183 research outputs found

    Municipal Wastewater Management

    Taking the collection of papers in this Special Issue as a whole, it is clear that “Municipal Wastewater Management” is an ongoing field of research with the ability to incorporate current environmental and human health challenges. The use of municipal sewage to monitor COVID-19 virus circulation in communities and the estimation of possible outbreaks, even before clinical cases have been identified, is a fact that justifies this. In light of the Coronavirus pandemic, the interest in the impact that research on municipal wastewater management can have on improving humans’ health and protecting the environment is being rethought. In respect to this, there is an essential need for scientific publications that present varieties of case studies and discuss best practices, so that wastewater treatment plants are seen not only as sites of pollutant removal but also as places where energy is efficiently used and environmental sustainability is being practiced, in close relation to the needs of the community. Viewed in this way, the papers collected in this Special Issue are looking forward to reaching a broad readership that can gain awareness and understanding of their topics and be stimulated into future research and collaborations that would improve all stakeholders’ engagement in promoting a sustainable municipal wastewater management.

    Decision making process in keystroke dynamics

    Computer system intrusion often happens nowadays. Various methods have been introduced to reduce and prevent these intrusions; however, no method was 100% proven to be effective. Therefore, to improve the computer’s security, this writing will explain the application of KD in the application system. The effectiveness of KD could not guarantee one hundred percent to prevent the computer intrusion, but it can be used as a second level of security after the login page in the application system. The pattern and time taken while typing by an individual are the core of the second level of security check after the login page. This writing will elaborate and conclude past studies related to KD on the aspects of the decision-making process. Various methods of processing KD data that have been used are listed and the results of the study are compared. The results of this writing are expected to help new researchers in the process of evaluating KD data.

    PICSEL: Portable ICS Extensible Lab

    Master's project work, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2020. Critical infrastructures such as electric power grids, nuclear plants, oil and gas refineries, transportation systems or pharmaceutical industries, play an increasingly important role in our lives due to technological advancement and the precision industry. Traditionally, most of these infrastructures, also called industrial control systems (ICS), are large-scale cyber-physical systems (CPS) which all use supervisory control and data acquisition (SCADA). Over recent years, malicious actors have realized the importance and impact of these infrastructures. Combining this with the deprivation of security features in ICS resulted in a large quantity of high value targets just waiting to be exploited. Since these systems are based on equipment with a really long lifetime and, in most of the cases, have an extremely high availability requirement, it is important to, somehow, gather information and perform security tests in order to protect these infrastructures, without compromising a live operation. Normally these infrastructures are very complex and often have a remarkable diversity of equipment, communication protocols and transmission technologies. This thesis presents a portable testbed, PICSEL, which was designed and developed to achieve the following goals: to be a portable testbed testing existing exploits and new security solutions whilst exploring new vulnerabilities within the equipment or the environment. Several requirements were considered in the design of the testbed: for instance, choosing the equipment that allowed for more environment configurations; choosing power supplies that support additional equipment; and designing a static electrical diagram based on each device’s requirements.
With these requirements, the testbed must be able to support different types of equipment and architectures, allowing for applications in multiple industries, inside which it can be easily reconfigured. The thesis describes the testbed architecture and discusses the design decisions, presenting two test scenarios that were studied and implemented using PICSEL. In each of these test scenarios, different attacks were performed validating each of the PICSEL goals. Testing known vulnerabilities, testing exploits in the wild and exporting information from PICSEL equipment to an external tool were very important steps to validate the results. Therefore, this thesis provides proof of concept confirming the key value of a modular and reconfigurable testbed, PICSEL

    Ubiquitous Control of a CNC Machine: Proof of Concept for Industrial IoT Applications

