4 research outputs found

    Security Evaluation of Substation Network Architectures

    In recent years, security of industrial control systems has been the main research focus due to the potential cyber-attacks that can impact the physical operations. As a result of these risks, there has been an urgent need to establish stronger security protection against these threats. Conventional firewalls with stateful rules can be implemented in the critical cyberinfrastructure environment, which might require constant updates. Despite the ongoing effort to maintain the rules, the protection mechanism does not restrict malicious data flows and it poses the greater risk of potential intrusion occurrence. The contributions of this thesis are motivated by the aforementioned issues, which include a systematic investigation of attack-related scenarios within a substation network in a reliable sense. The proposed work is two-fold: (i) system architecture evaluation and (ii) construction of an attack tree for a substation network. Cyber-system reliability remains one of the important factors in determining the system bottleneck for investment planning and maintenance. It determines the longevity of the system operational period with or without any disruption. First, a complete enumeration of existing implementations is exhaustively identified with existing communication architectures (bidirectional) and new ones that are strictly unidirectional. A detailed modeling of the extended 10 system architectures has been evaluated. Next, attack tree modeling for potential substation threats is formulated. This quantifies the potential risks for possible attack scenarios within a network or from the external networks. The analytical models proposed in this thesis can serve as a fundamental development that can be further researched

    Interface díodo (Diode Interface)

    Master's thesis in Information Security (Segurança Informática), presented to the Universidade de Lisboa, through the Faculdade de Ciências, 2013.

    With the constant growth of online services, interactions carried out by users or servers on a network with a low security level (e.g. the Internet) with users or services in a high-security domain (e.g. an e-mail server) have been increasing. Besides this interaction between networks with different security levels, within the datacenter of a single organization there are interactions between entities that operate at distinct security levels, without being considered truly insecure. On the other hand, due to the existing protocols, many of the interactions are characterized by data exchanges in both directions of the connection (e.g. Transmission Control Protocol). Nevertheless, there are services whose application logic (e-mail, online voting systems, etc.), although built on these bidirectional protocols, does not justify the need for traffic in both directions simultaneously, often involving confidential information restricted to certain users. In this dissertation we present the Interface Díodo (Diode Interface), a network device tolerant to Byzantine faults, which restricts traffic to one direction of the connection, blocking information in the opposite direction. The service provided can be used by several clients simultaneously for different final services. We define an architecture, a prototype and the respective results obtained, regardless of the transport protocol (unidirectional or bidirectional). With the Diode Interface, data can be exchanged from a network with a lower security level to a higher security level, or vice versa, but never in both directions. If the traffic flows from an insecure network to a secure network, the confidentiality of the data in the higher-security domain is guaranteed. In the opposite direction, the integrity of the data in the higher-security domain is guaranteed.

    Online services provided in the business world are increasing the probability of interactions between servers and users on insecure networks (e.g. Internet) and services and users in high security domains (e.g. e-mail server). Besides these interactions between insecure and secure networks, there are interactions that happen inside datacenters made by entities operating in different kinds of security domains, without any of them being completely insecure. On the other hand, due to the way current protocols operate, there are interactions characterized by data exchanged in both directions (e.g. Transmission Control Protocol). Some services, such as e-mail or online voting systems, while using these protocols, do not justify the need for traffic in both directions, especially for sensitive information that should remain in one place and only be accessed by specific users. In this report we introduce the Diode Interface, a network device that allows the traffic in a connection to flow just in one direction, blocking any sort of information coming from the opposite side. The service provided can be used by several clients sending data to different final services simultaneously. We define an architecture, a prototype and the obtained results, regardless of the transport protocol (unidirectional or bidirectional) which transfers data between a network and the diode. With the Diode Interface, data exchange is possible between a low security network and a high security network or vice versa, but never in both directions at the same time. Allowing traffic to flow only from a low security domain to a high security domain, one guarantees the confidentiality of critical data. Allowing the traffic to flow from the high security level to the low security level, one guarantees the integrity of the data that is in the high security domain

    An Approach to Guide Users Towards Less Revealing Internet Browsers

    When browsing the Internet, HTTP headers enable both clients and servers to send extra data in their requests or responses, such as the User-Agent string. This string contains information related to the sender’s device, browser, and operating system. Previous research has shown that numerous privacy and security risks result from exposing sensitive information in the User-Agent string. For example, it enables device and browser fingerprinting and user tracking and identification. Our large analysis of thousands of User-Agent strings shows that browsers differ tremendously in the amount of information they include in their User-Agent strings. As such, our work aims at guiding users towards using less exposing browsers. In doing so, we propose to assign an exposure score to browsers based on the information they expose and vulnerability records. Thus, our contribution in this work is as follows: first, provide a full implementation that is ready to be deployed and used by users. Second, conduct a user study to identify the effectiveness and limitations of our proposed approach. Our implementation is based on using more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available and the solution has been deployed

    Data Diodes in Support of Trustworthy Cyber Infrastructure and Net-Centric Cyber Decision Support

    No full text