Biblio

Most of the countries evaluate their energy networks in terms of national security and define as critical infrastructure. Monitoring and controlling of these systems are generally provided by Industrial Control Systems (ICSs) and/or Supervisory Control and Data Acquisition (SCADA) systems. Therefore, this study focuses on the cyber-attack vectors on SCADA systems to research the threats and risks targeting them. For this purpose, TCP/IP based protocols used in SCADA systems have been determined and analyzed at first. Then, the most common cyber-attacks are handled systematically considering hardware-side threats, software-side ones and the threats for communication infrastructures. Finally, some suggestions are given.

In order to evaluate the network security risks and implement effective defenses in industrial control system, a risk assessment method for industrial control systems based on attack graphs is proposed. Use the concept of network security elements to translate network attacks into network state migration problems and build an industrial control network attack graph model. In view of the current subjective evaluation of expert experience, the atomic attack probability assignment method and the CVSS evaluation system were introduced to evaluate the security status of the industrial control system. Finally, taking the centralized control system of the thermal power plant as the experimental background, the case analysis is performed. The experimental results show that the method can comprehensively analyze the potential safety hazards in the industrial control system and provide basis for the safety management personnel to take effective defense measures.

Cyber-Physical Systems (CPS), such as Water Distribution Networks (WDNs), deploy digital devices to monitor and control the behavior of physical processes. These digital devices, however, are susceptible to cyber and physical attacks, that may alter their functionality, and therefore the integrity of their measurements/actions. In practice, industrial control systems utilize simple control laws, which rely on various sensor measurements and algorithms which are expected to operate normally. To reduce the impact of a potential failure, operators may deploy redundant components; this however may not be useful, e.g., when a cyber attack at a PLC component occurs. In this work, we address the problem of reducing vulnerability to cyber-physical attacks in water distribution networks. This is achieved by augmenting the graph which describes the information flow from sensors to actuators, by adding new connections and algorithms, to increase the number of redundant cyber components. These, in turn, increase the \textitcyber-physical security level, which is defined in the present paper as the number of malicious attacks a CPS may sustain before becoming unable to satisfy the control requirements. A proof-of-concept of the approach is demonstrated over a simple WDN, with intuition on how this can be used to increase the cyber-physical security level of the system.

The integration of modern information technologies with industrial control systems has created an enormous interest in the security of industrial control, however, given the cost, variety, and industry practices, it is hard for researchers to test and deploy security solutions in real-world systems. Industrial control testbeds can be used as tools to test security solutions before they are deployed, and in this paper we extend our previous work to develop open-source virtual industrial control testbeds where computing and networking components are emulated and virtualized, and the physical system is simulated through differential equations. In particular, we implement a nonlinear control system emulating a three-water tank with the associated sensors, PLCs, and actuators that communicate through an emulated network. In addition, we design unknown input observers (UIO) to not only detect that an attack is occurring, but also to identify the source of the malicious false data injections and mitigate its impact. Our system is available through Github to the academic community.

A long time ago Industrial Control Systems were in a safe place due to the use of proprietary technology and physical isolation. This situation has changed dramatically and the systems are nowadays often prone to severe attacks executed from remote locations. In many cases, intrusions remain undetected for a long time and this allows the adversary to meticulously prepare an attack and maximize its destructiveness. The ability to detect an attack in its early stages thus has a high potential to significantly reduce its impact. To this end, we propose a holistic, multi-layered, security monitoring and mitigation framework spanning the physical- and cyber domain. The comprehensiveness of the approach demands for scalability measures built-in by design. In this paper we present how scalability is addressed by an architecture that enforces geographically decentralized data reduction approaches that can be dynamically adjusted to the currently perceived context. A specific focus is put on a robust and resilient solution to orchestrate dynamic configuration updates. Experimental results based on a prototype implementation show the feasibility of the approach.

