Biblio

Industrial control systems (ICSs) have become more complex due to their increasing connectivity, heterogeneity and, autonomy. As a result, cyber-threats against such systems have been significantly increased as well. Since a compromised industrial system can easily lead to hazardous safety and security consequences, it is crucial to develop security countermeasures to protect coexisting IT systems and industrial physical processes being involved in modern ICSs. Accordingly, in this study, we propose a deep learning-based semantic anomaly detection framework to model the complex behavior of ICSs. In contrast to the related work assuming only simpler security threats targeting individual controllers in an ICS, we address multi-PLC attacks that are harder to detect as requiring to observe the overall system state alongside single-PLC attacks. Using industrial simulation and emulation frameworks, we create a realistic setup representing both the production and networking aspects of industrial systems and conduct some potential attacks. Our experimental results indicate that our model can detect single-PLC attacks with 95% accuracy and multi-PLC attacks with 80% accuracy and nearly 1% false positive rate.

Conpot is a low-interaction SCADA honeypot system that mimics a Siemens S7-200 proprietary device on default deployments. Honeypots operating using standard configurations can be easily detected by adversaries using scanning tools such as Shodan. This study focuses on the capabilities of the Conpot honeypot, and how these competences can be used to lure attackers. In addition, the presented research establishes a framework that enables for the customized configuration, thereby enhancing its functionality to achieve a high degree of deceptiveness and realism when presented to the Shodan scanners. A comparison between the default and configured deployments is further conducted to prove the modified deployments' effectiveness. The resulting annotations can assist cybersecurity personnel to better acknowledge the effectiveness of the honeypot's artifacts and how they can be used deceptively. Lastly, it informs and educates cybersecurity audiences on how important it is to deploy honeypots with advanced deceptive configurations to bait cybercriminals.

In the industrial control system, in order to solve the problem that the installation of smart devices in a transparent environment are faced with the unknown attack problems, because most of the industrial control equipment to detect unknown risks, Therefore, by studying the security protection of the current industrial control system and the trust mechanism that should be widely used in the Internet of things, this paper presents the abnormal node detection mode based on comprehensive trust applied to the industrial control system scenarios. This model firstly proposes a model, which fuses direct and indirect trust values into current trust values through support algorithm and vector similarity algorithm, and then combines them with historical trust values, and gives the calculation method of each trust value. Finally, a method to determine abnormal nodes based on comprehensive trust degree is given to realize a detection process for all industrial control nodes. By analyzing the real data case provided by Melbourne Water, it is concluded that this model can improve the detection range and detection accuracy of abnormal nodes. It can accurately judge and effectively resist malicious behavior and also have a good resistance to aggression.

With an increasing number of adversarial attacks against Industrial Control Systems (ICS) networks, enhancing the security of such systems is invaluable. Although attack prevention strategies are often in place, protecting against all attacks, especially zero-day attacks, is becoming impossible. Intrusion Detection Systems (IDS) are needed to detect such attacks promptly. Machine learning-based detection systems, especially deep learning algorithms, have shown promising results and outperformed other approaches. In this paper, we study the efficacy of a deep learning approach, namely, Multi Layer Perceptron (MLP), in detecting abnormal behaviors in ICS network traffic. We focus on very common reconnaissance attacks in ICS networks. In such attacks, the adversary focuses on gathering information about the targeted network. To evaluate our approach, we compare MLP with isolation Forest (i Forest), a statistical machine learning approach. Our proposed deep learning approach achieves an accuracy of more than 99% while i Forest achieves only 75%. This helps to reinforce the promise of using deep learning techniques for anomaly detection.

Industrial Control Systems (ICS) are complex systems made up of many components with different tasks. For a safe and secure operation, each device needs to carry out its tasks correctly. To monitor a system and ensure the correct behavior of systems, anomaly detection is used.Models of expected behavior often rely only on cyber or physical features for anomaly detection. We propose an anomaly detection system that combines both types of features to create a dynamic fingerprint of an ICS. We present how a cyber-physical anomaly detection using sound on the physical layer can be designed, and which challenges need to be overcome for a successful implementation. We perform an initial evaluation for identifying actions of a 3D printer.

