
Technology for Visualizing and Analyzing Control System Traffic to Verify its Integrity

- Quick detection of security incidents that threaten critically important infrastructure -

September 16, 2015

National Institute of Information and Communications Technology
Yokogawa Electric Corporation
Kyoto University

Points

    • A new technology that quickly detects, visualizes, and analyzes control system security incidents
    • The developed technology has no impact on the availability of infrastructure control systems 
    • Improves security of control systems used by public utilities 

NICT announces that it has worked with the Yokogawa Electric Corporation (Yokogawa, President: Takashi Nishijima), Professor Yasuo Okabe of Kyoto University, and former Associate Professor Hiroki Takakura of Kyoto University to jointly develop a technology that visualizes and analyzes control system traffic to verify its integrity. This technology, which has been integrated by Yokogawa in an industry-first network healthiness check service, can quickly detect security incidents such as a malware infection. It combines visualization technology with the collection and analysis of traffic data to verify the integrity of control system networks, and is expected to improve the security of control systems used by public utilities.

Background

Control system security has become a serious concern in recent years due to the proliferation of cyber-attacks targeting critically important infrastructure like public utilities: electric power, gas, and water. As control systems increasingly rely on operating systems and standard protocols that are both open and versatile, cyber-attacks have become very common, and infection routes include not only the Internet but also USB memory devices and other media, making it difficult to prevent all malware infections. Therefore, there is an urgent need for a technology that can quickly detect security incidents. Such technology should not have an impact on control system availability (stable, continuous operation), as these systems need to keep operating without interruption for very long periods, even as long as several decades.

Achievements
Figure 1 Schematic diagram of the developed technology


NICT, Yokogawa, and Kyoto University jointly developed a technology for visualizing and analyzing control system traffic to verify its integrity and quickly detect security incidents such as malware infections.

Unlike general information systems where the amount and direction of traffic keep changing, it is easier with control system networks to identify when traffic conditions are normal as these systems are designed and used for a specific purpose. We focused on this characteristic.

Our technology saves data on normal control system traffic conditions as a white list. With reference to this list, the technology monitors the dynamic state of the control system network to detect any abnormalities such as an increase in traffic or communication with an unknown IP address that could be caused by malware.

Furthermore, using NIRVANA, a real-time traffic visualization system developed by NICT, we improved this technology to handle the unique communications protocols used by control systems. As a result, traffic conditions are much easier to identify when an abnormality is detected (Figures 2 and 3).

Since there is no need to install detection software on each control system host (or server), this technology is easy to introduce and does not impact control system availability.
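
The white-list check described above, as an added example that is not code from NICT, Yokogawa, or Kyoto University: a baseline of normal flows is learned from passively collected traffic, and later traffic is flagged when it goes to an unlisted peer or exceeds the learned volume. The flow-record layout, the addresses and ports, and the `tolerance` factor are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records: (window, src_ip, dst_ip, proto, dst_port, bytes).
# A "window" is one fixed collection interval taken from a mirror port or tap,
# so nothing is installed on the control system hosts themselves.
BASELINE = [
    (0, "10.0.1.10", "10.0.2.20", "udp", 20000, 4000),
    (0, "10.0.1.11", "10.0.2.20", "udp", 20000, 3900),
    (1, "10.0.1.10", "10.0.2.20", "udp", 20000, 4100),
    (1, "10.0.1.11", "10.0.2.20", "udp", 20000, 4000),
]
OBSERVED = [
    (2, "10.0.1.10", "10.0.2.20", "udp", 20000, 4050),   # normal
    (2, "10.0.1.11", "10.0.2.20", "udp", 20000, 52000),  # traffic increase
    (2, "10.0.1.11", "203.0.113.7", "tcp", 443, 900),    # unknown IP address
]

def per_window(flows):
    """Sum bytes per (window, flow key)."""
    totals = defaultdict(int)
    for window, src, dst, proto, port, nbytes in flows:
        totals[(window, (src, dst, proto, port))] += nbytes
    return totals

def learn_whitelist(flows):
    """Map each flow key seen in the baseline to its peak bytes per window."""
    peaks = {}
    for (_, key), total in per_window(flows).items():
        peaks[key] = max(peaks.get(key, 0), total)
    return peaks

def check(flows, whitelist, tolerance=2.0):
    """Return (window, reason, key, bytes) alerts for traffic outside the list."""
    alerts = []
    for (window, key), total in sorted(per_window(flows).items()):
        if key not in whitelist:
            alerts.append((window, "unlisted-flow", key, total))
        elif total > tolerance * whitelist[key]:  # hypothetical threshold
            alerts.append((window, "volume-increase", key, total))
    return alerts

if __name__ == "__main__":
    for alert in check(OBSERVED, learn_whitelist(BASELINE)):
        print(alert)
```

Because a control network's flows are few and stable, the learned list stays small and a single unlisted flow is already a meaningful signal.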

Figure 2 Example of control network visualization (under normal conditions)


Figure 3 Example of control network visualization (when an incident has occurred)
In this case, a host in control room A has become infected with malware and there has been an increase in network traffic.

Future perspectives

This technology has been integrated in Yokogawa’s cyber security support service for control systems (URL: http://www.yokogawa.com/vps/gsv/gsv-netck-en.htm), and is expected to make the control systems used in critically important infrastructure more secure. With the aim of making the world a safer place, we will continue researching and developing cyber security technologies for control systems.

Glossary

NIRVANA (NIcter Real-network Visual ANAlyzer)

A system developed by NICT to visualize and analyze traffic in real time. NIRVANA reduces the load of managing large-scale, complex networks by visualizing traffic. It enables action to be taken quickly when a failure occurs. NIRVANA is a NICT technology that is available for transfer under a license agreement.

Real-time Traffic Visualization by NIRVANA
(Left: Packet-by-packet Visualization Mode, Right: Address Block View)



Technical Contact

Takahiro Kasama, Masashi Eto, and Daisuke Inoue
Network Security Research Institute
NICT
Tel: +81-42-327-6225

Kenichi Eso, Kazuya Suzuki, and Hiroshi Hoshino
PA Systems Planning Dept.
Yokogawa Electric Corporation
Tel: 81-422-52-0212

Yasuo Okabe
Academic Center for Computing and Media Studies
Kyoto University
Tel: +81-75-753-7458

Media Contact

Sachiko Hirota
Public Relations Department
NICT
Tel: +81-42-327-6923

Hiroshi Kubo
Corporate Communications Dept.
Yokogawa Electric Corporation
Tel: 81-422-52-5530

Kenji Shindo
Public Relations Division
Kyoto University
Tel: +81-75-753-2071