December 2022 issue

Service offering: Guidance on the use of attack detection systems

© Fraunhofer

With the enactment of the 2nd IT Security Act, operators of critical infrastructures are obliged to take appropriate organizational and technical precautions to prevent disruptions to the protection goals of "availability", "integrity", "authenticity" and "confidentiality". In order to implement this across the board, the new Section 8a (1a) of the Federal Office for Information Security Act (BSI Act - BSIG) explicitly refers to the introduction of systems for attack detection (SzA) [1]:

"Attack detection systems in the sense of this law are processes supported by technical tools and organizational integration for detecting attacks on information technology systems. In this context, attack detection is performed by comparing the data processed in an information technology system with information and technical patterns that indicate attacks."
(Section 2 (9b) BSIG)

For the implementation, the BSI published an orientation guide for the use of attack detection systems on 29.09.2022 [2], which describes the introduction of SzA for operators of critical infrastructure by defining three task areas: Logging, Detection, and Response (see figure).

Above all, the planning and implementation steps require a thorough analysis of one's own infrastructure; this is the basis for selecting and successfully introducing suitable systems.

We will be happy to support you on the path to compliance with Section 8a (1) and work with you to develop concepts for the successful introduction of the SzA in the specific circumstances of your company and your process structures. We will address this topic more explicitly in the next issue. 


[1] https://www.gesetze-im-internet.de/bsig_2009/__8a.html
[2] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/KRITIS/oh-sza.pdf

Service offering: Cyber-physical anomaly detection for IT-secure operation of electrical networks (CyPhAn)

© Fraunhofer | Anomaly detection

The advancing convergence of IT and OT infrastructures in the field of electrical power supply is leading to increasing communications networking of sensors and actuators as well as automation in the control and monitoring of electrical networks. The predominantly used TCP/IP-based transmission protocols are rarely adequately protected, and a comprehensive consideration of IT security aspects plays a rather subordinate role in electrical network management. The energy supply sector and the infrastructures that depend on it are therefore exposed to a particularly high risk from IT attacks (see, for example, the BlackEnergy attack in Ukraine).

Network-based intrusion detection systems (NIDS) are a widely used approach for attack detection in computer networks. On this basis, the CyPhAn monitoring system, which is specially designed for network operators, was developed. This system performs in-depth decoding and evaluation of communication, including the measurement and control signals transmitted in the process, between the field and control levels. Expert systems and AI models (e.g. recurrent Seq2Seq networks) are combined in a hybrid approach and enable simultaneous monitoring of the state of the data communication and the electrical network based on the analysis of all relevant protocol information. For this purpose, CyPhAn provides the following monitoring functions:

  • the detection of communication-related anomalies or IT attacks (CyPhAn.Network),
  • the detection of process-related anomalies (CyPhAn.Phasor) as well as
  • the classification of the operational state, including the simultaneous location and identification of technical operational anomalies (CyPhAn.Class).

Thus, among other things, the effects of faulty or corrupted communication on operational processes can be detected directly and appropriate countermeasures initiated. As a platform-independent, modular software solution, CyPhAn offers additional functions

  • for data management (message bus),
  • for configuration or training of the monitoring algorithms,
  • for interoperable data exchange via standardized interfaces (e.g. CIM) and
  • a web-based visualization interface.

This enables flexible integration into existing control system architectures as well as direct coupling to higher-level control system applications (e.g. SCADA). The basic system architecture as well as some visualization examples are shown in the figure.

By evaluating information at the communication and process levels simultaneously, different anomalies can be classified, and both the actual operating state of the electrical network and the communication state of the data transmission can be assessed correctly. CyPhAn thus represents a holistic and powerful monitoring solution for safeguarding network operations for control center operators, in particular by ensuring secure data transmission. This is a new quality, especially given the increasing fusion of classical control center operation with the new requirements arising from the development of SOCs (Security Operations Centers). The solution is an important tool for establishing cyber resilience in the energy supply. With CyPhAn, IT attacks in particular can be detected early, and consequential effects such as data theft, supply outages or even network instabilities can be minimized. This increases the quality of supply in the network area and can be used in the future as a new quality feature, "IT-secure energy", for upgrading energy services.

Research: HyLITE - Digital-Twin-centric services and applications for the dynamic operation and protection of the future energy supply system.

© Fraunhofer | Graphic HyLITE

Despite high requirements within the framework of legal regulations such as the IT Security Act or the introduction of information security management systems (ISMS), energy suppliers remain the focus of cyber attacks. Network control centers, which are responsible for secure network operation, are particularly sensitive. Thousands of data points and measured values are analyzed in these control rooms every day, critical operating situations are detected and appropriate switching and control processes are derived. If an attacker gains access from outside and, for example, intentionally manipulates measured values, this can lead to incorrect switching actions and, in the worst case, to a blackout.

