Practical Encryption Gateways to Integrate Legacy Industrial Machinery

Future industrial networks will consist of a mixture of old and new components, due to the very long life-cycles of industrial machines on the one hand and the need to change in the face of trends like Industry 4.0 or the industrial Internet of things on the other. These networks will be very heterogeneous and will serve legacy as well as new use cases in parallel. This will result in an increased demand for network security and precisely within this domain, this thesis tries to answer one specific question: how to make it possible for legacy industrial machines to run securely in those future heterogeneous industrial networks. The need for such a solution arises from the fact, that legacy machines are very outdated and hence vulnerable systems, when assessing them from an IT security standpoint. For various reasons, they cannot be easily replaced or upgraded and with the opening up of industrial networks to the Internet, they become prime attack targets. The only way to provide security for them, is by protecting their network traffic. The concept of encryption gateways forms the basis of our solution. These are special network devices, that are put between the legacy machine and the network. The gateways encrypt data traffic from the machine before it is put on the network and decrypt traffic coming from the network accordingly. This results in a separation of the machine from the network by virtue of only decrypting and passing through traffic from other authenticated gateways. In effect, they protect communication data in transit and shield the legacy machines from potential attackers within the rest of the network, while at the same time retaining their functionality. Additionally, through the specific placement of gateways inside the network, fine-grained security policies become possible. This approach can reduce the attack surface of the industrial network as a whole considerably. As a concept, this idea is straight forward and not new. Yet, the devil is in the details and no solution specifically tailored to the needs of the industrial environment and its legacy components existed prior to this work. Therefore, we present in this thesis concrete building blocks in the direction of a generally applicable encryption gateway solution that allows to securely integrate legacy industrial machinery and respects industrial requirements. This not only entails works in the direction of network security, but also includes works in the direction of guaranteeing the availability of the communication links that are protected by the gateways, works to simplify the usability of the gateways as well as the management of industrial data flows by the gateways

Industry 4.0: a systematic review of legacy manufacturing system digital retrofitting

Industry 4.0 technologies and digitalised processes are essential for implementing smart manufacturing within vertically and horizontally integrated production environments. These technologies offer new ways to generate revenue from data-driven services and enable predictive maintenance based on real-time data analytics. They also provide autonomous manufacturing scheduling and resource allocation facilitated by cloud computing technologies and the industrial Internet of Things (IoT). Although the fourth industrial revolution has been underway for more than a decade, the manufacturing sector is still grappling with the process of upgrading manufacturing systems and processes to Industry 4.0-conforming technologies and standards. Small and medium enterprises (SMEs) in particular, cannot always afford to replace their legacy systems with state-of-the-art machines but must look for financially viable alternatives. One such alternative is retrofitting, whereby old manufacturing systems are upgraded with sensors and IoT components to integrate them into a digital workflows across an enterprise. Unfortunately, to date, the scope and systematic process of legacy system retrofitting, and integration are not well understood and currently represent a large gap in the literature. In this article, the authors present an in-depth systematic review of case studies and available literature on legacy system retrofitting. A total of 32 papers met the selection criteria and were particularly relevant to the topic. Three digital retrofitting approaches are identified and compared. The results include insights common technologies used in retrofitting, hardware and software components typically required, and suitable communication protocols for establishing interoperability across the enterprise. These form an initial basis for a theoretical decision-making framework and associated retrofitting guide tool to be developed

