Now in its 5th year, the conference has established itself as the largest annual Digital Energy summit in the country: the event brought together senior IT, Digital and business leaders, providing a unique forum for knowledge exchange, discussion and high-level networking. The programme explored the use of Information Technology in driving tangible outcomes across the organisation, looking at key trends and providing practical insight from an array of industry leaders.
5. OFFICIAL: NONE
Agenda
• Strategy - A more resilient Scotland/UK!
• What are the threats?
• Where does SBRC sit in the landscape?
• Who you gonna call?
• Incident planning & response!
• Challenges!
• Under-reporting & signposting.
The Ambition
Safe, secure and prosperous: Scotland’s cyber resilience strategy
Scotland can be a world leader in cyber resilience and be a nation that can claim, by 2020, to have achieved the following outcomes:
i. Our people are informed and prepared to make the most of digital technologies safely.
ii. Our business organisations recognise the risks in the digital world and are well prepared to manage them.
iii. We have confidence in, and trust, our digital public services.
iv. We have a growing and renowned cyber resilience research community.
v. We have a global reputation for being a secure place to live and learn, and to set up and invest in business.
vi. We have an innovative cyber security goods and services industry that can help meet global demand.
Governance diagram (labels only): Leaders Board; DFM; Comms; Public Sector; Private Sector Leadership; Skills; Research; Business Enablement.
Cyber Expert Group for Scotland
Business membership groups – SCDI/CBI/IOD/COC/SLTA/STUC/LS (FSB National)
Trusted Partners – Cyber Essentials Accreditors
National Cyber Resilience Leaders Board
Development of action plans (aligned approach):
1. Learning and skills
2. Public sector cyber resilience
3. Private sector cyber resilience
4. Third sector cyber resilience
5. Systems of advice, support and response
6. Economic opportunity
7. Communications and awareness raising
Building blocks of SG Private Sector Plan
• Cyber Catalysts Scheme
• Grading of risk and standards – cyber aware up to NIS supply chain
• Public sector framework
• Leadership and awareness raising
• CISP/SCINET
• Unregulated sectors and third sector
• Innovation and growth + advice, support and resources
• Supporting the SME community co-operating nationally and internationally
Why we do what we do
The Scottish and UK governments are committed to making the UK a secure and resilient digital nation.
A key aspect of this strategy is robust engagement and an active partnership between government, industry and law enforcement to significantly enhance the levels of cyber security across UK networks.
In August 2017, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyber attack. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm’s operations and trigger an explosion.
Key questions that all CEOs and CISOs should be asking this week
• “Are we vulnerable to a cyber intrusion, SQL injection, ransomware or DDoS-based attacks?”
• “What assurance activity have we done to confirm that we are not vulnerable?”
• “If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?”
• “Are we satisfied that we have engaged a sufficient third-party security provider?”
• “What is our company posture on security?”
• “What is our overarching cyber security policy, and how vibrant is it?”
SBRC partners: Scottish Government, Police Scotland, Scottish Fire & Rescue.
SBRC menu of services (diagram labels): Cyber; Retail and Tourism; Supply Chain; Curious Frank; Safer Communities; BBN; Resilience.
Cyber-security Information Sharing Partnership (CiSP)
CiSP is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.
CiSP Business Benefits
• Engagement with Industry and Government counterparts in a secure environment
• Early warning of cyber threats
• Ability to learn from experiences, mistakes and successes and seek advice
• An improved ability to protect your organisation’s network
• Access to subject or sector specific content including latest incidents
• Improved cyber situational awareness at NO COST to your organisation
Under this scheme, which is backed by Government and supported by industry, organisations can apply for a badge which recognises the achievement of government-endorsed standards of cyber hygiene.
Trusted Partners
• Launched by SBRC and Police Scotland on 9th February 2017
• Nationally accredited Cyber Essentials Certifying Bodies based or operating across Scotland
• Initially 12 independent Certifying Bodies in Scotland, now increased to 20
• Cyber Essentials Approved Practitioners list launched on 31st May 2017
• Nationally accredited to provide Cyber Essentials consultancy and advice but don’t certify
• Trusted Partners & Approved Practitioners are integral to the Scottish Government’s Cyber Resilience Strategy and contributed during the development and consultation phase of the Action Plans.
Current Position (map of Scotland; locations and labels as extracted): Perth; St Andrews; Edinburgh; Dundee; London; Glasgow; Kilmarnock; Gartcosh; Linlithgow; Aberdeen. Labels: Scotland’s Knowledge Resource; Scotland’s Cyber Crime Centre; Scotland’s Cyber Quarter; National Cyber Security Centre; FinTech Hub; HALO – Future Digital Skills Centre; Oracle Cyber Scotland Base; PS Aberdeen Cyber Hub.
So what are the challenges/threats?
• Global, international, industrial & automated
• Jurisdictional reach & anonymous
• Increased criminal opportunities - Anyone can be (or hire) a cyber criminal!
• Lack of clear & concise statistical data.
• Under reporting
• Technological advances provide opportunities but equally increase the threat of cybercrime - The ‘Internet of Things’
• Social media as an attack vector
• Disaster Recovery & Business Continuity
Reporting of Cyber Incidents
• Incident evaluation and early reporting.
• Police Scotland 101 – Incident No. & Action Fraud.
• Business continuity and impact prime consideration.
• ICT response and mitigation. Scene preservation?
• Where possible preserve original copies of emails, attachments, device images and logs.
• Is there a mandatory obligation to report?
• Report to NCSC, Cert UK / GovCert UK .
• Report to Scottish Government if appropriate.
• Identify point of contact for law enforcement to facilitate enquiries and evidence gathering.
• Submit attack details to the CiSP platform (share.cisp.org.uk) if appropriate; this can assist with mitigation and fix.
Why Curious Frank?
We’re Curious.
Not just about you but about Cyber Security in general. We’re curious to see what the latest threats are and how they work; we’re curious to find out how to defend against them; we’re curious to learn the latest techniques and put them into practice to help secure businesses’ networks. Most of all we’re curious to find out how we can help you.
We’re Frank.
We’ll tell you in plain and simple terms what we think needs to be done to help protect your business. We’ll tell you in an open and honest manner what we found during our testing and what you can do to rectify any issues.
We’re Curious, we’re Frank.
Opportunities & Challenges
• End to end order and delivery process
• Online vulnerabilities
• Supply chain and contractual management
• Procurement policies
• Premises Assessments
• Transport
• Post-Brexit
• On and off-line management of instore process
• Warehouse deliveries and management
• Information sharing and protocols
• Supply Chains
• Staff vulnerabilities online trading
• International competition
• Mainstream Mega 4 competition
58. What is IoT?
• Networked sensors, analytical engines, actuators
• Connected non-traditional computing platforms
• Industrial Control Systems ICS
– Distributed Control Systems DCS
– Supervisory Control And Data Acquisition SCADA
– Programmable Logic Controllers PLC
– Remote Terminal Units RTU
– Intelligent Electronic Devices IED
– https://blog.trendmicro.com/securing-three-families-iot/
59. Copyright 2018 Trend Micro Inc.
Typical DCS Configuration (diagram; components as labelled): Process Historical Archives; Engineering and Operator Workstations; Operator Workstation; Ethernet TCP/IP; LAN/WAN Hubs; SCADA Data Servers; Field Control Units; Micro FCUs; PLC I/O; Field Devices; PLCs, RTUs, Other 3rd Party.
Protocol: TCP/IP, Modbus, OPC, DDE, or Proprietary.
Connection: VSAT, LAN, WAN, Radio, Microwave.
60. What is Information Security?
• Information shall not be Lost, Altered, or Inadvertently Disclosed
– I.e., Availability, Integrity, Confidentiality
• ISO 7498-2, Security across the ISO/OSI Reference Model
– Identification, Authentication, Data Confidentiality, Data Integrity, Non-repudiation
61. Integrating Information Security
• Information Security Integrated with SDLC (DevSecOps)
• Security Management Integrated with IT/OT Management (Operations)
• Actuators (ICS) are out of scope for information security
– Industrial processes are not “information”
62. IoT 0.9 and 1.0 Limitations
• Hard-coded credentials (no identification or authentication)
• Plain-text communication (no data integrity or confidentiality)
• Flat system architecture (no secure kernel)
• Simple or no software/firmware update
• Minimal logging or alerting
• Proprietary networking
• Very low power
• Sometimes physically inaccessible
• Lightweight systems management infrastructure (if any)
– XMPP, MQTT, CoAP, 6LowPAN
63. Securing IoT 1.0
• Restrict to segmented network
– Reduce attack surface
• Monitor network traffic
– Detect unwanted signals
• Monitor processor utilization
– Detect unwanted processes
• Deploy out-of-band sensors
– Logging, analysis, reporting
• Freeze servers and infrastructure
– No updates, no upgrades, no installs
68. Case Study: Medical Instruments
• Initially little technology in operating rooms
• Technological improvements – patient monitors, blood-gas analysis, EKG, EEG, but independent
• Introduce networked OR suite, link to hospital IT network …
• WannaCry ransomware
Medical Implants (could happen)
“… adversaries could change the settings of the neurostimulator to increase the voltage of the signals that are continuously delivered to the patient’s brain. This could prevent the patient from speaking or moving, cause irreversible damage to his brain, or even worse, be life-threatening.”
71. Case Study: Power Generation
• Initially hard-wired on site
• Technological improvements – sensors, safety systems, but still local
• Introduce networked remotely managed operation and oversight
• Link to utility corporate network …
• Aurora attack: open breaker, close breaker
SCADA Vulnerabilities from ZDI
Over 250 SCADA submissions to the Zero Day Initiative, 2015/2016:
• Lack of authentication/authorization and insecure defaults: 23.36%
• Memory corruption: 20.44%
• Credential management: 18.98%
• Code injection: 8.76%
• Others: 28.46%
74. How Trend Micro Can Help
• Monitor network traffic (work and home)
• Observe processor utilization
• Report software/firmware level
• Analyze logs
• Integrate with SIEM
• Consolidate reporting, management
– One pane of glass
75. Conclusions and Future Work
• “History doesn’t repeat itself, but it rhymes.”
– We’ve been here before: PC security 1988, LAN security 1992, Internet security 1995, Wi-Fi security 1999, Cloud security
• Inventory IoT landscape
– Asset management, discovery, categorization
• Upgrade weak IoT devices, networks
• Support secure IoT architecture
• Plan for regulatory mandates
76. References
Typical DCS Architecture from “Protecting Industrial Control Systems from Electronic Threats,” Joseph Weiss, Momentum Press, 2010.
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/the-state-of-scada-hmi-vulnerabilities
Taiwan ransomware attack: http://www.cbc.ca/news/technology/ransomware-cybersecurity-hack-conditions-1.4114349
Securing Wireless Neurostimulators. Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, Tempe, AZ, Mar 19, 2018 (CODASPY ’18), 12 pp. https://doi.org/10.1145/3176258.3176310
ARM Platform Security Architecture: https://developer.arm.com/products/architecture/platform-security-architecture
Sayano-Shushenskaya Dam Accident: https://www.youtube.com/watch?v=yfZoq68x7lY
105. CONFIDENTIAL FOR INTERNAL USE ONLY
The IT Resilience Platform
Releasing data mobility in the multi-cloud, multi-site world
Nick Williams
IT Resilience (diagram): Planned – Mergers & Acquisitions, Move to Cloud, Datacenter Consolidation, Maintenance & Upgrades. Unplanned – User Errors, Infrastructure Failures, Security & Ransomware, Natural Disasters.
Zerto IT Resilience Platform: Continuous Availability, Workload Mobility, Multi-Cloud Agility.
Deliver an always-on customer experience; move with ease and without risk; leverage cloud to accelerate business.
One Platform For IT Resilience
• Multi-Cloud Workload Mobility, Non-Disruptive Orchestration & Automation
• Continuous Data Replication
• Continuous Data Protection
• Application Consistency Grouping
• Journal-based Recovery
• Long-term Retention
• Analytics & Control
IT Resilience Platform (diagram: Production Site vCenter replicating VM-level to BC/DR Site vCenter)
• Powerful & Resilient – scale-out, compression, throttling
• No Impact Protection and Testing – block-level, no snapshots, no agents
• Continuous Data Protection – checkpoints in seconds, recover any to any
• Simple Deployment – no downtime, install in minutes
Solve for Multi-Cloud
Zerto Virtual Replication 6.0: a single platform for continuous availability, data protection and workload mobility to, from, and between multiple clouds.
Zerto Virtual Replication 6.0 (feature wheel): Any2Any Mobility; Remote Upgrades; JFLR for Linux; Network Analysis; Continued Scalability; Multi-Cloud, Hybrid Cloud; Enhanced APIs.
Any2Any Mobility
Azure to Azure
Failback from AWS
Public Cloud to Public Cloud
Any2Any: Microsoft Azure
• Intra-Cloud – Region to Region (new): Azure to Azure replication & automation
• New Azure regions supported: Azure Government, Germany, China
• On-Premises to Azure: one-to-many, bi-directional replication & automation
Any2Any: AWS
• Replication & automation from On-Premises to AWS (S3), and failback from AWS
• No performance impact
• No agents
• One experience, one platform
Any2Any: Multi-Cloud
• Inter-Cloud – Public Cloud to Public Cloud (new): bi-directional replication & automation between Azure and AWS (S3), plus On-Premises
• Azure to AWS one-to-many supported
Any2Any: Multi-Cloud, Hybrid Cloud
One-to-Many across On-Premises sites, Azure, AWS (S3), IBM Cloud and Zerto CSP.
Simplicity Through Automation – 4-Click Recovery Process
1. Click Failover
2. Select Apps
3. Verify
4. Start Failover
Zerto Analytics
Multi-Site, Multi-Cloud Visibility
New Network Performance Analysis
New 30 Day Network History
API Driven
New Live Network Reports – Zerto Analytics
Network Performance History
• Throughput (max/avg)
• WAN Traffic (max/avg)
• Zoom in to troubleshoot
New Live Network Reports – Zerto Analytics
IOPS History
• IOPS (max/avg)
• Zoom in to troubleshoot
Continued Scalability
Support 10,000 VMs within each ZVM / VMware vCenter pair
Not just insurance
Production Site – VM-Level Replication – AWS
• Hybrid Cloud
• Multi-Cloud
• One-to-Many
129. Security & Resilience for next generation infrastructures
and the IoT: activities and lessons learned
5th Digital Energy Conference 2018
Aberdeen, 1-2 May, 2018
Dr. Angelos K. Marnerides
Lecturer (Assistant Professor) in Computer Networks
InfoLab21
School of Computing & Communications
Lancaster University
angelos.marnerides@lancaster.ac.uk
130. Outline
• Resilience in Systems
• Part I : Activities on SmartGrid E2E cybersecurity & resilience
– EU EASY-Res
– Upside KTP
– Showcase: Anomaly detection/power profiling on AMIs
• Part II: SCC ICS testbed – cybersecurity & resilience assessment
– ICS testbed Architecture
– Showcase: Attack detection in ICS
• Part III: On large-scale IoT-based attacks
– MATI: Macroscopic Analysis of ioT-based Intrusions
– Showcase: Botnet scan traffic characterisation
131. Resilience in systems
• System resilience is defined as the ability of a system to maintain acceptable levels of operation in the face of challenges, including:
– Malicious attacks, operational overload, misconfigurations, equipment failures
– Resilience management encompasses the traditional FCAPS (fault, configuration, accounting, performance, and security) functionalities
• The Networking group as well as the Security Lancaster Institute in SCC at Lancaster University (since the early 2000s) addresses system resilience in a range of topics such as the backbone Internet, cloud computing, sensor networks, the SmartGrid, ICS and the IoT (national/international research projects, 50+ PhD/MSc/BSc theses).
132. Part I: Enable Ancillary Services bY Renewable Energy Sources (EASY-RES) - EU H2020, 2018-2021
• Aims:
– Develop novel control algorithms for all converter-interfaced Distributed Renewable Energy Sources (DRESs) and enable them to operate similarly to conventional Synchronous Generators (SGs)
– Providing damping of transients, reactive power, fault ride through and fault-clearing capabilities
• Lancaster contribution
– Definition of a novel high-level substrate architecture for interactions in the EASY-RES ecosystem
– Development of novel mechanisms for secure and resilient data communication
– Provision of data processing, analysis, and visualization to support the Transmission System Operator (TSO) and Distribution System Operator (DSO) operations such as accounting, optimization and control support.
133. Part I: EASY-RES (cont.)
Figure: EASY-RES ecosystem architecture (roles, stakeholders and their connection with the software components; analysis and selection of communication infrastructure and channels for use within the project). Surrounding text is truncated in the extraction.
Legend
TSO = Transmission System Operator
DSO = Distribution System Operator
ICA = Individual Control Area
μG = micro grid
BESS = Battery Energy Storage System
DRES = Distributed Renewable Energy Source
SDDC = Software Defined Data Centre
PKI = Public Key Infrastructure
AS = Ancillary Service
134. Part I:
Upside LTD – Knowledge Transfer Partnership
• Funding body : Innovate UK, duration: 2 years (2018-2020)
• Upside LTD runs a virtual energy store:
– Shifting electricity usage from peak to off-peak times
– Relieve stress on the grid
– Reduce costs and environmental impact
• Technology
– Use available battery capacity (e.g. UPS capacity)
– Interconnect batteries to form a distributed system
– A power plant with properties of an IoT application
135. Part I:
Upside LTD – Knowledge Transfer Partnership (cont..)
• Goal:
– Design & implement a novel, unified security framework that expands the OpenADR
protocol, complies with ISO27001 standard and GDPR.
• Core technical objectives:
– Secure the end-to-end (E2E) interaction of their customers with their cloud-based services
and further empower service reliability.
→ E2E Privacy-aware Public Key Infrastructure (PKI)
– Detect in advance any malicious intent throughout the complete E2E communication
between the Upside Fleet Devices and the Upside Cloud services.
→ Anomaly detection under privacy-aware Big Data analytics.
136. Part I:
Showcase: Power consumption profiling
& anomaly detection on smart meter data
• Consumption from an Advanced Metering Infrastructure “pilot” deployment in the US
(440 households in the state of Massachusetts in 2016).
• Novel mathematical methods on feature composition and data clustering using time-
frequency and information theory metrics (i.e., information entropy).
Figure: Attacks & Failures (320 houses microgrid). 3-D cluster plot of Rényi Entropy (bits) vs Mean Frequency Marginals (Hz) vs Mean Time Marginals (sec); clusters HC, LC, EC, MC, LMC; load altering attack and appliance-level failures highlighted; common “bad” clustering vs our method. Processing cost < 1.2 sec.
Marnerides, A. K., Smith, P., Schaeffer-Filho, A., Mauthe, A. Power Consumption Profiling using Energy Time-Frequency Distributions in Smart Grids, in IEEE Communications Letters.
137. Part II:
U. Lancaster Industrial Control Systems Lab
• Primarily funded by the GCHQ.
• Supported by Fujitsu, Raytheon and Airbus.
• 5 active academics, 10 PhD students, 8 MSc students
141. Part III: Large-scale IoT-based attacks (background)
• Large-scale network intrusions/attacks (e.g. DDoS)…
→ recently seen as coordinated large-scale IoT-based attacks (e.g. Mirai botnet)
→ IoT devices: compromised “bots” for a given botmaster
• How are such devices initially located?
– Customized network scans (shown shortly in the showcase...)
– Recently: Hacker-friendly Search Engines (HfSEs)
• How do attackers hide such scans and themselves?
– IP spoofing over legitimate IPv4/IPv6 addresses
– Darkspace’s unused IPv4/IPv6 address range (a.k.a. Internet background radiation)
142. Part III: Large-scale IoT-based attacks (activities: SCC threat intelligence lab)
• Fujitsu have provided:
– Equipment and licencing
– Technical resource to build the system
• Provides a fully isolated experimental environment
– Typical honeypot
– Experimental networks for malware analysis
– Malware teardown and reverse engineering
– Automated testing and realistic traffic
– IoT testbed integration
143. Part III:
Activities: MATI - Macroscopic Analysis of ioT-based Intrusions
• Supported by the GCHQ, Fujitsu, Raytheon
• Technical Aims:
➢ IPv4/IPv6 Darkspace & HfSEs
measurement & monitoring
➢ Network Traffic Big Data-based
Characterization
➢ Service resilience impact prediction
➢ Cloud-based Diagnostic Tool Development
(MATIaaS)
144. Part III: Showcase: Botnet scanning characterisation
• Network scans → botnet propagation
• Scanning is also a useful NOC tool and may be considered as a legitimate process.
• Can we distinguish botnet-related scanning activity from other types?
• Approach: Comparison of botnet scans vs. NMAP scans of various types using real network traffic from backbone Internet links (2014-2016).
• Method: Multivariate timeseries analysis of flow features under conditional entropy
Conclusion: Botnet-related scans are carefully crafted and they look alike in terms of their entropy!
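The showcase compares scans through entropy features of flow timeseries. The following is an added example, not code from the MATI project or the Lancaster lab: it computes Rényi entropy (the metric of the Part I showcase) and conditional entropy of flow features per time window, then measures how closely two scans' entropy profiles match. All flow records are constructed and the window size, feature set and tolerance are assumptions.

```python
"""Entropy profiles of scan traffic: do two scans "look alike"? (added example)"""
from collections import Counter
from math import log2
from typing import Dict, List, Sequence, Tuple

# Flow record: (time_sec, src_ip, dst_ip, dst_port, packets, bytes)
Flow = Tuple[int, str, str, int, int, int]

# Constructed flows (not captured traffic). The two "crafted" scans send
# identical single-packet probes to one service port across many hosts; the
# interactive scan varies ports, packet counts and sizes from flow to flow.
CRAFTED_SCAN_A: List[Flow] = [
    (t, "10.0.0.5", f"192.0.2.{t % 250 + 1}", 23, 1, 60) for t in range(60)]
CRAFTED_SCAN_B: List[Flow] = [
    (t, "10.0.0.77", f"198.51.100.{(3 * t) % 250 + 1}", 23, 1, 60) for t in range(60)]
INTERACTIVE_SCAN: List[Flow] = [
    (t, "10.0.0.9", f"203.0.113.{(7 * t) % 250 + 1}",
     (22, 80, 443, 445, 8080)[t % 5], 1 + t % 3, 60 + 14 * (t % 4))
    for t in range(60)]


def shannon_entropy(symbols: Sequence) -> float:
    """H(X) in bits over the empirical distribution of the symbols."""
    n = len(symbols)
    return -sum(c / n * log2(c / n) for c in Counter(symbols).values())


def renyi_entropy(symbols: Sequence, alpha: float = 2.0) -> float:
    """Rényi entropy of order alpha in bits; alpha = 1 falls back to Shannon."""
    if alpha == 1.0:
        return shannon_entropy(symbols)
    n = len(symbols)
    return log2(sum((c / n) ** alpha for c in Counter(symbols).values())) / (1 - alpha)


def conditional_entropy(given: Sequence, target: Sequence) -> float:
    """H(target | given) = H(given, target) - H(given), from the joint counts."""
    return shannon_entropy(list(zip(given, target))) - shannon_entropy(given)


def entropy_timeseries(flows: List[Flow], window: int = 20,
                       alpha: float = 2.0) -> List[Dict[str, float]]:
    """One entropy feature vector per time window of `window` flows."""
    series = []
    for start in range(0, len(flows), window):
        win = flows[start:start + window]
        ports = [f[3] for f in win]
        series.append({
            "H_dst_ip": renyi_entropy([f[2] for f in win], alpha),
            "H_dst_port": renyi_entropy(ports, alpha),
            "H_pkts|port": conditional_entropy(ports, [f[4] for f in win]),
            "H_bytes|port": conditional_entropy(ports, [f[5] for f in win]),
        })
    return series


def profile_distance(a: List[Dict[str, float]], b: List[Dict[str, float]]) -> float:
    """Mean absolute difference between the feature vectors, window by window."""
    pairs = list(zip(a, b))
    total = sum(abs(wa[k] - wb[k]) for wa, wb in pairs for k in wa)
    return total / (len(pairs) * len(a[0]))


def look_alike(a: List[Dict[str, float]], b: List[Dict[str, float]],
               tolerance: float = 0.1) -> bool:
    """True when two scans' entropy profiles are within the (assumed) tolerance."""
    return profile_distance(a, b) <= tolerance


if __name__ == "__main__":
    a, b, n = (entropy_timeseries(s) for s in (CRAFTED_SCAN_A, CRAFTED_SCAN_B, INTERACTIVE_SCAN))
    print("crafted A vs crafted B:", round(profile_distance(a, b), 3), look_alike(a, b))
    print("crafted A vs interactive:", round(profile_distance(a, n), 3), look_alike(a, n))
```

The crafted scans have zero conditional entropy of packet count and size given port (every probe is identical), so their profiles match exactly, while the interactive scan sits well outside the tolerance.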
145. Future Directions
• Next generation infrastructure systems have large overlap with
– the …“not so smart” yet Grid
– Internet of Things (IoT) applications
– Industrial Control Systems (ICS)
– The Internet backbone
• Energy and ICS systems have unique security challenges
– Security & resilience impacts on the physical world
– Energy systems cannot be shut down
– Energy systems are highly distributed
– System changes/improvements are challenging
Work in this space requires collaboration between industry and academia!
148. Technology trends made possible by cloud computing that are truly revolutionary
• Hybrid cloud management allows organisations to actually deliver business change
• Skills & experience within oil & gas will ensure barriers to cloud can be overcome
172. Copyright ThinkTank Maths Ltd 2017
Embracing the possible: applying cross-transferable
innovation from other industries
Angela Mathis
Chief Executive
Digital Energy 2018
5th Annual Conference
2nd May 2018
New MER Landscape
OGA
- technology plans, behaviour and R&D spend measurement
- Operator evaluation; leader, fast follower, informed buyer
- NDR (National Data Repository)
https://www.ogauthority.co.uk/media/4807/documentsscottish-oil-club-presentation.pdf
‘ONE’
- vision and leadership
OGTC
- shared risk investment (50% and in-kind)
- JIP opportunities
- partner with new capability providers
Accelerating innovation through applied learning from other sectors
….aerospace, defence, transport, health
What do all our customers have in common?
• Need support in decision-making to drive better outcomes
• Huge, unstructured, fast-growing complex datasets
…want to find and operationalise the value in their data
• Data analysis …various techniques (maths & stats)
• Need new tools that are integrated into existing processes – must fit within the system and context of how organisations currently do business
…‘trusted’, user-friendly, legacy-compatible software
Example: Health
Public Health Improvement – “Data driven action”
“In God we trust; all others must bring data.” W. Edwards Deming
Director, Public Health and Intelligence
Population Health Challenge
Life expectancy compared with other European countries.
Scotland
Benchmarking the energy sector against the digital
innovation curve of other industries
Why Digitalisation Now?
• Global data generation has increased by 90% in the past two years
• Processing power costs have decreased by 50 times since 2007
• 3D printing will increase by 2,000% between 2015 and 2030
• The use of digital sensors will grow by 700,000% by 2030
Examples of cross-transferable capability
intelligence and application
Cross-over capability from Military and Aerospace to the Oil and Gas industry
- Asset Integrity; through-life monitoring and risk assessment (CBM), anomaly detection, root cause analysis, prediction of failure (integrity kick) for timely maintenance
- Manage Drilling Operations; dynamic wellbore positioning accuracy, wellbore planning, relief well planning, wellbore stability prediction – preventing troubles while drilling (e.g. avoiding stuck pipe ...)
- P&A; identify viable cost savings, predict leakage to surface (HSE compliance)
Example: ‘Trusted’ Decision Support Systems with Dynamic Situation Awareness
TTM’s Trusted Reasoning Architecture (TRA) is a novel mathematical architecture for semi-autonomous (man-in-the-loop) ‘command and control’ decision aids, intelligent cockpit, urban search, drones... (UK Ministry of Defence)
TRA-based systems:
- non rule-based
- learn (capture the world real-time and update their situational awareness),
- flag up subtle anomalies in static and real-time sensor data
Why ‘trusted’?
- they explain their reasoning to the human operator
Example 1: Dynamic System for Wellbore Positioning Quality Control – Trusted Reasoning Architecture (TRA) Workflow
Diagram components (as labelled): SiteCom WITSML Server (“Real-time” visualisation archive, CSV); Internal Archive (bespoke format); “Static data” Server (nominal field values, BGGM + IFR + IIFR); BGS TRA Server (+ Client); Sensor Data from BHA (MWD + LWD); Drilling Company; TRA Clients (browser, “Drill Simulator”); Historical Surveys (CSV, LAS); Trusted Reasoning Architecture (TRA).
Dynamic System for Wellbore Positioning Quality Control
Decision support: Output Visualisation Screen and Dashboard
Dynamic System for Wellbore Positioning Quality Control
High Resolution LWD-based Quality Control – Using Different Data
Quality Control from LWD data provides information about the magnetic environment at higher resolution than sparse MWD surveys.
• Additional information about geological environment
• Provides information to refine magnetic processing methods
Example 2:
Prediction of Well Integrity and Leakage to Surface
Intelligent Diagnostic and Decision Support System
Optimised Plug and Abandonment
The Essentials
• Leadership
• Domain Experts (i.e. operations, engineering, I.T.)
• Maths/Stats capability
• Data
Getting started
- Leadership engagement; resource and budget commitment
- create an empowered, multi-skilled expert team with a shared vision
- partner to fill skills gap (Maths/Stats)
- identify and prioritise business issues of strategic importance
- agree a project ‘challenge statement’
- define target outcomes; savings, efficiency goals
- gather existing data and check what you can do with it
Fundamental change: avoid siloed teams, siloed data
and isolated programmes
Example : New Space or Space 4.0
from Air Traffic Control to Smart Airports and Cities
- utilising existing core engineering and I.T. competencies
- breaking the traditional organisational and domain expert siloes
- creating new (versatile) capability, not (static) products
- capturing value and opportunity of ‘data’
- create new working partnerships with innovative small companies
(e.g. A.I., data analysis, machine learning, etc)
Removing the blinkers and improving visibility and collaboration
Consortium (JIP) Aspirational Projects are great as a sector call to action,
….it’s the deliverables in the road-map that count
Companies can explore ‘the art of the possible’ as a sector
– shared ideas, costs & risks
Aerospace example: ‘The Conscious Aircraft’ or Digital Twin
- CBM, failure detection, root cause analysis, predictive maintenance
- pilot decision support (towards single pilot) augmented intelligence
- efficient power usage
“It takes courage to take on and recognise new ways of working. There is a need for a breed
of sector leaders who are brave, courageous and committed.”
Colette Cohen, CEO, UK Oil & Gas Technology Centre
November 2016
“Digitalisation requires bold, forward-looking leadership.”
Grethe Moen, CEO, Petoro AS - July 2017
Thank you
Contact: Angela Mathis, CEO
a.mathis@thinktankmaths.com
ThinkTank Maths Limited
www.thinktankmaths.com
206. MER UK Strategy – Central Obligation
“Relevant persons must take the steps necessary to secure that the maximum value of economically recoverable petroleum is recovered from the strata beneath UK waters.”
Oil and gas production over the period 2016–2050 is now projected to total 11.7 billion barrels of oil equivalent (boe) – an extra 2.8 billion barrels.
We need to use our data more effectively …
209. OGTC Digital transformation themes
Using digital technology to drive operating performance
• Digitally enabled supply chain
• Smart facilities
• Optimised production
• Digital and data architecture
• Digitally enabled worker
• Artificially intelligent sub-surface teams
Deliver more barrels; become more efficient
216. Data platform layers
• Foundation – making data infrastructure available: data stores, DevOps, cloud
• Platform – making data available by building a solid base: data science platforms & API, agile workbench
• Data Science – explore scenarios and answer questions: data scientist, data engineer, domain expertise
217. We inspire, accelerate and fund technology and innovation
Driving digital transformation
We are all about technology innovation...
Inspire – Stimulate – Accelerate – Deliver
... working in partnership with industry.
218. Current project activity
• 7 projects already underway
• 14 proposals under evaluation
• Route in: direct approach or open call
First call for ideas complete:
• 73 ideas submitted
• 4 projects identified
• £1.2 million of OGTC funding
• £1.4 million industry matching
219. Digital Technology Themes
Digital themes: Digitally Enabled Supply Chain; Artificially Intelligent Subsurface Teams; Digitally Enabled Worker; Smart Facilities; Production Optimisation; Digital and Data Architecture
Digital sub themes:
• Track & Trace
• Integrated Planning
• Data Exchange – Standardisation & Collaboration
• Vessel Logistics
• Applying Data Science
• Machine & Cognitive Learning
• Alexa for Subsurface
• NDR 3.0
• Open application platforms
• Wearable Technology
• AR/VR workplace support
• Digital Assistants
• Back Office automation and bots
• Upskilling
• Digital Twins and 3D model convergence
• Remote Operations
• IoT and operational data platforms
• Condition Based Monitoring
• Smart Optimisers
• Well integrity
• Production monitoring
• Sensor Development
• Communication technologies
• Cyber security
• Data Architecture
• NDR 4.0 – Open Data platforms
Industry sponsors: Shell; BP
Value focus: inventory reduction; reduced duplicate orders; increased asset uptime
Industry owners: Efficiency Task Force; Supply Chain Forum; Exploration Task Force; Asset Stewardship Task Force
221. Area of Interest
Northern North Sea Area of Interest:
• Use machine learning techniques to identify remaining ‘overlooked pay’
• Use available well data within the AOI
• Excludes seismic data for this phase
• ~1,200 exploration wells
• Up to 7,000 including A&D wells
• Mainly log data plus available associated data, e.g. core, reports, etc.
Deliverable:
• Ranked list of ‘overlooked pay’ opportunities in order of confidence
222. Approved projects
Projects: Asset Healthcare and Diligence Assessment using Advanced Analytics; Using predictive technology and behavioural diagnostics to identify human risk; SEER - Alarm RCA Application; Well Intelligence Application; LoRaWAN for offshore; Marine Logistics Vessel Optimisation; UK Hub - Shared supplier information repository for the UK Oil and Gas Industry; Seismic in the Cloud
Columns: Value; OGTC / Industry (funding split); Goal; TRL; Value driver score
First row: £86,200; 46.42% / 48.46%; Fix Today; 4 - 6; 69%
Remaining values: £164,910; £598,000; £2,170,900; £982,950; £89,900; £27,500; £264,500
Remaining OGTC / Industry splits: 19% / 81%; 36.46% / 22.92%; 38.93% / 57.73%; 41.09% / 47.27%; 28.73% / 69.75%; 37.62% / 60.7%; 41.2% / 51.43%
Remaining goals: Fix Today (6 projects); MER UK (1 project)
Remaining TRL ranges: 4 - 6; 5 - 9; 4 - 8; 7 – 8; 3 - 4; 6 - 8; 6 - 7
Remaining value driver scores: 71.5%; 71.5%; 72%; 68.5%; 64%; 75%; TBC
Cults Telecom Services Ltd
224. Closing Panel Session
Steven Ritchie, Baker Hughes GE
Stephen Ashley, OGTC
Angela Mathis, Think Tank Maths
Jackie Doyle, Opportunity North East
Emma Perfect, Lux Assure
#de18
228. Security & Resilience for next generation infrastructures
and the IoT: activities and lessons learned
5th Digital Energy Conference 2018
Aberdeen, 1-2 May, 2018
Dr. Angelos K. Marnerides
Lecturer (Assistant Professor) in Computer Networks
InfoLab21
School of Computing & Communications
Lancaster University
angelos.marnerides@lancaster.ac.uk
229. Outline
• Resilience in Systems
• Part I : Activities on SmartGrid E2E cybersecurity & resilience
– EU EASY-Res
– Upside KTP
– Showcase: Anomaly detection/power profiling on AMIs
• Part II: SCC ICS testbed – cybersecurity & resilience assessment
– ICS testbed Architecture
– Showcase: Attack detection in ICS
• Part III: On large-scale IoT-based attacks
– MATI: Macroscopic Analysis of IoT-based Intrusions
– Showcase: Botnet scan traffic characterisation
230. Resilience in systems
• System resilience is defined as the ability of a system to maintain acceptable levels of
operation in the face of challenges, including:
– Malicious attacks, operational overload, misconfigurations and equipment failures
– Resilience management encompasses the traditional FCAPS (fault, configuration, accounting,
performance and security) functionalities
• The Networking group and the Security Lancaster Institute in SCC at Lancaster
University have, since the early 2000s, addressed system resilience across a range of topics such as
the backbone Internet, cloud computing, sensor networks, the SmartGrid, ICS and the
IoT (national/international research projects, 50+ PhD/MSc/BSc theses).
231. Part I:
Enable Ancillary Services bY Renewable Energy Sources
(EASY-RES) - EU H2020, 2018-2021
• Aims:
– Develop novel control algorithms for all converter-interfaced Distributed Renewable Energy
Sources (DRESs) and enable them to operate similarly to conventional Synchronous Generators
(SGs)
– Provide damping of transients, reactive power, fault ride-through and fault-clearing capabilities
• Lancaster contribution
– Definition of a novel high-level substrate architecture for interactions in the EASY-RES ecosystem
– Development of novel mechanisms for secure and resilient data communication
– Provision of data processing, analysis, and visualization to support the Transmission System
Operator (TSO) and Distribution System Operator (DSO) operations such as accounting,
optimization and control support.
232. Part I:
EASY-RES (cont.)
[Figure: EASY-RES ecosystem diagram. The accompanying caption text is truncated in the source; the legible fragments concern identification of roles and stakeholders inside the EASY-RES ecosystem and their connection with software components (a subtask closely related to WP5), and analysis of the communication infrastructure and selection of communication channels for use within the project, following the requirements analysis.]
Legend
TSO = Transmission System Operator
DSO = Distribution System Operator
ICA = Individual Control Area
μG = micro grid
BESS = Battery Energy Storage System
DRES = Distributed Renewable Energy Source
SDDC = Software Defined Data Centre
PKI = Public Key Infrastructure
AS = Ancillary Service
233. Part I:
Upside LTD – Knowledge Transfer Partnership
• Funding body : Innovate UK, duration: 2 years (2018-2020)
• Upside LTD runs a virtual energy store:
– Shifting electricity usage from peak to off-peak times
– Relieving stress on the grid
– Reducing costs and environmental impact
• Technology
– Use available battery capacity (e.g. UPS capacity)
– Interconnect batteries to form a distributed system
– A power plant with properties of an IoT application
234. Part I:
Upside LTD – Knowledge Transfer Partnership (cont.)
• Goal:
– Design & implement a novel, unified security framework that extends the OpenADR
protocol and complies with the ISO 27001 standard and GDPR.
• Core technical objectives:
– Secure the end-to-end (E2E) interaction of their customers with their cloud-based services
and further empower service reliability.
→ E2E Privacy-aware Public Key Infrastructure (PKI)
– Detect in advance any malicious intent throughout the complete E2E communication
between the Upside Fleet Devices and the Upside Cloud services.
→ Anomaly detection under privacy-aware Big Data analytics.
235. Part I:
Showcase: Power consumption profiling
& anomaly detection on smart meter data
• Consumption data from an Advanced Metering Infrastructure “pilot” deployment in the US
(440 households in the state of Massachusetts in 2016).
• Novel mathematical methods for feature composition and data clustering using time-
frequency and information-theoretic metrics (i.e., information entropy).
[Figure: 3-D scatter plot with axes Rényi Entropy (bits), Mean Frequency Marginals (Hz) and Mean Time Marginals (sec, scaled x 10^4); consumption clusters labelled HC, LC, EC, MC and LMC, with a load altering attack and appliance-level failures marked. Title: Attacks & Failures (320 houses microgrid).]
Marnerides, A. K., Smith, P., Schaeffer-Filho, A., Mauthe, A., Power Consumption Profiling
using Energy Time-Frequency Distributions in Smart Grids, IEEE Communication Letters.
Processing cost < 1.2 sec
[Panels: Common “bad” clustering vs. Our method]
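The slide's point is that an information-theoretic summary of a meter's consumption (entropy of where its energy sits in time, plus the time marginals) separates ordinary households from tampered or failing ones. The following is an added example, not the authors' method or code: it uses only the energy-over-time distribution (no time-frequency transform), Rényi entropy of order 2, an energy-weighted time centroid as a stand-in for the time marginal, and a median-distance rule with constructed tolerances. All households, readings and thresholds are constructed for the example.

```python
import math
from typing import Dict, List, Sequence, Tuple

SLOTS_PER_DAY = 48                 # half-hourly readings (constructed granularity)
SLOT_HOURS = 24.0 / SLOTS_PER_DAY  # 0.5 h per slot


def renyi_entropy(p: Sequence[float], alpha: float = 2.0) -> float:
    """Rényi entropy of order alpha, in bits, of a probability vector p.

    alpha = 1 is the Shannon limit; alpha = 2 (collision entropy) is used below.
    """
    p = [x for x in p if x > 0.0]
    if math.isclose(alpha, 1.0):
        return -sum(x * math.log2(x) for x in p)
    return math.log2(sum(x ** alpha for x in p)) / (1.0 - alpha)


def energy_share(readings: Sequence[float]) -> List[float]:
    """Turn one day's kW readings into the fraction of the day's energy per slot."""
    total = sum(readings)
    if total <= 0.0:
        raise ValueError("no energy recorded for this day")
    return [r / total for r in readings]


def profile(readings: Sequence[float], alpha: float = 2.0) -> Tuple[float, float]:
    """Two-feature profile of a day: (Rényi entropy of the energy-over-time
    distribution, energy-weighted mean time of day in hours)."""
    p = energy_share(readings)
    centroid_h = sum(i * SLOT_HOURS * pi for i, pi in enumerate(p))
    return renyi_entropy(p, alpha), centroid_h


def _median(xs: Sequence[float]) -> float:
    s = sorted(xs)
    n = len(s)
    return s[n // 2] if n % 2 else 0.5 * (s[n // 2 - 1] + s[n // 2])


def flag_anomalies(profiles: Dict[str, Tuple[float, float]],
                   entropy_tol: float = 1.0,
                   time_tol_h: float = 4.0) -> Dict[str, List[str]]:
    """Flag households whose profile sits far from the population median.

    The median is used so that a minority of anomalous meters does not drag
    the reference point; the two tolerances are constructed for this example.
    """
    med_e = _median([e for e, _ in profiles.values()])
    med_t = _median([t for _, t in profiles.values()])
    flagged: Dict[str, List[str]] = {}
    for hid, (ent, centroid) in profiles.items():
        reasons = []
        if abs(ent - med_e) > entropy_tol:
            reasons.append("entropy")
        if abs(centroid - med_t) > time_tol_h:
            reasons.append("time-centroid")
        if reasons:
            flagged[hid] = reasons
    return flagged


def diurnal_day(base_kw: float, peak_kw: float,
                peak_hour: float = 19.0, width_h: float = 3.0) -> List[float]:
    """Constructed household day: flat baseline plus a Gaussian evening peak."""
    return [base_kw + peak_kw * math.exp(-((i * SLOT_HOURS - peak_hour) ** 2) / (2 * width_h ** 2))
            for i in range(SLOTS_PER_DAY)]


def constructed_households() -> Dict[str, List[float]]:
    """Constructed sample: five ordinary homes plus two atypical meters."""
    homes = {
        "h1": diurnal_day(0.3, 2.0),
        "h2": diurnal_day(0.5, 1.0),
        "h3": diurnal_day(0.4, 1.5),
        "h4": diurnal_day(0.2, 2.5),
        "h5": diurnal_day(0.6, 0.8),
        # same shape as h1 but peaking at 04:00: entropy looks normal, timing does not
        "night-house": diurnal_day(0.3, 2.0, peak_hour=4.0),
    }
    # almost all energy in four consecutive slots: very low entropy and an early centroid
    pulse = [0.05] * SLOTS_PER_DAY
    for i in range(4):
        pulse[i] = 5.0
    homes["pulse-house"] = pulse
    return homes


def run(alpha: float = 2.0):
    """Profile every constructed household and return (profiles, flagged)."""
    profiles = {hid: profile(day, alpha) for hid, day in constructed_households().items()}
    return profiles, flag_anomalies(profiles)


if __name__ == "__main__":
    profiles, flagged = run()
    for hid, (ent, centroid) in profiles.items():
        print(f"{hid:12s} H2={ent:5.2f} bits  centroid={centroid:5.2f} h  {flagged.get(hid, '')}")
```

Running it flags "pulse-house" on both features and "night-house" on timing alone, which is the reason the slide pairs entropy with the marginals: a meter whose energy distribution is shaped normally but placed at the wrong time of day is invisible to the entropy feature by itself. On real AMI data the tolerances would be set from a clean baseline period rather than hard-coded.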
236. Part II:
U. Lancaster Industrial Control Systems Lab
• Primarily funded by GCHQ.
• Supported by Fujitsu, Raytheon and Airbus.
• 5 active academics, 10 PhD students, 8 MSc students
240. Part III:
Large-scale IoT-based attacks (background)
• Large-scale network intrusions/attacks (e.g. DDoS) are
→ recently seen as coordinated large-scale IoT-based attacks (e.g. the Mirai botnet)
→ IoT devices act as compromised “bots” for a given botmaster
• How are such devices initially located?
– Customised network scans (shown shortly in the showcase...)
– Recently: hacker-friendly search engines (HfSEs)
• How do attackers hide such scans and themselves?
– IP spoofing over legitimate IPv4/IPv6 addresses
– Darkspace: unused IPv4/IPv6 address ranges (a.k.a. Internet background radiation)
241. Part III:
Large-scale IoT-based attacks
(activities: SCC threat intelligence lab)
• Fujitsu have provided:
– Equipment and licensing
– Technical resource to build the
system
• Provides a fully isolated experimental
environment
– Typical honeypot
– Experimental networks for malware
analysis
– Malware teardown and reverse
engineering
– Automated testing and realistic traffic
– IoT testbed integration
242. Part III:
Activities: MATI - Macroscopic Analysis of IoT-based Intrusions
• Supported by the GCHQ, Fujitsu, Raytheon
• Technical Aims:
➢ IPv4/IPv6 Darkspace & HfSEs
measurement & monitoring
➢ Network Traffic Big Data-based
Characterization
➢ Service resilience impact prediction
➢ Cloud-based Diagnostic Tool Development
(MATIaaS)
243. Part III:
Showcase: Botnet scanning characterisation
• Network scans → botnet propagation
• Scanning is also a useful NOC tool and may
be considered a legitimate process.
• Can we distinguish botnet-related scanning
activity from other types?
• Approach: comparison of botnet scans vs.
Nmap scans of various types using real
network traffic from backbone Internet links
(2014-2016).
• Method: multivariate time-series analysis of
flow features under conditional entropy
Conclusion: botnet-related scans
are carefully crafted and they look
alike in terms of their entropy!
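To make the method concrete from the defender's side, here is an added example (not the MATI code or the talk's dataset) of the conditional-entropy view of flow features over time windows. Each window of flow records becomes a feature vector of H(dst|src), H(dport|src) and H(bytes|dport), so a window is a point in a multivariate time series; a sweep in which one source touches many hosts with one port and one probe size shows up as high fan-out entropy with near-zero port and size entropy, which is the "look alike" signature the slide refers to. The `Flow` record, the `scan_like` thresholds and the two windows of traffic (using documentation address ranges) are all constructed for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed fields, loosely modelled on NetFlow)."""
    t: float      # start time in seconds from the capture start
    src: str
    dst: str
    dport: int
    pkts: int
    octets: int   # bytes carried by the flow


def entropy(counts: Counter) -> float:
    """Shannon entropy in bits of an empirical distribution given as counts."""
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def conditional_entropy(pairs: Iterable[Tuple[object, object]]) -> float:
    """H(X|Y) = H(X,Y) - H(Y) over an iterable of (x, y) observations."""
    pairs = list(pairs)
    return entropy(Counter(pairs)) - entropy(Counter(y for _, y in pairs))


def window_features(flows: List[Flow]) -> Dict[str, float]:
    """Conditional-entropy features of one time window of flows."""
    return {
        "H(dst|src)": conditional_entropy((f.dst, f.src) for f in flows),        # fan-out per source
        "H(dport|src)": conditional_entropy((f.dport, f.src) for f in flows),    # port diversity per source
        "H(bytes|dport)": conditional_entropy((f.octets, f.dport) for f in flows),  # size variety per service
    }


def split_windows(flows: Iterable[Flow], size_s: float) -> List[List[Flow]]:
    """Bucket flows into consecutive fixed-size time windows."""
    buckets: Dict[int, List[Flow]] = {}
    for f in sorted(flows, key=lambda f: f.t):
        buckets.setdefault(int(f.t // size_s), []).append(f)
    return [buckets[k] for k in sorted(buckets)]


def scan_like(feat: Dict[str, float], fanout_min: float = 3.0, uniform_tol: float = 0.1) -> bool:
    """Constructed rule: many distinct targets per source, but one port and one probe size."""
    return (feat["H(dst|src)"] >= fanout_min
            and feat["H(dport|src)"] <= uniform_tol
            and feat["H(bytes|dport)"] <= uniform_tol)


def analyse(flows: Iterable[Flow], window_s: float = 60.0) -> List[Tuple[Dict[str, float], bool]]:
    """Per-window feature vectors (a multivariate time series) with the rule's verdict."""
    out = []
    for window in split_windows(flows, window_s):
        feat = window_features(window)
        out.append((feat, scan_like(feat)))
    return out


def constructed_flows() -> List[Flow]:
    """Constructed capture: a window of ordinary client traffic, then a window
    in which one host sends identical probes to 16 hosts on the same port."""
    flows: List[Flow] = []
    for i in range(4):                       # window 0: four clients, two services each
        src = f"192.0.2.{i + 1}"
        for j in range(4):
            dst, dport = ("203.0.113.10", 443) if j < 2 else ("203.0.113.20", 80)
            flows.append(Flow(t=float(4 * i + j), src=src, dst=dst, dport=dport,
                              pkts=10 + j, octets=500 + 100 * (4 * i + j)))
    for k in range(16):                      # window 1: uniform single-port sweep
        flows.append(Flow(t=60.0 + k, src="198.51.100.7", dst=f"203.0.113.{100 + k}",
                          dport=23, pkts=1, octets=60))
    return flows


if __name__ == "__main__":
    for idx, (feat, verdict) in enumerate(analyse(constructed_flows())):
        feats = "  ".join(f"{k}={v:.2f}" for k, v in feat.items())
        print(f"window {idx}: {feats}  scan-like={verdict}")
```

Window 0 yields H(dst|src) = 1 bit and H(bytes|dport) = 3 bits (normal clients spread over services and sizes); window 1 yields H(dst|src) = 4 bits with zero port and size entropy. In practice the feature vectors would be kept as a series and compared against baseline windows rather than a fixed rule, which is what lets legitimate NOC scanning (different ports, sizes and timing) be told apart from uniform botnet sweeps.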
244. Future Directions
• Next-generation infrastructure systems have a large
overlap with
– the “not so smart” (yet) Grid
– Internet of Things (IoT) applications
– Industrial Control Systems (ICS)
– the Internet backbone
• Energy and ICS systems have unique security
challenges
– Security & resilience impacts on the physical world
– Energy systems cannot be shut down
– Energy systems are highly distributed
– System changes/improvements are challenging
Work in this space requires
collaboration between
industry and academia!
247. 248
TECHNOLOGY TRENDS MADE
POSSIBLE BY CLOUD COMPUTING
THAT ARE TRULY REVOLUTIONARY
HYBRID CLOUD MANAGEMENT ALLOWS ORGANISATIONS TO
ACTUALLY DELIVER BUSINESS CHANGE
SKILLS & EXPERIENCE WITHIN OIL & GAS WILL ENSURE BARRIERS TO
CLOUD CAN BE OVERCOME
257. WHAT WE OFFER
Agility, insight and a personal approach
• Specialism – Security our sole focus for 16 years
• Stability – Part of multi-billion Bytes Altron Group
• Expertise – Fully accredited engineers & account managers
• In-house Consultancy – Full technical services portfolio
• Top Tier Vendor Status – Commercial value & technical delivery
• Unrivalled Support – No first line; escalation engineers on every call
258. OUR EXPERTISE
Network Security; Application Security; Content Security; Data Security;
Access & Authentication; Mobile Security; Security Intelligence;
Breach & Vulnerability Management
259. OUR EXPERTISE
• Network Security: Next Generation Firewall; Endpoint Security; Intrusion Prevention; Network Access Control; Malware/APT Protection
• Content Security: Web Security; Email Security; Anti Spam; Content Control; Antivirus
• Data Security: Data Loss Prevention; Data Theft Protection; Data Encryption; Data Classification
• Application Security: Load Balancing; Denial of Service; Web Application Firewall; Datacentre Security; Cloud Application Delivery
• Access & Authentication: Multifactor Authentication; Privileged Accounts; Access Policy Management; VPN; Removables
• Security Intelligence: Network Visibility; Anomaly Detection; SIEM; Log Management; Rogue Devices; Internal Threats
• Breach & Vulnerability Management: Attack Detection; Patch Management; Vulnerability Management; Penetration Testing
• Mobile Security: Mobile Threat Prevention; Secure Remote Access; Mobile Device Management; BYOD Security
260. INDUSTRY LEADING COMPANY
FOCUS ON YOUR BUSINESS CHALLENGES
EXPERIENCED, QUALITY CONSULTANCY
DIRECT TO ENGINEER – NO FIRST LINE
Top Tier Partnerships with World Leading Technology Providers = Value + Insight
• Speak to an accredited
support expert straight away
• Fix in shortest possible time -
avoid downtime
• Translate business challenges
into technical projects
• Experience and market insight
of security specialist
• Proven Track record -
16 years of consistent growth
• Specialists in field –
100% security focused
• All engineers 5 years+
consulting & support experience
• Full engineer engagement in
pre-sales & account reviews