87 research outputs found

    A prototype security hardened field device for SCADA systems.

    This thesis describes the development of a prototype security hardened field device (such as a remote terminal unit) based on commodity hardware and implementing a previously developed security architecture. This security architecture has not been implemented in the past due to the difficulty of providing an operating system which meets the architecture's isolation requirements. Recent developments in both hardware and software have made such an operating system possible, opening the door to the implementation and development of this new security architecture in physical devices attached to supervisory control and data acquisition (SCADA) systems. A prototype is developed using commodity hardware selected for similarity to existing industrial systems and making use of the new OKL4 operating system. Results of prototype development are promising, showing performance values which are adequate for a broad range of industrial applications

    Dynamic Honeypot Configuration for Programmable Logic Controller Emulation

    Attacks on industrial control systems and critical infrastructure are on the rise. Important systems and devices like programmable logic controllers are at risk due to outdated technology and ad hoc security measures. To mitigate the threat, honeypots are deployed to gather data on malicious intrusions and exploitation techniques. While virtual honeypots mitigate the unreasonable cost of hardware-replicated honeypots, these systems often suffer from a lack of authenticity due to proprietary hardware and network protocols. In addition, virtual honeynets utilizing a proxy to a live device suffer from performance bottlenecks and limited scalability. This research develops an enhanced, application layer emulator capable of alleviating honeynet scalability and honeypot inauthenticity limitations. The proposed emulator combines protocol-agnostic replay with dynamic updating via a proxy. The result is a software tool which can be readily integrated into existing honeypot frameworks for improved performance. The proposed emulator is evaluated on traffic reduction on the back-end proxy device, application layer task accuracy, and byte-level traffic accuracy. Experiments show the emulator is able to successfully reduce the load on the proxy device by up to 98% for some protocols. The emulator also provides equal or greater accuracy over a design which does not use a proxy. At the byte level, traffic variation is statistically equivalent while task success rates increase by 14% to 90% depending on the protocol. Finally, of the proposed proxy synchronization algorithms, templock and its minimal variant are found to provide the best overall performance

    Bridging OPC UA and DPWS for Industrial SOA

    Two web-service based specifications, OPC Unified Architecture (OPC UA) and Devices Profile for Web Services (DPWS), have been proposed by various researchers and organizations as possible enabling technologies for an event-driven Service Oriented Architecture for monitoring and control in manufacturing applications. This paper aims to propose and demonstrate an approach for bridging these two technologies in a way that is applicable in existing industrial applications. A merger between OPC UA and DPWS that effectively combines their complementary strengths could help pave the path toward future industrial event-driven SOA applications, with the inherent modularity, agility, and interoperability envisioned by researchers today. A representation of DPWS devices, services, operations and events in the OPC UA data model is proposed, and a DPWS Module is developed for Ignition, a commercially available HMI/SCADA and MES platform with integrated OPC UA Server. The module discovers DPWS devices in a local network, creates the representation in the address space, and handles subscriptions, input and output parameter values, and invoking operations. A Complex Event Processing component based on Microsoft’s StreamInsight is also integrated with the system, input and output adapters exposing web service interfaces. The system prototype developed will be used as the base for a use case demonstrator in the European Commission’s Framework Package 7 Project, “Architecture for Service-Oriented Process Monitoring and Control (IMC AESOP).” The project aims to develop a system of systems approach for monitoring and control, based on SOA for very large-scale systems in the process industries

    Tools for modelling and simulating the Smart Grid

    The Smart Grid (SG) is a Cyber-Physical System (CPS) considered a critical infrastructure divided into cyber (software) and physical (hardware) counterparts that complement each other. It is responsible for timely power provision wrapped by Information and Communication Technologies (ICT) for handling bi-directional energy flows in electric power grids. Enacting control and performance over the massive infrastructure of the SG requires convenient analysis methods. Modelling and simulation (M&S) is a performance evaluation technique used to study virtually any system by testing designs and artificially creating 'what-if' scenarios for system reasoning and advanced analysis. M&S avoids stressing the actual physical infrastructure and systems in production by addressing the problem in a purely computational perspective. Present work compiles a non-exhaustive list of tools for M&S of interest when tackling SG capabilities. Our contribution is to delineate available options for modellers when considering power systems in combination with ICT. We also show the auxiliary tools and details of most relevant solutions pointing out major features and combinations over the years

    Towards Robotic Laboratory Automation Plug & Play: The "LAPP" Framework

    Increasing the level of automation in pharmaceutical laboratories and production facilities plays a crucial role in delivering medicine to patients. However, the particular requirements of this field make it challenging to adapt cutting-edge technologies present in other industries. This article provides an overview of relevant approaches and how they can be utilized in the pharmaceutical industry, especially in development laboratories. Recent advancements include the application of flexible mobile manipulators capable of handling complex tasks. However, integrating devices from many different vendors into an end-to-end automation system is complicated due to the diversity of interfaces. Therefore, various approaches for standardization are considered in this article, and a concept is proposed for taking them a step further. This concept enables a mobile manipulator with a vision system to "learn" the pose of each device and - utilizing a barcode - fetch interface information from a universal cloud database. This information includes control and communication protocol definitions and a representation of robot actions needed to operate the device. In order to define the movements in relation to the device, devices have to feature - besides the barcode - a fiducial marker as standard. The concept will be elaborated following appropriate research activities in follow-up papers

    Service-oriented architecture for device lifecycle support in industrial automation

