Whitepaper:
Deception Defense Platform for Cyber-Physical Systems

There is an ever-increasing number of cyber-attacks targeting the cyber-physical systems vital to the operation of our critical infrastructure. Disruption, destruction, data loss, and the general run of internet threats have all become risks to cyber-physical systems that were once thought isolated and secure from cyber threats. As with the advent and proliferation of the Internet in the 1990s, deploying cyber defenses is critical to robust and resilient operation. Deception defense fits well within the limitations of OT environments: it is a security technology with low impact on operations that both encumbers active threats and boosts defender awareness. Integrating decoys into existing installations is relatively easy and slows an attacker's progress toward impact. Decoys give defenders valuable time to mitigate and respond to threats actively attempting to cause impact on their most critical systems. However, traditional deception needs enhancements to appear realistic and be effective within OT environments.

In this whitepaper you will learn about the research and development that goes into high-fidelity deception of field devices using model-driven simulations. The features presented are discussed in the context of an electrical distribution substation and as they have been implemented within the Attivo Networks BOTsink platform. A high-fidelity OT decoy has three main attributes: services, variables, and behavior. Our approach to simulating a model that generates realistic decoy behavior is explored, including a description of two approaches: a physics model-based approach and a data-driven approach. The performance of two machine learning techniques is investigated in terms of their ability to learn a good-enough model of the physics of the system.

[Cover image: PNNL Deception Defense whitepaper]