Biblio

An Intrusion Detection System (IDS) is a core element for securing critical systems. An IDS can use signatures of known attacks, or an anomaly detection model for detecting unknown attacks. Attacking an IDS is often the entry point of an attack against a critical system. Consequently, the security of IDSs themselves is imperative. To secure model-based IDSs, we propose a method to authenticate the anomaly detection model. The anomaly detection model is an autoencoder for which we only have access to input-output pairs. Inputs consist of time windows of values from sensors and actuators of an Industrial Control System. Our method is based on a multipath Neural Network (NN) classifier, a newly proposed deep learning technique. The idea is to characterize errors of an IDS's autoencoder by using a multipath NN's confidence measure \$c\$. We use the Wilcoxon-Mann-Whitney (WMW) test to detect a change in the distribution of the summary variable \$c\$, indicating that the autoencoder is not working properly. We compare our method to two baselines. They consist in using other summary variables for the WMW test. We assess the performance of these three methods using simulated data. Among others, our analysis shows that: 1) both baselines are oblivious to some autoencoder spoofing attacks while 2) the WMW test on a multipath NN's confidence measure enables detecting eventually any autoencoder spoofing attack.

With an increasing number of adversarial attacks against Industrial Control Systems (ICS) networks, enhancing the security of such systems is invaluable. Although attack prevention strategies are often in place, protecting against all attacks, especially zero-day attacks, is becoming impossible. Intrusion Detection Systems (IDS) are needed to detect such attacks promptly. Machine learning-based detection systems, especially deep learning algorithms, have shown promising results and outperformed other approaches. In this paper, we study the efficacy of a deep learning approach, namely, Multi Layer Perceptron (MLP), in detecting abnormal behaviors in ICS network traffic. We focus on very common reconnaissance attacks in ICS networks. In such attacks, the adversary focuses on gathering information about the targeted network. To evaluate our approach, we compare MLP with isolation Forest (i Forest), a statistical machine learning approach. Our proposed deep learning approach achieves an accuracy of more than 99% while i Forest achieves only 75%. This helps to reinforce the promise of using deep learning techniques for anomaly detection.

Industrial Control Systems (ICS) are complex systems made up of many components with different tasks. For a safe and secure operation, each device needs to carry out its tasks correctly. To monitor a system and ensure the correct behavior of systems, anomaly detection is used.Models of expected behavior often rely only on cyber or physical features for anomaly detection. We propose an anomaly detection system that combines both types of features to create a dynamic fingerprint of an ICS. We present how a cyber-physical anomaly detection using sound on the physical layer can be designed, and which challenges need to be overcome for a successful implementation. We perform an initial evaluation for identifying actions of a 3D printer.

The operation of the modern power grid is becoming increasingly reliant on its underlying communication network, especially within the context of the rapidly growing integration of Distributed Energy Resources (DERs). This tight cyber-physical coupling brings uncertainties and challenges for the power grid operation and control. To help operators manage the complex cyber-physical environment, ensure the integrity, and continuity of reliable grid operation, a two-stage approach is proposed that is compatible with current ICS protocols to improve the deliverability of time critical operations. With the proposed framework, the impact Denial of Service (DoS) attack can have on a Transmission Control Protocol (TCP) session could be effectively prevented and mitigated. This coordinated approach combines the efficiency of congestion window reconfiguration and the applicability of physical-only mitigation approaches. By expanding the state and action space to encompass both the cyber and physical domains. This approach has been proven to outperform the traditional, physical-only method, in multiple network congested scenarios that were emulated in a real-time cyber-physical testbed.

Many critical industrial control systems integrate a mixture of state-of-the-art and legacy equipment. Legacy installations lack advanced, and often even basic security features, risking entire system security. Existing research primarily focuses on the development of secure protocols for emerging devices or protocol translation proxies for legacy equipment. However, a robust security framework not only needs encryption but also mechanisms to prevent reconnaissance and unauthorized access to industrial devices. This paper proposes a novel Edge Security Gateway (ESG) that provides both, communication and endpoint security. The ESG is based on double ratchet algorithm and encrypts every message with a different key. It manages the ongoing renewal of short-lived session keys and provides localized firewall protection to individual devices. The ESG is easily customizable for a wide range of industrial application. As a use case, this paper presents the design and validation for synchrophasor technology in smart grid. The ESG effectiveness is practically validated in detecting reconnaissance, manipulation, replay, and command injection attacks due to its perfect forward and backward secrecy properties.

