1,728 research outputs found

    VIRTUAL PLC PLATFORM FOR SECURITY AND FORENSICS OF INDUSTRIAL CONTROL SYSTEMS

    Industrial Control Systems (ICS) are vital in managing critical infrastructures, including nuclear power plants and electric grids. With the advent of the Industrial Internet of Things (IIoT), these systems have been integrated into broader networks, enhancing efficiency but also becoming targets for cyberattacks. Central to ICS are Programmable Logic Controllers (PLCs), which bridge the physical and cyber worlds and are often exploited by attackers. There's a critical need for tools to analyze cyberattacks on PLCs, uncover vulnerabilities, and improve ICS security. Existing tools are hindered by the proprietary nature of PLC software, limiting scalability and efficiency. To overcome these challenges, I developed a Virtual PLC Platform (VPP) for forensic analyses of ICS attacks and vulnerability identification. The VPP employs the packet replay technique, using network traffic to create a PLC template. This template guides the virtual PLC in network communication, mimicking real PLCs. A Protocol Reverse Engineering Engine (PREE) module assists in reverse-engineering ICS protocols and discovering vulnerabilities. The VPP is automated, supporting PLCs from various vendors, and eliminates manual reverse engineering. This dissertation highlights the architecture and applications of the VPP in forensic analysis, reverse engineering, vulnerability discovery, and threat intelligence gathering, all crucial to bolstering the security and integrity of critical infrastructure.

    Safeguarding Critical Infrastructure: The Role of Forensic Intelligence in Mitigating Cyber Threats to Cyber-Physical Systems and Industrial Control Systems

    Cyber-Physical Systems (CPS) and Industrial Control Systems (ICS) play a significant role in controlling critical infrastructure such as power grids, water treatment facilities, transportation networks, and manufacturing plants, to name a few. These systems were originally intended to function within isolated environments; however, with the rise of digital automation and the Industrial Internet of Things (IIoT), they are now connected to cloud computing environments and IT networks. Though this association upscales efficiency and automates processes, it also exposes the CPS and ICS to major cyber threats, such as ransomware, insider attacks, and Advanced Persistent Threats (APTs). Conventional security tools such as firewalls and antivirus software are inadequate to defend CPS and ICS against advanced intrusions, which makes forensic intelligence vital. Forensic intelligence is an amalgamation of digital forensics, threat intelligence, and data-driven analytics, which help entities such as industrial firms and business organizations to identify, evaluate, and mitigate cyberthreats in real time. It allows analysts to track the origins of attacks, uncover vulnerabilities, and strengthen security protocols. This paper illustrates the importance of forensic intelligence using real-world case studies, such as the Stuxnet, Triton, and Colonial Pipeline intrusions. Based on the findings, utilizing forensic intelligence would improve threat attribution accuracy, speed up detection and response times, minimize system outages, and maximize cost-benefit results for CPS/ICS security.

    Developing a distributed electronic health-record store for India

    The DIGHT project is addressing the problem of building a scalable and highly available information store for the Electronic Health Records (EHRs) of the over one billion citizens of India

    Privacy & law enforcement


    Stealthy Control Logic Attacks and Defense in Industrial Control Systems

    Industrial control systems (ICS) play a crucial role in monitoring and managing critical infrastructure, including nuclear plants, oil and gas pipelines, and power grid stations. Programmable logic controllers (PLCs) are a fundamental component of ICS, directly interfacing with physical processes and implementing control logic programs that govern operations. Due to their significance in controlling critical infrastructure, PLCs often become prime targets for attackers seeking to disrupt these systems. Exploitable vulnerabilities in PLCs render them susceptible to such attacks. While many attacks on PLCs leave a large footprint in network traffic and are detectable by intrusion detection systems (IDS), this dissertation focuses on more stealthy and difficult-to-detect attacks. This dissertation explores various ways that PLCs can be vulnerable, starting with an empirical study of the authentication systems of different PLCs from various manufacturers to identify weaknesses. It examines how attackers can compromise a PLC's control logic without sending harmful code through the network, instead utilizing existing code already stored in the PLC's memory. Additionally, the research investigates network-based attacks that can bypass existing IDS without detection by exploiting PLC design features. A key focus is on identifying and analyzing the design features of PLCs that can be exploited to leverage attacks. Understanding these features highlights the vulnerabilities inherent in PLC designs that attackers can exploit to achieve their malicious goals. Furthermore, the dissertation proposes a detection framework capable of identifying control logic attacks by capturing and analyzing runtime data. Existing IDS can detect traditional attacks that inject malicious control logic, but attacks that manipulate data structures within the PLC's memory rather than the control logic itself are harder to detect. This proposed framework addresses these challenges, providing a robust defense against both traditional and stealthy attack vectors. In conclusion, this work addresses areas not previously explored, focusing on stealthy attacks that leave minimal footprints in network traffic and proposing a detection scheme capable of identifying these sophisticated attacks. This research contributes significantly to enhancing the security of critical infrastructure managed by ICS.

