INL's Intelligent Cyber Sensor defends against system failure, cybersecurity attacks
By Michelle Blacker and Drew Thomas for INL Communications & Governmental Affairs
The human body's white blood cells act as sentries, continuously on the lookout for signs of disease. They warn the body of outside threats and learn to adapt to these threats.
INL researcher Todd Vollmer is working with university and industry partners to integrate the Intelligent Cyber Sensor into a control system.
Similar to the human body, an industrial system has several components that are in constant need of observation. When one component is affected, the system as a whole could be compromised. The Intelligent Cyber Sensor, developed by Idaho National Laboratory researchers, acts like the white blood cells of an industrial control situational awareness system — alerting and protecting the system from potential harm.
INL's Instrumentation, Control and Intelligent Systems (ICIS) research is centered on developing components, programs, systems and individual applications that require monitoring, control and human interaction. The research covers five technological areas, including sensors. The objective of sensor research is to develop specialized sensors and sensing systems that are designed to monitor critical infrastructure and withstand demanding environments.
What makes it different?
The unique concept behind the Intelligent Cyber Sensor is that it learns by observation and adapts as it experiences new situations. Current technology uses predetermined rules to make a decision, basically an 'if x, then y' scenario. It cannot learn, adapt to circumstances, or change when necessary.
The Intelligent Cyber Sensor stands alone in its field because it can be given predetermined rules and, at the same time, autonomously create new rules as it observes outside threats, much like a white blood cell develops antibodies to combat new strains of bacteria. This continual "learning" through observation sets the technology apart from current monitoring technologies. In essence, the sensor applies machine learning to the network behavior of industrial control systems. This means that a device can monitor network traffic and identify activities that should not be present, including threats that were not anticipated when the technology was initially deployed.
Three years ago, Todd Vollmer, a counterintelligence cyber specialist working with INL's ICIS group, started development of the Intelligent Cyber Sensor as a Laboratory Directed Research and Development (LDRD) project. Vollmer, who is working on a doctorate in computer science, provides necessary expertise in both computer systems and computational intelligence.
The LDRD project allowed INL researchers to initially focus on creating and refining anomaly behavior detection schemes. Now, after a successful conclusion to the research project, funding from the U.S. Department of Energy's Office of Electricity Delivery and Energy Reliability will allow INL researchers to test expanded functionality of the technology.
"This research reexamines work done a decade ago but focuses on control system implementation as opposed to traditional information technology areas," said Vollmer. "It brings a strong analytical tool into the arsenal available to INL researchers. Computational techniques are applicable to a broad array of problems faced by laboratory research projects."
How it all works
Simply put, the technology is unique because it acts like a security camera — watching traffic go by without being intrusive. The system has three main functions.
The Intelligent Cyber Sensor, which is about the size of a desk telephone, filters what goes in and out of a controlled system.
First, it acts as an identifier: it recognizes network traffic as it enters the controlled system and distinguishes between component failure and cybersecurity incidents. It monitors the overall health of a system as a first responder to an incident that could take place.
Second, it alerts system operators and potentially prohibits abnormal network traffic. As it observes activity, it can locate an intrusion and then, in turn, notify an operator so a decision can be made.
Third, it acts as a "honey pot." A term commonly used by cybersecurity experts, honey pot describes equipment that acts as a decoy to those on the outside. For example, an intruder may see the alert system as a harmless telephone instead of the Intelligent Cyber Sensor. The operator, however, knows that it’s the sensor that adds an element of defense. An intruder may be fooled into attempting to interact directly with the sensor and thereby provide valuable information.
The current technology development integrates the Intelligent Cyber Sensor into an overall control systems approach to protecting infrastructure. Strategic collaborations have been established among INL, the University of Idaho, the Center for Advanced Energy Studies and the University of Illinois. INL researchers are finding ways to reduce the number of false positives, or false alarms, in the Intelligent Cyber Sensor to create a more accurate alert system.
The technology has many possible applications, including support for smart grid applications. A Cooperative Research and Development Agreement is being negotiated that will allow INL to work with industry by evaluating, designing and integrating each party's technology into a common solution for use in a smart grid application.
Vollmer looks at these partnerships as a way to expand capabilities at INL.
"Partnerships with industry are vital to realizing a successful operational implementation of the cyber sensor," Vollmer said. "Strategic partnerships allow INL to use expertise and technologies from other organizations to see how the Intelligent Cyber Sensor can be deployed into a control system. Partners provide a different view on the problem and discussions generate new directions for functional implementation."