NCSA begins research on cyber attack defenses

The University’s National Center for Supercomputing Applications has begun research on fortifying critical infrastructures against potential cyber attacks. This research is funded by a federal $1.6 million grant that began Sept. 1.

This three-year grant from the National Science Foundation is a collaborative proposal to be shared between the NCSA and the International Computer Science Institute (ICSI) at the University of California, Berkeley.

The principal investigators for the project are Ravi Iyer, professor of electrical and computer engineering, Adam Slagell, chief information security officer of NCSA and Robin Sommer, senior researcher of ICSI.

Slagell said the NCSA received $900,000 of the grant to focus on power grid and smart grid systems, which entails work on the NCSA systems’ hardware as well as SCADA devices, a type of supervisory industrial control system, connected to the electrical grid. Berkeley received about $700,000 of the grant to work with partners on water, gas and building automation systems.

In its second year, the grant will fund one software developer who will work on network intrusion detection systems and two graduate students. It will also pay for a month of the principal investigators', professors' and other senior staff's time as they write proposals and manage the project, Slagell said in an email.

Randal Butler, senior associate director at NCSA, said the research project will focus on critical infrastructure, such as water treatment facilities, power grids and transportation controls.

“It’s designed to look at how we might apply things like intrusion detection systems, which are ways to monitor network hosts and information feeds … to protect against a very specific kind of attack on critical infrastructure,” Butler said.

Iyer said the project's work focuses on how to protect industrial control systems from malicious attacks, whether that is an individual attack that behaves like an insider or a potential terrorist attack trying to destroy the system.

“We are very good at protecting against attacks that we know of,” he said. “We are very poor at protecting against attacks that we don’t know about.”

The project’s goal is to determine what kinds of cyber attacks are possible and how new systems can be protected against these attacks, especially when the attack in question is one that has yet to be faced, Iyer said.

“We want to get away from the notion that is typical in intrusion detection systems that require you to know about the attack ahead of time,” Slagell said. “The problem is that attacks against critical infrastructure are almost always new and novel. By the time you know about it, it’s often too late.”

Slagell said a signature-based approach, in which a system recognizes an attack by matching it against the signatures of previously seen attacks, is not useful, so he and his team are trying to build a semantic model of the power commands themselves rather than looking at signatures and raw traffic.

During the project’s first year, researchers will be developing protocol analyzers for various SCADA protocols, continuing preliminary research and establishing partnerships to share information with company partners.
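As an added illustration of the two ideas above (a protocol analyzer that decodes SCADA commands, and a semantic model of what those commands may legitimately do, as opposed to matching signatures of past attacks), here is a small Python example. It is not code from the NCSA or ICSI project. The Modbus/TCP frame layout it decodes is the real one (7-byte MBAP header followed by a PDU; function code 6 is Write Single Register), but the plant model (`SEMANTIC_MODEL`), the "known bad" frame and every sample frame are constructed for this example. It goes slightly beyond the article's description by also flagging writes to registers the model does not know about and frames that do not parse at all.

```python
"""Toy comparison: signature matching versus a semantic model of control commands."""
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP framing (real protocol layout): 7-byte MBAP header
# (transaction id, protocol id = 0, remaining length, unit id), then the PDU.
# Function code 6 is "Write Single Register": 2-byte address, 2-byte value.
MBAP = struct.Struct(">HHHB")
FC_WRITE_SINGLE_REGISTER = 6


@dataclass(frozen=True)
class WriteCommand:
    unit_id: int
    register: int
    value: int


def build_write_frame(tid: int, unit_id: int, register: int, value: int) -> bytes:
    """Encode one Write Single Register request (used here only to construct samples)."""
    pdu = bytes([FC_WRITE_SINGLE_REGISTER]) + struct.pack(">HH", register, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit_id) + pdu


def parse_write_command(frame: bytes) -> Optional[WriteCommand]:
    """Protocol analyzer: decode a frame into the command it carries.

    Returns None for well-formed frames with a different function code and
    raises ValueError for frames that do not fit the protocol at all.
    """
    if len(frame) < MBAP.size + 1:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, unit_id = MBAP.unpack_from(frame, 0)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    if frame[MBAP.size] != FC_WRITE_SINGLE_REGISTER:
        return None
    if len(frame) != MBAP.size + 5:
        raise ValueError("wrong PDU length for Write Single Register")
    register, value = struct.unpack_from(">HH", frame, MBAP.size + 1)
    return WriteCommand(unit_id, register, value)


# Constructed semantic model (hypothetical plant): the registers an operator
# station is expected to write on each unit, and the physically sane range for
# each. Anything outside the model is flagged whether or not it was ever seen.
SEMANTIC_MODEL = {
    (1, 0x0010): (0, 600),  # e.g. a setpoint that must stay within 0..600
    (1, 0x0011): (0, 1),    # an on/off flag
}

# Signature approach: the exact bytes of one attack observed in the past (constructed).
KNOWN_BAD_FRAMES = {build_write_frame(1, 1, 0x0010, 3000)}


def signature_verdict(frame: bytes) -> Optional[str]:
    """Flags only byte-for-byte repeats of previously seen attacks."""
    return "matches known-bad signature" if frame in KNOWN_BAD_FRAMES else None


def semantic_verdict(frame: bytes) -> Optional[str]:
    """Flags any write whose meaning violates the plant model, novel or not."""
    try:
        cmd = parse_write_command(frame)
    except ValueError as exc:
        return f"malformed frame: {exc}"
    if cmd is None:
        return None  # not a write; outside this toy model's scope
    bounds = SEMANTIC_MODEL.get((cmd.unit_id, cmd.register))
    if bounds is None:
        return f"write to unmodelled register 0x{cmd.register:04x} on unit {cmd.unit_id}"
    lo, hi = bounds
    if not lo <= cmd.value <= hi:
        return f"value {cmd.value} outside {lo}..{hi} for register 0x{cmd.register:04x}"
    return None


if __name__ == "__main__":
    # Constructed sample traffic: the replayed attack, a never-seen variant of
    # it, a normal operator write, and a write to a register nobody modelled.
    samples = {
        "replayed known attack": build_write_frame(1, 1, 0x0010, 3000),
        "novel variant": build_write_frame(7, 1, 0x0010, 2999),
        "normal operator write": build_write_frame(8, 1, 0x0010, 250),
        "write to unexpected register": build_write_frame(9, 1, 0x0099, 1),
    }
    for label, frame in samples.items():
        print(f"{label:30s} signature={signature_verdict(frame)!r:32s} "
              f"semantic={semantic_verdict(frame)!r}")
```

The novel variant differs from the recorded attack only in its transaction id and value, which is enough to defeat the signature check but makes no difference to the semantic check, because that check reasons about what the command would do to the process rather than what its bytes look like.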

During the project’s second year, the researchers will aim to start deploying early prototypes with some partners while continuing their research. The goal of the third year will be to have a production-ready system available and used by many utility companies.

Butler said the NCSA has received a handful of different types of attacks in the past. These attacks include “ankle-biters,” which are attacks from people testing the system’s vulnerability.

Other hackers choose to attack merely to hone their skills or practice before moving on to a more secure target; still others want to gain control of the systems to use them to launch other attacks; and there are also hackers who launch the attack simply to prove a point.

“These are all lower level types of attacks,” Butler said. “They’re there for different reasons. They’re not typically there to bring our systems down — they’re there to cause problems for other people.”

Butler said the biggest threat the NCSA faces involves compromised accounts, in which a hacker obtains an NCSA system user’s login information and enters the system completely undetected.

“A huge part of our infrastructure is based on the detection part because we have to be an open environment,” Butler said. “We can’t just close off everything, so we really rely on being able to detect the attack. We can’t always deflect the bad guys. We have to detect if they’re going to do something before they do it.”

Jacqui can be reached at [email protected]