Academia.eduAcademia.edu

Autonomic Computing Architecture for SCADA Cyber Security

2017, International Journal of Cognitive Informatics and Natural Intelligence

Autonomic computing paradigm is based on intelligent computing systems that can autonomously take actions under given conditions. These technologies have been successfully applied to many problem domains requiring autonomous operation. One such area of national interest is SCADA systems that monitor critical infrastructures such as transportation networks, large manufacturing, business and health facilities, power generation, and distribution networks. The SCADA systems have evolved into a complex, highly connected system requiring high availability. On the other hand, cyber threats to these infrastructures have increasingly become more sophisticated, extensive and numerous. This highlights the need for newer measures that can proactively and autonomously react to an impending threat. This article proposes a SCADA system framework to leverage autonomic computing elements in the architecture for coping with the current challenges and threats of cyber security.

Autonomic computing architecture for SCADA cyber security Nazir, Sajid; Patel, Shushma; Patel, Dilip Published in: International Journal of Cognitive Informatics and Natural Intelligence DOI: 10.4018/IJCINI.2017100104 Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link to publication in ResearchOnline Citation for published version (Harvard): Nazir, S, Patel, S & Patel, D 2017, 'Autonomic computing architecture for SCADA cyber security', International Journal of Cognitive Informatics and Natural Intelligence, vol. 11, no. 4, pp. 66-79. https://doi.org/10.4018/IJCINI.2017100104 General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Take down policy If you believe that this document breaches copyright please view our takedown policy at https://edshare.gcu.ac.uk/id/eprint/5179 for details of how to contact us. Download date: 14. Dec. 2021 International Journal of Cognitive Informatics and Natural Intelligence Autonomic Computing Architecture for SCADA Cyber Security 1. INTRODUCTION Cognitive computing relates to intelligent computing platforms that are based on the disciplines of artificial intelligence, machine learning, and other innovative technologies. These technologies can be used to design systems that mimic the human brain to learn about their environment and can autonomously predict an impending anomalous situation. IBM first used the term ‘Autonomic Computing’ in 2001 to combat the looming complexity crisis (Ganek and Corbi, 2003). The concept has been inspired by the human biological autonomic system. An autonomic system is self-healing, selfregulating, self-optimising and self-protecting (Ganek and Corbi, 2003). Therefore, the system should be able to protect itself against both malicious attacks and unintended mistakes by the operator. Supervisory Control and Data Acquisition (SCADA) systems are used to monitor and control complex infrastructures of national importance such as transportation networks, power generation and manufacturing plants. SCADA systems can be visualised as a layered architecture, as shown in Figure 1. The field devices (sensors, etc.) at the lowest layer interact with the physical processes. At layer 2, the Programmable Logic Controllers (PLC), and Remote Terminal Units (RTUs) aggregate data values from the lower layer and communicate the commands and their responses through the communications network to the SCADA server and Human Machine Interface (HMI). The generation of commands at the top layer and collection of responses from the lowest layer results in the monitoring and control of the process. The applicability of SCADA systems has become widespread due to industrial automation, cost reduction and growth in global economies (Nazir et al., 2017). Fig. 1. Layered Architecture of a SCADA system. Traditionally, SCADA systems were developed as closed systems with security being the overriding factor, and no Internet connectivity. However, to leverage efficiency and gain a competitive advantage, International Journal of Cognitive Informatics and Natural Intelligence the systems are increasingly becoming connected to the Internet and cloud technologies. SCADA system security vulnerabilities were first highlighted by the Stuxnet attack (Karnouskos, 2011). Subsequently, there has been an increase in the frequency and sophistication, of the attacks as evidenced by Constantin (2014). Isolation and obscurity as a mechanism for protection is no longer an option for critical infrastructures (Mahoney and Gandhi, 2011). At the same time systems are getting so complex that it is difficult to develop effective defence strategies, as there is a lack of understanding of the complex interactions between the many system entities (Khadraoui and Feltus, 2015). Digital forensics becomes difficult due to the increased numbers and complexity of the cases (Taveras, 2013). The systems complexity and interactions go beyond the capability of system developers and integrators as a result of interconnectivity (Kephart and Chess, 2003). Thus, increasingly there is a lack of understanding of the holistic system, which makes it very difficult to tune a system and to make decisions in case of changed requirements. This has led to a realization that conventional and inflexible techniques will not help. What is needed is a new way of looking at the problem of cyber security that is robust, manageable and self-realising with a minimum requirement