Cyber-attacks and intrusions in cyber-physical control systems are, currently, difficult to reliably prevent. Knowing a system's vulnerabilities and implementing static mitigations is not enough, since threats are advancing faster than the pace at which static cyber solutions can counteract. Accordingly, the practice of cybersecurity needs to ensure that intrusion and compromise do not result in system or environment damage or loss. In a previous paper [2], we described the Cyberspace Security Econometrics System (CSES), which is a stakeholder-aware and economics-based risk assessment method for cybersecurity. CSES allows an analyst to assess a system in terms of estimated loss resulting from security breakdowns. In this paper, we describe two new related contributions: 1) We map the Cyberspace Security Econometrics System (CSES) method to the evaluation and mitigation steps described by the NIST Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82r2. Hence, presenting an economics-based and stakeholder-aware risk evaluation method for the implementation of the NIST-SP-800-82 guide; and 2) We describe the application of this tailored method through the use of a fictitious example of a critical infrastructure system of an electric and gas utility.

The detection of cyber-attacks has become a crucial task for highly sophisticated systems like industrial control systems (ICS). These systems are an essential part of critical information infrastructure. Therefore, we can highlight their vital role in contemporary society. The effective and reliable ICS cyber defense is a significant challenge for the cyber security community. Thus, intrusion detection is one of the demanding tasks for the cyber security researchers. In this article, we examine classification problem. The proposed detection system is based on supervised anomaly detection techniques. Moreover, we utilized classifiers algorithms in order to increase intrusion detection capabilities. The fusion of the classifiers is the way how to achieve the predefined goal.

Modbus over TCP/IP is one of the most popular industrial network protocol that are widely used in critical infrastructures. However, vulnerability of Modbus TCP protocol has attracted widely concern in the public. The traditional intrusion detection methods can identify some intrusion behaviors, but there are still some problems. In this paper, we present an innovative approach, SD-IDS (Stereo Depth IDS), which is designed for perform real-time deep inspection for Modbus TCP traffic. SD-IDS algorithm is composed of two parts: rule extraction and deep inspection. The rule extraction module not only analyzes the characteristics of industrial traffic, but also explores the semantic relationship among the key field in the Modbus TCP protocol. The deep inspection module is based on rule-based anomaly intrusion detection. Furthermore, we use the online test to evaluate the performance of our SD-IDS system. Our approach get a low rate of false positive and false negative.

We outline an anomaly detection method for industrial control systems (ICS) that combines the analysis of network package contents that are transacted between ICS nodes and their time-series structure. Specifically, we take advantage of the predictable and regular nature of communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies we develop a base-line signature database for general packages. A Bloom filter is used to store the signature database which is then used for package content level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short Term Memory (LSTM) network-based softmax classifier which learns to predict the most likely package signatures that are likely to occur given previously seen package traffic. Finally, by the inspection of a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance compared to various current state-of-the-art techniques.

Industrial control systems have stringent safety and security demands. High safety assurance can be obtained by specifying the system with possible faults and monitoring it to ensure these faults are properly addressed. Addressing security requires considering unpredictable attacker behavior. Anomaly detection, with its data driven approach, can detect simple unusual behavior and system-based attacks like the propagation of malware; on the other hand, anomaly detection is less suitable to detect more complex \textbackslashtextbackslashemph\process-based\ attacks and it provides little actionability in presence of an alert. The alternative to anomaly detection is to use specification-based intrusion detection, which is more suitable to detect process-based attacks, but is typically expensive to set up and less scalable. We propose to combine a lightweight formal system specification with anomaly detection, providing data-driven monitoring. The combination is based on mapping elements of the specification to elements of the network traffic. This allows extracting locations to monitor and relevant context information from the formal specification, thus semantically enriching the raised alerts and making them actionable. On the other hand, it also allows under-specification of data-based properties in the formal model; some predicates can be left uninterpreted and the monitoring can be used to learn a model for them. We demonstrate our methodology on a smart manufacturing use case.

Currently, security protection in Industrial Control Systems has become a hot topic, and a great number of defense techniques have sprung up. As one of the most effective approaches, area isolation has the exceptional advantages and is widely used to prevent attacks or hazards propagating. However, most existing methods for inter-area communication protection present some limitations, i.e., excessively depending on the analyzing rules, affecting original communication. Additionally, the network architecture and data flow direction can hardly be adjusted after being deployed. To address these problems, a dynamical and customized communication protection technology is proposed in this paper. In detail, a security inter-area communication architecture based on Software Defined Network is designed firstly, where devices or subsystems can be dynamically added into or removed from the communication link. And then, a security inspection method based on information entropy is presented for deep network behaviors analysis. According to the security analysis results, the communications in the network can be adjusted in time. Finally, simulations are constructed, and the results indicate that the proposed approach is sensitive and effective for cyber-attacks detection.

