Moving target defense for securing smart grid communications: Architectural design, implementation and evaluation

Supervisory Control And Data Acquisition (SCADA) communications are often subjected to various kinds of sophisticated cyber-attacks which can have a serious impact on the Critical Infrastructure such as the power grid. Most of the time, the success of the attack is based on the static characteristics of the system, thereby enabling an easier profiling of the target system(s) by the adversary and consequently exploiting their limited resources. In this thesis, a novel approach to mitigate such static vulnerabilities is proposed by implementing a Moving Target Defense (MTD) strategy in a power grid SCADA environment, which leverages the existing communication network with an end-to-end IP Hopping technique among the trusted peer devices. This offers a proactive L3 layer network defense, minimizing IP-specific threats and thwarting worm propagation, APTs, etc., which utilize the cyber kill chain for attacking the system through the SCADA network. The main contribution of this thesis is to show how MTD concepts provide proactive defense against targeted cyber-attacks, and a dynamic attack surface to adversaries without compromising the availability of a SCADA system. Specifically, the thesis presents a brief overview of the different type of MTD designs, the proposed MTD architecture and its implementation with IP hopping technique over a Control Center–Substation network link along with a 3-way handshake protocol for synchronization on the Iowa State’s Power Cyber testbed. The thesis further investigates the delay and throughput characteristics of the entire system with and without the MTD to choose the best hopping rate for the given link. It also includes additional contributions for making the testbed scenarios more realistic to real world scenarios with multi-hop, multi-path WAN. Using that and studying a specific attack model, the thesis analyses the best ranges of IP address for different hopping rate and different number of interfaces. Finally, the thesis describes two case studies to explore and identify potential weaknesses of the proposed mechanism, and also experimentally validate the proposed mitigation alterations to resolve the discovered vulnerabilities. As part of future work, we plan to extend this work by optimizing the MTD algorithm to be more resilient by incorporating other techniques like network port mutation to further increase the attack complexity and cost

Digital twins in cyber effects modelling of IoT/CPS points of low resilience

The exponential increase of data volume and velocity have necessitated a tighter linkage of physical and cyber components in modern Cyber–physical systems (CPS) to achieve faster response times and autonomous component reconfiguration. To attain this degree of efficiency, the integration of virtual and physical components reinforced by artificial intelligence also promises to improve the resilience of these systems against organised and often skillful adversaries. The ability to visualise, validate, and illustrate the benefits of this integration, while taking into account improvements in cyber modelling and simulation tools and procedures, is critical to that adoption. Using Cyber Modelling and Simulation (M&S) this study evaluates the scale and complexity required to achieve an acceptable level of cyber resilience testing in an IoT-enabled critical national infrastructure (CNI). This research focuses on the benefits and challenges of integrating cyber modelling and simulation (M&S) with digital twins and threat source characterisation methodologies towards a cost-effective security and resilience assessment. Using our dedicated DT environment, we show how adversaries can utilise cyber–physical systems as a point of entry to a broader network in a scenario where they are trying to attack a port

A channel model and coding for vehicle to vehicle communication based on a developed V-SCME

Over the recent years, VANET communication has attracted a lot of attention due to its potential in facilitating the implementation of 'Intelligent Transport System'. Vehicular applications need to be completely tested before deploying them in the real world. In this context, VANET simulations would be preferred in order to evaluate and validate the proposed model, these simulations are considered inexpensive compared to the real world (hardware) tests. The development of a more realistic simulation environment for VANET is critical in ensuring high performance. Any environment required for simulating VANET, needs to be more realistic and include a precise representation of vehicle movements, as well as passing signals among different vehicles. In order to achieve efficient results that reflect the reality, a high computational power during the simulation is needed which consumes a lot of time. The existing simulation tools could not simulate the exact physical conditions of the real world, so results can be viewed as unsatisfactory when compared with real world experiments. This thesis describes two approaches to improve such vehicle to vehicle communication. The first one is based on the development of an already existing approach, the Spatial Channel Model Extended (SCME) for cellular communication which is a verified, validated and well-established communication channel model. The new developed model, is called Vehicular - Spatial Channel Model Extended (V-SCME) and can be utilised for Vehicle to Vehicle communication. V-SCME is a statistical channel model which was specifically developed and configured to satisfy the requirements of the highly dynamic network topology such as vehicle to vehicle communication. V-SCME provides a precise channel coefficients library for vehicle to vehicle communication for use by the research community, so as to reduce the overall simulation time. The second approach is to apply V-BLAST (MIMO) coding which can be implemented with vehicle to vehicle communication and improve its performance over the V-SCME. The V- SCME channel model with V-BLAST coding system was used to improve vehicle to vehicle physical layer performance, which is a novel contribution. Based on analysis and simulations, it was found that the developed channel model V-SCME is a good solution to satisfy the requirements of vehicle to vehicle communication, where it has considered a lot of parameters in order to obtain more realistic results compared with the real world tests. In addition, V-BLAST (MIMO) coding with the V-SCME has shown an improvement in the bit error rate. The obtained results were intensively compared with other types of MIMO coding

