Cognitive Machine Individualism in a Symbiotic Cybersecurity Policy Framework for the Preservation of Internet of Things Integrity: A Quantitative Study

This quantitative study examined the complex nature of modern cyber threats to propose the establishment of cyber as an interdisciplinary field of public policy initiated through the creation of a symbiotic cybersecurity policy framework. For the public good (and maintaining ideological balance), there must be recognition that public policies are at a transition point where the digital public square is a tangible reality that is more than a collection of technological widgets. The academic contribution of this research project is the fusion of humanistic principles with Internet of Things (IoT) technologies that alters our perception of the machine from an instrument of human engineering into a thinking peer to elevate cyber from technical esoterism into an interdisciplinary field of public policy. The contribution to the US national cybersecurity policy body of knowledge is a unified policy framework (manifested in the symbiotic cybersecurity policy triad) that could transform cybersecurity policies from network-based to entity-based. A correlation archival data design was used with the frequency of malicious software attacks as the dependent variable and diversity of intrusion techniques as the independent variable for RQ1. For RQ2, the frequency of detection events was the dependent variable and diversity of intrusion techniques was the independent variable. Self-determination Theory is the theoretical framework as the cognitive machine can recognize, self-endorse, and maintain its own identity based on a sense of self-motivation that is progressively shaped by the machine’s ability to learn. The transformation of cyber policies from technical esoterism into an interdisciplinary field of public policy starts with the recognition that the cognitive machine is an independent consumer of, advisor into, and influenced by public policy theories, philosophical constructs, and societal initiatives

Cybersecurity Challenges of Power Transformers

The rise of cyber threats on critical infrastructure and its potential for devastating consequences, has significantly increased. The dependency of new power grid technology on information, data analytic and communication systems make the entire electricity network vulnerable to cyber threats. Power transformers play a critical role within the power grid and are now commonly enhanced through factory add-ons or intelligent monitoring systems added later to improve the condition monitoring of critical and long lead time assets such as transformers. However, the increased connectivity of those power transformers opens the door to more cyber attacks. Therefore, the need to detect and prevent cyber threats is becoming critical. The first step towards that would be a deeper understanding of the potential cyber-attacks landscape against power transformers. Much of the existing literature pays attention to smart equipment within electricity distribution networks, and most methods proposed are based on model-based detection algorithms. Moreover, only a few of these works address the security vulnerabilities of power elements, especially transformers within the transmission network. To the best of our knowledge, there is no study in the literature that systematically investigate the cybersecurity challenges against the newly emerged smart transformers. This paper addresses this shortcoming by exploring the vulnerabilities and the attack vectors of power transformers within electricity networks, the possible attack scenarios and the risks associated with these attacks.Comment: 11 page

TEDDI: Tamper Event Detection on Distributed Cyber-Physical Systems

Edge devices, or embedded devices installed along the periphery of a power grid SCADA network, pose a significant threat to the grid, as they give attackers a convenient entry point to access and cause damage to other essential equipment in substations and control centers. Grid defenders would like to protect these edge devices from being accessed and tampered with, but they are hindered by the grid defender\u27s dilemma; more specifically, the range and nature of tamper events faced by the grid (particularly distributed events), the prioritization of grid availability, the high costs of improper responses, and the resource constraints of both grid networks and the defenders that run them makes prior work in the tamper and intrusion protection fields infeasible to apply. In this thesis, we give a detailed description of the grid defender\u27s dilemma, and introduce TEDDI (Tamper Event Detection on Distributed Infrastructure), a distributed, sensor-based tamper protection system built to solve this dilemma. TEDDI\u27s distributed architecture and use of a factor graph fusion algorithm gives grid defenders the power to detect and differentiate between tamper events, and also gives defenders the flexibility to tailor specific responses for each event. We also propose the TEDDI Generation Tool, which allows us to capture the defender\u27s intuition about tamper events, and assists defenders in constructing a custom TEDDI system for their network. To evaluate TEDDI, we collected and constructed twelve different tamper scenarios, and show how TEDDI can detect all of these events and solve the grid defender\u27s dilemma. In our experiments, TEDDI demonstrated an event detection accuracy level of over 99% at both the information and decision point levels, and could process a 99-node factor graph in under 233 microseconds. We also analyzed the time and resources needed to use TEDDI, and show how it requires less up-front configuration effort than current tamper protection solutions

