Intrusion Detection System of industrial control networks using network telemetry

Industrial Control Systems (ICSs) are designed, implemented, and deployed in most major spheres of production, business, and entertainment. ICSs are commonly split into two subsystems - Programmable Logic Controllers (PLCs) and Supervisory Control And Data Acquisition (SCADA) systems - to achieve high safety, allow engineers to observe states of an ICS, and perform various configuration updates. Before wide adoption of the Internet, ICSs used air-gap security measures, where the ICS network was isolated from other networks, including the Internet, by a physical disconnect [1]. This level of security allowed ICS protocol designers to concentrate on the availability and safety of operation of physical systems while decreasing the need for many cyber security implementations. As the price of networking devices fell, and the Internet received global adoption, many businesses became interested in the benefits of attaching ICSs to wide and global area networks. However, since ICS network protocols were originally designed for an air-gapped environment, it did not include any of the security measures needed for a proper operation of a critical protocol that exposes its packets to the Internet. This dissertation designs, implements, and evaluates a telemetry based Intrusion Detection System (IDS). The designed IDS utilizes aggregation and analysis of the traffic telemetry features to classify the incoming packets as malicious or benign. An IDS that uses network telemetry was created, and it achieved a high classification accuracy, protecting nodes from malicious traffic. Such an IDS is not vulnerable to address or encryption spoofings, as it does not utilize the content of the packets to differentiate between malicious and benign traffic. The IDS uses features of timing and network sessions to determine whether the machine that sent a particular packet and its software is, in fact, a combination that is benign, as well as whether or not it resides on a network that is benign. The results of the experiments conducted for this dissertation establish that such system is possible to create and use in an environment of ICS networks. Several features are recognized and selected as means for fingerprinting the hardware and software characteristics of the SCADA system that can be used in pair with machine learning algorithms to allow for a high accuracy detection of intrusions into the ICS network. The results showed a classification accuracy of at least 95% is possible, and as the differences between machines increase, the accuracy increases too

Federated Agentless Detection of Endpoints Using Behavioral and Characteristic Modeling

During the past two decades computer networks and security have evolved that, even though we use the same TCP/IP stack, network traffic behaviors and security needs have significantly changed. To secure modern computer networks, complete and accurate data must be gathered in a structured manner pertaining to the network and endpoint behavior. Security operations teams struggle to keep up with the ever-increasing number of devices and network attacks daily. Often the security aspect of networks gets managed reactively instead of providing proactive protection. Data collected at the backbone are becoming inadequate during security incidents. Incident response teams require data that is reliably attributed to each individual endpoint over time. With the current state of dissociated data collected from networks using different tools it is challenging to correlate the necessary data to find origin and propagation of attacks within the network. Critical indicators of compromise may go undetected due to the drawbacks of current data collection systems leaving endpoints vulnerable to attacks. Proliferation of distributed organizations demand distributed federated security solutions. Without robust data collection systems that are capable of transcending architectural and computational challenges, it is becoming increasingly difficult to provide endpoint protection at scale. This research focuses on reliable agentless endpoint detection and traffic attribution in federated networks using behavioral and characteristic modeling for incident response

Mobile Firewall System For Distributed Denial Of Service Defense In Internet Of Things Networks

Internet of Things (IoT) has seen unprecedented growth in the consumer space over the past ten years. The majority of IoT device manufacturers do not, however, build their products with cybersecurity in mind. The goal of the mobile firewall system is to move mitigation of network-diffused attacks closer to their source. Attack detection and mitigation is enforced using a machine that physically traverses the area. This machine uses a suite of security tools to protect the network. Our system provides advantages over current network attack mitigation techniques. Mobile firewalls can be deployed when there is no access to the network gateway or when no gateway exists, such as in IoT mesh networks. The focus of this thesis is to refine an explicit implementation for the mobile firewall system and evaluate its effectiveness. Evaluation of the mobile firewall system is analyzed using three simulated distributed denial of service case studies. Mobility is shown to be a great benefit when defending against physically distant attackers – the system takes no more than 131 seconds to fully nullify a worst-case attack

