620 research outputs found

    Cyber-security of Cyber-Physical Systems (CPS)

    Get PDF
    This master's thesis reports on security of a Cyber-Physical System (CPS) in the department of industrial engineering at UiT campus Narvik. The CPS targets connecting distinctive robots in the laboratory in the department of industrial engineering. The ultimate objective of the department is to propose such a system for the industry. The thesis focuses on the network architecture of the CPS and the availability principle of security. This report states three research questions that are aimed to be answered. The questions are: what a secure CPS architecture for the purpose of the existing system is, how far the current state of system is from the defined secure architecture, and how to reach the proposed architecture. Among the three question, the first questions has absorbed the most attention of this project. The reason is that a secure and robust architecture would provide a touchstone that makes answering the second and third questions easier. In order to answer the questions, Cisco SAFE for IoT threat defense for manufacturing approach is chosen. The architectural approach of Cisco SAFE for IoT, with similarities to the Cisco SAFE for secure campus networks, provides a secure network architecture based on business flows/use cases and defining related security capabilities. This approach supplies examples of scenarios, business flows, and security capabilities that encouraged selecting it. It should be noted that Cisco suggests its proprietary technologies for security capabilities. According to the need of the project owners and the fact that allocating funds are not favorable for them, all the suggested security capabilities are intended to be open-source, replacing the costly Cisco-proprietary suggestions. Utilizing the approach and the computer networking fundamentals resulted in the proposed secure network architecture. The proposed architecture is used as a touchstone to evaluate the existing state of the CPS in the department of industrial engineering. Following that, the required security measures are presented to approach the system to the proposed architecture. Attempting to apply the method of Cisco SAFE, the identities using the system and their specific activities are presented as the business flow. Based on the defined business flow, the required security capabilities are selected. Finally, utilizing the provided examples of Cisco SAFE documentations, a complete network architecture is generated. The architecture consists of five zones that include the main components, security capabilities, and networking devices (such as switches and access points). Investigating the current state of the CPS and evaluating it by the proposed architecture and the computer networking fundamentals, helped identifying six important shortcomings. Developing on the noted shortcomings, and identification of open-source alternatives for the Cisco-proprietary technologies, nine security measures are proposed. The goal is to perform all the security measures. Thus, the implementations and solutions for each security measure is noted at the end of the presented results. The security measures that require purchasing a device were not considered in this project. The reasons for this decision are the time-consuming process of selecting an option among different alternatives, and the prior need for grasping the features of the network with the proposed security capabilities; features such as amount and type of traffic inside the network, and possible incidents detected using an Intrusion Detection Prevention System. The attempts to construct a secure cyber-physical system is an everlasting procedure. New threats, best practices, guidelines, and standards are introduced on a daily basis. Moreover, business needs could vary from time to time. Therefore, the selected security life-cycle is required and encouraged to be used in order to supply a robust lasting cyber-physical system

    Demilitarized Zone: An Exceptional Layer of Network Security to Mitigate DDoS Attack

    Get PDF
    In today’s era of digitalization, everything is accessible remotely through smaller devices than ever. This brings a lot of concerns, security being at the top of the list for the organizations providing services to the public. The organization has to provide updated services every single time and at the same point, has to make sure that an intruder cannot get through the core of the organization which is the inside private network or LAN. If an organization provides mail and web services to their customers on daily basis, putting their servers within the local area network opens up the vulnerability to be directly accessible by an outsider from the untrusted network like the internet which will then just be the matter of skills and powerful machines to manipulate the whole system. Thus, the organization has to make some changes to their networks like creating the Demilitarized Zone or DMZ. DMZ provides an extra layer between the inside and outside network making it difficult to get access to the trusted network. The concept is, all the public-facing servers which provide distinguished services to the customers should be kept outside of LAN and within the DMZ. So, every time when the remote user requests for the service through the internet, it will be rerouted directly to the DMZ rather than LAN. The approach presented is to check whether the network with DMZ can sustain the DDoS attack generated using the python script better than the network without DMZ or not. The network is emulated using GNS3 to keep the host system isolated from the attacking vectors. Kali Linux virtual machine is used to resemble the attacker. Results are analyzed using Wireshark

    Demilitarized network to secure the data stored in industrial networks

    Get PDF
    Currently, the data and variables of a control system are the most important elements to be safeguarded in an industrial network, so it is vitally important to ensure their safety. This paper presents the design and simulation of a demilitarized network (DMZ) using firewalls to control access to all the information that is stored in the servers of the industrial network of the Hermanos DĂ­az Refinery in Santiago de Cuba, Cuba. In addition, the characteristics, configurations, methods, and rules of DMZs and firewalls are shown, select the configuration with three multi-legged firewalls as the most appropriate for our application, since it allows efficient exchange of data guaranteeing security and avoiding the violation of the control system. Finally, the simulation of the proposed network is carried out

    Implementation of IS Security Standards on Pharmaceutical Manufacturing

    Get PDF
    This thesis addresses the issue of Information Systems (IS) security in pharmaceutical manufacturing which is closely related to the ISA 99 standard. The ISA 99 'Security for industrial Automation and Control Systems' standard is focused on the work for securing process automation systems from IS security threats. The main thought behind the ISA 99 standard is that a high level of IS security in computerized manufacturing environments cannot be achieved through just one project but needs long-term dedication. Therefore the ISA 99 standard suggests the implementation of an IS security program as the best way to reduce IS security risks to process automation systems and to sustain risk reduction over time. The overall objective of the study was to suggest an IS security program suitable for the pharmaceutical manufacturing at the AstraZeneca manufacturing and supply site in SödertÀlje, Sweden. The suggested IS security program can briefly be described as a long-term strategy for how to perform IS security activities in the manufacturing at the SödertÀlje site. The security program defines both technical and organizational requirements and recommendations. According to the ISA 99 standard, working with IS security in the process automation systems environment require both technical, cultural and organizational perspectives. The suggested security program therefore recommends the forming of a special group for working with IS security in the manufacturing within Sweden Operations. This group includes employees from different departments such as IS security, IS/IT, process automation systems managers, engineering, operators and managers in production areas as well as quality assurance personnel. The purpose with the group is to make the IS security work more effective through reducing bureaucracy, increasing communication and sharing of knowledge and business perspectives. The security program also presents IS security policies for the production at the SödertÀlje site. A security policy is a written document or directive that defines how the organization defines and operates IS security in the process automation systems environment. The security policy ensures both management support and understanding of roles and responsibilities for IS security in the process automation systems environment

    Secure Data Transfer Guidance for Industrial Control and SCADA Systems

    Full text link

    Cybersecurity of Industrial Cyber-Physical Systems: A Review

    Get PDF
    Industrial cyber-physical systems (ICPSs) manage critical infrastructures by controlling the processes based on the "physics" data gathered by edge sensor networks. Recent innovations in ubiquitous computing and communication technologies have prompted the rapid integration of highly interconnected systems to ICPSs. Hence, the "security by obscurity" principle provided by air-gapping is no longer followed. As the interconnectivity in ICPSs increases, so does the attack surface. Industrial vulnerability assessment reports have shown that a variety of new vulnerabilities have occurred due to this transition while the most common ones are related to weak boundary protection. Although there are existing surveys in this context, very little is mentioned regarding these reports. This paper bridges this gap by defining and reviewing ICPSs from a cybersecurity perspective. In particular, multi-dimensional adaptive attack taxonomy is presented and utilized for evaluating real-life ICPS cyber incidents. We also identify the general shortcomings and highlight the points that cause a gap in existing literature while defining future research directions.Comment: 32 pages, 10 figure

    Machine Learning based Anomaly Detection for Cybersecurity Monitoring of Critical Infrastructures

