The impact of cybersecurity on industrial processes. Understand the risks and how to mitigate the consequences

La ciberseguretat s'està convertint en un tema cada dia més important que les empreses no poden ignorar, sobretot perquè actualment la majoria d'atacs han evolucionat fins al punt de fer que l'antivirus i el tallafocs siguin insuficients per garantir la protecció de la pròpia organització, estimulant els responsables en la ciberseguretat a invertir. cada cop més per estar al dia amb les amenaces cada cop més complexes. S'ha arribat a un punt en què els atacants, donada la creixent dificultat per dur a terme ciberatacs a les xarxes informàtiques, han començat a plantejar-se la possibilitat d'orientar-se envers empreses manufactureres en els entorns on són més vulnerables, maquinària i xarxes industrials. Actualment aquestes han perdut la protecció per la segregació que tenien en els darrers anys, degut a la introducció massiva de l'IoT i als nous paradigmes de la indústria 4.0 que estan imposant l'obertura cap a sistemes externs com el núvol i una estreta integració amb els sistemes empresarials. Això és molt perillós perquè fins i tot s'ha exposat maquinària fràgil que podria perdre la disponibilitat fins i tot amb atacs simples o accions aparentment inofensives, basades en versions obsoletes de programari i sistemes operatius, que es comuniquen entre entre sí amb protocols de comunicació clars, sense autenticació, ni criptografia. Aquest projecte es posiciona en aquesta àrea i tracta de la seguretat d'una línia de panells de recent compra que s'ha d'inserir en una de les instal·lacions de producció de Fincantieri, respectant totes les polítiques de ciberseguretat corporativa, bones pràctiques, limitant l'augment al mínim de la superfície d'atac després de la seva inserció. Les activitats s'han centrat en l'anàlisi dels riscos potencials als quals podria estar exposat aquest sistema i la definició dels correctius. Tenint en compte l'entorn en el qual operem, no sempre és possible actuar sobre l'origen del problema i sovint s'han de trobar mesures alternatives.La ciberseguridad se está convirtiendo día a día en un tema cada vez más importante que las empresas no pueden ignorar, sobre todo porque hoy en día la mayoría de los ataques han evolucionado hasta el punto de hacer que los antivirus y firewall sean insuficientes para garantizar la protección de la propia organización, estimulando a los responsables en la ciberseguridad a invertir más y más para mantenerse al día con las amenazas cada vez más complejas. Se ha llegado a un punto en el que los atacantes, ante la creciente dificultad para realizar ciberataques en redes IT, han comenzado a apuntar las empresas manufactureras en los entornos donde son más vulnerables, maquinaria y redes industriales. Hoy en día estas redes han perdido la protección por la segregación que tenían en los últimos años, debido a la introducción masiva de IoT y los nuevos paradigmas de Industria 4.0 que están imponiendo la apertura hacia sistemas externos como la nube y una estrecha integración con los sistemas de negocios. Esto es muy peligroso porque incluso se ha expuesto maquinaria frágil que podría perder disponibilidad también con simples ataques o acciones aparentemente inofensivas, basadas en versiones obsoletas de software y sistemas operativos, que se comunican entre sí con protocolos de comunicación claros, sin autenticación ni criptografía. Este proyecto se posiciona en esta área y trata de la seguridad de una línea de paneles recientemente comprada que debe insertarse en uno de los sitios de producción de Fincantieri, respetando todas las políticas corporativas de ciberseguridad, las mejores prácticas, limitando al mínimo el aumento de la superficie de ataque para la empresa tras su inserción. Las actividades se centraron en el análisis de los riesgos a los que podría estar expuesto dicho sistema y la definición de remediación. Teniendo en cuenta el entorno en el que operamos, no siempre es posible actuar sobre el origen del problema y muchas veces se deben encontrar alternativas.Cybersecurity is becoming an increasingly important topic day after day that cannot be ignored anymore by companies, especially since nowadays most attacks have evolved to the point of making antivirus and firewalls insufficient to guarantee the protection of organizations, pushing who is deputed to cybersecurity to invest more and more to keep up with the increasingly complex threats. Security has reached a level that attackers, given the increasing difficulty in carrying out cyber-attacks in IT networks, have begun to consider the possibility of targeting manufacturing companies in environments where they are most vulnerable: industrial systems and networks. Nowadays these networks have lost the protection due to segregation they had in the past years because of the massive introduction of IoT and the new paradigms of Industry 4.0 that are imposing the opening towards external systems such as the cloud and a tight integration with the corporate systems. This is very dangerous because even fragile machinery that could lose availability even with simple attacks or apparently harmless actions has been exposed. These assets are often based on obsolete versions of software and operating systems that communicate each other with clear text communication protocols, without any authentication or cryptography. This project is positioned in this area and deals with securing a recently purchased panel line that has been inserted in one of Fincantieri's production sites, respecting all corporate cybersecurity policies, best practices, limiting the increase of the attack surface due to its insertion in the company to the minimum. The activities focused on the analysis of the potential risks to which this system could be exposed and the definition of remediation. Considering the environment in which it has been operated, it is not always possible to act on the source of the problem and alternative measures must often be found that limit the criticalities highlighted

