4,147 research outputs found
Efficient Passive ICS Device Discovery and Identification by MAC Address Correlation
Owing to a growing number of attacks, the assessment of Industrial Control
Systems (ICSs) has gained in importance. An integral part of an assessment is
the creation of a detailed inventory of all connected devices, enabling
vulnerability evaluations. For this purpose, scans of networks are crucial.
Active scanning, which generates irregular traffic, is a method to get an
overview of connected and active devices. Since such additional traffic may
lead to an unexpected behavior of devices, active scanning methods should be
avoided in critical infrastructure networks. In such cases, passive network
monitoring offers an alternative, which is often used in conjunction with
complex deep-packet inspection techniques. There are very few publications on
lightweight passive scanning methodologies for industrial networks. In this
paper, we propose a lightweight passive network monitoring technique using an
efficient Media Access Control (MAC) address-based identification of industrial
devices. Based on an incomplete set of known MAC address to device
associations, the presented method can guess correct device and vendor
information. Proving the feasibility of the method, an implementation is also
introduced and evaluated regarding its efficiency. The feasibility of
predicting a specific device/vendor combination is demonstrated by having
similar devices in the database. In our ICS testbed, we reached a host
discovery rate of 100% at an identification rate of more than 66%,
outperforming the results of existing tools.Comment: http://dx.doi.org/10.14236/ewic/ICS2018.
CRITICAL INFRASTRUCTURE TESTBED FOR CYBER-SECURITY TRAINING AND RESEARCH (4)
Critical infrastructures encompass various sectors such as energy resources, manufacturing and governmental services, which tend to be dispersed over large geographic areas. With recent technological advancements over the last decade, they have developed to be increasingly dependent on Information and Communication Technology (ICT); where control systems and the use of sensor equipment help facilitate operation. In order to sustain the ever-increasing demands, it is essential that these systems can adapt by integrating various new and existing digital technologies. However, this results in an increased vulnerability to cyber-threats. In addition, the persistently evolving global state of ICT has resulted in the emergence of sophisticated cyber-threats. As dependence upon critical infrastructure systems continues to increase, so too does the urgency with which these systems need to be adequately protected. Unfortunately, the consequences of a successful cyber-attack can be dire, potentially resulting in the loss of life or a devastating effect on the operation of government services and the economy. Despite the seriousness of this problem, the development of new and innovative cyber-security methods are being hampered by the lack of access to real-world data for training, research and testing new design methodologies. As such, the project presented in this paper highlights an in-progress project, funded by UKAIS, for the development of an easily-replicable and affordable critical infrastructure testbed for cyber-security training and research
On Ladder Logic Bombs in Industrial Control Systems
In industrial control systems, devices such as Programmable Logic Controllers
(PLCs) are commonly used to directly interact with sensors and actuators, and
perform local automatic control. PLCs run software on two different layers: a)
firmware (i.e. the OS) and b) control logic (processing sensor readings to
determine control actions). In this work, we discuss ladder logic bombs, i.e.
