2017 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM)

Diagnostics and Assessment of the Industrial Network Security Expert System

Polina Repp
Electrical Engineering Department
Perm National Research Polytechnic University
[email protected]

Abstract—The paper dwells on the design of a system for the diagnostics and expert assessment of the significance of threats to the security of industrial networks. The proposed system is based on a new classification of cyber-attacks and presupposes the existence of two structural blocks: a virtual model of the industrial network based on the scan of selected nodal points, and a generator of cyber-attack sets. The quality of the diagnostics and expert assessment is improved by the use of Markov chains or the Monte Carlo numerical method. The numerical algorithm for generating cyber-attack sets is based on the LPτ-sequence.

Keywords—Cyber-attack; Network Security; Industrial Safety; Classification; Vulnerability

I. INTRODUCTION

Currently, providing security is one of the most urgent problems in all spheres of human activity. In accordance with socio-economic requirements, the regulatory and legal base, technical regulations and control algorithms are changing. Since modern society cannot exist without information technology, protection against cyber threats is a pressing problem. The design of security algorithms and the creation of new ways of hacking form a mutually interconnected and dynamic process. The evolution of cyber danger moves from localized to global threats. If several years ago the target of an attack was a person (theft of bank cards, e-mail, etc.), now cybercriminals are setting more ambitious targets. For example, in November 2010 a Belarusian hacker disabled a uranium enrichment plant centrifuge in Iraq for a week. Using a previously unknown Windows OS vulnerability, the attacker used a Trojan to gain access to the SQL database management system.
The investigation of this case has not been completed. In 2012, a power plant in the USA was disabled for three weeks. Ten computers of the control system were infected with the Mariposa virus, which was brought in on a disc by a technician from an outside organization. In Germany, the control system of an entire steel plant was damaged in late 2014. The result of the attack by a group of hackers, who used social engineering to gain network access, was that one of the blast furnaces could not be shut down in the required manner. This is not a full list of accidents at major industrial enterprises and in social infrastructure. Since 2008 there has been a special international RISI database , which contains general information on such incidents since 1982.

The typical structure of the automated process management system of an enterprise includes: production, storage, distribution, transportation, support and office activities. Each element has its own sub-network, and together they make up the industrial enterprise network. Although each of these is equally vulnerable to cyber-attacks, the specific impact of attacks on each sub-network is different, as shown in Table I.

TABLE I. THE SPECIFICITY OF CYBER-ATTACKS ACTION ON INDUSTRIAL ENTERPRISE SUB-NETWORKS

Sub-network | Cyber-threat | Consequences of attack
Production | Industrial downtime | Delays the product delivery and output
Storage | Process logic changing (e.g. recipe changing) | Ecological disaster
Distribution | Deactivation of the supply management system | Spoilage
Transportation | Interception of equipment control | Penalty payment
Support | Leaked data about the operation algorithm or characteristics of the production process | Penalties for violations of information security requirements
Office activities | General threats | Reputational damage

A simple solution to the problem is the localization of the entire information flow within the enterprise or infrastructure.
But modern providers of automation systems require their customers to have remote access for the remote support of their product. This means fabricators are required to have a permanent channel to the Internet, for example, to access the update servers for the installed software. In Russia, attempts are made to solve this problem by developing unique in-house software products and regularly releasing updates that keep this software current independently, in accordance with changes in external parameters. In addition to contradicting the global trend toward unification, this approach has additional security issues. In particular, the human factor is not taken into account. In order to have leverage over the customer's administration, developers supply their product with backdoors: deliberately altered fragments of the program that allow the attacker (in this case the developer) to carry out unauthorized access to the information network resources based on changes in the protection system properties .

978-1-5090-5648-417$31.00 ©2017 IEEE

The modern IT market offers a range of turnkey solutions for enterprise information security at any level and scale: software and hardware, and outsourcing services. In addition, there are approved standards, protocols, technical documentation and certification designed to regulate the sphere of information security. However, among the existing variety of products there are no network diagnostics tools. That means a company that is acquiring (or building) its information security system has no opportunity to test its effectiveness before an actual cyber-attack is carried out. Thus, due to the obvious danger and the possible catastrophic consequences of global cyber threats for modern industrial and social infrastructure, an important challenge is to provide effective tools to combat them.
The proposed system of identification, diagnosis and expert assessment of the significance of threats to the security of industrial networks can be considered as such a tool.

II. BRIEF SURVEY OF EXISTING RESEARCH

The practical significance of this problem is emphasized in . The authors describe a number of available simulators of computer attacks (ARENA, Cohen, Secusim, OPNET Modeler, Sakhardante, NetENGINE, etc.), noting the lack of cooperation between the private sector and the government (military sector) in these developments. The lack of available simulators with a "prediction" function for the consequences of a particular attack on a particular network is also mentioned. Furthermore, foreign scientists have made many attempts to create a unified classification of cyber-attacks. One of the main problems was the lack of universal terminology, as the authors note. Moreover, most classifications do not satisfy such requirements as being comprehensible and unambiguous. For example, in , the authors used an intuitive approach. Classifications by a number of authors , ,  are unambiguous, complete and comprehensible. The work by  has undeniable advantages, but it does not meet the requirement of an exhaustive survey. It should be noted that an adequate classification is a prerequisite for creating both a simulation of cyber-attacks and an expert system for assessing the safety of industrial information networks.

III. PROPOSED CLASSIFICATION OF CYBER-ATTACKS

This paper is dedicated to an attempt to create a new cyber-attack classification.

A. Terms

It is necessary to distinguish between the following concepts:
• Cyber-attack is a process/action aimed at capturing control of the computer network and/or destabilizing it.
• Cyber-threat is the potential for a cyber-attack to succeed under certain conditions.
• Vulnerability is a flaw, a weak point in the system, inadequate software and hardware, as well as its operating personnel, which an attacker can use to accomplish their tasks .

B. Requirements for classification

A successful taxonomy should satisfy several requirements for its universal acceptance . Typical requirements include the following:
• Accepted – builds on previous work that is well accepted.
• Mutually exclusive – each attack can only be classified into one category, which prevents overlapping.
• Comprehensible – clear and concise information; able to be understood by experts and those less familiar.
• Complete/exhaustive – the available categories are exhaustive within each classification, so it is assumed to be complete.
• Unambiguous – involves clearly defined classes, with no doubt about which class an attack belongs to.
• Repeatable – the classification of an attack should be repeatable.
• Terms well defined – categories should be well defined, and those terms should consist of established terminology that is accepted within the security community.
• Useful – can be used to gain insight into a particular field of study, particularly by those having great interest within that field .

Furthermore, it should be noted that a correct method of classification can only be based on a systematic approach.

C. Multilevel classification for cyber-attacks

In general, it is proposed to divide cyber-attacks into two groups: external and internal. External threats include nine categories, most of which are divided into subcategories. Internal threats include two categories: "Vulnerabilities in software" (which is the responsibility of its vendor) and "Data leakage" (which is the responsibility of the company's HR). Fig. 1 shows the classification scheme of cyber-attacks.
Since computer viruses are the most widespread type of cyber-attack, detailing was made only for the corresponding block. The scheme will allow designing an effective search form for the diagnostics software interface.

Fig. 1 Classification scheme for cyber-attacks

IV. PROPOSED DIAGNOSTIC AND ASSESSMENT OF INDUSTRIAL NETWORK SECURITY EXPERT SYSTEM

A. Overview

The main purpose of technical diagnostics is to organize efficient processes for determining the technical condition of complex, multi-component objects, which include the industrial information network of an enterprise. Diagnosis is performed by hardware or software, internal or external technical tools implementing a particular diagnosis algorithm. During the study, development and implementation of diagnosis processes for the technical condition of an industrial information network, it is necessary to solve the same problems which arise during the study, development and implementation of all management processes. In the first place, it is the task of studying the physical properties of an information network and its security vulnerabilities, and the problem of constructing mathematical models of the information network and of its vulnerabilities. Next come the problems of analysing the information network model, which is needed to obtain the data required for constructing the diagnosis algorithms. The next group consists of tasks related to the development of construction principles, pilot testing and commercialization of the information network diagnostic system. Finally, there is the problem of diagnostic system design in general and the study of its characteristics and properties (including experimental testing) . The main subjects of research in the design of the industrial information network technical diagnostics system are shown as a classification tree on Fig. 2.
In this study the problem of determining diagnostic algorithms is solved. As experiments on the real network of a running enterprise are not allowed, and process technology stops can cause unwanted effects, the proposed diagnostic system presupposes the existence of two structural blocks:
• The industrial network virtual model, based on the scan of selected nodal points/markers (Block 2 on Fig. 3);
• The generator of cyber-attack sets (Block 1 on Fig. 3).

Fig. 2 The main subjects of research of the industrial information network system technical diagnostics design classification tree

Fig. 3 Functional diagram of the technical diagnosis system of the security state of the industrial enterprise network

The proposed multilevel classification of internal and external cyber-attacks allows constructing a model of a safety diagnostic system that generates test kits of attacks and detects the reactions of the industrial network virtual model to these attacks. Experiments are set up with a sufficient sample to provide reliable statistics. While generating sets of cyber-attacks their weight is taken into account, which depends on:
• Frequency of cyber-attacks (popularity among hackers).
• The complexity of implementation (technical and technological resources used).
• The possibility of preventing the attack during its execution (if detected).
• The degree of damage (magnitude of the consequences for the network and the whole enterprise).
• The complexity of remediation.

Thus, the proposed diagnostic system is also endowed with expert functions.

B. Mathematical methods

It is possible to build a cyber-attacks model in two ways. The first method is based on the use of numerical probabilistic methods (e.g. Monte Carlo). In this case, the sets (combinations) of attacks are formed by using a random number generator built on the Sobol sequence (LPτ sequence). The examination is conducted by determining the stability factor (K_stab) for the tested network, depending on the detected vulnerabilities:

$K_{stab} = \sum_{j=1}^{m} \sum_{i=1}^{n} (a_i k_i)_j$   (1)

In (1): a_i – weight of the i-th cyber-attack; k_i – resistance factor to the i-th cyber-attack; i – the number of the cyber-attack in the set (i=[1; n]); j – the number of the cyber-attack set (j=[1; m]). The stability factor is inversely related to critical vulnerability. This coefficient can be determined through the standard CVSS metric, which estimates critical vulnerabilities for a given system. The resistance value depends on: access vector (AV), access complexity (AC), authentication (Au), confidentiality (C), integrity (I) and availability (A). As the criterion for the worst-case vulnerability, min K_stab is chosen. A limit of not more than three attacks at a time is introduced. The algorithm is shown on Fig. 4.

Fig. 4 Structural scheme for cyber-attack model design based on the Monte Carlo method

In the second case, the test is carried out in steps. The test at each step is determined by the previous results. That means the first set of attacks determines the most probable vulnerability. Then other cyber-threats matching this vulnerability are determined, and from this information a new cyber-attack test kit is formed. The dimension of the sets can be increased. The basis of this diagnostic algorithm is the Markov chain. The structural scheme for this method is shown on Fig. 5.

Fig. 5 Structural scheme for cyber-attack model design based on Markov's chain

A table of conditional probabilities of correspondence between cyber-attacks, cyber-threats and vulnerabilities is created for these operations. This table is based on the analysis of data provided by the Data Bank of information security threats . A fragment of this table is shown on Fig. 6. The conditional probability describes how likely a given cyber-threat will lead to a given cyber-attack for a given vulnerability. To calculate the conditional probability of cyber-attack (z) success given some vulnerability (x), which characterizes an internal attribute/parameter of the studied system, and some cyber-threat (y), which characterizes the presence of certain external conditions/factors, an expert analysis of the dataset series, obtained empirically, is performed. The result of the analysis is the determination of the probabilities:

ሺሻǦ Ǣ ..୧ ൌ ቐ ሺሻǦ Ǧ Ǣ (2) ሺሻǦ Ǧ Ǥ..

It is assumed that the vulnerability x (an internal property of the system) and the cyber-threat y (a set of external factors or conditions) are independent variables. Then the probability of their simultaneous occurrence is:

$P(x * y) = P(x) * P(y)$   (3)

The conditional probability of the hypothesis that the cyber-attack (z) is successfully implemented in the presence of the cyber-threat (y) and the system vulnerability (x) is given by Bayes' formula:

$P(z \mid (x * y)) = \frac{P(z * (x * y))}{P(x * y)} = \frac{P((x * y) \mid z)\, P(z)}{P(x * y)}$   (4)

In (4): P(z|(x*y)) – the probability of cyber-attack success in case of the simultaneous occurrence of event x (vulnerability presence) and event y (cyber-threat presence); P((x*y)|z) – the probability of the presence of the particular vulnerability and the particular cyber-threat in case the hypothesis about the cyber-attack success is true.

Fig. 6 The fragment of the vulnerability/cyber-attack/cyber-threat correspondence table

As the criterion for the worst-case vulnerability, max P(z|(x*y)) is chosen.

C. Expected results

The diagnostic result is the passport of the vulnerabilities (for Russia it is designed in accordance with GOST (State Standard) R 56545-2015, which means it must comply with the law of the country). For large industrial objects, this document could become the basis for making decisions on the suspension of the enterprise in order to prevent major accidents and global catastrophes.
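The first (Monte Carlo) method of Section IV.B, as an added worked example that is not the paper's code: Sobol (LPτ) points select attack sets of at most three attacks, each set is scored with the inner sum of eq. (1), K_stab = Σ a_i k_i, and the worst case is min K_stab. The attack names, the weights a_i and the CVSS v2 vectors are constructed sample data; deriving the resistance factor k_i as 1 − (CVSS v2 base score)/10 is an assumption of this example, since the paper only states that k_i depends on the AV, AC, Au, C, I and A metrics. The Sobol generator is a standard Gray-code implementation for three dimensions, not the paper's own.

```python
"""Monte Carlo diagnosis of Section IV.B (added example, not the paper's code):
Sobol (LP-tau) points select attack sets of at most three attacks, each set is
scored with the inner sum of eq. (1), K_stab = sum_i a_i * k_i, and the worst
case is min K_stab. Attack names, weights a_i and CVSS vectors are constructed."""
from typing import Dict, List, Tuple

_BITS = 32
# Sobol direction numbers: dim 1 is van der Corput base 2; dims 2 and 3 use the
# primitive polynomials x+1 and x^2+x+1 with Joe-Kuo initial values (s, a, m).
_POLY = {2: (1, 0, [1]), 3: (2, 1, [1, 3])}

def _direction_numbers(dim: int) -> List[int]:
    v = [0] * (_BITS + 1)                       # 1-based: v[1..32]
    if dim == 1:
        for k in range(1, _BITS + 1):
            v[k] = 1 << (_BITS - k)
        return v
    s, a, m = _POLY[dim]
    for k in range(1, s + 1):
        v[k] = m[k - 1] << (_BITS - k)
    for k in range(s + 1, _BITS + 1):
        v[k] = v[k - s] ^ (v[k - s] >> s)
        for i in range(1, s):
            if (a >> (s - 1 - i)) & 1:
                v[k] ^= v[k - i]
    return v

def sobol_points(count: int, dims: int) -> List[Tuple[float, ...]]:
    """First `count` Sobol points in [0,1)^dims (Gray-code order, origin skipped)."""
    dirs = [_direction_numbers(d) for d in range(1, dims + 1)]
    x, pts = [0] * dims, []
    for n in range(1, count + 1):
        c = 1                                    # index of rightmost zero bit of n-1
        while (n - 1) >> (c - 1) & 1:
            c += 1
        x = [x[d] ^ dirs[d][c] for d in range(dims)]
        pts.append(tuple(xd / 2 ** _BITS for xd in x))
    return pts

# CVSS v2 base metrics (the paper names AV, AC, Au, C, I, A); the resistance k_i
# is taken here, as an assumption of this example, as 1 - base_score / 10.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def resistance(vector: str) -> float:
    return round(1 - cvss2_base_score(vector) / 10, 2)

# Constructed catalogue: attack -> (weight a_i, CVSS v2 vector of the exploited
# vulnerability). The weights stand in for the five criteria of Section IV.A.
CATALOGUE: Dict[str, Tuple[float, str]] = {
    "worm":            (0.9, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    "phishing-trojan": (0.8, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    "recipe-tamper":   (0.6, "AV:A/AC:H/Au:S/C:N/I:C/A:N"),
    "dos-flood":       (0.7, "AV:N/AC:L/Au:N/C:N/I:N/A:C"),
    "usb-drop":        (0.5, "AV:L/AC:L/Au:N/C:P/I:P/A:P"),
}
MAX_ATTACKS = 3   # the paper's limit: not more than three attacks at a time

def attack_set(point: Tuple[float, ...], names: List[str]) -> Tuple[str, ...]:
    """Map one Sobol point to a set of 1..3 distinct attacks (canonical order)."""
    return tuple(sorted({names[int(u * len(names))] for u in point[:MAX_ATTACKS]}))

def k_stab(attacks: Tuple[str, ...], catalogue=CATALOGUE) -> float:
    """Stability of one set: sum of a_i * k_i over its attacks (inner sum of eq. (1))."""
    return round(sum(catalogue[a][0] * resistance(catalogue[a][1]) for a in attacks), 3)

def monte_carlo_diagnosis(num_sets: int, catalogue=CATALOGUE):
    """Score num_sets Sobol-generated sets; return (worst set, min K_stab, total K_stab)."""
    names = sorted(catalogue)
    runs = [(s, k_stab(s, catalogue)) for s in
            (attack_set(p, names) for p in sobol_points(num_sets, MAX_ATTACKS))]
    worst, k_min = min(runs, key=lambda r: r[1])
    return worst, k_min, round(sum(k for _, k in runs), 3)

if __name__ == "__main__":
    print(monte_carlo_diagnosis(16))
```

The low-discrepancy points mean that even a short run covers the attack catalogue more evenly than pseudo-random draws would; with a catalogue of five attacks and the first four points, the two sets `("recipe-tamper",)` and `("phishing-trojan", "usb-drop")` are produced, and the singleton with the lowest weighted resistance is reported as the worst case.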
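The second (stepwise) method of Section IV.B, as an added worked example that is not the paper's code: a constructed fragment of the vulnerability (x) / cyber-threat (y) / cyber-attack (z) correspondence table stands in for the paper's Fig. 6, eq. (3) and (4) give P(z|(x*y)), the first test kit yields the most probable vulnerability, and the next kit is formed from the threats matching it. All names and probabilities are constructed sample values; the example implements the Bayesian kit refinement step and does not reproduce the paper's Markov-chain structural scheme (Fig. 5).

```python
"""Stepwise diagnosis of Section IV.B, added example (not the paper's code).
A constructed fragment of the x/y/z correspondence table stands in for Fig. 6;
eq. (3) and (4) give P(z|(x*y)), the first test kit selects the most probable
vulnerability, and the next kit is formed from the threats matching it."""
from typing import Dict, List, Tuple

# Constructed marginals (sample values only).
P_X = {"unpatched-hmi": 0.30, "default-creds": 0.50, "open-port": 0.20}              # vulnerabilities
P_Y = {"internet-exposed": 0.40, "contractor-access": 0.35, "removable-media": 0.25}  # threats
P_Z = {"remote-code-exec": 0.15, "credential-reuse": 0.25, "malware-drop": 0.20}      # attacks
# Constructed likelihoods P((x*y)|z): share of successful z seen with each (x, y).
P_XY_GIVEN_Z: Dict[str, Dict[Tuple[str, str], float]] = {
    "remote-code-exec": {("unpatched-hmi", "internet-exposed"): 0.60,
                         ("open-port", "internet-exposed"): 0.30},
    "credential-reuse": {("default-creds", "contractor-access"): 0.50,
                         ("default-creds", "internet-exposed"): 0.40},
    "malware-drop":     {("unpatched-hmi", "removable-media"): 0.30,
                         ("default-creds", "removable-media"): 0.20},
}

def p_xy(x: str, y: str) -> float:
    """Eq. (3): x and y are assumed independent."""
    return P_X[x] * P_Y[y]

def p_z_given_xy(z: str, x: str, y: str) -> float:
    """Eq. (4): P(z|(x*y)) = P((x*y)|z) P(z) / P(x*y); rejects inconsistent table rows."""
    p = P_XY_GIVEN_Z[z].get((x, y), 0.0) * P_Z[z] / p_xy(x, y)
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"table inconsistent for ({x}, {y}, {z}): P={p:.3f}")
    return round(p, 4)

def posterior_table(kit: List[str]) -> Dict[Tuple[str, str, str], float]:
    """P(z|(x*y)) for every vulnerability/threat pair and every attack in the kit."""
    return {(x, y, z): p_z_given_xy(z, x, y) for z in kit for x in P_X for y in P_Y}

def worst_case(kit: List[str]) -> Tuple[Tuple[str, str, str], float]:
    """The paper's criterion: the (x, y, z) with max P(z|(x*y))."""
    tbl = posterior_table(kit)
    key = max(tbl, key=tbl.get)
    return key, tbl[key]

def next_test_kit(kit: List[str]) -> Tuple[str, List[str], List[str]]:
    """One step: most probable vulnerability x* from the current kit, the threats
    that match x* in the table, and the attacks linked to (x*, y), ranked by
    posterior, as the next kit."""
    (x_star, _, _), _ = worst_case(kit)
    threats = sorted({y for rows in P_XY_GIVEN_Z.values() for (x, y) in rows if x == x_star})
    ranked: Dict[str, float] = {}
    for z in P_XY_GIVEN_Z:
        for y in threats:
            p = p_z_given_xy(z, x_star, y)
            if p > 0:
                ranked[z] = max(ranked.get(z, 0.0), p)
    return x_star, threats, sorted(ranked, key=ranked.get, reverse=True)

if __name__ == "__main__":
    kit = ["remote-code-exec"]
    for step in range(2):
        x_star, threats, kit = next_test_kit(kit)
        print(f"step {step + 1}: vulnerability={x_star} threats={threats} next kit={kit}")
```

The range check in `p_z_given_xy` is the practical safeguard: because eq. (3) treats x and y as independent, an expert-filled likelihood P((x*y)|z) that is too large for the assumed marginals produces a posterior above 1, which signals that the table fragment, not the network, is inconsistent.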
V. CONCLUSIONS

The assigned problem of protecting industrial networks against cyber threats was proposed to be solved with the use of a system of diagnosis and expert assessment of the significance of threats. The proposed new classification is important for building an effective simulation of cyber-attacks. As the detailing was carried out only for computer viruses, further research will focus on the details of the other attacks. Additionally, a comparison of the effectiveness of the proposed cyber-attack generation algorithms is necessary. However, the proposed algorithms allow achieving higher diagnostic quality and safety of industrial networks than similar models used in practice.

ACKNOWLEDGMENT

The reported study was done within postgraduate research at Perm National Research Polytechnic University (Russia).

REFERENCES

The Repository of Industrial Security Incidents. [Online]. Available: http://www.risidata.com/
The base model of personal data security threats at their processing within the information systems of personal data (extract). Federal Service for Technical and Export Control (FSTEC). FSTEC standard, 2008.
S.P. Leblanc, A. Partington, I. Chapman, and M. Bernier, "An Overview of Cyber Attack and Computer Network Operations Simulation," in Proc. of the Military Modeling & Simulation Symposium MMS '11, 2011, pp. 92-100.
J.D. Howard and A.T. Longstaff, "A Common Language for Computer Security Incidents," Sandia Report SAND98-8667, 1998.
C.B. Simmons, G. Shiva Sajjan, H. Bedi, and D. Dasgupta, "AVOIDIT: A Cyber Attack Taxonomy," in Proc. of the 9th Annual Symposium on Information Assurance (ASIA'14), Albany, 2014.
S. Hansman and R. Han, "A taxonomy of network and computer attacks," Computers and Security, vol. 24, is. 1, pp. 31-43, 2005.
J. King, K. Lakkaraju, and A. Slagell, "A taxonomy and adversarial model for attacks against network log anonymization," in Proc. of SAC '09, Honolulu, Hawaii, 2009.
M. Kjaerland, "A taxonomy and comparison of computer security incidents from the commercial and government sectors," Computers and Security, vol. 25, is. 7, pp. 522-538, 2006.
J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, is. 2, pp. 39-53, 2004.
Data Bank of information security threats. Federal Service for Technical and Export Control (FSTEC). [Online]. Available: http://www.bdu.fstec.ru/
V.V. Karibskiy, P.P. Parkhomenko, E.S. Sogomonyan, and V.F. Halchev, "Technical Diagnostics Fundamentals," Energy, vol. 1, pp. 18-19, 1976.