CockpitCI Papers published in peer-reviewed journals, books and conference proceedings:
1) FTCUC: Abstract submitted for a book chapter in the upcoming Springer volume “Recent Advances in Computational Intelligence in Defense and Security”. The proposal is entitled “How to improve cyber-security awareness on Industrial Control Systems: lessons from the CockpitCI project”.
2) FTCUC: A paper about CockpitCI is under preparation for the International Journal of Cyber Warfare and Terrorism (IJCWT); title to be defined.
3) Book chapter: F.Caldeira, T. Cruz, P.Simões, and E.Monteiro, “Towards protecting critical infrastructures” in Cybersecurity Policies and Strategies for Cyberwarfare Prevention, Editor: Jean-Loup Richet, published by IGI-Global (accepted, awaiting publication).
4) Book chapter: P.Simões, T.Cruz, J.Proença and E.Monteiro, “Specialized Honeypots for SCADA Systems”, in Cyber Security: Analytics, Technology and Automation. Editor: Martti Lehto, Springer Series on Intelligent Systems, Control and Automation: Science and Engineering (accepted, awaiting publication).
5) T.Cruz, J.Barrigas, J.Proença, A.Graziano, S.Panzieri, L.Lev, and P.Simões, “Improving Network Security Monitoring for Industrial Control Systems“, in 14th IFIP/IEEE Int. Symposium on Integrated Management (IM 2015), Ottawa (CANADA), 2015.
6) L.Rosa, P.Alves, T.Cruz, P.Simões, and E.Monteiro, “A Comparative Study of Correlation Engines for Security Event Management“, in 10th Int. Conf. on Cyber Warfare and Security (ICCWS-2015), Kruger National Park, South Africa, 2015.
7) T.Cruz, J.Proença, P.Simões, M.Aubigny, M.Ouedraogo, A.Graziano, and L.Yasakethu, “Improving Cyber-Security Awareness on Industrial Control Systems: The CockpitCI Approach“, Journal of Information Warfare – ISSN 1445-3347 (online) / ISSN 1445-3312 (printed), vol. 13, issue 4, 2015.
Abstract: Cyber-threats are one of the most significant problems faced by modern Industrial Control Systems (ICS), such as SCADA (Supervisory Control and Data Acquisition) systems, as the vulnerabilities of ICS technology become serious threats that can ultimately compromise human lives. This situation demands a domain-specific approach to cyber threat detection within ICS, which is one of the most important contributions of the CockpitCI FP7 project (http://CockpitCI.eu). Specifically, this paper will present the CockpitCI cyber-detection and analysis layer, including a description of its components, in terms of role, operation, and remote management.
8) C.Harpes, M.Aubigny, “CockpitCI: How to monitor cyber-risks on a critical infrastructure“, in Revue Technique Luxembourgeoise, March 2015.
Abstract: This article explains the context of Critical Infrastructure protection, the political ambition and the practical risk of achieving it. Some results of CockpitCI are given, and a follow-up project, called Smart Grid Luxembourg Cockpit, aiming to tailor security for the future network of smart electricity meters in Luxembourg, is announced. This paper also describes the two software products developed by itrust consulting in the framework of the project: a meta anti-virus appliance called AVCaesar and a software version monitoring tool called Software Checker.
9) F. Liberati, A. Lanna, D. Macone, R. Baldoni, R. Cusani, F. Delli Priscoli, “CockpitCI: a tool for Critical Infrastructure Protection against Cyberattacks”, International Journal of Critical Infrastructures, published by Inderscience Enterprises Ltd, United Kingdom, submitted in December 2014
10) André Riker, Tiago Cruz, Bruno Marques, Marilia Curado, Paulo Simões, Edmundo Monteiro, “Efficient and Secure M2M Communications for Smart Metering”, accepted in the 19th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA’2014), Barcelona, Spain, 16 – 19 September 2014
11) T.Cruz, J.Proença, P.Simões, M.Aubigny, M.Ouedraogo, A.Graziano, L.Yasakethu, “Improving cyber-security awareness on Industrial Control Systems: the CockpitCI approach“, in 13th European Conference on Information Warfare and Security ECCWS 2014, Piraeus (Greece), July 2014
Abstract: Originally isolated by design, Critical Infrastructures (CI) based on Industrial Control Systems (ICS) – such as SCADA (Supervisory Control and Data Acquisition) systems – were born within the scope of industrial process control technologies. Having evolved from proprietary systems, ICS eventually started adopting open architectures and standards, becoming increasingly interconnected with existing corporate networking infrastructures and even the Internet. (…) In this paper we present the CockpitCI cyber-detection and analysis layer, also including a detailed description of its most relevant components in terms of role, integration and remote management. This paper will also show how the proposed solution might be effective in dealing with such cyber-threats, by presenting relevant examples.
12) Leandros A. Maglaras, Jianmin Jiang, Tiago Cruz, “An integrated OCSVM mechanism for intrusion detection in SCADA systems”, IET Electronics Letters, Volume 50, issue 25, December 2014, p 1935-1936
Abstract: Intrusion detection in real time systems is a problem without a profound solution. In Supervisory Control and Data Acquisition (SCADA) systems the absence of a defense mechanism that can cope with different types of intrusions is of great importance. False positive alarms, or mistakes regarding the origin of the intrusion, mean severe costs for the system. We present an integrated One-Class Support Vector Machine (OCSVM) mechanism that is distributed in a SCADA network, as part of an intrusion detection system (IDS), providing accurate information about the origin and the time of an intrusion. The module reads the network traffic, splits traffic according to the source of the packets and creates a cluster of OCSVM models. These trained models run in parallel and can accurately and quickly recognize different types of attacks.
13) Ester Ciancamerla, Benedetto Fresilli, Michele Minichino, Tatiana Patriarca and Serguei Iassinovski, “An electrical grid and its SCADA under cyber attacks, modelling versus a Hybrid Test Bed“, proceeding of 48th Annual International Carnahan Conference on Security Technology Rome, Italy – October 13-16, 2014, pp. 182 – 187. (ISBN 978-1-4799-3531-4)
14) S.Iassinovski, M.Minichino, E.Ciancamerla, “Quality of service indicators from simulation of electricity distribution system controlled by SCADA under cyber attacks“. Proceedings of the Congress on Intelligent Systems and Information Technologies, IS&IT’14. Scientific publication in 4 volumes. Moscow: Physmathlit, 2014, vol. 4, pp 48 – 55 (ISBN 978-5-9221-1572-8).
15) E. Ciancamerla, B. Fresilli, M. Minichino, S. Palmieri, T. Patriarca “Quality of Service of an Electrical Grid Under Cyber Attacks on its Supervisory Control And Data Acquisition System” ENEA magazine: EAI special issue I 2014 – ENEA technologies for security
16) E. Ciancamerla, M. Minichino, T. Roman, S. Voronca “Attack scenarios and expected consequences in SCADA System of a Power Grid“, proceedings of National Symposium on “Informatics, Automation and Telecommunications in Energy, the Tenth Edition – Sinaia, Romania – 22-24 October 2014.
17) Michele Minichino, Maurizio Aiello, Paul MacGregor “The protection of critical infrastructures: Institutional needs, research and industrial solutions” invited talk – Horizon 2020:Transforming Global Challenges in Opportunities for Growth – European Parliament, Brussels, 25th September 2014
18) E. Ciancamerla, M. Minichino “La Qualità del Servizio delle Reti Elettriche sotto attacchi informatici ai loro sistemi di Telecontrollo (SCADA)“ [Quality of Service of Electrical Grids under cyber attacks on their Supervisory Control (SCADA) systems], invited talk – Cyber Security Energia 2014 – 1st National Conference, Rome, 3 July 2014
19) Leandros A. Maglaras, Jianmin Jiang, “A novel intrusion detection method based on OCSVM and K-means recursive clustering“, EAI Transactions on Security and Safety, vol. 2, no 3, e5, pp. 1-10, January 2015 (accepted).
Abstract: In this paper we present an intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system, based on the combination of One-Class Support Vector Machine (OCSVM) with RBF kernel and recursive k-means clustering. Important parameters of OCSVM, such as Gaussian width σ and parameter ν, affect the performance of the classifier. Tuning of these parameters is of great importance in order to avoid false positives and overfitting. The combination of OCSVM with recursive k-means clustering leads the proposed intrusion detection module to distinguish real alarms from possible attacks regardless of the values of parameters σ and ν, making it ideal for real-time intrusion detection mechanisms for SCADA systems. Extensive simulations have been conducted with datasets extracted from small and medium sized HTB SCADA testbeds, in order to compare the accuracy, false alarm rate and execution time against the baseline OCSVM method.
20) Leandros A. Maglaras, Jianmin Jiang, “A real time OCSVM Intrusion Detection module with low overhead for SCADA systems“, International Journal of Advanced Research in Artificial Intelligence (IJARAI), Vol. 3, No.10, pp. 45-53, October, 2014.
Abstract: In this paper we present an intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system. Malicious data in a SCADA system disrupt its correct functioning and tamper with its normal operation. OCSVM (One-Class Support Vector Machine) is an intrusion detection mechanism that does not need any labeled data for training or any information about the kind of anomaly it is expecting for the detection process. This feature makes it ideal for processing SCADA environment data and automating SCADA performance monitoring. The OCSVM module developed is trained on network traces offline and detects anomalies in the system in real time. In order to decrease the overhead induced by communicated alarms we propose a new detection mechanism that is based on the combination of OCSVM with a recursive k-means clustering procedure. The proposed OCSVM intrusion detection module is capable of distinguishing severe alarms from possible attacks regardless of the values of parameters σ and ν, making it ideal for real-time intrusion detection mechanisms for SCADA systems. The most severe alarms are then communicated with the use of IDMEF files to an IDS (Intrusion Detection System) that is developed under the CockpitCI project. Alarm messages carry information about the source of the incident, the time of the intrusion and a classification of the alarm.
21) Leandros A. Maglaras, Jianmin Jiang, “Intrusion Detection in SCADA systems using machine learning techniques“, in proceedings of the IEEE Science & Information conference, London, 27-29 August 2014
Abstract: In this paper we present an intrusion detection module capable of detecting malicious network traffic in a Supervisory Control and Data Acquisition (SCADA) system. Malicious data in a SCADA system disrupt its correct functioning and tamper with its normal operation. OCSVM is an intrusion detection mechanism that does not need any labeled data for training or any information about the kind of anomaly it is expecting for the detection process. This feature makes it ideal for processing SCADA environment data and automating SCADA performance monitoring. The OCSVM module developed is trained on network traces offline and detects anomalies in the system in real time. The module is part of an IDS (intrusion detection system) developed under the CockpitCI project and communicates with the other parts of the system by the exchange of IDMEF messages that carry information about the source of the incident, the time and a classification of the alarm.
22) Leandros A. Maglaras, Jianmin Jiang, “OCSVM model combined with K-means recursive clustering for intrusion detection in SCADA systems“, in proceedings of the IEEE Qshine, Rhodes, 18-20 August 2014
Abstract: In this paper we present an intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system, based on the combination of One-Class Support Vector Machine (OCSVM) with RBF kernel and recursive k-means clustering. The combination of OCSVM with recursive k-means clustering leads the proposed intrusion detection module to distinguish real alarms from possible attacks regardless of the values of parameters σ and ν, making it ideal for real-time intrusion detection mechanisms for SCADA systems. The OCSVM module developed is trained on network traces offline and detects anomalies in the system in real time. The module is part of an IDS (Intrusion Detection System) developed under the CockpitCI project.
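The four abstracts above (entries 19 to 22) describe one pipeline: traffic is split by source, one model per source is trained offline on normal traces, live flows are scored against their source's model, recursive k-means clustering ranks the resulting alarms so that only the severe ones are communicated, and those alarms travel as IDMEF messages carrying source, time and classification. The Python script below is an added example illustrating that pipeline; it is not code from the papers or from the CockpitCI project. Because the standard library has no quadratic-programming solver, it substitutes an RBF-kernel density score (mean kernel value to the training flows, thresholded at the ν-quantile of leave-one-out training scores) for the OCSVM, while keeping the two knobs the abstracts say must be tuned (kernel width, here gamma, and outlier fraction ν). The flow features (packets per second, mean payload bytes, Modbus function code), the device addresses, the training and live traces, and the stopping rule of the recursive clustering step are all constructed assumptions for illustration; the IDMEF output is a minimal subset of the RFC 4765 Alert structure.

```python
import math
import random
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

# Constructed baselines for two field devices. Assumed per-flow features:
# (packets per second, mean payload bytes, Modbus function code).
BASELINES = {"10.0.1.11": (20.0, 12.0, 3.0), "10.0.1.12": (5.0, 40.0, 16.0)}

def make_training(seed=7, per_source=60):
    """Constructed offline training traces: normal flows with Gaussian jitter per feature."""
    rng = random.Random(seed)
    return [(src, tuple(b + rng.gauss(0, 1.0) for b in base))
            for src, base in BASELINES.items() for _ in range(per_source)]

def sq_dist(x, p):
    return sum((a - b) ** 2 for a, b in zip(x, p))

class RbfOneClassModel:
    """Stand-in for an RBF-kernel OCSVM (the stdlib has no QP solver): a flow's score is its mean
    RBF kernel to the training flows; the boundary is the nu-quantile of leave-one-out training
    scores. gamma is the kernel width (the papers' sigma), nu the tolerated outlier fraction."""
    def __init__(self, points, gamma=0.5, nu=0.05):
        self.points, self.gamma = list(points), gamma
        loo = sorted(self._score(p, skip=i) for i, p in enumerate(self.points))
        self.threshold = loo[int(nu * len(loo))]
    def _score(self, x, skip=None):
        ks = [math.exp(-self.gamma * sq_dist(x, p)) for i, p in enumerate(self.points) if i != skip]
        return sum(ks) / len(ks)
    def decision(self, x):
        """> 0 inside the learned normal region, <= 0 anomalous (OCSVM sign convention)."""
        return self._score(x) - self.threshold
    def severity(self, x):
        """Distance to the nearest training flow; ranks alarms, since the kernel score saturates at 0."""
        return math.sqrt(min(sq_dist(x, p) for p in self.points))

def train_per_source(traces, **kw):
    """Split traffic by source address and fit one model per source."""
    by_src = defaultdict(list)
    for src, feat in traces:
        by_src[src].append(feat)
    return {src: RbfOneClassModel(feats, **kw) for src, feats in by_src.items()}

def kmeans_1d(values, iters=20):
    """Two-cluster k-means on scalar severities; returns (low cluster, high cluster)."""
    lo, hi = min(values), max(values)
    if lo == hi:
        return list(values), []
    for _ in range(iters):
        low = [v for v in values if abs(v - lo) <= abs(v - hi)]
        high = [v for v in values if abs(v - lo) > abs(v - hi)]
        lo, hi = sum(low) / len(low), sum(high) / len(high)
    return low, high

def most_severe(alarms, max_report=3):
    """Recursive k-means: keep the high-severity cluster and split it again until it is small
    enough to forward. This stopping rule is the example's own assumption, not the papers'."""
    if len(alarms) <= max_report:
        return alarms
    _, high = kmeans_1d([a["severity"] for a in alarms])
    severe = [a for a in alarms if a["severity"] in high]
    if not severe or len(severe) == len(alarms):
        return alarms
    return most_severe(severe, max_report)

def idmef_alert(alarm, when):
    """Minimal RFC 4765 IDMEF Alert carrying source address, time and classification."""
    msg = ET.Element("IDMEF-Message", version="1.0")
    alert = ET.SubElement(msg, "Alert")
    ET.SubElement(alert, "CreateTime").text = when.isoformat()
    node = ET.SubElement(ET.SubElement(alert, "Source"), "Node")
    ET.SubElement(ET.SubElement(node, "Address", category="ipv4-addr"), "address").text = alarm["source"]
    ET.SubElement(alert, "Classification", text=alarm["classification"])
    if alarm["severity"] is not None:
        data = ET.SubElement(alert, "AdditionalData", type="real", meaning="anomaly-severity")
        ET.SubElement(data, "real").text = f"{alarm['severity']:.2f}"
    return ET.tostring(msg, encoding="unicode")

def detect(models, flows, when, max_report=3):
    """Score live flows with their source's model; returns (all alarms, forwarded IDMEF strings)."""
    alarms, unknown = [], []
    for src, feat in flows:
        model = models.get(src)
        if model is None:  # no baseline for this address: always forwarded, never ranked
            unknown.append({"source": src, "classification": "traffic from unknown source", "severity": None})
        elif model.decision(feat) <= 0:
            alarms.append({"source": src, "classification": "anomalous flow", "severity": model.severity(feat)})
    return alarms + unknown, [idmef_alert(a, when) for a in unknown + most_severe(alarms, max_report)]

# Constructed live flows: two normal, then a packet flood, two odd function codes, a rate
# shift, and one flow from an address never seen in training.
LIVE_FLOWS = [("10.0.1.11", (20.5, 11.8, 3.0)), ("10.0.1.12", (5.2, 39.0, 16.0)),
              ("10.0.1.11", (400.0, 12.0, 3.0)), ("10.0.1.11", (20.0, 12.0, 43.0)),
              ("10.0.1.12", (5.0, 40.0, 8.0)), ("10.0.1.11", (26.0, 12.0, 3.0)),
              ("10.0.1.99", (1.0, 1.0, 1.0))]

def demo():
    return detect(train_per_source(make_training()), LIVE_FLOWS, datetime(2014, 8, 20, tzinfo=timezone.utc))

if __name__ == "__main__":
    for message in demo()[1]:
        print(message)
```

Run as a script it prints the forwarded IDMEF messages. Two details matter in practice: the kernel score collapses to zero for anything far outside the normal region, so alarms are ranked by distance to the nearest training flow rather than by the score itself; and with the constructed flows the recursive split isolates the packet flood as the one alarm worth communicating, while the unknown-source flow bypasses the ranking and is always forwarded.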
Abstract: Despite the incommensurable effort made from across computer science disciplines to provide more secure systems, compromising the security of a system has now become a very common and stark reality for organizations of all sizes and from a variety of sectors. The lax in the technology has often been cited as the salient cause of systems insecurity. In this paper we advocate the need for a Security Assurance (SA) system to be embedded within current IT systems. Such a system has the potential to address one facet of cyber insecurity, which is the exploit of lax within the deployed security and its underlying policy. We discuss the challenges associated with such an SA assessment and present the flavor of its evaluation and monitoring through an initial prototype. By providing indicators on the status of a security matter that is more and more devolved to the provider, as is the case in the cloud, the SA tool can be used as a means of fostering better security transparency between a cloud provider and client.
26) L.Yasakethu, J.Jiang, A.Graziano, “Intelligent risk detection and analysis tools for critical infrastructure protection“, IEEE EUROCON 2013.
27) J.Jiang, L.Yasakethu, “Anomaly Detection via One Class SVM for Protection of SCADA Systems”, in 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), IEEE, 2013, pp. 82-88.
Abstract: Funded by European Framework-7 (FP7), the CockpitCI project aims at developing intelligent risk detection, analysis and protection techniques for Critical Infrastructures (CI). In this paper, we describe our recent research on automated anomaly detection from central Supervisory Control and Data Acquisition (SCADA) systems and their related commands/measurements in the SCADA-field equipment communications. The work exploits the concept of one-class SVM (Support Vector Machines) and adaptively controls its decision parameter to detect unusual patterns from inputs and generate alarms for on-site engineers to further investigate. Experiments on simulation data sets from telecommunication networks illustrate that the proposed algorithm achieves high detection rates, providing excellent potential for further research and development towards practical tools for protection of SCADA systems.
28) C. Foglietta, S. Panzieri, D. Macone, F. Liberati, A. Simeoni, “Detection and Impact of Cyber Attacks in a Critical Infrastructures Scenario: the CockpitCI Approach“, International Journal System of Systems Engineering, Volume 4, Issue 3, pp. 211-221, 2013, DOI 10.1504/IJSSE.2013.057669.
Abstract: Critical infrastructure protection is a key point from a social and economic point of view. The FP7 MICIE project has achieved promising results in evaluating the impact of failures and faults in interdependent physical systems, such as critical infrastructures. In order to achieve this goal, the consortium developed an online risk prediction tool, able to acquire information from local physical systems through their control centres and obtain accurate and synchronised predictions using shared interdependency models. However, the results of the MICIE project are not enough to quickly and effectively react to all adverse events that may occur over the system of systems and, in particular, to face cyber threats and attacks. The EC FP7 CockpitCI project aims to improve the resilience and dependability of CIs through the design and the implementation of an alerting system that provides CI operators with an efficient tool to support them in preventing the impact of cyber attacks on real systems and in implementing possible consequence containment strategies in case of attack.
29) A.Di Pietro, C.Foglietta,S.Palmieri,S.Panzieri, “Assessing the Impact of Cyber Attacks on Interdependent Physical Systems”, Critical Infrastructure Protection VII, IFIP Advances in Information and Communication Technology Volume 417, 2013, pp 215-227.
Abstract: Considerable research has focused on securing SCADA systems and the physical processes they control, but an effective framework for the real-time impact assessment of cyber attacks on SCADA systems is not yet available. This paper attempts to address the problem by proposing an innovative framework based on the mixed holistic reductionist methodology. The framework supports real-time impact assessments that take into account the interdependencies existing between critical infrastructures that are supervised and controlled by SCADA systems. Holistic and reductionist approaches are complementary approaches that support situation assessment and evaluations of the risk and consequences arising from infrastructure interdependencies. The application of the framework to a sample scenario on a realistic testbed demonstrates the effectiveness of the framework for risk and impact assessments.
30) Paulo Simões, Tiago Cruz, Jorge Proença, Edmundo Monteiro, “Honeypots especializados para Redes de Controlo Industrial” [Specialized Honeypots for Industrial Control Networks], 7th Iberian-American Congress on Informatics Security (CIBSI 2013), Panama, October 2013.
31) A.Bobbio, L.Egidi, E.Ciancamerla, M.Minichino, R.Terruggia, “Weighted attack trees for the Cybersecurity analysis of SCADA Systems“, DHSS, 2013 International Defense and Homeland Security Simulation Workshop, Athens, Greece, 25-27 September 2013.
32) Lasith Yasakethu, Jianmin Jiang, “Intelligent Risk Detection and Analysis Tools for Critical Infrastructure Protection”, IEEE Eurocon conference, Croatia, July 2013.
Abstract: The protection of national infrastructures from cyber-attacks is one of the main issues for national and international security. In this article we describe a new European Framework-7 (FP7) funded research project, CockpitCI, and introduce intelligent risk detection, analysis and protection techniques for Critical Infrastructures (CI). The paradox is that CIs massively rely on the newest interconnected and vulnerable Information and Communication Technology (ICT), while the control equipment, legacy software/hardware, is typically old. Such a combination of factors may lead to very dangerous situations, exposing systems to a wide variety of attacks. To overcome such threats, the CockpitCI project combines machine learning techniques with ICT technologies to produce advanced intrusion detection and reaction tools to provide intelligence to field equipment. This will allow the field equipment to perform local decisions in order to self-identify and self-react to abnormal situations introduced by cyber-attacks.
33) E.Ciancamerla, M.Minichino, S.Palmieri, “Modelling SCADA and corporate network of medium voltage power grid under cyber attacks”, SECRYPT 2013, Iceland, 29-31 July 2013.
34) E.Ciancamerla, M.Minichino, S.Palmieri, “Modeling cyber attacks on a critical infrastructure scenario“, IISA2013, 10-12 July 2013.
Abstract: Critical infrastructures, such as electrical grids, are monitored and controlled by SCADA (Supervisory Control And Data Acquisition) systems. Cyber attacks against SCADA might put CI and in turn industrial production, environment integrity and human safety at risk. Here, with reference to an actual case study, constituted by an electrical grid, its SCADA system and a corporate network, we discuss how cyber threats, vulnerabilities and attacks might degrade the functionalities of SCADA and corporate network and, in turn, lead to outages of the electrical grid. We represent SCADA and corporate network under malware propagation, Denial of Service and Man In The Middle attacks, and predict their consequent functionalities. Particularly, we use NetLogo to identify possible malware propagation in relation to the SCADA & corporate security policies adopted by the utility and the NS2 simulator to compute the consequences of such cyber attacks on SCADA and in turn on electrical grid functionalities.
35) P.Simões, T.Cruz, J.Proença, E.Monteiro, “On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks”, 12th European Conference on Information Warfare and Security (ECIW2013), Jyväskylä, Finland, July 2013.
Abstract: In the last few years, Industrial Control Systems (ICS) have evolved from proprietary systems to open architectures, strongly interconnected with other corporate networks and even with the Internet. Initially, ICS systems were isolated by nature, being limited to the process network. Security was guaranteed by both obscurity and isolation (a bad practice, anyway!). However, the progressive move towards interconnecting the ICS with corporate networks and the internet, together with the use of mainstream ICT technologies and the increasing adoption of open, documented protocols, exposed serious weaknesses in SCADA (Supervisory Control and Data Acquisition) platforms. SCADA systems are becoming increasingly similar to ICT systems. While ICT systems put more focus on confidentiality and data integrity, ICS systems are built with availability as top priority, often at the cost of confidentiality and data integrity. This kind of SCADA-oriented cyber threat awareness constitutes the core topic of CockpitCI, a European project focused on improving the resilience and dependability of Critical Infrastructures (such as energy production and distribution grids). As part of this project, we have been researching novel strategies to develop, deploy and manage low cost honeypots for the SCADA field networks.
36) M.Ouedraogo, M.Khodja, D.Khadraoui, “Predicting the QoS of Critical Infrastructure through Analysis of the Cyber Security Vulnerabilities”, ARES-RISI 2013 Workshop.
Abstract: In this paper, we first present an attack-graph based estimation of security risk and its aggregation from lower level components to an entire service. We then present an initiative towards appreciating how the quality of service (QoS) parameters of a service may be affected as a result of fluctuations in the cyber security risk level. Because the service provided by a critical infrastructure is often vital, providing an approach that enables the operator to foresee any QoS degradation as a result of a security event is paramount. We provide an illustration of the risk estimation approach along with a description of an initial prototype developed using a multi-agent platform.
37) Lasith Yasakethu, Jianmin Jiang, “Computerized risk detection towards Critical Infrastructure Protection: An Introduction of CockpitCI Project”, Proceedings of The Global Virtual Conference 2013 (GV-CONF 2013), Goce Delchev University Macedonia & THOMSON Ltd. Slovakia, April 2013. ISBN: 978-80-554-0649-7, ISSN: 1339-2778, vol. 1, issue 1, pp. 602–606, 2013.
Abstract: In this article we describe a new European Framework-7 (FP7) funded research project, CockpitCI, and introduce the concepts of intelligent risk detection, analysis and protection techniques for Critical Infrastructure (CI) Protection. Typical attacks could be performed by blocking communication from central Supervisory Control and Data Acquisition (SCADA) to local equipment or by inserting fake commands/measurements in the SCADA-field equipment communications. The paradox is that CIs massively rely on the newest interconnected and vulnerable Information and Communication Technology (ICT), while the control equipment, legacy software/hardware, is typically old. To overcome such threats, the CockpitCI project combines machine learning techniques with ICT technologies to produce advanced intrusion detection and reaction tools to provide intelligence to field equipment. This will allow the field equipment to perform local decisions in order to self-identify and self-react to abnormal situations introduced by cyber-attacks.
38) Jonathan Blangenois, Guy Guemkam, Christophe Feltus, Djamel Khadraoui, “Organizational Security Architecture for Critical Infrastructure” (ARES-FARES 2013 workshop)
39) Lasith Yasakethu, Jianmin Jiang, “Real-Time Intrusion Detection for Critical Infrastructure Protection: CockpitCI Approach”, eForensics magazine-Network, Vol-1, No-4, pp18-25, December 2012.
Abstract: Cyber-attacks against control systems are considered extremely dangerous for critical infrastructure operation. Today, the protection of critical infrastructures from cyber-attacks is one of the crucial issues for national and international security. Over the past ten years, intrusion detection and other security technologies for critical infrastructure protection have increasingly gained in importance.
40) M.Castrucci, E.Ciancamerla, F.Delli Priscoli, S.Iassinovski, F.Liberati, D.Macone, M.Minichino, S.Panzieri, A.Simeoni, “Detection of and reaction to cyber attacks in a Critical Infrastructures scenario: the CockpitCI approach”, International Defense and Homeland Security Simulation Workshop, Vienna, Austria, 19-21 September 2012.
42) E.Ciancamerla, M.Minichino, S.Palmieri, “On prediction of QoS of SCADA accounting cyber attacks”, Probabilistic Safety Assessment and Management Conference (PSAM11) and the Annual European Safety and Reliability Conference (ESREL 2012), Helsinki, Finland, 25-29 June 2012.
43) A.Bobbio, A.Bonaventura, E.Ciancamerla, D.Lefevre, M.Minichino, R.Terruggia, “Temporal network reliability in perturbed scenarios: Application to a SCADA system”, in proceedings of the IEEE Annual Reliability and Maintainability Symposium (RAMS), Reno, 2012.
Abstract: The role of network reliability in the analysis of Critical Infrastructures (CI) is investigated, showing that the traditional approach must be extended in two directions: to include the packet propagation time along the links for real time analysis, and to include networks in which many sources may be variously connected to many sinks. A case study of a SCADA system controlling a power grid, originated from the EU Project MICIE (MICIE – Tool for systemic risk analysis and secure mediation of data exchanged across linked CI information infrastructures), is examined in detail, by considering the system in normal operation and when perturbed by malicious attacks. The paper describes an analytical model that can provide timely and accurate information about the reliability status of the system, and that can rapidly be adapted to the changing configurations of the interacting networks. The aim of this work is to explore the feasibility of providing the human operators with a reliability monitor that assists them in checking the status of the system.