to monitor systems to make decisions. What is proposed is an entirely new way of thinking about the problem where the system itself is intelligent and helps to maintain and extend its behaviour, with the use of autonomic computing (Kephart and Chess, 2003). The basic principles of autonomic computing are highly relevant for the protection of the increasingly complex SCADA system because: (i) the boundaries between physical and virtual systems have been blurred through virtualisation. It is possible to host a cluster of machines in a virtual environment; (ii) even with hardware there are sufficient advances in other domains with self-healing materials; (iii) advances in machine learning, artificial intelligence and the knowledge base need to be capitalised for protection; (iv) the systems are highly interconnected and the distributed nature of the systems pose an exponential complexity. There has been some research on autonomic computing applications to complex SCADA systems. The application of autonomic computing for smart grids has been discussed (Greer and RodriguezMartinez, 2012) as a solution to manage system complexities. Key components of a self-protecting SCADA system have been proposed and a survey of techniques provided for the realisation of such systems (Chen Abdelwahed, 2014). Also, there are few dedicated research groups (Autonomic Computing Lab; Cloud and Autonomic Computing Centre; Fortes et al., 2014) focusing research on the applicability of autonomic computing to cyber security. JADE (JADE, 2009) provides a framework for building autonomic management systems. A test bed was developed for modelling critical infrastructures for testing autonomic technologies (Autonomic Computing Lab; Cox, 2011). However, there is a lack of progress in developing architectures to support applications before the full potential of autonomic computing for SCADA security can be realised. We propose to use the autonomic computing paradigm features to SCADA system security, in particular focussing on selfprotecting SCADA systems. This paper incorporates autonomic computing paradigm elements to extend the SCADA architecture to safeguard against the emerging cyber security challenges and threats facing SCADA industrial applications. In section 2 the relevant features of SCADA systems are described. Cognitive computing is discussed in section 3. Section 4 covers the autonomic computing paradigm. Section 5 proposes the architectural framework for SCADA cyber security and finally section 6 concludes the paper. 2. SCADA SYSTEMS VULNERABILITIES AND THREATS LANDSCAPE SCADA systems were developed to be used as stand-alone systems which by their very nature made it difficult for an outside attacker to exploit the system. However, the many benefits associated with interconnecting the system to the Internet have transformed the SCADA systems into a highly interconnected system (Taveras, 2013; Nazir et al., 2017) accessible over the Internet (Fig 2). Therefore the protection offered by an unconnected SCADA system is not available anymore. The benefits are too International Journal of Cognitive Informatics and Natural Intelligence lucrative to be ignored by vendors and industry. Unfortunately it comes with an increased exposure to threats. The system interactions are complex, opening new threat entry points as there are many third party libraries and hardware assembled with components from around the world, with exploitable threats such as backdoors, often unknown to the SCADA system vendor. The systems developers design customized solutions to address a particular problem. The systems are fairly long term deployments as the controlled processes have large financial and industrial outlays. The criticality of maintaining the process means that the systems remain in continuous operation and have a range of redundancies incorporated to protect stalling the system for foreseeable problems. SCADA communications protocols such as Modbus, Distributed Network Protocol (DNP), IEC 870-5 and T103 are described by GE Communications Protocol. Most SCADA communications protocols have no encryption as they were designed when the SCADA systems existed only as stand-alone systems, rendering protocol authentication unnecessary. The Modbus protocol is one of the most common protocols for SCADA systems that operate on simple request-response messaging (Al Baalbaki et al., 2013). The diversity of the protocols and their inoperability also creates obstacles to design secure communications (Sheldon et al., 2004). There are many publicly available tools that can capture network traffic wirelessly. Also the wireless devices that feed data to the SCADA system provide easy entry points for the intruder into the system because the end devices do not have adequate protection, due to very low power requirements. SCADA application vendors design their software to be hosted on generic operating systems such as Windows and Linux variants for widespread deployments; however, this makes SCADA applications exposed to the same vulnerabilities as that of the operating system. The long operational lifetime of SCADA software means that the host operating system may be beyond technical support. The features being added to the SCADA systems add further complexity and the systems become difficult to develop and maintain. Thus it becomes difficult to understand and restore systems to their operational state from a compromised state resulting from a cyber attack. Fig. 2. Multiple pathways and Internat Connectivity to a Production