    A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

    The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is critical, but it is also complex, costly, and an extra factor to manage during the lifespan of the component. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed Extended Dependency Graph (EDG) model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS). The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. It also helps prioritize patching activities. The model was validated by application to the OpenPLC project. The results reveal that most of the vulnerabilities associated with OpenPLC were related to memory buffer operations and were concentrated in the libssl library. The model was able to determine new requirements and generate test cases from the analysis.

    How to Quantify the Security Level of Embedded Systems? A Taxonomy of Security Metrics

    Embedded Systems (ES) development has historically been focused on functionality rather than security, and this still applies today in many sectors and applications. However, there is an increasing number of security threats to ES, and a successful attack could have economic, physical or even human consequences, since many of them are used to control critical applications. A standardized and generally accepted security testing framework is needed to provide guidance, common reporting forms and the possibility of comparing results over time. This can be achieved by introducing security metrics into the evaluation or assessment process. If carefully designed and chosen, metrics could provide a quantitative, repeatable and reproducible value that would reflect the level of security protection of the ES. This paper analyzes the features that a good security metric should exhibit, introduces a taxonomy for classifying them, and finally carries out a literature survey on security metrics for the security evaluation of ES. In this review, more than 500 metrics were collected and analyzed. They were then reduced to 169 metrics that have the potential to be applied to ES security evaluation. As expected, 77.5% of them are related exclusively to software, and only 0.6% of them address exclusively hardware security. This work aims to lay the foundations for constructing a security evaluation methodology that uses metrics to quantify the security level of an ES.

    Short Messages Spam Filtering Combining Personality Recognition and Sentiment Analysis

    Currently, short communication channels are growing due to the huge increase in the number of smartphone and online social network users. This growth attracts malicious campaigns, such as spam campaigns, that are a direct threat to the security and privacy of the users. While most research is focused on automatic text classification, in this work we demonstrate the possibility of improving current short message spam detection systems using a novel method. We combine personality recognition and sentiment analysis techniques to analyze Short Message Service (SMS) texts. We enrich a publicly available dataset by adding these features of each message, first separately and then in combination, to the dataset, creating new datasets. We apply several combinations of the best SMS spam classifiers and filters to each dataset in order to compare the results of each one. Taking into account the experimental results, we analyze the real influence of each feature and of the combination of both. In the end, the best results are improved in terms of accuracy, reaching 99.01%, and the number of false positives is reduced.

    Null is Not Always Empty: Monitoring the Null Space for Field-Level Anomaly Detection in Industrial IoT Environments

    Industrial environments have vastly changed since the conception of the initial primitive and isolated networks. The current full interconnection paradigm, where connectivity between different devices and the Internet has become a business necessity, has driven device interconnectivity towards building the Industrial Internet of Things (IIoT), enabling added-value services such as supply chain optimization or improved process control. However, whereas interconnectivity has increased, IIoT security practices have not evolved at the same pace, due partly to security practices inherited from when industrial networks were not connected and to the existence of basic hardware with no security functionalities. In this work, we present an Anomaly Detection System for industrial environments that monitors physical quantities to detect intrusions. It is based on null space detection, which is in turn based on Stochastic Subspace Identification (SSI). The approach is validated using the Tennessee-Eastman chemical process.

    Towards Large-Scale, Heterogeneous Anomaly Detection Systems in Industrial Networks: A Survey of Current Trends

    Industrial Networks (INs) are widespread environments where heterogeneous devices collaborate to control and monitor physical processes. Some of the controlled processes belong to Critical Infrastructures (CIs), and, as such, IN protection is an active research field. Among different types of security solutions, IN Anomaly Detection Systems (ADSs) have received wide attention from the scientific community. While INs have grown in size and in complexity, requiring the development of novel Big Data solutions for data processing, IN ADSs have not evolved at the same pace. In parallel, the development of Big Data frameworks such as Hadoop or Spark has led the way for applying Big Data Analytics to the field of cyber-security, mainly focusing on the Information Technology (IT) domain. However, due to the particularities of INs, it is not feasible to directly apply IT security mechanisms in INs, as IN ADSs face unique characteristics. In this work we introduce three main contributions. First, we survey the area of Big Data ADSs that could be applicable to INs and compare the surveyed works. Second, we develop a novel taxonomy to classify existing IN-based ADSs. And, finally, we present a discussion of open problems in the field of Big Data ADSs for INs that can lead to further development.

    Implementation of a Reference Architecture for Cyber Physical Systems to support Condition Based Maintenance

    This paper presents the implementation of a reference architecture for Cyber Physical Systems (CPS) to support Condition Based Maintenance (CBM) of industrial assets. The article focuses on describing how the MANTIS Reference Architecture is implemented to support predictive maintenance of a clutch-brake asset fleet, and includes the data analysis techniques and algorithms implemented at platform level to facilitate predictive maintenance activities. These technologies are (1) Root Cause Analysis powered by Attribute Oriented Induction Clustering and (2) Remaining Useful Life powered by Time Series Forecasting. The work has been conducted in a real use case within the EU project MANTIS.

    Low delay network attributes randomization to proactively mitigate reconnaissance attacks in industrial control systems

    Industrial Control Systems are used in a wide variety of industrial facilities, including critical infrastructures, making them the main target of multiple security attacks. A malicious and successful attack against these infrastructures could cause serious economic and environmental consequences, including the loss of human lives. Static network configurations and topologies, which characterize Industrial Control Systems, represent an advantage for attackers, allowing them to scan for vulnerable devices or services before carrying out the attack. Identifying active devices and services is often the first step of many attacks. This paper presents a proactive network reconnaissance defense mechanism based on the temporal randomization of network IP addresses, MAC addresses and port numbers. The resulting information distortion minimizes the knowledge acquired by the attackers, hindering any attack that relies on network addressing. The temporal randomization of network attributes is performed in an adaptive way, minimizing the overhead introduced in the network and avoiding any error and latency in communications. The implementation as well as the tests have been carried out in a laboratory with real industrial equipment, demonstrating the effectiveness of the presented solution.

    Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting

    Industrial Control Systems are the set of specialized elements that monitor and control physical processes. Those systems are normally interconnected, forming environments known as industrial networks. The particularities of these networks disallow the usage of traditional IT security mechanisms, while allowing other security strategies not suitable for IT networks. As industrial network traffic flows follow constant and repetitive patterns, whitelisting has proved to be a viable approach for anomaly detection in industrial networks. In this paper, we present a network flow and related alert visualization system based on chord diagrams. The system represents the detected network flows within a time interval, highlighting the ones that do not comply with the whitelisting rules. Moreover, it also depicts the network flows that, even if they are registered in the whitelist, have not been detected in the selected time interval (e.g. a host is down). Finally, the visualization system is tested with network data coming from a real industrial network.

    A Study of Peripheral Modelling to Enable Embedded Firmware Emulation

    Embedded systems are constantly growing in number, and so are the attacks targeting them. One of the key factors in reducing the attack surface is discovering and fixing vulnerabilities in embedded firmware. Dynamic analysis is one of the most widely used methods for this purpose. Scaling dynamic analysis is necessary to accelerate this process, which entails creating firmware emulations that make it possible to dispense with the cost of purchasing hardware. We identify peripheral modelling as the central problem in enabling such emulations. We list the desirable characteristics of a peripheral modelling process, the challenges to be taken into account, and the different processes that have been used to address them in different scenarios.