INTRUSION DETECTION OF A SIMULATED SCADA SYSTEM USING A DATA-DRIVEN MODELING APPROACH

Supervisory Control and Data Acquisition (SCADA) are large, geographically distributed systems that regulate help processes in industries such as nuclear power, transportation or manufacturing. SCADA is a combination of physical, sensing, and communications equipment that is used for monitoring, control and telemetry acquisition actions. Because SCADA often control the distribution of vital resources such as electricity and water, there is a need to protect these cyber-physical systems from those with possible malicious intent. To this end, an Intrusion Detection System (IDS) is utilized to monitor telemetry sources in order to detect unwanted activities and maintain overall system integrity. This dissertation presents the results in developing a behavior-based approach to intrusion detection using a simulated SCADA test bed. Empirical modeling techniques known as Auto Associative Kernel Regression (AAKR) and Auto Associative Multivariate State Estimation Technique (AAMSET) are used to learn the normal behavior of the test bed. The test bed was then subjected to repeated intrusion injection experiments using penetration testing software and exploit codes. Residuals generated from these experiments are then supplied to an anomaly detection algorithm known as the Sequential Probability Ratio Test (SPRT). This approach is considered novel in that the AAKR and AAMSET, combined with the SPRT, have not been utilized previously in industry for cybersecurity purposes. Also presented in this dissertation is a newly developed variable grouping algorithm that is based on the Auto Correlation Function (ACF) for a given set of input data. Variable grouping is needed for these modeling methods to arrive at a suitable set of predictors that return the lowest error in model performance. The developed behavior-based techniques were able to successfully detect many types of intrusions that include network reconnaissance, DoS, unauthorized access, and information theft. These methods would then be useful in detecting unwanted activities of intruders from both inside and outside of the monitored network. These developed methods would also serve to add an additional layer of security. When compared with two separate variable grouping methods, the newly developed grouping method presented in this dissertation was shown to extract similar groups or groups with lower average model prediction errors

Intrusion detection in IoT networks using machine learning

The exponential growth of Internet of Things (IoT) infrastructure has introduced significant security challenges due to the large-scale deployment of interconnected devices. IoT devices are present in every aspect of our modern life; they are essential components of Industry 4.0, smart cities, and critical infrastructures. Therefore, the detection of attacks on this platform becomes necessary through an Intrusion Detection Systems (IDS). These tools are dedicated hardware devices or software that monitors a network to detect and automatically alert the presence of malicious activity. This study aimed to assess the viability of Machine Learning Models for IDS within IoT infrastructures. Five classifiers, encompassing a spectrum from linear models like Logistic Regression, Decision Trees from Trees Algorithms, Gaussian Naïve Bayes from Probabilistic models, Random Forest from ensemble family and Multi-Layer Perceptron from Artificial Neural Networks, were analysed. These models were trained using supervised methods on a public IoT attacks dataset, with three tasks ranging from binary classification (determining if a sample was part of an attack) to multiclassification of 8 groups of attack categories and the multiclassification of 33 individual attacks. Various metrics were considered, from performance to execution times and all models were trained and tuned using cross-validation of 10 k-folds. On the three classification tasks, Random Forest was found to be the model with best performance, at expenses of time consumption. Gaussian Naïve Bayes was the fastest algorithm in all classification¿s tasks, but with a lower performance detecting attacks. Whereas Decision Trees shows a good balance between performance and processing speed. Classifying among 8 attack categories, most models showed vulnerabilities to specific attack types, especially those in minority classes due to dataset imbalances. In more granular 33 attack type classifications, all models generally faced challenges, but Random Forest remained the most reliable, despite vulnerabilities. In conclusion, Machine Learning algorithms proves to be effective for IDS in IoT infrastructure, with Random Forest model being the most robust, but with Decision Trees offering a good balance between speed and performance.Objectius de Desenvolupament Sostenible::9 - Indústria, Innovació i Infraestructur

