Talking about Industrial Network Shooting Ranges (3) | Classification of Industrial Network Shooting Ranges

Against the background of digital transformation, the wave of new IT/CT/OT technologies has accelerated, the complexity of system connectivity has surged, complex risk factors have multiplied, the cost of mounting a network attack has fallen, and the network security situation has become unprecedentedly complex. Industrial networks have become the main battlefield of offensive and defensive confrontation in cyberspace. The consequences of a cyber attack on critical information infrastructure can be catastrophic and unprecedented in the physical world. There is an urgent need for a cost-effective and replicable approach to raise the security awareness of cyber defense teams, build the expertise and skills of OT cyber defense teams, and test the feasibility and effectiveness of cyber defense technologies, products and solutions. A test bed or industrial cyber range is the strategic choice for this mission: a cost-effective, configurable and scalable cyber range platform that simulates industrial control systems. In a ubiquitous, digital and intelligent industrial network environment, Antiy Technology continues to explore the essential characteristics of industrial network security, which is cross-domain, complex, integrated, dynamic and collaborative, and strives to create an industrial network shooting range platform that combines the virtual and the real, in order to meet the full range of needs of stakeholders (operators, regulators, defenders) building industrial network security capabilities for scientific research, teaching, training, drills, confrontations, competitions, tests, evaluations and demonstrations. Combining its practical exploration and forward-looking technology tracking research of recent years, the Antiy Technology Industrial Network Security Research Institute has launched the “Industrial Network Shooting Range Talk” series.
Ecological and industrial high-quality development.

With the establishment of cyberspace security as a national strategic priority, demand for the construction of cyber ranges has emerged at the national, regional and industry levels. As an important branch of the cyber range, the research and construction of the industrial cyber range is also on the rise. With the rapid development of the related technologies, industrial network shooting ranges are playing an increasingly important role in more and more fields: industrial network security personnel education and training, system and equipment testing and inspection, evaluation and verification of new security technologies, defense system planning and deduction, and system performance analysis and evaluation.

In the first two issues of the talk series, Antiy Technology gave the definition of the industrial network shooting range and introduced the main uses of the industrial network shooting range. In this article, we will introduce several main dimensions of industrial network shooting range classification, summarize all classification dimensions, and finally propose our own classification method.

one

Classification of Industrial Network Shooting Ranges

1. Classification by technical implementation

The simulation technologies currently used in network ranges are physical simulation, virtual machine simulation, container simulation and modeling simulation. Physical simulation connects physical equipment directly to the industrial network shooting range. Virtual machine simulation deploys a hypervisor on the hardware platform as the platform for managing and running virtual machines, and deploys operating systems, industrial control configuration software or controller simulation tools on those virtual machines; typical hypervisors are VMware and KVM, and process simulation can also be based on MATLAB. Docker can be used as a lightweight container to encapsulate industrial control-related applications. Modeling simulation reproduces the industrial production process by modeling it abstractly[1].

Industrial cyber ranges can also be classified by their degree of simulation. On this basis they are usually divided into three categories: the virtual industrial network shooting range, the physical industrial network shooting range, and the virtual-real combined industrial network shooting range.

(1) The virtual industrial network shooting range uses virtual machines, Docker or modeling and simulation to build industrial control scenarios. Koganti et al.[2] constructed an industrial network shooting range for a power grid distribution circuit breaker system in which the SCADA system, the PLC and the physical system are all implemented virtually.

(2) The physical industrial network shooting range directly uses physical equipment, which can replicate the industrial control scene one-to-one, with high fidelity, but it is expensive and difficult to expand and popularize. Typical physical shooting ranges, such as the Idaho National Laboratory in the United States, have built a real SCADA test range around electric power and water conservancy to support the attack test of real-world SCADA systems and other control systems.

(3) The virtual-real combined shooting range builds the industrial control scene from physical equipment and virtual equipment together, taking the advantages of the former two. In the EPIC Range[3], the network part is built on Emulab and connected to physical PLCs, while the physical process is simulated by Simulink and its parallel scheme.