System. International Journal of Cognitive Informatics and Natural Intelligence The cyber attack paradigms have progressed much beyond the simple attack methodologies such as man-in-the-middle (MITM) and Denial of Service (DOS) attacks (Chen and Abdelwahed, 2014), and are waged with increasing sophistication to hide detection. The traditional defence approaches are unable to cope with the latest attack methodologies where for example, the system parameters are altered, and are individually legitimate, but on the whole result in system collapse. Correct operation of the system needs not only the correct commands but commands that are consistent with the prevailing state of the system. It is possible for an attacker to inject a valid sequence of commands that gradually take the system to an unstable condition. The systems also operate under very tight timing constraints and can have undesired consequences in case of timing violation. Even the smallest intrusions on the critical infrastructure controls, can result in malfunctions which have devastating ripple effects on the system as a whole. The system is susceptible to attacks with minor effects, which can alter the system behaviour in a negative manner, leading to a ripple effect that compromises the whole system. The SCADA system entities are generally spread over a large geographical area, thus necessitating synchronisation of information at each location. The threat landscape is rapidly evolving (Khadraoui and Feltus, 2015) and has gained momentum because the SCADA systems are now accessible over the Internet, and are no longer protected by obscurity as the communications protocols and characteristics are available to interested parties. Currently, both the state and non-state agents are trying to exploit the system’s vulnerabilities. Cox (2011) discusses in detail threat ontologies. In contrast to the attacks launched from outside, threats can also emanate from an innocent or deliberate mistake from an insider. Such attacks could cause more harm as they could be launched with some understanding about the system operation. PROTECTION SCHEMES Some recent technology adoptions and improvements in the SCADA systems are promising to aid developing systems that can result in an autonomic SCADA system. System protection can be ensured through many techniques. The majority depend on the judgement of a human to provide safeguards for the system. The latest trends and innovations, such as virtualisation, analytics and databases, and wireless communications, which must work together in close collaboration to achieve the system mission, have been applied to SCADA systems. The integrated framework can rightly be called systems of systems as the complexity has increased beyond simple control and monitoring tasks, the fundamental basis of SCADA. This complexity implies that developing and maintaining such systems are reaching the limits of human cognition (Kephart and Chess, 2003; Huebscher and McCann, 2008). System vendors have been cognisant of the prevailing cyber security environment and have added a number of features to the product offerings. These features include, for example multiplexing proxy, encryption and role based access to make the intruder’s task difficult. Most SCADA vendors allow integration with relational databases in addition to the built-in historical databases that have some advantages (SQL). Relational databases such as Oracle have their own integrated analytics and data mining services that can make it easier to uncover any anomalous activity. The machine learning and data analytics techniques have revolutionised many application domains and have recently been introduced in SCADA applications software. Such native integration makes it easier for the SCADA developers to analyse the systems operations and identify impending attacks (Kirsch et al., 2014; Carcano et al., 2011). Machine learning and other such techniques can effectively analyse a system to detect anomalous activities. Such unsupervised anomaly detection schemes are more appropriate and efficient compared to human analysts (Jiang and Yasakethu, 2013) and other signature based approaches (Chen Abdelwahed, 2014). The system can thus learn new approaches and provide defence against as yet unseen scenarios, as in the case of supervised learning approaches. The other techniques of interest could be based on agent based, artificial intelligence, and adaptive systems (Greer and Rodriguez-Martinez, 2012). The future of cyber security lies with exploiting such techniques International Journal of Cognitive Informatics and Natural Intelligence that can not only autonomously assess the threats to the system security, but also contain and mitigate the threat from spreading, resulting in more damage. The operator alert can notify the human operator to initiate disaster recovery operations. Virtualisation techniques provide many benefits that can advantageously be applied to support the autonomic computing paradigm. Virtualisation enables easy containment of an attack, restoring and disaster recovery, change and optimisation of system resources, etc., in a truly elastic manner. A recent breakthrough in this direction is that of the Autonomic Computing paradigm. With Autonomic Computing, the ultimate control still rests with a human but the drudgery of data manipulation and threat assessment can be taken out of the loop. 3. COGNITIVE INFORMATICS AND COMPUTING Cognitive Informatics is a broad and multidisciplinary field of cognition and information sciences that investigates