
    Application of active device authentication mechanisms in the human-machine interface of SCADA networks

    Supervisory Control and Data Acquisition (SCADA) systems are a type of Industrial Control System (ICS) that both monitor and control the critical infrastructure that delivers manufactured goods, water, and energy. These systems are responsible for supervising everything from natural gas valves to electric substations. For the past half century, SCADA and ICS networks have been proprietary, closed systems, entirely contained within a private network. Their security was derived from air gap networking, physically isolating these systems from the Internet. However, system operators are increasingly opting to connect their control systems to Internet or corporate intranet networks in order to substantially reduce operating costs and improve reporting capabilities. This architecture change has given rise to a new and poorly understood class of risk. In this work, we examine how a security concept known as Active Device Authentication can be applied to the SCADA system threat model. As our contribution, we develop a software tool known as Gatekeeper that wraps Active Device Authentication capabilities around existing, weaker authentication mechanisms present in off-the-shelf HMI software written in Java. This work aims to provide the reader with a stronger understanding of the concept of Active Device Authentication, and how it can be deployed into legacy, proprietary, or mission-critical environments to enable additional security controls without risk of impacting the underlying systems' reliability.

    Implementation of Multilayer cybersecurity based on Intrusion Detection System

    Cyber security has become a high priority in the industrial sector and in automation. Here, dependable operation is needed to ensure stable, secure and reliable power system delivery. By using the Intrusion Detection System framework, obscurity progress can be easily removed. An access control mechanism is mainly used to launch the anomalous attacks. This framework provides a hierarchical approach for an integrated security system comprising distributed IDSs. A novel SCADA-IDS with whitelists and behavior-based protocol analysis is proposed and exemplified in order to detect known and unknown cyber-attacks from inside or outside SCADA systems. Finally, our proposed SCADA-IDS is implemented and successfully validated through a series of scenarios performed in a SCADA-specific test bed developed to replicate cyber-attacks against a substation LAN. From the perspective of SCADA system operators, the lack of an openly available test dataset is a bottleneck when comparing the performance and accuracy of proposed solutions. However, for research in the community to progress, such a large dataset would be valuable. The proposed system will create a new dataset to mitigate vulnerable attacks from cyber-crime and to protect higher-level records and systems.
    DOI: 10.17762/ijritcc2321-8169.150520

    Anomaly detection in SCADA systems: a network based approach

    Supervisory Control and Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities, such as water treatment facilities. Historically, these networks were composed of special-purpose embedded devices communicating through proprietary protocols. However, modern deployments commonly make use of commercial off-the-shelf devices and standard communication protocols, such as TCP/IP. Furthermore, these networks are becoming increasingly interconnected, allowing communication with corporate networks and even the Internet. As a result, SCADA networks become vulnerable to cyber attacks, being exposed to the same threats that plague traditional IT systems.

    In our view, measurements play an essential role in validating results in network research; therefore, our first objective is to understand how SCADA networks are utilized in practice. To this end, we provide the first comprehensive analysis of real-world SCADA traffic. We analyze five network packet traces collected at four different critical infrastructures: two water treatment facilities, one gas utility, and one electricity and gas utility. We show, for instance, that existing network traffic models developed for traditional IT networks cannot be directly applied to SCADA network traffic.

    We also confirm two SCADA traffic characteristics, the stable connection matrix and the traffic periodicity, and propose two intrusion detection approaches that exploit them. In order to exploit the stable connection matrix, we investigate the use of whitelists at the flow level. We show that flow whitelists have a manageable size, considering the number of hosts in the network, and that it is possible to overcome the main sources of instability in the whitelists. In order to exploit the traffic periodicity, we focus our attention on connections used to retrieve data from devices in the field network. We propose PeriodAnalyzer, an approach that uses deep packet inspection to automatically identify the different messages and the frequency at which they are issued. Once such normal behavior is learned, PeriodAnalyzer can be used to detect data injection and Denial of Service attacks.

