
    A Survey on Industrial Control System Testbeds and Datasets for Security Research

    The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damage. To address this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, academia, industry, and government are increasingly proposing testbeds (i.e., scaled-down versions of ICSs or simulations) to test the performance of IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in the state of the art for this field. Finally, driven by the knowledge accumulated during this survey's development, we report advice and good practices on the development, choice, and utilization of testbeds, datasets, and IDSs.

    Cybersecurity analysis of a SCADA system under current standards, client requisites, and penetration testing

    Supervisory Control and Data Acquisition (SCADA) systems are essential for monitoring and controlling a country's Critical Infrastructures (CI) such as electrical power grids, gas, water supply, and transportation services. These systems used to be mostly isolated and secure, but this is no longer true due to the use of wider and interconnected communication networks to reap benefits such as scalability, reliability, usability, and integration. This architectural change, together with the critical importance of these systems, made them desirable cyber-attack targets. Just as in other Information Technology (IT) systems, standards and best practices have been developed to provide guidance for SCADA developers to increase the security of their systems against cyber-attacks. With the assistance of EFACEC, this work provides an analysis of a SCADA system under current standards, client requisites, and testing of vulnerabilities in an actual prototype system. Our aim is to provide guidance by example on how to evaluate and improve the security of SCADA systems, using a basic prototype of EFACEC's ScateX# SCADA system, following both a theoretical and a practical approach. For the theoretical approach, a list of the most commonly adopted ICS (Industrial Control Systems) and IT standards is compiled, and then sets of a generic client's cybersecurity requisites are analyzed and confronted with the prototype's specifications. A study of the system's architecture is also performed to identify vulnerabilities and non-compliances with both the client's requisites and the standards and, for the identified vulnerabilities, corrective and mitigation measures are suggested. For the practical approach, a threat model was developed to help identify desirable assets on SCADA systems and possible attack vectors that could allow access to such assets. Penetration tests were performed on the prototype in order to validate the attack vectors, to evaluate compliance, and to provide evidence of the effectiveness of the corrective measures.

    Advanced security aspects on Industrial Control Network.

    Security threats are one of the main problems of this computer-based era. All systems making use of information and communication technologies (ICT) are prone to failures and vulnerabilities that can be exploited by malicious software and agents. In recent years, Industrial Critical Installations have also started to make massive use of network interconnections and, what is worse, they have come into contact with the public network, i.e., with the Internet. Industrial networks are responsible for process and manufacturing operations of almost every scale, and as a result the successful penetration of a control system network can be used to directly impact those processes. Consequences could potentially range from relatively benign disruptions, such as the disruption of the operation (taking a facility offline) or the alteration of an operational process (changing the formula of a chemical process), all the way to deliberate acts of sabotage that are intended to cause harm. The interconnectivity of Industrial Control Systems with corporate networks and the Internet has significantly increased the threats to critical infrastructure assets. Meanwhile, traditional IT security solutions such as firewalls, intrusion detection systems and antivirus software are relatively ineffective against attacks that specifically target vulnerabilities in SCADA protocols. This work presents an innovative approach to Intrusion Detection in SCADA systems based on the concepts of Critical State Analysis and State Proximity. The theoretical framework is supported by tests conducted with an Intrusion Detection System prototype implementing the proposed detection approach.