    In this paper, an integrated system to control and manage a state-of-the-art industrial computer numerical control (CNC) machine (Studer S33) using a commercially available tablet (Samsung Galaxy Tablet S2) is presented as a proof of concept (PoC) for the ubiquitous control of industrial machines. As a PoC, the proposed system provides useful insights to support the further development of full-fledged systems for Industrial Internet of Things (IIoT) applications. The proposed system allows for the quasi-decentralisation of the control architecture of conventional programmable logic controller (PLC)-based industrial control systems (ICSs) through data and information exchange over the transmission control protocol and the internet protocol (TCP/IP) suite using multiple agents. Based on the TCP/IP suite, a network device (Samsung Galaxy Tablet S2) and a process field net (PROFINET) device (Siemens Simatic S7-1200) are interfaced using a single-board computer (Raspberry Pi 4). An override system mainly comprising emergency stop and acknowledge buttons is also configured using the single-board computer. The input signals from the override system are transmitted to the PROFINET device (i.e., the industrial control unit (ICU)) over TCP/IP. A fully functional working prototype is realised as a PoC for an integrated system designated for the wireless and ubiquitous control of the CNC machine. The working prototype as an entity mainly comprises a mobile (handheld) touch-sensitive human-machine interface (HMI), a shielded single-board computer, and an override system, all fitted into a compact case with physical dimensions of 300 mm by 180 mm by 175 mm. To avert potential cyber attacks or threats to a reasonable extent and to guarantee the security of the PoC, a multi-factor authentication (MFA) including an administrative password and an IP address is implemented to control the access to the web-based ubiquitous HMI proffered by the PoC

    Self evaluation report

    Overview -- The NSF SIIUCRC program -- Capsule Pipeline Research Center (CPRC) at the University of Missouri-Columbia -- Most significant technical achievements -- Economic impacts -- Educational achievements -- Plan for commercialization of CLP -- Outside evaluation of CPRC -- Overall assessment -- Future plan -- Conclusion -- Appendices. ASCE task committee ; Coal log pipeline pilot plant ; CPRC publication list ; Article on coal log compaction machine design in ASME journal, Mechanical engineering ; Paper on pipeline education

    Protecting an Industrial AC Drive Application against Cyber Sabotage

    Discovered in 2010, the highly advanced computer virus called Stuxnet, also described as the first weapon of cyber warfare, reportedly destroyed at least 1,000 gas centrifuges enriching uranium in Iran. This kind of act of cyber sabotage was conducted by compromising the industrial control system, disabling protection functions of AC drives running the centrifuges, and making them spin at such high speeds that centrifugal forces caused their rotors to rupture. Decanters are another type of centrifuge used to separate solids from liquids in many industries including water treatment and mining for example. Also known as solid-bowl, scroll-discharge centrifuges, decanters are commonly powered by induction motors and AC drives. Assuming havoc similar to the Stuxnet case can be prevented with suitable safety systems, a review was conducted on the protection methods for decanter centrifuges based on literature and the current security and safety features of the following modern AC drives with Ethernet-based fieldbus connectivity: ABB ACS880-01, Rockwell Allen-Bradley PowerFlex 755, and Siemens SINAMICS S110. As a result of the limited assessment, the worst vulnerability related to cybersecurity of the AC drives is typical of many automation devices using fieldbuses: total configuration is possible remotely without any authentication by default. However, the functional safety configuration can be protected by means of a password, therefore allowing a standardized safety function called safely-limited speed (SLS) to become a viable solution for protecting the decanter centrifuge against cyber sabotage. By following the supplied checklist, it is possible to configure AC drives used with decanters optimally in terms of cybersecurity.

