Biblio

With the advent of ease of access to the internet and an increase in digital literacy among citizens, digitization of the banking sector has throttled. Countries are now aiming for a cashless society. The introduction of a Unified Payment Interface (UPI) by the National Payments Corporation of India (NPCI) in April 2016 is a game-changer for cashless models. UPI payment model is currently considered the world’s most advanced payment system, and we see many countries adopting this cashless payment mode. With the increase in its popularity, there arises the increased need to strengthen the security posture of the payment solution. In this work, we explore the privacy challenges in the existing data flow of UPI models and propose approaches to preserve the privacy of customers using the Unified Payments Interface.

Currently, the Dark Web is one key platform for the online trading of illegal products and services. Analysing the .onion sites hosting marketplaces is of interest for law enforcement and security researchers. This paper presents a study on 123k listings obtained from 6 different Dark Web markets. While most of current works leverage existing datasets, these are outdated and might not contain new products, e.g., those related to the 2020 COVID pandemic. Thus, we build a custom focused crawler to collect the data. Being able to conduct analyses on current data is of considerable importance as these marketplaces continue to change and grow, both in terms of products offered and users. Also, there are several anti-crawling mechanisms being improved, making this task more difficult and, consequently, reducing the amount of data obtained in recent years on these marketplaces. We conduct a data analysis evaluating multiple characteristics regarding the products, sellers, and markets. These characteristics include, among others, the number of sales, existing categories in the markets, the origin of the products and the sellers. Our study sheds light on the products and services being offered in these markets nowadays. Moreover, we have conducted a case study on one particular productive and dynamic drug market, i.e., Cannazon. Our initial goal was to understand its evolution over time, analyzing the variation of products in stock and their price longitudinally. We realized, though, that during the period of study the market suffered a DDoS attack which damaged its reputation and affected users' trust on it, which was a potential reason which lead to the subsequent closure of the market by its operators. Consequently, our study provides insights regarding the last days of operation of such a productive market, and showcases the effectiveness of a potential intervention approach by means of disrupting the service and fostering mistrust.

The security and reliability of power grid dispatching system is the basis of the stable development of the whole social economy. With the development of information, computer science and technology, communication technology, and network technology, using more advanced intelligent technology to improve the performance of security and reliability of power grid dispatching system has important research value and practical significance. In order to provide valuable references for relevant researchers and for the construction of future power system related applications. This paper summarizes the latest technical status of attribute encryption and hierarchical identity encryption methods, and introduces the access control method based on attribute and hierarchical identity encryption, the construction method of attribute encryption scheme, revocable CP-ABE scheme and its application in power grid data security access control. Combined with multi authorization center encryption, third-party trusted entity and optimized encryption algorithm, the parallel access control algorithm of hierarchical identity and attribute encryption and its application in power grid data security access control are introduced.

Cloud computing solutions enable Cyber-Physical Systems (CPSs) to utilize significant computational resources and implement sophisticated control algorithms even if limited computation capabilities are locally available for these systems. However, such a control architecture suffers from an important concern related to the privacy of sensor measurements and the computed control inputs within the cloud. This paper proposes a solution that allows implementing a set-theoretic model predictive controller on the cloud while preserving this privacy. This is achieved by exploiting the offline computations of the robust one-step controllable sets used by the controller and two affine transformations of the sensor measurements and control optimization problem. It is shown that the transformed and original control problems are equivalent (i.e., the optimal control input can be recovered from the transformed one) and that privacy is preserved if the control algorithm is executed on the cloud. Moreover, we show how the actuator can take advantage of the set-theoretic nature of the controller to verify, through simple set-membership tests, if the control input received from the cloud is admissible. The correctness of the proposed solution is verified by means of a simulation experiment involving a dual-tank water system.