    Vulnerability discovery in power line communications

    Master's thesis, Computer Engineering (Computer Architecture, Systems and Networks), Universidade de Lisboa, Faculdade de Ciências, 2015.
    Powerline communication is a form of data transmission over the electrical grid. The grid is used both to carry current and to transmit data, so the same infrastructure serves two functions, both essential today. Powerline communication offers narrowband and broadband links, depending on the frequency of the electrical wave. Because of the low frequency and the distance between points, industrial networks have only narrowband links, providing speeds of up to 500kB/s. In home networks the frequency of the electrical wave is high, allowing powerline communication at broadband speeds (several hundred MB/s). This form of communication has two main uses: home networks and industrial networks. In home networks, powerline communication is used to extend an existing Internet connection over the electrical wiring of a house. The goal is to obtain connectivity anywhere in the house without resorting to repeaters, wireless networks, or the installation of new cables. Powerline adapters, plugged into wall sockets, are used for this purpose. The router that provides the Internet connection is attached by an Ethernet cable to one of these adapters. Note that this is an ordinary router, obtained through a typical Internet installation. Once connected to the powerline adapter, the router transmits data over the electrical grid. Other powerline adapters can then be plugged into other sockets in the same house, and computers, printers, or any other equipment that needs a network connection can be attached to them, receiving a signal just as from a direct connection to the router. Thus, from any socket it is possible to obtain an Internet connection for any computer or home device.
    Industrial networks are composed of the many elements that make up the distribution of services in a country, such as the electrical grid, gas and water, among other uses. In this environment, powerline communication allows the existing electrical grid to be used to carry information, such as meter readings or alarms. The main users of powerline communication are the electricity companies, which through this form of communication can use their infrastructure both to supply electricity and to obtain automatic readings from smart meters (meters with processing power and network connections). With these readings updated in real time, the electricity companies gain tight control over the balance required between electricity production and consumption. If this balance is not maintained, voltage spikes or outages in electrical distribution can occur, when there is too much or too little electricity on the grid (respectively). Voltage spikes can damage equipment beyond repair. Outages halt the operation of some elements connected to the grid. This situation can also be dangerous, since, for example, electric trains require a continuous supply of current to operate correctly. On the electrical grid, current is transmitted as a sinusoidal wave. Modulating this wave is what makes powerline communication possible. Logical values can be assigned to the various amplitudes of the wave; for example, we can assign the logical value 0 to the minimum amplitude and the logical value 1 to the maximum amplitude. Other, more complex configurations are possible. The electrical wave is modulated so that the intended values can be read from its amplitude, thereby achieving the transmission of information over the same infrastructure that supplies electricity.
    The companies that manufacture powerline devices have joined together in alliances so that all devices produced by their members are standardized and compatible with one another. These standards may be openly available or restricted to alliance members. Most of these protocols include security mechanisms. However, some of these mechanisms have already been shown to be insecure, allowing (for example) attackers to take control of the network or of the devices themselves. This work is aimed at finding security vulnerabilities in powerline protocols. We present a summary of some of the protocols in current use and give a more in-depth description of the HomePlug protocol. This is the protocol chosen for analysis in this work, since it is widely used in home environments and HomePlug adapters are easy to obtain. We identified a design vulnerability in one of the cryptographic key exchange mechanisms, which allows an attacker who listens on the network while the protocol runs to obtain the main network keys, thereby gaining full access to the network and to the information exchanged on it. To demonstrate this vulnerability in practice, we need to listen on the electrical grid. Since we do not know how to build a device that listens to data transmission on the grid, we chose to modify an existing adapter that runs a minimal version of Linux. We successfully updated the adapter's firmware to obtain remote access with administrator privileges. By gaining access to the adapter we were able to steal information and cryptographic keys, which is a contribution in itself even though it was not the goal of this work. Access to a new element of the network allows us to carry out new attacks, and we therefore present several possible attacks on the network and on devices using powerline adapters.
    On this adapter we analyzed the execution of the vulnerable protocol, ran a traffic analyzer, installed binaries and device drivers, and explain how to modify the kernel and the bootloader. Unfortunately, none of the tests carried out served to demonstrate the vulnerability in practice. Although we conclude that some HomePlug information reaches user level, the HomePlug-specific messages remain hidden, out of our reach. Some possibilities that remain open for obtaining these messages are described, as a possible continuation of this work.
    Powerline communication (PLC) is a form of data transfer where the electric infrastructure is used for both power supply and network connection. PLC can be employed in industrial or home environments. In home environments, powerline is used to extend Internet connectivity through the house's electric infrastructure. Powerline adapters are connected to a house's power sockets, and these adapters provide connectivity throughout the house. A router is linked to one of the adapters to establish the connection, and other adapters are used to decode the powerline signal. These adapters provide an easy way to extend a home network without the use of additional routers, Wi-Fi, repeaters or new cables. In industrial environments, PLC is used (for example) to provide real-time data about electric consumption in the electric grid, allowing fine control of the required/used electricity. With this control, electric suppliers produce electricity more efficiently, reducing production costs and prices for the final consumers. Device manufacturers created alliances to standardize their products, developing protocols and guidelines to this effect. We present a summary of some of these standards. These protocols include security measures in their specifications (like cryptography), but some protocols have already been proven unsafe.
    In this work, we study the HomePlug protocol, which is commonly used to extend connectivity inside homes. We describe a design vulnerability present in HomePlug, in one of the cryptographic key exchange mechanisms. An attacker who listens to the medium can steal the critical network keys. To prove this vulnerability, we created a malicious adaptor by updating it with malicious firmware. Although we ran a large battery of tests on the adaptor, we were unable to prove the vulnerability. Nevertheless, we provide an insight into a series of attacks that can be carried out using a malicious adaptor as an attack point, which can be used in the future to extend this work.

