CISSAN – Collective intelligence supported by security aware nodes

Ilgin Safak (CISSAN Project Coordinator, University of Jyväskylä), Dure Adan Ammara (Blekinge Institute of Technology), Karoly Makony (Savantic AB), Veikko Markkanen (University of Jyväskylä), Alexey Kirichenko (University of Jyväskylä), Tapio Frantti (University of Jyväskylä), Klaus Chmelina (Geodata ZT GmbH)
Motivation
Interconnected devices in critical infrastructures play a major role in our everyday life. However, “when everything is connected, everything must be protected.” (1) Given both the growing scale and the heterogeneity of Internet of Things (IoT) and Operational Technology (OT) systems and networks, protecting them with centralised security systems alone, for example against Distributed Denial of Service (DDoS) attacks (2) and against new malware techniques and toolkits targeting Industrial Control Systems (ICS) (3), has become impractical or at least very complicated. Countering the security threats against IoT and OT is the primary objective of CISSAN, a three-year CELTIC-NEXT project started in May 2023 with participants from Austria, Finland, Spain, and Sweden.

Cybersecurity solutions for IoT and OT environments are traditionally managed centrally: most security analytics and decision-making take place in so-called security backends, i.e. servers controlled by security providers. CISSAN instead employs multiple forms of local and collective intelligence gathering and collaboration among network nodes to enable more decentralised and distributed security and operational monitoring, event tracking, and attack detection in IoT and OT networks (see Fig. 1). CISSAN targets networks whose maturity ranges from the design stage to the operational stage, and aims to enable more reliable and earlier detection of malicious activities, graceful handling of lost connectivity to security backends, and savings on data transmission costs.
Figure 1: CISSAN as a transition enabler: from centralised to distributed paradigms
In this short article, we present several examples of CISSAN's activities in the first half of the project.
Synthetic network traffic data generation
Essentially every modern solution for security monitoring, cyberattack detection and response includes AI-based or other data-driven algorithms. Given the scarcity of real-world attack data (or of data with other desired non-trivial properties), tools for generating high-quality synthetic network traffic are pivotal for developing and testing IoT and OT cybersecurity solutions. In CISSAN, we focus on generative adversarial network (GAN)-based approaches, leveraging their ability to capture the intricate patterns of real network traffic. Our comparative analysis of AI and non-AI methods has shown that GANs achieve higher fidelity and utility than diffusion models and variational autoencoders (VAEs). The next step is to refine domain-specific GAN architectures tailored to Supervisory Control and Data Acquisition (SCADA) traffic, which involves analysing the characteristics of SCADA data, assessing data quality, and adapting the generative models to reflect real-world anomalies and attack patterns. Additionally, we are exploring hybrid approaches that integrate GANs with diffusion models and Large Language Models (LLMs) for better context awareness in synthetic data generation. This work is expected to improve and validate the anomaly detection algorithms developed in the project.
Collective intelligence proof-of-concept solution in CISSAN Lab
To support the research in local and collective intelligence, the partners established CISSAN Lab – an experimental environment specifically designed to mirror real-world energy distribution and control systems (see Fig. 2). Incorporating industry-standard IT and OT equipment – including Remote Terminal Units (RTUs), network switches, routers, and SCADA servers – and simulating or replaying relevant data traffic, the CISSAN Lab provides an ideal setting for developing, testing, and demonstrating innovative security solutions.
Unsurprisingly, the first CISSAN collective intelligence proof-of-concept (PoC) algorithm was built and demonstrated in the Lab. The lightweight, distributed, and cooperative PoC algorithm was designed and implemented for a 32-bit ARM microcontroller architecture, a typical platform for resource-constrained industrial devices. By monitoring RTU data structures for unauthorised changes, the algorithm triggers a coordinated response across multiple interconnected devices instead of relying on centralised security mechanisms. Importantly, the PoC demonstrated that modern industrial IoT and OT devices can support lightweight solutions that improve cybersecurity without causing operational disruptions or adding significant data transmission and computational overhead. Furthermore, the insights gained from this first PoC effort are helpful in the ongoing assessment of security-to-functionality trade-offs in other potential collaborative security algorithms. The CISSAN Lab is expected to play a key role in the project, serving as a bridge between theoretical research and real-world solutions and fostering collaboration among the partners.
Figure 2: CISSAN Lab setup
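The cooperative integrity-monitoring logic described above, as an added Python simulation (not the project's own PoC firmware, which targets a 32-bit ARM microcontroller): each RTU keeps keyed per-field digests of its protected configuration structure, an unauthorised in-memory change is caught on the next scan and broadcast to peers, and peers cross-check themselves at once and lock remote configuration writes once a quorum of them report tampering. The configuration fields, the in-memory bus, the per-node key and the quorum of two are assumptions for the example; a deployment would also authenticate the alert messages between peers.

```python
import hashlib
import hmac
import json

QUORUM = 2  # distinct peer alerts needed before a node that is itself clean locks remote writes (assumed)


def canonical(value):
    """Deterministic serialisation so that equal structures always give equal digests."""
    return json.dumps(value, sort_keys=True, separators=(",", ":")).encode()


class Bus:
    """In-memory stand-in for the peer network between RTUs (assumption for the example)."""

    def __init__(self):
        self.nodes = []

    def join(self, node):
        self.nodes.append(node)

    def broadcast(self, sender, msg):
        for node in self.nodes:
            if node is not sender:
                node.on_message(sender.name, msg)


class Rtu:
    def __init__(self, name, key, config, bus):
        self.name, self.key, self.config, self.bus = name, key, config, bus
        # Per-field keyed digests taken at commissioning; the key is assumed to live in
        # protected memory, so an attacker who can write the config cannot forge digests.
        self.baseline = self._digests()
        self.alerted = False      # already broadcast a local tamper alert
        self.locked = False       # remote configuration writes refused
        self.peer_alerts = set()  # names of peers that reported tampering
        self.log = []
        bus.join(self)

    def _digest(self, field_name, value):
        msg = field_name.encode() + b"\0" + canonical(value)
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def _digests(self):
        return {k: self._digest(k, v) for k, v in self.config.items()}

    def check(self):
        """Periodic integrity scan; returns the fields whose digest no longer matches the baseline."""
        current = self._digests()
        changed = sorted(k for k in set(self.baseline) | set(current)
                         if self.baseline.get(k) != current.get(k))
        if changed and not self.alerted:
            self.alerted = self.locked = True
            self.log.append(f"local tamper detected: {changed}")
            # A real deployment would authenticate this message between peers as well.
            self.bus.broadcast(self, {"type": "tamper", "fields": changed})
        return changed

    def on_message(self, sender, msg):
        """Coordinated response: cross-check own state at once, lock on a quorum of peer alerts."""
        if msg.get("type") != "tamper":
            return
        self.peer_alerts.add(sender)
        self.check()
        if len(self.peer_alerts) >= QUORUM and not self.locked:
            self.locked = True
            self.log.append(f"locked after peer alerts from {sorted(self.peer_alerts)}")

    def remote_write(self, field_name, value):
        """Authorised change path (e.g. from the SCADA master): refreshes the baseline digest too."""
        if self.locked:
            self.log.append(f"rejected remote write to {field_name}")
            return False
        self.config[field_name] = value
        self.baseline[field_name] = self._digest(field_name, value)
        return True


def run_scenario():
    """Three RTUs; an attacker patches two of them in memory, bypassing the authorised write path."""
    bus = Bus()

    def fresh_config():  # constructed protection settings, not a real RTU layout
        return {"overcurrent_trip_a": 250, "reclose_delay_ms": 500, "remote_ctrl_enabled": True}

    r1, r2, r3 = (Rtu(f"rtu-{i}", f"key-{i}".encode(), fresh_config(), bus) for i in (1, 2, 3))
    out = {"legit_write": r1.remote_write("reclose_delay_ms", 750), "r1_clean": r1.check() == []}
    r2.config["overcurrent_trip_a"] = 9999          # unauthorised in-memory change on rtu-2
    out["r2_changed"] = r2.check()                  # next periodic scan on rtu-2 catches it
    out["r1_locked_after_one_alert"] = r1.locked
    r3.config["remote_ctrl_enabled"] = False        # attacker moves on to rtu-3
    out["r3_changed"] = r3.check()
    out["r1_locked_after_two_alerts"] = r1.locked
    out["r1_rejects_write"] = not r1.remote_write("reclose_delay_ms", 100)
    out["logs"] = {r.name: r.log for r in (r1, r2, r3)}
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The distinction that matters is the two write paths: `remote_write` is the authorised one and refreshes the digest, while a direct write to `config` models an attacker patching memory, which is exactly what the scan catches. The quorum keeps a single compromised node from talking the whole group into refusing legitimate configuration changes.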
Use cases
The CISSAN efforts are guided by and evaluated in the three main project use cases: smart transportation, energy grid monitoring and control, and underground construction monitoring. In addition to the technical research and development efforts, the project agenda also includes the facilitation of security compliance and governance for the owners and operators of IoT and OT networks.
Smart transportation
The project partners aim to analyse Global Positioning System (GPS) coordinates of buses to understand the data, its properties, and the types of anomalies present. We collect bus coordinates from a Message Queuing Telemetry Transport (MQTT) broker and derive additional variables such as speed, acceleration, distance travelled, and proximity to bus stops to enhance anomaly detection. Initial findings indicate that Machine Learning (ML) algorithms are effective in identifying anomalies in large datasets. Future work involves determining which additional data sources could enhance our understanding of public transportation systems, how to better handle and clean large volumes of GPS data, which new variables or features could improve anomaly detection, and whether the ML findings can be made more interpretable and actionable.
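The feature derivation sketched above, as an added example (not the project's pipeline): the fixes are a constructed sample of one bus, standing in for what an MQTT subscriber would deliver, and the plausibility bounds and the stop radius are assumed values. Each fix gets step distance, speed, acceleration, cumulative distance and distance to the nearest stop, plus flags for physically impossible movement and broken timestamps; the flagged rows are the kind of anomaly an ML model would otherwise have to learn, and the clean feature rows are what it would be trained on.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MS = 40.0     # ~144 km/h, beyond what a city bus reaches (assumed bound)
MAX_ACCEL_MS2 = 5.0     # harder than any normal braking/acceleration of a bus (assumed bound)
STOP_RADIUS_M = 50.0    # "at a stop" if within this distance of a stop (assumed)

# Constructed sample: one bus, fixes every 10 s near Jyväskylä. The fifth fix jumps ~5 km
# (a spoofed or corrupted position) and the sixth repeats the previous timestamp.
SAMPLE_FIXES = [
    (1717000000, 62.2400, 25.7500),
    (1717000010, 62.2409, 25.7500),
    (1717000020, 62.2418, 25.7500),
    (1717000030, 62.2427, 25.7500),
    (1717000040, 62.2877, 25.7500),
    (1717000040, 62.2878, 25.7500),
]
SAMPLE_STOPS = [("stop-A", 62.2418, 25.7500), ("stop-B", 62.2600, 25.7600)]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(min(1.0, math.sqrt(a)))


def derive_features(fixes, stops):
    """Turn raw (unix_ts, lat, lon) fixes of one vehicle into feature rows with plausibility flags."""
    rows, prev, prev_speed, travelled = [], None, 0.0, 0.0
    for ts, lat, lon in fixes:
        row = {"ts": ts, "lat": lat, "lon": lon, "flags": []}
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            row["flags"].append("invalid_coordinate")
        nearest = min(haversine_m(lat, lon, s_lat, s_lon) for _, s_lat, s_lon in stops)
        row["dist_to_stop_m"] = round(nearest, 1)
        row["near_stop"] = nearest <= STOP_RADIUS_M
        step = speed = accel = 0.0
        if prev is not None:
            dt = ts - prev[0]
            step = haversine_m(prev[1], prev[2], lat, lon)
            if dt <= 0:
                # Out-of-order or duplicated timestamp: no kinematics can be derived from it.
                row["flags"].append("non_monotonic_timestamp")
                speed = prev_speed
            else:
                speed = step / dt
                accel = (speed - prev_speed) / dt
                if speed > MAX_SPEED_MS:
                    row["flags"].append("implausible_speed")
                if abs(accel) > MAX_ACCEL_MS2:
                    row["flags"].append("implausible_acceleration")
            travelled += step
        row.update(step_m=round(step, 1), speed_ms=round(speed, 2),
                   accel_ms2=round(accel, 2), distance_m=round(travelled, 1))
        prev, prev_speed = (ts, lat, lon), speed
        rows.append(row)
    return rows


def flagged_indices(rows):
    """Indices of fixes with at least one plausibility flag (candidates for review or for labelling)."""
    return [i for i, r in enumerate(rows) if r["flags"]]


if __name__ == "__main__":
    for r in derive_features(SAMPLE_FIXES, SAMPLE_STOPS):
        print(r)
```

The rule flags are deliberately physical (a bus cannot do 500 m/s) rather than statistical, so they hold on any route without training; statistical and ML detection then works on the remaining feature rows, where the interesting anomalies are subtler than a teleport.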
Anomaly detection in energy grid control devices
The project partners are exploring AI-based anomaly detection methods for both network traffic data (including Internet protocol headers) and operational data (such as physical sensor signals), with the anomaly detection models trained and run locally in smart energy grid substations. These methods are instrumental in detecting both cyberattacks and operational failures. To improve the reliability of detection, we are pursuing a hybrid approach that combines local analytics at the substations with subsequent centralised aggregation and analysis. This extends the benefits of local intelligence mentioned earlier with the network-wide view available in grid monitoring centres. Using synthetic anomalies injected into real (captured) energy grid data, we evaluated and demonstrated the effectiveness of CISSAN's lightweight AI models running in RTUs in identifying security and operational issues. Building a scalable framework for the centralised aggregation of the local models' output is part of the future project work, as is adding explainability features that give grid operators deeper insight into detected anomalies and network behaviour.
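An added example (not the project's models) of the evaluation loop described above: a constructed bus-voltage series stands in for captured RTU data, three kinds of synthetic anomaly are injected with labels, a detector cheap enough for an RTU (exponentially weighted mean and variance plus a frozen-value counter) is scored against the labels, and a central aggregation step then lines up the alerts of two substations by time bucket. The series, the anomaly types, the thresholds and the two substations are assumptions.

```python
import random


def make_baseline(n=240, nominal_kv=10.5, noise_kv=0.05, seed=7):
    """Constructed stand-in for a captured RTU bus-voltage series (kV): nominal value plus noise."""
    rng = random.Random(seed)
    return [nominal_kv + rng.gauss(0.0, noise_kv) for _ in range(n)]


def inject_anomalies(series, spike_at=60, shift=(120, 150), freeze=(190, 210)):
    """Copy the series with synthetic anomalies; labels[i] is '' or the injected anomaly type."""
    s, labels = list(series), [""] * len(series)
    if spike_at is not None:                        # one-sample glitch or injected false reading
        s[spike_at] += 1.5
        labels[spike_at] = "spike"
    if shift is not None:                           # sustained offset, e.g. a spoofed measurement
        for i in range(*shift):
            s[i] += 0.6
            labels[i] = "level_shift"
    if freeze is not None:                          # sensor stops updating, or a replayed value
        for i in range(*freeze):
            s[i] = s[freeze[0] - 1]
            labels[i] = "frozen"
    return s, labels


class EwmaDetector:
    """Per-signal detector cheap enough for an RTU: exponentially weighted mean and variance,
    constant memory and a handful of multiplications per sample, plus a frozen-value counter."""

    def __init__(self, alpha=0.05, k=5.0, warmup=30, freeze_limit=8):
        self.alpha, self.k, self.warmup, self.freeze_limit = alpha, k, warmup, freeze_limit
        self.mean, self.var, self.n, self.last, self.same = None, 0.0, 0, None, 0

    def update(self, x):
        """Feed one sample; return '' or the alert reason."""
        self.n += 1
        self.same = self.same + 1 if x == self.last else 0
        self.last = x
        if self.mean is None:
            self.mean = x
            return ""
        dev = x - self.mean
        sigma = self.var ** 0.5
        if self.same >= self.freeze_limit:
            return "frozen"
        if self.n > self.warmup and abs(dev) > self.k * sigma:
            return "deviation"
        # Adapt only on samples judged normal, so an anomaly does not pull the baseline towards itself.
        self.mean += self.alpha * dev
        self.var = (1 - self.alpha) * (self.var + self.alpha * dev * dev)
        return ""


def evaluate(series, labels, detector):
    """Run the detector over the series and score it against the injected labels."""
    alerts = [detector.update(x) for x in series]
    flagged = {i for i, a in enumerate(alerts) if a}
    truth = {i for i, l in enumerate(labels) if l}
    tp = len(flagged & truth)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / len(truth) if truth else 0.0
    return alerts, round(precision, 3), round(recall, 3)


def aggregate(alerts_by_site, bucket=10):
    """Central view over the local models' output: per time bucket, which substations alerted and why.
    A bucket raised by two or more sites points to a grid-wide event rather than one faulty sensor."""
    view = {}
    for site, alerts in alerts_by_site.items():
        for i, reason in enumerate(alerts):
            if reason:
                view.setdefault(i // bucket, {}).setdefault(site, set()).add(reason)
    return {b: {"sites": sorted(sites), "correlated": len(sites) >= 2,
                "reasons": sorted(set().union(*sites.values()))}
            for b, sites in sorted(view.items())}


def run_demo():
    """Substation A gets all three anomalies; substation B only the level shift, in the same window."""
    a, labels_a = inject_anomalies(make_baseline(seed=7))
    b, labels_b = inject_anomalies(make_baseline(seed=11), spike_at=None, freeze=None)
    alerts_a, p_a, r_a = evaluate(a, labels_a, EwmaDetector())
    alerts_b, p_b, r_b = evaluate(b, labels_b, EwmaDetector())
    return {"alerts_a": alerts_a, "precision_a": p_a, "recall_a": r_a,
            "precision_b": p_b, "recall_b": r_b,
            "grid_view": aggregate({"sub-A": alerts_a, "sub-B": alerts_b})}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The level shift shows why the central view is needed: the local detector flags every sample of it, but cannot tell a spoofed measurement at one site from a real grid-wide voltage change, whereas the aggregated view shows that both substations saw it in the same time buckets. The frozen-value counter catches an operational failure that no threshold on the value would, since the frozen reading is perfectly plausible on its own.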
Sensor data verification in mining and construction projects
In today's mining and construction projects, huge amounts of monitoring data are collected from sensors of diverse types, whose numbers range from a few to several tens of thousands, e.g., in complex urban metro projects. The monitoring data are acquired manually or automatically and then transferred via different gateways and networks to IoT platforms, where they are managed, analysed, and used to support operator decision-making and even to automatically control construction machinery. The integrity and high quality of the monitoring data are therefore of utmost importance for the efficient execution and safety of projects.
To verify that sensor data are unchanged, a data signing method is being developed in CISSAN. The method employs a specially designed security chip, which can be connected to sensors and/or embedded in gateways, to sign data at creation so that their integrity can be verified before use. Signing protects data against modification in transit and storage, but it says nothing about whether the sensor itself produced a trustworthy value. For that, a data quality assessment solution is being developed to compute “believability” scores for monitoring data by applying empirical rules (which involve relevant sensor statistics and similarity metrics). Depending on the score, the data are either rejected or accepted, and this information is communicated to the users before they access the data.
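The two mechanisms above, signing at creation with verification before use and a rule-based believability score, as an added Python example (not the CISSAN chip or its scoring rules). HMAC-SHA256 from the standard library stands in for the chip's signature so that the example runs offline; the key, the sequence counter, the settlement readings, the admissible range, the neighbour tolerance and the rule weights are assumptions. The demo shows a genuine reading accepted, a reading modified after signing rejected by the signature check, a replay rejected by the counter, and a correctly signed but implausible reading rejected by the score.

```python
import hashlib
import hmac
import json
from statistics import mean, pstdev

RANGE_MM = (-60.0, 10.0)    # admissible settlement for this sensor type (assumed)
NEIGHBOUR_TOL_MM = 3.0      # disagreement with neighbours that zeroes the similarity score (assumed)
ACCEPT_THRESHOLD = 0.6      # assumed acceptance threshold on the believability score


def canonical(record):
    """Deterministic encoding: signer and verifier must hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class SecurityChip:
    """Stand-in for the signing chip at the sensor or gateway. The key is assumed to be provisioned
    into the chip and never exported; HMAC-SHA256 is used only so the example runs with the standard
    library, whereas a real chip would more likely hold an asymmetric key."""

    def __init__(self, key):
        self._key, self.seq = key, 0

    def sign_reading(self, sensor_id, ts, value, unit):
        self.seq += 1   # monotonic counter bound into the signature: detects replay and reordering
        record = {"sensor_id": sensor_id, "seq": self.seq, "ts": ts, "value": value, "unit": unit}
        return record, hmac.new(self._key, canonical(record), hashlib.sha256).hexdigest()


class Verifier:
    """Integrity check on the IoT platform, before any use of the data."""

    def __init__(self, key):
        self._key, self.last_seq = key, {}

    def verify(self, record, tag):
        expected = hmac.new(self._key, canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad_signature"
        if record["seq"] <= self.last_seq.get(record["sensor_id"], 0):
            return "replayed_or_out_of_order"
        self.last_seq[record["sensor_id"]] = record["seq"]
        return "ok"


def believability(value, own_history, neighbour_values):
    """Empirical rules: admissible range, consistency with the sensor's own statistics,
    similarity to neighbouring sensors. Returns the weighted score and the per-rule parts."""
    lo, hi = RANGE_MM
    in_range = 1.0 if lo <= value <= hi else 0.0
    mu, sd = mean(own_history), pstdev(own_history)
    z = abs(value - mu) / sd if sd > 0 else (0.0 if value == mu else float("inf"))
    history = max(0.0, 1.0 - z / 6.0)                      # reaches zero at six sigma
    similarity = max(0.0, 1.0 - abs(value - mean(neighbour_values)) / NEIGHBOUR_TOL_MM)
    score = 0.4 * in_range + 0.3 * history + 0.3 * similarity
    return round(score, 3), {"in_range": in_range, "history": round(history, 3),
                             "similarity": round(similarity, 3)}


def ingest(verifier, record, tag, own_history, neighbour_values):
    """Platform decision: integrity first, then quality; the outcome is what users are shown."""
    integrity = verifier.verify(record, tag)
    if integrity != "ok":
        return {"status": "rejected", "reason": integrity, "score": None}
    score, rules = believability(record["value"], own_history, neighbour_values)
    accepted = score >= ACCEPT_THRESHOLD
    return {"status": "accepted" if accepted else "rejected",
            "reason": "" if accepted else "low_believability", "score": score, "rules": rules}


def run_demo():
    key = b"per-sensor-key-provisioned-at-install"   # assumption for the example
    chip, verifier = SecurityChip(key), Verifier(key)
    history = [-2.0, -2.1, -2.2, -2.1, -2.3]          # constructed recent readings of SM-12 (mm)
    neighbours = [-2.3, -2.0]                          # constructed current readings of SM-11, SM-13
    out = {}
    rec, tag = chip.sign_reading("SM-12", 1717000000, -2.4, "mm")
    out["genuine"] = ingest(verifier, rec, tag, history, neighbours)
    rec2, tag2 = chip.sign_reading("SM-12", 1717000600, -2.5, "mm")
    out["tampered"] = ingest(verifier, dict(rec2, value=-0.5), tag2, history, neighbours)  # edited in transit
    out["replayed"] = ingest(verifier, rec, tag, history, neighbours)                       # old record again
    rec3, tag3 = chip.sign_reading("SM-12", 1717001200, -40.0, "mm")
    out["implausible"] = ingest(verifier, rec3, tag3, history, neighbours)                 # signed but faulty
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The order of the two checks is deliberate: the signature is verified first because a believability score computed over tampered input is worthless, and the score is still needed afterwards because a faulty or mis-calibrated sensor signs its wrong readings just as well as its right ones.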
Conclusion
In the first half of the project, CISSAN produced a set of innovative algorithms and technologies for countering IoT and OT security and operational threats. The project aims to improve them and to develop new ones. These efforts will be complemented by integrating and validating the CISSAN results in the project use cases, the CISSAN Lab, and other relevant environments.
Acknowledgements: This work was supported by the Austrian Research Promotion Agency (FFG), Business Finland, the Centre for the Development of Industrial Technology (CDTI), and the Swedish Agency for Innovation Systems (Vinnova) within the EUREKA CELTIC-NEXT project CISSAN (www.celticnext.eu), coordinated by the University of Jyväskylä (Finland).
Further information
- CISSAN project webpage – https://www.jyu.fi/en/projects/cissan
- CISSAN on the CELTIC-NEXT web – https://www.celticnext.eu/project-cissan/
(1) Hypponen’s Law: If it’s smart, it’s vulnerable. Available at: https://blog.f-secure.com/hypponens-law-smart-vulnerable/
(2) ENISA Threat Landscape 2024. Available at: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024
(3) What’s the Scoop on FrostyGoop: The Latest ICS Malware and ICS Controls Considerations. Available at: https://www.sans.org/blog/whats-the-scoop-on-frostygoop-the-latest-ics-malware-and-ics-controls-considerations/; Operational Technology Cybersecurity Threat Landscape And Key Shifts. Available at: https://www.csa.gov.sg/resources/publications/operational-technology-cybersecurity-threat-landscape-and-key-shifts