Stealthy Deception Attacks Against SCADA Systems

SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta--data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system--wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage

DECEPTION BASED TECHNIQUES AGAINST RANSOMWARES: A SYSTEMATIC REVIEW

Ransomware is the most prevalent emerging business risk nowadays. It seriously affects business continuity and operations. According to Deloitte Cyber Security Landscape 2022, up to 4000 ransomware attacks occur daily, while the average number of days an organization takes to identify a breach is 191. Sophisticated cyber-attacks such as ransomware typically must go through multiple consecutive phases (initial foothold, network propagation, and action on objectives) before accomplishing its final objective. This study analyzed decoy-based solutions as an approach (detection, prevention, or mitigation) to overcome ransomware. A systematic literature review was conducted, in which the result has shown that deception-based techniques have given effective and significant performance against ransomware with minimal resources. It is also identified that contrary to general belief, deception techniques mainly involved in passive approaches (i.e., prevention, detection) possess other active capabilities such as ransomware traceback and obstruction (thwarting), file decryption, and decryption key recovery. Based on the literature review, several evaluation methods are also analyzed to measure the effectiveness of these deception-based techniques during the implementation process

Arp Spoofing Detection via Wireshark and Veracode

In current scenario, static and DHCP both has addressing schemes which also protect large number of end users without any burden on administrator. Also performance study need real network[1] and the final result shows that end user take not more than one millisecond to register himself or herself for protected ARP cache. Lastly server can hinder any external attacker in only a moment

Security Aspects of Internet of Things aided Smart Grids: a Bibliometric Survey

The integration of sensors and communication technology in power systems, known as the smart grid, is an emerging topic in science and technology. One of the critical issues in the smart grid is its increased vulnerability to cyber threats. As such, various types of threats and defense mechanisms are proposed in literature. This paper offers a bibliometric survey of research papers focused on the security aspects of Internet of Things (IoT) aided smart grids. To the best of the authors' knowledge, this is the very first bibliometric survey paper in this specific field. A bibliometric analysis of all journal articles is performed and the findings are sorted by dates, authorship, and key concepts. Furthermore, this paper also summarizes the types of cyber threats facing the smart grid, the various security mechanisms proposed in literature, as well as the research gaps in the field of smart grid security.Comment: The paper is published in Elsevier's Internet of Things journal. 25 pages + 20 pages of reference

Cross-validation based man-in-the-middle attack protection

A thesis submitted to the University of Bedfordshire, in fulfilment of the requirements for the degree of Master of Science by researchIn recent years, computer network has widely used in almost all areas of our social life. It has been profoundly changing the way of our living. However, various network attacks have become an increasingly problem at the same time. In local area networks, Man-in-the-Middle attack, as one kind of ARP attack, is the most common attack. This research implemented a cross-validation based Man-in-the-Middle attack protection method (CVP). This approach enables a host to check whether another host that responds the initialising host with an ARP reply packet is genuine. It then allows the ARP cache table of the initialising hosts to be updated with the MAC address and IP address pairs of the genuine host and to place the MAC address of inauthentic hosts into a blacklist. This research introduced ARP and ICMP firstly, including the structure of ARP and ICMP packets, and their workflows. Secondly, this research discussed the types of ARP attacks and the existing ARP attacks protection methods, including their principles, applicable environment, advantages and disadvantages. Then, this research proposed and implemented a cross-validation based Man-in-the-Middle attack protection method. Simulations and experiments were performed to examine the effect of CVP method. The results show the effectiveness of the proposed cross-validation based method in protecting network from Man-in-the-Middle attack. Compared with the existing Man-in-the-Middle attack protection methods, CVP requires no extra devices and administration, leading to more secure local area networks and low cost. It also has made a “tabu” to attackers. That is, it places the MAC address of attackers into a blacklist. So they will be identified immediately if they try to attack the network again

