1,419 research outputs found

    Defending Against Firmware Cyber Attacks on Safety-Critical Systems

    In the past, it was not possible to update the underlying software in many industrial control devices. Engineering teams had to ‘rip and replace’ obsolete components. However, the ability to make firmware updates has provided significant benefits to the companies who use Programmable Logic Controllers (PLCs), switches, gateways and bridges as well as an array of smart sensor/actuators. These updates include security patches when vulnerabilities are identified in existing devices; they can be distributed by physical media but are increasingly downloaded over Internet connections. These mechanisms pose a growing threat to the cyber security of safety-critical applications, which are illustrated by recent attacks on safety-related infrastructures across the Ukraine. Subsequent sections explain how malware can be distributed within firmware updates. Even when attackers cannot reverse engineer the code necessary to disguise their attack, they can undermine a device by forcing it into a constant upload cycle where the firmware installation never terminates. In this paper, we present means of mitigating the risks of firmware attack on safety-critical systems as part of wider initiatives to secure national critical infrastructures. Technical solutions, including firmware hashing, must be augmented by organizational measures to secure the supply chain within individual plants, across companies and throughout safety-related industries

    Continuous cohomology and homology of profinite groups

    We develop cohomological and homological theories for a profinite group G with coefficients in the Pontryagin dual categories of pro-discrete and ind-profinite G-modules, respectively. The standard results of group (co)homology hold for this theory: we prove versions of the Universal Coefficient Theorem, the Lyndon-Hochschild-Serre spectral sequence and Shapiro's Lemma

    Statistical Mechanics of the Hyper Vertex Cover Problem

    We introduce and study a new optimization problem called Hyper Vertex Cover. This problem is a generalization of the standard vertex cover to hypergraphs: one seeks a configuration of particles with minimal density such that every hyperedge of the hypergraph contains at least one particle. It can also be used in important practical tasks, such as the Group Testing procedures where one wants to detect defective items in a large group by pool testing. Using a Statistical Mechanics approach based on the cavity method, we study the phase diagram of the HVC problem, in the case of random regular hypergraphs. Depending on the values of the variables and tests degrees different situations can occur: The HVC problem can be either in a replica symmetric phase, or in a one-step replica symmetry breaking one. In these two cases, we give explicit results on the minimal density of particles, and the structure of the phase space. These problems are thus in some sense simpler than the original vertex cover problem, where the need for a full replica symmetry breaking has prevented the derivation of exact results so far. Finally, we show that decimation procedures based on the belief propagation and the survey propagation algorithms provide very efficient strategies to solve large individual instances of the hyper vertex cover problem. Comment: Submitted to PR

    Building Regression Models with the Forward Search

    We give an example of the use of the forward search in building a regression model. The standard backwards elimination of variables is supplemented by forward plots of added variable t statistics that exhibit the effect of each observation on the process of model building. Attention is also paid to the effect of individual observations on selection of a transformation. Variable selection using AIC is mentioned, as is the analysis of multivariate data

    Anomaly diagnosis in industrial control systems for digital forensics

    Over several decades, Industrial Control Systems (ICS) have become more interconnected and highly programmable. An increasing number of sophisticated cyber-attacks have targeted ICS with a view to cause tangible damage. Despite the stringent functional safety requirements mandated within ICS environments, critical national infrastructure (CNI) sectors and ICS vendors have been slow to address the growing cyber threat. In contrast with the design of information technology (IT) systems, security of control systems has not typically been an intrinsic design principle for ICS components, such as Programmable Logic Controllers (PLCs). These factors have motivated substantial research addressing anomaly detection in the context of ICS. However, detecting incidents alone does not assist with the response and recovery activities that are necessary for ICS operators to resume normal service. Understanding the provenance of anomalies has the potential to enable the proactive implementation of security controls, and reduce the risk of future attacks. Digital forensics provides solutions by dissecting and reconstructing evidence from an incident. However, this has typically been positioned from a post-incident perspective, which inhibits rapid triaging, and effective response and recovery, an essential requirement in critical ICS. This thesis focuses on anomaly diagnosis, which involves the analysis of and discrimination between different types of anomalous event, positioned at the intersection between anomaly detection and digital forensics. An anomaly diagnosis framework is proposed that includes mechanisms to aid ICS operators in the context of anomaly triaging and incident response. PLCs have a fundamental focus within this thesis due to their critical role and ubiquitous application in ICS. An examination of generalisable PLC data artefacts produced a taxonomy of artefact data types that focus on the device data generated and stored in PLC memory. 
Using the artefacts defined in this first stage, an anomaly contextualisation model is presented that differentiates between cyber-attack and system fault anomalies. Subsequently, an attack fingerprinting approach (PLCPrint) generates near real-time compositions of memory fingerprints within 200ms, by correlating the static and dynamic behaviour of PLC registers. This establishes attack type and technique provenance, and maintains the chain-of-evidence for digital forensic investigations. To evaluate the efficacy of the framework, a physical ICS testbed modelled on a water treatment system is implemented. Multiple PLC models are evaluated to demonstrate vendor neutrality of the framework. Furthermore, several generalised attack scenarios are conducted based on techniques identified from real PLC malware. The results indicate that PLC device artefacts are particularly powerful at detecting and contextualising an anomaly. In general, we achieve high F1 scores of at least 0.98 and 0.97 for anomaly detection and contextualisation, respectively, which are highly competitive with existing state-of-the-art literature. The performance of PLCPrint emphasises how PLC memory snapshots can precisely and rapidly provide provenance by classifying cyber-attacks with an accuracy of 0.97 in less than 400ms. The proposed framework offers a much needed novel approach through which ICS components can be rapidly triaged for effective response