the human information processing and its applicability for computing applications. A comprehensive review of the cognitive informatics framework is provided by Wang (2007a) and it also describes the applications from the fields of computing and software engineering. It uses Concept Algebra (CA), Real-Time System Algebra (RTPA) and System Algebra (SA) to formulate and represent knowledge using a formal notation. It can have diverse goals based on the application field but the overriding aim is to improve the human-machine interaction through better decision making. The hard problems in various engineering and scientific fields can be solved much easily if we knew the cognitive processes of the human brain (Wang, 2007a). For example, object recognition and classification problem in computer vision is hard for computers but comes naturally to humans, where a lot of progress has been made by mimicking the cognitive processes of the brain through Artificial Neural Networks (ANN). Similarly, the application of machine learning and agent based processing can help overcome the cyber threats facing the SCADA systems. The theoretical framework for cognitive informatics and cognitive computing is presented by Wang et al. (2015) using a reductive model of the brain. It has been argued that the brain and natural intelligence can be explained through the reductive hierarchy at different levels. The cognitive processes of formal inferences are described by Wang (2011b) cover both the applied and theoretical research processes using Real-Time Process Algebra (RTPA). It theorizes and demonstrates how the formal inferences in the human brain can be described using the cognitive processes of deduction, induction, abduction, and analogy. It provides a set of mathematical models and cognitive process for formal inference. This formalization of models is also helpful to design the intelligent computers based on Cognitive Computing (CC). Cognitive computing comprises of intelligent computing methodologies to build autonomous systems that mimic the inference mechanisms of the human brain (Wang, 2009). Thus a system can detect anomalies, events and entities in a system through pattern recognition and data mining. These pro-active and self-learning systems can provide an effective defence against cyber threats, as signature based approaches can only work against known threats, It is also very important for critical infrastructure cyber security systems that the threat is anticipated and predicted before it strikes, otherwise it could be difficult to contain the resulting damage. The future developments in the field of cognitive informatics have been described by Wang et al. (2011a; 2011c). The advances in the field of cognitive informatics have led to the development of cognitive computing. Computing can be classified at four levels in computation intelligence: data, information, knowledge, and intelligence (Wang et al., 2011c; 2015). Data and information processing have been well studied but the same has not been the case for the higher levels of computational intelligence are yet to be studied. This will foster an era of an intelligent revolution that will meet the human needs of wisdom and intelligence. Highly intelligent systems will be accessible to ordinary people to solve everyday problems (Wang et al., 2015). The recent trend of “Cognitive processes of the brain, particularly the perceptive cognitive processes, are the fundamental means for describing autonomic International Journal of Cognitive Informatics and Natural Intelligence computing systems, such as robots, software agent systems, and distributed intelligent networks.” (Wang, 2007b). 4. AUTONOMIC COMPUTING PARADIGM The roots of autonomic computing can be traced to the work by Norbett Wiener, John von Neumann, Alan Turing, and Claude E. Shannon on automata (Wang, 2007b). Autonomic computing leads to intelligent behaviours such as those driven through goals and inferences (Wang, 2007b). The theoretical and engineering foundations for autonomic computing together with a comprehensive set of theoretical foundations that is, cognitive informatics, behaviours, and intelligent science have been identified and the theorems for imperative and autonomic computing provide a solid foundation for the application of the field of autonomic computing to engineering applications (Wang, 2007b). Autonomic Computing is one of the trans-disciplinary applications of Cognitive Informatics and an autonomic computing system using its intelligence can autonomously carry out its actions based on the set of events and goals (Wang, 2007a; 2007b). This contrasts with an imperative system whose behaviour is controlled by a stored program and is thus deterministic. The motivation for autonomic systems is to deal with the system complexity, which has reached an overwhelming proportion and is inspired by the human nervous system (Poslad, 2011). The increase in system complexity and applications heterogeneity has made it difficult to process the information. This has necessitated the use of paradigms inspired by biological systems such as autonomic computing (Parashar and Hariri, 2005) that have a goal to realise systems and applications which operate autonomously based on high level rules to meet the system mission. It differs from Artificial Intelligence (AI) in that unlike those systems the ultimate decision may be taken by the human operator The basic idea of the Autonomic Computing paradigm is that the system should be intelligent to enable it to develop and