    Evaluation of Traditional Security Solutions in the SCADA Environment

    Supervisory Control and Data Acquisition (SCADA) systems control and monitor the electric power grid, water treatment facilities, oil and gas pipelines, railways, and other Critical Infrastructure (CI). In recent years, organizations that own and operate these systems have increasingly interconnected them with their enterprise network to take advantage of cost savings and operational benefits. This trend, however, has introduced myriad vulnerabilities associated with the networking environment. As a result, the once isolated systems are now susceptible to a wide range of threats that previously did not exist. To help address the associated risks, security professionals seek to incorporate mitigation solutions designed for traditional networking and Information Technology (IT) systems. Unfortunately, the operating parameters and security principles associated with traditional IT systems do not readily translate to the SCADA environment. Security solutions for IT systems focus primarily on protecting the confidentiality of system and user data. SCADA systems, by contrast, must adhere to strict safety and reliability requirements and rely extensively on system availability. Mitigation strategies designed for traditional IT systems must first be evaluated prior to deployment on a SCADA system, or risk adverse operational impacts such as a catastrophic oil spill, poisoning a water supply, or the shutdown of an electrical grid. This research evaluates the suitability of deploying a Host-Based Intrusion Detection System (IDS) to the Department of Defense SCADA fuels system. The impacts of the Host Intrusion Prevention System (HIPS) installed on the SCADA network's Human Machine Interface (HMI) are evaluated. Testing revealed that the HIPS agent interferes with the HMI's system services during startup. Once corrected, the HMI and connected SCADA network inherit the protections of the HIPS security agent and the defenses associated with the Host-Based Security System.

    Software Defined Networking Firewall for Industry 4.0 Manufacturing Systems

    Purpose: In order to leverage automation control data, Industry 4.0 manufacturing systems require industrial devices to be connected to the network. Potentially, this can increase the risk of cyberattacks, which can compromise connected industrial devices to acquire production data or gain control over the production process. Search engines such as Sentient Hyper-Optimized Data Access Network (SHODAN) can be perverted by attackers to acquire network information that can later be used for intrusion. To prevent this, cybersecurity standards propose network architectures divided into several network segments based on system functionalities. In this architecture, firewalls limit the exposure of industrial control devices in order to minimize security risks. This paper presents a novel Software Defined Networking (SDN) Firewall that automatically applies this standard architecture without compromising network flexibility. Design/methodology/approach: The proposed SDN Firewall changes filtering rules in order to implement the different network segments according to application-level access control policies. The Firewall applies two filtering techniques described in this paper, temporal filtering and spatial filtering, so that only applications in a white list can connect to industrial control devices. Network administrators need only configure these application-oriented white lists to comply with security standards for ICS. This simplifies network management tasks to a great extent. The authors have developed a prototype implementation based on the OPC UA Standard and conducted security tests in order to test the viability of the proposal. Findings: Network segmentation and segregation are effective countermeasures against network scanning attacks. The proposed SDN Firewall effectively configures a flat network into virtual LAN segments according to security standard guidelines.
    Research limitations/implications: The prototype implementation still needs to implement several features to exploit the full potential of the proposal. Next steps for development are discussed in a separate section. Practical implications: The proposed SDN Firewall has similar security features to commercially available application firewalls, but SDN firewalls offer additional security features. First, SDN technology provides improved performance, since SDN low-level processing functions are much more efficient. Second, with SDN, security functions are rooted in the network instead of being centralized in particular network elements. Finally, SDN provides a more flexible and dynamic, zero-configuration framework for secure manufacturing systems by automating the rollout of security standard-based network architectures. Social implications: SDN firewalls can facilitate the deployment of secure Industry 4.0 manufacturing systems, since they provide ICS networks with many of the needed security capabilities without compromising flexibility. Originality/value: The paper proposes a novel SDN Firewall specifically designed to secure ICS networks. A prototype implementation of the proposed SDN Firewall has been tested in laboratory conditions. The prototype implementation complements the security features of the OPC UA communication standard to provide a holistic security framework for ICS networks.
    This research has been partially funded by the European Commission, under Grant Agreement 723710.
    Tsuchiya, A.; Fraile Gil, F.; Koshijima, I.; Ortiz Bas, Á.; Poler, R. (2018). Software Defined Networking Firewall for Industry 4.0 Manufacturing Systems. Journal of Industrial Engineering and Management. 11(2):318-332. https://doi.org/10.3926/jiem.2534

