This is another post in a series of articles about the SATIE project work-packages (WPs). The idea is to present the reader with more information on the work planned in the project and how planned activities will help to achieve the project goals. This post is about WP5, while future posts will discuss other project WPs.

Aims and Work Plan of WP5

In WP5 several technical solutions are developed and work together towards a response to and mitigation strategies against cyber-physical attacks. The solutions are (i) the anticipated impact assessment and decision support system with a web-oriented architecture, (ii) the forensics investigation system for timeline analysis, (iii) the incident management portal and (iv) the crisis alerting system. Based on these connected systems, the response mechanisms in case of successfully conducted cyber and physical attacks will be improved. Furthermore, the consequences and impact of such attacks will be minimized. In the following, the single systems and corresponding implementation steps are presented.

Figure 1: Interrelations between the tools

Impact propagation simulation for anticipated impact assessment

The goal of the impact propagation simulation for anticipated impact assessment is to analyse the consequences of failures in airport systems and to deliver the data base for resilience assessment and possible mitigation strategies. It is based on a model which includes various aspects of impacts and their possible propagations. The model represents the airport and its systems, defines important system parts and services. It will be integrated in the software tool CaESAR developed at Fraunhofer EMI. This software tool allows operators to analyse the impact of cyber, physical and combined attacks and possible impacts of it through different services. The results of the impact propagation assessment can be used for a resilience assessment with cyber, physical, cyber-physical, economic and societal aspects.

Investigation System with time series analysis of multistep threat scenarios

The investigation tool will be able to deal with the analysis of data from heterogeneous systems, over different time frames and to correlate them to find evidences of the causes of an attack. For that the investigation tool will analyse syslog data and rules from the correlation engine and unify the physical security and logical security investigation. It will analyse additional security details, providing contextual and semantic data, to identify causes for security events and threats started by an alert, and feed the correlator with new and/or improved rules. ML methodologies will be applied for outlier detection, going beyond traditional one-class algorithms and considering ensemble methods to detect unusual events that may help to find evidences of attacks. An intelligent dashboard will also be developed in order to support decision makers in a deep analysis of how the breaches and the assets were explored and compromised.

Cyber-physical incident management portal for enhanced awareness

The incident management portal will help to analyse, respond and remediate the incidents from reception until the resolution. The aim of the incident management system is to efficiently manage alerts and incidents in order to mitigate the risks and reduce response time. It is based on a web portal, which displays aggregated alerts in near real time. The web portal embeds several graphical widgets about forensics investigation and simulation of impact propagation. A graphical framework is developed that allows operators to qualify security incidents and optimize decision making in case of complex scenarios of threat.

Crisis alerting system for coordinated security and safety responses

The crisis management and alerting system performs two main functions: The first one is the generation of the Operational Picture by integrating information from the Airport Security Operations Center and other security & safety management systems. The second function is an incident information sharing and alerting service for the various stakeholders involved during the response. The main objective is to communicate information to the right person, at the right moment on the right channel, considering data content and data sensitivity (e.g. confidentiality).

Note: This output reflects the views only of the author(s), and the European Union cannot be held responsible for any use which may be made of the information contained therein. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 832969.

This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement number 832969.

Copyright 2021 SATIE. All rights reserved. Privacy Policy