The innovation of network forecasting is a new approach to securing industrial control networks that is based upon 1) discovering, monitoring, and modeling all devices on a network, 2) using these models to predict future device behavior, 3) evaluating past predictions with current observations of networked device behavior, and 4) investigating prediction-observation discrepancies to discover misbehaving devices. The intellectual merit of the innovation lies in its departure from traditional network security paradigms. Traditional approaches, such as signature-based anti-virus and intrusion prevention systems, detect misbehaviors by recognizing repeats of past behaviors; these approaches necessarily overlook one-of-a-kind or zero-day misbehaviors. In contrast, network forecasting incorporates an understanding of correct and expected network behavior so that aberrant behavior can be identified even if it has not been seen before. The approach will be built upon the foundation of Continuous Device Profiling (CDP), which concretely models and monitors the active roles that devices assume on the network. Network forecasting will predict near-future CDP characteristics of devices; when predictions fail to match reality on the network, network operators can respond without needing to fully understand the details of the threat that caused the disturbance.

The broader/commercial impact of this innovation is substantial because critical infrastructure represents both a significant investment and a substantive risk in modern society. While recent cyber attacks may have heightened public awareness of these threats, such infrastructure has been the object of sustained concern from government and private-sector groups for many years. However, as our need for increased security in critical infrastructure has grown, the effectiveness of network security methods has diminished; the pace of effective cyber attacks and network breaches is increasing, not decreasing, as time passes. If successful, network forecasting has the potential to transform the security and monitoring practices in nearly all domains of critical infrastructure, far beyond the power plant demonstration this proposed effort will undertake. The stakes are high: future cost savings, technological advances and economic prosperity all presume the existence of secure, networked critical infrastructure. Substantial advances in the security of such infrastructure, such as that promised by network forecasting, can help protect that future.

Project Report

The purpose of this NSF SBIR Phase I and IB project has been to develop and evaluate network forecasting. Network forecasting is a technique, based on Observable’s proprietary Continuous Device Profiling (CDP) technology, that aims to predict in advance how a networked device will behave on a computer network. Improved security is the goal: if a typically correct network forecast for a device (generated in the past) does not match the device’s observed behavior (as measured in the present), then the difference could be due to hacking, malfunction or, perhaps, some other benign change in role for the device. Observable’s hypothesis has been that devices in industrial control networks, like power plants, would have very deterministic behavior that could be accurately forecast. Overwhelmingly, our Phase I and IB results support this view.

The innovations and developments planned for the SBIR effort included the following: 1) establish Continuous Device Profiles for the customer’s industrial control environment; 2) implement a standalone, on-site analytics, modeling and reporting back-end; and 3) design and evaluate the feasibility of CDP network forecasting. Observable aimed to achieve metrics and quantitative goals such as "profiles of 90% of the systems on subnet A can be predicted 10 minutes in advance within 10% aggregate accuracy." All of these goals have been achieved.

Our research activities consisted of 3 major categories: 1) deployment and network discovery, 2) development of continuous device profiles, and 3) deployment and evaluation of network forecasting. During the Phase IB period, we continued in the directions outlined in our major categories and also explored how network forecasting might integrate with existing power plant cyber security processes. We feel that the results achieved in this Phase I and IB project represent very strong validation of the core concepts of network forecasting in industrial control networks. We summarize our conclusions as follows.
Network forecasting works. We developed and deployed our network forecasting approach in an operating power plant, and the results show that network forecasting can accurately predict the network behavior of devices down to 5-minute granularities. Based on our Phase I results, our utility partner sees value in this technology and wants to keep the technology deployed in the current plant and deploy it in others as well. We have had early, positive discussions with a major VAR and system integrator interested in helping to market our nascent service to customers in the utility and energy sectors.
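As an added illustration of the four-step approach described at the top of this page (profile devices, predict the next window, compare prediction with observation, investigate discrepancies) and of the "within 10% aggregate accuracy" metric quoted in the report, the following Python sketch is not Observable's code and does not implement CDP. It assumes a device profile is simply a count of flows per (peer, port) in one 5-minute window, forecasts the next window as a moving average of the last three windows, and scores the forecast against the observed window with a normalised L1 error. The device names, peers, ports and flow counts are constructed sample data, and the threshold values (10% tolerance, 90% target) are taken from the report's stated goal.

```python
from collections import Counter
from typing import Dict, List, Tuple

# One device profile for a single 5-minute window: (peer, port) -> flow count.
# This is a deliberately simplified stand-in for a CDP profile (assumption).
Profile = Counter


def forecast(history: List[Profile], lookback: int = 3) -> Profile:
    """Predict the next window's profile as the per-feature mean of the
    last `lookback` windows (a simple moving average; assumed, not CDP)."""
    recent = history[-lookback:]
    keys = set().union(*recent)
    return Counter({k: sum(p[k] for p in recent) / len(recent) for k in keys})


def aggregate_error(predicted: Profile, observed: Profile) -> float:
    """L1 distance between the two profiles, normalised by the larger total
    flow count, so 0.0 is a perfect forecast and 0.10 means 'within 10%'."""
    keys = set(predicted) | set(observed)
    diff = sum(abs(predicted[k] - observed[k]) for k in keys)
    scale = max(sum(predicted.values()), sum(observed.values()), 1)
    return diff / scale


def discrepancy_detail(predicted: Profile, observed: Profile, top: int = 3) -> List[Tuple]:
    """Features contributing most to a miss, for the operator investigating it:
    (feature, predicted, observed), largest absolute deviation first."""
    keys = set(predicted) | set(observed)
    rows = [(k, predicted[k], observed[k]) for k in keys]
    rows.sort(key=lambda r: abs(r[1] - r[2]), reverse=True)
    return rows[:top]


def evaluate(history: Dict[str, List[Profile]], observed: Dict[str, Profile],
             tolerance: float = 0.10, target: float = 0.90):
    """Score every device's forecast against what was actually observed.
    Returns per-device error, the devices whose error exceeds `tolerance`
    (the candidates for investigation), and whether at least `target` of the
    devices were forecast within tolerance."""
    errors = {dev: aggregate_error(forecast(hist), observed[dev])
              for dev, hist in history.items()}
    flagged = sorted(dev for dev, err in errors.items() if err > tolerance)
    fraction_ok = 1 - len(flagged) / len(errors)
    return errors, flagged, fraction_ok >= target


# Constructed sample data (not real plant traffic). Windows 0-3 are history;
# OBSERVED is the current window. The historian suddenly talks to a new peer.
HISTORY: Dict[str, List[Profile]] = {
    "plc-1": [Counter({("hmi-1", 502): 10, ("historian", 502): 5}) for _ in range(4)],
    "hmi-1": [Counter({("plc-1", 502): n, ("historian", 1433): 2}) for n in (10, 12, 10, 8)],
    "historian": [Counter({("plc-1", 502): 5, ("hmi-1", 1433): 2}) for _ in range(4)],
}
OBSERVED: Dict[str, Profile] = {
    "plc-1": Counter({("hmi-1", 502): 10, ("historian", 502): 5}),
    "hmi-1": Counter({("plc-1", 502): 11, ("historian", 1433): 2}),
    "historian": Counter({("plc-1", 502): 5, ("hmi-1", 1433): 2, ("192.0.2.77", 8080): 6}),
}


def run_example():
    """Evaluate the constructed history against the constructed current window."""
    return evaluate(HISTORY, OBSERVED)


if __name__ == "__main__":
    errors, flagged, met = run_example()
    for dev, err in sorted(errors.items()):
        print(f"{dev:10s} aggregate error {err:.3f}")
    print("90% target met:", met)
    for dev in flagged:
        detail = discrepancy_detail(forecast(HISTORY[dev]), OBSERVED[dev])
        print(f"{dev} deviated on: {detail}")
```

On this data the PLC forecast is exact, the HMI is off by one flow (about 7.7%, inside tolerance), and the historian's new (peer, port) pair pushes its error to about 46%, so it is flagged and `discrepancy_detail` points the operator straight at the unexpected feature; with one of three devices outside tolerance the 90% goal is not met for this window.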

Project Start:
Project End:
Budget Start: 2013-01-01
Budget End: 2013-12-31
Support Year:
Fiscal Year: 2012
Total Cost: $180,000
Indirect Cost:
Name: Observable Networks, Inc
Department:
Type:
DUNS #:
City: Saint Louis
State: MO
Country: United States
Zip Code: 63105