Framework for Evaluating the Readiness of Cyber First Responders Responsible for Critical Infrastructure Protection

First responders go through rigorous training and evaluation to ensure they are adequately prepared for an emergency. As an example, firefighters continually evaluate the readiness of their personnel using a defined set of criteria to measure performance for fire suppression and rescue procedures. From a cyber security standpoint, however, this same set of criteria and rigor is severely lacking for the professionals that must detect, respond to and recover from a cyber-based attack against the nation\u27s critical infrastructure. This research provides a framework for evaluating the readiness of cyber first responders responsible for critical infrastructure protection. The framework demonstrates the development of evaluation environment, criteria and scenarios that are modeled from NFPA 1410 standards concept that is used for assessing the readiness of firefighters. The utility of framework is exhibited during a military cyber training exercise and demonstrates the ability to evaluate the readiness of cyber first responders for industrial control systems when responding to the cyber-based attacks in the scenarios. Although successful, the results and analysis provide a context to develop a physical processes simulation tool, called Y-Box. The Y-Box creates more accessible, representational, realistic and evaluation-friendly environment to enhance the framework. The Y-Box demonstrates its application through the simulation of the first two stages in a wastewater treatment plant. Its performance test demonstrates its ability to interface with different types of signals from multiple programmable logic controllers with an acceptable range of error. The utility of simulation is extended with the development of potential attacks that can be used in a cyber exercise involving industrial control systems

Framework for Evaluating the Readiness of Cyber First Responders Responsible for Critical Infrastructure Protection

First responders go through rigorous training and evaluation to ensure they are adequately prepared for an emergency. As an example, firefighters continually evaluate the readiness of their personnel using a defined set of criteria to measure performance for fire suppression and rescue procedures. From a cyber security standpoint, however, this same set of criteria and rigor is severely lacking for the professionals that must detect, respond to and recover from a cyber-based attack against the nation\u27s critical infrastructure. This research provides a framework for evaluating the readiness of cyber first responders responsible for critical infrastructure protection. The framework demonstrates the development of evaluation environment, criteria and scenarios that are modeled from NFPA 1410 standards concept that is used for assessing the readiness of firefighters. The utility of framework is exhibited during a military cyber training exercise and demonstrates the ability to evaluate the readiness of cyber first responders for industrial control systems when responding to the cyber-based attacks in the scenarios. Although successful, the results and analysis provide a context to develop a physical processes simulation tool, called Y-Box. The Y-Box creates more accessible, representational, realistic and evaluation-friendly environment to enhance the framework. The Y-Box demonstrates its application through the simulation of the first two stages in a wastewater treatment plant. Its performance test demonstrates its ability to interface with different types of signals from multiple programmable logic controllers with an acceptable range of error. The utility of simulation is extended with the development of potential attacks that can be used in a cyber exercise involving industrial control systems

The THREAT-ARREST Cyber-Security Training Platform

Cyber security is always a main concern for critical infrastructures and nation-wide safety and sustainability. Thus, advanced cyber ranges and security training is becoming imperative for the involved organizations. This paper presets a cyber security training platform, called THREAT-ARREST. The various platform modules can analyze an organization’s system, identify the most critical threats, and tailor a training program to its personnel needs. Then, different training programmes are created based on the trainee types (i.e. administrator, simple operator, etc.), providing several teaching procedures and accomplishing diverse learning goals. One of the main novelties of THREAT-ARREST is the modelling of these programmes along with the runtime monitoring, management, and evaluation operations. The platform is generic. Nevertheless, its applicability in a smart energy case study is detailed

On Ladder Logic Bombs in Industrial Control Systems

In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques.Comment: 11 pages, 14 figures, 2 tables, 1 algorith

Defending Against Firmware Cyber Attacks on Safety-Critical Systems

In the past, it was not possible to update the underlying software in many industrial control devices. Engineering teams had to ‘rip and replace’ obsolete components. However, the ability to make firmware updates has provided significant benefits to the companies who use Programmable Logic Controllers (PLCs), switches, gateways and bridges as well as an array of smart sensor/actuators. These updates include security patches when vulnerabilities are identified in existing devices; they can be distributed by physical media but are increasingly downloaded over Internet connections. These mechanisms pose a growing threat to the cyber security of safety-critical applications, which are illustrated by recent attacks on safety-related infrastructures across the Ukraine. Subsequent sections explain how malware can be distributed within firmware updates. Even when attackers cannot reverse engineer the code necessary to disguise their attack, they can undermine a device by forcing it into a constant upload cycle where the firmware installation never terminates. In this paper, we present means of mitigating the risks of firmware attack on safety-critical systems as part of wider initiatives to secure national critical infrastructures. Technical solutions, including firmware hashing, must be augmented by organizational measures to secure the supply chain within individual plants, across companies and throughout safety-related industries