Firewall Policy Diagram: Novel Data Structures and Algorithms for Modeling, Analysis, and Comprehension of Network Firewalls

Firewalls, network devices, and the access control lists that manage traffic are very important components of modern networking from a security and regulatory perspective. When computers were first connected, they were communicating with trusted peers and nefarious intentions were neither recognized nor important. However, as the reach of networks expanded, systems could no longer be certain whether the peer could be trusted or that their intentions were good. Therefore, a couple of decades ago, near the widespread adoption of the Internet, a new network device became a very important part of the landscape, i.e., the firewall with the access control list (ACL) router. These devices became the sentries to an organization's internal network, still allowing some communication; however, in a controlled and audited manner. It was during this time that the widespread expansion of the firewall spawned significant research into the science of deterministically controlling access, as fast as possible. However, the success of the firewall in securing the enterprise led to an ever increasing complexity in the firewall as the networks became more inter-connected. Over time, the complexity has continued to increase, yielding a difficulty in understanding the allowed access of a particular device. As a result of this success, firewalls are one of the most important devices used in network security. They provide the protection between networks that only wish to communicate over an explicit set of channels, expressed through the protocols, traveling over the network. These explicit channels are described and implemented in a firewall using a set of rules, where the firewall implements the will of the organization through these rules, also called a firewall policy. In small test environments and networks, firewall policies may be easy to comprehend and understand; however, in real world organizations these devices and policies must be capable of handling large amounts of traffic traversing hundreds or thousands of rules in a particular policy. Added to that complexity is the tendency of a policy to grow substantially more complex over time; and the result is often unintended mistakes in comprehending the complex policy, possibly leading to security breaches. Therefore, the need for an organization to unerringly and deterministically understand what traffic is allowed through a firewall, while being presented with hundreds or thousands of rules and routes, is imperative. In addition to the local security policy represented in a firewall, the modern firewall and filtering router involve more than simply deciding if a packet should pass through a security policy. Routing decisions through multiple network interfaces involving vendor-specific constructs such as zones, domains, virtual routing tables, and multiple security policies have become the more common type of device found in the industry today. In the past, network devices were separated by functional area (ACL, router, switch, etc.). The more recent trend has been for these capabilities to converge and blend creating a device that goes far beyond the straight-forward access control list. This dissertation investigates the comprehension of traffic flow through these complex devices by focusing on the following research topics: - Expands on how a security policy may be processed by decoupling the original rules from the policy, and instead allow a holistic understanding of the solution space being represented. This means taking a set of constraints on access (i.e., firewall rules), synthesizing them into a model that represents an accept and deny space that can be quickly and accurately analyzed. - Introduces a new set of data structures and algorithms collectively referred to as a Firewall Policy Diagram (FPD). A structure that is capable of modeling Internet Protocol version 4 packet (IPv4) solution space in memory efficient, mathematically set-based entities. Using the FPD we are capable of answering difficult questions such as: what access is allowed by one policy over another, what is the difference in spaces, and how to efficiently parse the data structure that represents the large search space. The search space can be as large as 288; representing the total values available to the source IP address (232), destination IP address (232), destination port (216), and protocol (28). The fields represent the available bits of an IPv4 packet as defined by the Open Systems Interconnection (OSI) model. Notably, only the header fields that are necessary for this research are taken into account and not every available IPv4 header value. - Presents a concise, precise, and descriptive language called Firewall Policy Query Language (FPQL) as a mechanism to explore the space. FPQL is a Backus Normal Form (Backus-Naur Form) (BNF) compatible notation for a query language to do just that sort of exploration. It looks to translate concise representations of what the end user needs to know about the solution space, and extract the information from the underlying data structures. - Finally, this dissertation presents a behavioral model of the capabilities found in firewall type devices and a process for taking vendor-specific nuances to a common implementation. This includes understanding interfaces, routes, rules, translation, and policies; and modeling them in a consistent manner such that the many different vendor implementations may be compared to each other