    Study on cybersecurity solutions for water supply infrastructure

    Water supply infrastructure, a critical community lifeline, faces escalating cyber-physical threats in an increasingly digitized landscape. This thesis explored how water supply organizations could raise cybersecurity awareness and enhance resilience against converged threats, by applying methods based on traditional approaches (information technologies and operational technologies), alongside cybersecurity awareness training and digital twin technology, focused on the Kuopio Water supply network, a utility serving 124,000 residents (kuopio.fi). This study investigated the potential solutions from the AIQUSEC project. The AIQUSEC project is a part of Nokia’s Veturi program, supported by Business Finland, in collaboration with SSH Communications Security and Savonia University of Applied Sciences. The primary purpose of this study was to provide solutions to enhance the security and safety of the water supply sector. Employing an exploratory research design, the study integrated qualitative case studies of cybersecurity attacks (e.g., Oldsmar 2021, Aliquippa 2023), a quantitative comparison of solutions (traditional measures, employee training, digital twins), and a literature review method from related sectors. The chosen structure flow provided the most refined methodologies to obtain insights into the project AIQUSEC. The study also brought in digital twins as a transformative solution, achieving a better threat detection rate while reducing recovery costs. However, adoption barriers like cost and skill gaps persist. The study recommended a multi-layered approach: implementing gamified training, converging security frameworks, and scaling digital twin integration with cloud-based solutions. These strategies aligned with the EU’s NIS2 Directive and aimed to safeguard public health by ensuring the resilience of Kuopio’s 1,200-kilometer water network. This study provided solutions based on the AIQUSEC project and contributed to the broader discourse on cybersecurity in municipal water utilities.

    VIRTUEPOT: A High-Fidelity and High-Interaction Virtual Honeypot for Industrial Control Systems.

    Industrial Control Systems (ICS) are essential for managing and controlling various industrial activities such as energy production, manufacturing, wastewater management, and transportation. However, as these systems become more interconnected and digitized, they face increasing cybersecurity threats. To address these issues, this research explores the use of honeypots as a proactive cybersecurity tool to protect Industrial Control Systems. A honeypot is an effective tool for studying attacks on ICS and developing defence methods to protect against these attacks. Currently, the ICS industry is facing a growing number of cyber threats, with attackers becoming more sophisticated. As a result, it has become more challenging to create honeypots that can effectively detect and respond to attacks, log interactions, and capture changes in the physical processes of ICS. Our research aims to gain valuable insights into attack patterns and behaviours using honeypots. By doing so, we can gather crucial information about the latest Tactics, Techniques, and Procedures (TTPs) used by attackers, as well as their technical knowledge and capabilities. In this thesis, we introduce VirtuePot, a honeypot that focuses on the physical interaction and design of ICS honeypots. VirtuePot simulates the behaviour and services of real Programmable Logic Controllers (PLCs) using dynamic service simulations. This includes advanced simulations of industrial processes, communication protocols, and command responses. We deployed VirtuePot both in the cloud (using DigitalOcean) and locally on-premise at the VSIX Internet Exchange Point, and collected data over 61 days. Our findings show that VirtuePot recorded a significant amount of ICS interactions from around the world. The log analysis revealed that the on-premise deployment at the VSIX Internet Exchange Point attracted more realistic attacks compared to the cloud (DigitalOcean) deployment. This indicates that attackers are actively targeting ICS systems, and the deployment location can impact the nature and realism of the attacks encountered. Keywords: Cyber-physical system (CPS); Honeypot; Programmable Logic Controller (PLC); Industrial Control Systems (ICS); SCADA