Biblio

This paper deals with the developing model of a honeynet that depends on the Internet of things (IoT). Due to significant of industrial services, such model helps enhancement of information security detection in industrial domain, the model is designed to detect adversaries whom attempt to attack industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. The model consists of hardware and software aspects, designed to focus on ICS services that managed remotely via SCADA systems. In order to prove the work of the model, a few of security tools are used such as Shodan, Nmap and others. These tools have been applied locally inside LAN and globally via internet to get proving results. Ultimately, results contain a list of protocols and ports that represent industry control services. To clarify outputs, it contains tcp/udp ports 623, 102, 1025 and 161 which represent respectively IPMI, S7comm, KAMSTRAP and SNMP services.

With the development of smart grid, information and energy integrate deeply. For remote monitoring and cluster management, SCADA system of wind farm should be connected to Internet. However, communication security and operation risk put forward a challenge to data network of the wind farm. To address this problem, an active security defense strategy combined whitelist and security situation assessment is proposed. Firstly, the whitelist is designed by analyzing the legitimate packet of Modbus on communication of SCADA servers and PLCs. Then Knowledge Automation is applied to establish the Decision Requirements Diagram (DRD) for wind farm security. The D-S evidence theory is adopted to assess operation situation of wind farm and it together with whitelist offer the security decision for wind turbine. This strategy helps to eliminate the wind farm owners' security concerns of data networking, and improves the integrity of the cyber security defense for wind farm.

Supervisory control and data acquisition (SCADA) systems are the key driver for critical infrastructures and industrial facilities. Cyber-attacks to SCADA networks may cause equipment damage or even fatalities. Identifying risks in SCADA networks is critical to ensuring the normal operation of these industrial systems. In this paper we propose a Bayesian network-based cyber-security risk assessment model to dynamically and quantitatively assess the security risk level in SCADA networks. The major distinction of our work is that the proposed risk assessment method can learn model parameters from historical data and then improve assessment accuracy by incrementally learning from online observations. Furthermore, our method is able to assess the risk caused by unknown attacks. The simulation results demonstrate that the proposed approach is effective for SCADA security risk assessment.

In order to ensure the security of electric power supervisory control and data acquisition (SCADA) system, this paper proposes a dynamic awareness security protection model based on security policy, the design idea of which regards safety construction protection as a dynamic analysis process and the security policy should adapt to the network dynamics. According to the current situation of the power SCADA system, the related security technology and the investigation results of system security threat, the paper analyzes the security requirements and puts forward the construction ideas of security protection based on policy protection detection response (P2DR) policy model. The dynamic awareness security protection model proposed in this paper is an effective and useful tool for protecting the security of power-SCADA system.

Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly run with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, and the legacy aspects makes adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats and benign malconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we have shown an application of the technique to the IEC-60870-5-104 protocol and tested the anomaly detector with mixed results. The detection accuracy and false positive rate, as well as real-time response was adequate for 3 of our 4 created attacks. We also discovered some additional work that needs to be done to an existing protocol parser to extend its reach.

Honeypots are a common tool to set intrusion alarms and to study attacks against computer systems. In order to be convincing, honeypots attempt to resemble actual systems that are in active use. Recently, researchers have begun to develop honeypots for programmable logic controllers (PLCs). The tools of which we are aware have limited functionality compared to genuine devices. Particularly, they do not support running actual PLC programs. In order to improve upon the interactive capabilities of PLC honeypots we set out to develop a simulator for Siemens S7-300 series PLCs. Our current prototype XPOT supports PLC program compilation and interpretation, the proprietary S7comm protocol and SNMP. While the supported feature set is not yet comprehensive, it is possible to program it using standard IDEs such as Siemens' TIA portal. Additionally, we emulate the characteristics of the network stack of our reference PLC in order to resist OS fingerprinting attempts using tools such as Nmap. Initial experiments with students whom we trained in PLC programming indicate that XPOT may resist cursory inspection but still fails against knowledgeable and suspicious adversaries. We conclude that high-interactive PLC honeypots need to support a fairly complete feature set of the genuine, simulated PLC.

