IKTPLUSS-IKT og digital innovasjon

Cybersecurity Platform for Assessment and Training for Critical Infrastructures – Legacy to Digital Twin

Alternative title: Cybersecurity platform for assessment of and training on critical infrastructure

Awarded: NOK 24.0 mill.

The main goal of the CybWin project has been the development of a cybersecurity platform with physical, replicated and simulated components of real-world critical infrastructure, empowered with tools for RAMS (reliability, availability, maintainability, safety) assessment, vulnerability assessment, attack simulation, incident prediction and response. CybWin has three focal domains: energy production, energy distribution and air traffic management.

The project has given academia and industry a unique opportunity to address real cybersecurity challenges on realistic, full-scale critical infrastructure systems. Academia has gained access to realistic systems and data, and outcomes from research have had direct, practical impact. For participating industry, the project has provided access to expertise and supported a better understanding of system cyber security and direct improvement of systems and solutions. Participating third-party system and solution providers have received relevant performance data and experience from the project to further improve their products and solutions. CybWin has cooperated with other research projects and provided access to infrastructure and generated knowledge throughout the project.

CybWin project members have, in addition to 29 peer-reviewed papers and journals, actively participated in workshops, lectures, dissemination and public media appearances representing the project. CybWin has provided use cases and academic support to BSc and MSc students. In the period 2020-2022, CybWin arranged the EnCyCriS workshop in conjunction with the International Conference on Software Engineering (ICSE), resulting in another 20 peer-reviewed articles within cybersecurity of critical infrastructure (CI). CybWin has supported one PhD candidate and a PostDoc position, hosted by NTNU.
The PhD work has resulted in a framework for modeling cybersecurity training exercises, which has been further refined and improved through experimentation, resulting in 3 conference articles and 3 conference journals. The PostDoc position has resulted in 2 articles.

Some examples of research results in the CybWin project are:

To better understand the threat landscape of the critical infrastructure, CybWin has proposed a methodology of six processes for conducting a quantitative information security vulnerability assessment. The methodology was applied, and a quantitative vulnerability assessment for the Norwegian critical infrastructure has been published.

State-of-the-art and state-of-the-practice studies have been conducted to elicit what is available regarding: an integrated risk model for RAMS and cybersecurity that could be applied during fast-evolving cyber incidents; key competencies for critical infrastructure cybersecurity; human preparedness and training for cybersecurity; and simulation modelling for cybersecurity incident prediction. These studies will form the basis for developing novel solutions for system, RAMS and security modelling, simulation models for incident response, and frameworks for human competencies, preparedness, and training for cybersecurity.

Three testbeds representing each of the focal domains are being implemented. These testbeds contain hardware-in-the-loop simulated systems that can be used for cybersecurity experimentation. In 2021 and 2022, the testbed for energy distribution was developed, and ongoing research addresses a set of attack vectors, the corresponding system behavior, and the identification of appropriate incident response, resulting in concrete measures for improving system resilience and operator response. In 2021, within air traffic control, a cybersecurity experiment focusing on the air traffic controller's ability to identify cyber system behavior was performed, revealing a need for controller training in cyber conditions.
This work was strengthened in 2022 with the development of cybersecurity scenarios for the Eurocontrol simulation and training center for air traffic controllers in Luxembourg. Three experiments were performed using licensed controllers, and the results of the experiments are already included in Eurocontrol training courses. Further publications related to the project are forthcoming, including results from technical experiments, operator experience and lessons learned. Several project partners are pursuing more research and collaboration from where the project left off, with an interest in both technical and practical cyber security on CI. The CI enclaves in the IFE Cyber Security Centre support future research applications into cyber security at both EU and national level.

The CybWin project has established three hardware-in-the-loop (HIL) enclaves in the IFE CyberSecurity Centre, namely the digital station (DS) (Statnett), the ARTAS radar tracker and server (Eurocontrol), and the Safety fan (IFE). The DS from Statnett is representative of real-world substations with Siemens substation equipment. ARTAS is a radar signal server providing air traffic controllers with a situation data display. The enclaves are of value as they provide realistic environments for cybersecurity research and testing.

As an example, for the DS, the laboratory has been used to gain insights and a deeper understanding of the cybersecurity challenges involved in the current SCADA communication over the IEC 104 protocol. It has also enabled Statnett to study the challenges related to introducing the IEC 61850 process bus into substations. The project has established a collaborative effort that spans asset owners, vendors, research and regulators within power distribution. This collaborative effort will be expanded going forward to include more stakeholders from the power grid industry. Results have been disseminated to power grid stakeholders, especially distribution system operators (DSO) such as Elvia and production companies such as Statkraft, but also to other transmission system operators (TSO), especially the Swedish and Finnish TSOs Svk and Fingrid.

Cyberattacks have been performed on the ARTAS radar tracker system, and two operational experiments with licensed air traffic controllers have been performed. The attacks on ARTAS provided an independent verification of the internal penetration test results. The operational simulator scenario created a starting point for the development of further scenarios that will be used for preparing ATCOs for ATC-targeted cyber-attacks.
Within nuclear, the IFE safety fan setup enclave provided important insights into the cyber behavior of operational technology and its impacts on the control room and operator overview, and it supported improvement of procedures and ways of working that bridge safety and security in operations.

The HIL laboratory has a societal impact, as it can be used to emulate cyber-attacks, failure situations and other cybersecurity-related incidents in CI in a controlled environment, allowing for effective troubleshooting and safe development of response actions. The overall project setup, entailing highly relevant stakeholders, has provided a platform for close and secure collaboration across domains.

The PhD position at NTNU has produced a framework for developing cybersecurity training exercises, based on a systematic literature review, mapping and interviews on cybersecurity competencies and challenges in critical infrastructure companies, summarized in seven journals and papers. The PhD dissertation "Cybersecurity Training for Critical Infrastructure Protection" is defended in Q1 2023.

CybWin addresses the call on Digital Vulnerabilities by developing knowledge of applicable digital vulnerabilities and threats to the Norwegian Critical Infrastructure (CI). The core deliverable of CybWin is a cybersecurity platform with physical, replicated and simulated components of real-world CIs, empowered with tools for RAMS (reliability, availability, maintainability, safety) assessment, vulnerability assessment, attack simulation, incident prediction and response. CybWin also emphasizes the role of humans in cybersecurity by looking into human preparedness and training.

The annual reports from the Norwegian National Security Authority show an increase in the number and seriousness of cyber-attacks. This requires well-trained Computer Emergency Response Teams who can assess the risk of a cyber-attack and respond with appropriate actions. To help these teams, there exist some testbeds for cybersecurity, but the testbeds are predominantly for academic purposes, or for industrial, national security or military purposes. The CybWin platform will be unique in Norway since it will (1) be a highly configurable testbed with a realistic depiction of real-world CIs and their threat environment, (2) use high-fidelity simulation technologies for cybersecurity and RAMS incident prediction and response, and (3) support assessments of human factors in the cybersecurity incident process and operational safety.

CybWin also aims to address the relevant cybersecurity challenges and solutions on a larger scale by aiming for EU projects. To this end, CybWin has three relevant international partners with industrial and academic experience in CIs. Furthermore, this project is an amalgamation of earlier and ongoing joint efforts in cybersecurity by the project partners. The strength of CybWin is also that it includes owners of two Norwegian CIs, research institutes and universities working in relevant research fields, a cybersecurity solutions provider, and international partners.

Publications from Cristin

No publications found


Funding scheme:

IKTPLUSS-IKT og digital innovasjon