A collaborative cyber incident management system for European interconnected critical infrastructures

Giuseppe Settanni, Florian Skopik, Yegor Shovgenya, Roman Fiedler, Mark Carolan, Damien Conroy, Konstantin Boettinger, Mark Gall, Gerd Brost, Christophe Ponchel, Mirko Haustein, Helmut Kaufmann, Klaus Theuerkauf, Pia Olli

Research output: Contribution to journal › Article › Scientific › peer-review

10 Citations (Scopus)

Abstract

Today's Industrial Control Systems (ICSs) operating in critical infrastructures (CIs) are becoming increasingly complex; moreover, they are extensively interconnected with corporate information systems for cost-efficient monitoring, management and maintenance. This exposes ICSs to modern advanced cyber threats. Existing security solutions try to prevent, detect, and react to cyber threats by employing security measures that typically do not cross the organization's boundaries. However, novel targeted multi-stage attacks such as Advanced Persistent Threats (APTs) take advantage of the interdependency between organizations. By exploiting vulnerabilities of various systems, APT campaigns intrude into several organizations, using them as stepping stones to reach the target infrastructure. A coordinated effort to reveal such attacks in a timely manner and promptly deploy mitigation measures is therefore required. Organizations need to cooperatively exchange security-relevant information to obtain broader knowledge of the current cyber threat landscape, subsequently gain new insight into their own infrastructures, and react in time if necessary. Cyber security operation centers (SOCs), as proposed by the European NIS directive, are being established worldwide to achieve this goal. CI providers are asked to report to the responsible SOCs about security issues revealed in their networks. National SOCs correlate all the gathered data, analyze it and eventually provide support and mitigation strategies to the affiliated organizations. Although many of these tasks can be automated, human involvement is still necessary to enable SOCs to adequately take decisions on occurring incidents and quickly implement counteractions. In this paper we present a collaborative approach to cyber incident information management for gaining situational awareness on interconnected European CIs. We provide a scenario and an illustrative use case for our approach; we propose a system architecture for a National SOC, defining the functional components and interfaces it comprises. We further describe the functionalities provided by the different system components to support SOC operators in performing incident management tasks.

Original language: English
Pages (from-to): 166-182
Number of pages: 17
Journal: Journal of Information Security and Applications
Volume: 34
DOIs: 10.1016/j.jisa.2016.05.005
Publication status: Published - 1 Jun 2017
MoE publication type: A1 Journal article-refereed

Keywords

  • Cyber incident handling
  • Cyber incident reporting
  • Cyber security
  • Information sharing
  • Security operation center

Cite this

Settanni, Giuseppe ; Skopik, Florian ; Shovgenya, Yegor ; Fiedler, Roman ; Carolan, Mark ; Conroy, Damien ; Boettinger, Konstantin ; Gall, Mark ; Brost, Gerd ; Ponchel, Christophe ; Haustein, Mirko ; Kaufmann, Helmut ; Theuerkauf, Klaus ; Olli, Pia. / A collaborative cyber incident management system for European interconnected critical infrastructures. In: Journal of Information Security and Applications. 2017 ; Vol. 34. pp. 166-182.
@article{891d3107b3944ad58e098cf41a7fae0e,
title = "A collaborative cyber incident management system for European interconnected critical infrastructures",
keywords = "Cyber incident handling, Cyber incident reporting, Cyber security, Information sharing, Security operation center",
author = "Giuseppe Settanni and Florian Skopik and Yegor Shovgenya and Roman Fiedler and Mark Carolan and Damien Conroy and Konstantin Boettinger and Mark Gall and Gerd Brost and Christophe Ponchel and Mirko Haustein and Helmut Kaufmann and Klaus Theuerkauf and Pia Olli",
year = "2017",
month = "6",
day = "1",
doi = "10.1016/j.jisa.2016.05.005",
language = "English",
volume = "34",
pages = "166--182",
journal = "Journal of Information Security and Applications",
issn = "2214-2134",
publisher = "Elsevier",

}

Settanni, G, Skopik, F, Shovgenya, Y, Fiedler, R, Carolan, M, Conroy, D, Boettinger, K, Gall, M, Brost, G, Ponchel, C, Haustein, M, Kaufmann, H, Theuerkauf, K & Olli, P 2017, 'A collaborative cyber incident management system for European interconnected critical infrastructures', Journal of Information Security and Applications, vol. 34, pp. 166-182. https://doi.org/10.1016/j.jisa.2016.05.005

A collaborative cyber incident management system for European interconnected critical infrastructures. / Settanni, Giuseppe; Skopik, Florian; Shovgenya, Yegor; Fiedler, Roman; Carolan, Mark; Conroy, Damien; Boettinger, Konstantin; Gall, Mark; Brost, Gerd; Ponchel, Christophe; Haustein, Mirko; Kaufmann, Helmut; Theuerkauf, Klaus; Olli, Pia.

In: Journal of Information Security and Applications, Vol. 34, 01.06.2017, p. 166-182.

TY - JOUR

T1 - A collaborative cyber incident management system for European interconnected critical infrastructures

AU - Settanni, Giuseppe

AU - Skopik, Florian

AU - Shovgenya, Yegor

AU - Fiedler, Roman

AU - Carolan, Mark

AU - Conroy, Damien

AU - Boettinger, Konstantin

AU - Gall, Mark

AU - Brost, Gerd

AU - Ponchel, Christophe

AU - Haustein, Mirko

AU - Kaufmann, Helmut

AU - Theuerkauf, Klaus

AU - Olli, Pia

PY - 2017/6/1

Y1 - 2017/6/1

KW - Cyber incident handling

KW - Cyber incident reporting

KW - Cyber security

KW - Information sharing

KW - Security operation center

UR - http://www.scopus.com/inward/record.url?scp=85007290928&partnerID=8YFLogxK

U2 - 10.1016/j.jisa.2016.05.005

DO - 10.1016/j.jisa.2016.05.005

M3 - Article

VL - 34

SP - 166

EP - 182

JO - Journal of Information Security and Applications

JF - Journal of Information Security and Applications

SN - 2214-2134

ER -