Threat modeling in smart firefighting systems: aligning MITRE ATT&CK Matrix and NIST security controls

Industrial automation technologies are envisioned as multi-device systems that are constantly interacting with one another and with enterprise systems. In these industrial systems, the industrial internet of things (IIoT) significantly improves system efficiency, scalability, ease of control, and monitoring. These benefits have been achieved at the cost of greater security risks, thus making the system vulnerable to cyberattacks. Historically, industrial networks and systems lacked security features like authentication and encryption due to intended isolation over the Internet. Lately, remote access to these IIoT systems has made an attempt of holistic security alarmingly critical. In this research paper, a threat modeling framework for smart cyber–physical system (CPS) is proposed to get insight of the potential security risks. To carry out this research, the smart firefighting use case based on the MITRE ATT&CK matrix was investigated. The matrix analysis provided structure for attacks detection and mitigation, while system requirement collection (SRC) was applied to gather generic assets’ information related to hardware, software and network. With the help of SRC and MITRE ATT&CK, a threat list for the smart firefighting system was generated. Conclusively, the generated threat list was mapped on the national institute of standards and technology (NIST) security and privacy controls. The results show that these mapped controls can be well-utilized for protection and mitigation of threats in smart firefighting system. In future, critical cyber–physical systems can be modeled upon use case specific threats and can be secured by utilizing the presented framework