Actuator malfunctions may have disastrous con-sequences for systems not designed to mitigate them. We focus on the loss of control authority over actuators, where some actuators are uncontrolled but remain fully capable. To counter-act the undesirable outputs of these malfunctioning actuators, we use real-time measurements and redundant actuators. In this setting, a system that can still reach its target is deemed resilient. To quantify the resilience of a system, we compare the shortest time for the undamaged system to reach the target with the worst-case shortest time for the malfunctioning system to reach the same target, i.e., when the malfunction makes that time the longest. Contrary to prior work on driftless linear systems, the absence of analytical expression for time-optimal controls of general linear systems prevents an exact calculation of quantitative resilience. Instead, relying on Lyapunov theory we derive analytical bounds on the nominal and malfunctioning reach times in order to bound quantitative resilience. We illustrate our work on a temperature control system.

Cybersecurity is without doubt becoming a societal challenge. It even starts to affect sectors that were not considered to be at risk in the past because of their relative isolation. One of these sectors is aviation in general, and specifically air traffic management. Nowadays, the cyber security is one of the essential issues of current Air Traffic Systems. Compliance with the basic principles of cyber security is mandated by European Union law as well as the national law. Therefore, EUROCONTROL as the provider of several tools or services (ARTAS, EAD, SDDS, etc.), is regularly conducting various activities, such as the cyber-security assessments, penetration testing, supply chain risk assessment, in order to maintain and improve persistence of the products against the cyber-attacks.

Since the provision of digital services in our days (e.g. container management, transport of COVID vaccinations or LNG) in most economic sectors (e.g. maritime, health, energy) involve national, EU and non-EU stakeholders compose complex Supply Chain Services (SCS). The security of the SCS is most important and it emphasized in the NIS 2 directive [3] and it is a shared responsibility of all stakeholders involved that will need to be compliant with a scheme. In this paper we present an overview of the proposed Cybersecurity Certification Scheme for Supply Chain Services (EUSCS) as proposed by the European Commission (EC) project CYRENE [1]. The EUSCS scheme covers all the three assurance levels defined in the Cybersecurity Act (CSA) [2] taking into consideration the criticality of SCS according to the NIS 2 directive [3], the ENISA Threat Landscape for Supply Chain Attacks [4] and the CYRENE extended online Information Security Management System (ISMS) that allows all SCS stakeholders to provide and access all information needed for certification purposes making the transition from current national schemes in the EU easier.

Bitcoin is a famously decentralized cryptocurrency. Bitcoin is excellent because it is a digital currency that provides convenience and security in transactions. Transaction security in Bitcoin uses a consensus involving a distributed system, the security of this system generates a hash sequence with a Proof of Work (PoW) mechanism. However, in its implementation, various attacks appear that are used to generate profits from the existing system. Attackers can use various types of methods to get an unfair portion of the mining income. Such attacks are commonly referred to as Mining attacks. Among which the famous is the Selfish Mining attack. In this study, we simulate the effect of changing decision matrix, attacker region, attacker hash rate on selfish miner attacks by using the opensource NS3 platform. The experiment aims to see the effect of using 1%, 10%, and 20% decision matrices with different attacker regions and different attacker hash rates on Bitcoin selfish mining income. The result of this study shows that regional North America and Europe have the advantage in doing selfish mining attacks. This advantage is also supported by increasing the decision matrix from 1%, 10%, 20%. The highest attacker income, when using decision matrix 20% in North America using 16 nodes on 0.3 hash rate with income 129 BTC. For the hash rate, the best result for a selfish mining attack is between 27% to 30% hash rate.

At the same time as Big Data technologies are being constantly refined, the legislation relating to data privacy is changing. The invalidation by the Court of Justice of the European Union on October 6, 2015, of the agreement known as “Safe Harbor”, negotiated by the European Commission on behalf of the European Union with the United States has two consequences. The first is to announce its replacement by a new, still fragile, program, the “Privacy Shield”, which isn't yet definitive and which could also later be repealed by the Court of Justice of the European Union. For example, we are expecting to hear the opinion in mid-April 2016 of the group of data protection authorities for the various states of the European Union, known as G29. The second is to mobilize the Big Data community to take control of the question of data privacy management and to put in place an adequate internal program.