Due to flexibility, low cost and rapid deployment, wireless sensor networks (WSNs)have been drawing more and more interest from governments, researchers, application developers, and manufacturers in recent years. Nowadays, we are in the age of industry 4.0, in which the traditional industrial control systems will be connected with each other and provide intelligent manufacturing. Therefore, WSNs can play an extremely crucial role to monitor the environment and condition parameters for smart factories. Nevertheless, the introduction of the WSNs reveals the weakness, especially for industrial applications. Through the vulnerability of IWSNs, the latent attackers were likely to invade the information system. Risk evaluation is an overwhelmingly efficient method to reduce the risk of information system in order to an acceptable level. This paper aim to study the security issues about IWSNs as well as put forward a practical solution to evaluate the risk of IWSNs, which can guide us to make risk evaluation process and improve the security of IWSNs through appropriate countermeasures.

In this paper, an industrial testbed is proposed utilizing commercial-off-the-shelf equipment, and it is used to study the weakness of industrial Ethernet, i.e., PROFINET. The investigation is based on observation of the principles of operation of PROFINET and the functionality of industrial control systems.

Industrial Control Systems (ICS) are found in critical infrastructure such as for power generation and water treatment. When security requirements are incorporated into an ICS, one needs to test the additional code and devices added do improve the prevention and detection of cyber attacks. Conducting such tests in legacy systems is a challenge due to the high availability requirement. An approach using Timed Automata (TA) is proposed to overcome this challenge. This approach enables assessment of the effectiveness of an attack detection method based on process invariants. The approach has been demonstrated in a case study on one stage of a 6- stage operational water treatment plant. The model constructed captured the interactions among components in the selected stage. In addition, a set of attacks, attack detection mechanisms, and security specifications were also modeled using TA. These TA models were conjoined into a network and implemented in UPPAAL. The models so implemented were found effective in detecting the attacks considered. The study suggests the use of TA as an effective tool to model an ICS and study its attack detection mechanisms as a complement to doing so in a real plant-operational or under design.

Often considered as the brain of an industrial process, Industrial control systems are presented as the vital part of today's critical infrastructure due to their crucial role in process control and monitoring. Any failure or error in the system will have a considerable damage. Their openness to the internet world raises the risk related to cyber-attacks. Therefore, it's necessary to consider cyber security challenges while designing an ICS in order to provide security services such as authentication, integrity, access control and secure communication channels. To implement such services, it's necessary to provide an efficient key management system (KMS) as an infrastructure for all cryptographic operations, while preserving the functional characteristics of ICS. In this paper we will analyze existing KMS and their suitability for ICS, then we propose a new KMS based on Identity Based Cryptography (IBC) as a better alternative to traditional KMS. In our proposal, we consider solving two security problems in IBC which brings it up to be more suitable for ICS.

OpenFlow has recently emerged as a powerful paradigm to help build dynamic, adaptive and agile networks. By decoupling control plane from data plane, OpenFlow allows network operators to program a centralized intelligence, OpenFlow controller, to manage network-wide traffic flows to meet the changing needs. However, from the security's point of view, a buggy or even malicious controller could compromise the control logic, and then the entire network. Even worse, the recent attack Stuxnet on industrial control systems also indicates the similar, severe threat to OpenFlow controllers from the commercial operating systems they are running on. In this paper, we comprehensively studied the attack vectors against the OpenFlow critical component, controller, and proposed a cross layer diversity approach that enables OpenFlow controllers to detect attacks, corruptions, failures, and then automatically continue correct execution. Case studies demonstrate that our approach can protect OpenFlow controllers from threats coming from compromised operating systems and themselves.