The electron mobility μ exhibits oscillatory behavior with gate electric field F in an asymmetrically doped double V-shaped AlxGa1-xAs quantum well field effect transistor structure. By changing F, single-double-single subband occupancy of the system is obtained. We show that μ oscillates within double subband occupancy as a function of F near resonance of subband states due to the relocation of subband wave functions between the wells through intersubband effects.

With the development in IC technology, testing the designs is becoming more and more complex. In the design, process testing consumes 60-80% of the time. The basic testing principle is providing the circuit under test (CUT) with input patterns, observing output responses, and comparing against the desired response called the golden response. As the density of the device are rising leads to difficulty in examining the sub-circuit of the chip. So, testing of design is becoming a time-consuming and costly process. Attaching additional logic to the circuit resolves the issue by testing itself. BIST is a relatively a design for testability technique to facilitate thorough testing of ICs and it comprises the test pattern generator, circuit under test, and output response analyzer. Quick diagnosis and very high fault coverage can be ensured by BIST. As complexity in the circuit is increasing, testing urges TPGs (Test Pattern Generators) to generate the test patterns for the CUT to sensitize the faults. TPGs are vulnerable to malicious activities such as scan-based side-channel attacks. Secret data saved on the chip can be extracted by an attacker by scanning out the test outcomes. These threats lead to the emergence of securing TPGs. This work demonstrates providing a secured test pattern generator for BIST circuits by locking the logic of TPG with a password or key generated by the key generation circuit. Only when the key is provided test patterns are generated. This provides versatile protection to TPG from malicious attacks such as scan-based side-channel attacks, Intellectual Property (IP) privacy, and IC overproduction.

Data on software vulnerabilities, products and exploits is typically collected from multiple non-structured sources. Valuable information, e.g., on which products are affected by which exploits, is conveyed by matching data from those sources, i.e., through their relations. In this paper, we leverage this simple albeit unexplored observation to introduce a statistical relational learning (SRL) approach for the analysis of vulnerabilities, products and exploits. In particular, we focus on the problem of determining the existence of an exploit for a given product, given information about the relations between products and vulnerabilities, and vulnerabilities and exploits, focusing on Industrial Control Systems (ICS), the National Vulnerability Database and ExploitDB. Using RDN-Boost, we were able to reach an AUC ROC of 0.83 and an AUC PR of 0.69 for the problem at hand. To reach that performance, we indicate that it is instrumental to include textual features, e.g., extracted from the description of vulnerabilities, as well as structured information, e.g., about product categories. In addition, using interpretable relational regression trees we report simple rules that shed insight on factors impacting the weaponization of ICS products.

In recent years, many modifications have been done to combat the weaknesses of the Vigenère Cipher Algorithm. Several studies have been carried out to rectify the flaw of the algorithm’s repeating key nature by increasing the key length equal to that of the plain text. However, some characters cannot be encrypted due to the limited set of characters in the key. This paper modified the algorithm’s key generation process using a Pseudo-Random Number Generator to improve the algorithm’s security and expanded the table of characters to up to 190 characters. The results show that based on Monobit examination and frequency analysis, the repeating nature of the key is non-existent, and the generated key can be used to encrypt a larger set of characters. The ciphertext has a low IC value of 0.030, which is similar to a random string and polyalphabetic cipher with an IC value of 0.038 but not equal to a monoalphabetic cipher with an IC value of 0.065. Results show that the modified version of the algorithm performs better than some of the recent studies conducted on it

As a decoy for hackers, honeypots have been proved to be a very valuable tool for collecting real data. However, due to closed source and vendor-specific firmware, there are significant limitations in cost for researchers to design an easy-to-use and high-interaction honeypot for industrial control systems (ICSs). To solve this problem, it’s necessary to find a cost-effective solution. In this paper, we propose a novel honeypot architecture termed HoneyVP to support a semi-virtual and semi-physical honeypot design and implementation to enable high cost performance. Specially, we first analyze cyber-attacks on ICS devices in view of different interaction levels. Then, in order to deal with these attacks, our HoneyVP architecture clearly defines three basic independent and cooperative components, namely, the virtual component, the physical component, and the coordinator. Finally, a local-remote cooperative ICS honeypot system is implemented to validate its feasibility and effectiveness. Our experimental results show the advantages of using the proposed architecture compared with the previous honeypot solutions. HoneyVP provides a cost-effective solution for ICS security researchers, making ICS honeypots more attractive and making it possible to capture physical interactions.