maintain itself in an optimised state. The human body’s feedback and control mechanisms (Kephart and Chess, 2003; Parashar and Hariri, 2005) have formed the basis of general systems theory and holism for the development and management of computer based systems. The autonomic computing paradigm mimics the autonomic human nervous system. The ability to selfmanage SCADA system security threats by developing learning systems that recognise vulnerabilities will be hugely advantageous. The agents and software services will form a part of the systems, gathering data and monitoring systems continuously (Yang et al., 2005). Autonomic computing can result from the use of different technologies, however an autonomic system must demonstrate the following four main features: self-configuring; self-healing; selfoptimising; and self-protecting (Ganek and Corbi, 2003): 1) Self-configuring: The system must be able to reconfigure its behaviour based on the changing system requirements. For example, to acquire more system resources, such as memory, in case the system is overburdened. 2) Self-healing: In response to detecting a compromised element in its configurtion, or lack of resources, an autonomic system can respond by repairing itself to a good state. Based on this assessment the system should be able to, for example, isolate the system components that have been compromised and continue operation with the remaining elements and at the same time attemping to restore the compromised system elements. 3) Self-optimising: The system must be able to assess the current state of the system variables and be abe to tune them to result in an optimised tuned behaviour. This is crucial as in the case of complex systems there are thousands of system parameters that can affect the system performance. Knowing or applying them all for best results is beyond the grasp of the human mind, in a resonable amount of time. 4) Self-protecting: The system should be aware of the normal system operation and be able to continuously monitor the current system state to determine when deviations occur. It can then take measures to contain the threat and to handle it International Journal of Cognitive Informatics and Natural Intelligence Autonomic computing facilitates identifying factors that relate to a specific state – homeostasis. The development of a knowledge network will help to identify what ‘homeostasis’ is and when there is an imbalance, to understand the structure of the network, the defences, the threats and the attacks. The threats can be classified into two categories: 1) process-related: when valid credentials are used to make legitimate changes that can impact on industrial processes. These can also be due to an error in the input of incorrect values or an actual attack (Crawford, 2006) by, for example, disgruntled employees; and 2) system-related: which are exploited via software or configuration vulnerabilities. For example, flaws in communication protocols, which are low level (layers 1 and 2) attacks on the SCADA architecture (Pidikiti et al., 2013). Developing a mechanism to mine logged data on process-related incidents is a potential solution to developing an autonomic computing approach for SCADA security. Identifying user activities and classifying the actions into signed-on or known user actions allows the analysis of threats as legitimate system commands by legitimate users, or by illegitimate users, to distinguish the threats into attacks or errors by developing a knowledge base (Hadžiosmanović et al., 2012). The autonomic computing system incorporated to monitor a SCADA system may generate false alarms and therefore it may be necessary, based on the application domain, for a human operator to make a final decision based on the evidence. 5. ARCHITECTURAL FRAMEWORK FOR SCADA SECURITY In this section we provide a brief overview of the architectures proposed in the research literature and propose a framework that can be used to design SCADA systems that have built-in layered protection against both known and unknown threats. An autonomic system enables a SCADA system to optimise, configure and protect itself in case of changing the system state to a compromised one. The work to date for securing SCADA security focuses on discrete approaches. However, we propose an integrated approach that combines, the discrete knowledge based approaches with cognitive approaches. The memory layer of the Layered Reference Model of the Brain (LRMB) (layer 2), reflects the knowledge base that captures the short term, long term and transient memories. This can be utilised to capture process- and systems-related threats. Memory can be defined as a set of subconscious cognitive processes that retain the external or internal information about various SCADA security events. The subconscious knowledge base is inherited from the range of events and threats identified, and the conscious subsystem, however, is acquired and flexible, based on the autonomic computing paradigm (Wang et al., 2006a; Wang and Wang, 2006b). Some autonomic architectures have been proposed in the research literature. The IBM autonomic computing system comprises, monitoring, analysing, planning, executing and a knowledge base component (Ebbers et al., 2006) and was proposed for large-scale commercial systems. The architecture utilises Touchpoint Autonomic Managers that are self-configuring, self-healing, self-optimizing and selfprotecting. An introduction to autonomic computing together with the challenges and opportunities are presented in Parashar