Chouliaras et al.[4] conducted a comprehensive survey of the manufacturers of network shooting ranges and test beds (TBs); the results are shown in Figure 1. The survey found that shooting ranges implemented by physical simulation are the fewest, those implemented by virtual simulation are the most numerous, and hybrid implementations lie in between.


Figure 1 Survey of the technical implementation of network ranges and test beds

In the study by Denis Donadel, Federico Turrin et al.[7], which classified and sorted more than 50 major industrial network shooting ranges and test beds worldwide, 18 were physical industrial network shooting ranges, 21 were virtual industrial network shooting ranges, and 22 were hybrid.

2. Classification by task division

The industrial network shooting range generally includes multiple task teams operating in a specific network environment. Each team is assigned a category and a specific color according to the role it undertakes. There can be up to seven teams marked with different colors, namely red, blue, green, yellow, white, grey and purple.

The red team is mainly responsible for carrying out network attacks, such as using viruses, malware and other infection vectors to attack users’ computers; the blue team is mainly responsible for protecting the network and defending against attacks, and for managing the availability and security of the network infrastructure and applications; the green team is responsible for simulating legitimate users who connect their communication terminals to the network infrastructure managed by the red team through wired or wireless network connections; the yellow team is responsible for monitoring and reporting network security posture information; the white team is responsible for creating cybersecurity training demonstration scenarios and for monitoring and evaluating whether the red team successfully defended against the cyberattacks initiated by the blue team; the grey team is responsible for maintaining normal network traffic and service requests; and the purple team can be viewed as an integration of the blue and red teams, i.e. it simulates both cyber offensive and defensive actions and skills[5].

Chouliaras et al.[4] also surveyed the users participating in shooting ranges; the results are shown in Figure 2. As expected, the teams that users mainly participate in are the blue side and the red side.


Figure 2 Survey of team participation in network shooting ranges

3. Classification by scene purpose

Based on the scenarios and purposes of use, current industrial network shooting ranges can be roughly divided into five categories: military and national defense, scientific research and education, corporate business, government agencies, and other applications. Ukwandu et al.[6] investigated the purposes of network shooting ranges and summarized the results in the pie chart shown in Figure 3. Industrial network shooting ranges used for scientific research and education account for 31% of the total; those used for military and national defense and those used for business and corporates each account for 24%; ranges for government agencies account for 16%; and other applications, such as open source and service providers, together account for 5%.


Figure 3 Pie chart of the proportions of scenario purposes

4. Classification by supported protocol

Different industrial network ranges and test beds support different industrial protocols, so they can also be divided into categories according to the types of industrial protocol they support. Conti et al.[7] made a detailed summary in their paper of which industrial protocols the various types of industrial network ranges and test beds support. Here we present the percentage distribution of the various protocols across industrial network ranges and test beds in the form of a pie chart.


Figure 4 Pie chart of the proportion of industrial protocols

two

Classification method analysis

In addition to the above-mentioned classification dimensions, the industrial network shooting range can also be classified from the dimensions of industry scenarios (electric power, metallurgy, ports, intelligent manufacturing, etc.), management methods, and monitoring methods.

Antiy Technology has collected and sorted out all dimensions that can be used for classification of industrial network shooting ranges and test beds, and formed a mind map as shown in Figure 5, hoping to help everyone understand industrial network shooting ranges and test beds from different dimensions.


Figure 5 Mind map of all dimensions of industrial network shooting range

The monitoring method refers to how the industrial network shooting range monitors the user’s operations, input path selection and team composition. It needs to capture progress and evaluate performance in different scenarios, is responsible for the connection between remote users and the platform, and also needs to verify the operating status of the platform and of the various services and scenarios it provides.

Management means that the management layer provides a series of interfaces for various users to manage the collection, storage, and analysis of data describing scenarios and user interactions. Information is provided to users through a dashboard, along with the available scenarios and attack types for each scenario. This layer also manages users and their roles, and is responsible for generating reports.

