SOCCRATES automates cybersecurity for industrial systems

SOCCRATES is a H2020 European project launched in September 2019 for a three-year period. It aims to develop at least one platform to automate the detection of certain attacks and launch appropriate countermeasures. In doing so, it should help cyber security operators for industrial systems act more quickly and effectively in the event of a cyber attack. Hervé Debar, an information systems security researcher at Télécom SudParis, explains how the research consortium, which includes the school, is going about developing this solution.  

What is the SOCCRATES platform?

Hervé Debar: The SOCCRATES platform is a “Security Information and Event Management” environment that aims to detect and block cyber-attacks more effectively. To do so, the platform collects data about the vulnerabilities present on the monitored system, malicious activity targeting the IT environment, and general information about the threat. It then proposes appropriate countermeasures for the attacks that are detected and makes it possible to implement them.

How does it hope to address the needs of companies and organizations?

HD: SIEM platforms are the core of Security Operating Centers (SOC), where operators  manage cyber threats. All operators of critical infrastructures must monitor their information systems as required by French and European regulations. Faced with growing threats, the SOCCRATES platform aims to provide a greater degree of automation, making it possible to respond to attacks more quickly and precisely. Operators could then focus on the most complex attacks.

What is your approach to developing this platform?

HD: The project focuses primarily on the knowledge with which SOC operators are provided in order to respond to attacks. This knowledge takes one of three forms. The first is increased knowledge of the monitored information system, and of the potential attack paths that could be used to compromise a vulnerable target. Blocking the easiest attack paths can help prevent a hacker from spreading throughout the system. The second form of knowledge is based on an understanding of the threat. This means observing internet attack phenomena in order to improve the detection mechanisms used. And the third form of knowledge involves understanding the impact an attack has on operations in order to assess the risks of countermeasures and the benefits in terms of limiting the impact of an attack.

What expertise are Télécom SudParis researchers contributing to this project?

HD: We’re contributing our expertise in cyber attack remediation, which we developed in particular through the MASSIF and PANOPTESEC European FP7 projects. Our work on these two projects, which were launched in 2013 and 2014, gave us the opportunity to develop in-depth knowledge about industrial cybersecurity, managing attacks and implementing countermeasures. Our response model provides a quantitative assessment of the impact — whether positive or negative — of the remediations proposed to block attacks.

Read more on I’MTech: SPARTA: Defining Cybersecurity in Europe

How do you plan to test the effectiveness of the SOCCRATES platform?

HD: The platform will be implemented and deployed in two pilot environments involving critical infrastructures. In the field of cloud computing, with the company Mnemonic, and in the energy sector with Vattenfall. Mnemonic is a managed security service provider. At Vattenfall, the SOCCRATES platform will be used to monitor networks that control electricity production and distribution.

Beyond these industry partners, how is the project organized?

HD: SOCCRATES is coordinated by the Netherlands Organisation for Applied Scientific Research (TNO). In addition to IMT, three are three Swedish partners (KTH, Foreseeti and Mnemonic), a Finnish partner (F-Secure), ATOS Spain, Vattenfall IT Services (Poland), the Austrian Institute of Technology (AIT), and another Dutch partner, ShadowServer. This consortium is divided into three kinds of contributions: vulnerability analysis, behavioral detection, and attack remediation. Our first major step is to define the use cases and demonstration scenarios that we will use to develop, approve and demonstrate the components of the project. We plan to do this by the end of January.

Learn more about SOCCRATES