QoS-aware architectures, technologies, and middleware for the cloud continuum

The recent trend of moving Cloud Computing capabilities to the Edge of the network is reshaping how applications and their middleware supports are designed, deployed, and operated. This new model envisions a continuum of virtual resources between the traditional cloud and the network edge, which is potentially more suitable to meet the heterogeneous Quality of Service (QoS) requirements of diverse application domains and next-generation applications. Several classes of advanced Internet of Things (IoT) applications, e.g., in the industrial manufacturing domain, are expected to serve a wide range of applications with heterogeneous QoS requirements and call for QoS management systems to guarantee/control performance indicators, even in the presence of real-world factors such as limited bandwidth and concurrent virtual resource utilization. The present dissertation proposes a comprehensive QoS-aware architecture that addresses the challenges of integrating cloud infrastructure with edge nodes in IoT applications. The architecture provides end-to-end QoS support by incorporating several components for managing physical and virtual resources. The proposed architecture features: i) a multilevel middleware for resolving the convergence between Operational Technology (OT) and Information Technology (IT), ii) an end-to-end QoS management approach compliant with the Time-Sensitive Networking (TSN) standard, iii) new approaches for virtualized network environments, such as running TSN-based applications under Ultra-low Latency (ULL) constraints in virtual and 5G environments, and iv) an accelerated and deterministic container overlay network architecture. Additionally, the QoS-aware architecture includes two novel middlewares: i) a middleware that transparently integrates multiple acceleration technologies in heterogeneous Edge contexts and ii) a QoS-aware middleware for Serverless platforms that leverages coordination of various QoS mechanisms and virtualized Function-as-a-Service (FaaS) invocation stack to manage end-to-end QoS metrics. Finally, all architecture components were tested and evaluated by leveraging realistic testbeds, demonstrating the efficacy of the proposed solutions

Protection of Active Distribution Networks and Their Cyber Physical Infrastructure

Today’s Smart Grid constitutes several smaller interconnected microgrids. However, the integration of converter-interfaced distributed generation (DG) in microgrids has raised several issues such as the fact that fault currents in these systems in islanded mode are way less than those in grid connected microgrids. Therefore, microgrid protection schemes require a fast, reliable and robust communication system, with backup, to automatically adjust relay settings for the appropriate current levels according to the microgrid’s operation mode. However, risks of communication link failures, cyber security threats and the high cost involved to avoid them are major challenges for the implementation of an economic adaptive protection scheme. This dissertation proposes an adaptive protection scheme for AC microgrids which is capable of surviving communication failures. The contribution is the use of an energy storage system as the main contributor to fault currents in the microgrid’s islanded mode when the communication link fails to detect the shift to the islanded mode. The design of an autonomous control algorithm for the energy storage’s AC/DC converter capable of operating when the microgrid is in both grid-connected and islanded mode. Utilizing a single mode of operation for the converter will eliminate the reliance on communicated control command signals to shift the controller between different modes. Also, the ability of the overall system to keep stable voltage and frequency levels during extreme cases such as the occurrence of a fault during a peak pulse load period. The results of the proposed protection scheme showed that the energy storage -inverter system is able to contribute enough fault current for a sufficient duration to cause the system protection devices to clear the fault in the event of communication loss. The proposed method was investigated under different fault types and showed excellent results of the proposed protection scheme. In addition, it was demonstrated in a case study that, whenever possible, the temporary disconnection of the pulse load during the fault period will allow the utilization of smaller energy storage device capacity to feed fault currents and thus reduce the overall expenditures. Also, in this dissertation we proposed a hybrid hardware-software co-simulation platform capable of modeling the relation between the cyber and physical parts to provide a protection scheme for the microgrid. The microgrid was simulated on MATLAB/Simulink SimPowerSystems to model the physical system dynamics, whereas all control logic was implemented on embedded microcontrollers communicating over a real network. This work suggested a protection methodology utilizing contemporary communication technologies between multi-agents to protect the microgrid

Industrial and Critical Infrastructure Security: Technical Analysis of Real-Life Security Incidents