    Anomaly diagnosis in industrial control systems for digital forensics

    Over several decades, Industrial Control Systems (ICS) have become more interconnected and highly programmable. An increasing number of sophisticated cyber-attacks have targeted ICS with a view to cause tangible damage. Despite the stringent functional safety requirements mandated within ICS environments, critical national infrastructure (CNI) sectors and ICS vendors have been slow to address the growing cyber threat. In contrast with the design of information technology (IT) systems, security of control systems has not typically been an intrinsic design principle for ICS components, such as Programmable Logic Controllers (PLCs). These factors have motivated substantial research addressing anomaly detection in the context of ICS. However, detecting incidents alone does not assist with the response and recovery activities that are necessary for ICS operators to resume normal service. Understanding the provenance of anomalies has the potential to enable the proactive implementation of security controls, and reduce the risk of future attacks. Digital forensics provides solutions by dissecting and reconstructing evidence from an incident. However, this has typically been positioned from a post-incident perspective, which inhibits rapid triaging, and effective response and recovery, an essential requirement in critical ICS. This thesis focuses on anomaly diagnosis, which involves the analysis of and discrimination between different types of anomalous event, positioned at the intersection between anomaly detection and digital forensics. An anomaly diagnosis framework is proposed that includes mechanisms to aid ICS operators in the context of anomaly triaging and incident response. PLCs have a fundamental focus within this thesis due to their critical role and ubiquitous application in ICS. An examination of generalisable PLC data artefacts produced a taxonomy of artefact data types that focus on the device data generated and stored in PLC memory.
Using the artefacts defined in this first stage, an anomaly contextualisation model is presented that differentiates between cyber-attack and system fault anomalies. Subsequently, an attack fingerprinting approach (PLCPrint) generates near real-time compositions of memory fingerprints within 200ms, by correlating the static and dynamic behaviour of PLC registers. This establishes attack type and technique provenance, and maintains the chain-of-evidence for digital forensic investigations. To evaluate the efficacy of the framework, a physical ICS testbed modelled on a water treatment system is implemented. Multiple PLC models are evaluated to demonstrate vendor neutrality of the framework. Furthermore, several generalised attack scenarios are conducted based on techniques identified from real PLC malware. The results indicate that PLC device artefacts are particularly powerful at detecting and contextualising an anomaly. In general, we achieve high F1 scores of at least 0.98 and 0.97 for anomaly detection and contextualisation, respectively, which are highly competitive with existing state-of-the-art literature. The performance of PLCPrint emphasises how PLC memory snapshots can precisely and rapidly provide provenance by classifying cyber-attacks with an accuracy of 0.97 in less than 400ms. The proposed framework offers a much needed novel approach through which ICS components can be rapidly triaged for effective response

    Cyberthreats, Attacks and Intrusion Detection in Supervisory Control and Data Acquisition Networks

    Supervisory Control and Data Acquisition (SCADA) systems are computer-based process control systems that interconnect and monitor remote physical processes. There have been many real world documented incidents and cyber-attacks affecting SCADA systems, which clearly illustrate critical infrastructure vulnerabilities. These reported incidents demonstrate that cyber-attacks against SCADA systems might produce a variety of financial damage and harmful events to humans and their environment. This dissertation documents four contributions towards increased security for SCADA systems. First, a set of cyber-attacks was developed. Second, each attack was executed against two fully functional SCADA systems in a laboratory environment; a gas pipeline and a water storage tank. Third, signature based intrusion detection system rules were developed and tested which can be used to generate alerts when the aforementioned attacks are executed against a SCADA system. Fourth, a set of features was developed for a decision tree based anomaly based intrusion detection system. The features were tested using the datasets developed for this work. This dissertation documents cyber-attacks on both serial based and Ethernet based SCADA networks. Four categories of attacks against SCADA systems are discussed: reconnaissance, malicious response injection, malicious command injection and denial of service. In order to evaluate performance of data mining and machine learning algorithms for intrusion detection systems in SCADA systems, a network dataset to be used for benchmarking intrusion detection systems was generated. This network dataset includes different classes of attacks that simulate different attack scenarios on process control systems. This dissertation describes four SCADA network intrusion detection datasets; a full and abbreviated dataset for both the gas pipeline and water storage tank systems. Each feature in the dataset is captured from network flow records.
This dataset groups two different categories of features that can be used as input to an intrusion detection system. First, network traffic features describe the communication patterns in a SCADA system. This research developed both signature based IDS and anomaly based IDS for the gas pipeline and water storage tank serial based SCADA systems. The performance of both types of IDS was evaluated by measuring detection rate and the prevalence of false positives.

