Title: MetaPhortress: A Situational Awareness Platform

Fossil fuel power generation plants risk service interruptions caused by malicious attacks from insider threats and cybercriminals. Although cyber warfare threatens all sectors of the United States’ critical infrastructure, the energy sector’s reliance on networked industrial control systems renders it particularly vulnerable to cyberattacks; therefore, comprehensive situation awareness of power plant health, operation, and cybersecurity has become critical to keeping the power on. The team is creating an automated situation awareness tool that adapts its proven, patented cyber feature- extraction and behavior analysis platform to provide comprehensive, simultaneous coverage of power plant industrial control systems, information technology networks, and physics access control systems. The tool performs data fusion upon networked sensor outputs to characterize nominal operational modes, then uses data analytics to detect deviations from those modes to determine which anomalous conditions correspond to malicious behavior and alert system operators to emerging cyber incidents. The enabling platform employs a temporal aggregation methodology that models dynamic, emergent threat behaviors, and models the behaviors of known threats. The methodology is threat-centric; it categorizes the behavior of network entities instead of being a standard alert- or alarm-centric approach that classifies individual network incidents without associating them to entities. Aggregated behavior analysis makes the proposed situation awareness tool uniquely adept at discovering malicious entities that attempt multiple vectors across attack surfaces and attacks that unfold over varied timescales. In Phase II, the team successfully developed and delivered a runtime prototype of the system. To accomplish this, the team researched detailed system requirements, developed detailed design elements, developed and tested the prototype software, and conducted integration testing in representative operation environments. The team worked with power generation experts, energy sector hardware and software vendors, and power plant operators to ensure the software tool communicates cyber situation information effectively. The team has implemented an initial set of advanced cyber threat detection and data processing features in the prototype, as well as user-facing elements that communicate the analytics outputs to energy stakeholders in a clear and useful way. The automated tool will ultimately provide situation awareness for the full range of power generation infrastructure, including renewable and nuclear power generation. In Phase II, the team built build upon the Phase I efforts by iteratively testing the system prototype to advance and complete the project research, while continuing to collaborate with industry subject matter experts in order to mature the software for delivery in Phase III. The Phase III effort will add distributed capabilities to the tool that will allow power plant owners and operators to coordinate their detection of area-wide anomalous conditions, obtain the information they need for mitigation, and ultimately share their detected threat behavior information with other facilities.