On Ladder Logic Bombs in Industrial Control Systems

In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques.Comment: 11 pages, 14 figures, 2 tables, 1 algorith

Formally designing and implementing cyber security mechanisms in industrial control networks.

This dissertation describes progress in the state-of-the-art for developing and deploying formally verified cyber security devices in industrial control networks. It begins by detailing the unique struggles that are faced in industrial control networks and why concepts and technologies developed for securing traditional networks might not be appropriate. It uses these unique struggles and examples of contemporary cyber-attacks targeting control systems to argue that progress in securing control systems is best met with formal verification of systems, their specifications, and their security properties. This dissertation then presents a development process and identifies two technologies, TLA+ and seL4, that can be leveraged to produce a high-assurance embedded security device. The method presented in this dissertation takes an informal design of an embedded device that might be found in a control system and 1) formalizes the design within TLA+, 2) creates and mechanically checks a model built from the formal design, and 3) translates the TLA+ design into a component-based architecture of a native seL4 application. The later chapters of this dissertation describe an application of the process to a security preprocessor embedded device that was designed to add security mechanisms to the network communication of an existing control system. The device and its security properties are formally specified in TLA+ in chapter 4, mechanically checked in chapter 5, and finally its native seL4 architecture is implemented in chapter 6. Finally, the conclusions derived from the research are laid out, as well as some possibilities for expanding the presented method in the future

Application of NTRU Cryptographic Algorithm for securing SCADA communication

Supervisory Control and Data Acquisition (SCADA) system is a control system which is widely used in Critical Infrastructure System to monitor and control industrial processes autonomously. Most of the SCADA communication protocols are vulnerable to various types of cyber-related attacks. The currently used security standards for SCADA communication specify the use of asymmetric cryptographic algorithms like RSA or ECC for securing SCADA communications. There are certain performance issues with cryptographic solutions of these specifications when applied to SCADA system with real-time constraints and hardware limitations. To overcome this issue, in this thesis we propose the use of a faster and light-weighted NTRU cryptographic algorithm for authentication and data integrity in securing SCADA communication. Experimental research conducted on ARMv6 based Raspberry Pi and Intel Core machine shows that cryptographic operations of NTRU is two to thirty five times faster than the corresponding RSA or ECC. Usage of NTRU algorithm reduces computation and memory overhead significantly making it suitable for SCADA systems with real-time constraints and hardware limitations

Practical Encryption Gateways to Integrate Legacy Industrial Machinery

Future industrial networks will consist of a mixture of old and new components, due to the very long life-cycles of industrial machines on the one hand and the need to change in the face of trends like Industry 4.0 or the industrial Internet of things on the other. These networks will be very heterogeneous and will serve legacy as well as new use cases in parallel. This will result in an increased demand for network security and precisely within this domain, this thesis tries to answer one specific question: how to make it possible for legacy industrial machines to run securely in those future heterogeneous industrial networks. The need for such a solution arises from the fact, that legacy machines are very outdated and hence vulnerable systems, when assessing them from an IT security standpoint. For various reasons, they cannot be easily replaced or upgraded and with the opening up of industrial networks to the Internet, they become prime attack targets. The only way to provide security for them, is by protecting their network traffic. The concept of encryption gateways forms the basis of our solution. These are special network devices, that are put between the legacy machine and the network. The gateways encrypt data traffic from the machine before it is put on the network and decrypt traffic coming from the network accordingly. This results in a separation of the machine from the network by virtue of only decrypting and passing through traffic from other authenticated gateways. In effect, they protect communication data in transit and shield the legacy machines from potential attackers within the rest of the network, while at the same time retaining their functionality. Additionally, through the specific placement of gateways inside the network, fine-grained security policies become possible. This approach can reduce the attack surface of the industrial network as a whole considerably. As a concept, this idea is straight forward and not new. Yet, the devil is in the details and no solution specifically tailored to the needs of the industrial environment and its legacy components existed prior to this work. Therefore, we present in this thesis concrete building blocks in the direction of a generally applicable encryption gateway solution that allows to securely integrate legacy industrial machinery and respects industrial requirements. This not only entails works in the direction of network security, but also includes works in the direction of guaranteeing the availability of the communication links that are protected by the gateways, works to simplify the usability of the gateways as well as the management of industrial data flows by the gateways