On-device Security and Privacy Mechanisms for Resource-limited Devices: A Bottom-up Approach

This doctoral dissertation introduces novel mechanisms to provide on-device security and privacy for resource-limited smart devices and their applications. These mechanisms aim to cover five fundamental contributions in the emerging Cyber-Physical Systems (CPS), Internet of Things (IoT), and Industrial IoT (IIoT) fields. First, we present a host-based fingerprinting solution for device identification that is complementary to other security services like device authentication and access control. Then, we design a kernel- and user-level detection framework that aims to discover compromised resource-limited devices based on behavioral analysis. Further we apply dynamic analysis of smart devices’ applications to uncover security and privacy risks in real-time. Then, we describe a solution to enable digital forensics analysis on data extracted from interconnected resource-limited devices that form a smart environment. Finally, we offer to researchers from industry and academia a collection of benchmark solutions for the evaluation of the discussed security mechanisms on different smart domains. For each contribution, this dissertation comprises specific novel tools and techniques that can be applied either independently or combined to enable a broader security services for the CPS, IoT, and IIoT domains

A Unified Wormhole Attack Detection Framework for Mobile Ad hoc Networks

The Internet is experiencing an evolution towards a ubiquitous network paradigm, via the so-called internet-of-things (IoT), where small wireless computing devices like sensors and actuators are integrated into daily activities. Simultaneously, infrastructure-less systems such as mobile ad hoc networks (MANET) are gaining popularity since they provide the possibility for devices in wireless sensor networks or vehicular ad hoc networks to share measured and monitored information without having to be connected to a base station. While MANETs offer many advantages, including self-configurability and application in rural areas which lack network infrastructure, they also present major challenges especially in regard to routing security. In a highly dynamic MANET, where nodes arbitrarily join and leave the network, it is difficult to ensure that nodes are trustworthy for multi-hop routing. Wormhole attacks belong to most severe routing threats because they are able to disrupt a major part of the network traffic, while concomitantly being extremely difficult to detect. This thesis presents a new unified wormhole attack detection framework which is effective for all known wormhole types, alongside incurring low false positive rates, network loads and computational time, for a variety of diverse MANET scenarios. The framework makes three original technical contributions: i) a new accurate wormhole detection algorithm based on packet traversal time and hop count analysis (TTHCA) which identifies infected routes, ii) an enhanced, dynamic traversal time per hop analysis (TTpHA) detection model which is adaptable to node radio range fluctuations, and iii) a method for automatically detecting time measurement tampering in both TTHCA and TTpHA. The thesis findings indicate that this new wormhole detection framework provides significant performance improvements compared to other existing solutions by accurately, efficiently and robustly detecting all wormhole variants under a wide range of network conditions

