Third GLACIER project meeting in Cologne in mid-November
The participants of the BMBF project GLACIER came together for the third consortium meeting on November 13th in Cologne, in the offices of rt-solutions.de GmbH, to discuss the status of the project and to agree on the high-level architecture. In particular, the decision was made on which database systems to use for storing analysis and result data. Furthermore, the model of an industrial plant with typical control components was presented, which forms the basis for various anomaly detection use cases. Other use cases were presented as drafts and are to be implemented in the next project steps.
Since the last meeting, all project partners involved had worked out the fundamentals of the SIEM system's high-level architecture in joint telephone conferences, so this time the discussion turned to data storage within the system components. The distributed recognition system holds different data at different points of the process chain, but the purposes of these data stores differ fundamentally (long-term archiving, real-time analysis, user interaction), and so do the requirements for data storage. Read and write speeds, reliability and the type of access and search functions (SQL vs. NoSQL) are the determining factors. In the course of the meeting, these questions were comprehensively clarified. The answers will subsequently be incorporated into the architectural design, and the result will be finalized in a following telephone conference.
Furthermore, the prototypical replica of a small factory with typical machine components and control units was presented, which is one of the use cases to be examined within the project. A use case is to be understood as a closed set of technical components, the log data they generate, and typical weak points and attack scenarios, which are used to test anomaly detection and to demonstrate attacks on technologies used in industry. The model represents a sorting machine with an attached gripper arm. Each of the two components is controlled by a control system (PLC) of a kind typically used at industrial sites. The aim of the use case is to demonstrate the compromise of one of the two PLCs by an attacker, the manipulation of the process (sabotage) and finally the detection of this external intervention by the anomaly detection. The connection of the "mini factory" to a log infrastructure still has to be designed and implemented.
Other use cases presented and agreed upon at the meeting include the replication of an electronic access control system (doors with NFC tokens), the environmental control and monitoring of a factory building (motion detectors, temperature, gas and fire sensors, lighting control) and the WLAN infrastructure used by service technicians to access the facilities in the factory building. These use cases provide a cross-section of the possible log sources of a typical manufacturing hall.
In the course of the meeting it was agreed to develop and integrate the use cases in an agile end-to-end approach in order to be able to develop and test the function and performance of the anomaly detection system at an early stage. Further use cases, which cover areas such as production control, office work, remote maintenance and classic IT systems, are planned after the integration of the first use cases.