Applying Lessons from Cyber Attacks on Ukrainian Infrastructures to Secure Gateways onto the Industrial Internet of Things

Previous generations of safety-related industrial control systems were ‘air gapped’. In other words, process control components including Programmable Logic Controllers (PLCs) and smart sensor/actuators were disconnected and isolated from local or wide area networks. This provided a degree of protection; attackers needed physical access to compromise control systems components. Over time this ‘air gap’ has gradually been eroded. Switches and gateways have subsequently interfaced industrial protocols, including Profibus and Modbus, so that data can be drawn from safety-related Operational Technology into enterprise information systems using TCP/IP. Senior management uses these links to monitor production processes and inform strategic planning. The Industrial Internet of Things represents another step in this evolution – enabling the coordination of physically distributed resources from a centralized location. The growing range and sophistication of these interconnections create additional security concerns for the operation and management of safety-critical systems. This paper uses lessons learned from recent attacks on Ukrainian critical infrastructures to guide a forensic analysis of an IIoT switch. The intention is to identify and mitigate vulnerabilities that would enable similar attacks to be replicated across Europe and North America

SCADA Security - Slowly Circling a Disaster Area

SCADA (Supervisory Control And Data Acquisition) networks control much of the industrialised nations production and supply complexes. Various government reports and investigations have highlighted the vulnerability of these systems. Many of these systems are on private networks which are increasingly being connected to systems that are accessible from other networks such as the Internet. SCADA systems have unique security and operational requirements. However, many of the most basic security measures are missing in these networks. This examines some of these issues and proposes some technologies that could help secure these networks from attack

Securing industrial control system environments: the missing piece

Cyberattacks on industrial control systems (ICSs) are no longer matters of anticipation. These systems are continually subject to malicious attacks without much resistance. Network breaches, data theft, denial of service, and command and control functions are examples of common attacks on ICSs. Despite available security solutions, safety, security, resilience, and performance require both private public sectors to step-up strategies to address increasing security concerns on ICSs. This paper reviews the ICS security risk landscape, including current security solution strategies in order to determine the gaps and limitations for effective mitigation. Notable issues point to a greater emphasis on technology security while discounting people and processes attributes. This is clearly incongruent with; emerging security risk trends, the biased security strategy of focusing more on supervisory control and data acquisition systems, and the emergence of more sector-specific solutions as against generic security solutions. Better solutions need to include approaches that follow similar patterns as the problem trend. These include security measures that are evolutionary by design in response to security risk dynamics. Solutions that recognize and include; people, process and technology security enhancement into asingle system, and addressing all three-entity vulnerabilities can provide a better solution for ICS environments

Integrating Open Source Protections into SCADA Networks

SCADA (Supervisory Control And Data Acquisition) networks control much of the industrialised nations production and supply complexes. Various government reports and investigations have highlighted the vulnerability of these systems. Many of these systems are on private networks which are increasingly being connected to systems that are accessible from other networks such as the Internet. There are a range of open source tools that now offer fonctionality that can be used to secure SCADA networks from intrusion or compromise. This paper explores some of the issues with current SCADA deployment trends from a network security perspective and then examines open source countermeasures that could be used to help mitigate some of these risks

Detection techniques in operational technology infrastructure

In previous decades, cyber-attacks have not been considered a threat to critical infrastructure. However, as the Information Technology (IT) and Operational Technology (OT) domains converge, the vulnerability of OT infrastructure is being exploited. Nation-states, cyber criminals and hacktivists are moving to benefit from economic and political gains. The OT network, i.e. Industrial Control System (ICS) is referred to within OT infrastructure as Supervisory Control and Data Acquisition (SCADA). SCADA systems were introduced primarily to optimise the data transfer within OT network infrastructure. The introduction of SCADA can be traced back to the 1960’s, a time where cyber-attacks were not considered. Hence SCADA networks and associated systems are highly vulnerable to cyber-attacks which can ultimately result in catastrophic events. Historically, when deployed, intrusion detection systems in converged IT/OT networks are deployed and monitor the IT side of the network. While academic research into OT specific intrusion detection is not a new direction, application to real systems are few and lack the contextual information required to make intrusion detection systems actionable. This paper provides an overview of cyber security in OT SCADA networks. Through evaluating the historical development of OT systems and protocols, a range of current issues caused by the IT/OT convergence is presented. A number of publicly disclosed SCADA vulnerabilities are outlined, in addition to approaches for detecting attacks in OT networks. The paper concludes with a discussion of what the future of interconnected OT systems should entail, and the potential risks of continuing with an insecure design philosophy

Cyber Security and Critical Infrastructures 2nd Volume

The second volume of the book contains the manuscripts that were accepted for publication in the MDPI Special Topic "Cyber Security and Critical Infrastructure" after a rigorous peer-review process. Authors from academia, government and industry contributed their innovative solutions, consistent with the interdisciplinary nature of cybersecurity. The book contains 16 articles, including an editorial that explains the current challenges, innovative solutions and real-world experiences that include critical infrastructure and 15 original papers that present state-of-the-art innovative solutions to attacks on critical systems

