Ontology-based detection of cyber-attacks to SCADA-systems in critical infrastructures
The interconnection of networks within organizations has made many critical infrastructures (CI), and the communication networks underlying them, reachable from the Internet, whereas in the past they were largely isolated. CI depend heavily on the security of their supervisory control and data acquisition (SCADA) systems, and as attackers adopt increasingly sophisticated techniques, the threat keeps growing. It is therefore important to detect attacks quickly and respond to them efficiently, which increases the reliability, security and resilience of the system. We propose an ontology to model security events, attacks and vulnerabilities. System logs provide the events, which intrusion detection systems (IDS) may flag as suspicious and as possible parts of an attack; combined with databases of known vulnerabilities and a model of the system, these events allow ongoing attacks to be identified. The ontology framework, together with a reasoning component, forms the common ground for compliance monitoring and for the correlation of security events, and serves as the basis for specifying and implementing security data normalization. Security policies (or goals) can then be refined into configurations implementable on critical infrastructure network devices.
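As an added illustration (not the paper's ontology or code), the following Python sketch shows the pipeline the abstract describes: alert lines from two differently formatted sources are normalized into a common event vocabulary, merged with a system model and a vulnerability list as (subject, predicate, object) triples, and a small forward-chaining reasoner infers which events match a known vulnerability of the asset they target. Everything in it is hypothetical: the `sc:` vocabulary, the assets, the vulnerability identifier `VULN-A`, the signature names, the log formats and the sample lines are all constructed for the example.

```python
"""Toy ontology-style correlation of IDS events with a system model and a
vulnerability list. Added example, not the paper's ontology or code; every
class/property name (sc:*), asset, vulnerability and log line is constructed."""
import json
import re

# System model as triples: assets, addresses, services, software versions.
SYSTEM_MODEL = {
    ("plc-01", "rdf:type", "sc:PLC"),
    ("plc-01", "sc:hasAddress", "10.0.5.21"),
    ("plc-01", "sc:runsService", "modbus-01"),
    ("modbus-01", "sc:hasSoftware", "plc-fw-2.1"),
    ("hmi-01", "rdf:type", "sc:HMI"),
    ("hmi-01", "sc:hasAddress", "10.0.5.30"),
    ("hmi-01", "sc:runsService", "http-01"),
    ("http-01", "sc:hasSoftware", "webui-4.0"),
}
# Known vulnerabilities (hypothetical ID) linked to the IDS signature that exploits them.
VULNERABILITY_DB = {
    ("VULN-A", "rdf:type", "sc:Vulnerability"),
    ("VULN-A", "sc:affects", "plc-fw-2.1"),
    ("VULN-A", "sc:exploitedBySignature", "MODBUS_WRITE_MULTIPLE_COILS_FLOOD"),
}
# Constructed raw alerts: one Snort-like fast-format line, two JSON records.
IDS_ALERTS = [
    "01/14-10:22:31.512345 [**] [1:1000001:1] MODBUS_WRITE_MULTIPLE_COILS_FLOOD "
    "[**] {TCP} 10.0.9.7:41002 -> 10.0.5.21:502",
]
JSON_ALERTS = [
    '{"alert_name": "HTTP_DIR_TRAVERSAL", "src_ip": "10.0.9.7", "dest_ip": "10.0.5.30", "dest_port": 80}',
    '{"alert_name": "HTTP_DIR_TRAVERSAL", "src_ip": "10.0.9.7", "dest_ip": "10.0.5.21", "dest_port": 502}',
]
IDS_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<sig>\S+) \[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def event_triples(event_id, sig, src, dst, dport):
    """Normalized event representation shared by all log sources."""
    return {(event_id, "rdf:type", "sc:Event"), (event_id, "sc:hasSignature", sig),
            (event_id, "sc:sourceAddress", src), (event_id, "sc:targetAddress", dst),
            (event_id, "sc:targetPort", str(dport))}

def normalize_ids_alert(line, event_id):
    m = IDS_RE.search(line)
    return event_triples(event_id, m["sig"], m["src"], m["dst"], m["dport"]) if m else set()

def normalize_json_alert(line, event_id):
    r = json.loads(line)
    return event_triples(event_id, r["alert_name"], r["src_ip"], r["dest_ip"], r["dest_port"])

def match(pattern, triple, bindings):
    """Unify one pattern (terms starting with '?' are variables) against a triple."""
    b = dict(bindings)
    for p, t in zip(pattern, triple):
        if p.startswith("?"):
            if b.setdefault(p, t) != t:
                return None
        elif p != t:
            return None
    return b

def query(store, patterns, bindings=None):
    """Yield every variable binding satisfying a conjunction of patterns."""
    bindings = bindings or {}
    if not patterns:
        yield bindings
        return
    for triple in store:
        b = match(patterns[0], triple, bindings)
        if b is not None:
            yield from query(store, patterns[1:], b)

RULES = [
    # An event whose target address belongs to a modelled asset targets that asset.
    ([("?e", "rdf:type", "sc:Event"), ("?e", "sc:targetAddress", "?ip"),
      ("?a", "sc:hasAddress", "?ip")],
     [("?e", "sc:targets", "?a")]),
    # The event's signature exploits a vulnerability of software the targeted asset runs.
    ([("?e", "sc:targets", "?a"), ("?a", "sc:runsService", "?s"),
      ("?s", "sc:hasSoftware", "?sw"), ("?v", "sc:affects", "?sw"),
      ("?v", "sc:exploitedBySignature", "?sig"), ("?e", "sc:hasSignature", "?sig")],
     [("?e", "rdf:type", "sc:ExploitAttempt"), ("?e", "sc:exploits", "?v")]),
]

def forward_chain(store, rules):
    """Apply rules until no new triple is derived (naive fixpoint)."""
    store = set(store)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            for b in list(query(store, body)):  # materialize before mutating the set
                for h in head:
                    t = tuple(b.get(x, x) for x in h)
                    if t not in store:
                        store.add(t)
                        changed = True
    return store

def build_store(system_model, vuln_db, ids_lines, json_lines):
    store = set(system_model) | set(vuln_db)
    sources = [(normalize_ids_alert, l) for l in ids_lines] + \
              [(normalize_json_alert, l) for l in json_lines]
    for i, (normalize, line) in enumerate(sources, start=1):
        store |= normalize(line, f"evt-{i}")
    return store

def detect_attacks(system_model, vuln_db, ids_lines, json_lines):
    """Return sorted (event, vulnerability, asset) for every inferred exploit attempt."""
    inferred = forward_chain(build_store(system_model, vuln_db, ids_lines, json_lines), RULES)
    hits = query(inferred, [("?e", "sc:exploits", "?v"), ("?e", "sc:targets", "?a")])
    return sorted((b["?e"], b["?v"], b["?a"]) for b in hits)

if __name__ == "__main__":
    for e, v, a in detect_attacks(SYSTEM_MODEL, VULNERABILITY_DB, IDS_ALERTS, JSON_ALERTS):
        print(f"{e}: signature matches {v} on {a}")
```

Only the first alert is reported: it targets `plc-01`, whose Modbus service runs the software `VULN-A` affects, and its signature is the one linked to that vulnerability. The second alert hits an asset with no listed vulnerability and the third hits `plc-01` with a signature unrelated to `VULN-A`, so both remain plain events. In a real deployment the triples would live in an RDF store and the rules would be expressed in the ontology language (for instance SWRL or SPARQL rules) rather than in a hand-written fixpoint loop, but the correlation logic is the same.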