Healthcare systems protection: All-in-one cybersecurity approach

Cyber risks are increasingly widespread as healthcare organizations play a defining role in society. Several studies have revealed an increase in cybersecurity threats in the industry, which should concern us all. When it comes to cybersecurity, the consequences can be felt throughout the organization, from the smallest processes to the overall ability of the organization to function. Typically, a cyberattack results in the disclosure of confidential information that undermines your competitive advantage and overall trust. Healthcare as a critical sector has, like many other sectors, a late bet on its transformation to cybersecurity across the board. This dissertation reinforces this need by presenting a value-added solution that helps strengthen the internal processes of healthcare units, enabling their primary mission of saving lives while ensuring the confidentiality and security of patient and institutional data. The solution is presented as a technological composite that translates into a methodology and innovative artifact for integration, monitoring, and security of critical medical infrastructures based on operational use cases. The approach that involves people, processes, and technology is based on a model that foresees the evaluation of potential assets for integration and monitoring, as well as leveraging the efficiency in responding to security incidents with the formal development of a process and mechanisms for alert and resolution of exposure and attack scenarios. On a technical level, the artifact relies on the integration of a medical image archiving system (PACS) into a SIEM to validate application logs that are linked to rules to map anomalous behaviors that trigger the incident management process on an IHS platform with custom-developed features. The choice for integration in the validation prototype of the PACS system is based not only on its importance in the orchestration of activities in the organization of a health institution, but also with the recent recommendations of various cybersecurity agencies and organizations for the importance of their protection in response to the latest trends in cyberattacks. In line with the results obtained, this approach will have full applicability in a real operational context, following the latest practices and technologies in the sector.Os riscos cibernéticos estão cada vez mais difundidos à medida que as organizações de cuidados de saúde desempenham um papel determinante na sociedade. Vários estudos revelaram um aumento das ameaças de cibersegurança no setor, o que nos deve preocupar a todos. Quando se trata de cibersegurança, as consequências podem ser sentidas em toda a organização, desde os mais pequenos processos até à sua capacidade global de funcionamento. Normalmente, um ciberataque resulta na divulgação de informações confidenciais que colocam em causa a sua vantagem competitiva e a confiança geral. O healthcare como setor crítico apresenta, como muitos outros setores, uma aposta tardia na sua transformação para a cibersegurança de forma generalizada. Esta dissertação reforça esta necessidade apresentando uma solução de valor acrescentado que ajuda a potenciar os processos internos das unidades de saúde possibilitando a sua missão principal de salvar vidas, aumentando a garantia de confidencialidade e segurança dos dados dos pacientes e instituições. A solução apresenta-se como um compósito tecnológico que se traduz numa metodologia e artefacto de inovação para integração, monitorização e segurança de infraestruturas médicas críticas baseado em use cases de operação. A abordagem que envolve pessoas, processos e tecnologia assenta num modelo que prevê a avaliação de potenciais ativos para integração e monitorização, como conta alavancar a eficiência na resposta a incidentes de segurança com o desenvolvimento formal de um processo e mecanismos para alerta e resolução de cenários de exposição e ataque. O artefacto, a nível tecnológico, conta com a integração do sistema de arquivo de imagem médica (PACS) num SIEM para validação de logs aplicacionais que estão associados a regras que mapeiam comportamentos anómalos que originam o despoletar do processo de gestão de incidentes numa plataforma IHS com funcionalidades desenvolvidas à medida. A escolha para integração no protótipo de validação do sistema PACS tem por base não só a sua importância na orquestração de atividades na orgânica duma instituição de saúde, mas também com as recentes recomendações de várias agências e organizações de cibersegurança para a importância da sua proteção em resposta às últimas tendências de ciberataques. Em linha com os resultados auscultados, esta abordagem terá total aplicabilidade em contexto real de operação, seguindo as mais recentes práticas e tecnologias no sector

CARAMEL: results on a secure architecture for connected and autonomous vehicles detecting GPS spoofing attacks

The main goal of the H2020-CARAMEL project is to address the cybersecurity gaps introduced by the new technological domains adopted by modern vehicles applying, among others, advanced Artificial Intelligence and Machine Learning techniques. As a result, CARAMEL enhances the protection against threats related to automated driving, smart charging of Electric Vehicles, and communication among vehicles or between vehicles and the roadside infrastructure. This work focuses on the latter and presents the CARAMEL architecture aiming at assessing the integrity of the information transmitted by vehicles, as well as at improving the security and privacy of communication for connected and autonomous driving. The proposed architecture includes: (1) multi-radio access technology capabilities, with simultaneous 802.11p and LTE-Uu support, enabled by the connectivity infrastructure; (2) a MEC platform, where, among others, algorithms for detecting attacks are implemented; (3) an intelligent On-Board Unit with anti-hacking features inside the vehicle; (4) a Public Key Infrastructure that validates in real-time the integrity of vehicle’s data transmissions. As an indicative application, the interaction between the entities of the CARAMEL architecture is showcased in case of a GPS spoofing attack scenario. Adopted attack detection techniques exploit robust in-vehicle and cooperative approaches that do not rely on encrypted GPS signals, but only on measurements available in the CARAMEL architecture.This work was supported by the European Union’s H2020 research and innovation programme under the CARAMEL project (Grant agreement No. 833611). The work of Christian Vitale, Christos Laoudias and Georgios Ellinas was also supported by the European Union’s Horizon 2020 Research and Innovation Programme under Grant 739551 (KIOS CoE) and from the Republic of Cyprus through the Directorate General for European Programmes, Coordination, and Development. The work of Jordi Casademont and Pouria Sayyad Khodashenas was also supported by FEDER and Secretaria d’Universitats i Recerca del Departament d’Empresa i Coneixement de la Generalitat de Catalunya through projects Fem IoT and SGR 2017-00376 and by the ERDFPeer ReviewedPostprint (author's final draft