Industrial Control System (ICS) communication transmits monitoring and control data between industrial processes and the control station. ICS systems cover various domains of critical infrastructure such as the power plants, water and gas distribution, or aerospace traffic control. Security of ICS systems is usually implemented on the perimeter of the network using ICS enabled firewalls or Intrusion Detection Systems (IDSs). These techniques are helpful against external attacks, however, they are not able to effectively detect internal threats originating from a compromised device with malicious software. In order to mitigate or eliminate internal threats against the ICS system, we need to monitor ICS traffic and detect suspicious data transmissions that differ from common operational communication. In our research, we obtain ICS monitoring data using standardized IPFIX flows extended with meta data extracted from ICS protocol headers. Unlike other anomaly detection approaches, we focus on modelling the semantics of ICS communication obtained from the IPFIX flows that describes typical conversational patterns. This paper presents a technique for modelling ICS conversations using frequency prefix trees and Deterministic Probabilistic Automata (DPA). As demonstrated on the attack scenarios, these models are efficient to detect common cyber attacks like the command injection, packet manipulation, network scanning, or lost connection. An important advantage of our approach is that the proposed technique can be easily integrated into common security information and event management (SIEM) systems with Netflow/IPFIX support. Our experiments are performed on IEC 60870-5-104 (aka IEC 104) control communication that is widely used for the substation control in smart grids.

As a decoy for hackers, honeypots have been proved to be a very valuable tool for collecting real data. However, due to closed source and vendor-specific firmware, there are significant limitations in cost for researchers to design an easy-to-use and high-interaction honeypot for industrial control systems (ICSs). To solve this problem, it’s necessary to find a cost-effective solution. In this paper, we propose a novel honeypot architecture termed HoneyVP to support a semi-virtual and semi-physical honeypot design and implementation to enable high cost performance. Specially, we first analyze cyber-attacks on ICS devices in view of different interaction levels. Then, in order to deal with these attacks, our HoneyVP architecture clearly defines three basic independent and cooperative components, namely, the virtual component, the physical component, and the coordinator. Finally, a local-remote cooperative ICS honeypot system is implemented to validate its feasibility and effectiveness. Our experimental results show the advantages of using the proposed architecture compared with the previous honeypot solutions. HoneyVP provides a cost-effective solution for ICS security researchers, making ICS honeypots more attractive and making it possible to capture physical interactions.

Cyber-attacks on our Nation's Critical Infrastructure are growing. In this research, a Cyber Threat Intelligence (CTI) framework is proposed, developed, and tested. The results of the research, using 5 different simulated attacks on a dataset from an Industrial Control System (ICS) testbed, are presented with the extracted IOCs. The Bagging Decision Trees model showed the highest performance of testing accuracy (94.24%), precision (0.95), recall (0.93), and F1-score (0.94) among the 9 different machine learning models studied.

The paper gives an overview of the ICS security and focuses on Control Systems. Use of internet had security challenges which led to the development of ICS which is designed to be dependable and safe. PCS, DCS and SCADA all are subsets of ICS. The paper gives a description of the developments in the ICS security and covers the most interesting work done by researchers. The paper also provides research information about the parameters on which a remotely executed cyber-attack depends.

In this work a data provenance system for grid-oriented applications is presented. The proposed Keyless Infrastructure Security Solution (KISS) provides mechanisms to store and maintain digital data fingerprints that can later be used to validate and assert data provenance using a time-based, hash tree mechanism. The developed solution has been designed to satisfy the stringent requirements of the modern power grid including execution time and storage necessities. Its applicability has been tested using a lab-scale, proof-of-concept deployment that secures an energy management system against the attack sequence observed on the 2016 Ukrainian power grid cyberattack. The results demonstrate a strong potential for enabling data provenance in a wide array of applications, including speed-sensitive applications such as those found in control room environments.

