PRoCeeD: Process state prediction for CRITIS using process inherent causal data and discrete event models

Abstract

It is getting harder for operators to secure their Critical Infrastructures (CRITIS). The reasons are a higher complexity and vulnerability of infrastructures in combination with the pressure of being cost-effective, as well as the availability of more evolving attack techniques. New and sophisticated Advanced Persistent Threats cannot be detected using common security measures like signature-based detection. New techniques for detection in CRITIS are necessary. As one part of a comprehensive detection framework for CRITIS we introduce PRoCeeD – Process secuRity by using Causal Data. Our approach combines methodologies from control theory, distributed computing and automata theory. The goal is to create a mathematical model of the nodes, i.e. Programmable Logic Controller or other control systems. Furthermore this is done in an automated fashion using existing information like the Source Code, input and output values like network traffic and process variables and data models. The generated model can be simulated in conjunction with on-line data of a running process to predict probable process states. A combination of this prediction with an anomaly detection framework can reveal attacks, misuses or errors that cannot be detected using common security measures.