and Hariri (2005). An Ultrastable system is discussed with reference to living organisms and human nervous system. The authors highlight the challenges in designing the general purpose systems that can address the emerging needs and complexity of services and applications. They propose architecture for an autonomic element as a smallest functional unit and propose a manager for each autonomic element. Chen and Abdelwahed (2014) highlight the need for better security for the SCADA system and present an autonomic security model comprising of risk assessment, early warning and prevention, intrusion detection, and intrusion response. The signature based detection techniques can only be useful against known attacks whereas the anomaly based detection techniques have a high false alarm rate. Similarly demilitarised zones, access controls and firewalls do not provide adequate protection as with International Journal of Cognitive Informatics and Natural Intelligence time the attackers learn the vulnerabilities of the communication protocols and those of the operating system. A detailed survey of autonomic computing models and applications is provided by Huebscher and McCann(2008). An Autonomic Critical Infrastructure Protection (ACIP) system using anomaly detection and autonomic computing is proposed by Al-Baalbaaki and Al-Nashif (2013). The modular system has online monitoring, feature selection and correlation, multi-level behaviour analysis, visualisation, and adaptive learning. The evaluation of ACIP is described using Modbus traffic generator for the Modbus traces between a server and five different PLCs. The proposed system could detect and stop a variety of attacks on the Modbus protocol (Al-Baalbaaki and Al-Nashif, 2013). It was shown that by incorporating knowledge of a physical model of the system it was possible to identify the attacks through changes in system behaviour (Cardenas et al., 2011). The detection of attacks was formulated as anomaly-based intrusion detection. The results show that the response algorithm keeps the system in a safe state during an attack. Automatic response mechanisms were proposed on system state estimation. However, they caution that an automatic detection and response methodology might not be applicable for all processes in control systems. A methodology for designing a smart critical architecture that protects communications, controls and computations using moving target defence and autonomic computing is proposed by Hariri et al. and also develop a Resilient Smart Critical Infrastructure Testbed (RSCIT). A general autonomic computing environment (Autonomia) was developed for control and management of smart critical infrastructures. A survivable cyber-secure infrastructures (SCI) architecture is proposed by Sheldon et al. (2004) for a power grid and proposes a cognitive agent architecture combining agent-based and autonomic computing. Cognitive components are described as comprising of processes that are reactive, deliberate, or reflective. In contrast to the architectures above, our proposed architecture combines three features to provide a threat-resilient SCADA framework: (i) virtualisation of computing and networking resources (ii) hierarchy of autonomic managers (AMs) to identify threats at different scales (iii) protection against false alarms. Virtualisation refers to creating a virtual rather than physical version of computer hardware, storage and networks. The advantages are that the computing resources can be elastically assigned as required and it is much easier to monitor the virtual machines. In case of a cyber attack, a clean instance can be easily launched and the compromised machine can be isolated for forensics. Also, Disaster recovery and rollback can be performed easily. We propose hosting the SCADA system on a virtual platform. The advantages are that it can provide high availability through protection against hardware and software failures. Thus creating a broad generalised structure based on virtualisation wherein appropriate technologies can be selected to best suit an application within the given framework. We propose the concept of hierarchical autonomic managers that can scale protection from a small to a wide area. A domain autonomic manager, 𝐴𝑀𝑑 performs real-time analysis of their limited domain (database, communications, etc.,) at a small scale. These domain-based analyses are then aggregated at the local system level, 𝐴𝑀𝑙 for identification of anomalies to counter the threats locally. This relieves the central autonomic manager, 𝐴𝑀𝑐 to take more holistic actions. Thus, a central autonomic manager can perform an analysis of system wide aggregated analysis to counter system wide variations to identify possible threats. Thus, the inference of AM is based on the intelligent aggregation of the inferences of its lower level AM. Inferences 𝐴𝑀𝑐 = ∑𝑁𝑖=1 𝐼𝑛𝑓𝑒𝑟𝑒𝑛𝑐𝑒𝑠𝐴𝑀𝑙 We argue that despite the current state-of-the-art in autonomic computing applications, such as, machine learning and neural networks applied to SCADA systems, the ultimate decision should lie with the human operator. This is due to the criticality of the SCADA applications that might jeopardise the International Journal of Cognitive Informatics and Natural Intelligence safety and health of people, or compromise national security and infrastructures in case of false alarms. This of course, will vary from one application to another and a human decision-maker could be in the loop at some or all layers of AMs. The hierarchy of autonomic managers abstracts