Reliability Analysis of Electric Power Systems Considering Cyber Security

The new generation of the electric power system is the modern smart grid which is essentially a cyber and physical system (CPS). Supervisory control and data acquisition (SCADA)/energy management system (EMS) is the key component of CPS, which is becoming the main target of both external and insider cyberattacks. Cybersecurity of the SCADA/EMS system is facing big challenges and influences the reliability of the electric power system. Characteristics of cyber threats will impact the system reliability. System reliability can be influenced by various cyber threats with different attack skill levels and attack paths. Additionally, the change of structure of the target system may also result in the change of the system reliability. However, very limited research is related to the reliability analysis of the electric power system considering cybersecurity issue. A large amount of mathematical methods can be used to quantify the cyber threats and simulation processes can be applied to build the reliability analysis model. For instance, to analyze the vulnerabilities of the SCADA/EMS system in the electric power system, Bayesian Networks (BNs) can be used to model the attack paths of cyberattacks on the exploited vulnerabilities. The mean time-to-compromise (MTTC) and mean time-to-failure (MTTF) based on the Common Vulnerability Scoring System (CVSS) can be applied to characterize the properties of cyberattacks. What’s more, simulation approaches like non-sequential or sequential Monte Carlo Simulation (MCS) is able to simulate the system reliability analysis and calculate the reliability indexes. In this thesis, reliability of the SCADA/EMS system in the electric power system considering different cybersecurity issues is analyzed. The Bayesian attack path models of cyberattacks on the SCADA/EMS components are built by Bayesian Networks (BNs), and cyberattacks are quantified by its mean time-to-compromise (MTTC) by applying a modified Semi-Markov Process (SMP) and MTTC models. Based on the IEEE Reliability Test System (RTS) 96, the system reliability is analyzed by calculating the electric power system reliability indexes like LOLP and EENS through MCS. What’s more, cyberattacks with different lurking strategies are considered and analyzed. According to the simulation results, it shows that the system reliability of the SCADA/EMS system in the electric power system considering cyber security is closely related to the MTTC of cyberattacks, which is influenced by the attack paths, attacking skill levels, and the complexity of the target structure. With the increase of the MTTC values of cyberattacks, LOLP values decrease, which means that the reliability of the system is better, and the system is safer. In addition, with the difficulty level of lurking strategies of cyberattacks getting higher and higher, though the LOLP values of scenarios don’t increase a lot, the EENS values of the corresponding scenarios increase dramatically, which indicates that the system reliability is more unpredictable, and the cyber security is worse. Finally, insider attacks are discussed and corresponding LOLP values and EENS values considering lurking behavior are estimated and compared. Both LOLP and EENS values dramatically increase owing to the insider attacks that result in the lower MTTCs. This indicates that insider attacks can lead to worse impact on system reliability than external cyber attacks. The results of this thesis may contribute to the establishment of perfect countermeasures against with cyber attacks on the electric power system

A Survey of Satellite Communications System Vulnerabilities

The U.S. military’s increasing reliance on commercial and military communications satellites to enable widely-dispersed, mobile forces to communicate makes these space assets increasingly vulnerable to attack by adversaries. Attacks on these satellites could cause military communications to become unavailable at critical moments during a conflict. This research dissected a typical satellite communications system in order to provide an understanding of the possible attacker entry points into the system, to determine the vulnerabilities associated with each of these access points, and to analyze the possible impacts of these vulnerabilities to U.S. military operations. By understanding these vulnerabilities of U.S. communications satellite systems, methods can be developed to mitigate these threats and protect future systems. This research concluded that the satellite antenna is the most vulnerable component of the satellite communications system’s space segment. The antenna makes the satellite vulnerable to intentional attacks such as: RF jamming, spoofing, meaconing, and deliberate physical attack. The most vulnerable Earth segment component was found to be the Earth station network, which incorporates both Earth station and NOC vulnerabilities. Earth segment vulnerabilities include RF jamming, deliberate physical attack, and Internet connection vulnerabilities. The most vulnerable user segment components were found to be the SSPs and PoPs. SSPs are subject to the vulnerabilities of the services offered, the vulnerabilities of Internet connectivity, and the vulnerabilities associated with operating the VSAT central hub. PoPs are susceptible to the vulnerabilities of the PoP routers, the vulnerabilities of Internet and Intranet connectivity, and the vulnerabilities associated with cellular network access

Cybersecurity analysis of a SCADA system under current standards, client requisites, and penetration testing

Supervisory Control and Data Acquisition (SCADA) systems are essential for monitoring and controlling a country's Critical Infrastructures (CI) such as electrical power grids, gas, water supply, and transportation services. These systems used to be mostly isolated and secure, but this is no longer true due to the use of wider and interconnected communication networks to reap benefits such as scalability, reliability, usability, and integration. This architectural change together with the critical importance of these systems made them desirable cyber-attack targets. Just as in other Information Technology (IT) systems, standards and best practices have been developed to provide guidance for SCADA developers to increase the security of their systems against cyber-attacks.With the assistance of EFACEC, this work provides an analysis of a SCADA system under current standards, client requisites, and testing of vulnerabilities in an actual prototype system. Our aim is to provide guidance by example on how to evaluate and improve the security of SCADA systems, using a basic prototype of EFACEC's ScateX# SCADA system, following both a theoretical and practical approach. For the theoretical approach, a list of the most commonly adopted ICS (Industrial Control Systems) and IT standards is compiled, and then sets of a generic client's cybersecurity requisites are analyzed and confronted with the prototype's specifications. A study of the system's architecture is also performed to identify vulnerabilities and non-compliances with both the client's requisites and the standards and, for the identified vulnerabilities, corrective and mitigation measures are suggested. For the practical approach, a threat model was developed to help identify desirable assets on SCADA systems and possible attack vectors that could allow access to such assets. Penetration tests were performed on the prototype in order to validate the attack vectors, to evaluate compliance, and to provide evidence of the effectiveness of the corrective measures