A collaborative cyber incident management system for European interconnected critical infrastructures

TLDR: This paper proposes a system architecture for a National SOC, defining the functional components and interfaces it comprises, and describes the functionalities provided by the different system components to support SOC operators in performing incident management tasks.

Abstract: Today's Industrial Control Systems (ICSs) operating in critical infrastructures (CIs) are becoming increasingly complex; moreover, they are extensively interconnected with corporate information systems for cost-efficient monitoring, management and maintenance. This exposes ICSs to modern advanced cyber threats. Existing security solutions try to prevent, detect, and react to cyber threats by employing security measures that typically do not cross the organization's boundaries. However, novel targeted multi-stage attacks such as Advanced Persistent Threats (APTs) take advantage of the interdependency between organizations. By exploiting vulnerabilities of various systems, APT campaigns intrude several organizations using them as stepping stones to reach the target infrastructure. A coordinated effort to timely reveal such attacks, and promptly deploy mitigation measures is therefore required. Organizations need to cooperatively exchange security-relevant information to obtain a broader knowledge on the current cyber threat landscape and subsequently obtain new insight into their infrastructures and timely react if necessary. Cyber security operation centers (SOCs), as proposed by the European NIS directive, are being established worldwide to achieve this goal. CI providers are asked to report to the responsible SOCs about security issues revealed in their networks. National SOCs correlate all the gathered data, analyze it and eventually provide support and mitigation strategies to the affiliated organizations. Although many of these tasks can be automated, human involvement is still necessary to enable SOCs to adequately take decisions on occurring incidents and quickly implement counteractions. In this paper we present a collaborative approach to cyber incident information management for gaining situational awareness on interconnected European CIs. We provide a scenario and an illustrative use-case for our approach; we propose a system architecture for a National SOC, defining the functional components and interfaces it comprises. We further describe the functionalities provided by the different system components to support SOC operators in performing incident management tasks.