A Distributed Security Event Correlation Platform for SCADA

Abstract

Critical Infrastructures rely on Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) to operate the networks and systems of vital assets for the functioning of society and economy. SCADA systems were traditionally isolated and used closed architectures with proprietary protocols, but nowadays this systems use open standards with open architectures that are highly interconnected with other corporate networks and the internet. As a result, the vulnerability of these systems to cyber-attacks increased considerably. This thesis is integrated in the work developed by the Laboratory of Communications and Telematics for CockpiCI, an European Framework FP7 research project, whose goal is to provide intrusion detection, analysis and protection techniques to Critical Infrastructures. The design and implementation of an event correlation platform for detection of cyberattacks in SCADA systems are detailed in this thesis. The developed correlation platform implements the means to collect, process and correlate security events from differently distributed sources. The validation performed to this system demonstrated its resiliency, performance and correlation capabilities to detect cyber-attacks. The platform presented will be deployed in a test bed that includes critical infrastructures simulated by real equipment and enterprise Industrial Control Systems, this will allow a further validation of its concepts and capabilities.