A Method for Detecting Abnormal Program Behavior on Embedded Devices

A potential threat to embedded systems is the execution of unknown or malicious software capable of triggering harmful system behavior, aimed at theft of sensitive data or causing damage to the system. Commercial off-the-shelf embedded devices, such as embedded medical equipment, are more vulnerable as these type of products cannot be amended conventionally or have limited resources to implement protection mechanisms. In this paper, we present a self-organizing map (SOM)-based approach to enhance embedded system security by detecting abnormal program behavior. The proposed method extracts features derived from processor's program counter and cycles per instruction, and then utilises the features to identify abnormal behavior using the SOM. Results achieved in our experiment show that the proposed method can identify unknown program behaviors not included in the training set with over 98.4% accuracy

Intrusion Detection System of industrial control networks using network telemetry

Industrial Control Systems (ICSs) are designed, implemented, and deployed in most major spheres of production, business, and entertainment. ICSs are commonly split into two subsystems - Programmable Logic Controllers (PLCs) and Supervisory Control And Data Acquisition (SCADA) systems - to achieve high safety, allow engineers to observe states of an ICS, and perform various configuration updates. Before wide adoption of the Internet, ICSs used air-gap security measures, where the ICS network was isolated from other networks, including the Internet, by a physical disconnect [1]. This level of security allowed ICS protocol designers to concentrate on the availability and safety of operation of physical systems while decreasing the need for many cyber security implementations. As the price of networking devices fell, and the Internet received global adoption, many businesses became interested in the benefits of attaching ICSs to wide and global area networks. However, since ICS network protocols were originally designed for an air-gapped environment, it did not include any of the security measures needed for a proper operation of a critical protocol that exposes its packets to the Internet. This dissertation designs, implements, and evaluates a telemetry based Intrusion Detection System (IDS). The designed IDS utilizes aggregation and analysis of the traffic telemetry features to classify the incoming packets as malicious or benign. An IDS that uses network telemetry was created, and it achieved a high classification accuracy, protecting nodes from malicious traffic. Such an IDS is not vulnerable to address or encryption spoofings, as it does not utilize the content of the packets to differentiate between malicious and benign traffic. The IDS uses features of timing and network sessions to determine whether the machine that sent a particular packet and its software is, in fact, a combination that is benign, as well as whether or not it resides on a network that is benign. The results of the experiments conducted for this dissertation establish that such system is possible to create and use in an environment of ICS networks. Several features are recognized and selected as means for fingerprinting the hardware and software characteristics of the SCADA system that can be used in pair with machine learning algorithms to allow for a high accuracy detection of intrusions into the ICS network. The results showed a classification accuracy of at least 95% is possible, and as the differences between machines increase, the accuracy increases too

LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed

Running off-site software middleboxes at third-party service providers has been a popular practice. However, routing large volumes of raw traffic, which may carry sensitive information, to a remote site for processing raises severe security concerns. Prior solutions often abstract away important factors pertinent to real-world deployment. In particular, they overlook the significance of metadata protection and stateful processing. Unprotected traffic metadata like low-level headers, size and count, can be exploited to learn supposedly encrypted application contents. Meanwhile, tracking the states of 100,000s of flows concurrently is often indispensable in production-level middleboxes deployed at real networks. We present LightBox, the first system that can drive off-site middleboxes at near-native speed with stateful processing and the most comprehensive protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox is the product of our systematic investigation of how to overcome the inherent limitations of secure enclaves using domain knowledge and customization. First, we introduce an elegant virtual network interface that allows convenient access to fully protected packets at line rate without leaving the enclave, as if from the trusted source network. Second, we provide complete flow state management for efficient stateful processing, by tailoring a set of data structures and algorithms optimized for the highly constrained enclave space. Extensive evaluations demonstrate that LightBox, with all security benefits, can achieve 10Gbps packet I/O, and that with case studies on three stateful middleboxes, it can operate at near-native speed.Comment: Accepted at ACM CCS 201