There is an increase in interest and necessity for an interoperable and efficient railway network across Europe, creating a key distribution problem between train and trackside entities’ key management centres (KMC). Train and trackside entities establish a secure session using symmetric keys (KMAC) loaded beforehand by their respective KMC using procedures that are not scalable and prone to operational mistakes. A single system would simplify the KMAC distribution between KMCs; nevertheless, it is difficult to place the responsibility for such a system for the whole European area within one central organization. A single system could also expose relationships between KMCs, revealing information, such as plans to use an alternative route or serve a new region, jeopardizing competitive advantage. This paper proposes a scalable and decentralised key management system that allows KMC to share cryptographic keys using transactions while keeping relationships anonymous. Using non-interactive proofs of knowledge and assigning each entity a private and public key, private key owners can issue valid transactions while all system actors can validate them. Our performance analysis shows that the proposed system is scalable when a proof of concept is implemented with settings close to the expected railway landscape in 2030.

With the continuous development of computer technology, the coverage of informatization solutions covers all walks of life and all fields of society. For colleges and universities, teaching and scientific research are the basic tasks of the school. The scientific research ability of the school will affect the level of teachers and the training of students. The establishment of a good scientific research environment has become a more important link in the development of universities. SR(Scientific research) data is a prerequisite for SR activities. High-quality SR management data services are conducive to ensuring the quality and safety of SRdata, and further assisting the smooth development of SR projects. Therefore, this article mainly conducts research and practice on cloud computing-based scientific research management data services in colleges and universities. First, analyze the current situation of SR data management in colleges and universities, and the results show that the popularity of SR data management in domestic universities is much lower than that of universities in Europe and the United States, and the data storage awareness of domestic researchers is relatively weak. Only 46% of schools have developed SR data management services, which is much lower than that of European and American schools. Second, analyze the effect of CC(cloud computing )on the management of SR data in colleges and universities. The results show that 47% of SR believe that CC is beneficial to the management of SR data in colleges and universities to reduce scientific research costs and improve efficiency, the rest believe that CC can speed up data storage and improve security by acting on SR data management in colleges and universities.

We propose TaintLock, a lightweight dynamic scan data authentication and encryption scheme that performs per-pattern authentication and encryption using taint and signature bits embedded within the test pattern. To prevent IP theft, we pair TaintLock with truly random logic locking (TRLL) to ensure resilience against both Oracle-guided and Oracle-free attacks, including scan deobfuscation attacks. TaintLock uses a substitution-permutation (SP) network to cryptographically authenticate each test pattern using embedded taint and signature bits. It further uses cryptographically generated keys to encrypt scan data for unauthenticated users dynamically. We show that it offers a low overhead, non-intrusive secure scan solution without impacting test coverage or test time while preventing IP theft.

Security evaluation can be performed using a variety of analysis methods, such as attack trees, attack graphs, threat propagation models, stochastic Petri nets, and so on. These methods analyze the effect of attacks on the system, and estimate security attributes from different perspectives. However, they require information from experts in the application domain for properly capturing the key elements of an attack scenario: i) the attack paths a system could be subject to, and ii) the different characteristics of the possible adversaries. For this reason, some recent works focused on the generation of low-level security models from a high-level description of the system, hiding the technical details from the modeler.In this paper we build on an existing ontology framework for security analysis, available in the ADVISE Meta tool, and we extend it in two directions: i) to cover the attack patterns available in the CAPEC database, a comprehensive dictionary of known patterns of attack, and ii) to capture all the adversaries’ profiles as defined in the Threat Agent Library (TAL), a reference library for defining the characteristics of external and internal threat agents ranging from industrial spies to untrained employees. The proposed extension supports a richer combination of adversaries’ profiles and attack paths, and provides guidance on how to further enrich the ontology based on taxonomies of attacks and adversaries.