SDN as a defence mechanism : a comprehensive survey

Investing in cybersecurity is increasingly considered a significant area and aspect a business or organisation should seriously consider. Some of these security solutions are network-based and provide many levels of protection. However, traditional networks are seen to be vendor-specific and are limited, enabling minor to no network flexibility or customisation. Implementing SDN to combat cyberattacks is a workable option for resolving this traditional network constraint. Less attention has been paid to how SDN has been utilised to address security concerns, with most surveys concentrating on the security challenges the SDN paradigm faces. This study aims to provide a comprehensive overview of the state-of-the-art on how SDN has been used to combat attacks between 2017 and 2022 by highlighting the specifics of each literature, its advantages, limitations, and potential areas for further study. This work introduces a taxonomy highlighting SDN’s fundamental traits and contributions as a defence mechanism (SaaDM).peer-reviewe

Framework for Industrial Control System Honeypot Network Traffic Generation

Defending critical infrastructure assets is an important but extremely difficult and expensive task. Historically, decoys have been used very effectively to distract attackers and in some cases convince an attacker to reveal their attack strategy. Several researchers have proposed the use of honeypots to protect programmable logic controllers, specifically those used to support critical infrastructure. However, most of these honeypot designs are static systems that wait for a would-be attacker. To be effective, honeypot decoys need to be as realistic as possible. This paper introduces a proof-of-concept honeypot network traffic generator that mimics genuine control systems. Experiments are conducted using a Siemens APOGEE building automation system for single and dual subnet instantiations. Results indicate that the proposed traffic generator is capable of honeypot integration, traffic matching and routing within the decoy building automation network

Cyber Deception for Critical Infrastructure Resiliency

The high connectivity of modern cyber networks and devices has brought many improvements to the functionality and efficiency of networked systems. Unfortunately, these benefits have come with many new entry points for attackers, making systems much more vulnerable to intrusions. Thus, it is critically important to protect cyber infrastructure against cyber attacks. The static nature of cyber infrastructure leads to adversaries performing reconnaissance activities and identifying potential threats. Threats related to software vulnerabilities can be mitigated upon discovering a vulnerability and-, developing and releasing a patch to remove the vulnerability. Unfortunately, the period between discovering a vulnerability and applying a patch is long, often lasting five months or more. These delays pose significant risks to the organization while many cyber networks are operational. This concern necessitates the development of an active defense system capable of thwarting cyber reconnaissance missions and mitigating the progression of the attacker through the network. Thus, my research investigates how to develop an efficient defense system to address these challenges. First, we proposed the framework to show how the defender can use the network of decoys along with the real network to introduce mistrust. However, another research problem, the defender’s choice of whether to save resources or spend more (number of decoys) resources in a resource-constrained system, needs to be addressed. We developed a Dynamic Deception System (DDS) that can assess various attacker types based on the attacker’s knowledge, aggression, and stealthiness level to decide whether the defender should spend or save resources. In our DDS, we leveraged Software Defined Networking (SDN) to differentiate the malicious traffic from the benign traffic to deter the cyber reconnaissance mission and redirect malicious traffic to the deception server. Experiments conducted on the prototype implementation of our DDS confirmed that the defender could decide whether to spend or save resources based on the attacker types and thwarted cyber reconnaissance mission. Next, we addressed the challenge of efficiently placing network decoys by predicting the most likely attack path in Multi-Stage Attacks (MSAs). MSAs are cyber security threats where the attack campaign is performed through several attack stages and adversarial lateral movement is one of the critical stages. Adversaries can laterally move into the network without raising an alert. To prevent lateral movement, we proposed an approach that combines reactive (graph analysis) and proactive (cyber deception technology) defense. The proposed approach is realized through two phases. The first phase predicts the most likely attack path based on Intrusion Detection System (IDS) alerts and network trace. The second phase determines the optimal deployment of decoy nodes along the predicted path. We employ transition probabilities in a Hidden Markov Model to predict the path. In the second phase, we utilize the predicted attack path to deploy decoy nodes. The evaluation results show that our approach can predict the most likely attack paths and thwart adversarial lateral movement