10,645 research outputs found

    xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs

    In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. Malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1Kbit/sec per LED

    Determining Enclosure Breach Electromagnetically

    A structure breach may be determined. A sensor, provided in the structure, may be driven with a constant frequency signal. The sensor may comprise a first conductive element and a second conductive element. The first conductive element may be substantially parallel with the second conductive element. A standing wave pattern may be induced on the sensor by the constant frequency signal reflecting off a termination point of the sensor. At least one characteristic of the sensor caused by the voltage standing wave pattern may be measured. A breach occurrence in the structure may be determined when the measured at least one characteristic varies from a previously determined value by a predetermined amount. The first conductive element and the second conductive element may be sandwiched between two layers comprising the structure. The structure may comprise a shipping container floor. The detected breach may comprise an opening greater than nine square inches. Georgia Tech Research Corporatio

    Time is of the Essence: Machine Learning-based Intrusion Detection in Industrial Time Series Data

    The Industrial Internet of Things drastically increases connectivity of devices in industrial applications. In addition to the benefits in efficiency, scalability and ease of use, this creates novel attack surfaces. Historically, industrial networks and protocols do not contain means of security, such as authentication and encryption, that are made necessary by this development. Thus, industrial IT-security is needed. In this work, emulated industrial network data is transformed into a time series and analysed with three different algorithms. The data contains labeled attacks, so the performance can be evaluated. Matrix Profiles perform well with almost no parameterisation needed. Seasonal Autoregressive Integrated Moving Average performs well in the presence of noise, requiring parameterisation effort. Long Short Term Memory-based neural networks perform mediocrely while requiring a high training and parameterisation effort. Comment: Extended version of a publication in the 2018 IEEE International Conference on Data Mining Workshops (ICDMW

    Impact Assessment of Hypothesized Cyberattacks on Interconnected Bulk Power Systems

    The first-ever Ukraine cyberattack on the power grid has proven its devastation by hacking into their critical cyber assets. With administrative privileges accessing substation networks/local control centers, one intelligent way of coordinated cyberattacks is to execute a series of disruptive switching executions on multiple substations using compromised supervisory control and data acquisition (SCADA) systems. These actions can cause significant impacts to an interconnected power grid. Unlike the previous power blackouts, such high-impact initiating events can aggravate operating conditions, initiating instability that may lead to system-wide cascading failure. A systemic evaluation of "nightmare" scenarios is highly desirable for asset owners to manage and prioritize the maintenance and investment in protecting their cyberinfrastructure. This survey paper is a conceptual expansion of the real-time monitoring, anomaly detection, impact analyses, and mitigation (RAIM) framework that emphasizes the resulting impacts, both on steady-state and dynamic aspects of power system stability. Hypothetically, we associate the combinatorial analyses of steady state on substations/components outages and dynamics of the sequential switching orders as part of the permutation. The expanded framework includes (1) critical/noncritical combination verification, (2) cascade confirmation, and (3) combination re-evaluation. This paper ends with a discussion of the open issues for metrics and future design pertaining to the impact quantification of cyber-related contingencies

    Self-Addressable Memory-Based FSM: A Scalable Intrusion Detection Engine

    One way to detect and thwart a network attack is to compare each incoming packet with predefined patterns, also called an attack pattern database, and raise an alert upon detecting a match. This article presents a novel pattern-matching engine that exploits a memory-based, programmable state machine to achieve deterministic processing rates that are independent of packet and pattern characteristics. Our engine is a self-addressable memory-based finite state machine (SAM-FSM), whose current state coding exhibits all its possible next states. Moreover, it is fully reconfigurable in that new attack patterns can be updated easily. A methodology was developed to program the memory and logic. Specifically, we merge non-equivalent states by introducing super characters on their inputs to further enhance memory efficiency without adding labels. SAM-FSM is one of the most storage-efficient machines and reduces the memory requirement by 60 times. Experimental results are presented to demonstrate the validity of SAM-FSM

    Intensity based interrogation of optical fibre sensors for industrial automation and intrusion detection systems

    In this study, the use of optical fibre sensors for intrusion detection and industrial automation systems has been demonstrated, with a particular focus on low cost, intensity-based, interrogation techniques. The use of optical fibre sensors for intrusion detection systems to secure residential, commercial, and industrial premises against potential security breaches has been extensively reviewed in this thesis. Fibre Bragg grating (FBG) sensing is one form of optical fibre sensing that has been underutilised in applications such as in-ground, in-fence, and window and door monitoring, and addressing that opportunity has been a major goal of this thesis. Both security and industrial sensor systems must include some centralised intelligence (electronic controller) and ideally both automation and security sensor systems would be controlled and monitored by the same centralised system. Optical fibre sensor systems that could be used for either application have been designed, developed, and tested in this study, and optoelectronic interfaces for integrating these sensors with electronic controllers have been demonstrated. The versatility of FBG sensors means that they are also ideal for certain mainstream industrial applications. Two novel transducers have been developed in this work: a highly sensitive low pressure FBG diaphragm transducer and an FBG load cell transducer. Both have been designed so that interrogation of the optical signal can occur within the housing of the individual sensors themselves. This is achieved in a simple and low cost manner that enables the output of the transducers to be easily connected to standard electronic controllers, such as programmable logic controllers. Furthermore, some of the nonlinear characteristics of FBG sensors have been explored with the aim of developing transducers that are inherently decoupled from strain and temperature interference.
One of the major advantages of optical fibre sensors is their ability to be both time division and wavelength division multiplexed. The intensity-based interrogation techniques used here complement this attribute and are a major consideration when developing the transducers and optoelectronic circuits. A time division multiplexing technique, using transmit-reflect detection and incorporating a dual bus, has also been developed. This system architecture enables all the different optical fibre transducers on the network to have the same Bragg wavelength and hence the number of spare replacement transducers required is minimal. Moreover, sensors can be replaced in an online control system without disrupting the network. In addition, by analysing both the transmitted and reflected signals, problems associated with optical power fluctuations are eliminated and the intensity of the sensor signals is increased through differential amplification. Overall, the research addresses the limitations of conventional electrical sensors, such as susceptibility to corrosive damage in wet and corrosive environments, and risk of causing an explosion in hazardous environments, as well as the limitations of current stand-alone optical fibre sensor systems. This thesis supports more alert, reliable, affordable, and coordinated, control and monitoring systems in an on-line environment

    An analysis of security issues in building automation systems

    The purpose of Building Automation Systems (BAS) is to centralise the management of a wide range of building services, through the use of integrated protocol and communication media. Through the use of IP-based communication and encapsulated protocols, BAS are increasingly being connected to corporate networks and also being remotely accessed for management purposes, both for convenience and emergency purposes. These protocols, however, were not designed with security as a primary requirement, thus the majority of systems operate with sub-standard or non-existent security implementations, relying on security through obscurity. Research has been undertaken into addressing the shortfalls of security implementations in BAS, however defining the threats against BAS, and detection of these threats is an area that is particularly lacking. This paper presents an overview of the current security measures in BAS, outlining key issues, and methods that can be improved to protect cyber physical systems against the increasing threat of cyber terrorism and hacktivism. Future research aims to further evaluate and improve the detection systems used in BAS through first defining the threats and then applying and evaluating machine learning algorithms for traffic classification and IDS profiling capable of operating on resource constrained BAS