the information as it proceeds from low to high levels (domain to global) and can recommend actions to make it easier for a human operator to make a decision. The structure and execution cycle of an AM is shown in Fig 3. It plans based on the given goals and rules, executes its plan which could be monitoring, comparison, infers the result of its execution to be an anomaly or a progression towards one, reports the inference to its higher AM. The knowledge base is analogous to the human nervous system storing structured and unstructured information used by the autonomic manager during its operation. Fig 3. Structure and execution cycle of an autonomic manager. The autonomic manager, as shown in Fig 3, can be used at various security layers of the system. The hierarchy helps to place the inferences at appropriate levels and the intelligence can travel up to the highest layer, that is, the central AM. A SCADA system can have a large geographical spread, exposing it to exploitation at many locations, therefore necessitating an autonomic manager at each location that can monitor the security in the local areas and coordinate the efforts through the central manager. A simplified SCADA system architecture is shown in Figure 4. At the heart of the system is a central autonomic manager, that can enforce the broad threat mitigation and containment policies in the managed system as defined by the system administrator. The knowledge base provides the various historical system models that are continuously modified to the current state and are analysed to check conformance. The local autonomic managers continually observe the system state and act promptly in case of identified security threats to the local system. Our proposed architecture provides a broad generalised structure based on virtualisation wherein appropriate technologies can be selected to best suit an application within the given framework. The identification of anomalies at an area level helps to counter the threats locally, relieving the central autonomic manager to take more holistic actions to counter system wide threats. International Journal of Cognitive Informatics and Natural Intelligence Fig 4. Proposed Architecture for an autonomic SCADA system. It is also pertinent to point out here that the autonomic manager itself can be the target of a cyber attack. Such exploitation can be avoided through redundant deployments of managers and an integrated approach as proposed. 6. CONCLUSION The evolving cyber threat landscape dictates changes to cyber defence approaches for the protection of SCADA systems. Unlike the traditional defence approaches where the response is governed by tailoring and monitoring according to threats, the concept of autonomic computing provides an advantage, as the systems are self-protecting. Thus, the cognitive and autonomic computing paradigms are very promising to develop SCADA system cyber security architectures that facilitate proactive threat mitigation methodologies. The autonomous nature enables flexible and scalable solutions across a wide range of SCADA system architectures and applications. This paper provides an overview of the autonomic computing based architectures for SCADA security. We propose the concept of hierarchical autonomic managers that helps to extract, aggregate and refine intelligent inferences for ultimate decision making by a human operator. The proposed framework is generic and can be suitably applied across a range of real-world SCADA applications. ACKNOWLEDGMENT The research is sponsored by London South Bank University and Firstco Ltd., London, UK, through Innovate UK funding. REFERENCES Autonomic Computing Lab. http://acl.ece.arizona.edu/research.html [Accessed 20 August 2017]. International Journal of Cognitive Informatics and Natural Intelligence Al Baalbaki, B., Al-Nashif, Y., Hariri, S. and Kelly, D., 2013, May. Autonomic critical infrastructure protection (acip) system. In Computer Systems and Applications (AICCSA), 2013 ACS International Conference on (pp. 1-4). IEEE. Carcano, A., Coletta, A., Guglielmi, M., Masera, M., Fovino, I.N. and Trombetta, A., 2011. A multidimensional critical state analysis for detecting intrusions in SCADA systems. IEEE Transactions on Industrial Informatics, 7(2), pp.179-186. Cárdenas, A.A., Amin, S., Lin, Z.S., Huang, Y.L., Huang, C.Y. and Sastry, S., 2011, March. Attacks against process control systems: risk assessment, detection, and response. In Proceedings of the 6th ACM symposium on information, computer and communications security (pp. 355-366). ACM. Chen, Q. and Abdelwahed, S., 2014, April. Towards realizing self-protecting SCADA systems. In Proceedings of the 9th Annual Cyber and Information Security Research Conference (pp. 105108). ACM. Cloud and Autonomic Computing Centre: https://sites.google.com/nsfcac.org/home [Accessed 20 August 2017]. Constantin L., 2014. “New Havex malware variants target industrial control system and SCADA users,” PC World, Jun 2014. Cox, D.P., 2011. The application of autonomic computing for the protection of industrial control systems. The University of Arizona. Crawford, M., 2006. Utility hack led to security overhaul. Computerworld, 2006, pp.1-2. Ebbers M., Byrne F., Adrados P. G., Martin R., and Veilleux J., 2006. Autonomic Computing (Chapter 8) IBM Introduction to the New Mainframe: Large-Scale Commercial Computing. ftp://public.dhe.ibm.com/systems/z/z_coursematerials/lscc/Large_Scale_Commercial_Computing_S tudent.pdf [Accessed 20 August 2017]. Fortes J., Parashar M., Hariri S., Banicescu I., 