malware written in ladder logic (or one of the other IEC 61131-3-compatible
languages). Such malware would be inserted by an attacker into existing control
logic on a PLC, and either persistently change the behavior, or wait for
specific trigger signals to activate malicious behaviour. For example, the LLB
could replace legitimate sensor readings with manipulated values. We see the
concept of LLBs as a generalization of attacks such as the Stuxnet attack. We
introduce LLBs on an abstract level, and then demonstrate several designs based
on real PLC devices in our lab. In particular, we also focus on stealthy LLBs,
i.e. LLBs that are hard to detect by human operators manually validating the
program running in PLCs. In addition to introducing vulnerabilities on the
logic layer, we also discuss countermeasures and we propose two detection
techniques.Comment: 11 pages, 14 figures, 2 tables, 1 algorith
Towards a Versatile Cyber Physical Power System Testbed: Design and Operation Experience
The present trends in the area of smartgrids indicate that future transmission and distribution systems will heavily rely on digital and on communication technologies to operate. Indeed, the power systems are evolving progressively towards what is denoted as a cyber-physical system. This transition challenges the classical approaches for experimental testing and requires the development of testing platforms for cyber-physical systems able to capture the interactions between physical components, control and monitoring software and the communication infrastructure. This paper presents general considerations and requirements for a cyber-physical testing platform for power systems. The paper provides also examples of a testing platform specifying the characteristics of the major components and a summary of the experience matured in its setup and configuration. Finally, an example of an experiment on a notional smartgrid and the related results are reported.acceptedVersio
MiniCPS: A toolkit for security research on CPS Networks
In recent years, tremendous effort has been spent to modernizing
communication infrastructure in Cyber-Physical Systems (CPS) such as Industrial
Control Systems (ICS) and related Supervisory Control and Data Acquisition
(SCADA) systems. While a great amount of research has been conducted on network
security of office and home networks, recently the security of CPS and related
systems has gained a lot of attention. Unfortunately, real-world CPS are often
not open to security researchers, and as a result very few reference systems
and topologies are available. In this work, we present MiniCPS, a CPS
simulation toolbox intended to alleviate this problem. The goal of MiniCPS is
to create an extensible, reproducible research environment targeted to
communications and physical-layer interactions in CPS. MiniCPS builds on
Mininet to provide lightweight real-time network emulation, and extends Mininet
with tools to simulate typical CPS components such as programmable logic
controllers, which use industrial protocols (Ethernet/IP, Modbus/TCP). In
addition, MiniCPS defines a simple API to enable physical-layer interaction
simulation. In this work, we demonstrate applications of MiniCPS in two example
scenarios, and show how MiniCPS can be used to develop attacks and defenses
that are directly applicable to real systems.Comment: 8 pages, 6 figures, 1 code listin
A novel hybrid methodology to secure GOOSE messages against cyberattacks in smart grids
: IEC 61850 is emerging as a popular communication standard for smart grids. Standardized communication in smart grids has an unwanted consequence of higher vulnerability to cyber-attacks. Attackers exploit the standardized semantics of the communication protocols to launch different types of attacks such as false data injection (FDI) attacks. Hence, there is a need to develop a cybersecurity testbed and novel mitigation strategies to study the impact of attacks and mitigate them. This paper presents a testbed and methodology to simulate FDI attacks on IEC 61850 standard compliant Generic Object-Oriented Substation Events (GOOSE) protocol using real time digital simulator (RTDS) together with open-source tools such as Snort and Wireshark. Furthermore, a novel hybrid cybersecurity solution by the name of sequence content resolver is proposed to counter such attacks on the GOOSE protocol in smart grids. Utilizing the developed testbed FDI attacks in the form of replay and masquerade attacks on are launched and the impact of attacks on electrical side is studied. Finally, the proposed hybrid cybersecurity solution is implemented with the developed testbed and its effectiveness is demonstrated
Defending Against Firmware Cyber Attacks on Safety-Critical Systems
In the past, it was not possible to update the underlying software in many industrial control devices. Engineering
teams had to ‘rip and replace’ obsolete components. However, the ability to make firmware updates has provided
significant benefits to the companies who use Programmable Logic Controllers (PLCs), switches, gateways and
bridges as well as an array of smart sensor/actuators. These updates include security patches when vulnerabilities are
identified in existing devices; they can be distributed by physical media but are increasingly downloaded over
Internet connections. These mechanisms pose a growing threat to the cyber security of safety-critical applications,
which are illustrated by recent attacks on safety-related infrastructures across the Ukraine. Subsequent sections
explain how malware can be distributed within firmware updates. Even when attackers cannot reverse engineer the
code necessary to disguise their attack, they can undermine a device by forcing it into a constant upload cycle where
the firmware installation never terminates. In this paper, we present means of mitigating the risks of firmware attack
on safety-critical systems as part of wider initiatives to secure national critical infrastructures. Technical solutions,
including firmware hashing, must be augmented by organizational measures to secure the supply chain within
individual plants, across companies and throughout safety-related industries
- …