Moving Target Cyber Defence for Operational Technology

Lead Research Organisation: CARDIFF UNIVERSITY
Department Name: Computer Science

Abstract

The targeted Operational Technology (OT) attacks seen in the public domain to date (e.g. Stuxnet, Triton, CrashOverride, BlackEnergy in Ukraine) demonstrate that attackers require specific knowledge of the OT environment for their attacks to succeed. Where that information is inaccurate, or the attack is mis-programmed (as with Triton), the attacks become fragile and often fail. A key question is therefore whether we could deliberately increase the fragility of OT attacks and thereby improve the resilience of the OT system.

As modelled in the ICS Cyber Kill Chain, an attacker spends much of their early effort on gathering the information needed to develop OT payloads and execute a successful attack. If that information changes, the gathering process must be repeated and the malware payloads updated. Therefore, if the target system is changed at "regular" time intervals, any information gathered by an attacker carries an expiry time on its usefulness. If the target system changes frequently enough, this could become a "never ending" loop of reconnaissance for the attacker, or at the very least put pressure on them to act very quickly.

The net result of this approach could be at least two outcomes: targeted attacks are rendered less effective, and attackers are frustrated sufficiently to deter them from targeting that specific OT system.

There is, of course, a balance to be struck: how much can an OT system be changed without impacting the business requirement of that system? Is there a point at which the changes are so frequent that the reliability and resilience of the system are negatively impacted? This mitigation approach therefore needs to be investigated to determine its viability, its scalability and the optimum way to achieve the defensive benefits with the minimum operational impact.
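The argument above (gathered knowledge expires when the system changes, and more frequent change costs more operationally) can be made concrete with a small model. The following Python is an added illustration and is not code from the project or from Thales; its attacker window W (reconnaissance plus payload development plus execution), rotation interval T, rotation jitter and per-rotation cost c are all assumed quantities chosen for the example.

```python
"""Toy model of the information-expiry argument behind moving target defence.

Assumptions (this example's, not the project's):
- An attack needs an uninterrupted window W (recon + payload development +
  execution) during which the "moveable" attributes it relies on stay fixed.
- The defender changes those attributes every T time units, optionally with
  random jitter, and each change carries an operational cost c.
"""
from __future__ import annotations

import bisect
import random


def success_probability(rotation_interval: float, attack_window: float) -> float:
    """Chance that one attempt, started at a uniformly random moment within a
    rotation epoch, finishes before the next change.

    With strictly periodic rotation every T and attack window W, the attempt
    survives only if it started within the first T - W of the epoch.
    """
    if rotation_interval <= 0:
        raise ValueError("rotation interval must be positive")
    if attack_window >= rotation_interval:
        return 0.0  # gathered knowledge always expires before it can be used
    return (rotation_interval - attack_window) / rotation_interval


def aligned_success_probability(rotation_interval: float, attack_window: float,
                                jitter: float) -> float:
    """Chance of success for an attacker who has learned the schedule and
    starts immediately after a rotation.

    Without jitter the attacker gets the full T, so W <= T always succeeds.
    With jitter the next rotation lands uniformly in [T(1-j), T(1+j)], so the
    attacker only succeeds when that interval turns out to be at least W.
    """
    if not 0 <= jitter < 1:
        raise ValueError("jitter must be a fraction in [0, 1)")
    if jitter == 0:
        return 1.0 if attack_window <= rotation_interval else 0.0
    lo = rotation_interval * (1 - jitter)
    hi = rotation_interval * (1 + jitter)
    return min(1.0, max(0.0, (hi - attack_window) / (hi - lo)))


def simulate(rotation_interval: float, attack_window: float, trials: int = 20000,
             jitter: float = 0.0, seed: int = 1) -> float:
    """Monte Carlo check of success_probability for an attacker who does not
    know the schedule: returns the fraction of random-start attempts whose
    window contained no rotation."""
    rng = random.Random(seed)
    horizon = rotation_interval * 1000
    # Build the rotation schedule (constructed, not a real system's) over the horizon.
    times: list[float] = []
    t = 0.0
    while t < horizon:
        t += rotation_interval * (1 + rng.uniform(-jitter, jitter))
        times.append(t)
    hits = 0
    for _ in range(trials):
        start = rng.uniform(0, horizon - attack_window - rotation_interval)
        end = start + attack_window
        nxt = bisect.bisect_right(times, start)  # first rotation after start
        if nxt >= len(times) or times[nxt] > end:
            hits += 1
    return hits / trials


def choose_interval(candidates: list[float], attack_window: float,
                    cost_per_rotation: float, cost_budget_per_unit_time: float):
    """Pick the candidate rotation interval with the lowest attack success
    probability whose steady-state cost (c / T) fits the operational budget.
    Ties (several intervals already drive success to zero) go to the longest
    interval, i.e. the least disruptive one. Returns None if nothing fits."""
    feasible = [T for T in candidates if cost_per_rotation / T <= cost_budget_per_unit_time]
    if not feasible:
        return None
    return min(feasible, key=lambda T: (success_probability(T, attack_window), -T))


if __name__ == "__main__":
    # Example figures (hours) chosen for illustration only.
    print("unaware attacker, T=10, W=4:", success_probability(10, 4))
    print("Monte Carlo, same settings:", simulate(10, 4))
    print("schedule-aware attacker, T=10, W=9, no jitter:",
          aligned_success_probability(10, 9, 0.0))
    print("schedule-aware attacker, 30% jitter:",
          aligned_success_probability(10, 9, 0.3))
    print("best interval under budget:",
          choose_interval([1, 2, 4, 6, 8, 12, 24], 5, 2.0, 0.5))
```

Two points fall out of the model. First, once the rotation interval drops below the attacker's window, single-attempt success goes to zero rather than merely shrinking, which is the "never ending loop" the abstract describes. Second, a strictly periodic schedule hands a schedule-aware attacker the full interval, so randomising the rotation time is what keeps the pressure on; the cost function then says how far the interval can be shortened before the operational budget is exhausted.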

Key Objectives

**************

1. What is the state of the art and what are the results of previous research into moving target defence generally and then also more specifically in the OT sector?

2. Identify which attributes are "moveable", i.e. which aspects of an OT system can be changed, and then which of those offer the best "return" in terms of interfering with attacks on the OT system whilst minimising operational impact on it.

3. Identify the mechanisms that could be implemented within OT systems to put this into practice.

4. Understand the other challenges to making this a reality, e.g. safety, reluctance, training, etc.

Expected Deliverables

*********************

We appreciate that with PhDs this is itself a moving target, but to give an idea of expectations:

1. An overview of how this could be achieved technically, based on the current state of the art.

2. A proof of concept showing how this could potentially work, practically, in a real OT system (note this is likely to be simplified; Thales will provide a 'real' system to test with).

3. Recommendations on how the potential blockers to such a threat mitigation might be overcome.


Studentship Projects

Project Reference   Relationship   Related To     Start        End          Student Name
EP/X524736/1        -              -              01/10/2022   30/09/2027   -
2746196             Studentship    EP/X524736/1   01/10/2022   30/09/2026   Roy Fishwick