With their role as an integral part of its infrastructure, Industrial Control Systems (ICS) are a vital part of every nation's industrial development drive. Despite several significant advancements - such as controlled-environment agriculture, automated train systems, and smart homes, achieved in critical infrastructure sectors through the integration of Information Systems (IS) and remote capabilities with ICS, the fact remains that these advancements have introduced vulnerabilities that were previously either nonexistent or negligible, one being Remote Access Trojans (RATs). Present RAT detection methods either focus on monitoring network traffic or studying event logs on host systems. This research's objective is the detection of RATs by comparing actual utilized system capacity to reported utilized system capacity. To achieve the research objective, open-source RAT detection methods were identified and analyzed, a GAP-analysis approach was used to identify the deficiencies of each method, after which control algorithms were developed into source code for the solution.

Cyber-attacks on our Nation's Critical Infrastructure are growing. In this research, a Cyber Threat Intelligence (CTI) framework is proposed, developed, and tested. The results of the research, using 5 different simulated attacks on a dataset from an Industrial Control System (ICS) testbed, are presented with the extracted IOCs. The Bagging Decision Trees model showed the highest performance of testing accuracy (94.24%), precision (0.95), recall (0.93), and F1-score (0.94) among the 9 different machine learning models studied.

Algorithms for unsupervised anomaly detection have proven their effectiveness and flexibility, however, first it is necessary to calculate with what ratio a certain class begins to be considered anomalous by the autoencoder. For this reason, we propose to conduct a study of the efficiency of autoencoders depending on the ratio of anomalous and non-anomalous classes. The emergence of high-speed networks in electric power systems creates a tight interaction of cyberinfrastructure with the physical infrastructure and makes the power system susceptible to cyber penetration and attacks. To address this problem, this paper proposes an innovative approach to develop a specification-based intrusion detection framework that leverages available information provided by components in a contemporary power system. An autoencoder is used to encode the causal relations among the available information to create patterns with temporal state transitions, which are used as features in the proposed intrusion detection. This allows the proposed method to detect anomalies and cyber attacks.

The paper gives an overview of the ICS security and focuses on Control Systems. Use of internet had security challenges which led to the development of ICS which is designed to be dependable and safe. PCS, DCS and SCADA all are subsets of ICS. The paper gives a description of the developments in the ICS security and covers the most interesting work done by researchers. The paper also provides research information about the parameters on which a remotely executed cyber-attack depends.

Cyber-Physical Systems (CPS) suffer from extendable vulnerabilities due to the convergence of the physical world with the cyber world, which makes it victim to a number of sophisticated cyber-attacks. The motives behind such attacks range from criminal enterprises to military, economic, espionage, political, and terrorism-related activities. Many governments are more concerned than ever with securing their critical infrastructure. One of the effective means of detecting threats and securing their infrastructure is the use of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). A number of studies have been conducted and proposed to assess the efficacy and effectiveness of IDS through the use of self-learning techniques, especially in the Industrial Control Systems (ICS) era. This paper investigates and analyzes the utilization of IDS systems and their proposed solutions used to enhance the effectiveness of such systems for CPS. The targeted data extraction was from 2011 to 2021 from five selected sources: IEEE, ACM, Springer, Wiley, and ScienceDirect. After applying the inclusion and exclusion criteria, 20 primary studies were selected from a total of 51 studies in the field of threat detection in CPS, ICS, SCADA systems, and the IoT. The outcome revealed the trends in recent research in this area and identified essential techniques to improve detection performance, accuracy, reliability, and robustness. In addition, this study also identified the most vulnerable target layer for cyber-attacks in CPS. Various challenges, opportunities, and solutions were identified. The findings can help scholars in the field learn about how machine learning (ML) methods are used in intrusion detection systems. As a future direction, more research should explore the benefits of ML to safeguard cyber-physical systems.

