© The SPARKS Consortium EU FP7 Programme Contract No. 608224
SECURITY INFORMATION ANALYTICS Dr. Andrew Byrne, EMC Research Europe
OUTLINE
Background Data Sources Security Analytics
– Anomaly Detection Algorithms – Performance – User Interface
Exploitation
SPARKS ACTIVITIES
Stakeholder Engagement
Smart Grid Security Analysis
Smart Grid Security Standards
Smart Grid Security & Resilience Measures
Smart Grid Cyber Security Demonstration
Financial, Legal & Social Capability
Security & Resilience Measures: – Resilient Control – Attack Detection – Authentication – Intrusion Detection – Security Analytics
SMART GRID SECURITY
(diagram labels) Consumers – Smart Meters – Smart Meter Data – Utilities – Controllers – Anomalies
SECURITY & RESILIENCE MEASURES
Security Information Analytics: – Data-Driven Detectors – Knowledge-Based Detectors
Resilient Control: – Predictive Control – Virtual Sensors – Anomaly Isolation – Variable Subsetting
(diagram labels) Anomalies (analytics output fed to resilient control) – Stable Operation (resilient control output)
NIMBUS MICROGRID (CORK, IRELAND) SCADA & BMS
(8 electrical meters + thermal…)
ALGORITHMS
Knowledge-based (needs domain expertise): – Deviation from set-point (grid specifications, e.g. nominal voltage or frequency with a tolerance band)
– Rule violations (physical laws; system model)
– Dead-sensor detection (readings frozen or missing over operator-selected time windows)
Data-driven (implicitly learns “normal” patterns):
– KL-divergence (histogram of a full day's readings compared against a baseline histogram)
– One-class SVM (classification – normal vs anomalous, trained on normal data only)
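To make the two detector families concrete, the block below is an added example written for this page; it is not SPARKS or EMC code and does not reproduce the project's implementation. It assumes one meter reporting 96 readings per day on a fixed 0–100 scale, a constructed diurnal load curve, and hand-picked thresholds (20-bin histogram, add-one smoothing, KL threshold of 0.5, 8-sample dead-sensor window). It implements the KL-divergence day-level detector and the knowledge-based set-point and dead-sensor checks; the one-class SVM is left out because it needs a learning library.

```python
"""Toy versions of the detector families listed above.

Constructed example for this page; not the project's code. Assumptions:
one meter, 96 readings per day (15-minute resolution), readings on a
fixed 0-100 scale, and hand-picked thresholds.
"""
import math

N = 96                           # readings per day (assumed 15-minute resolution)
BINS, LO, HI = 20, 0.0, 100.0    # histogram layout (assumed)
KL_THRESHOLD = 0.5               # assumed; tune against real baseline days


def _profile(t):
    """Smooth diurnal load curve (constructed): 30 at night, 70 at midday."""
    return 50.0 + 20.0 * math.sin(2 * math.pi * (t - 24) / N)


# Constructed days: a baseline, a second ordinary day with different noise,
# a day whose first half is reported as 0.0 (spoofed or faulty meter), and a
# day whose sensor is frozen on one value for four hours.
BASELINE_DAY = [_profile(t) + 1.5 * math.sin(7 * t) for t in range(N)]
NORMAL_DAY = [_profile(t) + 1.5 * math.cos(5 * t) for t in range(N)]
SPOOFED_DAY = [0.0 if t < 48 else x for t, x in enumerate(NORMAL_DAY)]
FROZEN_DAY = [BASELINE_DAY[40] if 40 <= t < 56 else x
              for t, x in enumerate(BASELINE_DAY)]


def histogram(samples, bins=BINS, lo=LO, hi=HI):
    """Add-one smoothed probability histogram, so every bin has support
    and the KL divergence stays finite."""
    counts = [0] * bins
    for x in samples:
        idx = int((x - lo) / (hi - lo) * bins)
        counts[min(max(idx, 0), bins - 1)] += 1
    total = len(samples) + bins
    return [(c + 1) / total for c in counts]


def kl_divergence(p, q):
    """D_KL(P || Q) in nats: large when today's histogram puts mass where
    the baseline histogram puts almost none."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))


def day_score(day, baseline):
    """Data-driven: divergence of a full day's histogram from the baseline."""
    return kl_divergence(histogram(day), histogram(baseline))


def is_anomalous_day(day, baseline, threshold=KL_THRESHOLD):
    return day_score(day, baseline) > threshold


def setpoint_violations(samples, setpoint, tolerance):
    """Knowledge-based: indices where |reading - set-point| exceeds tolerance."""
    return [i for i, x in enumerate(samples) if abs(x - setpoint) > tolerance]


def dead_sensor_runs(samples, min_len, tol=1e-9):
    """Knowledge-based: maximal runs of at least min_len identical consecutive
    readings, returned as half-open (start, end) index pairs."""
    runs, start = [], 0
    for i in range(1, len(samples) + 1):
        if i == len(samples) or abs(samples[i] - samples[i - 1]) > tol:
            if i - start >= min_len:
                runs.append((start, i))
            start = i
    return runs


if __name__ == "__main__":
    for name, day in [("normal", NORMAL_DAY), ("spoofed", SPOOFED_DAY)]:
        print(f"{name}: KL={day_score(day, BASELINE_DAY):.3f} "
              f"anomalous={is_anomalous_day(day, BASELINE_DAY)}")
    print("frozen runs:", dead_sensor_runs(FROZEN_DAY, min_len=8))
    # Constructed grid-frequency readings against a 50 Hz set-point, 0.2 Hz band.
    print("frequency violations:",
          setpoint_violations([50.01, 49.98, 50.35, 50.0, 49.7], 50.0, 0.2))
```

The KL detector only sees the shape of the day's value distribution, so it catches a meter reporting zeros for half a day but would miss a replay of plausible values at the wrong time; the frozen-sensor check, which needs no training data, is what catches a stuck or replayed reading. Add-one smoothing matters: without it a single reading in an empty baseline bin makes the divergence infinite and every day looks anomalous.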
EXPLOITATION TO DATE
RSA Security Analytics: – BlackEnergy malware detection in release 10.5. – Target market may be extended to ICS infrastructure.
Customer conversations:
– Water utilities (UK & others). – Electricity distributors. – Major Saudi utility.