When applied to short-term energy consumption forecasting, the federated learning framework allows for the creation of a predictive model without sharing raw data. There is a limit to the accuracy achieved by standard federated learning due to the heterogeneity of the individual clients' data, especially in the case of electricity data, where prediction of peak demand is a challenge. A set of clustering techniques has been explored in the literature to improve prediction quality while maintaining user privacy. These studies have mainly been conducted using sets of clients with similar attributes that may not reflect real-world consumer diversity. This paper explores, implements and compares these clustering techniques for privacy-preserving load forecasting on a representative electricity consumption dataset. The experimental results demonstrate the effects of electricity consumption heterogeneity on federated forecasting and a non-representative sample's impact on load forecasting.

SummaryIn this study, the propagation and resonance properties of shear-horizontal surface acoustic waves (SH SAWs) on a rotated Y-cut 90°X propagating Ca3TaGa3Si2O14 (CTGS) with a Au- or Al-interdigital transducer (IDT) were investigated theoretically and experimentally. It was found that not only a high-density Au-IDT but also a conventional Al-IDT enables the energy trapping of SH SAW in the vicinity of the surface. For both IDTs, the effective electromechanical coupling factor of about 1.2% and the zero temperature coefficient of frequency can be simultaneously obtained by adjusting the cut angle of CTGS and the electrode film thickness.

In this paper, we investigate a networked control problem in the presence of Denial-of-Service (DoS) attacks, which prevent transmissions over the communication network. The communication between the process and controller is also subject to bit rate constraints. For mitigating the influences of DoS attacks and bit rate constraints, we develop a variable bit rate (VBR) encoding-decoding protocol and quantized controller to stabilize the control system. We show that the system’s resilience against DoS under VBR is preserved comparing with those under constant bit rate (CBR) quantized control, with fewer bits transmitted especially when the attack levels are low. The proposed VBR quantized control framework in this paper is general enough such that the results of CBR quantized control under DoS and moreover the results of minimum bit rate in the absence of DoS can be recovered.

The security proposed for Vehicle-to-Everything (V2X) systems in the European Union is specified in the ETSI Cooperative Intelligent Transport System (C-ITS) standards, and related documents are based on the trusted PKI/CAs. The C-ITS trust model platform comprises an EU Root CA and additional Root CAs run in Europe by member state authorities or private organizations offering certificates to individual users. A new method is described in this paper where the security in V2X is based on the Distributed Public Keystore (DPK) platform developed for Ethereum blockchain. The V2X security is considered as one application of the DPK platform. The DPK stores and distributes the vehicles, RSUs, or other C-ITS role-players’ public keys. It establishes a generic key exchange/ agreement scheme that provides mutual key, entity authentication, and distributing a session key between two peers. V2X communication based on this scheme can establish an end-to-end (e2e) secure session and enables vehicle authentication without the need for a vehicle certificate signed by a trusted Certificate Authority.

Denial-of-Service (DoS) attacks in wide-area control loops of electric power systems can cause temporary halting of information flow between the generators, leading to closed-loop instability. One way to counteract this issue would be to recreate the missing state information at the impacted generators by using the model of the entire system. However, that not only violates privacy but is also impractical from a scalability point of view. In this paper, we propose to resolve this issue by using a model-free technique employing neural networks. Specifically, a long short-term memory network (LSTM) is used. Once an attack is detected and localized, the LSTM at the impacted generator(s) predicts the magnitudes of the corresponding missing states in a completely decentralized fashion using offline training and online data updates. These predicted states are thereafter used in conjunction with the healthy states to sustain the wide-area feedback until the attack is cleared. The approach is validated using the IEEE 68-bus, 16-machine power system.