    Get PDF
    openManaging critical infrastructures requires to increasingly rely on Information and Communi- cation Technologies. The last past years showed an incredible increase in the sophistication of attacks. For this reason, it is necessary to develop new algorithms for monitoring these infrastructures. In this scenario, Machine Learning can represent a very useful ally. After a brief introduction on the issue of cybersecurity in Industrial Control Systems and an overview of the state of the art regarding Machine Learning based cybersecurity monitoring, the present work proposes three approaches that target different layers of the control network architecture. The first one focuses on covert channels based on the DNS protocol, which can be used to establish a command and control channel, allowing attackers to send malicious commands. The second one focuses on the field layer of electrical power systems, proposing a physics-based anomaly detection algorithm for Distributed Energy Resources. The third one proposed a first attempt to integrate physical and cyber security systems, in order to face complex threats. All these three approaches are supported by promising results, which gives hope to practical applications in the next future.openXXXIV CICLO - SCIENZE E TECNOLOGIE PER L'INGEGNERIA ELETTRONICA E DELLE TELECOMUNICAZIONI - Elettromagnetismo, elettronica, telecomunicazioniGaggero, GIOVANNI BATTIST

    Control Systems Cyber Security:Defense in Depth Strategies

    Full text link

    The 38th Parallel: Penetrating the Line

    Get PDF
    In July 1953, the armistice ended the Korean War that lasted for three years and established the Demilitarized Zone on either side of the demarcation line as a buffer between the two countries to prevent further military confrontation. However, the two sides remain at odds for half a century, and, despite the armistice, a state of war still exists between the two Koreas. As Koreans have dreamed of a united nation, the division has been described as a ‘temporary’ term to Koreans, yet the process of it has been much more obscure. Half a century has passed by, and South Korea has become a nation in which all facets of economic, political, and cultural identity are delineated in opposition to North Korea. What the future was supposed to present to Koreans has shifted relentlessly creating a disparity between the individual and national dreams. With repetitive see-saw events of national tension and reconciliation, individuals find themselves in an ambivalent position between series of oppositions: people and state, real and unreal, unification and national division. Multiple narratives crossover, creating confusion of whether the ultimate dream of Korea is even appropriate. The thesis examines the two opposing conditions: the idealized dream of homogeneity, and the factual reality of heterogeneity. Four series of investigations are presented in this thesis: the condition, the cause, the response, and the location of the individual. First, the disparity between the two Koreas illustrates the external conditions of the situation. Then an investigation of the Korean identity is presented to analyze the cause of the condition. The indigenous identity of Korea and the desire to preserve it are presented as the creative forces behind the dichotomy of Korea. The ambivalence of the individual is understood as a response such conditions. The concept of ‘Han’ is employed as a possible vehicle of understanding Korean cultural despondency. Finally the design exploration of a very significant archaeological site in the Demilitarized Zone is undertaken in order to mediate the disparity between the Korean dream and reality for the individual. The design is intended to locate the individual within the Korean pathology. Playing on the previously studied Korean conditions, the design is an amplified display of the opposing conditions which will enable the individual to face the ambivalence of today’s Korea. The thesis does not suggest the solution or envision the end but aims to meditate and negotiate the present moment. It is not my intention to force either fantasy or reality as an absolute answer, but to create an understanding of both conditions in hopes that Koreans can start to break their ambivalence regarding their national reunification

    A Framework for Cyber Vulnerability Assessments of InfiniBand Networks

    Get PDF
    InfiniBand is a popular Input/Output interconnect technology used in High Performance Computing clusters. It is employed in over a quarter of the world’s 500 fastest computer systems. Although it was created to provide extremely low network latency with a high Quality of Service, the cybersecurity aspects of InfiniBand have yet to be thoroughly investigated. The InfiniBand Architecture was designed as a data center technology, logically separated from the Internet, so defensive mechanisms such as packet encryption were not implemented. Cyber communities do not appear to have taken an interest in InfiniBand, but that is likely to change as attackers branch out from traditional computing devices. This thesis considers the security implications of InfiniBand features and constructs a framework for conducting Cyber Vulnerability Assessments. Several attack primitives are tested and analyzed. Finally, new cyber tools and security devices for InfiniBand are proposed, and changes to existing products are recommended
    • 

    corecore