    Security Monitoring in Production Areas

    Master's theses, Information Security, 2022, Universidade de Lisboa, Faculdade de Ciências. Since the late 1960s, a different set of technologies has been designed and implemented in parallel to assist in automating industrial and manufacturing processes. These systems, created parallel to IT (Information Technologies), became known as OT (Operational Technologies). Unlike IT technologies, these were developed with a different set of requirements. With a focus on resilience to adverse environmental conditions – such as temperature, humidity, and electromagnetic interference – and a need for high availability and near-real-time performance, these technologies took a back seat to other requirements, such as information integrity and confidentiality. However, the need to automate processes has developed. Today, it is not only industrial areas – such as heavy manufacturing, oil and gas industries, electrical networks, water distribution processes, or sewage treatment – that need to increase their efficiency. The production areas of a manufacturing company also benefit from these two types of technologies – IT and OT. Furthermore, it is on the shop floor – i.e., in a production area – that the two meet and merge and interconnect the two networks to become a blended system. Often the requirements for the operation of one technology are the weak point of the other. A good example is an increasing need for IT devices to connect to the Internet. On the other hand, OT devices that often have inherent difficulty with authentication and authorization processes are exposed to untrusted networks. In recent years, and aggravated by the socio-political changes in the world, incidents in industrial and production areas have become larger and more frequent. As the impact of incidents in these areas has the potential to be immense, companies and government organizations are increasingly willing to implement measures to defend them.
For information security, this is fertile ground for developing new methodologies or experimenting and validating existing ones. This master’s work aims to apply a threat model in the context of a production area, thus obtaining a set of the most relevant threats. With the starting point of these threats, the applicability and value of two security monitoring solutions for production areas will be analyzed. In this dissertation’s first part, and after reviewing the state of the art with the result of identifying the most mentioned security measures for industrial and manufacturing areas, a contextualization of what a production area is will be performed, followed by an example, based on what was observed in the course of this work. After giving this background, a threat model will be created using a STRIDE methodology for identifying and classifying potential threats and using the DREAD methodology for risk assessment. The presentation of an attack tree will show how the identified threats can be linked to achieving the goal of disrupting a production area. After this, a study will be made on which security measures mentioned initially best mitigate the threats identified. In the final part, the two solutions will be analyzed with the functionalities of detecting connected devices and their vulnerabilities and monitoring and identifying security events using network traffic observed in an actual production area. This observation aims to verify the practical value of these tools in mitigating the threats mentioned above. During this work, a set of lessons learned were identified, which are presented as recommendations in a separate chapter.

    Industrial and Critical Infrastructure Security: Technical Analysis of Real-Life Security Incidents

    Critical infrastructures and industrial organizations aggressively move towards integrating elements of modern Information Technology (IT) into their monolithic Operational Technology (OT) architectures. Yet, as OT systems progressively become more and more interconnected, they silently have turned into alluring targets for diverse groups of adversaries. Meanwhile, the inherent complexity of these systems, along with their advanced-in-age nature, prevents defenders from fully applying contemporary security controls in a timely manner. Forsooth, the combination of these hindering factors has led to some of the most severe cybersecurity incidents of the past years. This work contributes a full-fledged and up-to-date survey of the most prominent threats and attacks against Industrial Control Systems and critical infrastructures, along with the communication protocols and devices adopted in these environments. Our study highlights that threats against critical infrastructure follow an upward spiral due to the mushrooming of commodity tools and techniques that can facilitate either the early or late stages of attacks. Furthermore, our survey exposes that existing vulnerabilities in the design and implementation of several of the OT-specific network protocols and devices may easily grant adversaries the ability to decisively impact physical processes. We provide a categorization of such threats and the corresponding vulnerabilities based on various criteria. The selection of the discussed incidents and identified vulnerabilities aims to provide a holistic view of the specific threats that target Industrial Control Systems and critical infrastructures. As far as we are aware, this is the first time an exhaustive and detailed survey of this kind is attempted