In a previous project, AI methods were already developed for automatic fault detection as well as for the detection of critical network states (line failures, power plant outages) based on so-called PMU sensors. In the research project "Digital-Twin-centric Services and Applications for Dynamic Operation and Protection of the Future Energy Supply System" (HyLITE), funded by the German Federal Ministry for Economic Affairs and Climate Action (BMWK), this approach has now been extended to cover the entire network traffic, including the PMU and SCADA measurements transmitted between the grid and the control system, a particularly sensitive area in grid operation. Project partners are the Technical University of Ilmenau (Department of Electrical Power Supply), SIEMENS AG and the Fraunhofer Institute for Factory Operation and Automation IFF.

Taking into account the latest developments in network control technology and the increasing use of digital twins, a threat analysis was first conducted for the underlying system architecture. Based on this, a new approach was developed at Fraunhofer IOSB-AST, which automatically monitors all network and process information between the network and control system in real time and checks it for manipulation. The result is an AI-supported, intelligent monitoring solution for network control systems, which first automatically learns the normal behavior at the measurement and communication level. The software can detect not only the current operating situation and technical failures or faults, but also anomalies in the measured values or data traffic between the electrical network and the control system. This makes it possible for the operator in charge to monitor network operation and the communications equipment used in real time. It is accessed via a real-time web-based visualization that provides a quick overview of the AI-based anomaly assessments.

The AI-based monitoring solution was successfully tested in the laboratory environment at Fraunhofer IOSB-AST using real-time simulations. In addition to various operating situations and technical faults, IT attacks on common transmission protocols such as IEC 61850 or IEEE C37.118 can be simulated, and their effects on dynamic network operation investigated.

Podcast: AI protects energy networks from cyberattacks

© Fraunhofer | Podcast

"The topic of cyber resilience will play an increasingly important role among security managers in the coming years."

Cyberattacks on utility networks have increased sharply in recent years. When the power goes out, it is not just the lights at home that go out: subways stop running and cellular networks fail. Energy providers have improved their protective measures in recent years and are investing in IT security.

Our expert Steffen Nicolai explains how AI helps to detect attacks from the network even faster - and what progress the utilities have already made.


Introducing the staff of the Cybersecurity Learning Lab for Energy and Water Supply

© Fraunhofer | Dipl.-Inf. Oliver Nitschke

In this section we would like to introduce you to our colleagues. Today, we introduce Oliver Nitschke, our research fellow. Oliver has been working at the Learning Laboratory for Cybersecurity (LLCS) for Energy and Water Supply since the very beginning. In this interview, he explains what makes his job as a research fellow at LLCS particularly exciting.


What exactly do you do at the learning lab as a research associate?

My job encompasses many different aspects, which share a common goal: continuously raising the security level of our critical infrastructures. In training courses, I impart the necessary knowledge and skills to achieve this - preferably in an entertaining, informative and, above all, practical manner. By auditing digitization concepts and IT/OT infrastructures, I uncover vulnerabilities before attackers can and support operators in securing them. Both focus areas also require the development and implementation of training and testing platforms. I played a major role in developing the prototype of our training platform. Currently, I am involved in building a CTF (Capture the Flag) environment within our lab. Of course, I also supervise several students as research assistants, interns and graduates, as junior staff for the learning lab as well as urgently needed specialists for utilities.

What do you think makes the learning lab unique?

Through the existing and future consortia, the learning lab covers all key topics in the context of IT security and creates the opportunity to also provide broad-based companies, utilities and societies with holistic support in securing their infrastructures.

The learning lab for energy and water supply at AST offers customers real environments to experience, understand and apply attacks and security measures. This is especially evident in training courses, when our participants highlight the high practical content, the many "AHA moments" and the in-house convenience provided by our mobile training platform.

Where do you see the biggest challenges for energy and water utilities in the context of cybersecurity today?

The "top 5" should be familiar to everyone. I would like to add the following: skills shortages, complexity, legal requirements and the general situation are challenges that make a structured, positive and targeted approach to a holistic view of security much more difficult and may well cause resignation among employees. Here, it is important for CIOs, information security officers (ISBs) and supervisors to act as role models and to keep the information security culture alive and continue to develop it. There is no company, no utility that is not attacked - but the vast majority are secure and resilient enough not to suffer any (serious) damage - this basis must be maintained and expanded.

You've been on the Cybersecurity Learning Lab team since the beginning. How have you been able to develop and what personal strengths do you bring to the learning lab?

Thinking outside the box, asking the right question in the right place, being interested in and communicating between technical interfaces, and the odd quirky idea - that's how you could describe the use of my personal strengths for the LLCS. Personally, I have learned a lot, especially in the area of IT/OT. It is an interesting combination, both technically and personally. As a trainer, you never stop learning, and with the Fraunhofer Academy you have a good partner at your side. A few days ago, I was able to formally confirm my competencies as a lecturer by successfully passing the Certified Scientific Trainer exam.

Describe the LLCS for energy and water supply at Fraunhofer IOSB-AST in three words.

Interdisciplinary, (inter)active, empowering.

Next training dates

You can find the current training dates here: