Evaluating the Resiliency of Industrial Internet of Things Process Control Using Protocol Agnostic Attacks

Improving and defending our nation\u27s critical infrastructure has been a challenge for quite some time. A malfunctioning or stoppage of any one of these systems could result in hazardous conditions on its supporting populace leading to widespread damage, injury, and even death. The protection of such systems has been mandated by the Office of the President of the United States of America in Presidential Policy Directive Order 21. Current research now focuses on securing and improving the management and efficiency of Industrial Control Systems (ICS). IIoT promises a solution in enhancement of efficiency in ICS. However, the presence of IIoT can be a security concern, forcing ICS processes to rely on network based devices for process management. In this research, the attack surface of a testbed is evaluated using protocol-agnostic attacks and the SANS ICS Cyber Kill Chain. This highlights the widening of ICS attack surface due to reliance on IIoT, but also provides a solution which demonstrates one technique an ICS can use to securely rely on IIoT

POET: A Self-learning Framework for PROFINET Industrial Operations Behaviour

Since 2010, multiple cyber incidents on industrial infrastructure, such as Stuxnet and CrashOverride, have exposed the vulnerability of Industrial Control Systems (ICS) to cyber threats. The industrial systems are commissioned for longer duration amounting to decades, often resulting in non-compliance to technological advancements in industrial cybersecurity mechanisms. The unavailability of network infrastructure information makes designing the security policies or configuring the cybersecurity countermeasures such as Network Intrusion Detection Systems (NIDS) challenging. An empirical solution is to self-learn the network infrastructure information of an industrial system from its monitored network traffic to make the network transparent for downstream analyses tasks such as anomaly detection. In this work, a Python-based industrial communication paradigm-aware framework, named PROFINET Operations Enumeration and Tracking (POET), that enumerates different industrial operations executed in a deterministic order of a PROFINET-based industrial system is reported. The operation-driving industrial network protocol frames are dissected for enumeration of the operations. For the requirements of capturing the transitions between industrial operations triggered by the communication events, the Finite State Machines (FSM) are modelled to enumerate the PROFINET operations of the device, connection and system. POET extracts the network information from network traffic to instantiate appropriate FSM models (Device, Connection or System) and track the industrial operations. It successfully detects and reports the anomalies triggered by a network attack in a miniaturized PROFINET-based industrial system, executed through valid network protocol exchanges and resulting in invalid PROFINET operation transition for the device

PROFINET Real-time protection layer : performance analysis of cryptographic and protocol processing overhead

Recent times have seen an increasing demand for access to process-data from the field level through to the Internet. This vertical integration of industrial control systems into the IT infrastructure exhibits major drawbacks in the context of security. Such systems now suffer exposure to cyber security attacks well-known from the IT environment. Successful attacks on industrial control systems can lead to downtimes, malfunction of production machinery, cause financial damage and may present a hazard for human life and health. Current automation communication systems generally lack a comprehensive security concept. PROFINET is a widespread Industrial Ethernet standard, fulfilling general communication requirements on automation systems as well as explicit real-time requirements. We elaborate the challenges of protecting the realtime component of PROFINET. We specify the requirements and a concept for ensuring integrity and authenticity using a keyed-hash message authentication code (HMAC) in combination with the cryptographic hash algorithm SHA-3. With a proof of concept implementation of a PROFINET RT protection layer, the performance overhead for generation and transmission of this HMAC and other required data fields, e.g. to prevent replay attacks, could be analyzed. Based on these data the limitations of security technology on real-time systems were explored as was the optimization potential of hardware acceleration

Advancing Protocol Diversity in Network Security Monitoring

With information technology entering new fields and levels of deployment, e.g., in areas of energy, mobility, and production, network security monitoring needs to be able to cope with those environments and their evolution. However, state-of-the-art Network Security Monitors (NSMs) typically lack the necessary flexibility to handle the diversity of the packet-oriented layers below the abstraction of TCP/IP connections. In this work, we advance the software architecture of a network security monitor to facilitate the flexible integration of lower-layer protocol dissectors while maintaining required performance levels. We proceed in three steps: First, we identify the challenges for modular packet-level analysis, present a refined NSM architecture to address them and specify requirements for its implementation. Second, we evaluate the performance of data structures to be used for protocol dispatching, implement the proposed design into the popular open-source NSM Zeek and assess its impact on the monitor performance. Our experiments show that hash-based data structures for dispatching introduce a significant overhead while array-based approaches qualify for practical application. Finally, we demonstrate the benefits of the proposed architecture and implementation by migrating Zeek\u27s previously hard-coded stack of link and internet layer protocols to the new interface. Furthermore, we implement dissectors for non-IP based industrial communication protocols and leverage them to realize attack detection strategies from recent applied research. We integrate the proposed architecture into the Zeek open-source project and publish the implementation to support the scientific community as well as practitioners, promoting the transfer of research into practice

