Understanding indicators of compromise against cyber-attacks in industrial control systems: a security perspective

Numerous sophisticated and nation-state attacks on Industrial Control Systems (ICSs) have increased in recent years, exemplified by Stuxnet and Ukrainian Power Grid. Measures to be taken post-incident are crucial to reduce damage, restore control, and identify attack actors involved. By monitoring Indicators of Compromise (IOCs), the incident responder can detect malicious activity triggers and respond quickly to a similar intrusion at an earlier stage. However, in order to implement IOCs in critical infrastructures, we need to understand their contexts and requirements. Unfortunately, there is no survey paper in the literature on IOC in the ICS environment and only limited information is provided in research articles. In this paper, we describe different standards for IOC representation and discuss the associated challenges that restrict security investigators from developing IOCs in the industrial sectors. We also discuss the potential IOCs against cyber-attacks in ICS systems. Furthermore, we conduct a critical analysis of existing works and available tools in this space. We evaluate the effectiveness of identified IOCs’ by mapping these indicators to the most frequently targeted attacks in the ICS environment. Finally we highlight the lessons to be learnt from the literature and the future problems in the domain along with the approaches that might be taken

PROACTIVE BIOMETRIC-ENABLED FORENSIC IMPRINTING SYSTEM

Insider threats are a significant security issue. The last decade has witnessed countless instances of data loss and exposure in which leaked data have become publicly available and easily accessible. Losing or disclosing sensitive data or confidential information may cause substantial financial and reputational damage to a company. Therefore, preventing or responding to such incidents has become a challenging task. Whilst more recent research has focused explicitly on the problem of insider misuse, it has tended to concentrate on the information itself—either through its protection or approaches to detecting leakage. Although digital forensics has become a de facto standard in the investigation of criminal activities, a fundamental problem is not being able to associate a specific person with particular electronic evidence, especially when stolen credentials and the Trojan defence are two commonly cited arguments. Thus, it is apparent that there is an urgent requirement to develop a more innovative and robust technique that can more inextricably link the use of information (e.g., images and documents) to the users who access and use them. Therefore, this research project investigates the role that transparent and multimodal biometrics could play in providing this link by leveraging individuals’ biometric information for the attribution of insider misuse identification. This thesis examines the existing literature in the domain of data loss prevention, detection, and proactive digital forensics, which includes traceability techniques. The aim is to develop the current state of the art, having identified a gap in the literature, which this research has attempted to investigate and provide a possible solution. Although most of the existing methods and tools used by investigators to conduct examinations of digital crime help significantly in collecting, analysing and presenting digital evidence, essential to this process is that investigators establish a link between the notable/stolen digital object and the identity of the individual who used it; as opposed to merely using an electronic record or a log that indicates that the user interacted with the object in question (evidence). Therefore, the proposed approach in this study seeks to provide a novel technique that enables capturing individual’s biometric identifiers/signals (e.g. face or keystroke dynamics) and embedding them into the digital objects users are interacting with. This is achieved by developing two modes—a centralised or decentralised manner. The centralised approach stores the mapped information alongside digital object identifiers in a centralised storage repository; the decentralised approach seeks to overcome the need for centralised storage by embedding all the necessary information within the digital object itself. Moreover, no explicit biometric information is stored, as only the correlation that points to those locations within the imprinted object is preserved. Comprehensive experiments conducted to assess the proposed approach show that it is highly possible to establish this correlation even when the original version of the examined object has undergone significant modification. In many scenarios, such as changing or removing part of an image or document, including words and sentences, it was possible to extract and reconstruct the correlated biometric information from a modified object with a high success rate. A reconstruction of the feature vector from unmodified images was possible using the generated imprints with 100% accuracy. This was achieved easily by reversing the imprinting processes. Under a modification attack, in which the imprinted object is manipulated, at least one imprinted feature vector was successfully retrieved from an average of 97 out of 100 images, even when the modification percentage was as high as 80%. For the decentralised approach, the initial experimental results showed that it was possible to retrieve the embedded biometric signals successfully, even when the file (i.e., image) had had 75% of its original status modified. The research has proposed and validated a number of approaches to the embedding of biometric data within digital objects to enable successful user attribution of information leakage attacks.Embassy of Saudi Arabia in Londo

Anomaly diagnosis in industrial control systems for digital forensics

Over several decades, Industrial Control Systems (ICS) have become more interconnected and highly programmable. An increasing number of sophisticated cyber-attacks have targeted ICS with a view to cause tangible damage. Despite the stringent functional safety requirements mandated within ICS environments, critical national infrastructure (CNI) sectors and ICS vendors have been slow to address the growing cyber threat. In contrast with the design of information technology (IT) systems, security of controls systems have not typically been an intrinsic design principle for ICS components, such as Programmable Logic Controllers (PLCs). These factors have motivated substantial research addressing anomaly detection in the context of ICS. However, detecting incidents alone does not assist with the response and recovery activities that are necessary for ICS operators to resume normal service. Understanding the provenance of anomalies has the potential to enable the proactive implementation of security controls, and reduce the risk of future attacks. Digital forensics provides solutions by dissecting and reconstructing evidence from an incident. However, this has typically been positioned from a post-incident perspective, which inhibits rapid triaging, and effective response and recovery, an essential requirement in critical ICS. This thesis focuses on anomaly diagnosis, which involves the analysis of and discrimination between different types of anomalous event, positioned at the intersection between anomaly detection and digital forensics. An anomaly diagnosis framework is proposed that includes mechanisms to aid ICS operators in the context of anomaly triaging and incident response. PLCs have a fundamental focus within this thesis due to their critical role and ubiquitous application in ICS. An examination of generalisable PLC data artefacts produced a taxonomy of artefact data types that focus on the device data generated and stored in PLC memory. Using the artefacts defined in this first stage, an anomaly contextualisation model is presented that differentiates between cyber-attack and system fault anomalies. Subsequently, an attack fingerprinting approach (PLCPrint) generates near real-time compositions of memory fingerprints within 200ms, by correlating the static and dynamic behaviour of PLC registers. This establishes attack type and technique provenance, and maintains the chain-of-evidence for digital forensic investigations. To evaluate the efficacy of the framework, a physical ICS testbed modelled on a water treatment system is implemented. Multiple PLC models are evaluated to demonstrate vendor neutrality of the framework. Furthermore, several generalised attack scenarios are conducted based on techniques identified from real PLC malware. The results indicate that PLC device artefacts are particularly powerful at detecting and contextualising an anomaly. In general, we achieve high F1 scores of at least 0.98 and 0.97 for anomaly detection and contextualisation, respectively, which are highly competitive with existing state-of-the-art literature. The performance of PLCPrint emphasises how PLC memory snapshots can precisely and rapidly provide provenance by classifying cyber-attacks with an accuracy of 0.97 in less than 400ms. The proposed framework offers a much needed novel approach through which ICS components can be rapidly triaged for effective response