Efficient Security Protocols for Constrained Devices

During the last decades, more and more devices have been connected to the Internet.Today, there are more devices connected to the Internet than humans.An increasingly more common type of devices are cyber-physical devices.A device that interacts with its environment is called a cyber-physical device.Sensors that measure their environment and actuators that alter the physical environment are both cyber-physical devices.Devices connected to the Internet risk being compromised by threat actors such as hackers.Cyber-physical devices have become a preferred target for threat actors since the consequence of an intrusion disrupting or destroying a cyber-physical system can be severe.Cyber attacks against power and energy infrastructure have caused significant disruptions in recent years.Many cyber-physical devices are categorized as constrained devices.A constrained device is characterized by one or more of the following limitations: limited memory, a less powerful CPU, or a limited communication interface.Many constrained devices are also powered by a battery or energy harvesting, which limits the available energy budget.Devices must be efficient to make the most of the limited resources.Mitigating cyber attacks is a complex task, requiring technical and organizational measures.Constrained cyber-physical devices require efficient security mechanisms to avoid overloading the systems limited resources.In this thesis, we present research on efficient security protocols for constrained cyber-physical devices.We have implemented and evaluated two state-of-the-art protocols, OSCORE and Group OSCORE.These protocols allow end-to-end protection of CoAP messages in the presence of untrusted proxies.Next, we have performed a formal protocol verification of WirelessHART, a protocol for communications in an industrial control systems setting.In our work, we present a novel attack against the protocol.We have developed a novel architecture for industrial control systems utilizing the Digital Twin concept.Using a state synchronization protocol, we propagate state changes between the digital and physical twins.The Digital Twin can then monitor and manage devices.We have also designed a protocol for secure ownership transfer of constrained wireless devices. Our protocol allows the owner of a wireless sensor network to transfer control of the devices to a new owner.With a formal protocol verification, we can guarantee the security of both the old and new owners.Lastly, we have developed an efficient Private Stream Aggregation (PSA) protocol.PSA allows devices to send encrypted measurements to an aggregator.The aggregator can combine the encrypted measurements and calculate the decrypted sum of the measurements.No party will learn the measurement except the device that generated it

ENABLING IOT AUTHENTICATION, PRIVACY AND SECURITY VIA BLOCKCHAIN

Although low-power and Internet-connected gadgets and sensors are increasingly integrated into our lives, the optimal design of these systems remains an issue. In particular, authentication, privacy, security, and performance are critical success factors. Furthermore, with emerging research areas such as autonomous cars, advanced manufacturing, smart cities, and building, usage of the Internet of Things (IoT) devices is expected to skyrocket. A single compromised node can be turned into a malicious one that brings down whole systems or causes disasters in safety-critical applications. This dissertation addresses the critical problems of (i) device management, (ii) data management, and (iii) service management in IoT systems. In particular, we propose an integrated platform solution for IoT device authentication, data privacy, and service security via blockchain-based smart contracts. We ensure IoT device authentication by blockchain-based IC traceability system, from its fabrication to its end-of-life, allowing both the supplier and a potential customer to verify an IC’s provenance. Results show that our proposed consortium blockchain framework implementation in Hyperledger Fabric for IC traceability achieves a throughput of 35 transactions per second (tps). To corroborate the blockchain information, we authenticate the IC securely and uniquely with an embedded Physically Unclonable Function (PUF). For reliable Weak PUF-based authentication, our proposed accelerated aging technique reduces the cumulative burn-in cost by ∼ 56%. We also propose a blockchain-based solution to integrate the privacy of data generated from the IoT devices by giving users control of their privacy. The smart contract controlled trust-base ensures that the users have private access to their IoT devices and data. We then propose a remote configuration of IC features via smart contracts, where an IC can be programmed repeatedly and securely. This programmability will enable users to upgrade IC features or rent upgraded IC features for a fixed period after users have purchased the IC. We tailor the hardware to meet the blockchain performance. Our on-die hardware module design enforces the hardware configuration’s secure execution and uses only 2,844 slices in the Xilinx Zedboard Zynq Evaluation board. The blockchain framework facilitates decentralized IoT, where interacting devices are empowered to execute digital contracts autonomously