Smart grid aims to improve control and monitoring routines to ensure reliable and efficient supply of electricity. The rapid advancements in information and communication technologies of Supervisory Control And Data Acquisition (SCADA) networks, however, have resulted in complex cyber physical systems. This added complexity has broadened the attack surface of power-related applications, amplifying their susceptibility to cyber threats. A particular class of system integrity attacks against the smart grid is False Data Injection (FDI). In a successful FDI attack, an adversary compromises the readings of grid sensors in such a way that errors introduced into estimates of state variables remain undetected. This paper presents an end-to-end case study of how to instantiate real FDI attacks to the Alternating Current (AC) –nonlinear– State Estimation (SE) process. The attack is realized through firmware modifications of the microprocessor-based remote terminal systems, falsifying the data transmitted to the SE routine, and proceeds regardless of perfect or imperfect knowledge of the current system state. The case study concludes with an investigation of an attack on the IEEE 14 bus system using load data from the New York Independent System Operator (NYISO).

Modern Industrial Control Systems (ICS) rely on enterprise to plant floor connectivity. Where the size, diversity, and therefore complexity of ICS increase, operational requirements, goals, and challenges defined by users across various sub-systems follow. Recent trends in Information Technology (IT) and Operational Technology (OT) convergence may cause operators to lose a comprehensive understanding of end-to-end data flow requirements. This presents a risk to system security and resilience. Sensors were once solely applied for operational process use, but now act as inputs supporting a diverse set of organisational requirements. If these are not fully understood, incomplete risk assessment, and inappropriate implementation of security controls could occur. In search of a solution, operators may turn to standards and guidelines. This paper reviews popular standards and guidelines, prior to the presentation of a case study and conceptual tool, highlighting the importance of data flows, critical data processing points, and system-to-user relationships. The proposed approach forms a basis for risk assessment and security control implementation, aiding the evolution of ICS security and resilience.

In this research paper, we present a function-based methodology to evaluate the resilience of gas pipeline systems under two different cyber-physical attack scenarios. The first attack scenario is the pressure integrity attack on the natural gas high-pressure transmission pipeline. Through simulations, we have analyzed the cyber attacks that propagate from cyber to the gas pipeline physical domain, the time before which the SCADA system should respond to such attacks, and finally, an attack which prevents the response of the system. We have used the combined results of simulations of a wireless mesh network for remote terminal units and of a gas pipeline simulation to measure the shortest Time to Criticality (TTC) parameter; the time for an event to reach the failure state. The second attack scenario describes how a failure of a cyber node controlling power grid functionality propagates from cyber to power to gas pipeline systems. We formulate this problem using a graph-theoretic approach and quantify the resilience of the networks by percentage of connected nodes and the length of the shortest path between them. The results show that parameters such as TTC, power distribution capacity of the power grid nodes and percentage of the type of cyber nodes compromised, regulate the efficiency and resilience of the power and gas networks. The analysis of such attack scenarios helps the gas pipeline system administrators design attack remediation algorithms and improve the response of the system to an attack.

With an immense number of threats pouring in from nation states and hacktivists as well as terrorists and cybercriminals, the requirement of a globally secure infrastructure becomes a major obligation. Most critical infrastructures were primarily designed to work isolated from the normal communication network, but due to the advent of the "Smart Grid" that uses advanced and intelligent approaches to control critical infrastructure, it is necessary for these cyber-physical systems to have access to the communication system. Consequently, such critical systems have become prime targets; hence security of critical infrastructure is currently one of the most challenging research problems. Performing an extensive security analysis involving experiments with cyber-attacks on a live industrial control system (ICS) is not possible. Therefore, researchers generally resort to test beds and complex simulations to answer questions related to SCADA systems. Since all conclusions are drawn from the test bed, it is necessary to perform validation against a physical model. This paper examines the fidelity of a virtual SCADA testbed to a physical test bed and allows for the study of the effects of cyber- attacks on both of the systems.