PLC Forensics Based on Control Program Logic Change Detection

Supervisory Control and Data Acquisition (SCADA) system is an industrial control automated system. It is built with multiple Programmable Logic Controllers (PLCs). PLC is a special form of microprocessor-based controller with proprietary operating system. Due to the unique architecture of PLC, traditional digital forensic tools are difficult to be applied. In this paper, we propose a program called Control Program Logic Change Detector (CPLCD), it works with a set of Detection Rules (DRs) to detect and record undesired incidents on interfering normal operations of PLC. In order to prove the feasibility of our solution, we set up two experiments for detecting two common PLC attacks. Moreover, we illustrate how CPLCD and network analyzer Wireshark could work together for performing digital forensic investigation on PLC

Securing industrial control system environments: the missing piece

Cyberattacks on industrial control systems (ICSs) are no longer matters of anticipation. These systems are continually subject to malicious attacks without much resistance. Network breaches, data theft, denial of service, and command and control functions are examples of common attacks on ICSs. Despite available security solutions, safety, security, resilience, and performance require both private public sectors to step-up strategies to address increasing security concerns on ICSs. This paper reviews the ICS security risk landscape, including current security solution strategies in order to determine the gaps and limitations for effective mitigation. Notable issues point to a greater emphasis on technology security while discounting people and processes attributes. This is clearly incongruent with; emerging security risk trends, the biased security strategy of focusing more on supervisory control and data acquisition systems, and the emergence of more sector-specific solutions as against generic security solutions. Better solutions need to include approaches that follow similar patterns as the problem trend. These include security measures that are evolutionary by design in response to security risk dynamics. Solutions that recognize and include; people, process and technology security enhancement into asingle system, and addressing all three-entity vulnerabilities can provide a better solution for ICS environments

Kommunikation und Bildverarbeitung in der Automation

In diesem Open Access-Tagungsband sind die besten Beiträge des 11. Jahreskolloquiums "Kommunikation in der Automation" (KommA 2020) und des 7. Jahreskolloquiums "Bildverarbeitung in der Automation" (BVAu 2020) enthalten. Die Kolloquien fanden am 28. und 29. Oktober 2020 statt und wurden erstmalig als digitale Webveranstaltung auf dem Innovation Campus Lemgo organisiert. Die vorgestellten neuesten Forschungsergebnisse auf den Gebieten der industriellen Kommunikationstechnik und Bildverarbeitung erweitern den aktuellen Stand der Forschung und Technik. Die in den Beiträgen enthaltenen anschauliche Anwendungsbeispiele aus dem Bereich der Automation setzen die Ergebnisse in den direkten Anwendungsbezug

A Survey on Industrial Control System Testbeds and Datasets for Security Research

The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damages. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, Academia, Industry, and Government are increasingly proposing testbed (i.e., scaled-down versions of ICSs or simulations) to test the performances of the IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs

Industrial and Critical Infrastructure Security: Technical Analysis of Real-Life Security Incidents

Critical infrastructures and industrial organizations aggressively move towards integrating elements of modern Information Technology (IT) into their monolithic Operational Technology (OT) architectures. Yet, as OT systems progressively become more and more interconnected, they silently have turned into alluring targets for diverse groups of adversaries. Meanwhile, the inherent complexity of these systems, along with their advanced-in-age nature, prevents defenders from fully applying contemporary security controls in a timely manner. Forsooth, the combination of these hindering factors has led to some of the most severe cybersecurity incidents of the past years. This work contributes a full-fledged and up-to-date survey of the most prominent threats and attacks against Industrial Control Systems and critical infrastructures, along with the communication protocols and devices adopted in these environments. Our study highlights that threats against critical infrastructure follow an upward spiral due to the mushrooming of commodity tools and techniques that can facilitate either the early or late stages of attacks. Furthermore, our survey exposes that existing vulnerabilities in the design and implementation of several of the OT-specific network protocols and devices may easily grant adversaries the ability to decisively impact physical processes. We provide a categorization of such threats and the corresponding vulnerabilities based on various criteria. The selection of the discussed incidents and identified vulnerabilities aims to provide a holistic view of the specific threats that target Industrial Control Systems and critical infrastructures. As far as we are aware, this is the first time an exhaustive and detailed survey of this kind is attempted