Slender PUF Protocol: A lightweight, robust, and secure authentication by substring matching

We introduce Slender PUF protocol, an efficient and secure method to authenticate the responses generated from a Strong Physical Unclonable Function (PUF). The new method is lightweight, and suitable for energy constrained platforms such as ultra-low power embedded systems for use in identification and authentication applications. The proposed protocol does not follow the classic paradigm of exposing the full PUF responses (or a transformation of the full string of responses) on the communication channel. Instead, random subsets of the responses are revealed and sent for authentication. The response patterns are used for authenticating the prover device with a very high probability.We perform a thorough analysis of the method’s resiliency to various attacks which guides adjustment of our protocol parameters for an efficient and secure implementation. We demonstrate that Slender PUF protocol, if carefully designed, will be resilient against all known machine learning attacks. In addition, it has the great advantage of an inbuilt PUF error tolerance. Thus, Slender PUF protocol is lightweight and does not require costly additional error correction, fuzzy extractors, and hash modules suggested in most previously known PUF-based robust authentication techniques. The low overhead and practicality of the protocol are confirmed by a set of hardware implementation and evaluations

Operator authentication and accountability for SCADA servers when requests are forwarded by a middle layer

Due to their critical nature, the actions performed by operators on Industrial Control Systems (ICS) are subject to source authentication and accountability. When commands are not send directly by the user, but forwarded by middle servers, the compromise of those severs threatens the security of the whole architecture. This Master thesis provides a solution for that problem, guaranteeing authentication end-to-end while fulfilling cost and performance requirements. Based on an analysis of several potential solutions, digital signatures were assessed to be the most flexible and secure option. Moreover, the proposed solution relies on Microsoft's Active Directory, which manages credentials on the target architecture, for securely linking public keys with user identities. A prototype implementation of the proposed design is included, together with a limited performance evaluation. They have proven the validity of the design, that guarantees end-to-end authentication and accountability of command requests, while maintaining low implementation and maintenance costs and a negligible impact in latency per message

Secure Network-on-Chip Against Black Hole and Tampering Attacks

The Network-on-Chip (NoC) has become the communication heart of Multiprocessors-System-on-Chip (MPSoC). Therefore, it has been subject to a plethora of security threats to degrade the system performance or steal sensitive information. Due to the globalization of the modern semiconductor industry, many different parties take part in the hardware design of the system. As a result, the NoC could be infected with a malicious circuit, known as a Hardware Trojan (HT), to leave a back door for security breach purposes. HTs are smartly designed to be too small to be uncovered by offline circuit-level testing, so the system requires an online monitoring to detect and prevent the HT in runtime. This dissertation focuses on HTs inside the router of a NoC designed by a third party. It explores two HT-based threat models for the MPSoC, where the NoC experiences packet-loss and packet-tampering once the HT in the infected router is activated and is in the attacking state. Extensive experiments for each proposed architecture were conducted using a cycle-accurate simulator to demonstrate its effectiveness on the performance of the NoC-based system. The first threat model is the Black Hole Router (BHR) attack, where it silently discards the packets that are passing through without further announcement. The effect of the BHR is presented and analyzed to show the potency of the attack on a NoC-based system. A countermeasure protocol is proposed to detect the BHR at runtime and counteract the deliberate packet-dropping attack with a 26.9% area overhead, an average 21.31% performance overhead and a 22% energy consumption overhead. The protocol is extended to provide an efficient and power-gated scheme to enhance the NoC throughput and reduce the energy consumption by using end-to-end (e2e) approach. The power-gated e2e technique locates the BHR and avoids it with a 1% performance overhead and a 2% energy consumption overhead. The second threat model is a packet-integrity attack, where the HT tampers with the packet to apply a denial-of-service attack, steal sensitive information, gain unauthorized access, or misroute the packet to an unintended node. An authentic and secure NoC platform is proposed to detect and countermeasure the packet-tampering attack to maintain data-integrity and authenticity while keeping its secrecy with a 24.21% area overhead. The proposed NoC architecture is not only able to detect the attack, but also locates the infected router and isolates it from the network

Securing Critical Infrastructures

1noL'abstract è presente nell'allegato / the abstract is in the attachmentopen677. INGEGNERIA INFORMATInoopenCarelli, Albert