
Design and implementation of a SOC for ICS

2018-2019/I.
Dr. Buttyán Levente

Industrial Control Systems (ICS) are cyber-physical systems in which embedded computers control and supervise physical processes such as the operation of a power plant or an assembly line. Such systems are increasingly exposed to cyber attacks, which may cause service outages or even physical damage to equipment. Ideally, we would like to prevent those attacks, but 100% prevention is usually not feasible in practice. The next best objective is to quickly detect and react to attacks that would have serious consequences if not contained. This requires continuous monitoring of the operation of the embedded controllers and of the networks that connect them, with the aim of identifying suspicious events and anomalies and triggering corrective actions. Today, such monitoring, detection, and alert processing is usually done within a Security Operations Center (SOC), which consists of monitoring infrastructure, a human workforce, and well-defined procedures for handling cyber security events.

The task of the student is to design and implement a prototype SOC for ICS. This includes reviewing the state of the art and summarizing the main publications in the field, developing a SOC concept for the special environment of ICS, producing a detailed design of an ICS SOC architecture, implementing the design, and testing the implementation. The SOC architecture must take into account the stringent reliability and availability requirements of ICS. The implementation can be based on the integration of existing components, such as network intrusion detection systems (IDS), log collection frameworks, and SIEM systems. These existing systems should be reviewed and tested, and their applicability in an ICS SOC environment examined; the implementation can then boil down to integrating the selected components. Both implementation and testing require a testbed that resembles a real ICS environment, and establishing such a testbed in the CrySyS Lab is also part of the student's task. Testing also requires attack implementations, which the student must develop based on concepts and suggestions from the project supervisor. The architecture design, the implementation, and the test process and results must be documented, and the overall experience of developing an ICS SOC must be summarized in the thesis.
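As an added illustration of the detection side of such a SOC (example code written for this page, not the CrySyS Lab's or the student's implementation): ICS network traffic is highly repetitive, so one workable anomaly model is an allowlist of (source, destination, unit, function code) tuples learned during a trusted window, with anything outside it raised as an alert and Modbus writes escalated. The detector below consumes records already exported by a collector (the field names src, dst, unit, func and every sample event are constructed assumptions), so it stays off the control network's availability path rather than sitting inline.

```python
"""Passive allowlist-baseline detector for ICS network events.

Added example for this page, not code from the CrySyS Lab project. It assumes a
log collector (e.g. a network IDS feeding a SIEM) already exports one record per
observed Modbus/TCP request as a dict with the fields src, dst, unit and func;
those field names and all sample events below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Modbus function codes that modify process state (standard Modbus numbering):
# 5 write single coil, 6 write single register, 15 write multiple coils,
# 16 write multiple registers, 23 read/write multiple registers.
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 23}


@dataclass
class Alert:
    severity: str   # "high" or "medium"
    reason: str
    event: dict


@dataclass
class BaselineDetector:
    """Learns which (src, dst, unit, func) tuples are normal, then flags the rest.

    The detector only consumes exported records: it never sits inline on the
    control network, which keeps it out of the availability path.
    """
    baseline: set = field(default_factory=set)
    known_hosts: set = field(default_factory=set)

    @staticmethod
    def _key(ev: dict) -> tuple:
        return (ev["src"], ev["dst"], ev["unit"], ev["func"])

    def learn(self, events) -> None:
        """Learning window: everything seen here is declared normal."""
        for ev in events:
            self.baseline.add(self._key(ev))
            self.known_hosts.update((ev["src"], ev["dst"]))

    def detect(self, events) -> list:
        """Detection window: return one Alert per record outside the baseline."""
        alerts = []
        for ev in events:
            if self._key(ev) in self.baseline:
                continue  # exact pattern seen during learning
            if ev["src"] not in self.known_hosts:
                alerts.append(Alert("high", "request from unknown host", ev))
            elif ev["func"] in MODBUS_WRITE_FUNCS:
                # A known host issuing a write it never issued before is the
                # pattern that precedes physical impact; escalate it.
                alerts.append(Alert("high", "write outside baseline", ev))
            else:
                alerts.append(Alert("medium", "new read pattern", ev))
        return alerts


def severity_counts(alerts) -> dict:
    """Summary a SOC dashboard would show: how many alerts per severity."""
    return dict(Counter(a.severity for a in alerts))


# Constructed sample data: an HMI and an engineering station talking to one PLC.
LEARNING_EVENTS = [
    {"src": "10.0.0.10", "dst": "10.0.0.20", "unit": 1, "func": 3},   # HMI polls holding registers
    {"src": "10.0.0.10", "dst": "10.0.0.20", "unit": 1, "func": 6},   # HMI sets a setpoint
    {"src": "10.0.0.11", "dst": "10.0.0.20", "unit": 1, "func": 3},   # engineering station reads
]

DETECTION_EVENTS = [
    {"src": "10.0.0.10", "dst": "10.0.0.20", "unit": 1, "func": 3},   # normal poll: no alert
    {"src": "10.0.0.11", "dst": "10.0.0.20", "unit": 1, "func": 16},  # eng. station writes many registers: high
    {"src": "10.0.0.99", "dst": "10.0.0.20", "unit": 1, "func": 3},   # never-seen host: high
    {"src": "10.0.0.10", "dst": "10.0.0.20", "unit": 1, "func": 4},   # HMI reads input registers: medium
]


def run_example() -> list:
    det = BaselineDetector()
    det.learn(LEARNING_EVENTS)
    return det.detect(DETECTION_EVENTS)


if __name__ == "__main__":
    for a in run_example():
        print(f"[{a.severity}] {a.reason}: {a.event}")
    print(severity_counts(run_example()))
```

The model's weak point is the learning window: if an attacker is already active while the baseline is recorded, their traffic becomes "normal", so in a real deployment the learned allowlist has to be reviewed against the plant's engineering documentation before detection is switched on. The last sample event (a known HMI issuing a read it never issued before) is deliberately ambiguous; deciding whether that is a configuration change or reconnaissance is exactly the kind of triage the SOC's human workforce and procedures exist for.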

