Context-Based Real-Time OT-IT Systems Integrity Management

CORESIM aims at developing decision support to aid in selecting the best possible response to a cyber-attack on a Cyber Physical System (CPS) with respect to cost and process integrity. The focus is on petroleum CPS and power grid (including power from shore) CPS, but the results are expected to be applicable to other CPS domains. Motivation behind the project is to prevent physical damage to equipment as was the case in the Stuxnet attack where several hundred centrifuges in a nuclear enrichment facility were severely damaged, and to prevent disruption to the process which was the case in the Ukrainian power grid attack in 2015 where more than 225,000 subscribers lost power. The objectives of the project is to (1) build knowledge and methodologies for integrating dynamic process-aware cybersecurity monitoring, detection and response into a framework to protect cyber physical systems (CPS) as part of critical infrastructure protection, and (2) form a basis for automated decision support and mediating action advisory for integrity of cyber physical systems (CPS) and operational process. Expected results: - Reusable models of Cyber Physical System for Petroleum and Power Grid. - Framework for modelling process state characterization and its context to enable the detection of process misbehavior.? - Capabilities to identify and classify cyber-attacks so to understand the potential consequence and cause (why the attack is possible). - Reusable models to classify cyber-attacks to enable efficient incident management. - Decision support models that understand the Cyber Physical System and its process for determining best possible response to a cyber-attack.

Cyber-attacks on Cyber Physical Systems (CPS) can have detrimental impact also in the physical world, with potential consequences to both operational personnel and the underlying physical process, as experienced in the Stuxnet and Ukraine Power Grid attacks. Petroleum production facilities are a key infrastructure for Norway. On a drilling rig, an attack might deactivate the blow-out preventer, with potential consequences similar to the Macondo incident (https://snl.no/Deepwater_Horizon-ulykken). The project aims to develop knowledge and methodologies for process-aware cyber security for modern systems control. This shall be achieved through complementing current Industrial Control System (ICS) Intrusion Detection Systems (IDS) with domain specific knowledge-based models and methods that consider the function of the whole CPS, forming a basis for process-aware risk analysis for attack response advisory. Such development shall help enable a robust and relevant response to cyber-attacks, with avoidance of unnecessary downtime and loss of revenue or public services due to false alarms or low-risk attacks. Planned collaboration with Equinor, Statnett, Kongsberg Maritime, Siemens Energy, ABB Motion, the Petroleum Safety Authority (Ptil) and the Norwegian Water Resources and Energy Directorate (NVE) will ensure involvement from both public and private sector in the project, while covering both the petroleum sector and its power supply. Knowledge transfer between research and industry partners shall be ensured through close collaboration throughout the project by means of quarterly status meetings and through two (2) case studies annually where project results will be tested and evaluated. The project shall employ a postdoc through project partner NTNU with Prof.dr. Sokratis Katsikas as the main supervisor and Prof.dr. Siv Hilde Houmb as co-supervisor. The project will also aim to involve students on bachelor and MSc level at NTNU.