Context-based Access Control and Attack Modelling and Analysis

In dieser Arbeit haben wir architekturelle Sicherheitsanalysen entwickelt, um Zugriffsverletzungen und Angriffspfade zu ermitteln. Durch die fortschreitende Digitalisierung und die zunehmende Vernetzung steigt die Bedeutung der IT-Sicherheit. Die Sicherheit eines Systems besteht aus mehreren verschiedenen Eigenschaften wie Vertraulichkeit oder Integrität. In unserer Arbeit konzentrieren wir uns auf die Vertraulichkeit. Ein vertrauliches System teilt nur die benötigten Daten mit autorisierten Entitäten. Unbefugte oder böswillige Personen erhalten keinen Zugang zu vertraulichen Daten. Die Entwicklung eines vertraulichen Systems ist jedoch schwierig, da viele verschiedene Eigenschaften Einfluss auf die Vertraulichkeit haben. Ein wichtiger Einflussfaktor ist die Zugangskontrolle. Zugriffskontrollrichtlinien definieren für jedes Element innerhalb eines Systems, unter welchen Bedingungen der Zugriff gewährt werden kann. Diese Zugriffskontrollrichtlinien berücksichtigen oft den Kontext für den Zugriff. Der Kontext kann z.B. die Zeit oder der Standort von Personen sein. Durch die Berücksichtigung steigt die Komplexität der Spezifikation der Zugriffskontrolle. Dies kann zu einer Fehlspezifikation führen. Daher ist es wichtig, die Auswirkungen einer Zugriffskontrollrichtlinie zu ermitteln. Aufgrund der Komplexität ist es jedoch schwierig, die Auswirkungen zu bestimmen, da die Analyse auch den Kontext berücksichtigen muss. Neben Zugriffskontrollrichtlinien können auch Schwachstellen die Vertraulichkeit des Systems beeinflussen. Schwachstellen können von Angreifer:innen ausgenutzt werden, um Zugang zu geschützten Entitäten im System zu erhalten. Sie ermöglichen es den Angreifer:innen also, die Zugangskontrollrichtlinien zu umgehen. Schwachstellen ermöglichen nicht nur den direkten Zugang zu Entitäten, sondern ermöglichen Angreifer:innen auch die Berechtigung anderer Personen zuerlangen. Diese Berechtigung kann dann von Angreifer:innen verwendet werden, um sich bei anderen Elementen Zugang zu verschaffen. Schwachstellen hängen jedoch auch von Zugangskontrollsystemen ab, da für einige Schwachstellen eine Berechtigung erforderlich ist. So können beispielsweise einige Schwachstellen nur von berechtigten Personen ausgenutzt werden. Um die Auswirkungen einer Schwachstelle abschätzen zu können, muss eine Analyse daher auch die Eigenschaften der Zugangskontrolle berücksichtigen. Darüber hinaus ist der Kontext der Angreifer:innen wichtig, da einige Schwachstellen nur dann ausgenutzt werden können, wenn der Angreifer:innen zuvor andere Entitäten im System kompromittiert haben. Daher wird bei Angriffen eine verkettete Liste kompromittierter Entitäten erstellt. Diese Liste wird auch als Angriffspfad bezeichnet. Sie besteht aus einer Kette von Schwachstellen, die die mehrfache Ausnutzung von Schwachstellen und Zugangskontrollrichtlinien durch Angreifer:innen darstellen. Die automatische Ableitung dieser möglichen Angriffspfade kann verwendet werden, um die Auswirkungen auf die Vertraulichkeit abzuschätzen, da sie den Expert:innen eine Rückmeldung darüber gibt, welche Elemente kompromittiert werden können. Bestehende Ansätze zur Abschätzung der Sicherheit oder der Auswirkungen von Zugangskontrollrichtlinien oder Schwachstellen konzentrieren sich oft nur auf eine der beiden Eigenschaften. Ansätze, die beide Eigenschaften berücksichtigen, sind in der Anwendungsdomäne oft sehr begrenzt, z.B. lösen sie es nur für eine Anwendungsdomäne wie Microsoft Active Directory oder sie berücksichtigen nur ein begrenztes Zugangskontrollmodell. Darüber hinaus arbeiten die meisten Ansätze mit einer Netzwerktopologie. Dies kann zwar bei der Modellierung hilfreich sein, doch berücksichtigt eine Netzwerktopologie in der Regel keine weiteren Eigenschaften wie Bereitstellung von Diensten auf Servern oder die Nutzung von Komponenten. Software-Architekturmodelle können diese Informationen jedoch liefern. Darüber hinaus ermöglicht die Verwendung von Modellen, ein System bereits während der Entwicklung oder während eines Ausfalls zu analysieren. Daher hilft es bei der Verwirklichung von Security by Design. Im Einzelnen sind unsere Beiträge: Wir haben ein Metamodell für die Zugriffskontrolle entwickelt, um kontextbasierte Zugriffskontrollrichtlinien in der Software-Architektur zu spezifizieren. Zusätzlich haben wir ein Schwachstellen-Metamodell entwickelt, um Schwachstellen in Software-Architekturen zu spezifizieren. Die Zugriffskontrollrichtlinien können in einer szenariobasierten Zugriffskontrollanalyse analysiert werden, um Zugriffsverletzungen zu identifizieren. Wir haben zwei Angriffsanalysen entwickelt. Beide können Angriffspfade auf einem Architekturmodell generieren und Schwachstellen und Zugangskontrollrichtlinien verwenden. Die eine Analyse betrachtet die Angriffsausbreitung von einem bestimmten Startpunkt in der Software-Architektur. Die andere findet Angriffspfade, die zu einem bestimmten Architekturelement führen. Wir haben unsere Sicherheitsanalysen anhand verschiedener Evaluierungsszenarien evaluiert. Diese Szenarien wurden auf der Grundlage von Evaluierungsfällen aus verwandten Arbeiten oder realen Sicherheitsvorfällen erstellt. Für die erste Analyse haben wir die Genauigkeit bei der Identifizierung von Zugriffsverletzungen untersucht. Unsere Ergebnisse deuten auf eine hohe Genauigkeit hin. Für die beiden Angriffsanalysen untersuchten wir die Genauigkeit hinsichtlich der gefundenen kompromittierten Elemente, die Aufwandsreduzierung bei der Verwendung unserer Analysen und die Skalierbarkeit. Unsere Ergebnisse deuten auf eine hohe Genauigkeit und eine Aufwandsreduzierung hin. Allerdings ist die Skalierbarkeit für beide Ansätze nicht ideal. Für kleinere Software-Architekturen ist sie jedoch akzeptabel. Der von uns entwickelte Ansatz kann Software-Architekt:innen dabei helfen, sicherere Systeme zu entwerfen. Der Ansatz kann die Auswirkungen von Zugriffskontrollrichtlinien anhand von Zugriffsverletzungen und für Schwachstellen zusammen mit Zugriffskontrollrichtlinien anhand von Angriffspfaden aufzeigen. Durch die Verwendung von Software-Architekturmodellen kann unser Ansatz dieses Feedback bereits während des Entwurfs der Software liefern. Dies kann helfen, nach "Security by Design" zu entwickeln

