014 _ Towards Cyber-Security Protection of Critical Infrastructures by Generating Security Policy for SCADA Systems

June 4, 2016 | Author: Christophe Feltus | Category: Types, Presentations


Short Description

Presentation of "Towards Cyber-Security Protection of Critical Infrastructures by Generating Security Policy for SC...

Description

Towards Cyber-Security Protection of Critical Infrastructures by Generating Security Policy for SCADA Systems

Djamel Khadraoui, Christophe Feltus
Public Research Centre Henri Tudor, Luxembourg-Kirchberg, Luxembourg

March, 2014

Table of contents

• Introduction and ArchiMate «theory»
• State of the art
• Policy Concept and Metamodel Core
• Agent System Metamodel
  • Organizational Layer
  • Application Layer
  • Technical Layer
  • Inter-Layer Link
• Policy modelling
  • Organizational Policy
  • Application policy
• Case study in Financial CI
• Conclusions

Introduction

- Critical infrastructure is monitored and protected by a SCADA system
- SCADA operates at different abstraction levels of the CI
- SCADA is based on 3 functions:
  • data acquisition
  • alert correlation
  • policy instantiation and deployment
- SCADA is based on agents and agent systems (MAS)

=> NO INTEGRATED MODELING APPROACH TO INTEGRATE ALL DIMENSIONS.

ArchiMate «theory»

- http://pubs.opengroup.org/architecture/archimate2-doc/
- 3 abstraction layers (business, application and technical)
- ArchiMate core concepts: [Figure: ArchiMate core concepts]
- ArchiMate objective is to model enterprise architecture

State of the art

• Gaia: a framework for the development of agent architectures based on a lifecycle approach
• AUML and MAS-ML: extensions of the UML language for the modelling of MAS
• Prometheus: defines a metamodel of the application layer and allows generating organizational diagrams, role diagrams, class diagrams, sequence diagrams and so forth
• CARBA: provides a dynamic architecture for MAS similar to the middleware CORBA

Observation: no solution exists for modelling, in a common model, the different abstraction layers of a SCADA system.

Policy Concept and Metamodel Core

… the policy semantic: our goal is to introduce the Agent Policy as a core metamodel concept, acting as an intermediary to handle passive and active structures for the realization of a behaviour.

[Figure: Event, Context, Responsibilities]

• Event: something done by a Structure Element that generates an execution of a Policy.
• Context: configuration of Passive Structure that allows the Policy to be executed.
• Responsibility: a state assigned to an Agent (human or software) to signify its obligations and rights in a specific context.

Agent System Metamodel – Organizational layer

Organizational Policies are behavioural components of the organization whose goal is to provide an Organizational Service to a Role, depending on Events.

Agent System Metamodel – Application layer

The Application layer is used to represent the Application Components and their interactions with the Application Service derived from the Organizational Policy of the Organizational layer


Agent System Metamodel – Technical layer

The Technical layer is used to represent the structural aspect of the system. It highlights the links between the Technical layer and the Application layer, and how physical pieces of information called Artifacts are produced or used.

Agent System Metamodel – Interlayer links

• An Artefact of the Technical layer realizes a Data Object of the Application layer, which realizes an Organizational Object of the Organizational layer.
• The Application Service uses the Organizational Policy to determine the services it proposes.
• The Technical layer bases its Infrastructure Service on the Application Policy of the Application layer.

ArchiMate metamodel for MAS

Allows defining:
1. Organizational policy
2. Application policy

Organizational policy

The set of rules that defines the organizational Responsibilities and governs the execution, by the Organization domain, of behaviours that serve the Product domain in response to a Process domain occurred in a specific context, symbolized by a configuration of the Information domain.

Organizational Policy can be represented as a UML Use Case:

- Roles represent the Actors which have responsibilities in the Use Case.
- Collaboration concepts show the connections between them.
- Products, Value and Organizational Service provide the Goal of the Use Case.
- Pre and Post conditions model the context of the Use Case and are symbolized in the Metamodel as the Event concept (Precondition) and the Organizational Object (Pre/Post condition).

Application policy

The set of rules that defines the application Responsibilities and governs the execution, by the Application domain, of behaviours that serve the Data domain to achieve the application strategy.

UML provides support for modelling the behaviour performed by the Application domain as a Sequence Diagram. The configuration of the Data domain can be expressed as Preconditions of the Sequence Diagram and symbolized by the execution of a test-method on the lifeline of the diagram.

Petroleum distribution case study


ACE, PIE and RDP

Architecture’s components

• The ACE agent collects, aggregates and analyses network information. Confirmed alerts are sent to the PIE.
• The PIE agent receives a confirmed alert from the ACE, then sets the severity level and the extent of the network response (depending on the alert layer). The high level alert messages are transferred to the RDP.
• The RDP agent is composed of two modules:
  • The Cryptography Analysis (CA) is in charge of analysing the keys previously instantiated by the PIE.
  • The Component Configuration Mapper selects the appropriate communication channel.
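The ACE, PIE and RDP chain above, written with the Event / Context / Responsibility concepts of the policy metamodel, as an added Python example that is not part of the presentation or of the project's code. The event names, the two-observation threshold and the layer-to-severity table are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Event:
    name: str       # what happened, e.g. "confirmed_alert" (hypothetical name)
    payload: dict   # passive structure the Context is evaluated against

@dataclass(frozen=True)
class Policy:
    responsible: str                               # agent holding the Responsibility
    trigger: str                                   # Event name that executes the policy
    context: Callable[[dict], bool]                # configuration that must hold
    behaviour: Callable[[dict], Optional[Event]]   # may emit the next Event

# Hypothetical (severity, extent) per alert layer; the slides give no values.
RESPONSE = {"organizational": ("high", "network-wide"),
            "application": ("medium", "segment"),
            "technical": ("low", "host")}

def ace_correlate(p):
    # ACE: aggregate the observations and confirm the alert for the PIE.
    return Event("confirmed_alert", {"layer": p["layer"], "hits": len(p["observations"])})

def pie_decide(p):
    # PIE: set severity and extent from the alert layer, hand over to the RDP.
    severity, extent = RESPONSE[p["layer"]]
    return Event("alert_message", {"severity": severity, "extent": extent})

def rdp_deploy(p):
    # RDP: end of the chain; key analysis and channel selection are not modelled.
    return None

POLICIES = [
    Policy("ACE", "probe_report", lambda p: len(p["observations"]) >= 2, ace_correlate),
    Policy("PIE", "confirmed_alert", lambda p: p["layer"] in RESPONSE, pie_decide),
    Policy("RDP", "alert_message", lambda p: "severity" in p and "extent" in p, rdp_deploy),
]

def dispatch(event, policies=POLICIES):
    """Run each policy whose trigger and Context match; return the agents that acted."""
    acted = []
    for pol in policies:
        if pol.trigger == event.name and pol.context(event.payload):
            acted.append(pol.responsible)
            nxt = pol.behaviour(event.payload)
            if nxt is not None:
                acted.extend(dispatch(nxt, policies))
    return acted

# Constructed sample input, not data from the presentation.
REPORT = Event("probe_report", {"layer": "organizational", "observations": ["scan", "bad-login"]})
```

Calling `dispatch(REPORT)` walks the whole chain; a report whose Context does not hold stops at the agent whose policy refused it, which is where an unexpected gap in the response would show up during policy review.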


Focus on the alert correlation

Instantiation of the metamodel to engineer the 3 layers policies

At the application layer: Sequence diagrams:

Example of ArchiMate Instantiation of the ACE agent

Example of ArchiMate

Policies

Instantiation of all agents


Conclusions (1/2)

- SCADA are supported by increasingly used multi-agent systems (*), which are particularly appropriate in the context of critical architecture:
  • Heterogeneous system
  • Open solutions
  • Distributed components
- Lack of global architecture from MAS modelling
- Adapting ArchiMate® for a MAS usage

* Davidson, E.M.; McArthur, S.D.J.; McDonald, James R.; Cumming, T.; Watt, I., "Applying multi-agent system technology in practice: automated management and analysis of SCADA and digital fault recorder data," IEEE Transactions on Power Systems, vol. 21, no. 2, pp. 559-567, May 2006

Conclusions (2/2)

- ArchiMate® adaptation allowed:
  • Structuring of the policy concept,
  • Synchronizing the behaviour between many types of agents, spread over different types of critical architecture management components such as the alert correlation engine, the intrusion detection tools, and so forth.
- Acquiring Issuing financial validation by case study
  • Clarification of the connection between the synchronization of the event that is generated at the level of one component policy and the one that triggers policies to another component.

Acknowledgment

The research described in this paper is funded by the CockpitCI research project within the 7th Framework Programme (FP7) of the European Union (EU) (topic SEC2011.2.5-1 – Cyber-attacks against critical infrastructures – Capability Project).

Thank you for your attention! Any questions?