    Towards Cyber Security for Low-Carbon Transportation: Overview, Challenges and Future Directions

    In recent years, low-carbon transportation has become an indispensable part of the sustainable development strategies of various countries, and plays a very important role in promoting low-carbon cities. However, the security of low-carbon transportation has been threatened in various ways. For example, denial of service attacks pose a great threat to electric vehicles and vehicle-to-grid networks. To minimize these threats, several methods have been proposed to defend against them. Yet, these methods are only for certain types of scenarios or attacks. Therefore, this review addresses the security aspect from a holistic view, and provides the overview, challenges and future directions of cyber security technologies in low-carbon transportation. Firstly, based on the concept and importance of low-carbon transportation, this review positions the low-carbon transportation services. Then, from the perspective of network architecture and communication mode, this review classifies its typical attack risks. The corresponding defense technologies and relevant security suggestions are further reviewed from the perspectives of data security, network management security and network application security. Finally, in view of the long-term development of low-carbon transportation, future research directions are considered.
    Comment: 34 pages, 6 figures, accepted by the journal Renewable and Sustainable Energy Reviews

    Evaluation of Anomaly Detection for Wide-Area Protection Using Cyber Federation Testbed

    Cyber-physical security research for the smart grid is currently one of the nation's top R&D priorities. The existing vulnerabilities in the legacy grid infrastructure make it particularly susceptible to countless cyber-attacks. There is a growing emphasis on building interconnected, sophisticated federated testbeds to perform realistic experiments by allowing the integration of geographically dispersed resources in the dynamic cyber-physical environment. In this paper, we present a cyber (network) based federation testbed to validate the performance of an anomaly detector in the context of Wide Area Protection (WAP) security. Specifically, we have utilized the resources available at the Iowa State University Power Cyber (ISU PCL) Laboratory to emulate the substation and local center networks, and at the US Army Research Laboratory (ARL) to emulate the regional control center network. Initially, we describe a hardware-in-the-loop based experimental setup for implementing data integrity attacks on an IEEE 39 bus system. We then perform network packet analysis focusing on latency and bandwidth, and evaluate the performance of a decision tree based anomaly detector by measuring its ability to identify different attacks. Our experimental results reveal the computed wide area network latency, the bandwidth requirement for minimum packet loss, and the successful performance of the anomaly detector. Our studies also highlight the conceptual architecture necessary for developing the federated testbed, inspired by the NASPI network.

    Machine Learning based Anomaly Detection for Cybersecurity Monitoring of Critical Infrastructures

    Managing critical infrastructures requires increasing reliance on Information and Communication Technologies. Recent years have shown an incredible increase in the sophistication of attacks. For this reason, it is necessary to develop new algorithms for monitoring these infrastructures. In this scenario, Machine Learning can represent a very useful ally. After a brief introduction on the issue of cybersecurity in Industrial Control Systems and an overview of the state of the art regarding Machine Learning based cybersecurity monitoring, the present work proposes three approaches that target different layers of the control network architecture. The first one focuses on covert channels based on the DNS protocol, which can be used to establish a command and control channel, allowing attackers to send malicious commands. The second one focuses on the field layer of electrical power systems, proposing a physics-based anomaly detection algorithm for Distributed Energy Resources. The third one proposes a first attempt to integrate physical and cyber security systems, in order to face complex threats. All three approaches are supported by promising results, which give hope for practical applications in the near future.
    XXXIV CICLO - SCIENZE E TECNOLOGIE PER L'INGEGNERIA ELETTRONICA E DELLE TELECOMUNICAZIONI - Elettromagnetismo, elettronica, telecomunicazioni
    Gaggero, GIOVANNI BATTIST