    Intrusion Detection System of industrial control networks using network telemetry

    Industrial Control Systems (ICSs) are designed, implemented, and deployed in most major spheres of production, business, and entertainment. ICSs are commonly split into two subsystems - Programmable Logic Controllers (PLCs) and Supervisory Control And Data Acquisition (SCADA) systems - to achieve high safety, allow engineers to observe the states of an ICS, and perform various configuration updates. Before wide adoption of the Internet, ICSs used air-gap security measures, where the ICS network was isolated from other networks, including the Internet, by a physical disconnect [1]. This level of security allowed ICS protocol designers to concentrate on the availability and safety of operation of physical systems while decreasing the need for many cyber security implementations. As the price of networking devices fell, and the Internet received global adoption, many businesses became interested in the benefits of attaching ICSs to wide and global area networks. However, since ICS network protocols were originally designed for an air-gapped environment, they did not include any of the security measures needed for the proper operation of a critical protocol that exposes its packets to the Internet. This dissertation designs, implements, and evaluates a telemetry-based Intrusion Detection System (IDS). The designed IDS utilizes aggregation and analysis of traffic telemetry features to classify incoming packets as malicious or benign. An IDS that uses network telemetry was created, and it achieved a high classification accuracy, protecting nodes from malicious traffic. Such an IDS is not vulnerable to address or encryption spoofing, as it does not utilize the content of the packets to differentiate between malicious and benign traffic. The IDS uses features of timing and network sessions to determine whether the machine that sent a particular packet and its software are, in fact, a benign combination, as well as whether or not it resides on a benign network. The results of the experiments conducted for this dissertation establish that such a system can be created and used in an ICS network environment. Several features are recognized and selected as means for fingerprinting the hardware and software characteristics of the SCADA system that can be used together with machine learning algorithms to allow high-accuracy detection of intrusions into the ICS network. The results showed that a classification accuracy of at least 95% is possible, and as the differences between machines increase, the accuracy increases too.

    Exploring security controls for ICS/SCADA environments

    Master's project report, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2020.
    Industrial Control Systems (ICS) are beginning to merge with IT solutions in order to promote interconnectivity. Although this brings countless benefits from a control perspective, ICS lack security mechanisms capable of preventing potential cyber threats when compared to common information systems [29], [64]. Given the critical nature of these systems, and the recent occurrence of disastrous cyberattacks, security is a topic that must be encouraged. In light of this problem, this dissertation presents an assessment of possible security applications and controls to be deployed in these critical environments, and the implementation of an extensible security solution that responds to certain attacks aimed at industrial systems, capable of being deployed in any industrial network that permits its connection. With the help of an extensible and portable framework for ICS testing, and other industrial test environments, it was possible to analyze different threat scenarios, deploy security mechanisms to detect them, and evaluate the results, with the aim of giving an idea of how best to employ these mechanisms in a real industrial control environment.
    Industrial Control Systems (ICS) are beginning to merge with IT solutions in order to promote inter-connectivity. Although this brings countless benefits from a control perspective, ICS have been lacking in security mechanisms to ward off potential cyber threats when compared to common information systems [29], [64]. Given the critical nature of these systems, and the recent occurrences of disastrous cyber-attacks, security is a topic that should be encouraged. In light of this problem, in this dissertation we present an assessment of possible security applications and controls that can be deployed in these critical environments and the implementation of an extensible security solution that responds to certain attacks focused on industrial systems, capable of being deployed in any industrial network that allows its connection. With the help of an extensible and portable framework for ICS testing, and other industrial testing environments, it was possible to analyze different threat scenarios, implement security mechanisms to detect them and evaluate the results in order to provide an idea of how to employ these mechanisms as best as possible in a real industrial control environment, without compromising its process.

    Network and System Management using IEC 62351-7 in IEC 61850 Substations: Design and Implementation

    Substations are a prime target for threat agents aiming to disrupt the power grid's operation. With the advent of the smart grid, the power infrastructure is increasingly being coupled with an Information and Communication Technologies (ICT) infrastructure needed to manage it, exposing it to potential cyberattacks. In order to secure the smart grid, IEC 62351 specifies how to provide cybersecurity to such an environment. Among its specifications, IEC 62351-7 specifies the use of Network and System Management (NSM) to monitor and manage the operation of power systems. In this research, we aim to design, implement, and study NSM in a digital substation as per the specifications of IEC 62351-7. The substation is one that conforms to the IEC 61850 standard, which defines how to design a substation leveraging ICT. Our contributions are as follows. We contribute to the design and implementation of NSM in a smart grid security co-simulation testbed. We design a methodology to elaborate cyberattacks targeting IEC 61850 substations specifically. We elaborate detection algorithms that leverage the NSM Data Objects (NSM DOs) of IEC 62351-7 to detect the attacks designed using our method. We validate these experimentally using our testbed. From this work, we can provide an initial assessment of NSM within the context of digital substations.