Standardizing the BAS/CS of Critical Infrastructure Cybersecurity Alerts
Publish Date: 2026-01-30 07:00:00
Source Domain: www.afcea.org
Researchers at the Johns Hopkins Applied Physics Laboratory (APL) seek wider adoption of a cybersecurity framework designed to standardize alerts across industrial control systems (ICS) essential to the nation’s critical infrastructure, which includes the defense industrial base, nuclear reactors, communications and food and agriculture, among other sectors.
Control systems for essential services, including electricity, water and natural gas, remain high-priority hacking targets, according to an APL article. Defending these systems is complicated by the sheer variety of technologies, protocols and available cybersecurity solutions in use, which makes it challenging to share information and identify threats. Control systems use dozens of different formats for an array of sensor data, and dozens of vendors each supply their own detection systems and analytic tools. For example, two sensors can look at the same raw network data but interpret that data in different ways, researchers explain in the article. Different sensors can tag the same attack with different names and descriptions.
To resolve the challenge, APL researchers developed BAS/CS (Behavioral Alerting Sets for Control Systems), which is designed to address the variability problem on multiple levels, the APL article explains. First, every event flagged by a sensor, such as an attempt to remotely log into a system or a new protocol seen on the network, is tagged with a common identification number that works across different sensors and vendor offerings.
The system then evaluates these tagged sensor events using correlation rules for generating alerts. Correlations that meet certain conditions within a defined period of time trigger an alert for control system operators. A remote login attempt followed by the suspicious use of a system process, for example, would raise an alert. Like the sensor event identifications, the correlation detection rules and the language of the alerts are standardized across systems.
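The two-stage pipeline described above, as an added illustration that is not APL's code and does not use the real BAS/CS catalogue: vendor-specific sensor events are first tagged with a common ID (the IDs, vendor names and sample events here are constructed), then a standardized correlation rule raises an alert when a remote login is followed by suspicious process use on the same host within a defined period.

```python
from datetime import datetime, timedelta

# Constructed mapping of vendor-specific sensor event names to a common event
# ID (hypothetical IDs, not the BAS/CS catalogue itself).
COMMON_ID = {
    ("vendorA", "RDP_LOGON_ATTEMPT"): "EV-REMOTE-LOGIN",
    ("vendorB", "remote_auth"): "EV-REMOTE-LOGIN",
    ("vendorA", "PROC_ANOMALY"): "EV-SUSPICIOUS-PROCESS",
    ("vendorB", "proc_exec_unusual"): "EV-SUSPICIOUS-PROCESS",
}

def normalize(raw):
    """Tag one raw vendor record as (timestamp, host, common_id); None if unmapped."""
    cid = COMMON_ID.get((raw["vendor"], raw["name"]))
    return (datetime.fromisoformat(raw["ts"]), raw["host"], cid) if cid else None

def correlate(events, sequence, window):
    """Alert when the IDs in `sequence` occur in order on one host within `window`."""
    alerts, by_host = [], {}
    for ev in sorted(events):
        by_host.setdefault(ev[1], []).append(ev)
    for host, evs in by_host.items():
        for i, (t0, _, cid0) in enumerate(evs):
            if cid0 != sequence[0]:
                continue
            idx = 1
            for t1, _, cid1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break  # outside the defined period: this start event never completes
                if cid1 == sequence[idx]:
                    idx += 1
                    if idx == len(sequence):
                        alerts.append({"host": host, "rule": " -> ".join(sequence),
                                       "span": (t0.isoformat(), t1.isoformat())})
                        break
    return alerts

# Constructed sample feed from two vendors' sensors (different names, same hosts).
RAW_EVENTS = [
    {"vendor": "vendorA", "name": "RDP_LOGON_ATTEMPT", "ts": "2026-01-30T10:00:00", "host": "hmi-01"},
    {"vendor": "vendorB", "name": "proc_exec_unusual", "ts": "2026-01-30T10:04:00", "host": "hmi-01"},
    {"vendor": "vendorB", "name": "remote_auth", "ts": "2026-01-30T11:00:00", "host": "eng-02"},
    {"vendor": "vendorA", "name": "PROC_ANOMALY", "ts": "2026-01-30T11:30:00", "host": "eng-02"},
    {"vendor": "vendorA", "name": "HEARTBEAT", "ts": "2026-01-30T11:31:00", "host": "eng-02"},
]

def run(window_minutes=10):
    """Normalize the feed, then apply one correlation rule; returns the alerts."""
    events = [e for e in map(normalize, RAW_EVENTS) if e]
    return correlate(events, ["EV-REMOTE-LOGIN", "EV-SUSPICIOUS-PROCESS"], timedelta(minutes=window_minutes))
```

With the default 10-minute window only hmi-01 alerts; eng-02's pair is 30 minutes apart, and the unmapped HEARTBEAT record is dropped at the tagging stage rather than reaching the rule.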
“One of the big benefits is having a common language that everyone can talk about—from the operators and control system environments to the more traditional cyber defenders—and being able to understand what’s actually happening in these systems,” Alex Beall, an APL control system cybersecurity researcher, told SIGNAL Media during a recent Zoom interview.
During the same Zoom interview, Harley Parkes, an APL cyber defense expert who led the creation and development of BAS/CS, touted its vendor-agnostic nature. “If you’re able to standardize the way you do alerting and tagging of data, then you can replace sensors. You can replace some of the feeds that generate alerts so that you can actually go with best-of-breed technologies and continue to operate and alert on the threat over time.”
Beall added that the vendor agnosticism includes both data and rules. “We viewed BAS/CS as the way—at the alert level—to try to make it so that not only are we vendor agnostic from these sensors that are providing data, but we’re also vendor agnostic for what’s running these rules. There’s no special bit of code or technology that is required to be able to use the BAS/CS rules.”
BAS/CS is the solution to a challenge identified during development of MOSAICS—More Situational Awareness for Industrial Control Systems—the first-ever comprehensive, integrated and automated solution for ICS security. APL is developing MOSAICS in partnership with Sandia National Laboratories, Pacific Northwest National Laboratory and Idaho National Laboratory. The MOSAICS team has worked extensively with the U.S. Navy, Air Force and others.