With the advancement of network technology, more electronic devices have begun to connect to the Internet. The era of IoE (Internet of Everything) is coming. However, the number of serious incidents of cyberattacks on important facilities has gradually increased at the same time. Security becomes an important issue when setting up plenty of network devices in an environment. Thus, we propose an innovative mechanism of the Moving Target Defense (MTD) to solve the problems happening to other MTD mechanisms in the past. This method applies Dynamic Host Configuration Protocol (DHCP) to dynamically change the IPv4 address of information equipment in the medical environment. In other words, each of the nodes performs IP-Hopping and effectively avoids malicious attacks. Communication between devices relies on DNS lookup. The mechanism avoids problems such as time synchronization and IP conflict. Also, it greatly reduces the costs of large-scale deployment. All of these problems are encountered by other MTD mechanisms in the past. Not only can the mechanism be applied to the medical and information equipment, it can also be applied to various devices connected to the Internet, including Industrial Control System (ICS). The mechanism is implemented in existing technologies and prevents other problems, which makes it easy to build a system.

The numerous attacks on ICS systems have made severe threats to critical infrastructure. Extensive studies have focussed on the risk assessment of discovering vulnerabilities. However, to identify Zero-day vulnerabilities is challenging because they are unknown to defenders. Here we sought to measure ICS system zero-day risk by building an enhanced attack graph for expected attack path exploiting zero-day vulnerability. In this study, we define the security metrics of Zero-day vulnerability for an ICS. Then we created a Zero-day attack graph to guide how to harden the system by measuring attack paths that exploiting zero-day vulnerabilities. Our studies identify the vulnerability assessment method on ICS systems considering Zero-day Vulnerability by zero-day attack graph. Together, our work is essential to ICS systems security. By assessing unknown vulnerability risk to close the imbalance between attackers and defenders.

The purpose of this paper is threefold. First, it makes the case for incorporating cybersecurity principles into undergraduate Engineering Technology Education and for incorporating Industrial Control Systems (ICS) principles into undergraduate Information Technology (IT)/Cybersecurity Education. Specifically, the paper highlights the knowledge/skill gap between engineers and IT/Cybersecurity professionals with respect to the cybersecurity of the ICS. Secondly, it identifies several areas where traditional IT systems and ICS intercept. This interception not only implies that ICS are susceptible to the same cyber threats as traditional IT/IS but also to threats that are unique to ICS. Subsequently, the paper identifies several areas where cybersecurity principles can be applied to ICS. By incorporating cybersecurity principles into Engineering Technology Education, the paper hopes to provide IT/Cybersecurity and Engineering Students with (a) the theoretical knowledge of the cybersecurity issues associated with administering and operating ICS and (b) the applied technical skills necessary to manage and mitigate the cyber risks against these systems. Overall, the paper holds the promise of contributing to the ongoing effort aimed at bridging the knowledge/skill gap with respect to securing ICS against cyber threats and attacks.

With the rapid development of the Industrial Internet, the network security risks faced by industrial control systems (ICSs) are becoming more and more intense. How to do a good job in the security protection of industrial control systems is extremely urgent. For traditional network security, industrial control systems have some unique characteristics, which results in traditional intrusion detection systems that cannot be directly reused on it. Aiming at the industrial control system, this paper constructs all attack paths from the hacker's perspective through the attack tree model, and uses the LSTM algorithm to identify and classify the attack behavior, and then further classify the attack event by extracting atomic actions. Finally, through the constructed attack tree model, the results are reversed and predicted. The results show that the model has a good effect on attack recognition, and can effectively analyze the hacker attack path and predict the next attack target.

Industrial control systems (ICSs) are used in various infrastructures and industrial plants for realizing their control operation and ensuring their safety. Concerns about the cybersecurity of industrial control systems have raised due to the increased number of cyber-attack incidents on critical infrastructures in the light of the advancement in the cyber activity of ICSs. Nevertheless, the operation of the industrial control systems is bind to vital aspects in life, which are safety, economy, and security. This paper presents a semi-supervised, hybrid attack detection approach for industrial control systems by combining Isolation Forest and Convolutional Neural Network (CNN) models. The proposed framework is developed using the normal operational data, and it is composed of a feature extraction model implemented using a One-Dimensional Convolutional Neural Network (1D-CNN) and an isolation forest model for the detection. The two models are trained independently such that the feature extraction model aims to extract useful features from the continuous-time signals that are then used along with the binary actuator signals to train the isolation forest-based detection model. The proposed approach is applied to a down-scaled industrial control system, which is a water treatment plant known as the Secure Water Treatment (SWaT) testbed. The performance of the proposed method is compared with the other works using the same testbed, and it shows an improvement in terms of the detection capability.