The recovery component ensures that all policies and patches are up to date. This component is responsible for maintaining the operational state of the cyber range, performing regular backups, and limiting the leakage of cyber attacks from the cyber range. This capability is critical for digital forensics following range accidents and cyberattacks.

The attack type component contains descriptions of different attacks, including the security configuration of vulnerabilities in the scenario, building a vulnerability database, and high- and low-level descriptions of each vulnerability mapped to the OSI Model, etc.

The scenario component is subdivided into five sub-components: (1) the narrative: the scenario must have a goal and an outcome for every action, and dilemmas and conflicts can be added to enrich the learning environment; (2) the realm, which defines the context of the scene currently being simulated; (3) education, which helps the user learn the skills needed to complete the scenario through coaching, scoring, demonstration, analysis, and role-based review of actions with the user, or through specific case studies; (4) gamification, which embeds game mechanics to drive and maintain user engagement; and (5) the scene type, which can be a static scene with a single goal, or a scene that evolves dynamically with each action of the user.

As a type of industrial network range, test beds are preferentially used in OT environments. We also summarize testbed dimensions based on the previously discussed taxonomy of industrial cyber ranges. As shown in Figure 6, these dimensions also reflect the future development and technical direction of the testbed.


Figure 6 Mind map of all dimensions of the test bed

The education section is used to explore new security scenarios, and is most often used to develop and validate scenarios for optimal learning.

The modeling component provides control and guides the process in new cases, which are created and processed in a controlled environment that satisfies a set of constraints.

Build components provide comprehensive information about underlying technologies and vendors, and inform deployment characteristics.

The execution component provides different execution modes, such as real-time, configuration-based and remote execution, which give deep insight into their impact on the behavior of the modeled or tested system and allow that behavior to be evaluated under different execution scenarios.

Evaluation: Model evaluation within the test bed can be done manually or automatically. The former is performed by human intervention, while the latter requires the use of algorithms that take into account key variables of the system.

The post-incident component ensures the integrity of post-incident procedures as a basis for investigating new cases, as well as confirming the effectiveness of processes used to test attacks or failures of new cases. Standard investigations and forensic investigations are two types of post-mortem investigations, the former used to provide a detailed review that helps understand each stage of an incident from start to finish. Forensic investigations take a scientifically derived and validated approach capable of collecting, verifying, identifying, analyzing and interpreting evidence from digital sources.

The learner component contains the specific domain knowledge required for specific modules and performance measurement, and records each learner’s progress, with reports typically displayed in the learner dashboard.

three

Summary

As digital transformation accelerates, and in the process of advancing cybersecurity capabilities in the industrial sector, we increasingly feel how deep-rooted the divide between IT and OT is. IT stands for agility, scalability, and weak real-time, while OT prioritizes real-time, determinism, unbreakable functional safety/availability. The fusion of IT and OT integration is the general trend, but the bridging and alignment of the differences in personnel, technology, process, and culture between the two is still a slow process. The emergence of the industrial network shooting range is a powerful tool to show these gaps and cognitions and promote the integration of the two.

The research and practice of Antiy Technology shows that the industrial network shooting range should give full play to its role and effectiveness. The six aspects of technology realization, task team, scene purpose, industrial protocol, monitoring method, and management method are the most important dimensions of the industrial network shooting range. As shown in Figure 6, we can give different classifications of industrial network shooting ranges from these six dimensions, which also support the construction and application of industrial network shooting ranges.


Figure 7 Six important dimensions of the industrial network shooting range

As the basic platform for the research of industrial network security, the industrial network range has important research value and application value. As a relatively new and still developing technology, industrial cyber range can be divided into different categories from different dimensions, and according to these categories current research trends on the topic can be developed. This paper focuses on the classification and construction methods of industrial network shooting range, introduces several main dimensions of industrial network shooting range classification in detail, summarizes all classification dimensions, and finally proposes its own 6-dimensional classification method.
