Birliktelik Kural Analizi Tabanlı İzleme ve Bayes Ağları ile Operasyonel Teknoloji Sistemlerinde Siber Güvenlik Analizi

Öz

Artan teknoloji kullanımı ve sistemler arası entegrasyonun getirdiği kullanım kolaylığına ek olarak oluşan güvenlik açıkları günümüzde siber güvenliğin önemini artırmaktadır. Hükümetler, askeri, kurumsal, finans veya tıbbi kuruluşlar güvenlik tehdidi altında bulunmaktadır. Yaygınlaşan teknolojiyle beraber güvenli olmayan bilgisayar sistemleri, yıkıcı kesintilere, hassas bilgilerin ifşasına ve sahtekârlıklara yol açabilir. Endüstriyel varlıkların izlendiği ve kontrol edildiği sistemler Operasyonel Teknoloji (OT) olarak adlandırılır. Denetleyici Kontrol (PLC) ve Veri Toplama (SCADA) sistemleri OT sistem örneklerindendir. Bu sistemlere yapılan saldırılar, hayati önem taşıyan temel hizmetlerin sunulmasını engelleyebilir, ciddi ekonomik veya sosyal sonuçlara yol açabilir. Yapılarına güvenlik mekanizmalarının uygulanamayışı veya sahip oldukları eski bilişim teknolojilerinin yenilememesi sebepleri ile OT sistemler siber saldırılara karşı en savunmasız sistemlerdir. Bu çalışma kapsamında OT sistemleri için saldırı tespit ve uyarı sistemi geliştirilmiştir. OT sistemlerin mevcut durumu göz önüne alınarak tasarlanan sistem veri erişimini OPC sunucu üzerinden yapmakta ve bu sayede tüm OT sistemlerine minimum değişiklik ile bağlantı sağlayabilecek yapıdadır. OT sistemde meydana gelen işlemlerin algılanması ve analiz edilebilmesi için birliktelik analizi tabanlı aktivite kayıt oluşturma algoritması geliştirilmiş. Geliştirilen bu algoritma ile OT süreç bilgisi olmadan tüm aktivitelerin yorumlanabilmesine olanak sağlanmıştır. Oluşan aktivite bilgilerinin analizi için Bayes ağ tabanlı bir öğrenme sistemi tasarlanmıştır. Bu sistem sayesinde elde edilen kayıtlardan Bayes ağları oluşturulmakta ve sistem çalışma anında oluşan tüm aktiviteler değerlendirilerek olasılıklarına göre “Güvenli”, “Riskli” ve “Siber Saldırı” olarak gruplandırılmakta ve OT yetkililerine sunulmaktadır. Önerilen sistem her tür OT aktivitesine adapte olabilecek yapıdadır. Sistem mimari yapısı gereği sadece siber saldırı kategorisindeki işlemleri tespit etmekte kalmayıp sistemde yetkili kişilerin hatalı yâda kasıtlı müdahale veya program değişimlerini de algılayabilmektedir. Deneysel çalışmalarımız OT sisteme yapılan her türlü saldırının tespit edilebildiğini göstermektedir. Bu çalışma OT davranışlarının modellenerek öğrenildiği ve anormal davranışların tespit edilerek siber saldırıların tespit edildiği ilk çalışmadır.

Anahtar Kelimeler

• Siber Güvenlik
• Operasyonel Teknolojiler
• Akıllı Sistemler
• Makine Öğrenmesi

Cyber Security Analysis at Operational Technology Systems with Association Rule-Based Monitoring and Bayesian Networks

Abstract

In addition to the ease of use brought by the increasing use of technology and integration between systems, the resulting security vulnerabilities increase the importance of cybersecurity today. Governments, military, corporate, financial, or medical organizations are under security threats. With the spread of technology, unsafe computing systems can lead to devastating interruptions, sensitive information disclosure, and fraud. Systems in which industrial assets are monitored and controlled are called Operational Technology (OT). Supervisory Control (PLC) and Data Acquisition (SCADA) systems are examples of OT systems. Attacks on these systems can hinder the delivery of vital essential services and have serious economic or social consequences. OT systems are the most vulnerable systems against cyber-attacks since security mechanisms cannot be applied to their structures or the old information technologies they have are not renewed. Within the scope of this study, an intrusion detection and warning system has been developed for OT systems. The system, which is designed considering the current situation of OT systems, makes data access through the OPC server and thus, it is in a structure that can provide a connection to all OT systems with minimum changes. To detect and analyze the transactions occurring in the OT system, an association analysis based activity record creation algorithm has been developed. With this developed algorithm, it is possible to interpret all activities without OT process knowledge. A Bayes network-based learning system was designed to analyze the activity information. Bayes networks are created from the records obtained through this system and all activities that occur during the system operation are evaluated, grouped as "Safe", "Risky" and "Cyber Attack" according to their probabilities and presented to OT officials. The proposed system is capable of adapting to all types of OT activities. Due to the architecture of the system, it not only detects transactions in the cyberattack category but also detects faulty or deliberate intervention or program changes by authorized persons in the system. Our experimental studies show that any attack on the OT system can be detected. This study is the first study in which OT behaviors are modeled and learned, and cyberattacks are detected by detecting abnormal behaviors.

