Enhancing SIEM Technology to Protect Critical Infrastructures

  • Luigi Coppolino
  • Salvatore D’Antonio
  • Valerio Formicola
  • Luigi Romano
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7722)


Coordinated and targeted cyber-attacks on Critical Infrastructures (CIs) and Supervisory Control And Data Acquisition (SCADA) systems are increasing and becoming more sophisticated. SCADA systems have typically been designed without security in mind, and security is usually addressed afterwards by reusing solutions built to protect Information Technology (IT) infrastructures alone, such as Security Information and Event Management (SIEM) systems. According to the National Institute of Standards and Technology (NIST), these systems are often ineffective for CI protection. In this paper we analyze the limits of current SIEMs and propose a framework, developed in the MASSIF Project, that enhances the SIEM's data-treatment services. In particular, the Generic Event Translation (GET) module collects security data from heterogeneous sources, providing intelligence at the edge of the SIEM, and the Resilient Storage (RS) reliably stores data related to relevant security breaches. We illustrate a prototype deployment for the dam monitoring and control case study.


Keywords: Security Information and Event Management (SIEM); Supervisory Control and Data Acquisition (SCADA); dam





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Luigi Coppolino (1, 2)
  • Salvatore D’Antonio (1)
  • Valerio Formicola (1)
  • Luigi Romano (1)
  1. Department of Technology, University of Naples “Parthenope”, Naples, Italy
  2. Epsilon S.r.l., Naples, Italy
