Using Situational Intelligence

John Reed, Space-Time Insight


Preventing, detecting and responding to security threats

We expect utility services to be everywhere we are: charging our electronics in airports, flame-grilling our meals in restaurants, and filling drinking fountains in our public parks.  To provide this level of service and convenience, utilities build networks of wires, pipes and communications channels that for a typical utility total tens of thousands of miles.  The size and importance of these networks make them both hard to defend and attractive targets, so utilities face real challenges in securing them from physical and cyber attack.

Specifically, the Critical Infrastructure Protection (CIP) standards from the North American Electric Reliability Corporation (NERC) mandate that utilities identify critical assets, define security management controls and establish recovery plans.  The critical asset identification methodology calls for a risk-based assessment of control centers, transmission stations, generation resources and restoration resources.  Updates to these standards, now in progress, would extend these requirements to additional utility assets and operations. 

To be continually vigilant, utilities need to prepare for and prevent attacks, and then quickly and accurately detect and respond to any attacks that do occur.  Preparing for, preventing, detecting and responding to attacks each add complexity to the security challenge.  A major contributor to this complexity is that with so many separate systems each monitoring a different aspect of security, it is very difficult to connect isolated but potentially related events.  As a result, genuinely dangerous situations may be ignored while investigation of false alarms consumes time and money (see Figure 1).


Figure 1: Data from IT, security, operations and external systems is siloed, hindering detection, understanding of threats, and response to them

Situational intelligence

The new field of situational intelligence offers a better vantage point in the assessment of risk to critical assets.  By using real-time visual analytics to integrate IT systems data, operational events (such as security camera triggers, building entry triggers, communication events, etc.), and external data about the physical world (such as gunshot detectors, social media and weather data), situational intelligence can convert the constant flow of data into a probability-based threat index augmented by an assessment of the consequences of attack (see Figure 2).


Figure 2: Situational intelligence correlates, analyzes and visualizes data from security and other systems to provide a comprehensive assessment of security threats across an organization

The risk from physical or cyber attack can be determined based on the probability of an attack happening and the consequences of an attack that does occur.  Utilities need to assess the security of the network’s physical and cyber assets that they commission, plus existing networks that may have been deployed many years ago.

The probability of attack on utility assets often comes down to motive and location. 

Issues include:
• Are physical systems and assets safe from field workers, contractors, and ex-employees? 

• Are cyber systems and assets safe from third party and external threats such as denial-of-service (DoS) attackers?

• Is a physical asset easily accessible to those wishing to cause damage or disruption? 

• Is a cyber asset (such as a computer, control system or communication network component) showing unexpected connections, failed logins or uncharacteristically long response times?

The physical position of an asset helps identify how exposed it is.  Utilities also need to assess the criticality of assets.  In other words, if an asset is attacked, what might the consequences be?  Damage to a residential electricity meter probably has little consequence in the big picture.  Damage to an electricity substation, on the other hand, can have major consequences.   Once you understand both the probability and the consequences of physical or cyber attack, you can work to lower your overall risk. 

Making connections and detecting attacks

Situational intelligence begins with the utility's network connectivity model: which assets sit upstream or downstream of which others, and how they relate to one another on the network.  Visualizations can display utility assets on the network using two- or three-dimensional maps.  Analytics continually calculate the probability of attack against each asset and the consequences of such an attack for the network and the customers who rely on it.  By combining probability and consequence, situational intelligence produces a risk score for every asset.  This scoring lets utilities prioritize which high-risk assets to fortify first. 
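The scoring model described above (risk = probability of attack × consequence, with consequence derived from what sits downstream of the asset in the connectivity model) is easy to make concrete.  The following is an added example, not code from the article or from Space-Time Insight: the feeder network, the per-signal probability weights, the load weights and the way signals are combined are all hypothetical choices made here for illustration.  The same downstream traversal is what the response phase later in the article relies on when it talks about notifying customers downstream of an event.

```python
"""Per-asset risk scoring over a utility network connectivity model.

Added example; not code from the original article or Space-Time Insight.
Network, weights and the probability formula are hypothetical.
"""
from collections import deque

# Constructed directed feeder model: each key supplies the assets listed.
# A real model would be loaded from the utility's GIS / outage systems.
NETWORK = {
    "sub_A":    ["feeder_1", "feeder_2"],
    "feeder_1": ["xfmr_11", "xfmr_12"],
    "feeder_2": ["xfmr_21"],
    "xfmr_11":  ["meter_111", "meter_112"],
    "xfmr_12":  ["meter_121"],
    "xfmr_21":  ["meter_211", "hospital_1"],
}

# Consequence weight of losing service at a node (hypothetical units):
# an ordinary customer counts 1, a hospital counts 50.
LOAD_WEIGHT = {"hospital_1": 50.0}
DEFAULT_WEIGHT = 1.0

# Hypothetical contribution of each observed signal to attack probability.
SIGNAL_WEIGHT = {
    "tamper_alarm": 0.30,
    "door_open_no_workorder": 0.40,
    "failed_logins": 0.20,
    "unexpected_connection": 0.35,
    "high_temperature": 0.15,
}

# Constructed observations: asset -> signals reported in the current window.
SAMPLE_SIGNALS = {
    "meter_111": ["tamper_alarm"],
    "xfmr_21":   ["high_temperature"],
    "sub_A":     ["failed_logins", "unexpected_connection"],
}


def downstream(network, asset):
    """Every asset reachable downstream of `asset` (breadth-first, no cycles)."""
    seen, queue = set(), deque(network.get(asset, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(network.get(node, []))
    return seen


def consequence(network, asset):
    """Total load weight of the asset itself plus everything it supplies."""
    affected = downstream(network, asset) | {asset}
    return sum(LOAD_WEIGHT.get(a, DEFAULT_WEIGHT) for a in affected)


def probability(signals):
    """Combine signals as if independent: P(attack) = 1 - prod(1 - w_i)."""
    p_none = 1.0
    for s in signals:
        p_none *= 1.0 - SIGNAL_WEIGHT.get(s, 0.0)
    return 1.0 - p_none


def risk_scores(network, observed):
    """Return (asset, risk) pairs sorted highest risk first."""
    assets = set(network) | {c for kids in network.values() for c in kids}
    scores = {
        a: round(probability(observed.get(a, [])) * consequence(network, a), 3)
        for a in assets
    }
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for asset, risk in risk_scores(NETWORK, SAMPLE_SIGNALS)[:3]:
        print(f"{asset:10s} risk={risk:6.2f} "
              f"affected={sorted(downstream(NETWORK, asset))}")
```

With these constructed inputs the substation ranks first even though a tampered meter produced the single strongest alarm: the meter's consequence is one customer, while the substation's consequence includes every downstream transformer, meter and the hospital.  That is the point of combining the two factors rather than acting on alarm strength alone.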

Utilities can have millions of assets attached to thousands of miles of networks.  Many of those assets generate their own streams of data from meters, sensors, cameras and other devices.  That equates to a wide area to patrol and lots of data to protect.

Individual assets can report anomalous conditions.  Smart electricity meters generate tamper alarms.  Heat detectors in substations can report high temperatures.  Synchrophasors can detect changes in voltage on the power grid.  Any of these signals could be an early indicator of an attack in progress or about to occur. 

Separating wheat from chaff

To separate actual attacks from malfunctions or flukes, it is useful to correlate multiple data points that occur close to each other in both space and time.  For instance, if a substation control room door alarm indicates that someone opened the door, it helps to correlate that alarm with any work order authorizing entry and, if available, the video feed from the control room.  That makes it much easier to decide whether the door alarm represents personnel misuse, an alarm malfunction or an actual security breach.

In a large-scale event, dozens of alarms may trigger at once.  For instance, if an entire building is somehow damaged, every alarm-equipped asset in that building will send out a signal.  Instead of receiving dozens of individual notifications, operators benefit from a system that correlates those individual items in real time into a single, larger, more meaningful message.  Conversely, a coordinated threat such as a DoS attack may strike several targets simultaneously.  Detecting a pattern across multiple attacks while they are still under way can shape a utility's response to the situation. 

Using situational intelligence, data and alarms from multiple, disparate sources can be correlated and presented to users in a single view, drawing attention to anomalous conditions and facilitating fast, informed decision-making (see Figure 3).


Figure 3: Data from assets, devices, video feeds, servers and other sources is unified for users so they can gain a 360-degree view of a situation
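The two correlation problems just described (grouping events that are close in space and time into one incident and then classifying it from the evidence present; and spotting the same event type hitting several sites in a short window even when those sites are far apart) can be sketched in a few dozen lines.  This is an added example, not code from the article or from Space-Time Insight.  The event schema, the 10-minute / 500-metre linkage thresholds, the classification rules and the sample events are all constructed for illustration; a production system would tune the thresholds per asset class and draw events from the real door, camera, work-order and network monitoring feeds.

```python
"""Spatio-temporal correlation of security events into incidents.

Added example; not code from the original article or Space-Time Insight.
Schema, thresholds, rules and sample data are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Event:
    ts: datetime
    lat: float
    lon: float
    source: str   # door, camera, workorder, netmon, ...
    kind: str     # door_open, motion, authorized_entry, comm_timeout, ...
    site: str


@dataclass
class Incident:
    events: list = field(default_factory=list)

    def kinds(self):
        return {e.kind for e in self.events}

    def sites(self):
        return {e.site for e in self.events}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


TIME_WINDOW = timedelta(minutes=10)   # hypothetical linkage thresholds
DIST_KM = 0.5


def correlate(events):
    """Greedy single-linkage: an event joins the first incident that already
    holds an event within TIME_WINDOW and DIST_KM of it; otherwise it starts
    a new incident.  Dozens of alarms from one site collapse into one record."""
    incidents = []
    for e in sorted(events, key=lambda x: x.ts):
        for inc in incidents:
            if any(abs(e.ts - o.ts) <= TIME_WINDOW
                   and haversine_km(e.lat, e.lon, o.lat, o.lon) <= DIST_KM
                   for o in inc.events):
                inc.events.append(e)
                break
        else:
            incidents.append(Incident([e]))
    return incidents


def classify(inc):
    """Door-alarm triage from the evidence correlated into the incident."""
    kinds = inc.kinds()
    if "door_open" not in kinds:
        return "other"
    if "authorized_entry" in kinds:      # work order covers the entry
        return "authorized_access"
    if "motion" in kinds:                # camera saw someone, no work order
        return "security_breach"
    return "possible_alarm_malfunction"  # door alarm with nothing corroborating


def coordinated(incidents, kind, min_sites=3, window=timedelta(minutes=5)):
    """Sites hit by the same event kind within `window`, regardless of distance;
    returns them sorted if at least `min_sites` are affected, else []."""
    hits = sorted((e.ts, e.site) for inc in incidents
                  for e in inc.events if e.kind == kind)
    for i, (t0, _) in enumerate(hits):
        sites = {s for t, s in hits[i:] if t - t0 <= window}
        if len(sites) >= min_sites:
            return sorted(sites)
    return []


# Constructed sample: three door events at three sites, then a burst of
# communication timeouts across four sites an hour later.
_T = lambda h, m: datetime(2024, 5, 1, h, m)
_S1, _S2, _S3, _S4 = (37.40, -122.05), (37.45, -122.10), (37.30, -121.90), (37.50, -122.00)
SAMPLE_EVENTS = [
    Event(_T(9, 55), *_S1, "workorder", "authorized_entry", "S1"),
    Event(_T(10, 0), *_S1, "door", "door_open", "S1"),
    Event(_T(10, 1), *_S1, "camera", "motion", "S1"),
    Event(_T(10, 2), *_S2, "door", "door_open", "S2"),
    Event(_T(10, 3), *_S2, "camera", "motion", "S2"),
    Event(_T(10, 4), *_S3, "door", "door_open", "S3"),
    Event(_T(11, 0), *_S1, "netmon", "comm_timeout", "S1"),
    Event(_T(11, 1), *_S2, "netmon", "comm_timeout", "S2"),
    Event(_T(11, 2), *_S3, "netmon", "comm_timeout", "S3"),
    Event(_T(11, 3), *_S4, "netmon", "comm_timeout", "S4"),
]

if __name__ == "__main__":
    incs = correlate(SAMPLE_EVENTS)
    for inc in incs:
        print(sorted(inc.sites()), len(inc.events), "events ->", classify(inc))
    print("coordinated comm_timeout across:", coordinated(incs, "comm_timeout"))
```

Two design points worth noting.  Linkage is deliberately by proximity to any event already in the incident rather than to the first one, so a building-wide cascade of alarms spread over several minutes still lands in one record.  The coordinated check ignores distance on purpose: a DoS or similar campaign is recognizable precisely because the same symptom appears at sites that are not physically related.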

Responding to Attacks

Your situational intelligence system has detected an attack—now what?  First, you need to understand exactly what has happened.  For example, a neighborhood's smart meter communications can be knocked out because of accidental damage to a cellular communications relay, or because of deliberate sabotage.  How you respond, in particular whom you dispatch to the location of the relay, could vary greatly between these two scenarios. 

Utility customers expect that if and when attacks occur, utility service continues to the greatest extent possible.  You need to assess the damage from the attack, plus who and what the damage affects.  Damage to a substation is bad; damage to a substation that supplies facilities like hospitals, fire stations, and water treatment plants is worse. 

After detecting an attack, you need to know who should be notified, which utility crews should be dispatched where, which first responders to contact, and what reports need to be filed.  The period immediately following an attack is critical for damage control, injury prevention, evidence collection, and suspect apprehension.

Because situational intelligence correlates data across the dimensions of space, time and network node, operators can quickly close in on the root cause of an event.  They can also see at a glance the network impact upstream and downstream of the event.  For example, in the case of contamination of the local water supply, fast notification to customers downstream of the contamination point can head off more serious impacts and allow first responders to focus more on the contamination itself. 

Being ready

Situational intelligence also allows users to define ahead of time what steps to take in case of attack, and puts multiple systems and sources of information on a single pane of glass to ease the work of network operators.  When an alarm is triggered, operators have at their fingertips the type of alarm, its location, the protocol for response, and the systems and information necessary to respond.

Once an attack has been addressed, it's good to review process and procedures, to improve security and prevention and to better prepare for the next possible attack.  Situational intelligence systems can capture spatial-temporal-nodal information for later playback.  This helps operators, administrators and investigators study, assess and revise responses to attacks. 

Given our reliance on their output, securing complex utility networks is crucial for our functioning society.  Many utilities and other organizations already possess multiple, separate systems that can notify operators of physical or cyber alerts.  What's lacking is a single view into the multiple people, systems and sources of data that come into play in anticipating, preventing, detecting and responding to attacks. 

Situational intelligence solutions, such as those from Space-Time Insight, can provide the real-time view into the probability and consequences of attack that utilities need in order to defend their networks against physical and cyber threats.