There is an increasing concern about possible hostile modification done to ICs, which are used in various critical applications. Such malicious modifications are referred to as Hardware Trojan. A novel procedure to detect these malicious Trojans using Genetic algorithm along with the logical masking technique which masks the Trojan module when embedded is presented in this paper. The circuit features such as transition probability and SCOAP are used as suitable parameters to identify the rare nodes which are more susceptible for Trojan insertion. A set of test patterns called optimal test patterns are generated using Genetic algorithm to claim that these test vectors are more feasible to detect the presence of Trojan in the circuit under test. The proposed methodologies are validated in accordance with ISCAS '85 and ISCAS '89 benchmark circuits. The experimental results proven that it achieves maximum Trigger coverage, Trojan coverage and is also able to successfully mask the inserted Trojan when it is triggered by the optimal test patterns.

Recently, with the spread of Internet of Things (IoT) devices, embedded hardware devices have been used in a variety of everyday electrical items. Due to the increased demand for embedded hardware devices, some of the IC design and manufacturing steps have been outsourced to third-party vendors. Since malicious third-party vendors may insert malicious circuits, called hardware Trojans, into their products, developing an effective hardware Trojan detection method is strongly required. In this paper, we propose 25 hardware-Trojan features based on the structure of trigger circuits for machine-learning-based hardware Trojan detection. Combining the proposed features into 11 existing hardware-Trojan features, we totally utilize 36 hardware-Trojan features for classification. Then we classify the nets in an unknown netlist into a set of normal nets and Trojan nets based on the random-forest classifier. The experimental results demonstrate that the average true positive rate (TPR) becomes 63.6% and the average true negative rate (TNR) becomes 100.0%. They improve the average TPR by 14.7 points while keeping the average TNR compared to existing state-of-the-art methods. In particular, the proposed method successfully finds out Trojan nets in several benchmark circuits, which are not found by the existing method.

with the continuous growing threat of cyber terrorism, the vulnerability of the industrial control systems (ICS) is the most common subject for security researchers now. Attacks on ICS systems keep increasing and their impact leads to human safety issues, equipment damage, system down, unusual output, loss of visibility and control, and various other catastrophic failures. Many of the industrial control systems are relatively insecure with chronic and pervasive vulnerabilities. Modbus-Tcpis one of the widely used communication protocols in the ICS/ Supervisory control and data acquisition (SCADA) system to transmit signals from instrumentation and control devices to the main controller of the control center. Modbus is a plain text protocol without any built-in security mechanisms, and Modbus is a standard communication protocol, widely used in critical infrastructure applications such as power systems, water, oil & gas, etc.. This paper proposes a passive security solution called Deep-security-scanner (DSS) tailored to Modbus-Tcpcommunication based Industrial control system (ICS). DSS solution detects attacks on Modbus-TcpIcs networks in a passive manner without disturbing the availability requirements of the system.

Digitization has pioneered to drive exceptional changes across all industries in the advancement of analytics, automation, and Artificial Intelligence (AI) and Machine Learning (ML). However, new business requirements associated with the efficiency benefits of digitalization are forcing increased connectivity between IT and OT networks, thereby increasing the attack surface and hence the cyber risk. Cyber threats are on the rise and securing industrial networks are challenging with the shortage of human resource in OT field, with more inclination to IT/OT convergence and the attackers deploy various hi-tech methods to intrude the control systems nowadays. We have developed an innovative real-time ICS cyber test kit to obtain the OT industrial network traffic data with various industrial attack vectors. In this paper, we have introduced the industrial datasets generated from ICS test kit, which incorporate the cyber-physical system of industrial operations. These datasets with a normal baseline along with different industrial hacking scenarios are analyzed for research purposes. Metadata is obtained from Deep packet inspection (DPI) of flow properties of network packets. DPI analysis provides more visibility into the contents of OT traffic based on communication protocols. The advancement in technology has led to the utilization of machine learning/artificial intelligence capability in IDS ICS SCADA. The industrial datasets are pre-processed, profiled and the abnormality is analyzed with DPI. The processed metadata is normalized for the easiness of algorithm analysis and modelled with machine learning-based latest deep learning ensemble LSTM algorithms for anomaly detection. The deep learning approach has been used nowadays for enhanced OT IDS performances.

