News

Standardizing Cyber Analytics to Secure Critical Infrastructure

A team at the Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, has developed a framework for standardizing the alerts generated by cybersecurity systems defending critical infrastructure, dramatically improving the efficiency with which operators respond to potential attacks.

Known as BAS/CS — short for Behavioral Alerting Sets for Control Systems and pronounced “basics” — the capability is already in use by military control system operators.

Control systems for essential services — including electricity, water and natural gas — remain high-priority hacking targets. Defending these systems is complicated by the sheer variety of technologies, protocols and cybersecurity products in use, which makes it extremely challenging to share information and identify threats.

“There are dozens of formats for every type of sensor data, and dozens of vendors that each have different detection systems and analytic tools,” said Alex Beall, a control system cybersecurity researcher who, along with APL colleague and cyber defense expert Harley Parkes, led the creation and development of the capability. “For example, two sensors can both be looking at the same raw network data but interpret that data in different ways. Different sensors can tag the same attack with slightly different names and descriptions.”

Remapping the Cyber Threat Landscape

The BAS/CS framework addresses the variability problem on multiple levels. First, every event flagged by a sensor — for instance, an attempt to remotely log into a system or a new protocol seen on the network — is tagged with a common identification number that works across different sensors and vendor offerings.

The system then evaluates the tagged sensor events against correlation rules that generate alerts. A sequence of tagged events that satisfies a rule's conditions within a defined time window raises an alert for control system operators; a remote login attempt followed by suspicious use of a system process, for example, would raise one. Like the sensor event IDs, the correlation rules and the wording of the alerts are standardized across systems.
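The two-level design described above, normalizing vendor-specific sensor signatures to a common event ID and then running time-windowed correlation rules over the tagged stream, is shown here as an added illustration. This is not APL's BAS/CS code and none of the real tag set, vendor formats or rules are published on this page: the event IDs, the two vendor mappings, the "vendor|timestamp|host|signature" line format, the rule and the sample sensor output are all constructed for the example. The correlation step also records which vendors contributed to each alert, and signatures with no mapping are surfaced as tagging gaps rather than silently dropped.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical common event IDs; the actual BAS/CS tag set is not given on the page.
REMOTE_LOGIN = "EVT-REMOTE-LOGIN"
NEW_PROTOCOL = "EVT-NEW-PROTOCOL"
SUSPICIOUS_PROCESS = "EVT-SUSPICIOUS-PROCESS"

# Constructed per-vendor mappings: each vendor names the same behaviour differently.
VENDOR_MAP: Dict[str, Dict[str, str]] = {
    "vendorA": {
        "SSH_AUTH_ATTEMPT": REMOTE_LOGIN,
        "Unseen Protocol": NEW_PROTOCOL,
        "Exec: cmd.exe spawned by service": SUSPICIOUS_PROCESS,
    },
    "vendorB": {
        "remote-login": REMOTE_LOGIN,
        "proto-new": NEW_PROTOCOL,
        "proc-anomaly": SUSPICIOUS_PROCESS,
    },
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    tag: str      # common ID shared across sensors
    source: str   # which sensor/vendor produced it
    native: str   # vendor's original signature name, kept for analyst drill-down


@dataclass(frozen=True)
class Rule:
    name: str
    sequence: Tuple[str, ...]  # common IDs that must occur in this order on one host
    window: timedelta          # all must fall within this span of the first event


RULES = [
    Rule("Remote login followed by suspicious process use",
         (REMOTE_LOGIN, SUSPICIOUS_PROCESS), timedelta(minutes=10)),
]


def normalize(lines: List[str]) -> Tuple[List[Event], List[Tuple[str, str]]]:
    """Map 'vendor|timestamp|host|signature' lines to common-ID events.
    Signatures with no mapping are returned separately as tagging gaps."""
    events, unmapped = [], []
    for line in lines:
        vendor, ts, host, sig = line.split("|", 3)
        tag = VENDOR_MAP.get(vendor, {}).get(sig)
        if tag is None:
            unmapped.append((vendor, sig))
            continue
        events.append(Event(datetime.fromisoformat(ts), host, tag, vendor, sig))
    return events, unmapped


def correlate(events: List[Event], rules: List[Rule]) -> List[dict]:
    """Fire one alert per rule match; a match is an ordered subsequence of the
    rule's tags on the same host, all within `window` of the first tag."""
    alerts = []
    by_host: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        for rule in rules:
            for i, first in enumerate(evs):
                if first.tag != rule.sequence[0]:
                    continue
                matched, nxt = [first], 1
                for later in evs[i + 1:]:
                    if later.ts - first.ts > rule.window:
                        break  # outside the window: stop scanning for this start event
                    if later.tag == rule.sequence[nxt]:
                        matched.append(later)
                        nxt += 1
                        if nxt == len(rule.sequence):
                            alerts.append({
                                "rule": rule.name,
                                "host": host,
                                "start": first.ts,
                                "sources": [m.source for m in matched],
                                "native": [m.native for m in matched],
                            })
                            break
    return alerts


# Constructed sample sensor output from two vendors (not real data).
SAMPLE_LINES = [
    "vendorA|2024-05-01T10:00:00|plc-01|SSH_AUTH_ATTEMPT",
    "vendorB|2024-05-01T10:01:00|hmi-02|remote-login",
    "vendorA|2024-05-01T10:02:00|plc-01|Unseen Protocol",
    "vendorB|2024-05-01T10:03:00|plc-01|weird-sig",
    "vendorB|2024-05-01T10:04:00|plc-01|proc-anomaly",
    "vendorA|2024-05-01T10:30:00|hmi-02|Exec: cmd.exe spawned by service",
]


def run_demo() -> Tuple[List[dict], List[Tuple[str, str]]]:
    events, unmapped = normalize(SAMPLE_LINES)
    return correlate(events, RULES), unmapped


if __name__ == "__main__":
    alerts, gaps = run_demo()
    for a in alerts:
        print(f"ALERT: {a['rule']} on {a['host']} at {a['start']} via {a['sources']}")
    for vendor, sig in gaps:
        print(f"TAGGING GAP: {vendor} signature {sig!r} has no common ID")
```

On the sample input only plc-01 alerts: its remote login came from vendorA and the process anomaly four minutes later from vendorB, which is exactly the cross-sensor correlation the common ID makes possible. hmi-02 sees the same pair of tags but 29 minutes apart, outside the rule's window, so it stays quiet, and the unmapped "weird-sig" is reported as a gap for the mapping reviewers rather than disappearing.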

Parkes noted that BAS/CS is available free of charge and can be implemented in existing security information and event management (SIEM) and analytics platforms to help mitigate cyber threats to control systems in real time.

Development, Refinement and Deployment

BAS/CS stems from early work on MOSAICS, or More Situational Awareness for Industrial Control Systems, an APL-developed capability for real-time operational defense of industrial control systems. While analyzing tactics, techniques and procedures from known cyberattacks, the MOSAICS team, led by Parkes, had the idea to standardize the identification of sensor events with ID tags.

From there, the BAS/CS team took an iterative approach, mapping sensor events to the tags it developed and enlisting subject-matter experts to review those mappings. Team members used cyber defense tools from a variety of vendors and subjected BAS/CS to adversarial testing to further refine the mappings, correlations and alerts produced by the system.

BAS/CS has been deployed through MOSAICS to defend U.S. Navy control systems and has been well received by users. As one Navy operator commented on BAS/CS: “From my 10 years of experience with U.S. Air Force Cyber Protection Teams, and now on this Navy mission, the promise of automating the correlation of different log types certainly represents a top five or even higher game changer that could dramatically strengthen cyber defenses.”

Beall said the team is working with other APL, government and industry partners to expand adoption and has had some good discussions with vendors and users in the industrial control system community.

“BAS/CS is a dynamic and living capability,” he said. “We’re always improving the analytics, taking feedback on where there might be gaps in the tagging, exploring new sensors and how those sensors might map into the framework.”