2014. Center for Cloud and Autonomic Computing (CAC). Compendium of Industry-Nominated NSF I/UCRC Technological Breakthroughs. Ganek, A.G. and Corbi, T.A., 2003. The dawning of the autonomic computing era. IBM systems Journal, 42(1), pp.5-18. GE, Communications Protocol, https://www.gegridsolutions.com/app/DownloadFile.aspx?prod=gesapm&type=8&file=7 [Accessed 20 August 2017]. Greer, M. and Rodriguez-Martinez, M., 2012. Autonomic computing drives innovation of energy smart grids. Procedia Computer Science, 12, pp.314-319. International Journal of Cognitive Informatics and Natural Intelligence Hadžiosmanović, D., Bolzoni, D. and Hartel, P.H., 2012. A log mining approach for process monitoring in SCADA. International Journal of Information Security, pp.1-21. Hariri S., Pacheco J., Tunc C., and Al-Nashif Y. ( ). A Methodolgy for Designing Resilient and Smart Critical Infrastructures. http://ecedha.org/docs/default-source/source/designing-resilient-and-smartcritical-infrastructures.pdf?sfvrsn=0 [Accessed 20 August 2017]. Huebscher, M.C. and McCann, J.A., 2008. A survey of autonomic computing—degrees, models, and applications. ACM Computing Surveys (CSUR), 40(3), p.7. JADE - A framework for developing autonomic administration software. http://raweb.inria.fr/rapportsactivite/RA2009/sardes/uid40.html [Accessed 20 August 2017]. from Jiang, J. and Yasakethu, L., 2013, October. Anomaly detection via one class svm for protection of scada systems. In Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2013 International Conference on (pp. 82-88). IEEE. Karnouskos, S., 2011, November. Stuxnet worm impact on industrial cyber-physical system security. In IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society (pp. 4490-4494). IEEE. Kephart, J.O. and Chess, D.M., 2003. The vision of autonomic computing. Computer, 36(1), pp.41-50. Kirsch, J., Goose, S., Amir, Y., Wei, D. and Skare, P., 2014. Survivable SCADA via intrusion-tolerant replication. IEEE Transactions on Smart Grid, 5(1), pp.60-70. Khadraoui, D. and Feltus, C., 2015. Designing Security Policies for Complex SCADA Systems Protection. INFOCOMP 2015, p.66. Mahoney, W. and Gandhi, R.A., 2011. An integrated framework for control system simulation and regulatory compliance monitoring. International Journal of Critical Infrastructure Protection, 4(1), pp.41-53. Nazir, S., Patel, S. and Patel, D., 2017. Assessing and augmenting SCADA cyber security: A survey of techniques. Computers & Security, 70, pp.436-454. Parashar M. and Hariri S., 2005. Autonomic Computing: An Overview,” in Unconventional Programming Paradigms. Lecture Notes in Computer Science, vol 3566. Springer, Berlin, Heidelberg. Pidikiti, D.S., Kalluri, R., Kumar, R.S. and Bindhumadhava, B.S., 2013. SCADA communication protocols: vulnerabilities, attacks and possible mitigations. CSI transactions on ICT, 1(2), pp.135141. Poslad, S., 2011. Ubiquitous computing: smart devices, environments and interactions. John Wiley & Sons. International Journal of Cognitive Informatics and Natural Intelligence Sheldon, F., Potok, T., Langston, M., Krings, A. and Oman, P., 2004, July. Autonomic approach to survivable cyber-secure infrastructures. In IEEE Int. Conf. on Web Services (ICWS 2004), California, USA. SQL The Next Big Thing in SCADA, White Paper, Inductive Automation, 2012. https://www.automation.com/pdf_articles/inductive_automation/WhitePaper_SQL_The_Next_Big_ Thing_in_SCADA.pdf [Accessed 20 August 2017]. Taveras, P., 2013. SCADA live forensics: real time data acquisition process to detect, prevent or evaluate critical situations. European Scientific Journal, ESJ, 9(21). Wang Y., Wang Y., Patel S.,and Patel D., 2006a. A layered reference model of the brain (LRMB),”. IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), 36(2), 124-133. Wang Y. and Wang Y., 2006b. Cognitive informatics models of the brain” IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), 36(2), 203-207. Wang Y., 2007a. The Theoretical Framework of Cognitive Informatics. Int’l J. of Cognitive Informatics and Natural Intelligence, 1(1), 1-27. Wang Y., 2007b. Towards Theoretical Foundations of Autonomic Computing. Int’l J. of Cognitive Informatics and Natural Intelligence, 1(3), 1-16. Wang Y., 2009. Cognitive Computing and machinable thought. In 2009 8th IEEE International Conference on Cognitive Informatics, Kowloon, Hong Kong, pp. 6-8. Wang Y., Widrow B., Zhang B., Kinser W., Sugawara K., Sun, F., Lu J., Lu J., Weise T., and Zhang D., 2011a. Perspectives on the Field of Cognitive Informatics and its Future Development. Int’l J. of Cognitive Informatics and Natural Intelligence, 5(1), 1-17. Wang Y., 2011b. The Cognitive Processes of Formal Inferences. Int’l J. of Cognitive Informatics and Natural Intelligence, 1(4), 75-86. Wang Y., Berwick R. C., Haykin S., Pedrycz W., Kinser W., Baciu G., Zhang D., Bhavsar V. C., and Gavrilova M., 2011c. Cognitive Informatics and Cognitive Computing in Year 10 and Beyond. Int’l J. of Cognitive Informatics and Natural Intelligence, 5(4), 1-21. Wang Y., Rolls E. T., Howard N., Raskin V., Kinsner W., Murtagh F., Bhavsar V. C., Patel S., Patel D., and Shell D. F., 2015. Cognitive Informatics and Computational Intelligence: From Information Revolution to Intelligence Revolution, International Journal of Software Science and Computational Intelligence (IJSSCI), 7(2), 50-69. Yang L., Cao X., Gen X., and Zhang J., 2012. A Knowledge expression method of SCADA network attack and defence based on factor state space. Journal of Theoretical and Applied Information Technology, 46(2).