Modelling of the Electric Vehicle Charging Infrastructure as Cyber Physical Power Systems: A Review on Components, Standards, Vulnerabilities and Attacks

The increasing number of electric vehicles (EVs) has led to the growing need to establish EV charging infrastructures (EVCIs) with fast charging capabilities to reduce congestion at the EV charging stations (EVCS) and also provide alternative solutions for EV owners without residential charging facilities. The EV charging stations are broadly classified based on i) where the charging equipment is located - on-board and off-board charging stations, and ii) the type of current and power levels - AC and DC charging stations. The DC charging stations are further classified into fast and extreme fast charging stations. This article focuses mainly on several components that model the EVCI as a cyberphysical system (CPS)

Identifying and Mitigating Security Risks in Multi-Level Systems-of-Systems Environments

In recent years, organisations, governments, and cities have taken advantage of the many benefits and automated processes Information and Communication Technology (ICT) offers, evolving their existing systems and infrastructures into highly connected and complex Systems-of-Systems (SoS). These infrastructures endeavour to increase robustness and offer some resilience against single points of failure. The Internet, Wireless Sensor Networks, the Internet of Things, critical infrastructures, the human body, etc., can all be broadly categorised as SoS, as they encompass a wide range of differing systems that collaborate to fulfil objectives that the distinct systems could not fulfil on their own. ICT constructed SoS face the same dangers, limitations, and challenges as those of traditional cyber based networks, and while monitoring the security of small networks can be difficult, the dynamic nature, size, and complexity of SoS makes securing these infrastructures more taxing. Solutions that attempt to identify risks, vulnerabilities, and model the topologies of SoS have failed to evolve at the same pace as SoS adoption. This has resulted in attacks against these infrastructures gaining prevalence, as unidentified vulnerabilities and exploits provide unguarded opportunities for attackers to exploit. In addition, the new collaborative relations introduce new cyber interdependencies, unforeseen cascading failures, and increase complexity. This thesis presents an innovative approach to identifying, mitigating risks, and securing SoS environments. Our security framework incorporates a number of novel techniques, which allows us to calculate the security level of the entire SoS infrastructure using vulnerability analysis, node property aspects, topology data, and other factors, and to improve and mitigate risks without adding additional resources into the SoS infrastructure. Other risk factors we examine include risks associated with different properties, and the likelihood of violating access control requirements. Extending the principals of the framework, we also apply the approach to multi-level SoS, in order to improve both SoS security and the overall robustness of the network. In addition, the identified risks, vulnerabilities, and interdependent links are modelled by extending network modelling and attack graph generation methods. The proposed SeCurity Risk Analysis and Mitigation Framework and principal techniques have been researched, developed, implemented, and then evaluated via numerous experiments and case studies. The subsequent results accomplished ascertain that the framework can successfully observe SoS and produce an accurate security level for the entire SoS in all instances, visualising identified vulnerabilities, interdependencies, high risk nodes, data access violations, and security grades in a series of reports and undirected graphs. The framework’s evolutionary approach to mitigating risks and the robustness function which can determine the appropriateness of the SoS, revealed promising results, with the framework and principal techniques identifying SoS topologies, and quantifying their associated security levels. Distinguishing SoS that are either optimally structured (in terms of communication security), or cannot be evolved as the applied processes would negatively impede the security and robustness of the SoS. Likewise, the framework is capable via evolvement methods of identifying SoS communication configurations that improve communication security and assure data as it traverses across an unsecure and unencrypted SoS. Reporting enhanced SoS configurations that mitigate risks in a series of undirected graphs and reports that visualise and detail the SoS topology and its vulnerabilities. These reported candidates and optimal solutions improve the security and SoS robustness, and will support the maintenance of acceptable and tolerable low centrality factors, should these recommended configurations be applied to the evaluated SoS infrastructure