With the continuous emergence of cyber attacks, the security of industrial control system (ICS) has become a hot issue in academia and industry. Intrusion detection technology plays an irreplaceable role in protecting industrial system from attacks. However, the imbalance between normal samples and attack samples seriously affects the performance of intrusion detection algorithms. This paper proposes SE-IDS, which uses generative adversarial networks (GAN) to expand the minority to make the number of normal samples and attack samples relatively balanced, adopts particle swarm optimization (PSO) to optimize the parameters of LightGBM. Finally, we evaluated the performance of the proposed model on the industrial network dataset.

Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS) use advanced computing, sensors, control systems, and communication networks to monitor and control industrial processes and distributed assets. The increased connectivity of these systems to corporate networks has exposed them to new security threats and made them a prime target for cyber-attacks with the potential of causing catastrophic economic, social, and environmental damage. Recent intensified sophisticated attacks on these systems have stressed the importance of methodologies and tools to assess the security risks of Industrial Control Systems (ICS). In this paper, we propose a novel game theory model and Monte Carlo simulations to assess the cybersecurity risks of an exemplary industrial control system under realistic assumptions. We present five game enrollments where attacker and defender agents make different preferences and we analyze the final outcome of the game. Results show that a balanced defense with uniform budget spending is the best strategy against a look-ahead attacker.

Controller area network is the serial communication protocol, which broadcasts the message on the CAN bus. The transmitted message is read by all the nodes which shares the CAN bus. The message can be eavesdropped and can be re-used by some other node by changing the information or send it by duplicate times. The message reused after some delay is replay attack. In this paper, the CAN network with three CAN nodes is implemented using the universal verification components and the replay attack is demonstrated by creating the faulty node. Two types of replay attack are implemented in this paper, one is to replay the entire message and the other one is to replay only the part of the frame. The faulty node uses the first replay attack method where it behaves like the other node in the network by duplicating the identifier. CAN frame except the identifier is reused in the second method which is hard to detect the attack as the faulty node uses its own identifier and duplicates only the data in the CAN frame.

With the advancement of network technology, more electronic devices have begun to connect to the Internet. The era of IoE (Internet of Everything) is coming. However, the number of serious incidents of cyberattacks on important facilities has gradually increased at the same time. Security becomes an important issue when setting up plenty of network devices in an environment. Thus, we propose an innovative mechanism of the Moving Target Defense (MTD) to solve the problems happening to other MTD mechanisms in the past. This method applies Dynamic Host Configuration Protocol (DHCP) to dynamically change the IPv4 address of information equipment in the medical environment. In other words, each of the nodes performs IP-Hopping and effectively avoids malicious attacks. Communication between devices relies on DNS lookup. The mechanism avoids problems such as time synchronization and IP conflict. Also, it greatly reduces the costs of large-scale deployment. All of these problems are encountered by other MTD mechanisms in the past. Not only can the mechanism be applied to the medical and information equipment, it can also be applied to various devices connected to the Internet, including Industrial Control System (ICS). The mechanism is implemented in existing technologies and prevents other problems, which makes it easy to build a system.

Many industrial control systems (ICS) are reliant upon programmable logic controllers (PLCs) for their operations. As ICS and PLCs are increasingly targeted by cyber-attacks, research facilitating the resiliency of their physical processes is imperative. This paper proposes an approach which leverages PLC containerization, input/output (I/O) multiplexing, and orchestration to respond to cyber incidents and ensure continuity of critical processes. A proofof-concept capability was developed and evaluated on live ICS testbed environments. The experimental results indicate the approach is viable for control applications with soft real-time requirements.

The digitalization process did not circumvent either railway domain. With new technology and new functionality, such as digital interlocking system, automated train operation, object recognition, GPS positioning, traditional railway domain got a vulnerability that can be exploited. Another issue is usage of CotS (Commercial-of-the-Shelf) hardware and software and openness of traditionally closed system. Most of published similar paper are focused on cyber security and security & safety model for securing of assessment in this kind of domain, but this paper will deal with this upcoming railway technology and digital investigation process in such kind of environment. Digital investigation process will be presented, but not only in ICS and SCADA system, but also in specific, railway environment. Framework for investigation process and for maintaining chain of custody in railway domain will be proposed.