This post provides an update on response against cyber-physical attacks and impact mitigation (WP5). To read the previous article on WP5, please follow THIS LINK.
In WP5 a milestone has been reached: first versions of all tools developed in the WP are operational on the CyberRange. These tools are (1) the Incident Management Portal developed by Airbus CyberSecurity, (2) the Investigation Tool by ISEP, (3) the Impact Propagation Simulation by Fraunhofer, (4) the Business Impact Assessment by INOV and (5) the Crisis Alerting System by Satways (see Figure 1). The main achievement, besides the development of the tools themselves, is the implementation of web services on the respective virtual machines on the CyberRange for each tool. They enable the tools to communicate and exchange data.
Figure 1: Interrelations between the tools deployed on the CyberRange
First, the Incident Management Portal receives an alert on the CyberRange due to a cyber-physical attack on some airport system. It provides a graphical user interface to visualize the information. Alerts will be analysed by a SOC (Security Operation Centre) operator, supported by the Investigation Tool and the Business Impact Assessment and other systems connected on the CyberRange (see other WPs). The Investigation Tool uses a machine learning engine that correlates data from different time frames to detect unusual events and to improve attack evidence identification. The Business Impact Assessment is a tool to evaluate the damage of cyber-threats on airport services using dependency graphs and business process modelling. In SATIE, it is especially employed to analyse the impact of cyber-threats on airport baggage handling services.
Next, depending on the kind of alert and the properties of the attack, the alert will be classified as an incident. The incident will then be communicated to the Crisis Alerting System and the Impact Propagation Simulation. The latter introduces the incident into a simulation environment in which the threat is propagated through the airport systems. The impact is quantified through pre-defined performance functions, which also enable the evaluation of the airport systems' recovery and finally their resilience. Different mitigation options can be tested, which supports decision making. These results are provided to the Incident Management Portal and the Crisis Alerting System.
Finally, the Incident Management Portal gives the SOC operator access to the visualizations, received as URLs included in the output messages from the Investigation Tool, the Business Impact Assessment and the Impact Propagation Simulation. The Crisis Alerting System combines the information from the security and safety systems of the airport with the information provided by the SOC and the Impact Propagation Simulation in order to provide the operational picture to AOC (Airport Operation Centre) operators. Moreover, the notification and alerting of the involved safety agencies and affected passengers is supported.
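To make the alert-to-incident-to-impact chain described above concrete, here is a small added example in Python. It is not code from any SATIE tool: the alert fields, the classification rule, the airport dependency graph, the piecewise-linear performance function, the resilience metric (mean performance over a time horizon) and the report URL are all assumptions chosen for illustration. What it shows is how an incident propagates over a dependency graph with a delay and attenuation per hop, how a performance function turns that into a per-system score, and how comparing two recovery options yields the kind of decision support the text mentions.

```python
from collections import deque

# Constructed alert, as the Incident Management Portal might receive it
# from a detection system on the CyberRange (field names are assumptions).
SAMPLE_ALERT = {
    "id": "alert-0001",
    "source": "bhs_control_plc",        # affected airport system
    "category": "unauthorised_command",
    "confidence": 0.92,
}

# Assumed dependency graph: key -> list of systems that depend on it.
# This is an illustrative baggage-handling chain, not SATIE's model.
DEPENDENCIES = {
    "bhs_control_plc": ["baggage_sorter"],
    "baggage_sorter": ["baggage_handling", "departure_control"],
    "baggage_handling": ["flight_departures"],
    "departure_control": ["flight_departures"],
    "flight_departures": [],
}

CRITICAL_CATEGORIES = {"unauthorised_command", "malware_execution", "sensor_spoofing"}


def classify_alert(alert, min_confidence=0.8):
    """Assumed rule: an alert becomes an incident when its category is
    critical and detection confidence is high enough; otherwise None."""
    if alert["category"] in CRITICAL_CATEGORIES and alert["confidence"] >= min_confidence:
        return {
            "id": alert["id"].replace("alert", "incident"),
            "system": alert["source"],
            "severity": "high",
        }
    return None


def propagate(incident, graph, delay_per_hop=10, attenuation=0.5):
    """Breadth-first propagation over the dependency graph.

    Returns {system: (onset_minute, loss)} where loss is the fraction of the
    system's performance lost at onset. Each hop adds a delay and attenuates
    the loss; if a system is reachable on several paths the largest loss wins.
    """
    start = incident["system"]
    reached = {start: (0, 1.0)}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        onset, loss = reached[node]
        for dependent in graph.get(node, []):
            candidate = (onset + delay_per_hop, loss * attenuation)
            if dependent not in reached or candidate[1] > reached[dependent][1]:
                reached[dependent] = candidate
                queue.append(dependent)
    return reached


def performance(t, onset, loss, recovery_minutes):
    """Assumed piecewise-linear performance function: full service before
    onset, a drop of `loss` at onset, then linear recovery to full service."""
    if t < onset:
        return 1.0
    elapsed = t - onset
    if elapsed >= recovery_minutes:
        return 1.0
    return 1.0 - loss * (1 - elapsed / recovery_minutes)


def resilience(impacts, recovery_minutes, horizon=120):
    """Per-system resilience as mean performance over the horizon
    (1.0 means no impact). A resilience-triangle style metric, assumed here."""
    scores = {}
    for system, (onset, loss) in impacts.items():
        total = sum(performance(t, onset, loss, recovery_minutes) for t in range(horizon))
        scores[system] = total / horizon
    return scores


def simulate(alert, mitigations):
    """Run the chain: classify, propagate, then score each mitigation option
    (name -> assumed recovery time in minutes). Returns None if no incident."""
    incident = classify_alert(alert)
    if incident is None:
        return None
    impacts = propagate(incident, DEPENDENCIES)
    results = {}
    for name, recovery_minutes in mitigations.items():
        per_system = resilience(impacts, recovery_minutes)
        results[name] = {
            "per_system": per_system,
            "overall": sum(per_system.values()) / len(per_system),
            # Placeholder URL standing in for the visualization link a tool
            # would return to the Incident Management Portal.
            "visualisation_url": f"https://ips.example/reports/{incident['id']}/{name}",
        }
    return {"incident": incident, "impacts": impacts, "results": results}


if __name__ == "__main__":
    outcome = simulate(SAMPLE_ALERT, {"no_mitigation": 60, "manual_sorting": 30})
    for name, result in outcome["results"].items():
        print(f"{name}: overall resilience {result['overall']:.3f} -> {result['visualisation_url']}")
```

The two mitigation options differ only in the assumed recovery time, so the overall score directly ranks them; a real tool would replace the linear recovery with measured or modelled performance curves per system.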
The next steps involve the development of secure communication channels between the tools using single sign-on solutions and LDAP credentials. The tools and their graphical user interfaces will be gradually enriched with more information and finally tested against cyber-physical attacks on airport systems.
Note: This output reflects the views only of the author(s), and the European Union cannot be held responsible for any use which may be made of the information contained therein. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 832969.