Preliminaries of orthogonal layered defence using functional and assurance controls in industrial control systems

Industrial Control Systems (ICSs) are responsible for the automation of different processes and the overall control of systems that include highly sensitive potential targets such as nuclear facilities, energy-distribution, water-supply, and mass-transit systems. Given the increased complexity and rapid evolvement of their threat landscape, and the fact that these systems form part of the Critical National infrastructure (CNI), makes them an emerging domain of conflict, terrorist attacks, and a playground for cyberexploitation. Existing layered-defence approaches are increasingly criticised for their inability to adequately protect against resourceful and persistent adversaries. It is therefore essential that emerging techniques, such as orthogonality, be combined with existing security strategies to leverage defence advantages against adaptive and often asymmetrical attack vectors. The concept of orthogonality is relatively new and unexplored in an ICS environment and consists of having assurance control as well as functional control at each layer. Our work seeks to partially articulate a framework where multiple functional and assurance controls are introduced at each layer of ICS architectural design to further enhance security while maintaining critical real-time transfer of command and control traffic

Securing Industrial Control Systems: Components, Cyber Threats, and Machine Learning-Driven Defense Strategies

Article describes how Industrial Control Systems (ICS), which include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC), play a crucial role in managing and regulating industrial processes. This article presents an overview of ICS security, covering its components, protocols, industrial applications, and performance aspects

Improving the National Cyber-security by Finding Vulnerable Industrial Control Systems from the Internet

Teollisuusautomaatiojärjestelmiä, joita käytetään muun muassa voimantuotannon, sähkönjakelun ja jätevedenpuhdistuksen järjestelmissä, voidaan löytää julkisesta Internetistä. Tarve etähallinnalle ja keskittämiselle, sekä tuotteiden huono suunnittelu ja virheet järjestelmien käyttöönotossa, ovat altistaneet automaatiojärjestelmiä kenen tahansa ulottuville. Yhteiskunnalle tärkeiden kriittisen infrastruktuuriin kuuluvien järjestelmien turvalliseksi saattaminen on tärkeää kansalliselle kyberturvallisuudelle: ongelmat kriittisessä infrastruktuurissa voivat aiheuttaa voimakkaita häiriöitä eri puolilla yhteiskuntaa. Viime vuosina on havaittu kasvava määrä kyberhyökkäyksiä. Sekä rikolliset, että valtiolliset toimijat kehittävät kyberaseita ja myös teollisuusautomaatiojärjestelmiin on kohdistettu hyökkäyksiä. Vuonna 2010 Stuxnet haittaohjelma onnistui tunkeutumaan iranilaisen ydinpolttoaineenrikastamon järjestelmiin ja aiheuttamaan mittavaa fyysistä tuhoa. Tässä työssä esitellään konsepti, jonka avulla voidaan automaattisesti löytää haavoittuvia teollisuusautomaatiojärjestelmiä, ja raportoida löydökset viranomaisille jatkotoimenpiteitä varten. Työssä esitellään myös prototyyppi, jolla testattiin konseptin toimivuutta oikeilla suomalaisilla järjestelmillä Internetin yli: sormenjälkitietokannan ja porttiskannauksen avulla 2913 IP-osoitteesta löydettiin 91 mahdollista teollisuusautomaatiolaitetta. Epäiltyjä teollisuusautomaatiojärjestelmiä pystytään löytämään Internetistä, mutta löydettyjen järjestelmien kriittisyyden ja tärkeyden arvionti ilman tunkeutumista kohteeseen on vaikeaa. Konseptia tehostaisi huomattavasti automaattinen tietoturva-auditointi, jolla tärkeimmät ja haavoittuvaisimmat kohteet voitaisiin paikallistaa ja poistaa näkyviltä nopeasti. Auditointi ilman järjestelmien omistajien lupaa vaatisi kuitenkin muutoksia lainsäädäntöön.Industrial control systems (ICS), which are used to control critical elements of the society's maintenance such as power generation and electricity distribution, are exposed to the Internet as a result of insecure design, and installation faults. Securing critical industrial systems is important for national cyber-security; malfunctioning elements in the critical infrastructure can quickly cascade into wide range of problems in the society. In the recent years increasing amount of cyber-attacks have been observed, and nations and criminals are developing offensive cyber-capabilities; industrial systems are also targeted as was seen with the Stuxnet-malware in 2010 causing havoc in an Iranian uranium enrichment facility. In this thesis a concept is presented to automatically find and evaluate exposed ICSs and report vulnerable devices to authorities for remediation. A prototype of the concept is built to prove the viability of the concept and to get data from port scanning real ICS devices in the Internet. With the prototype, 91 ICS devices were found out of the assigned 2913 IP addresses. Traffic volume produced by the scanner was insignificant compared to overall Finnish Internet traffic. The concept, called KATSE, is viable but not without challenges: ICS devices can definitely be identified from the Internet but analyzing the actual importance and purpose of the devices is difficult. Currently the Finnish legislation does not allow system intrusions or unauthorized security auditing even by authorities. Automated security auditing for the found devices would be useful to find the most vulnerable devices first but such auditing would require a change in legislation