EPSRC logo

Details of Grant 

EPSRC Reference: EP/N022866/1
Title: Analysing and Detecting Advanced Multi-stage Attacks against ICS (ADAMA)
Principal Investigator: McLaughlin, Dr K
Other Investigators:
Researcher Co-Investigators:
Project Partners:
Airbus Operations Limited
Department: Sch of Electronics, Elec Eng & Comp Sci
Organisation: Queen's University of Belfast
Scheme: First Grant - Revised 2009
Starts: 01 June 2016 Ends: 30 September 2018 Value (£): 99,552
EPSRC Research Topic Classifications:
Fundamentals of Computing Information & Knowledge Mgmt
Modelling & simul. of IT sys.
EPSRC Industrial Sector Classifications:
Aerospace, Defence and Marine Transport Systems and Vehicles
Related Grants:
Panel History:
Panel DatePanel NameOutcome
02 Dec 2015 EPSRC ICT Prioritisation Panel - Dec 2015 Announced
Summary on Grant Application Form
Industrial Control Systems (ICS) are used in sectors such as energy, manufacturing, transport, etc., and consequently play a fundamental role in the operation of many critical national infrastructures. In the last few decades ICS have evolved to incorporate new capabilities and connectivity, provided by integrating modern information and communications technology (ICT). However, a significant problem that has emerged due to this new set of technologies and high degree of interconnectivity is that ICS have become exposed to the myriad security problems that beset traditional ICT systems.

Of great concern is the trend towards advanced multi-stage attacks against ICS, which continue to emerge. These can involve remote exploitation and lateral movements (pivots) across multiple systems. Recent attacks suggest that traditional crimeware type malware is being adapted explicitly for ICS; e.g. BlackEnergy and Havex exhibit malware modules that appear to have been developed to target ICS features and vulnerabilities. New threats against ICS supporting national infrastructures continue to emerge, and criminal and state entities are known to be targeting such systems. Consequently it is of great importance that we analyse and understand how advanced attacks against ICS behave and can be better detected.

Common initial attack vectors include highly targeted spear-phishing against executives or engineers with valuable credentials, or opportunistic watering hole attacks against websites of specific interest to ICS personnel. Following the initial infiltration of an ICS network, the malware will likely try to execute actions including escalating its privileges on the host system, attempting to connect to a command and control server, downloading further payload packages, enumerating the network, pivoting and propagate further, exfiltrating data, and so on. A highly targeted, or "weaponised", payload is likely to enumerate ICS devices on the network or attempt to sniff and identify particular ICS related network traffic.

Detecting advanced multi-stage attacks is difficult in IT systems, but approaches towards detection and response for ICS are comparatively less mature. Moreover, attacks discovered in the wild continue to evolve in sophistication. Stopping such attacks demands continual monitoring of the infrastructure and it is difficult to provide operators with targeted security status information in the face of advanced multi-stage ICS threats.

This research aims to develop and test an approach that enhances real-time cyber-security monitoring capabilities for networked ICS environments. The objective is to present information to an operator that is more closely correlated to advanced multi-stage threats, rather than individual alerts, thereby improving the ability of the operator to gauge the current security status of the system.

A threat measurement based approach will be used to investigate how the real-time cyber-security status of an ICS network environment can be measured in terms of an observable threat presence. It is hypothesised that such a status can be appraised by using suitable metrics, which may be derived by analysing, decomposing and modelling known advanced multistage threats. The analysis will target the development of threat models based on a combination of reported ICS attacks and an investigation of future potential advanced threats based on emerging trends in crimeware. A proposed solution will be implemented and tested in a test-bed environment based on a realistic factory automation environment.

Key Findings
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Potential use in non-academic contexts
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Description This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Date Materialised
Sectors submitted by the Researcher
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Project URL:  
Further Information:  
Organisation Website: http://www.qub.ac.uk