    Driver response to take-over requests in real traffic

    Existing research on control-transitions from automated driving (AD) to manual driving mainly stems from studies in virtual settings. There is a need for studies conducted in real settings to better understand the impacts of increasing vehicle automation on traffic safety. This study aims specifically to understand how drivers respond to take-over requests (TORs) in real traffic by investigating the associations between 1) where drivers look when receiving the TOR, 2) repeated exposure to TORs, and 3) the drivers’ response process. In total, thirty participants were exposed to four TORs after about 5–6 min of driving with AD on public roads. While in AD, participants could choose to engage in non-driving-related tasks (NDRTs). When they received the TOR, for 38% of TORs, participants were already looking on path. For those TORs where drivers looked off path at the time of the TOR, the off-path glance was most commonly towards an NDRT item. Then, for 72% of TORs (independent on gaze direction), drivers started their response process to the TOR by looking towards the instrument cluster before placing their hands on the steering wheel and their foot on the accelerator pedal, and deactivating automation. Both timing and order of these actions varied among participants, but all participants deactivated AD within 10 s from the TOR. The drivers’ gaze direction at the TOR had a stronger association with the response process than the repeated exposure to TORs did. Drivers can respond to TORs in real traffic. However, the response should be considered as a sequence of actions that requires a certain amount of time

    Counterpropagating frequency mixing with terahertz waves in diamond

    Frequency conversion by means of Kerr-nonlinearity is one of the most common and exploited nonlinear optical processes in the UV, visible, IR and Mid-IR spectral regions. Here we show that wave mixing of an optical field and a Terahertz wave can be achieved in diamond, resulting in the frequency conversion of the THz radiation either by sum- or difference-frequency generation. In the latter case, we show that this process is phase-matched and most efficient in a counter-propagating geometry

    CCD-based imaging and 3D space--time mapping of terahertz fields via Kerr frequency conversion

    We investigate the spatially and temporally resolved four-wave mixing of terahertz (THz) fields and optical pulses in large-bandgap dielectrics, such as diamond. We show that it is possible to perform beam profiling and space–time resolved mapping of THz fields by encoding the spatial information into an optical signal, which can then be recorded by a standard CCD camera

    Quantum Measurement and Entropy Production

    We study the time evolution of a quantum system without classical counterpart, undergoing a process of entropy increase due to the environment influence. We show that if the environment-induced decoherence is interpreted in terms of wave-function collapses, a symbolic sequence can be generated. We prove that the Kolmogorov-Sinai entropy of this sequence coincides with rate of von Neumann entropy increase. Comment: 5 pages, 2 figure

    Comparison of Internal Adaptation of Bulk-fill and Increment-fill Resin Composite Materials

    Objectives: To evaluate 1) the internal adaptation of a light-activated incremental-fill and bulk-fill resin-based composite (RBC) materials by measuring the gap between the restorative material and the tooth structure and 2) the aging effect on internal adaptation. Methods and Materials: Seventy teeth with class I cavity preparations were randomly distributed into five groups; four groups were restored with bulk-fill RBCs: Tetric EvoCeram Bulk Fill (TEC), SonicFill (SF), QuiXX Posterior Restorative (QX), and X-tra fil (XF); the fifth group was restored with incremental-fill Filtek Supreme Ultra Universal Restorative (FSU). One-half of the specimens of each group were thermocycled. Each tooth was sectioned, digital images were recorded, and the dimensions of any existing gaps were measured. Data were analyzed using analysis of variance (α=0.05). Results: FSU had the smallest gap measurement values compared with the bulk-fill materials except QX and TEC (p≤0.008). FSU had the smallest sum of all gap category values compared with the bulk-fill materials, except QX (p≤0.021). The highest gap incidence and size values were found at the composite/adhesive interface. All aged groups had greater gap values in regard to the gap measurement and the sum of all gap categories compared with non-aged groups. Significance: The incrementally placed material FSU had the highest internal adaptation to the cavity surface, while the four bulk-fill materials showed varied results. Thermocycling influenced the existing gap area magnitudes. The findings suggest that the incremental-fill technique produces better internal adaptation than the bulk-fill technique