Fulbright Fellow collaborates on cybersecurity of national infrastructure

Cyber-security of critical infrastructure

Cybersecurity expert Prof. Guillermo Francia recently joined us as a Fulbright Fellow. We hear about his work in protecting critical infrastructure.

Hi Guillermo, first off, welcome to Imperial and to London. What do you research, and what brings you here?

Thanks. At Jacksonville State University I’m the Director of the Center for Information Security and Assurance. We research cybersecurity of Critical Infrastructure, which could be a nuclear plant or water distribution system for example.

I was introduced to Professor Chris Hankin, Director of the Institute for Security Science & Technology, who also works in this area. We thought a collaboration could be interesting, and I was awarded a Fulbright Award to come to Imperial.

What are the cyber threats to Critical National Infrastructure?

With national infrastructure we have a situation where cyber and physical worlds blur. An attacker, e.g. a terrorist or nation-state, can hack the computer control systems with physical consequences. 

For example, last year an attack on the Ukraine power grid cut power to over 220,000 people. Imagine if that hit a hospital that lacked backup generators. Perhaps even worse, an attacker could in theory shut down the cooling pumps in a nuclear plant, and cause a meltdown much worse than the disaster at Fukushima.

How real is the threat? 

It’s here and growing. Attackers are getting more sophisticated, and we’re uncovering hundreds more vulnerabilities in hardware each month. In the first week of March 2017 alone, some 348 vulnerabilities were discovered!

Also, connectedness and management systems are changing. I was at a water distribution system not long ago, and one of the workers pulled out his smartphone to control pumps 24km away. This presents all sorts of security headaches. 

So how is your research helping?

I focus on how we can detect security breaches. I’m doing this using Behavioural Analysis augmented with Threat Intelligence and Deep Packet Inspection of Network Traffic.

Threat Intelligence is data which can identify previously seen attackers. For example, we might see traffic in our network from an IP address used in another cyberattack. This sort of intelligence can be used to spot and stop attackers, often in the early stages of an attack, such as the reconnaissance stage.

But if we don’t have intelligence we need another way of detecting intrusions. Behavioural Analysis detects abnormalities in a network in real-time. You first get an idea of what ‘normal’ network behaviour is, which in a water system could be the normal routine of how pumps are controlled. At 6am they start up, at around 10am they reduce the flow, and at 5pm switch off. We then look for significant deviations from this, to flag up for closer inspection.

Deep packet inspection is a way of investigating the payload of network packets. In a way, it is a form of digital forensics on control systems. Since control system protocol packets are encapsulated in standard TCP/IP packets, a high-level inspection for malicious payload is not enough.

How does the work at the ISST tie in?

I’m collaborating with Dr Cheng Feng at the Institute for Security Science and Technology to develop this Behavioural Analysis tool.

Back in Jacksonville we have a model water distribution system testbed set up, where my students have been collecting network data. Cheng at the ISST has developed a neural network which will allow the computer to learn what the normal behaviour is, and in turn what abnormal behaviour is. We can then simulate cyberattacks to see if the neural network can detect the abnormal behaviour.

What is a neural network?

An artificial neural network is an approach to computer programming that loosely mimics a brain, structured with many interconnected units. The goal is to solve problems more like a human might, with pattern recognition and learning. It’s a powerful technique that will have a big impact on cybersecurity.

What’s next?

I’m at the Institute for Security Science and Technology until May, so not much longer. After this I’ll head back to Jacksonville, but in the meantime I’m happy to be publishing papers and attending conferences with colleagues at Imperial.

Distinguished Professor Guillermo Francia is Director of the Center for Information Security and Assurance, Jacksonville State University. You can see more about his research here.

Reporter

Max Swinscow-Hall

Institute for Security Science & Technology