This paper examines multiple machine learning models to find the model that best indicates anomalous activity in an industrial control system that is under a software-based attack. The researched machine learning models are Random Forest, Gradient Boosting Machine, Artificial Neural Network, and Recurrent Neural Network classifiers built-in Python and tested against the HIL-based Augmented ICS dataset. Although the results showed that Random Forest, Gradient Boosting Machine, Artificial Neural Network, and Long Short-Term Memory classification models have great potential for anomaly detection in industrial control systems, we found that Random Forest with tuned hyperparameters slightly outperformed the other models.

To reduce cost and ease maintenance, industrial control systems (ICS) have adopted Ethernetbased interconnections that integrate operational technology (OT) systems with information technology (IT) networks. This integration has made these critical systems vulnerable to attack. Security solutions tailored to ICS environments are an active area of research. Anomalybased network intrusion detection systems are well-suited for these environments. Often these systems must be optimized for their specific environment. In prior work, we introduced a method for assessing the impact of various anomaly-based network IDS settings on security. This paper reviews the experimental outcomes when we applied our method to a full-scale ICS test bed using actual attacks. Our method provides new and valuable data to operators enabling more informed decisions about IDS configurations.

This article is focused on industrial networks and their security. An industrial network typically works with older devices that do not provide security at the level of today's requirements. Even protocols often do not support security at a sufficient level. It is necessary to deal with these security issues due to digitization. It is therefore required to provide other techniques that will help with security. For this reason, it is possible to deploy additional elements that will provide additional security and ensure the monitoring of the network, such as the Intrusion Detection System. These systems recognize identified signatures and anomalies. Methods of detecting security incidents by detecting anomalies in network traffic are described. The proposed methods are focused on detecting DoS attacks in the industrial Modbus protocol and operations performed outside the standard interval in the Distributed Network Protocol 3. The functionality of the performed methods is tested in the IDS system Zeek.

Modern industrial control systems (ICS) act as victims of cyber attacks more often in last years. These cyber attacks often can not be detected by classical information security methods. Moreover, the consequences of cyber attack's impact can be catastrophic. Since cyber attacks leads to appearance of anomalies in the ICS and technological equipment controlled by it, the task of intrusion detection for ICS can be reformulated as the task of industrial process anomaly detection. This paper considers the applicability of generative adversarial networks (GANs) in the field of industrial processes anomaly detection. Existing approaches for GANs usage in the field of information security (such as anomaly detection in network traffic) were described. It is proposed to use the BiGAN architecture in order to detect anomalies in the industrial processes. The proposed approach has been tested on Secure Water Treatment Dataset (SWaT). The obtained results indicate the prospects of using the examined method in practice.

Cyber-Physical Systems (CPS) are monitored and controlled by Supervisory Control and Data Acquisition (SCADA) systems that use advanced computing, sensors, control systems, and communication networks. At first, CPS and SCADA systems were protected and secured by isolation. However, with recent industrial technology advances, the increased connectivity of CPSs and SCADA systems to enterprise networks has uncovered them to new cybersecurity threats and made them a primary target for cyber-attacks with the potential of causing catastrophic economic, social, and environmental damage. Recent research focuses on new methodologies for risk modeling and assessment using game theory and reinforcement learning. This paperwork proposes to frame CPS security on two different levels, strategic and battlefield, by meeting ideas from game theory and Multi-Agent Reinforcement Learning (MARL). The strategic level is modeled as imperfect information, extensive form game. Here, the human administrator and the malware author decide on the strategies of defense and attack, respectively. At the battlefield level, strategies are implemented by machine learning agents that derive optimal policies for run-time decisions. The outcomes of these policies manifest as the utility at a higher level, where we aim to reach a Nash Equilibrium (NE) in favor of the defender. We simulate the scenario of a virus spreading in the context of a CPS network. We present experiments using the MiniCPS simulator and the OpenAI Gym toolkit and discuss the results.