This paper presents a supervisory control and data acquisition (SCADA) testbed recently built at the University of New Orleans. The testbed consists of models of three industrial physical processes: a gas pipeline, a power transmission and distribution system, and a wastewater treatment plant–these systems are fully-functional and implemented at small-scale. It utilizes real-world industrial equipment such as transformers, programmable logic controllers (PLC), aerators, etc., bringing it closer to modeling real-world SCADA systems. Sensors, actuators, and PLCs are deployed at each physical process system for local control and monitoring, and the PLCs are also connected to a computer running human-machine interface (HMI) software for monitoring the status of the physical processes. The testbed is a useful resource for cybersecurity research, forensic research, and education on different aspects of SCADA systems such as PLC programming, protocol analysis, and demonstration of cyber attacks.

A distributed detection method is proposed to detect single stage multi-point (SSMP) attacks on a Cyber Physical System (CPS). Such attacks aim at compromising two or more sensors or actuators at any one stage of a CPS and could totally compromise a controller and prevent it from detecting the attack. However, as demonstrated in this work, using the flow properties of water from one stage to the other, a neighboring controller was found effective in detecting such attacks. The method is based on physical invariants derived for each stage of the CPS from its design. The attack detection effectiveness of the method was evaluated experimentally against an operational water treatment testbed containing 42 sensors and actuators. Results from the experiments point to high effectiveness of the method in detecting a variety of SSMP attacks but also point to its limitations. Distributing the attack detection code among various controllers adds to the scalability of the proposed method.

Traffic of Industrial Control System (ICS) between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is highly periodic. However, it is sometimes multiplexed, due to multi-threaded scheduling. In previous work we introduced a Statechart model which includes multiple Deterministic Finite Automata (DFA), one per cyclic pattern. We demonstrated that Statechart-based anomaly detection is highly effective on multiplexed cyclic traffic when the individual cyclic patterns are known. The challenge is to construct the Statechart, by unsupervised learning, from a captured trace of the multiplexed traffic, especially when the same symbols (ICS messages) can appear in multiple cycles, or multiple times in a cycle. Previously we suggested a combinatorial approach for the Statechart construction, based on Euler cycles in the Discrete Time Markov Chain (DTMC) graph of the trace. This combinatorial approach worked well in simple scenarios, but produced a false-alarm rate that was excessive on more complex multiplexed traffic. In this paper we suggest a new Statechart construction method, based on spectral analysis. We use the Fourier transform to identify the dominant periods in the trace. Our algorithm then associates a set of symbols with each dominant period, identifies the order of the symbols within each period, and creates the cyclic DFAs and the Statechart. We evaluated our solution on long traces from two production ICS: one using the Siemens S7-0x72 protocol and the other using Modbus. We also stress-tested our algorithms on a collection of synthetically-generated traces that simulate multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The resulting Statecharts model the traces with an overall median false-alarm rate as low as 0.16% on the synthetic datasets, and with zero false-alarms on production S7-0x72 traffic. Moreover, the spectral analysis Statecharts consistently out-performed the previous combinatorial Statecharts, exhibiting significantly lower false alarm rates and more compact model sizes.

In this paper, we propose a hierarchical monitoring intrusion detection system (HAMIDS) for industrial control systems (ICS). The HAMIDS framework detects the anomalies in both level 0 and level 1 of an industrial control plant. In addition, the framework aggregates the cyber-physical process data in one point for further analysis as part of the intrusion detection process. The novelty of this framework is its ability to detect anomalies that have a distributed impact on the cyber-physical process. The performance of the proposed framework evaluated as part of SWaT security showdown (S3) in which six international teams were invited to test the framework in a real industrial control system. The proposed framework outperformed other proposed academic IDS in term of detection of ICS threats during the S3 event, which was held from July 25-29, 2016 at Singapore University of Technology and Design.