by Florian Skopik and Thomas Bleier
Cyber-attacks are becoming increasingly sophisticated, targeted and coordinated. Consequently, new paradigms are required for detecting attacks in critical cyber-physical systems, such as the smart grid. Many attack detection tasks are currently performed within individual organizations, and there is little cross-organizational security information sharing. Information sharing is a crucial step to acquiring a thorough understanding of large-scale cyber-attack situations, and is necessary to warn others against threats.
The smooth operation of critical infrastructures, such as telecommunications or electricity supply, is essential for our society. In recent years, however, operators of critical infrastructures have increasingly struggled with cyber security problems [1]. Through the use of standard ICT products and increasing network interdependencies [2], the surfaces and channels of attack have multiplied. New approaches are required to tackle this serious security situation. One promising approach is the exchange of network monitoring data and status information of critical services across organizational boundaries with strategic partners and national authorities. The main goal is to create an extensive situational awareness picture of potential threats and ongoing incidents, which is a prerequisite for effective preparation and assistance in large-scale incidents.
The Challenges of Sensitive Information Sharing
In practice, security information sharing is usually accomplished via ad-hoc and informal relationships. Often, national Computer Emergency Response Teams (CERTs) assume the role of a contact point for coordinating and aggregating security incident reports. However, the information that is provided is usually not targeted to particular vertical industry sectors, such as power grids. We suggest that sector-oriented views, along with rich information and experience reports, are required to make such platforms more effective. Furthermore, there is a crucial trade-off to be considered: existing platforms require information to be verified centrally (in order to avoid hoaxes); therefore, the speed of information distribution suffers. Timeliness of information is very important when protecting against aggressive attackers and zero-day exploits. Consequently, there is a need for new standards that employ suitable direct sharing models, which allow the targeted exchange of specific information about discovered vulnerabilities of ICT systems utilized in critical infrastructure control systems, as well as current threats (such as new SCADA (supervisory control and data acquisition)-targeted malware) and recent incidents. The application of these standards further implies the existence of a federated trust and reputation model to address the reservations of users, and to attract a critical mass of users. This is also in line with the objectives of the recently introduced European "Network and Information Security" (NIS) directive [3]. NIS explicitly recommends the implementation of national cyber security centres, which are not only informed about the security status of the national critical infrastructure providers, but also play a coordinating role in the prevention of, and protection from, attacks.
Figure 1: Overview of CIIS Research Efforts
The Project “Cyber Incident Information Sharing” (CIIS)
The research project “Cyber Incident Information Sharing” (CIIS) aims to develop methods and technologies for the exchange of information on cyber incidents, in order to better defend against cyber-attacks and to streamline the analysis of current threats. CIIS assumes that preventive mechanisms and resilient architectures for critical infrastructures are in place. If, despite these measures, an attack is successful, a number of countermeasures are being studied (see Figure 1). In particular, a novel anomaly detection mechanism is being developed, which utilizes large-scale event processing and correlation to detect anomalous system behaviour. This anomaly detection approach is specifically designed so that incident information sharing can be built on top of it in a privacy-preserving way. In order to draw conclusions from exchanged data about current threats, and to enable an assessment of current risks and of concrete actions to be deployed, further tools for interactive analysis and visualization and for establishing situational awareness for technical operations personnel are being developed. Exchanging best practices for dealing with cyber-attacks and providing aid to affected organizations mitigates the impact of successful cyber-attacks and ensures fast recovery.
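The two ideas in the preceding sections, privacy-preserving sharing of detection output across organizational boundaries and a direct sharing model in which reports are consumed immediately but weighted by a reputation model instead of waiting for central verification, can be made concrete in a few dozen lines. The following is an added illustration written for this article; it is not code from the CIIS project, and the organization names, internal address ranges, secret, reputation values and event records are all constructed. Internal hosts are replaced by keyed pseudonyms (HMAC-SHA256 under a per-organization secret), so a partner can still see that repeated sightings hit the same internal asset without learning which one, while the external indicator and the detection category are passed through unchanged. Reports about the same indicator from several organizations are then combined into one confidence value, each weighted by the reporter's reputation, and reputations are adjusted when a report is later confirmed or turns out to be a hoax.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed values for this illustration (not from the CIIS project).
ORG_SECRET = b"constructed-example-secret"        # per-organization pseudonymization key
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]  # the sharing org's own ranges


def pseudonymize(value: str, secret: bytes = ORG_SECRET) -> str:
    """Keyed pseudonym: stable within one organization, so partners can correlate
    repeated sightings of the same asset, but not invertible without the secret."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def is_internal(ip: str) -> bool:
    """Internal means 'inside one of the ranges the organization declared'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def sanitize_event(event: dict, secret: bytes = ORG_SECRET) -> dict:
    """Produce the record that may leave the organization: internal addresses
    become pseudonyms, hostnames and user names are dropped, everything else
    (external indicator, detection category, reporting org) is kept."""
    shared = {k: v for k, v in event.items() if k not in ("hostname", "user")}
    for key in ("src_ip", "dst_ip"):
        ip = shared.get(key)
        if ip and is_internal(ip):
            shared[key] = "pseudo:" + pseudonymize(ip, secret)
    return shared


def combine_confidence(reports, reputation):
    """reports: iterable of (org, indicator, confidence in 0..1).
    Each report is weighted by its org's reputation; reports about the same
    indicator are treated as independent evidence, so the combined confidence
    is 1 - prod(1 - reputation*confidence). Returns {indicator: confidence}."""
    by_indicator = defaultdict(list)
    for org, indicator, conf in reports:
        by_indicator[indicator].append(reputation.get(org, 0.1) * conf)
    combined = {}
    for indicator, weights in by_indicator.items():
        p_all_wrong = 1.0
        for w in weights:
            p_all_wrong *= 1.0 - w
        combined[indicator] = round(1.0 - p_all_wrong, 4)
    return combined


def update_reputation(reputation, org, confirmed, step=0.1):
    """Confirmed reports earn a small increase; hoaxes cost twice as much,
    which is the incentive a direct sharing model relies on instead of
    central pre-verification. Result is clamped to 0..1."""
    cur = reputation.get(org, 0.5)
    new = cur + step if confirmed else cur - 2 * step
    reputation[org] = max(0.0, min(1.0, new))
    return reputation[org]


# Constructed detector output from two organizations seeing the same external host.
RAW_EVENTS = [
    {"org": "orgA", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "hostname": "scada-hmi-01", "user": "operator", "category": "scada-malware-beacon"},
    {"org": "orgB", "src_ip": "203.0.113.7", "dst_ip": "192.168.1.20",
     "hostname": "rtu-gateway", "user": "svc", "category": "scada-malware-beacon"},
]


def share_and_assess(events=RAW_EVENTS, reputation=None):
    """Sanitize each event for sharing, then combine the shared reports."""
    if reputation is None:
        reputation = {"orgA": 0.9, "orgB": 0.5}   # constructed starting reputations
    shared = [sanitize_event(e) for e in events]
    reports = [(e["org"], e["src_ip"], 0.8) for e in shared]
    return shared, combine_confidence(reports, reputation)


if __name__ == "__main__":
    shared, confidence = share_and_assess()
    for rec in shared:
        print(rec)
    print(confidence)
```

The pseudonymization key is deliberately per organization: it lets a partner say "the same internal asset was hit three times" without being able to compare pseudonyms across organizations or reverse them, which is the property the privacy-preserving sharing layer above needs. The combination rule treats reports as independent evidence; a reputation below one means even an unverified report from a well-regarded partner is acted on quickly, while a low-reputation source alone never pushes confidence high on its own.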
CIIS Project Consortium
In order to attain these ambitious goals and ultimately ensure the wide applicability of the developed tools, the project consortium consists of a mix of experts with thorough knowledge of security (Austrian Institute of Technology), visualization and situational awareness (VRVis Forschungs GmbH), and critical infrastructure operation (T-Systems Austria, Energie AG). Additionally, the involvement of experts in the field of social sciences (Institute for the Sociology of Law and Criminology, Netelligenz e.U.) is essential to illuminate issues of trust and privacy in the exchange of sensitive information and to investigate incentives to participate in such initiatives. In addition to the development of scientific methods, demonstrating applicability in a real-world environment is of paramount importance in order to test and evaluate the planned system. Pilot cases are supported by operators of critical infrastructures on the one hand, and by national authorities (Ministry of the Interior, Ministry of Defence and Sports) on the other.
Moreover, CIIS consortium members are actively involved in international initiatives, such as the Multinational Capability Development Campaign (MCDC), which enables beneficial collaborations across Austria’s borders. CIIS is a two-year national project running from 2013 to 2015 and is financially supported by the Austrian security-research program KIRAS and by the Austrian Ministry for Transport, Innovation and Technology (BMVIT).
[1] R. Langner: “Stuxnet: Dissecting a cyberwarfare weapon”, IEEE Security & Privacy, 9(3), 49-51, 2011.
[2] S. M. Rinaldi: “Modeling and simulating critical infrastructures and their interdependencies”, IEEE HICSS, 2004.
[3] Commission Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union; http://ec.europa.eu/digital-agenda/en/news/commission-proposal-directive-concerning-measures-ensure-high-common-level-network-and, 07/02/2013.
Florian Skopik and Thomas Bleier
Austrian Institute of Technology, AIT/AARIT, Austria