68 research outputs found

    LiS: Lightweight Signature Schemes for continuous message authentication in cyber-physical systems

    Agency for Science, Technology and Research (A*STAR) RIE 202

    A Dynamic Strategy for Cyber-Attack Detection in Large-scale Power Systems via Output Clustering

    In this paper we are concerned with reliable operation of the electric power grid in the presence of malicious cyber-attacks on measurement signals. We use the continuously changing operating conditions of the power systems to introduce an active defense method based on dynamic clustering. Our detection strategy uses a moving-target approach where information about the system's varying operating point is first used to form dynamic clusters of measurements based on their dynamic response to disturbances. Then, similarity checks can be performed within each cluster to detect stealthy cyber-attacks. The proposed method is effective even when the attacker has extensive knowledge of the system parameters, model and detection policy at some point in time.

    Information Technology Security Threats to Modern e-Enabled Aircraft: A Cautionary Note


    Hypergames and Cyber-Physical Security for Control Systems


    The Cousins of Stuxnet: Duqu, Flame, and Gauss

    Stuxnet was the first targeted malware that received worldwide attention for causing physical damage in an industrial infrastructure seemingly isolated from the online world. Stuxnet was a powerful targeted cyber-attack, and soon other malware samples were discovered that belong to this family. In this paper, we will first present our analysis of Duqu, an information-collecting malware sharing striking similarities with Stuxnet. We describe our contributions in the investigation ranging from the original detection of Duqu via finding the dropper file to the design of a Duqu detector toolkit. We then continue with the analysis of the Flame advanced information-gathering malware. Flame is unique in the sense that it used advanced cryptographic techniques to masquerade as a legitimate proxy for the Windows Update service. We also present the newest member of the family, called Gauss, whose unique feature is that one of its modules is encrypted such that it can only be decrypted on its target system; hence, the research community has not yet been able to analyze this module. For this particular malware, we designed a Gauss detector service and we are currently collecting intelligence information to be able to break its very special encryption mechanism. Besides explaining the operation of these pieces of malware, we also examine if and how they could have been detected by vigilant system administrators manually or in a semi-automated manner using available tools. Finally, we discuss lessons that the community can learn from these incidents. We focus on technical issues, and avoid speculations on the origin of these threats and other geopolitical questions.