SBIR/STTR Award attributes
Existing cybersecurity solutions do not provide descriptive, actionable information when they detect an attack or anomaly, nor do they make accurate mitigation recommendations, which makes it hard to respond quickly to an adverse event. Two factors compound this problem in operational technology (OT) systems: (1) OT systems have unique architectures and use a variety of different, potentially proprietary, protocols, which makes generalizable solutions difficult to build; and (2) any cybersecurity solution must not interfere with the normal operation of the system. Given the criticality of OT systems, their cybersecurity must be taken more seriously, with a focus on providing information that leads to quicker responses to threats and avoids downtime.

This proposal will produce a cyberattack detection and inference solution for OT systems that gives security personnel actionable feedback, allowing faster attack classification and response. The solution will run on its own device and interface with OT systems in a way that avoids interfering with normal activity. It will run an anomaly detection framework that passes the evidence of an anomaly to an engine that uses systemic functional grammars (SFGs), a concept from computational linguistics, to represent the attack space. The engine will use that evidence to probabilistically determine which attack is currently in progress, the most likely alternatives, and recommended mitigations, and will send this information to security personnel, who can then take the steps needed to remediate the attack.

Phase I will consist of developing a proof of concept for the solution's software components. We will work with our subcontractor to identify a target OT system to interface with, and will use their subject-matter expertise and lab to obtain normal operating data, as well as attack data, from a simulated OT system. We will then use this data to assemble an end-to-end demonstration of the software components: (1) data ingestion and transformation; (2) ensemble anomaly detection; (3) the systemic functional grammar engine; (4) mapping attack evidence to attack classes; and (5) recommending mitigations. Phase II will consist of integrating the software components with hardware and integrating the full device with a physical system for testing.

We believe the proposed approach has significant commercial benefit, not only because of its cutting-edge anomaly detection component, but because the grammar engine can interface with any anomaly detection capability, not just ours. This means the attack mapping engine can be leveraged by other anomaly detection solutions, and vice versa. Grounding attack classification in probabilistic evidence allows higher confidence in the detected attack vector, which in turn allows more concrete mitigation recommendations. These capabilities will lead to better actionable cyber intelligence solutions across the operational technology sector.
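The pipeline the abstract describes (ensemble anomaly detection producing evidence, an engine that maps that evidence probabilistically to an attack class, alternatives and mitigations) reduced to a runnable sketch. This is an added example, not code from the proposal: it uses a naive-Bayes scorer as a stand-in for the systemic functional grammar engine the proposal describes, and the three detectors, the likelihood table, the priors, the mitigation text, the Sample fields and the telemetry are all constructed for illustration.

```python
"""Evidence-to-attack-class mapping for an OT monitor (illustrative, not the proposal's code)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    """One telemetry interval: a process value plus two network observations (constructed)."""
    t: int
    level: float        # process variable, e.g. tank level in percent
    write_cmds: int     # write-type protocol function codes seen in the interval
    new_master: bool    # traffic from a master address absent from the baseline


# Constructed baseline: 60 quiet intervals with small process jitter and 1-2 routine writes each.
BASELINE = [Sample(t, 50.0 + 0.2 * ((t * 7) % 5), 1 if t % 3 else 2, False) for t in range(60)]

# Hypothetical likelihood table P(evidence | class) and class priors. In a real system these
# would be learned from lab attack data; here they are hand-set so the example is self-contained.
EVIDENCE_TYPES = ("write_burst", "process_value_deviation", "unknown_master")
LIKELIHOOD = {
    "unauthorized_setpoint_write": {"write_burst": 0.85, "process_value_deviation": 0.70, "unknown_master": 0.60},
    "sensor_spoofing":             {"write_burst": 0.05, "process_value_deviation": 0.90, "unknown_master": 0.15},
    "reconnaissance":              {"write_burst": 0.05, "process_value_deviation": 0.05, "unknown_master": 0.90},
    "process_upset_no_attack":     {"write_burst": 0.05, "process_value_deviation": 0.60, "unknown_master": 0.02},
}
PRIOR = {"unauthorized_setpoint_write": 0.2, "sensor_spoofing": 0.2,
         "reconnaissance": 0.3, "process_upset_no_attack": 0.3}
MITIGATION = {
    "unauthorized_setpoint_write": [
        "Block write function codes from the offending master at the network boundary",
        "Verify the controller setpoint against the engineering record and restore it",
        "Review master station credentials and access paths"],
    "sensor_spoofing": [
        "Cross-check the reading against a redundant or manually read sensor",
        "Inspect the sensor's field wiring and network path"],
    "reconnaissance": [
        "Identify the source address and isolate it",
        "Watch for follow-on write attempts from the same source"],
    "process_upset_no_attack": [
        "Hand to process engineering; keep the cyber alert open until the upset is explained"],
}


def detect_evidence(window, baseline=BASELINE, z_limit=3.0, burst_factor=3):
    """Ensemble of three passive detectors over a window of samples; returns evidence labels."""
    found = set()
    levels = [s.level for s in baseline]
    mu, sigma = mean(levels), pstdev(levels)
    # z-score of the window's mean process value against the baseline
    if sigma > 0 and abs(mean([s.level for s in window]) - mu) / sigma > z_limit:
        found.add("process_value_deviation")
    # write-command burst relative to the busiest baseline interval
    write_limit = burst_factor * max(s.write_cmds for s in baseline)
    if any(s.write_cmds > write_limit for s in window):
        found.add("write_burst")
    # any traffic from a master not seen during baselining
    if any(s.new_master for s in window):
        found.add("unknown_master")
    return found


def rank_attacks(evidence):
    """Naive-Bayes posterior over classes, most likely first.

    Absent evidence counts as (1 - likelihood), so the scorer also uses what did NOT fire.
    Assumes evidence types are conditionally independent given the class (a simplification).
    """
    scores = {}
    for attack, prior in PRIOR.items():
        p = prior
        for ev in EVIDENCE_TYPES:
            lk = LIKELIHOOD[attack][ev]
            p *= lk if ev in evidence else (1.0 - lk)
        scores[attack] = p
    total = sum(scores.values())
    return sorted(((a, s / total) for a, s in scores.items()), key=lambda x: -x[1])


def classify(window, baseline=BASELINE, alt_floor=0.05):
    """Operator-facing report: evidence seen, best class, credible alternatives, mitigations."""
    evidence = detect_evidence(window, baseline)
    ranked = rank_attacks(evidence)
    best, best_p = ranked[0]
    return {
        "evidence": sorted(evidence),
        "attack": best,
        "confidence": round(best_p, 3),
        "alternatives": [(a, round(p, 3)) for a, p in ranked[1:] if p >= alt_floor],
        "mitigations": MITIGATION[best],
    }


# Constructed windows: an attacker writing setpoints from a new master, and a plain process upset.
ATTACK_WINDOW = [Sample(60 + i, 80.0, 9, True) for i in range(5)]
UPSET_WINDOW = [Sample(60 + i, 56.0, 1, False) for i in range(5)]

if __name__ == "__main__":
    for w in (ATTACK_WINDOW, UPSET_WINDOW):
        print(classify(w))
```

Two design points carry over to any real implementation of this stage. First, the scorer includes an explicit no-attack class, so a process upset that only trips the process-value detector is reported as an upset with sensor spoofing as the credible alternative, rather than being escalated as an attack on a single piece of evidence. Second, the detectors consume a copy of telemetry and never write to the control network, which is what the proposal's non-interference requirement demands of any component placed alongside an OT system.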