A lot of research in security of cyber physical systems focus on threat models where an attacker can spoof sensor readings by compromising the communication channel. A little focus is given to attacks on physical components. In this paper a method to detect potential attacks on physical components in a Cyber Physical System (CPS) is proposed. Physical attacks are detected through a comparison of noise pattern from sensor measurements to a reference noise pattern. If an adversary has physically modified or replaced a sensor, the proposed method issues an alert indicating that a sensor is probably compromised or is defective. A reference noise pattern is established from the sensor data using a deterministic model. This pattern is referred to as a fingerprint of the corresponding sensor. The fingerprint so derived is used as a reference to identify measured data during the operation of a CPS. Extensive experimentation with ultrasonic level sensors in a realistic water treatment testbed point to the effectiveness of the proposed fingerprinting method in detecting physical attacks.

New generations of industrial control systems offer higher performance, they are distributed, and it is very likely that they are internet connected in one way or another. These trends raise new challenges in the contexts of reliability and security. We propose a novel approach that tackles the complexity of industrial control systems at design time and run time. At design time our target is to ease the configuration and verification of controller configurations through model-driven engineering techniques together with the contract-based design paradigm. At run time the information from design time is reused in order to support a modular and distributed self-adaptive software system that aims to increase reliability and security. The industrial setting of the presented approach are control devices for hydropower plant units.

Cyber-Physical Systems (CPS) represent a fundamental link between information technology (IT) systems and the devices that control industrial production and maintain critical infrastructure services that support our modern world. Increasingly, the interconnections among CPS and IT systems have created exploitable security vulnerabilities due to a number of factors, including a legacy of weak information security applications on CPS and the tendency of CPS operators to prioritize operational availability at the expense of integrity and confidentiality. As a result, CPS are subject to a number of threats from cyber attackers and cyber-physical attackers, including denial of service and even attacks against the integrity of the data in the system. The effects of these attacks extend beyond mere loss of data or the inability to access information system services. Attacks against CPS can cause physical damage in the real world. This paper reviews the challenges of providing information assurance services for CPS that operate critical infrastructure systems and industrial control systems. These methods are thorough measures to close integrity and confidentiality gaps in CPS and processes to highlight the security risks that remain. This paper also outlines approaches to reduce the overhead and complexity for security methods, as well as examine novel approaches, including covert communications channels, to increase CPS security.

Intrusion detection has been an active field of research for more than 35 years. Numerous systems had been built based on the two fundamental detection principles, knowledge-based and behavior-based detection. Anyway, having a look at day-to-day news about data breaches and successful attacks, detection effectiveness is still limited. Even more, heavy-weight intrusion detection systems cannot be installed in every endangered environment. For example, Industrial Control Systems are typically utilized for decades, charging off huge investments of companies. Thus, some of these systems have been in operation for years, but were designed afore without security in mind. Even worse, as systems often have connections to other networks and even the Internet nowadays, an adequate protection is mandatory, but integrating intrusion detection can be extremely difficult - or even impossible to date. We propose a new lightweight current-based IDS which is using a difficult to manipulate measurement base and verifiable ground truth. Focus of our system is providing intrusion detection for ICS and SCADA on a low-priced base, easy to integrate. Dr. WATTson, a prototype implemented based on our concept provides high detection and low false alarm rates.

Current intrusion detection systems (IDS) for industrial control systems (ICS) mostly involve the retrofitting of conventional network IDSs, such as SNORT. Such an approach is prone to missing highly targeted and specific attacks against ICS. Where ICS-specific approaches exist, they often rely on passive network monitoring techniques, offering a low cost solution, and avoiding any computational overhead arising from actively polling ICS devices. However, the use of passive approaches alone could fail in the detection of attacks that alter the behaviour of ICS devices (as was the case in Stuxnet). Where active solutions exist, they can be resource-intensive, posing the risk of overloading legacy devices which are commonplace in ICSs. In this paper we aim to overcome these challenges through the combination of a passive network monitoring approach, and selective active monitoring based on attack vectors specific to an ICS context. We present the implementation of our IDS, SENAMI, for use with Siemens S7 devices. We evaluate the effectiveness of SENAMI in a comprehensive testbed environment, demonstrating validity of the proposed approach through the detection of purely passive attacks at a rate of 99%, and active value tampering attacks at a rate of 81-93%. Crucially, we reach recall values greater than 0.96, indicating few attack scenarios generating false negatives.