Critical infrastructures and industrial organizations aggressively move towards integrating elements of modern Information Technology (IT) into their monolithic Operational Technology (OT) architectures. Yet, as OT systems progressively become more and more interconnected, they silently have turned into alluring targets for diverse groups of adversaries. Meanwhile, the inherent complexity of these systems, along with their advanced-in-age nature, prevents defenders from fully applying contemporary security controls in a timely manner. Forsooth, the combination of these hindering factors has led to some of the most severe cybersecurity incidents of the past years. This work contributes a full-fledged and up-to-date survey of the most prominent threats and attacks against Industrial Control Systems and critical infrastructures, along with the communication protocols and devices adopted in these environments. Our study highlights that threats against critical infrastructure follow an upward spiral due to the mushrooming of commodity tools and techniques that can facilitate either the early or late stages of attacks. Furthermore, our survey exposes that existing vulnerabilities in the design and implementation of several of the OT-specific network protocols and devices may easily grant adversaries the ability to decisively impact physical processes. We provide a categorization of such threats and the corresponding vulnerabilities based on various criteria. The selection of the discussed incidents and identified vulnerabilities aims to provide a holistic view of the specific threats that target Industrial Control Systems and critical infrastructures. As far as we are aware, this is the first time an exhaustive and detailed survey of this kind is attempted

Co-design of Security Aware Power System Distribution Architecture as Cyber Physical System

The modern smart grid would involve deep integration between measurement nodes, communication systems, artificial intelligence, power electronics and distributed resources. On one hand, this type of integration can dramatically improve the grid performance and efficiency, but on the other, it can also introduce new types of vulnerabilities to the grid. To obtain the best performance, while minimizing the risk of vulnerabilities, the physical power system must be designed as a security aware system. In this dissertation, an interoperability and communication framework for microgrid control and Cyber Physical system enhancements is designed and implemented taking into account cyber and physical security aspects. The proposed data-centric interoperability layer provides a common data bus and a resilient control network for seamless integration of distributed energy resources. In addition, a synchronized measurement network and advanced metering infrastructure were developed to provide real-time monitoring for active distribution networks. A hybrid hardware/software testbed environment was developed to represent the smart grid as a cyber-physical system through hardware and software in the loop simulation methods. In addition it provides a flexible interface for remote integration and experimentation of attack scenarios. The work in this dissertation utilizes communication technologies to enhance the performance of the DC microgrids and distribution networks by extending the application of the GPS synchronization to the DC Networks. GPS synchronization allows the operation of distributed DC-DC converters as an interleaved converters system. Along with the GPS synchronization, carrier extraction synchronization technique was developed to improve the system’s security and reliability in the case of GPS signal spoofing or jamming. To improve the integration of the microgrid with the utility system, new synchronization and islanding detection algorithms were developed. The developed algorithms overcome the problem of SCADA and PMU based islanding detection methods such as communication failure and frequency stability. In addition, a real-time energy management system with online optimization was developed to manage the energy resources within the microgrid. The security and privacy were also addressed in both the cyber and physical levels. For the physical design, two techniques were developed to address the physical privacy issues by changing the current and electromagnetic signature. For the cyber level, a security mechanism for IEC 61850 GOOSE messages was developed to address the security shortcomings in the standard

Open source SCADA systems for small renewable power generation

Low cost monitoring and control is essential for small renewable power systems. While large renewable power systems can use existing commercial technology for monitoring and control, that is not cost-effective for small renewable generation. Such small assets require cost-effective, flexible, secure, and reliable real-time coordinated data monitoring and control systems. Supervisory control and data acquisition (SCADA) is the perfect technology for this task. The available commercial SCADA solutions are mostly pricey and economically unjustifiable for smaller applications. They also pose interoperability issues with the existing components which are often from multiple vendors. Therefore, an open source SCADA system represents the most flexible and the most cost-effective SCADA solution. This thesis has been done in two phases. The first phase demonstrates the design and dynamic simulation of a small hybrid power system with a renewable power generation system as a case study. In the second phase, after an extensive study of the proven commercial SCADA solutions and some open source SCADA packages, three different secure, reliable, low-cost open source SCADA options are developed using the most recent SCADA architecture, the Internet of Things. The implemented prototypes of the three open source SCADA systems were tested extensively with a small renewable power system (a solar PV system). The results show that the developed open source SCADA systems perform optimally and accurately, and could serve as viable options for smaller applications such as renewable generation that cannot afford commercial SCADA solutions

A Design Framework for Aggregation in a System of Digital Twins

Mechanical and Mechatronic Engineerin