Architecture for a system providing a common operating picture of critical infrastructure

This paper presents an architecture for the Situational Awareness of Critical Infrastructure and Networks (SACIN) framework, which offers a common operating picture of the critical infrastructure with its interdependencies. SACIN delivers the common operating picture through a brokered agent-based architecture. The design follows the Joint Directors of Laboratories (JDL) data fusion model to allow integration of different critical infrastructure systems. A generic agent component is customized for each source system to produce events and allow JDL level 0 integration. Three different analysis components collect the events and produce meaningful objects, current state and future impact estimations in accordance with JDL levels 1 to 3. Brokered architecture allows level 4 control from various components, and JDL level 5 user interface is offered through a Web application. A prototype system has been developed to test and evaluate the SACIN framework. Apache ActiveMQ message broker was used to implement the brokered architecture, and other system components were implemented using Spring framework. The system architecture was tested using real-world data from intrusion detection system (IDS)-generated syslog and a supervisory control and data acquisition (SCADA) system snapshot. Customized agents for IDS and SCADA systems demonstrated that the system can process event and dependency data from different sources as part of the common operating picture and consequently can support situational awareness.