Open Source Intelligence

The term “Open Source Intelligence”, or OSINT, describes methods for collecting, analysing and using data from publicly available sources of information in an intelligence context[1]. In the context of railway security, many different sources of information that are publicly available may become relevant in different situations. Typical sources of information include general environmental data sources such as emergency weather warnings, situational data such as traffic data related to special events, or security-related data such as terrorism threat level updates, as well as specific technical threat data sources such as manufacturer advisories on device or system vulnerabilities or product recalls and identified cyber threats and cyber security vulnerabilities.

Figure 1: SAFETY4RAILS OSINT Processing Pipeline

Given the abundance of online data sources, accessing and using OSINT data productively requires the automation of the retrieval of relevant data in order to remove information flow bottlenecks, filter data so that irrelevant data is not presented to operators in order to reduce risks related to information overload, analyse the retrieved data in order to appropriately attribute risk and impact estimations to them for human operator review and to store and communicate the created OSINT data for further use by other components of the analytics system and for presentation to human operations specialists.

Open Source Intelligence Analytics In SAFETY4RAILS

In SAFETY4RAILS, we have developed and integrated an OSINT subsystem that specialises in two areas of analytics: cyber security OSINT and environmental and security event OSINT.

For cyber security analytics, SAFETY4RAILS partner Tree Technologies has integrated an enhanced version of their TISAIL cyber security OSINT platform into the overall S4RIS platform. TISAIL implements capabilities for monitoring public repositories and data feeds for information on new relevant cyber security threats and vulnerabilities relevant to a specific system configuration present in a rail or metro network configuration. It uses advanced analytics rules to extract relevant information from the retrieved raw data and also implements functionalities that enable it to proactively scan networks for indicators of compromise that are provided as part of cyber security data.

For environmental and security event OSINT, SAFETY4RAILS partner has developed a new subsystem that gathers data from publicly available news feeds such as weather update and warning systems and security alert feeds, as well as data from social media content sources, where media content generated by users is analysed and aggregated in order to identify OSINT data with sufficiently high confidence for presenting it to human operations specialists. This analysis is carried out using a state-of-the-art natural language processing and analytics pipeline that can identify events and their properties and can group events reported by social media posters to avoid information overload.

Data from both of these specialised tools is then accumulated into a single OSINT data repository jointly developed by the partners involved in Task 4.2, where all gathered data is represented using a unified standard data format established as part of the open source MISP project [2], so that data describing both cyber and physical OSINT information is represented in the same way, while retaining advanced information for both cyber and physical data that can be used in analytics processes that specialise on either of the two. All gathered data can be presented, inspected and edited by human operations experts using the MISP project database browser if the task necessitates such actions. The system also automatically generates lists of the top threats relevant to a particular operator environment that have been reported in various time periods for higher-level risk management purposes.

Open Source Intelligence in the SAFETY4RAILS S4RIS Platform

The data gathered, evaluated, enriched and logically represented through the OSINT analytics subsystem in SAFETY4RAILS is communicated to the overall S4RIS platform as input data for further analytics processing and importantly also for presentation on the S4RIS decision support dashboard system. In this way, the information distilled from the abundance of available data sources on many different potentially relevant sources of information is made available directly to operations staff and those tasked to make decisions in emergency situations.

As the OSINT data uses the component identifiers and threat taxonomy used throughout the S4RIS platform, the data gathered can easily be cross-referenced with data from other sources, and it can be used to remedy vulnerabilities in a timely manner.

User trials carried out in the project indicate that the SAFETY4RAILS end user partners value the information provisioning capabilities offered by the OSINT subsystem. We expect that the solutions deployed in SAFETY4RAILS will have a future both as part of the joint and individual commercialisation after the conclusion of our project.

[1] Wikimedia Foundation. Open-Source Intelligence. Wikipedia. [Online] [Cited: 19 04 2021.] https://en.wikipedia.org/wiki/Open-source_intelligence.

[2] MISP Project. Best Practices in Threat Intelligence. MISP Project. [Online] [Cited: 19 04 2021.] https://www.misp-project.org/best-practices-in-threat-intelligence.html.

July 2022 – INNO