Abstract:
Critical infrastructures in general, and Industrial Control Systems (ICS) in particular, need specific protection. For instance, Advanced Persistent Threats (APT) are a well-known modus operandi of attackers for penetrating enterprise IT systems, with the consequence of severely disrupted production. The typical arms race leads to new and updated attack vectors. Hence critical infrastructures in general are vulnerable, and consequently so is our society. In this paper we propose an approach in the scope of ICS which chains Cyber Threat Intelligence with the spatiotemporal analytical capabilities of a Geographic Information System (GIS). Our goal is an improved defense approach that addresses the risk of a cyber-physical attack disrupting parts of the critical infrastructure. We furthermore quantify the threat and the extent of its potential effects by providing reliable data on the expected level of risk/damage. Our approach of interlinking Cyber Threat Intelligence, incident response, and GIS operational models is evaluated using a prototype within a sample use case. For the implementation of the prototype, market-available products are used, such as the Security Information and Event Management (SIEM) system of the company LogPoint, the GIS of the company Esri, and the MITRE ATT&CK framework. Our work shows how critical infrastructure protection can be improved through the optimized concatenation of existing procedures and technologies, making available knowledge actionable for defense. Our solution offers a unique starting point for combining the existing knowledge of Cyber Threat Intelligence with knowledge of the operational processes of critical infrastructures and putting it at the service of the defender.