Real-Time Anomaly Detector (RTAD)
Real-time anomaly detection on cyber-physical infrastructures using machine learning and signature-based detection of abnormal behaviours within the network. It provides an additional layer of security by detecting potential threats from the logs of the system. The tool is composed of three main components: a security Big Data platform, machine learning algorithms, and signature-based rules. You will find more information about the RTAD under Key Exploitable Results here.
Cross Layer Security Information and Event Management (XL-SIEM)
This tool receives events coming from different sources and generates correlated alarms that indicate the risk level and carry detailed information about the event (description, source and destination IP, source and destination port, protocols). The tool can perform automatic countermeasures or generate tickets for further investigation. It provides enhanced capabilities to address storage limitations, correlation, performance and visualisation issues, enabling a reduced reaction time. It is part of the STOP-IT platform. You will find more information about the XL-SIEM under Key Exploitable Results here.
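As an added illustration of the correlation step described above (example code written for this page, not the XL-SIEM implementation), the block below groups events from two hypothetical sources by source/destination IP pair, looks for a burst inside a time window, and turns a burst into an alarm that carries a risk level and the event details the paragraph lists. The event format, the two source names ("ids" and "firewall"), the window size and the risk thresholds are all assumptions; the sample events are constructed.

```python
"""SIEM-style correlation: events from several sources are grouped by
(source IP, destination IP), the densest time window per pair is located,
and a pair whose burst reaches a minimum count becomes one alarm with a
risk level and the details of the correlated events.
Illustrative code added for this page; not the XL-SIEM implementation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: correlation window


def _ev(ts, source, src_ip, dst_ip, src_port, dst_port, proto, desc):
    return dict(ts=ts, source=source, src_ip=src_ip, dst_ip=dst_ip,
                src_port=src_port, dst_port=dst_port, proto=proto, desc=desc)


# Constructed sample events from two hypothetical sources (an IDS and a
# firewall). Eight events hit the same IP pair within 46 seconds; one
# unrelated event should not raise an alarm on its own.
SAMPLE_EVENTS = [
    _ev("2023-05-01T10:00:01", "ids", "10.0.0.5", "192.168.1.20", 51000, 22, "TCP", "SSH login failure"),
    _ev("2023-05-01T10:00:07", "ids", "10.0.0.5", "192.168.1.20", 51001, 22, "TCP", "SSH login failure"),
    _ev("2023-05-01T10:00:13", "ids", "10.0.0.5", "192.168.1.20", 51002, 22, "TCP", "SSH login failure"),
    _ev("2023-05-01T10:00:20", "firewall", "10.0.0.5", "192.168.1.20", 51003, 22, "TCP", "connection denied"),
    _ev("2023-05-01T10:00:26", "ids", "10.0.0.5", "192.168.1.20", 51004, 22, "TCP", "SSH login failure"),
    _ev("2023-05-01T10:00:33", "ids", "10.0.0.5", "192.168.1.20", 51005, 22, "TCP", "SSH login failure"),
    _ev("2023-05-01T10:00:40", "firewall", "10.0.0.5", "192.168.1.20", 51006, 22, "TCP", "connection denied"),
    _ev("2023-05-01T10:00:47", "ids", "10.0.0.5", "192.168.1.20", 51007, 22, "TCP", "SSH login failure"),
    _ev("2023-05-01T10:02:00", "firewall", "10.0.0.9", "192.168.1.30", 40000, 443, "TCP", "connection allowed"),
]


def risk_level(count):
    """Assumed risk ladder: more correlated events in the window, higher risk."""
    if count >= 8:
        return "high"
    if count >= 5:
        return "medium"
    return "low"


def correlate(events, window=WINDOW, min_events=3):
    """Return one alarm per (src_ip, dst_ip) pair whose densest window
    holds at least `min_events` events."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src_ip"], ev["dst_ip"])].append(ev)

    alarms = []
    for (src, dst), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        best_start, best_count = 0, 0
        # Events are sorted, so the events inside a window starting at i
        # form a contiguous run; find the start that gives the longest run.
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count > best_count:
                best_start, best_count = i, count
        if best_count < min_events:
            continue
        hit = evs[best_start:best_start + best_count]
        alarms.append({
            "risk": risk_level(best_count),
            "description": f"{best_count} correlated events ({', '.join(sorted({e['desc'] for e in hit}))})",
            "src_ip": src,
            "dst_ip": dst,
            "src_ports": sorted({e["src_port"] for e in hit}),
            "dst_ports": sorted({e["dst_port"] for e in hit}),
            "protocols": sorted({e["proto"] for e in hit}),
            "sources": sorted({e["source"] for e in hit}),
            "first_seen": hit[0]["ts"],
            "last_seen": hit[-1]["ts"],
        })
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm)
```

The alarm keeps the evidence (ports, protocols, which sources contributed) so that a ticket raised from it can be investigated without going back to the raw events; the thresholds are deliberately simple and would be tuned per source in a real deployment.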
Network Traffic Sensors and Analysers (NTSA)
It incorporates five categories of sensors able to identify different malicious patterns such as TTL-based attacks, brute force attacks, DNS answer attacks, time-based attacks, and domain-based attacks. The Network Traffic Sensors and Analysers go one step beyond traditional anomaly detection systems based on pattern and regular-expression analysis by using a well-known machine learning mechanism, the One-class Support Vector Machine (One-class SVM), to identify abnormal behaviour in the traffic capture. The approach is multi-featured: it restricts the analysis to a single modelled IP address and extends it in terms of samples (valid and invalid ones). Read more about NTSA here.
The toolbox of technologies for securing IT and SCADA systems contains real-time fault diagnosis tools for anomalies affecting integrated sensors/actuators and assets operated by SCADA systems; IT communication analysis systems that ensure security using established network protection rules and traffic monitoring; and blockchain schemes applied to protect the integrity of the data generated during critical infrastructure operation (logs, sensor data, etc.) against both intentional attacks and malfunction. The accompanying PDF report supports the use of the developed tools, describing their technical requirements, installation procedures and usage instructions.
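The integrity-protection idea behind the blockchain schemes mentioned above can be shown in miniature with a hash chain over log and sensor records: each entry commits to the previous entry's hash, so a later modification or reordering breaks every hash after it. This is an added example written for this page, not the project's scheme; it is a single-writer chain rather than a distributed ledger, and the record fields and sample readings are constructed.

```python
"""Hash-chained integrity log for operational records (logs, sensor data).

Every entry's hash covers the previous hash, its index, timestamp and
payload, so changing, removing or reordering any earlier entry invalidates
the chain from that point on. Truncation at the tail is caught only when the
expected head hash is anchored somewhere the writer cannot change (that is
the role a ledger plays in the full scheme). Illustrative code for this page.
"""
import hashlib
import json

GENESIS = "0" * 64   # hash "before" the first entry


def entry_hash(prev_hash, index, ts, payload):
    """Canonical JSON so the same record always hashes the same way."""
    body = json.dumps({"prev": prev_hash, "index": index, "ts": ts, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class HashChainLog:
    def __init__(self):
        self.entries = []

    def append(self, ts, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        idx = len(self.entries)
        h = entry_hash(prev, idx, ts, payload)
        self.entries.append({"index": idx, "ts": ts, "payload": payload,
                             "prev": prev, "hash": h})
        return h

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, first_bad_index). `expected_head` is an externally
        anchored head hash; a mismatch is reported at index len(entries)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["index"] != self.entries.index(e):
                return False, e["index"]
            if entry_hash(prev, e["index"], e["ts"], e["payload"]) != e["hash"]:
                return False, e["index"]
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def build_sample_log():
    """Constructed SCADA-style readings and one operator log line."""
    log = HashChainLog()
    log.append("2023-05-01T10:00:00", {"sensor": "pressure-01", "value": 4.2, "unit": "bar"})
    log.append("2023-05-01T10:00:10", {"sensor": "pressure-01", "value": 4.3, "unit": "bar"})
    log.append("2023-05-01T10:00:12", {"event": "valve V-7 opened", "operator": "op-3"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchored = log.head()
    print("intact:", log.verify(expected_head=anchored))
    log.entries[1]["payload"]["value"] = 9.9   # silent modification of a reading
    print("after edit:", log.verify(expected_head=anchored))
```

A verifier that re-reads the store and checks the chain against an anchored head can therefore tell a genuine reading history from one that was rewritten after the fact, whether the rewrite came from an attacker or from a faulty component.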
This video gives an overview of different STOP-IT tools and shows the developed functionalities:
STOP-IT developed a toolbox of technologies for securing critical water infrastructure assets from physical threats. It contains a set of novel tools, such as smart locking mechanisms, computer vision and sensor-based tools and authorization and intrusion detection technologies. The supporting PDF document provides a detailed technological description of these tools, setup instructions, examples of the tools usage and results, contact information for the developers of each tool as well as a short discussion about relevant privacy and security concerns.
The cyber threat sharing system collects information on existing threats from relevant feeds, structures the information and sends out personalized alerts. This service supports the mitigation of threats to critical infrastructure and enhances coordination by establishing exchange methods to prevent, reduce, mitigate and recover from existing threats. It also allows coordination to deal with those threats in a global approach.
STOP-IT has developed a Public Warning Notification System (PWNS) with two main functionalities: detect and report incidents and inform users and citizens.
The PWNS processes data, alerts and detected incidents from external sources and reports them to the STOP-IT core platform. At this initial stage the incident has to be validated by a human operator in most cases. Once this is done, the anomaly is reported to the system, which, by cross-checking it with incident-related data from other sources, can identify the risk situation. This assessment is then sent to the visualisation interface for water utilities, which starts a response plan with actions to be executed. These are based on parameters set by the water operators and can include both corrective and mitigation measures. The system also sends the information and the instructions to follow to users and citizens through the most appropriate channels, e.g. email, SMS, mobile app notifications.
Water agencies, regulators, municipalities and environmental agencies can benefit from this Public Warning Notification System. The tool is publicly available and open source. At this stage, however, the system uses OneMind, the proprietary solution of Worldsensing, as its visualisation interface. The STOP-IT solution for the user interface is currently being developed by RISA within the project.
The system operation can be seen in this video.
Find the PWNS here: https://stop-it-project.eu/results/public-warning-notification-system/
The Risk Identification Database (RIDB) is an organized collection of data, which includes the identification of threats, risk sources, risk factors, causal relations and the description of risk events.
The purpose of the RIDB is to identify risk events, related to physical and cyber threats that can occur in water distribution systems and utilities, their locations, and causes. The RIDB therefore is a source of information to identify and select potential risk events to be further elaborated and/or combined into risk scenarios to be analysed and treated by applying STOP-IT solutions and security considerations.
For whom is the RIDB useful and why?
All water utilities need to consider the effects of the riskiest cyber and physical events in their facilities. The RIDB is a repository of cyber-physical threats identifying the majority of the riskiest threats, as provided by water operators, civil engineers, heads of operations, IoT engineers, system engineers, etc. In that sense, the RIDB is a data source used by several risk analysis tools also developed in the STOP-IT project, such as PSA Explorer, InfraRisk and others (see figure).
The RIDB is available for public access here.
As a protection measure against physical threats, STOP-IT partners Mekorot and Aplicatzia developed Meklock, a smart lock system that is useful for any company that maintains and operates facilities with multiple buildings, entrances and cabinets with large quantities of expensive equipment, vulnerable to break-ins and sabotage.
Meklock is an innovative access-control mobile app with a sophisticated management system that interacts with electronic locks. With the help of the system it is possible to track the entry of authorized users and to enable or disable remote privileges for opening and locking doors. It does not require the installation of wired or wireless infrastructure and therefore reduces maintenance costs. Among other things, it increases safety, is user-friendly and flexible, offers navigation to facilities and works as a standalone system.
The Meklock system is ready to use. In case of interest, please contact Gil Groskop (Groskop@MEKOROT.CO.IL).