    Dissertation submitted for the degree of Doctor in Electrical and Computer Engineering, Specialty: Robotics and Integrated Manufacturing. This thesis addresses the device lifecycle support thematic in the scope of service oriented industrial automation domain. This domain is known for its plethora of heterogeneous equipment encompassing distinct functions, form factors, network interfaces, or I/O specifications supported by dissimilar software and hardware platforms. There is then an evident and crescent need to take every device into account and improve the agility performance during setup, control, management, monitoring and diagnosis phases. Service-oriented Architecture (SOA) paradigm is currently a widely endorsed approach for both business and enterprise systems integration. SOA concepts and technology are continuously spreading along the layers of the enterprise organization envisioning a unified interoperability solution. SOA promotes discoverability, loose coupling, abstraction, autonomy and composition of services relying on open web standards – features that can provide an important contribution to the industrial automation domain. The present work seized industrial automation device level requirements, constraints and needs to determine how and where can SOA be employed to solve some of the existent difficulties. Supported by these outcomes, a reference architecture shaped by distributed, adaptive and composable modules is proposed. This architecture will assist and ease the role of systems integrators during reengineering-related interventions throughout system lifecycle. In a converging direction, the present work also proposes a service-oriented device model to support previous architecture vision and goals by including embedded added-value in terms of service-oriented peer-to-peer discovery and identification, configuration, management, as well as agile customization of device resources. 
In this context, the implementation and validation work proved not simply the feasibility and fitness of the proposed solution to two distinct test-benches but also its relevance to the expanding domain of SOA applications to support device lifecycle in the industrial automation domain

    A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research

    With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, the users may provide their own control plane, that can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and it is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability. Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on 2021-01-2

    Physical Resource Management and Access Mediation Within the Cloud Computing Paradigm

    Cloud computing has seen a surge over the past decade as corporations and institutions have sought to leverage the economies-of-scale achievable through this new computing paradigm. However, the rapid adoptions of cloud computing technologies that implement the existing cloud computing paradigm threaten to undermine the long-term utility of the cloud model of computing. In this thesis we address how to accommodate the variety of access requirements and diverse hardware platforms of cloud computing users by developing extensions to the existing cloud computing paradigm that afford consumer-driven access requirements and integration of new physical hardware platforms

    Network Slicing in 5G Connected Data Network for Smart Grid Communications Using Programmable Data Plane

    Due to the technological advancements in communications, contemporary smart grids have started to adopt Fifth Generation (5G) mobile networks for communications. Communication between Supervisory Control and Data Acquisition (SCADA) systems and Remote Terminal Units (RTUs) in smart grid environment utilizes the IEC 60870-5-104 protocol. It is a Transmission Control Protocol/Internet Protocol (TCP/IP) based protocol where data is transmitted in unencrypted form. Smart grids adopting 5G networking for communications are not isolated appropriately. Therefore, smart grids are still insecure against cyberattacks. With respect to recent developments in data plane programming, new networking paradigms can be realized including progressive ways of isolating smart grid traffic from normal traffic in a data plane. The aim of the thesis is to explore the usage of data plane programming to isolate and secure smart grid traffic into a network slice in 5G networks. This thesis successfully develops a flexible and efficient 5G network slicing solution based on P4 (Programming Protocol-Independent Packet Processors) language framework. Slice isolation is achieved with varied packet rates in slices as well as blocking devices from one slice communicating to the devices in another slice. The network slicing solution enables 5G equipped RTUs to be connected with SCADA in the Data Network in an isolated manner. A P4-based packet tagging solution is also presented where smart grid packets are tagged with specific Differentiated Services Code Point (DSCP) in the Internet Protocol (IP) headers to aid network slicing. DSCP values in the IP headers are used by the P4-based slicing solution to classify smart grid packets appropriately and push them into network slices. Both the network slicing and the DSCP tagging solutions are implemented with P4 software switch known as the Behavioral Model version 2 (BMv2). 
The network slicing performance is assessed in an experimental 5G testbed, which is powered by an open-sourced 5G core. Base station and User Equipment (UE) elements for connecting the RTU are simulated using appropriate software. The network slices are examined carefully in this thesis as well as their ability to provide Quality of Service (QoS) for the services hosted in the slices

    Cyber Security of Critical Infrastructures

    Critical infrastructures are vital assets for public safety, economic welfare, and the national security of countries. The vulnerabilities of critical infrastructures have increased with the widespread use of information technologies. As Critical National Infrastructures are becoming more vulnerable to cyber-attacks, their protection becomes a significant issue for organizations as well as nations. The risks to continued operations, from failing to upgrade aging infrastructure or not meeting mandated regulatory regimes, are considered highly significant, given the demonstrable impact of such circumstances. Due to the rapid increase of sophisticated cyber threats targeting critical infrastructures with significant destructive effects, the cybersecurity of critical infrastructures has become an agenda item for academics, practitioners, and policy makers. A holistic view which covers technical, policy, human, and behavioural aspects is essential to handle cyber security of critical infrastructures effectively. Moreover, the ability to attribute crimes to criminals is a vital element of avoiding impunity in cyberspace. In this book, both research and practical aspects of cyber security considerations in critical infrastructures are presented. Aligned with the interdisciplinary nature of cyber security, authors from academia, government, and industry have contributed 13 chapters. The issues that are discussed and analysed include cybersecurity training, maturity assessment frameworks, malware analysis techniques, ransomware attacks, security solutions for industrial control systems, and privacy preservation methods