Standardizing the BAS/CS of Critical Infrastructure Cybersecurity Alerts
Researchers at the Johns Hopkins Applied Physics Laboratory (APL) seek wider adoption of a cybersecurity framework designed to standardize alerts across industrial control systems (ICS) essential to the nation’s critical infrastructure, which includes the defense industrial base, nuclear reactors, communications and food and agriculture, among other sectors.
Control systems for essential services, including electricity, water and natural gas, remain high-priority hacking targets, according to an APL article. Defending these systems is complicated by the sheer variety of technologies, protocols and cybersecurity solutions in use, which makes it difficult to share information and identify threats. Control systems use dozens of different formats for an array of sensor data, and the sensors come from dozens of vendors, each with its own detection systems and analytic tools. For example, two sensors can look at the same raw network data but interpret it in different ways, the researchers explain in the article, and different sensors can tag the same attack with different names and descriptions.
To resolve the challenge, APL researchers developed BAS/CS (Behavioral Alerting Sets for Control Systems), which is designed to address the variability problem on multiple levels, the APL article explains. First, every event flagged by a sensor, such as an attempt to remotely log into a system or a new protocol seen on the network, is tagged with a common identification number that works across different sensors and vendor offerings.
The system then evaluates these tagged sensor events using correlation rules for generating alerts. Correlations that meet certain conditions within a defined period of time trigger an alert for control system operators. A remote login attempt followed by the suspicious use of a system process, for example, would raise an alert. Like the sensor event identifications, the correlation detection rules and the language of the alerts are standardized across systems.
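A toy version of the two-level pipeline described above, added here as an illustration and not APL's BAS/CS code: raw records from two vendors are tagged with a common event ID, then a correlation rule fires when a remote login attempt is followed by suspicious process use on the same host within a time window. The event IDs, vendor names, rule format and sample records are all assumed or constructed.

```python
from dataclasses import dataclass

# Hypothetical common event identifiers (the real BAS/CS IDs are not on the page).
EV_REMOTE_LOGIN = "EV-0001"
EV_SUSPICIOUS_PROCESS = "EV-0002"
EV_NEW_PROTOCOL = "EV-0003"

# Per-vendor mapping from each sensor's own event name to the common ID.
VENDOR_TAGS = {
    "vendorA": {"RemoteAuthAttempt": EV_REMOTE_LOGIN, "ProcAnomaly": EV_SUSPICIOUS_PROCESS},
    "vendorB": {"ssh_login_try": EV_REMOTE_LOGIN, "unexpected_process": EV_SUSPICIOUS_PROCESS,
                "proto_first_seen": EV_NEW_PROTOCOL},
}

@dataclass(frozen=True)
class Event:
    ts: float       # seconds since epoch
    host: str
    event_id: str   # common ID after normalization

def normalize(raw):
    """Tag a raw sensor record with the vendor-independent ID; unknown names are dropped."""
    tag = VENDOR_TAGS.get(raw["vendor"], {}).get(raw["name"])
    return Event(raw["ts"], raw["host"], tag) if tag else None

# A correlation rule: an ordered sequence of common IDs on one host within `window` seconds.
RULES = [{"alert": "ALERT-0001 remote login followed by suspicious process",
          "sequence": [EV_REMOTE_LOGIN, EV_SUSPICIOUS_PROCESS], "window": 300}]

def correlate(events, rules=RULES):
    """Return (alert name, host, first ts, last ts) for each in-order, in-window match."""
    alerts, by_host = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    for rule in rules:
        seq, window = rule["sequence"], rule["window"]
        for host, evs in by_host.items():
            for i, start in enumerate(evs):
                if start.event_id != seq[0]:
                    continue
                step = 1
                for e in evs[i + 1:]:
                    if e.ts - start.ts > window:     # window measured from the first event
                        break
                    if e.event_id == seq[step]:
                        step += 1
                        if step == len(seq):
                            alerts.append((rule["alert"], host, start.ts, e.ts))
                            break
    return alerts

# Constructed sample records: two vendors describe the same behaviour under different names.
RAW = [
    {"vendor": "vendorA", "name": "RemoteAuthAttempt", "host": "plc-7", "ts": 1000.0},
    {"vendor": "vendorB", "name": "unexpected_process", "host": "plc-7", "ts": 1120.0},
    {"vendor": "vendorB", "name": "proto_first_seen", "host": "plc-7", "ts": 1200.0},
    {"vendor": "vendorB", "name": "ssh_login_try", "host": "hmi-2", "ts": 2000.0},
    {"vendor": "vendorA", "name": "ProcAnomaly", "host": "hmi-2", "ts": 2900.0},  # too late
]

def run(raw=RAW):
    return correlate([e for e in map(normalize, raw) if e])
```

Because the rule only sees common IDs, the alert for plc-7 fires even though the login came from vendorA's sensor and the process event from vendorB's; hmi-2 stays quiet because its second event falls outside the 300-second window.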
“One of the big benefits is having a common language that everyone can talk about—from the operators and control system environments to the more traditional cyber defenders—and being able to understand what’s actually happening in these systems,” Alex Beall, an APL control system cybersecurity researcher, told SIGNAL Media during a recent Zoom interview.
During the same Zoom interview, Harley Parkes, an APL cyber defense expert who led the creation and development of BAS/CS, touted its vendor-agnostic nature. “If you’re able to standardize the way you do alerting and tagging of data, then you can replace sensors. You can replace some of the feeds that generate alerts so that you can actually go with best-of-breed technologies and continue to operate and alert on the threat over time.”
Beall added that the vendor agnosticism includes both data and rules. “We viewed BAS/CS as the way—at the alert level—to try to make it so that not only are we vendor agnostic from these sensors that are providing data, but we’re also vendor agnostic for what’s running these rules. There’s no special bit of code or technology that is required to be able to use the BAS/CS rules.”
BAS/CS is the solution to a challenge identified during development of MOSAICS—More Situational Awareness for Industrial Control Systems—the first-ever comprehensive, integrated and automated solution for ICS security. APL is developing MOSAICS in partnership with Sandia National Laboratories, Pacific Northwest National Laboratory and Idaho National Laboratory. The MOSAICS team has worked extensively with the U.S. Navy, Air Force and others.
MOSAICS was initially envisioned as a cyber attack detection system. The APL leveraged its expertise in systems engineering and ongoing work in integrated adaptive cyber defense to develop MOSAICS into a true operational defense capability. The result allows operators to detect and characterize cyber attacks on their systems in real time, and will eventually support automated and even autonomous response and recovery protocols.
MOSAICS is spreading within the Department of Defense, or DOD. The Navy Information Warfare Center (NIWC) Atlantic, an early MOSAICS partner, for example, revealed last March that MOSAICS could be included in the department’s building codes. The implementation of MOSAICS into the department’s Unified Facilities Criteria 1-200-01, DOD Building Code (General Building Requirements), would provide detailed systems-engineering requirements that safeguard ICS by guiding engineers in the design and development of cyber technologies.
“It is exciting to see something that began here years ago as an idea for a science and research project poised to impact ICS standards not only in our Navy but also within DOD and possibly beyond,” Kevin Charlow, NIWC Atlantic’s acting executive director, said in the announcement. “Using a scientific and technological approach, our systems engineering professionals launched this MOSAICS framework that is now shaping and prompting wholesale change.”
In the same announcement, Richard Scalco, a senior cybersecurity engineer at NIWC Atlantic and the government’s lead for MOSAICS technical management, noted that it would be a major achievement for MOSAICS to find its way into building code specifications typically known only for mechanical and electrical requirements. “These specifications would be part of a comprehensive set of standards and regulations for the design, construction and maintenance of all military facilities, which could help DOD ensure safety, security, durability and functionality for critical ICS,” he said.
BAS/CS is now being included with MOSAICS in some cases, and the APL researchers are pushing for more widespread adoption. “We are working with a number of different sponsors to implement the MOSAICS framework, and that includes BAS/CS analytics and rules, proving that out in these operational environments,” Parkes reported. “We’re in that process of refining some of those rules today. That’s our next step, and then, based on those successes, promoting some of this framework, and the successes that we have had with it, and getting that out there more broadly.”
The two do not, however, have to be used together. “You could use BAS/CS without MOSAICS. BAS/CS is focused on the analytic approach, so that’s really the core around how we’re tagging and normalizing all of the different sensor data feeds no matter what tools you’re using,” Beall said.
Parkes added that some within the Defense Department are tackling MOSAICS and BAS/CS implementation on their own. Additionally, some outside the Defense Department, including some state and local agencies and international partners and allies, are showing interest, the researchers said.
In the United States, it is crucial that industry adopt better cybersecurity solutions, such as BAS/CS, because the private sector owns the vast majority of critical infrastructure systems. “We’d love to see vendors tagging the data themselves. If they provide the tag, then the rules will automatically work. We would love to be able to transition from APL doing all this work and get others out there doing it—and they are starting to adopt that.”