Keywords

• Cyber Security
• Operational Technologies
• Intelligent Systems
• Machine Learning

Kaynakça

1. Mukkamala, S., Sung, A., & Abraham, A. (2005). Cyber security challenges: Designing efficient intrusion detection systems and antivirus tools. Vemuri, V. Rao, Enhancing Computer Security with Smart Technology.(Auerbach, 2006), 125-163.
2. Bhuyan, M. H., Bhattacharyya, D. K., & Kalita, J. K. (2013). Network anomaly detection: methods, systems and tools. Ieee communications surveys & tutorials, 16(1), 303-336.
3. Stouffer, K., Falco, J., & Scarfone, K. (2011). Guide to industrial control systems (ICS) security. NIST special publication, 800(82), 16-16.
4. Framework, S. (2010). Policy Statement on Improving the Resilience of Critical Infrastructure to Disruption from Natural Hazards. London: Cabinet Office.
5. Henrie, M. (2013). Cyber security risk management in the SCADA critical infrastructure environment. Engineering Management Journal, 25(2), 38-45.
6. Guan, J., Graham, J. H., & Hieb, J. L. (2011, July). A digraph model for risk identification and mangement in SCADA systems. In Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics (pp. 150-155). IEEE.
7. Patel, S., Tantalean, R., Ralston, P., & Graham, J. (2005). Supervisory control and data acquisition remote terminal unit testbed. Intelligent Systems Research Laboratory technical report TR-ISRL-05-01, Department of Computer Engineering and Computer Science. Louisville, Kentucky: University of Louisville, 24, 26.
8. Yan, J., Liu, C. C., & Govindarasu, M. (2011, March). Cyber intrusion of wind farm SCADA system and its impact analysis. In 2011 IEEE/PES Power Systems Conference and Exposition (pp. 1-6). IEEE.

9. Ericsson, G. N. (2007). Toward a framework for managing information security for an electric power utility—CIGRÉ experiences. IEEE transactions on power delivery, 22(3), 1461-1469.
10. Amin, M. (2002). Security challenges for the electricity infrastructure. Computer, 35(4), supl8-supl10.
11. Schneider, K., Liu, C. C., & Paul, J. P. (2006). Assessment of interactions between power and telecommunications infrastructures. IEEE Transactions on Power Systems, 21(3), 1123-1130.
12. Alves, T., & Morris, T. (2018). OpenPLC: An IEC 61,131–3 compliant open source industrial controller for cyber security research. Computers & Security, 78, 364-379.
13. Davis, C. M., Tate, J. E., Okhravi, H., Grier, C., Overbye, T. J., & Nicol, D. (2006, September). SCADA cyber security testbed development. In 2006 38th North American Power Symposium (pp. 483-488). IEEE.
14. Ericsson, G. N. (2010). Cyber security and power system communication—essential parts of a smart grid infrastructure. IEEE Transactions on Power Delivery, 25(3), 1501-1507.
15. Seijo Simó, M., López López, G., & Moreno Novella, J. I. (2017). Cybersecurity vulnerability analysis of the plc prime standard. Security and Communication Networks, 2017.
16. Byres, E., & Lowe, J. (2004, October). The myths and facts behind cyber security risks for industrial control systems. In Proceedings of the VDE Kongress (Vol. 116, pp. 213-218).
17. Xie, P., Li, J. H., Ou, X., Liu, P., & Levy, R. (2010, June). Using Bayesian networks for cyber security analysis. In 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN) (pp. 211-220). IEEE.
18. Coluccia, A., D’Alconzo, A., & Ricciato, F. (2013). Distribution-based anomaly detection via generalized likelihood ratio test: A general maximum entropy approach. Computer Networks, 57(17), 3446-3462.
19. Fronza, I., Sillitti, A., Succi, G., Terho, M., & Vlasenko, J. (2013). Failure prediction based on log files using random indexing and support vector machines. Journal of Systems and Software, 86(1), 2-11.
20. Vickers, N. J. (2017). Animal communication: when i’m calling you, will you answer too?. Current biology, 27(14), R713-R715.
21. Mahnke, W., Leitner, S. H., & Damm, M. (2009). OPC unified architecture. Springer Science & Business Media.
22. Lieping, Z., Aiqun, Z., & Yunsheng, Z. (2007, July). On remote real-time communication between MATLAB and PLC based on OPC technology. In 2007 Chinese Control Conference (pp. 545-548). IEEE.
23. Zheng, L., & Nakagawa, H. (2002, August). OPC (OLE for process control) specification and its developments. In Proceedings of the 41st SICE Annual Conference. SICE 2002. (Vol. 2, pp. 917-920). IEEE.
24. Resnick, C. (2012). Kepware Communication Solutions Help Optimize OPC Connectivity. ARC View.
25. Piatetsky-Shapiro, G. (1991). Discovery, analysis, and presentation of strong rules. Knowledge discovery in databases, 229-238.
26. Agrawal, R., Imieliński, T., & Swami, A. (1993, June). Mining association rules between sets of items in large databases. In Proceedings of the 1993 ACM SIGMOD international conference on Management of data (pp. 207-216).
27. Agrawal, R., & Srikant, R. (1994, September). Fast algorithms for mining association rules. In Proc. 20th int. conf. very large data bases, VLDB (Vol. 1215, pp. 487-499).
28. Guo, Y., Bai, G., & Hu, Y. (2012, December). Using bayes network for prediction of type-2 diabetes. In 2012 International Conference for Internet Technology and Secured Transactions (pp. 471-472). IEEE.
29. He, J., Bai, S., & Wang, X. (2017). An unobtrusive fall detection and alerting system based on Kalman filter and Bayes network classifier. Sensors, 17(6), 1393.
30. Eibe, F., Hall, M. A., & Witten, I. H. (2016). The WEKA workbench. Online appendix for data mining: practical machine learning tools and techniques. In Morgan Kaufmann.