Publications

Results 1–25 of 70

Forensic Investigation of Industrial Control Systems Using Deterministic Replay

2020 IEEE Conference on Communications and Network Security, CNS 2020

Walkup, Gregory W.; Etigowni, Sriharsha; Xu, Dongyan; Urias, Vincent U.; Lin, Han W.

From manufacturing plants to power grids, industrial control systems are increasingly controlled and networked digitally. While networking these systems together improves their efficiency and convenience to control, it also opens them up to attacks by malicious actors. When these attacks occur, forensic investigators should be able to determine what was compromised and which corrective actions need to be taken. In this paper, we propose a method to investigate attacks on industrial control systems by simulating the logged inputs of the system over time using a model constructed from the control programs. We detect any attacks that will lead to perturbations of the normal operation of the system by comparing the simulated output to the actual output. We also perform dependency tracing between the inputs and outputs of the system, so that attacks can be traced from the anomaly to their sources and vice-versa. Our method can greatly aid investigators in recovering the complete attack graph used by the attacker using only the input and output logs from an industrial control system. To evaluate our method, we constructed a hybrid testbed with a simulated version of the Simplified Tennessee Eastman process, using a hardware-in-the-loop Allen-Bradley MicroLogix 1100 PLC. We were able to accurately detect all attack anomalies with a false positive rate of 0.3% or less.
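The replay-and-compare step and the input/output dependency tracing described in the abstract above, as an added example (not code from the paper). The two-rung tank control program, the I/O log format, the initial state and the forced-output anomaly in cycle 3 are all constructed here; the paper's model is built from the real control programs and its testbed is the Simplified Tennessee Eastman process, not this toy.

```python
"""Deterministic replay of a logged PLC I/O trace against a model of the control
program. Added example: the control program, log and anomaly are constructed."""

from collections import defaultdict

HIGH = 80.0   # inlet valve closes once the tank level reaches this
LOW = 20.0    # inlet valve reopens once the level falls to this


class TracingInputs:
    """Read-only view of one scan's inputs that records every key read, so each
    output's dependency on the inputs is captured while the model runs."""

    def __init__(self, values):
        self._values = values
        self.read = set()

    def __getitem__(self, key):
        self.read.add(key)
        return self._values[key]


def scan_cycle(inputs, state):
    """Constructed model of the control program for one scan cycle.

    Returns (outputs, new_state, deps); deps maps each output name to the set
    of input names read while computing it."""
    outputs, deps = {}, {}

    # Rung 1: inlet valve with hysteresis between LOW and HIGH (stateful).
    tr = TracingInputs(inputs)
    level = tr["level"]
    valve = state["valve"]
    if level >= HIGH:
        valve = False
    elif level <= LOW:
        valve = True
    outputs["inlet_valve"] = valve
    deps["inlet_valve"] = set(tr.read)

    # Rung 2: pump runs while operator start is held and there is liquid to
    # move (stateless). Both contacts are read, as a ladder rung would.
    tr = TracingInputs(inputs)
    start = tr["start"]
    above_low = tr["level"] > LOW
    outputs["pump"] = bool(start and above_low)
    deps["pump"] = set(tr.read)

    return outputs, {"valve": valve}, deps


def replay(log, initial_state):
    """Feed the logged inputs through the model cycle by cycle and compare the
    simulated outputs with the logged ones.

    anomalies: every mismatch with the inputs it depended on (backward trace).
    forward:   input name -> (cycle, output) pairs it fed (forward trace)."""
    state = dict(initial_state)
    anomalies, forward = [], defaultdict(list)
    for i, cycle in enumerate(log):
        expected, state, deps = scan_cycle(cycle["inputs"], state)
        for out, sources in deps.items():
            for src in sources:
                forward[src].append((i, out))
        for out, exp in expected.items():
            actual = cycle["outputs"][out]
            if actual != exp:
                anomalies.append({"cycle": i, "output": out, "expected": exp,
                                  "actual": actual, "sources": sorted(deps[out])})
    return anomalies, dict(forward)


def sample_log():
    """Constructed I/O log of five scan cycles. In cycle 3 the logged pump
    output is on although operator start is off (a forced-output attack)."""
    rows = [
        # level, start, logged inlet_valve, logged pump
        (10.0, False, True, False),
        (30.0, True, True, True),
        (85.0, True, False, True),
        (60.0, False, False, True),   # anomaly: pump forced on
        (15.0, False, True, False),
    ]
    return [{"inputs": {"level": lv, "start": st},
             "outputs": {"inlet_valve": v, "pump": p}} for lv, st, v, p in rows]


if __name__ == "__main__":
    anomalies, forward = replay(sample_log(), {"valve": False})
    for a in anomalies:
        print(f"cycle {a['cycle']}: {a['output']} expected {a['expected']} "
              f"got {a['actual']}; depends on inputs {a['sources']}")
    print("outputs fed by 'start':", forward["start"])
```

The model keeps its own state across cycles rather than resynchronising to the logged outputs, so a stateful divergence would keep flagging until the states reconverge; the constructed anomaly is on the stateless pump rung, so it is reported exactly once, at the cycle where the logged output departs from the model.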

Automated Discovery for Emulytics

Crussell, Jonathan C.; Fritz, David J.; Urias, Vincent U.

Sandia has an extensive background in cybersecurity research and is currently extending its state-of-the-art modeling via emulation capability. However, a key part of Sandia's modeling methodology is the discovery and specification of the information system under study, and the ability to recreate that specification with the highest fidelity possible in order to extrapolate meaningful results. This work details a method to conduct information system discovery and develop tools to enable the creation of high-fidelity emulation models that can be used to enable assessment of our infrastructure information system security posture and potential system impacts that could result from cyber threats. The outcome is a set of tools and techniques to go from network discovery of operational systems to emulating complex systems. As a concrete use case, we have applied these tools and techniques at Supercomputing 2016 to model SCinet, the world's largest research network. This model includes five routers and nearly 10,000 endpoints which we have launched in our emulation platform.

Networked-based Cyber Analysis using Deep Packet Inspection (DPI) for High-Speed Networks

Van Leeuwen, Brian P.; Gao, Jason H.; Yin, Kevin H.; Anthony, Benjamin A.; Urias, Vincent U.

Today’s networked systems utilize advanced security components such as Next Generation Firewall (NGFW), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and methods for network traffic classification. A fundamental aspect of these security components and methods is network packet visibility and packet inspection. To achieve packet visibility, a compute mechanism used by these security components and methods is Deep Packet Inspection (DPI). DPI is used to obtain visibility into packet fields by looking deeper inside packets, beyond just IP address, port, and protocol. However, DPI is considered extremely expensive in terms of compute processing costs and very challenging to implement on high speed network systems. The fundamental scientific paradigm addressed in this research project is the application of greater network packet visibility and packet inspection at data rates greater than 40 Gbps to secure computer network systems. The greater visibility and inspection will enable detection of advanced content-based threats that exploit application vulnerabilities and are designed to bypass traditional security approaches such as firewalls and antivirus scanners. Greater visibility and inspection are achieved through identification of the application protocol (e.g., HTTP, SMTP, Skype) and, in some cases, extraction and processing of the information contained in the packet payload. Analysis is then performed on the resulting DPI data to identify potentially malicious behavior. In order to obtain visibility and inspect the application protocol and contents at high speed data rates, advanced DPI technologies and implementations are developed.
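The two DPI steps the abstract above names, identifying the application protocol from payload content rather than from port number and then extracting fields from that payload for analysis, as an added example (not code from the project). The byte signatures, the port-hint table and the four flows, including the minimal TLS ClientHello, are constructed for this listing; a line-rate DPI engine would also track flow state and inspect the server side, which this single-packet classifier does not.

```python
"""Payload-based application protocol identification and field extraction.
Added example: signatures and flows are constructed, not from the project."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
PORT_HINTS = {80: "http", 25: "smtp", 443: "tls", 22: "ssh"}   # constructed


def identify(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a flow by content."""
    head = payload[:256]
    if head.startswith(HTTP_METHODS) and b" HTTP/1." in head:
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03
            and head[2] <= 0x04 and head[5] == 0x01):
        return "tls"
    if head.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    if head.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


def extract_http(payload: bytes) -> dict:
    """Pull the request line and Host header out of an HTTP/1.x request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return {"method": parts[0].decode("ascii", "replace"),
            "target": parts[1].decode("ascii", "replace") if len(parts) > 1 else "",
            "host": host}


def analyze(flow: dict) -> dict:
    """Compare the port-based guess with the content-based result and flag
    flows whose application protocol does not match their destination port."""
    guess = PORT_HINTS.get(flow["dst_port"], "unknown")
    proto = identify(flow["payload"])
    result = {"dst_port": flow["dst_port"], "port_guess": guess,
              "dpi": proto, "mismatch": proto != guess}
    if proto == "http":
        result["http"] = extract_http(flow["payload"])
    return result


def sample_flows():
    """Constructed flows: HTTP on a non-standard port, a TLS ClientHello sent
    to port 80, and ordinary SMTP and SSH."""
    client_hello = (b"\x16\x03\x01\x00\x2f"        # record: handshake, TLS, len 47
                    + b"\x01\x00\x00\x2b"          # ClientHello, body len 43
                    + b"\x03\x03" + bytes(32)      # version, random
                    + b"\x00"                      # session id length 0
                    + b"\x00\x02\x13\x01"          # one cipher suite
                    + b"\x01\x00"                  # compression: null
                    + b"\x00\x00")                 # no extensions
    return [
        {"dst_port": 8080, "payload": b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
        {"dst_port": 80, "payload": client_hello},
        {"dst_port": 25, "payload": b"EHLO mail.example\r\n"},
        {"dst_port": 22, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    ]


if __name__ == "__main__":
    for r in map(analyze, sample_flows()):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"port {r['dst_port']:>5} guess={r['port_guess']:<7} "
              f"dpi={r['dpi']:<7} {flag}", r.get("http", ""))
```

Only the first 256 bytes of the first client message are examined, which is the usual trade-off between classification accuracy and per-packet cost that the abstract refers to; anything that needs reassembly or a full protocol parse costs more and is what the high-speed implementations the project targets have to make affordable.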

Leveraging a Live/Virtual/Constructive Testbed for the Evaluation of Moving Target Defenses

Proceedings - International Carnahan Conference on Security Technology

Stout, William M.S.; Van Leeuwen, Brian P.; Urias, Vincent U.; Tuminaro, Julian T.; Dossaji, Nomaan D.

Adversary sophistication in the cyber domain is a constantly growing threat. As more systems become accessible from the Internet, the risk of breach, exploitation, and malice grows. To thwart reconnaissance and exploitation, Moving Target Defense (MTD) has been researched and deployed in various systems to modify the threat surface of a system. Tools are necessary to analyze the security, reliability, and resilience of information systems against cyber-attack and measure the effectiveness of the MTD technologies. Today's security analyses utilize (1) real systems such as computers, network routers, and other network equipment; (2) computer emulations (e.g., virtual machines); and (3) simulation models separately. In this paper, we describe the progress made in developing and utilizing hybrid Live, Virtual, Constructive (LVC) environments for the evaluation of a set of MTD technologies. The LVC methodology has been most rooted in the Modeling & Simulation (M&S) work of the Department of Defense. With the recent advances in virtualization and software-defined networking, Sandia has taken the blueprint for LVC and extended it by crafting hybrid environments of simulation, emulation, and human-in-the-loop. Furthermore, we discuss the empirical analysis of MTD technologies and approaches with LVC-based experimentation, incorporating aspects that may impact an operational deployment of the MTD under evaluation.

A zero-entry cyber range environment for future learning ecosystems

Cyber-Physical Systems Security

Raybourn, Elaine M.; Kunz, Michael K.; Fritz, David J.; Urias, Vincent U.

Sandia National Laboratories performed a 6-month effort to stand up a "zero-entry" cyber range environment for the purpose of providing self-directed practice to augment transmedia learning across diverse media and/or devices that may be part of a loosely coupled, distributed ecosystem. This 6-month effort leveraged Minimega, an open-source Emulytics™ (emulation + analytics) tool for launching and managing virtual machines in a cyber range. The proof of concept addressed a set of learning objectives for cybersecurity operations by providing three, short "zero-entry" exercises for beginner, intermediate, and advanced levels in network forensics, social engineering, penetration testing, and reverse engineering. Learners provided answers to problems they explored in networked virtual machines. The hands-on environment, Cyber Scorpion, participated in a preliminary demonstration in April 2017 at Ft. Bragg, NC. The present chapter describes the learning experience research and software development effort for a cybersecurity use case and subsequent lessons learned. It offers general recommendations for challenges which may be present in future learning ecosystems.
