Laboratory Exercises to Accompany Industrial Control and Embedded Systems Security Curriculum Modules

The daily intrusion attempts and attacks on industrial control systems (ICS) and embedded systems (ES) underscore the criticality of the protection of our Critical Infrastructures (CIs). As recent as mid-July 2018, numerous reports on the infiltration of US utility control rooms by Russian hackers have been published. These successful infiltration and possible manipulation of the utility companies could easily translate to a devastating attack on our nation’s power grid and, consequently, our economy and well-being. Indeed, the need to secure the control and embedded systems which operate our CIs has never been so pronounced. In our attempt to address this critical need, we designed, developed and implemented ICS and ES security curriculum modules with pertinent hands-on laboratory exercises that can be freely adopted across the national setting. This paper describes in detail the modules and the accompanying exercises and proposes future enhancements and extensions to these pedagogical instruments. It highlights the interaction between control and embedded systems security with Presidential Policy Directive 8- the National Preparedness Plan (NPP), cyber risk management, incident handling. To establish the premise the laboratory exercises were developed. This paper outlines the description and content of the modules in the areas of (1) Industrial Control Systems (ICS) Security, (2) embedded systems (ES), and (3) guidelines, standards, and policy. The ICS security modules cover the predominant ICS protocols, ladder logic programming, Human Machine Interface (HMI), defensive techniques, ICS reconnaissance, vulnerability assessment, Intrusion detection, and penetration testing. The ES security modules include topics such as secure firmware programming and authentication mechanisms. In the guidelines, standards, and policy section, the topics covered by the modules include the NPP as it relates to CI protection, risk management, system protection and policy design, and managing operations and controls. An overview of the various hands-on exercises that accompany the course modules is also presented. Further, to evaluate the effectiveness of the pedagogical materials, an initial evaluation was conducted and the survey data were collected, analyzed, and presented. The paper concludes with future enhancements and directives on opportunities for module extensions and course adoption

Machine Learning Based Network Vulnerability Analysis of Industrial Internet of Things

It is critical to secure the Industrial Internet of Things (IIoT) devices because of potentially devastating consequences in case of an attack. Machine learning and big data analytics are the two powerful leverages for analyzing and securing the Internet of Things (IoT) technology. By extension, these techniques can help improve the security of the IIoT systems as well. In this paper, we first present common IIoT protocols and their associated vulnerabilities. Then, we run a cyber-vulnerability assessment and discuss the utilization of machine learning in countering these susceptibilities. Following that, a literature review of the available intrusion detection solutions using machine learning models is presented. Finally, we discuss our case study, which includes details of a real-world testbed that we have built to conduct cyber-attacks and to design an intrusion detection system (IDS). We deploy backdoor, command injection, and Structured Query Language (SQL) injection attacks against the system and demonstrate how a machine learning based anomaly detection system can perform well in detecting these attacks. We have evaluated the performance through representative metrics to have a fair point of view on the effectiveness of the methods

Anomaly Detection and Encrypted Programming Forensics for Automation Controllers

Securing the critical infrastructure of the United States is of utmost importance in ensuring the security of the nation. To secure this complex system a structured approach such as the NIST Cybersecurity framework is used, but systems are only as secure as the sum of their parts. Understanding the capabilities of the individual devices, developing tools to help detect misoperations, and providing forensic evidence for incidence response are all essential to mitigating risk. This thesis examines the SEL-3505 RTAC to demonstrate the importance of existing security capabilities as well as creating new processes and tools to support the NIST Framework. The research examines the potential pitfalls of having small-form factor devices in poorly secured and geographically disparate locations. Additionally, the research builds a data-collection framework to provide a proof of concept anomaly detection system for detecting network intrusions by recognizing the change in task time distribution. Statistical tests distinguish between normal and anomalous behaviour. The high true positive rates and low false positive rates show the merit of such an anomaly detection system. Finally, the work presents a network forensic process for recreating control logic from encrypted programming traffic

Stealthy Deception Attacks Against SCADA Systems

SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta--data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system--wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage

A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices

The Industrial Internet of Things (IIoT) has already become a part of our everyday life be it water supply, smart grid, or production, IIoT is everywhere. For example, factory operators want to know the current state of the production line. These new demands for data acquisition in modern plants require industrial components to be able to communicate. Nowadays, network communication in Industrial Control Systems (ICSs) is often implemented via an IP-based protocol. This intercommunication also brings a larger attack surface for hackers. If an IIoT device is influenced by attackers, the physical process could be affected. For example, a high network load could cause a high Central Processing Unit (CPU) load and influence the reaction time on the physical control side. In this paper, we introduce a dual Microcontroller Unit (MCU) setup to ensure a resilient controlling for IIoT devices like Programmable Logic Controllers (PLCs). We introduce a possible solution for the demand of secure architectures in the IIoT. Moreover, we provide a Proof of Concept (PoC) implementation with a benchmark and a comparison with a standard PLC

Advanced security aspects on Industrial Control Network.

Security threats are one of the main problems of this computer-based era. All systems making use of information and communication technologies (ICT) are prone to failures and vulnerabilities that can be exploited by malicious software and agents. In the latest years, Industrial Critical Installations started to use massively network interconnections as well, and what it is worst they came in contact with the public network, i.e. with Internet. Industrial networks are responsible for process and manufacturing operations of almost every scale, and as a result the successful penetration of a control system network can be used to directly impact those processes. Consequences could potentially range from relatively benign disruptions, such as the disruption of the operation (taking a facility offline), the alteration of an operational process (changing the formula of a chemical process), all the way to deliberate acts of sabotage that are intended to cause harm. The interconnectivity of Industrial Control Systems with corporate networks and the Internet has significantly increased the threats to critical infrastructure assets. Meanwhile, traditional IT security solutions such as firewalls, intrusion detection systems and antivirus software are relatively ineffective against attacks that specifically target vulnerabilities in SCADA protocols. This presents presents an innovative approach to Intrusion Detection in SCADA systems based on the concept of Critical State Analysis and State Proximity. The theoretical framework is supported by tests conducted with an Intrusion Detection System prototype implementing the proposed detection approach

Advanced security aspects on Industrial Control Network.

Security threats are one of the main problems of this computer-based era. All systems making use of information and communication technologies (ICT) are prone to failures and vulnerabilities that can be exploited by malicious software and agents. In the latest years, Industrial Critical Installations started to use massively network interconnections as well, and what it is worst they came in contact with the public network, i.e. with Internet. Industrial networks are responsible for process and manufacturing operations of almost every scale, and as a result the successful penetration of a control system network can be used to directly impact those processes. Consequences could potentially range from relatively benign disruptions, such as the disruption of the operation (taking a facility offline), the alteration of an operational process (changing the formula of a chemical process), all the way to deliberate acts of sabotage that are intended to cause harm. The interconnectivity of Industrial Control Systems with corporate networks and the Internet has significantly increased the threats to critical infrastructure assets. Meanwhile, traditional IT security solutions such as firewalls, intrusion detection systems and antivirus software are relatively ineffective against attacks that specifically target vulnerabilities in SCADA protocols. This presents presents an innovative approach to Intrusion Detection in SCADA systems based on the concept of Critical State Analysis and State Proximity. The theoretical framework is supported by tests conducted with an Intrusion Detection System prototype implementing the proposed detection approach