9 research outputs found

    Understanding indicators of compromise against cyber-attacks in industrial control systems: a security perspective

    Numerous sophisticated and nation-state attacks on Industrial Control Systems (ICSs) have occurred in recent years, exemplified by Stuxnet and the Ukrainian power grid attack. Measures taken post-incident are crucial to reduce damage, restore control, and identify the attack actors involved. By monitoring Indicators of Compromise (IOCs), the incident responder can detect triggers of malicious activity and respond quickly to a similar intrusion at an earlier stage. However, in order to implement IOCs in critical infrastructures, we need to understand their contexts and requirements. Unfortunately, there is no survey paper in the literature on IOCs in the ICS environment, and only limited information is provided in research articles. In this paper, we describe different standards for IOC representation and discuss the associated challenges that restrict security investigators from developing IOCs in the industrial sectors. We also discuss the potential IOCs against cyber-attacks in ICS systems. Furthermore, we conduct a critical analysis of existing works and available tools in this space. We evaluate the effectiveness of the identified IOCs by mapping these indicators to the most frequently targeted attacks in the ICS environment. Finally, we highlight the lessons to be learnt from the literature and the future problems in the domain, along with the approaches that might be taken.

    Leveraging Static Analysis Tools for Improving Usability of Memory Error Sanitization Compilers

    Memory errors such as buffer overruns are notorious security vulnerabilities. There has been considerable interest in having a compiler ensure the safety of compiled code, either through static verification or through instrumented runtime checks. While certifying compilation has shown much promise, it has not been practical, leaving code instrumentation as the next best strategy for compilation. We term such compilers Memory Error Sanitization Compilers (MESCs). MESCs are available as part of the GCC, LLVM and MSVC suites. Due to practical limitations, MESCs typically apply instrumentation indiscriminately to every memory access, and are consequently prohibitively expensive and practical only for small code bases. This work proposes a methodology that applies state-of-the-art static analysis techniques to eliminate unnecessary runtime checks, resulting in more efficient and scalable defenses. The methodology was implemented on LLVM's SAFECode, Integer Overflow, and AddressSanitizer passes, using static analysis from Frama-C and CodeSurfer. The benchmarks demonstrate an improvement in runtime performance that makes incorporation of runtime checks a viable option for defenses.

    An Interoperation Framework for Context-aware Access Control

    An access control system can be defined as a set of policies, models and enforcement mechanisms that are used to restrict access to the data and resources of an organization. This dissertation presents an approach for modeling and enforcing a context-aware access control model based on Role Based Access Control (RBAC) and Description Logic. In this approach, languages from the Semantic Web and ontologies are used to represent access control policies, and Description Logic reasoners are used to enforce those policies. To improve reasoning efficiency, a technique for ontology modularization is also presented. In addition, this dissertation presents two models for the integration of policies belonging to different organizations in collaborative environments. The first model uses a Global-as-View approach to integrate local RBAC policies, which are treated as local data sources to be integrated. These policies are integrated in a repository, which provides a global view over them and serves as a mediator for queries regarding the availability of resources and services in the local systems. We present a practical use for this model in the context of Grid systems and the Globus toolkit. The second model deals with data represented in XML format when access to these data is specified using the Mandatory Access Control (MAC) model. As the XML schemas are integrated into a common repository, the MAC policies associated with those data are also integrated in that common repository.