INL's Sophia tool visualizes network communications to help detect anomalies.

The name Sophia may conjure memories of the silver screen siren, but the Sophia tool developed at DOE's Idaho National Laboratory has a different type of allure. The software sentry offers an easy, elegant way to help network operators detect intruders and other anomalies. Developers named the software using the Greek word for wisdom because that's what it provides to SCADA control system network administrators watching for cybersecurity threats.

Sophia passively monitors communication pathways in a static computer network and flags new types of conversations so operators can decide if a threat is present. The tool was popular with initial users—a handful of utilities and the vendors that sell utility control systems. A second stage of testing involved dozens of companies, and INL is now evaluating deployment of the technology to industry.

"It really is the flagship," said David Kuipers, a program manager with the DOE's National SCADA Test Bed Program at INL, which performs research and development of cybersecurity technology for the energy industry. "It's the first technology of this group that will be transitioned to industry."

Computer systems that run critical infrastructure such as power grids have been around for a long time. Historically, control systems running energy sector facilities didn't require much security because they were isolated from the outside world. But not anymore.

Such control systems are becoming more connected to the Internet via company computer networks. Administrators charged with securing these systems have a big task. They must maintain situational awareness of dozens or hundreds of computer systems that are constantly talking to each other.

For years, INL's critical infrastructure protection experts have been helping the energy industry think more about cybersecurity. With funding support from both the DOE's Office of Electricity Delivery & Energy Reliability and the U.S. Department of Homeland Security, INL has built world-class cybersecurity capabilities.

INL's unique experience, infrastructure and expertise enable full-scale vulnerability assessments of industry supervisory control and data acquisition (SCADA) systems. The first step of a control system vulnerability assessment often requires INL experts to map a company's entire network to locate the myriad devices and communication pathways.

The Sophia project began three years ago as a tool to automate that task for static networks—systems whose communication patterns are fairly fixed. Once the software develops a fingerprint for a given system, Sophia operates passively in the background and observes communications across the entire network. Anything out of the ordinary triggers an alert.


If your body had a sentry like Sophia, it might be able to detect the first whispers of a viral invasion before the bug could do enough damage to make you sick. It could also tell if you simply inhaled a bit of dust. Similarly, Sophia detects new network devices or communication pathways that may signal an intruder's presence early enough to thwart harm to the system.

If Sophia detects something suspicious, it simply alerts the operator or network administrator, who can then investigate. The software lets the human operator evaluate new activity—it doesn't attempt to decide if the novelty is threatening.
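The baseline-then-flag approach described above can be sketched in a few lines. This is an added example, not Sophia's code: the flow tuple, function names and addresses are assumptions constructed for illustration, and it presumes flow records have already been extracted from passively captured traffic.

```python
from collections import namedtuple

# One observed conversation: who talked to whom, over which protocol and port.
Flow = namedtuple("Flow", "src dst proto dport")

def learn_fingerprint(flows):
    """Build the baseline from traffic captured while the network is known-good."""
    flows = list(flows)
    devices = {addr for f in flows for addr in (f.src, f.dst)}
    return {"devices": devices, "pathways": set(flows)}

def detect(fingerprint, flows):
    """Return one alert per novelty; no verdict is attached, the operator decides."""
    alerts = []
    seen_devices = set(fingerprint["devices"])
    seen_pathways = set(fingerprint["pathways"])
    for f in flows:
        for addr in (f.src, f.dst):
            if addr not in seen_devices:
                seen_devices.add(addr)  # alert once per new device
                alerts.append(("new_device", addr))
        if f not in seen_pathways:
            seen_pathways.add(f)        # alert once per new pathway
            alerts.append(("new_pathway", f))
    return alerts

# Constructed sample data (not from a real network).
BASELINE = [
    Flow("10.0.0.10", "10.0.0.21", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    Flow("10.0.0.10", "10.0.0.22", "tcp", 20000),  # HMI -> RTU, DNP3
    Flow("10.0.0.30", "10.0.0.10", "tcp", 443),    # historian -> HMI
]
LIVE = [
    Flow("10.0.0.10", "10.0.0.21", "tcp", 502),    # known conversation, silent
    Flow("10.0.0.30", "10.0.0.21", "tcp", 502),    # known hosts, new pathway
    Flow("10.0.0.99", "10.0.0.22", "tcp", 20000),  # device absent from baseline
    Flow("10.0.0.99", "10.0.0.22", "tcp", 20000),  # repeat, already alerted
]

if __name__ == "__main__":
    for kind, detail in detect(learn_fingerprint(BASELINE), LIVE):
        print(kind, detail)
```

The approach depends on the network being static: on a network whose communication patterns change often, every routine change would surface as an alert.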


Source: Oak Ridge National Laboratory