Integrated Public Security Centre (CISP)

Updated 16 December 2025
  • Integrated Public Security Centre (CISP) is a dual-layer framework that structures real-time cyber-physical defense using formal graph models to assess interdependencies in critical infrastructure.
  • The system employs process-aware anomaly detection with modular ANNs, rule-based expert systems, and statistical methods to identify and isolate irregularities.
  • CISP enhances operational resilience through redundant communication channels, automated recovery protocols, and transparent security controls accepted by operators.

An Integrated Public Security Centre (CISP) provides a mathematically structured, two-layered architecture for the real-time coordination, resilience, and process-aware cyber-physical defense of community-scale Critical Infrastructure (CI) systems. The CISP architecture, as rigorously specified for mid-sized communities, enables collaborative situational awareness and incident response while ensuring operator transparency and acceptance. It is grounded in formal models of interdependency, real-time anomaly detection using both expert systems and modular artificial neural networks (ANNs), and policy-driven security controls. All workflow, system interfaces, and acceptance criteria are explicitly defined to allow for non-disruptive integration with legacy Process Control Systems (PCS) and support resilience against both cyber and physical contingencies (Foreman, 2016).

1. System Architecture and Functional Layers

The CISP architecture is hierarchically organized in two major layers—Local CI-Site Modules and a Community Coordination Hub—linked via bi-directional, redundant communication channels.

  • Layer 1: Local CI-Site Module
    • Read-only Data Acquisition Interface to existing PCS (SCADA/PLC/DCS)
    • Sensor & Data Bus for high-frequency telemetry
    • Preprocessing & Normalization Engine
    • Modular Anomaly Classifiers (small ANNs per control loop)
    • Rule-Based Expert System (RBES) generating advisory alerts
    • Human-Machine Interface (HMI) for operator situational awareness and manual override
    • Local Resilience Agents that enforce isolation/fallback routines on failure
  • Layer 2: Community Coordination Hub
    • Secure Aggregation Gateway (TLS/VPN, mutual authentication)
    • Time-series Community Data Lake for multi-site status
    • Community-Scale Anomaly Classifier (ANN + dependency graph logic)
    • Community RBES to encode and automate cross-CI interdependencies
    • Orchestration & Incident Management Console
    • Public Notification & Escalation Interfaces

Communication Redundancy is enforced using a primary Ethernet/MPLS network with QoS, a failover cellular/mesh radio network, a publish/subscribe message bus (e.g., MQTT over TLS), and explicit heartbeat channels for link health. This integrated stack supports both high reliability and low operator burden (Foreman, 2016).

2. Formal Modeling of Critical Infrastructure Interdependencies

Community CI is modeled as a directed graph $G = (V, E)$, where $V = \{v_1, v_2, \dots, v_n\}$ represents CI sites (for example, water plants, substations, factories), and $E \subseteq V \times V$ represents dependencies such that $v_i \rightarrow v_j$ denotes "$v_j$ depends on $v_i$". The architecture formally quantifies these relationships:

  • Adjacency Matrix: $A \in \{0,1\}^{n \times n}$, where $A_{ij} = 1$ if $(v_i \rightarrow v_j) \in E$.
  • Vulnerability Weight Matrix: $W \in \mathbb{R}^{n \times n}$, where $W_{ij} \in [0,1]$ encodes dependency strength (the fraction of service $v_j$ would lose if $v_i$ fails).
  • Risk Propagation Model: With $r \in \mathbb{R}^n$ as the vector of local failure probabilities, risk propagates as $r^{(1)} = r^{(0)} + W^T r^{(0)}$, or in closed form $r = (I - W^T)^{-1} r^{(0)}$ for small $W$, i.e., when the Neumann series $\sum_{k \ge 0} (W^T)^k$ converges (spectral radius of $W$ below 1).
  • Contagion Analysis: The Laplacian $L = D - A$, with $D_{ii} = \sum_j A_{ij}$, is used for spectral clustering to detect vulnerability clusters within the CI network.

This formalism ensures that the CISP does not merely aggregate alarms but reasons about cascading and cross-domain risks, supporting proactive coordination (Foreman, 2016).
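The following is an added example, not code from Foreman (2016): it implements the one-step and closed-form (Neumann series) risk propagation and a two-way spectral clustering of the Laplacian on a constructed six-site dependency graph. The site names, the weight matrix `W`, the failure vector and the power-iteration routine are all assumptions made here; symmetrising the directed graph before the spectral step is also an assumption, since the page does not say how the directed Laplacian is handled.

```python
"""Risk propagation and vulnerability clustering on a CI dependency graph.

Added example, not code from Foreman (2016). The six sites, the weight
matrix W, the failure vector and the power-iteration routine are all
constructed here for illustration. Pure Python, so it runs without numpy.
"""
from math import sqrt

# Constructed example. Edge i -> j means "site j depends on site i" and
# W[i][j] is the fraction of service j loses when i fails (0 = no dependency).
SITES = ["water", "substation", "factory", "telecom", "hospital", "fire_station"]
W = [
    # water substn factory telecom hospital fire
    [0.0, 0.0, 0.6, 0.0, 0.0, 0.0],  # water -> factory
    [0.5, 0.0, 0.7, 0.2, 0.0, 0.0],  # substation -> water, factory, telecom
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.0],  # factory: sink, nothing depends on it
    [0.0, 0.0, 0.0, 0.0, 0.4, 0.5],  # telecom -> hospital, fire station
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.3],  # hospital -> fire station
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.0],  # fire station: sink
]


def wt_times(W, x):
    """W^T x: risk each site j receives from every site i it depends on."""
    n = len(W)
    return [sum(W[i][j] * x[i] for i in range(n)) for j in range(n)]


def propagate_one_step(W, r0):
    """r^(1) = r^(0) + W^T r^(0): first-order cascade of local failure probabilities."""
    return [a + b for a, b in zip(r0, wt_times(W, r0))]


def propagate_neumann(W, r0, tol=1e-12, max_terms=200):
    """Closed form r = (I - W^T)^{-1} r^(0), evaluated as the Neumann series
    sum_k (W^T)^k r^(0). Converges only while the terms shrink (spectral
    radius of W below 1); otherwise the 'small W' assumption does not hold."""
    r, term = list(r0), list(r0)
    for _ in range(max_terms):
        term = wt_times(W, term)
        if max(abs(t) for t in term) < tol:
            return r
        r = [a + b for a, b in zip(r, term)]
    raise ValueError("Neumann series did not converge: W is not small enough")


def laplacian(W):
    """L = D - A with D_ii = sum_j A_ij, built on the undirected support of W
    (A_ij = 1 if either direction has a dependency). Symmetrising is an
    assumption made here so that the spectral step has real eigenvectors."""
    n = len(W)
    A = [[1.0 if i != j and (W[i][j] > 0 or W[j][i] > 0) else 0.0 for j in range(n)]
         for i in range(n)]
    return [[(sum(A[i]) if i == j else 0.0) - A[i][j] for j in range(n)] for i in range(n)]


def fiedler_clusters(W, iters=2000):
    """Two-way spectral clustering by the sign of the Fiedler vector of L.
    Power iteration on M = cI - L (c >= largest eigenvalue of L) with the
    constant vector projected out converges to the eigenvector of the
    smallest non-zero eigenvalue of L. Returns (cluster containing site 0, rest)."""
    L = laplacian(W)
    n = len(L)
    c = 2.0 * max(L[i][i] for i in range(n))   # 2 * max degree bounds the spectrum
    v = [float(i + 1) for i in range(n)]       # start vector with a Fiedler component
    for _ in range(iters):
        mean = sum(v) / n
        v = [x - mean for x in v]              # stay orthogonal to the all-ones vector
        v = [c * v[i] - sum(L[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = sqrt(sum(x * x for x in v))
        v = [x / norm for x in v]
    pos = [i for i in range(n) if v[i] > 0]
    neg = [i for i in range(n) if v[i] <= 0]
    return (pos, neg) if 0 in pos else (neg, pos)


if __name__ == "__main__":
    r0 = [0.0, 0.2, 0.0, 0.0, 0.0, 0.0]        # constructed: 20% failure probability at the substation
    for name, r in zip(SITES, propagate_neumann(W, r0)):
        print(f"{name:13s} cascaded failure risk {r:.4f}")
    print("vulnerability clusters:", fiedler_clusters(W))
```

Because the constructed graph is acyclic, the Neumann series terminates exactly after three terms; on a graph with feedback loops the `max_terms` guard is what tells you the "small $W$" premise has failed and the closed form is not meaningful.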

3. Data Pipeline and Intrusion Detection Methodology

Data flow in CISP employs process-aware, pipeline-based detection with both statistical and expert-driven elements:

  • Sensor Layer: Read-only, time-synchronized taps (e.g., PROFINET, Modbus-TCP, DNP3 at 1–10 Hz) ensure no actuation at CI sites.
  • Preprocessing & Normalization: Variables are mean-standardized, $x_i(t) \to (x_i(t) - \mu_i)/\sigma_i$, and outliers capped. Low-pass filtering or EWMA is then applied to the standardized, capped value $x_i'(t)$: $y_i(t) = \alpha x_i'(t) + (1-\alpha)\, y_i(t-1)$.
  • Detection Stack:
    • Rule-Based Detection (RBES): Encodes rules such as IF FlowRate $< F_{min}$ AND PumpSpeed $> S_{max}$ THEN "Pump Overload" event.
    • ANN-Based Anomaly Detection: For each local loop $j$, a small ANN $f_j(\cdot)$ predicts the next state; the anomaly score is $S_j(t) = e_j(t)^2 / \sigma_j^2$ with $e_j(t) = y_j(t) - f_j(y_j(t-1), u_j(t-1))$. The centralized CISP computes $\mathrm{LLR}(t) = \sum_j \left( \frac{e_j(t)^2}{\sigma_j^2} - 1 - \ln\frac{e_j(t)^2}{\sigma_j^2} \right)$ and flags anomalous operation if $\mathrm{LLR}(t) > \tau$.
  • Pipeline: Sensor → Sampling → Normalization → Feature Extraction → ANN Classification → RBES Correlation → Operator Advisory/Automated Alert → Community Hub.

This methodology ensures process-aware anomaly detection, supporting both cyber-threat detection and fault isolation (Foreman, 2016).
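The following is an added example of the detection stack above, not code from Foreman (2016). It runs the pipeline (standardisation, outlier capping, EWMA, per-loop residual score, LLR statistic, RBES correlation) over constructed two-loop telemetry in which a pump overload begins at sample 40. The telemetry, the engineering limits `F_MIN`/`S_MAX`, the threshold `TAU` and the training window are assumptions, and the per-loop predictor is a persistence model standing in for the small ANN the paper uses.

```python
"""Process-aware detection stack: standardisation, outlier capping, EWMA,
an RBES rule, and the per-loop residual score folded into the LLR statistic.

Added example, not code from Foreman (2016). The telemetry, the engineering
limits and the thresholds are constructed assumptions, and the per-loop
predictor f_j is a persistence model (predict y_j(t) = y_j(t-1)) standing in
for the small ANN the paper uses; the scoring follows the formulas in the text.
"""
import math
from statistics import mean, pstdev


def constructed_sample(t):
    """Two control-loop variables at 1 Hz. Normal for t < 40; from t = 40 the
    pump races and the flow collapses (a pump-overload condition)."""
    flow = (10.0 if t < 40 else 3.0) + 0.2 * math.sin(0.7 * t)
    pump = (1500.0 if t < 40 else 2200.0) + 5.0 * math.sin(0.5 * t)
    return {"FlowRate": flow, "PumpSpeed": pump}


TELEMETRY = [constructed_sample(t) for t in range(60)]
TRAIN_WINDOW = 30            # assumption: the first 30 samples are known-good
F_MIN, S_MAX = 5.0, 2000.0   # assumption: engineering limits for the RBES rule
ALPHA = 0.5                  # EWMA smoothing factor
CAP_SIGMAS = 6.0             # outlier cap applied after standardisation
TAU = 15.0                   # LLR alarm threshold (assumption)
Z_FLOOR = 1e-3               # guards ln(e^2 / sigma^2) when a residual is ~0


def rbes_rules(raw):
    """Rule-based expert system on raw engineering values. Each rule is an
    inspectable IF ... THEN statement that yields an advisory event."""
    events = []
    # IF FlowRate < F_min AND PumpSpeed > S_max THEN "Pump Overload"
    if raw["FlowRate"] < F_MIN and raw["PumpSpeed"] > S_MAX:
        events.append("Pump Overload")
    return events


class LoopMonitor:
    """One control loop j: standardise, cap, EWMA-filter, predict, score."""

    def __init__(self, name, train_values):
        self.name = name
        self.mu = mean(train_values)
        self.sigma = pstdev(train_values) or 1.0
        self.y_prev = None
        # Calibrate sigma_j^2 (residual variance) on the known-good window.
        residuals = [self.residual(v) for v in train_values]
        self.res_var = mean(e * e for e in residuals[1:]) or 1e-9
        self.y_prev = None            # replay the live stream from scratch

    def normalise(self, x):
        z = (x - self.mu) / self.sigma                 # mean-standardise
        return max(-CAP_SIGMAS, min(CAP_SIGMAS, z))    # cap outliers

    def residual(self, x):
        """Filter one sample and return e_j(t) = y_j(t) - f_j(y_j(t-1))."""
        xn = self.normalise(x)
        if self.y_prev is None:                        # first sample: no history
            self.y_prev = xn
            return 0.0
        y = ALPHA * xn + (1 - ALPHA) * self.y_prev     # EWMA low-pass filter
        e = y - self.y_prev                            # persistence predictor
        self.y_prev = y
        return e

    def score(self, x):
        """S_j(t) = e_j(t)^2 / sigma_j^2, floored so the log term stays finite."""
        e = self.residual(x)
        return max(Z_FLOOR, e * e / self.res_var)


def llr(scores):
    """LLR(t) = sum_j (z_j - 1 - ln z_j) with z_j = e_j^2 / sigma_j^2."""
    return sum(z - 1.0 - math.log(z) for z in scores)


def run_pipeline(telemetry, train_window=TRAIN_WINDOW):
    """Sensor -> normalisation -> predictor -> LLR -> RBES correlation.
    Returns (t, LLR, events) for every sample that raised an event."""
    names = list(telemetry[0])
    monitors = {n: LoopMonitor(n, [s[n] for s in telemetry[:train_window]]) for n in names}
    alerts = []
    for t, sample in enumerate(telemetry):
        value = llr([monitors[n].score(sample[n]) for n in names])
        events = rbes_rules(sample)
        if value > TAU:
            events.append(f"LLR anomaly ({value:.1f} > {TAU})")
        if events:
            alerts.append((t, round(value, 2), events))
    return alerts


if __name__ == "__main__":
    for t, value, events in run_pipeline(TELEMETRY):
        print(f"t={t:2d}  LLR={value:8.2f}  {', '.join(events)}")
```

Two practical points the formula hides: the term $z - 1 - \ln z$ also grows when residuals become far smaller than the calibrated $\sigma_j^2$, so a frozen or replayed sensor raises the statistic just as a step change does, and `Z_FLOOR` bounds how much a single exact-zero residual can contribute; and the outlier cap must be loose enough (here six standard deviations) that a genuine process excursion still produces a large residual rather than being clipped into the normal band.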

4. Resilience Mechanisms and Metrics

CISP is explicitly designed for resilience at both local and community-wide levels:

  • Failure Isolation: The read-only local module design precludes write-back to PCS, minimizing the likelihood of incident propagation. If a classifier or communication path fails, the module switches to passive monitoring.
  • Automated Recovery: On anomaly detection, the system can suggest operator action, automatically isolate ports, or switch to manual control locally. At the community level, it can re-route resources (e.g., dispatch mobile generators, trigger mutual aid).
  • Redundant Communications: Dual-homing (fiber/VPN and cellular mesh) ensures automatic failover within 500 ms.
  • Operational Availability Metrics: Defined by Mean Time To Failure (MTTF), Mean Time To Recovery (MTTR), and the calculated availability $A = \mathrm{MTTF}/(\mathrm{MTTF}+\mathrm{MTTR})$. All modules log failure and recovery events, enabling optimization of recovery scripts, hot backups, and operator training to achieve $A \geq 99.9\%$ as a design target.
  • Periodic Drills: End-to-end exercises are recommended for tangible measurement and continuous improvement of system resilience.

By empirically grounding both architecture and operational workflows in these metrics, CISP offers measurable enhancement of CI reliability (Foreman, 2016).
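As an added example of the availability accounting described above (not code from Foreman, 2016), the script below derives MTTF, MTTR and $A$ per module from a constructed failure/recovery event log and checks each module against the $99.9\%$ target. The log format (ISO timestamp, module id, START/FAIL/RECOVER/END, free-text detail) is an assumption made here.

```python
"""MTTF / MTTR / availability accounting from module failure and recovery events.

Added example, not code from Foreman (2016). The event log and its line
format (ISO timestamp, module id, event, free-text detail) are constructed
assumptions; the metrics are the ones in the text, with A >= 99.9% as target.
"""
from collections import defaultdict
from datetime import datetime

TARGET_AVAILABILITY = 0.999

# Constructed log: START/END bound the observation window for each module,
# FAIL/RECOVER pairs bracket each outage.
EVENT_LOG = """\
2025-03-01T00:00:00 water-site-01 START
2025-03-01T00:00:00 sub-site-02 START
2025-03-04T10:15:00 water-site-01 FAIL primary link lost
2025-03-04T10:15:20 water-site-01 RECOVER failover to cellular mesh
2025-03-12T03:00:00 water-site-01 FAIL anomaly classifier crashed
2025-03-12T03:02:00 water-site-01 RECOVER passive monitoring, classifier restarted
2025-03-20T18:00:00 sub-site-02 FAIL HMI unresponsive
2025-03-20T19:30:00 sub-site-02 RECOVER switched to hot backup
2025-04-01T00:00:00 water-site-01 END
2025-04-01T00:00:00 sub-site-02 END
"""


def parse_events(text):
    """Group (timestamp, kind, detail) tuples by module id."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, module, kind, *detail = line.split()
        events[module].append((datetime.fromisoformat(ts), kind, " ".join(detail)))
    return events


def availability_report(text, target=TARGET_AVAILABILITY):
    """Per module: failures, MTTF, MTTR (seconds), A = MTTF / (MTTF + MTTR)."""
    report = {}
    for module, evs in parse_events(text).items():
        evs.sort(key=lambda e: e[0])
        up_since = down_since = None
        uptime = downtime = 0.0
        failures = 0
        for ts, kind, _ in evs:
            if kind == "START":
                up_since = ts
            elif kind == "FAIL":
                if up_since is None:
                    raise ValueError(f"{module}: FAIL at {ts} while already down")
                uptime += (ts - up_since).total_seconds()
                up_since, down_since = None, ts
                failures += 1
            elif kind == "RECOVER":
                if down_since is None:
                    raise ValueError(f"{module}: RECOVER at {ts} without a FAIL")
                downtime += (ts - down_since).total_seconds()
                up_since, down_since = ts, None
            elif kind == "END":
                if up_since is not None:
                    uptime += (ts - up_since).total_seconds()
                elif down_since is not None:      # still down at window end
                    downtime += (ts - down_since).total_seconds()
        mttf = uptime / failures if failures else float("inf")
        mttr = downtime / failures if failures else 0.0
        availability = mttf / (mttf + mttr) if failures else 1.0
        report[module] = {
            "failures": failures,
            "mttf_s": mttf,
            "mttr_s": mttr,
            "availability": availability,
            "meets_target": availability >= target,
        }
    return report


if __name__ == "__main__":
    for module, m in availability_report(EVENT_LOG).items():
        flag = "OK " if m["meets_target"] else "LOW"
        print(f"{flag} {module}: {m['failures']} failures, MTTR {m['mttr_s']:.0f} s, "
              f"A = {m['availability']:.5%}")
```

In the constructed log the water site's two short outages (both recovered by failover in seconds) keep it above target, while a single 90-minute HMI hang at the substation pulls that module below $99.9\%$, which is the kind of finding that should feed back into recovery scripts and hot-backup configuration.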

5. Security Protocols and Operator Acceptance

  • Authentication & Authorization: Enforced through mutual TLS with X.509 certificates spanning all CI sites and the Community Hub, supplemented by both Role-Based and Attribute-Based Access Control (RBAC and ABAC).
  • Secure Information Sharing Policy: Expressed in first-order logic (FOL) to guarantee minimal privilege; operators at a site can read status, councils may issue coordinated commands; all other operations default-denied.
  • Operator Acceptance Criteria:
    1. Read-only interface guarantees no impact on pre-existing control loops.
    2. All alerts are advisory, with operator override always possible at the HMI.
    3. RBES decision rules must be fully inspectable and annotated with engineering rationale.
    4. Installation is strictly limited to less than four hours per site, with no disruption to ongoing operations.

These acceptance criteria operationalize the principle of "no negative impact," ensuring that security enhancements are compatible with incumbent engineering practice (Foreman, 2016).
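The following is an added example of the default-deny information-sharing policy described above, not code from Foreman (2016). Each first-order-logic clause becomes one Python predicate combining role (RBAC) and site attribute (ABAC) checks; only the two permissions the text names are encoded, and the principal attributes are assumed to be derived from the mutual-TLS client certificate (constructed here rather than parsed from a real certificate).

```python
"""Default-deny authorisation for CISP operations: role (RBAC) plus site
attribute (ABAC) checks, one Python predicate per first-order-logic clause.

Added example, not code from Foreman (2016). Only the two permissions the
text names are encoded (site operators read their own site's status,
councils issue coordinated commands); the principal attributes are assumed
to be derived from the mutual-TLS client certificate and are constructed here.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """Identity established by mTLS: certificate CN plus role and site attributes."""
    cn: str
    roles: frozenset
    site: Optional[str] = None      # None for community-level principals


@dataclass
class Request:
    action: str                     # e.g. "read_status", "issue_command"
    site: str                       # CI site the request targets
    attrs: dict = field(default_factory=dict)   # e.g. {"coordinated": True}


# Permit(p, a, r) <- Role(p, operator) ^ Site(p, s) ^ Site(r, s) ^ a = read_status
def operator_reads_own_site(p, req):
    return ("operator" in p.roles and req.action == "read_status"
            and p.site is not None and p.site == req.site)


# Permit(p, a, r) <- Role(p, council) ^ a = issue_command ^ Coordinated(a)
def council_issues_coordinated_command(p, req):
    return ("council" in p.roles and req.action == "issue_command"
            and req.attrs.get("coordinated") is True)


RULES = [operator_reads_own_site, council_issues_coordinated_command]


def authorize(p, req):
    """Return (decision, reason). Anything no clause explicitly permits is denied,
    so even a site operator cannot write to a PCS through the CISP."""
    for rule in RULES:
        if rule(p, req):
            return "permit", rule.__name__
    return "deny", "default-deny"


def audit_line(p, req, decision):
    """One append-only audit record per decision so every grant can be reviewed."""
    return (f"{decision[0].upper():6s} cn={p.cn} action={req.action} "
            f"site={req.site} rule={decision[1]}")


if __name__ == "__main__":
    ops = Principal("ops-water-01", frozenset({"operator"}), site="water_plant")
    council = Principal("council-duty-officer", frozenset({"council"}))
    for p, req in [
        (ops, Request("read_status", "water_plant")),
        (ops, Request("read_status", "substation")),
        (ops, Request("write_setpoint", "water_plant")),
        (council, Request("issue_command", "substation", {"coordinated": True})),
        (council, Request("issue_command", "substation")),
    ]:
        print(audit_line(p, req, authorize(p, req)))
```

The rule list is the policy artifact an operator can inspect: adding a permission means adding a named predicate, and nothing absent from that list can ever be granted, which is how the "minimal privilege" property of the FOL policy is preserved in code.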

6. Coordinated Response Orchestration: Example Scenario

An illustrative deployment involves a water-treatment plant detecting anomalous chlorine dosing (indicative of potential cyber-intrusion) and a neighboring substation reporting voltage sag:

  • The Water Plant Module's ANN flags an abnormal injection rate; the local RBES issues an advisory and disconnects the SCADA port.
  • The local module pushes alerts to the Community Hub, which evaluates dependencies using the $W$ matrix. Relevant manufacturing sites are preemptively warned, and public advisories may be scheduled.
  • At the substation, its local module correlates voltage anomalies with the water plant event and recommends load shedding.
  • The Community Hub orchestrates isolation and recovery, dispatches backup generators, and updates council dashboards with live risk and ETA data.

Pseudocode extracted from operations logic defines the automated workflows for these coordinated actions, exemplifying the event-driven, mathematically grounded response planning intrinsic to CISP (Foreman, 2016).

7. Implementation Considerations and Operational Significance

A CISP, as defined by Foreman (2016), demonstrates that seamless CI integration can be achieved by enforcing strict read-only data acquisition, embedding both statistical and rule-based interpretability, and basing response coordination on formal graph-theoretic interdependency models. Critical success factors include minimizing operator burden, maximizing modularity, and continuous measurement and improvement of resilience. The framework avoids "black-box" opacity by mandating explainable expert-policy artifacts. Moreover, its rapid deployment model provides the potential for immediate security and continuity gains in heterogeneous legacy system landscapes.

The architecture's systemic coordination approach supersedes isolated vendor solutions by making interdependency, redundancy, and transparency foundational features—not add-ons—thus providing the technical template for scalable, community-level cyber-physical defense (Foreman, 2016).