In this work, we address the problem of designing and implementing honeypots for Industrial Control Systems (ICS). Honeypots are vulnerable systems that are set up with the intent to be probed and compromised by attackers. Analysis of those attacks then allows the defender to learn about novel attacks and general strategy of the attacker. Honeypots for ICS systems need to satisfy both traditional ICT requirements, such as cost and maintainability, and more specific ICS requirements, such as time and determinism. We propose the design of a virtual, high-interaction and server-based ICS honeypot to satisfy the requirements, and the deployment of a realistic, cost-effective, and maintainable ICS honeypot. An attacker model is introduced to complete the problem statement and requirements. Based on our design and the MiniCPS framework, we implemented a honeypot mimicking a water treatment testbed. To the best of our knowledge, the presented honeypot implementation is the first academic work targeting Ethernet/IP based ICS honeypots, the first ICS virtual honeypot that is high-interactive without the use of full virtualization technologies (such as a network of virtual machines), and the first ICS honeypot that can be managed with a Software-Defined Network (SDN) controller.

Outsourcing a huge amount of local data to remote cloud servers that has been become a significant trend for industries. Leveraging the considerable cloud storage space, industries can also put forward the outsourced data to cloud computing. How to collect the data for computing without loss of privacy and confidentiality is one of the crucial security problems. Searchable encryption technique has been proposed to protect the confidentiality of the outsourced data and the privacy of the corresponding data query. This technique, however, only supporting search functionality, may not be fully applicable to real-world cloud computing scenario whereby secure data search, share as well as computation are needed. This work presents a novel encrypted cloud-based data share and search system without loss of user privacy and data confidentiality. The new system enables users to make conjunctive keyword query over encrypted data, but also allows encrypted data to be efficiently and multiply shared among different users without the need of the "download-decrypt-then-encrypt" mode. As of independent interest, our system provides secure keyword update, so that users can freely and securely update data's keyword field. It is worth mentioning that all the above functionalities do not incur any expansion of ciphertext size, namely, the size of ciphertext remains constant during being searched, shared and keyword-updated. The system is proven secure and meanwhile, the efficiency analysis shows its great potential in being used in large-scale database.

Modern Industrial Control Systems (ICS) rely on enterprise to plant floor connectivity. Where the size, diversity, and therefore complexity of ICS increase, operational requirements, goals, and challenges defined by users across various sub-systems follow. Recent trends in Information Technology (IT) and Operational Technology (OT) convergence may cause operators to lose a comprehensive understanding of end-to-end data flow requirements. This presents a risk to system security and resilience. Sensors were once solely applied for operational process use, but now act as inputs supporting a diverse set of organisational requirements. If these are not fully understood, incomplete risk assessment, and inappropriate implementation of security controls could occur. In search of a solution, operators may turn to standards and guidelines. This paper reviews popular standards and guidelines, prior to the presentation of a case study and conceptual tool, highlighting the importance of data flows, critical data processing points, and system-to-user relationships. The proposed approach forms a basis for risk assessment and security control implementation, aiding the evolution of ICS security and resilience.

As information systems become increasingly interdependent, there is an increased need to share cybersecurity data across government agencies and companies, and within and across industrial sectors. This sharing includes threat, vulnerability and incident reporting data, among other data. For cyberattacks that include sociotechnical vectors, such as phishing or watering hole attacks, this increased sharing could expose customer and employee personal data to increased privacy risk. In the US, privacy risk arises when the government voluntarily receives data from companies without meaningful consent from individuals, or without a lawful procedure that protects an individual's right to due process. In this paper, we describe a study to examine the trade-off between the need for potentially sensitive data, which we call incident data usage, and the perceived privacy risk of sharing that data with the government. The study is comprised of two parts: a data usage estimate built from a survey of 76 security professionals with mean eight years' experience; and a privacy risk estimate that measures privacy risk using an ordinal likelihood scale and nominal data types in factorial vignettes. The privacy risk estimate also factors in data purposes with different levels of societal benefit, including terrorism, imminent threat of death, economic harm, and loss of intellectual property. The results show which data types are high-usage, low-risk versus those that are low-usage, high-risk. We discuss the implications of these results and recommend future work to improve privacy when data must be shared despite the increased risk to privacy.