Development of traffic analysis and visualization technology for verifying integrity of control systems (16 September 2015)

Professor Yasuo Okabe and Associate Professor Hiroki Takakura of the Academic Center for Computing and Media Studies (ACCMS), Kyoto University, have collaborated with the National Institute of Information and Communications Technology (NICT) and Yokogawa Electric Corporation (Yokogawa) to develop a traffic analysis and visualization technology for verifying the network integrity of control systems in critical infrastructures, including electricity, gas, and water utilities. This technology enables rapid detection of security incidents, such as malware infection, by analyzing and visualizing traffic flow on control system networks. Yokogawa has incorporated this technology in the industry's first "network healthiness check service", which combines technologies for visualizing, collecting, and analyzing traffic data to check the network integrity of control systems. This new technology is expected to contribute to enhanced security of control systems used in critical infrastructures.

The research group focused on a characteristic of control system networks: identifying the normal traffic condition of a control system network is much easier than doing so for an information network in general, because the former is designed and operated for specific purposes, while the latter carries a wide variety of traffic flows.

First, this newly developed technology records the traffic flows observed while the control system is in its normal condition as a "white list". This list is then compared over time with the actual behavior of the control system network in order to detect differences between them. Such differences indicate unexpected communication, such as increases in traffic volume or communication with unknown IP addresses, both of which could be caused by malware infection.
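A minimal form of the whitelist comparison described above, as an added example that is not the research group's or Yokogawa's code. The flow records, addresses and the 3x volume threshold are constructed assumptions; a real deployment would build the baseline from captured flow data over a representative period.

```python
from collections import defaultdict

# Constructed sample data (not from the page): flows recorded while the
# control network was known-good, and a later observation window.
# Each record is (src_ip, dst_ip, dst_port, bytes).
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502, 4000),     # HMI -> PLC (Modbus/TCP)
    ("10.0.1.10", "10.0.1.21", 502, 4200),     # HMI -> second PLC
    ("10.0.1.30", "10.0.1.10", 44818, 12000),  # historian -> HMI
]
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502, 4100),
    ("10.0.1.10", "10.0.1.21", 502, 30000),    # volume spike on a known flow
    ("10.0.1.10", "203.0.113.5", 443, 900),    # peer never seen in baseline
]


def build_whitelist(flows):
    """Summarise flows as {(src, dst, dst_port): total_bytes}."""
    wl = defaultdict(int)
    for src, dst, port, nbytes in flows:
        wl[(src, dst, port)] += nbytes
    return dict(wl)


def check_window(whitelist, flows, volume_ratio=3.0):
    """Compare one observation window against the whitelist.

    Returns a list of (kind, flow_key, detail) findings: flows absent from
    the whitelist (with any hosts never seen at all), known flows whose
    volume exceeds volume_ratio times the baseline, and baseline flows
    that disappeared from the window.
    """
    observed = build_whitelist(flows)
    known_hosts = {h for (s, d, _) in whitelist for h in (s, d)}
    findings = []
    for key, nbytes in observed.items():
        src, dst, _ = key
        if key not in whitelist:
            new_hosts = [h for h in (src, dst) if h not in known_hosts]
            findings.append(("unknown_flow", key, {"new_hosts": new_hosts}))
        elif nbytes > volume_ratio * whitelist[key]:
            findings.append(("volume_increase", key,
                             {"baseline": whitelist[key], "observed": nbytes}))
    for key in whitelist:
        if key not in observed:
            findings.append(("missing_flow", key, {}))
    return findings
```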

In addition, the technology was extended to support communication protocols unique to control systems by building on NIRVANA (NICTER Real-network Visual Analyzer, where NICTER stands for Network Incident Analysis Center for Tactical Emergency Response), a real-time traffic visualization system developed by NICT that is now available for transfer by contract. This makes it much easier to ascertain traffic conditions when abnormalities are detected.

As this technology obviates the need to install detection software in every control system server, it allows easy implementation and enables incident detection without affecting the high degree of availability that control systems are required to maintain.

Outline of the newly developed technology