Moving Target Cyber Defence for Operational Technology

运营技术的移动目标网络防御

• 批准号: 2746196
• 金额: --
• 依托单位: CARDIFF UNIVERSITY
• 依托单位国家: 英国
• 项目类别: Studentship
• 财政年份: 2022
• 资助国家: 英国
• 起止时间: 2022 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=studentship-2746196
• 关键词: Moving; Target; Cyber; Defence; Operational

Those targeted Operation Technology (OT) attacks seen in the public domain to date (e.g. Stuxnet, Triton, CrashOverride, BlackEnergy in Ukraine) demonstrate that attackers require specific OT environment knowledge for their attacks to succeed. Where information is either inaccurate or the attacks mi-programmed (e.g. as with Triton) the attacks become fragile and often fail. Therefore a key question is could we increase the fragility of OT attacks and improve the resiliency of the OT system? As modelled in the ICS Cyber Kill Chain, an attacker spends a lot of their early effort and activities on gathering the necessary information to develop OT payloads and execute a successful attack. If this information changes then this information gathering process must repeat and the malware payloads updated. Therefore if the target system is changed at "regular" time intervals, then any information gathered by an attacker would have an expiration time on usefulness associated with it. If the target system changes frequently enough, this effectively could be a "never ending" loop of activity, or at the very least put pressure on the attacker to act very quickly. The net result of this approach could achieve at least two outcomes; render targeted attacks less effective, frustrate the attackers sufficiently to deter them from targeted that specific OT system. There is of course a balance to be struck, how much can an OT system be changed without impacting the business requirement of that system? Is there a point at which these changes are too frequent and the reliability / resilience of the system is negatively impacted? Therefore, this mitigation approach needs to be investigated to determine the viability, scalability and optimum approach to achieve the defensive benefits with the minimum amount of operational impact.Key Objectives ************** 1. What is the state of the art and what are the results of previous research into moving target defence generally and then also more specifically in the OT sector? 2. Identify what criteria is "moveable" i.e. what are the aspects of an OT system that can be changed, and once known which offer the best "return" in terms of interfering with attacks in an OT system, whilst also minimizing operational impact on the OT system. 3. The mechanisms that could be implemented within OT systems that put this into practice. 4. Understand the other challenges to making this a reality e.g. safety, reluctance, training, etc.. Expected Deliverables ********************* Appreciate with PhDs this is a moving target but to give an idea of expectation; 1. An overview of how this could be achieved technically based on the current "state of art". 2. A proof of concept showing how this could potentially work, practically, in a real OT system (note this is likely to be simplified, Thales will provide a 'real' system to test with). 3. Recommendations on how the potential blockers to such a threat mitigation might be overcome.

迄今为止在公共领域看到的那些有针对性的操作技术(OT)攻击(例如，乌克兰的Stuxnet、Triton、CrashOverride、BlackEnergy)表明，攻击者需要特定的操作技术(OT)环境知识才能成功攻击。如果信息不准确或攻击编程错误(例如，与Triton一样)，攻击就会变得脆弱，往往会失败。因此，一个关键的问题是，我们能否增加OT攻击的脆弱性，并提高OT系统的弹性？根据ICS Cyber Kill Chain的模型，攻击者花费大量早期工作和活动来收集必要的信息，以开发OT有效负载并执行成功的攻击。如果此信息发生更改，则必须重复此信息收集过程，并更新恶意软件有效负载。因此，如果以“定期”时间间隔更改目标系统，则攻击者收集的任何信息都将具有与之关联的有用信息的过期时间。如果目标系统的变化足够频繁，这实际上可能是一个“永无止境”的活动循环，或者至少会给攻击者施加压力，迫使其迅速采取行动。这种方法的最终结果至少可以达到两个结果：降低目标攻击的有效性，充分挫败攻击者，阻止他们瞄准特定的OT系统。当然，需要取得平衡，在不影响系统业务需求的情况下，可以对OT系统进行多大程度的更改？是否存在这些更改过于频繁并对系统的可靠性/恢复能力产生负面影响的情况？因此，需要对这种缓解方法进行研究，以确定以最小的作战影响实现防御效益的可行性、可扩展性和最佳方法。关键目标1.移动目标防御总体上的最新水平以及先前研究的结果是什么？2.确定什么标准是可移动的，即，OT系统的哪些方面可以改变，一旦知道，就干扰OT系统中的攻击而言，哪些方面提供了最佳的“回报”，同时还将对加班系统的运营影响降至最低。3.可在实施这一点的OT系统内实施的机制。4.了解实现这一目标的其他挑战，例如安全、不情愿、培训等。预期交付量*2.概念证明，说明这可能在实际的OT系统中如何工作(请注意，这可能会被简化，泰利斯公司将提供一个用于测试的真正的系统)。3.就如何克服这种威胁缓解的潜在障碍提出建议。