Pursuing cost-effective secure network micro-segmentation

Traditional network segmentation allows discrete trust levels to be defined for different network segments, using physical firewalls or routers that control north-south traffic flowing between different interfaces. This technique reduces the attack surface area should an attacker breach one of the perimeter defences. However, east-west traffic flowing between endpoints within the same network segment does not pass through a firewall, and an attacker may be able to move laterally between endpoints within that segment. Network micro-segmentation was designed to address the challenge of controlling east-west traffic, and various solutions have been released with differing levels of capabilities and feature sets. These approaches range from simple network switch Access Control List based segmentation to complex hypervisor based software-defined security segments defined down to the individual workload, container or process level, and enforced via policy based security controls for each segment. Several commercial solutions for network micro-segmentation exist, but these are primarily focused on physical and cloud data centres, and are often accompanied by significant capital outlay and resource requirements. Given these constraints, this research determines whether existing tools provided with operating systems can be re-purposed to implement micro-segmentation and restrict east-west traffic within one or more network segments for a small-to-medium sized corporate network. To this end, a proof-of-concept lab environment was built with a heterogeneous mix of Windows and Linux virtual servers and workstations deployed in an Active Directory domain. The use of Group Policy Objects to deploy IPsec Server and Domain Isolation for controlling traffic between endpoints is examined, in conjunction with IPsec Authenticated Header and Encapsulating Security Payload modes as an additional layer of security. The outcome of the research shows that revisiting existing tools can enable organisations to implement an additional, cost-effective secure layer of defence in their network

Self Organized Multi Agent Swarms (SOMAS) for Network Security Control

Computer network security is a very serious concern in many commercial, industrial, and military environments. This paper proposes a new computer network security approach defined by self-organized agent swarms (SOMAS) which provides a novel computer network security management framework based upon desired overall system behaviors. The SOMAS structure evolves based upon the partially observable Markov decision process (POMDP) formal model and the more complex Interactive-POMDP and Decentralized-POMDP models, which are augmented with a new F(*-POMDP) model. Example swarm specific and network based behaviors are formalized and simulated. This paper illustrates through various statistical testing techniques, the significance of this proposed SOMAS architecture, and the effectiveness of self-organization and entangled hierarchies

A Novel Method for Moving Laterally and Discovering Malicious Lateral Movements in Windows Operating Systems: A Case Study

Lateral movement is a pervasive threat because modern networked systems that provide access to multiple users are far more efficient than their non-networked counterparts. It is a well-known attack methodology with extensive research conducted investigating the prevention of lateral movement in enterprise systems. However, attackers use increasingly sophisticated methods to move laterally that bypass typical detection systems. This research comprehensively reviews the problems in lateral movement detection and outlines common defenses to protect modern systems from lateral movement attacks. A literature review outlines techniques for automatic detection of malicious lateral movement, explaining common attack methods utilized by advanced persistent threats and components built into the Windows operating system that can assist with discovering malicious lateral movement. Finally, a novel approach for moving laterally designed by other security researchers is reviewed and studied, an original process for detecting this method of lateral movement is proposed, and the application of the detection methodology is also expanded

Interactive visualization of event logs for cybersecurity

Hidden cyber threats revealed with new visualization software Eventpa

Lateral Movement in Windows Systems and Detecting the Undetected ShadowMove

Lateral Movement is a pervasive threat that exists because modern networked systems that provide access to multiple users are far more efficient than their non-networked counterparts. It is a well-known attack methodology with extensive research completed into preventing lateral movement in enterprise systems. However, attackers are using more sophisticated methods to move laterally that bypass typical detection systems. This research comprehensively reviews the problems in lateral movement detection and outlines common defenses to protect modern systems from lateral movement attacks. A literature review is conducted, outlining new techniques for automatic detection of malicious lateral movement, explaining common attack methods utilized by Advanced Persistent Threats, and components built into the Windows operating system that can assist with discovering malicious lateral movement. Finally, a novel method for moving laterally is introduced and studied, and an original method for detecting this method of lateral movement is proposed

A Semantic Wiki-based Platform for IT Service Management

The book researches the use of a semantic wiki in the area of IT Service Management within the IT department of an SME. An emphasis of the book lies in the design and prototypical implementation of tools for the integration of ITSM-relevant information into the semantic wiki, as well as tools for interactions between the wiki and external programs. The result of the book is a platform for agile, semantic wiki-based ITSM for IT administration teams of SMEs

A General Methodology to Optimize and Benchmark Edge Devices

The explosion of Internet Of Things (IoT), embedded and “smart” devices has also seen the addition of “general purpose” single board computers also referred to as “edge devices.” Determining if one of these generic devices meets the need of a new given task however can be challenging. Software generically written to be portable or plug and play may be too bloated to work properly without significant modification due to much tighter hardware resources. Previous work in this area has been focused on micro or chip-level benchmarking which is mainly useful for chip designers or low level system integrators. A higher or macro level method is needed to not only observe the behavior of these devices under a load but ensure they are appropriately configured for the new task, especially as they begin being integrated on platforms with higher cost of failure like self driving cars or drones. In this research we propose a macro level methodology that iteratively benchmarks and optimizes specific workloads on edge devices. With automation provided by Ansible, a multi stage 2k full factorial experiment and robust analysis process ensures the test workload is maximizing the use of available resources before establishing a final benchmark score. By framing the validation tests with a family of network security monitoring applications an end to end scenario fully exercises and validates the developed process. This also provides an additional vector for future research in the realm of network security. The analysis of the results show the developed process met its original design goals and intentions, with the added fact that the latest edge devices like the XAVIER, TX2 and RPi4 can easily perform as an edge network sensor