Four-dimensional (4-D) antenna arrays formed by introducing time as the forth controlling variable are able to be used to regulate the radiation fields in space, time and frequency domains. Thus, 4-D antenna arrays are actually the excellent platform for achieving physical layer secure transmission. However, traditional direction modulation technique of 4-D antenna arrays always inevitably leads to higher sidelobe level of radiation pattern or less randomness. Regarding to the problem, this paper proposed a physical layer secure transmission technique based on 4-D antenna arrays, which combine the advantages of traditional phased arrays, and 4-D arrays for improving the physical layer security in wireless networks. This technique is able to reduce the radiated power at sidelobe region by optimizing the time sequences. Moreover, the signal distortion caused by time modulation can be compensated in the desired direction by pre-modulating transmitted signals.

This work describes a concept for extending the Network Time Security (NTS) protocol to enable implementation- independent communication between the NTS key establishment (NTS-KE) server and the connected time server(s). It Alls a specification gap left by RFC 8915 for securing the Network Time Protocol (NTP) and enables the centralized and public deployment of an NTS key management server that can support both secured NTP and secured PTP.

This work introduces methods that unlock a series of applications for decision trees and neural networks in power system optimization. Capturing constraints that were impossible to capture before in a scalable way, we use decision trees (or neural networks) to extract an accurate representation of the non-convex feasible region which is characterized by both algebraic and differential equations. Applying an exact transformation, we convert the information encoded in the decision trees and the neural networks to linear decision rules that we incorporate as conditional constraints in an optimization problem (MILP or MISOCP). Our approach introduces a framework to unify security considerations with electricity market operations, capturing not only steady-state but also dynamic stability constraints in power system optimization, and has the potential to eliminate redispatching costs, leading to savings of millions of euros per year.

With the increasing use of information and communication technology in electrical power grids, the security of energy supply is increasingly threatened by cyber-attacks. Traditional cyber-security measures, such as firewalls or intrusion detection/prevention systems, can be used as mitigation and prevention measures, but their effective use requires a deep understanding of the potential threat landscape and complex attack processes in energy information systems. Given the complexity and lack of detailed knowledge of coordinated, timed attacks in smart grid applications, we need information and insight into realistic attack scenarios in an appropriate and practical setting. In this paper, we present a man-in-the-middle-based attack scenario that intercepts process communication between control systems and field devices, employs false data injection techniques, and performs data corruption such as sending false commands to field devices. We demonstrate the applicability of the presented attack scenario in a physical smart grid laboratory environment and analyze the generated data under normal and attack conditions to extract domain-specific knowledge for detection mechanisms.

Summary form only given, as follows. The complete presentation was not made available for publication as part of the conference proceedings. What is “hardware” security? The network designer relies on the security of the router box. The software developer relies on the TPM (Trusted Platform Module). The circuit designer worries about side-channel attacks. At the same time, electronics shrink: sensor nodes, IOT devices, smart devices are becoming more and more available. Adding security and cryptography to these often very resource constraint devices is a challenge. This presentation will focus on Physically Unclonable Functions and True Random Number Generators, two roots of trust, and their security testing.

With the development of quantum computers, classical cryptography for secure communication is in danger of becoming obsolete. Quantum cryptography, however, can exploit the laws of quantum mechanics to guarantee unconditional security independently of the computational power of a potential eavesdropper. An example is quantum key distribution (QKD), which allows two parties to encrypt a message through a random secret key encoded in the degrees of freedom of quantum particles, typically photons.

Storing information in Blockchain has become in vogue in the Technical and Communication Industry with many major players jumping into the bandwagon. Two of the most prominent enablers for Blockchain are “Proof of Work” and “Proof of Stake”. Proof of work includes the members solving the complex problem without having a particular need for the solution (except as evidence, of course), which absorbs a large number of resources in turn. The proof of stake doesn’t require as many resources to enable Blockchain secure information store. Both methodologies have their advantages and their shortcomings. The article attempts to review the current literature and collate the results of the study to measure the performance of both the methodologies and to arrive at a consensus regarding either or both methodologies to implement Blockchain to store data. Post reviewing the performance aspects and security features of both Proofs of Stake and Proof of Work the reviewer attempts to arrive at a secure and better performing blended Blockchain methodology that has wide industry practical application.