
Method for Policy Scheme Identification from SCADA Component Metamodel

On Designing Automatic Reaction Strategy for Critical Infrastructure SCADA System


Christophe Feltus and Djamel Khadraoui
Service Science & Innovation, Public Recherche Centre Henri Tudor, 29, avenue J.F. Kennedy
L-1855 Luxembourg, LUXEMBOURG


Background

The huge amount of information managed by Critical Infrastructures (CI) argues for the support of
SCADA systems, which behave as very complex and sophisticated tools. These systems support CI
operators in monitoring and governing the system security by elaborating the operational policies
amongst the architecture components. In [1] and [2] we exploited an enterprise architecture
management tool to construct an integrated SCADA metamodel dedicated to these component
artefacts and structured according to (1) three layers of abstraction, namely the Organization,
Application, and Technical layers, and (2) two semantically consistent types of policies: the
Permissive Policy and the Cognitive Policy. The results of the SCADA modelling and policy
engineering approach constitute, as illustrated through the CockpitCI project case study, a global
analytical tool for SCADA operators, who may rely on a rational and unified component-security-based
architecture to continuously monitor and manipulate the policy attributes while
acknowledging their impact on the whole CI system. In this poster, we illustrate how the
metamodel for SCADA components is used together with the method for policy scheme
identification to support the automatic reaction strategy.


Conclusions - Automatic Reaction Strategy in 3 functions











References

[1] Jonathan Blangenois, Guy Guemkam, Christophe Feltus,
Djamel Khadraoui, Organizational Security Architecture for
Critical Infrastructure, 8th FARES 2013 IEEE, Germany.
[2] Djamel Khadraoui, Christophe Feltus, Critical
Infrastructures Governance - Exploring SCADA Cybernetics
through Architectured Policy Semantic, IEEE SMC 2013,
United Kingdom.
[3] Lankhorst, M. ArchiMate language primer, 2004.

Acknowledgment

The research is funded by the CockpitCI project within the
7th framework Programme of the European Union (topic
SEC-2011.2.5-1 Cyber-attacks against critical infrastructures).


Approach











Automatic Reaction Strategy Architecture



Practitioners of critical infrastructures call for an integrated approach to the management of the architecture components. However, to date, the automatic reaction strategy (ARS) has been perceived and addressed as an isolated
system. Its integration with the reaction CI components such as antivirus, firewall, IDS, RTU, correlation engine and so forth has remained incomplete, mainly due to the lack of a common, available representation language.
The SCADA component metamodel, supported by the method for policy scheme identification, makes this integration possible by considering the ARS as an integral part of the SCADA architecture. Amongst the main
artefacts which make up the ARS architecture, we note:
At the organizational layer:
- The Main CI Investigator, which acts as the guarantor of the component RPo and RPa deployment based on the Expected Automatization Levels, which is a specialization of a business object [3].
- The Organizational Automatic Reaction Strategy, defined by the rule, is hence modelled by means of a business function.
At the application layer:
- The Application Automatic Reaction Strategy, also defined by the rule, is modelled by means of an application function.
- The Application ARS is associated with the Detection/correlation collaboration, which facilitates the information exchanges between the CI application modules and realizes the application policy deployment to the CI component application artefacts.
- The Application ARS is also guaranteed by the Main CI Investigator.

The Automatic Reaction Strategy is a function of the following specialization and realization objects:
[Figure labels: SCADA component metamodel [1]; Cognitive and Permissive Policies design [2]; Automatic Reaction Design; Policy Reaction Engine]

Policy scheme identification steps:
I. Identification of the structure of the CI architecture in terms of unitary modules (components), including
their 3 abstraction layers built upon the SCADA metamodel (i.e., organization, application and technical)
II. Identification of the external parameters of the CI, such as potential threat probes and indicators that may
impact the CI normal functioning (flood, hijacking, ...), the physical environment, and the contractual SLA
(service level agreement)
III. A. Identification of the Cognitive Policies artefact of a CI component which needs information from
succeeding artefacts (see [2])
III. B. Identification of the Permissive Policies artefact of a CI component which needs permission upon
the succeeding lower layer artefacts (see [2])



Policy scheme formalisation steps:
I. Depict the artefacts' Master-Slave communication couples (organization-organization, organization-technical,
technical-technical)
II. Identification of cognitive behaviour and permissive behaviour based on the automatic reaction strategy
III-1. If Cognitive policy, alignment of the reaction strategy with the inter-artefacts knowledge
requirement, external probes and monitoring tools.
III-2. If Permissive policy, alignment of the reaction strategy with the requirement of access to artefacts
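
The identification and formalisation steps above can be run mechanically over a component model. The following is an added example, not code from the poster or from the CockpitCI project: it types each Master-Slave couple as cognitive or permissive and records what the reaction strategy must be aligned with. The "information"/"access" labels, the same-or-lower-layer check for permissive policies, and all component and artefact names are assumptions made for the sketch.

```python
from dataclasses import dataclass

# The three abstraction layers of the SCADA component metamodel, top to bottom.
LAYERS = ("organization", "application", "technical")

@dataclass(frozen=True)
class Artefact:
    component: str  # CI component the artefact belongs to
    name: str
    layer: str      # one of LAYERS

@dataclass(frozen=True)
class Couple:
    """Master-Slave communication couple (formalisation step I)."""
    master: Artefact
    slave: Artefact
    need: str       # "information" or "access": labels assumed for this sketch

def formalise(couples):
    """Type each couple as cognitive or permissive and state its alignment (steps II-III)."""
    scheme = []
    for c in couples:
        m, s = LAYERS.index(c.master.layer), LAYERS.index(c.slave.layer)
        if c.need == "information":
            kind, align = "cognitive", "knowledge requirement, external probes, monitoring tools"
        elif c.need == "access":
            # Assumption: permission is held on same- or lower-layer artefacts only.
            if s < m:
                raise ValueError(f"{c.master.name}: permission on higher-layer {c.slave.name}")
            kind, align = "permissive", "requirement of access to artefacts"
        else:
            raise ValueError(f"unknown need {c.need!r}")
        scheme.append({
            "policy": kind,
            "couple": f"{c.master.layer}-{c.slave.layer}",
            "scope": "intra" if c.master.component == c.slave.component else "inter",
            "master": c.master.name, "slave": c.slave.name, "align_with": align,
        })
    return scheme

# Constructed sample model; component and artefact names are illustrative only.
investigator = Artefact("correlation-engine", "Main CI Investigator", "organization")
ars = Artefact("correlation-engine", "Application ARS", "application")
probe = Artefact("ids", "Detection probe", "technical")
rules = Artefact("firewall", "Rule table", "technical")
SAMPLE = [Couple(ars, probe, "information"), Couple(ars, rules, "access"),
          Couple(investigator, ars, "access")]

if __name__ == "__main__":
    for entry in formalise(SAMPLE):
        print(entry)
```

A couple that would give a lower-layer artefact permission over a higher-layer one is rejected instead of being silently added to the scheme, which is the kind of inconsistency an operator would want surfaced before a reaction policy is deployed.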


[Figure labels: CI monitoring; Policy scheme identification; Formalization steps]

The reaction strategy (ARS) is defined by the rules ($r_{1 \ldots n}$) used by the Main CI Investigator to choose between the available reaction policy ($RP_{1 \ldots m}$) options in accordance with the critical
infrastructure Expected Automatization Levels (EAL) and considering the RP at the Organization (o) and/or at the Application (a) level.
[Figure labels: CONCEPT Organizational ARS; CONCEPT Application ARS; SPECIALIZATION; Analytical functional policies; REALIZATION; Alert analysis module; Correlation policy; Visualisation policy; Detection ZW 0.1 Module; Correlation Appli 1.1]

Metamodel for SCADA component:
- Allows modeling each component of a SCADA architecture following a unique modeling architecture in three abstraction layers
- Enhancement of the ArchiMate modeling language with the Policy concept as a specialization of an organizational/application service
- Case study related to the modeling of the CockpitCI SCADA architecture
Definition of a Policy scheme Identification Method Based on the Component Metamodel:
- Policy scheme identification / formalization / iteration engine
- Applicable to Cognitive vs. Permissive policies, inter- and intra-component artefacts
Automatic Reaction Strategy Architecture:
- Definition of the Automatic Reaction Strategy / elaboration of the related model as a specialization of the SCADA component metamodel
- Case study related to the modeling of the CockpitCI SCADA architecture
[Figure labels: (i) CI SCADA Component model; (ii) CI SCADA Policy scheme; (iii) Automatic Reaction Strategy; Components; Policies; Potential threats; CockpitCI SCADA Architecture]