Blockchain technology has brought a huge paradigm shift in multiple industries, by integrating distributed ledger, smart contracts and consensus protocol under the same roof. Notable applications of blockchain include cryptocurrencies and large-scale multi-party transaction management systems. The latter fits very well into the domain of manufacturing and supply chain management for Integrated Circuits (IC), which, despite several advanced technologies, is vulnerable to malicious practices, such as overproduction, IP piracy and deleterious design modification to gain unfair advantages. To combat these threats, researchers have proposed several ideas like hardware metering, design obfuscation, split manufacturing and watermarking. In this paper, we show, how these issues can be complementarily dealt with using blockchain technology coupled with identity-based encryption and physical unclonable functions, for improved resilience against certain adversarial motives. As part of our proposed blockchain protocol, titled `BLIC', we propose an authentication mechanism to secure both active and passive IC transactions, and a composite consensus protocol designed for IC supply chains. We also present studies on the security, scalability, privacy and anonymity of the BLIC protocol.

Detecting process-based attacks on industrial control systems (ICS) is challenging. These cyber-attacks are designed to disrupt the industrial process by changing the state of a system, while keeping the system's behaviour close to the expected behaviour. Such anomalous behaviour can be effectively detected by an event-driven approach. Petri Net (PN) model identification has proved to be an effective method for event-driven system analysis and anomaly detection. However, PN identification-based anomaly detection methods require ICS device logs to be converted into event logs (sequence of events). Therefore, in this paper we present a formalised method for pre-processing and transforming ICS device logs into event logs. The proposed approach outperforms the previous methods of device logs processing in terms of anomaly detection. We have demonstrated the results using two published datasets.

Industrial Control systems traditionally achieved security by using proprietary protocols to communicate in an isolated environment from the outside. This paradigm is changed with the advent of the Industrial Internet of Things that foresees flexible and interconnected systems. In this contribution, a device acting as a connection between the operational technology network and information technology network is proposed. The device is an intrusion detection system related to legacy systems that is able to collect and reporting data to and from industrial IoT devices. It is based on the common signature based intrusion detection system developed in the information technology domain, however, to cope with the constraints of the operation technology domain, it exploits anomaly based features. Specifically, it is able to analyze the traffic on the network at application layer by mean of deep packet inspection, parsing the information carried by the proprietary protocols. At a later stage, it collect and aggregate data from and to IoT domain. A simple set up is considered to prove the effectiveness of the approach.

In view of the problem that the intrusion detection method based on One-Class Support Vector Machine (OCSVM) could not detect the outliers within the industrial data, which results in the decision function deviating from the training sample, an anomaly intrusion detection algorithm based on Robust Incremental Principal Component Analysis (RIPCA) -OCSVM is proposed in this paper. The method uses RIPCA algorithm to remove outliers in industrial data sets and realize dimensionality reduction. In combination with the advantages of OCSVM on the single classification problem, an anomaly detection model is established, and the Improved Particle Swarm Optimization (IPSO) is used for model parameter optimization. The simulation results show that the method can efficiently and accurately identify attacks or abnormal behaviors while meeting the real-time requirements of the industrial control system (ICS).

With the proposal of the national industrial 4.0 strategy, the integration of industrial control network and Internet technology is getting higher and higher. At the same time, the closeness of industrial control networks has been broken to a certain extent, making the problem of industrial control network security increasingly serious. S7 protocol is a private protocol of Siemens Company in Germany, which is widely used in the communication process of industrial control network. In this paper, an industrial control intrusion detection model based on S7 protocol is proposed. Traditional protocol parsing technology cannot resolve private industrial control protocols, so, this model uses deep analysis algorithm to realize the analysis of S7 data packets. At the same time, in order to overcome the complexity and portability of static white list configuration, this model dynamically builds a white list through white list self-learning algorithm. Finally, a composite intrusion detection method combining white list detection and abnormal behavior detection is used to detect anomalies. The experiment proves that the method can effectively detect the abnormal S7 protocol packet in the industrial control network.