
    Identifying Near-Optimal Single-Shot Attacks on ICSs with Limited Process Knowledge

    Industrial Control Systems (ICSs) rely on insecure protocols and devices to monitor and operate critical infrastructure. Prior work has demonstrated that powerful attackers with detailed system knowledge can manipulate exchanged sensor data to deteriorate the performance of the process, even leading to full shutdowns of plants. Identifying those attacks requires iterating over all possible sensor values and running detailed system simulation or analysis to identify optimal attacks. That setup allows adversaries to identify attacks that are most impactful when applied to the system for the first time, before the system operators become aware of the manipulations. In this work, we investigate whether constrained attackers without detailed system knowledge and simulators can identify comparable attacks. In particular, the attacker only requires abstract knowledge of the general information flow in the plant, instead of precise algorithms, operating parameters, process models, or simulators. We propose an approach that allows single-shot attacks, i.e., near-optimal attacks that reliably shut down a system on the first try. The approach is applied and validated on two use cases, and demonstrated to achieve results comparable to prior work, which relied on detailed system information and simulations.
    Comment: This paper has been accepted at Applied Cryptography and Network Security (ACNS) 202

    Towards Automated Identification and Assessment of Security Weaknesses in Smart Buildings

    Smart buildings are equipped with computer systems that monitor and control diverse services such as air conditioning, indoor transportation, physical access control, and many others. Critical infrastructures like hospitals, airports, and data centers leverage such services to support their daily operations. However, the current popularity of smart buildings is founded on a decades-long history. Smart building systems have evolved from isolated networks using proprietary protocols to IT-integrated systems that use standardized communication protocols. They might even be connected to the Internet to allow remote building management. This transition has exposed smart buildings to a whole new set of security threats. For instance, there have been documented cases where attackers have managed to remotely disrupt the environmental conditions and physical access control of smart buildings. Due to the crucial role that smart buildings play in supporting organizations and the serious threat of cyber attacks against them, there is a pressing need to investigate how to improve their current security posture. The transfer of mature IT security solutions to smart building systems seems a natural approach to enhance their security; however, the fundamental differences between both domains often require significant adaptation effort or the development of completely new solutions. For this reason, in recent years, a growing body of knowledge about smart building security has been developed. However, most of these solutions have focused on intrusion detection, and little effort has been made to prevent cyber attacks. An effective way to prevent cyber attacks against smart buildings is to preemptively handle security weaknesses in the customized applications and configurations that run the system. Unfortunately, this is often overlooked by smart building administrators due to, e.g., a lack of specialized tools, staff, and training.
    We identify not only a research gap regarding this important task, but also an urgent need to provide (semi-)automated tools that help overcome the limitations faced by smart building administrators. The implementation of these tools requires sophisticated methods that incorporate technical and business-related insights to handle weaknesses according to the organization’s best interest. In this thesis, we investigate how to implement the first stages of a vulnerability management process for smart building applications and configurations. Beyond just vulnerabilities, we consider the weaknesses that give rise to vulnerabilities. In particular, our contributions address the identification and assessment of security weaknesses for later remediation. These are two key activities to preemptively strengthen the security of smart buildings. The identification of weaknesses is the basis of any vulnerability management process, as it provides the first insights into the current security state of a system. This is a challenging task because a deep understanding of the system’s inner workings is often needed to obtain meaningful findings. We propose two approaches to identify security weaknesses: one focused on smart building applications and another on smart building configurations. In the first case, we model the application as a graph data structure comprised of sensors, setpoints, actuators, and control function nodes. The relationships among these components reveal the architecture of the system, which can then be analyzed in the search for security weaknesses. In the second case, we look for component misconfigurations that can be observed in their behavior, i.e., the way they interact with other components in the system. Leveraging official documentation from the components’ manufacturers, we create a model of valid behavior for each of them, which is then compared with their actual behavior as observed in the network traffic.
    After identifying security weaknesses, we assess the sensitivity of the affected components, which is an important factor in prioritizing weaknesses for later remediation. We propose a comprehensive approach to assess the sensitivity of smart building components based on technical and business-related features. The proposed methods are evaluated in real smart buildings, and additional experiments are performed in testbeds and comparable simulated environments. These evaluations confirm the feasibility and effectiveness of our (semi-)automated weakness identification and assessment approaches.

    BACGraph: Automatic Extraction of Object Relationships in the BACnet Protocol

    This work presents BACGRAPH, a tool that extracts relationships among configuration parameters of Building Automation and Control Systems (BACSs) implemented using the BACnet protocol (ISO 16484-5). BACnet models these configuration parameters as object data structures comprised of multiple properties, some of which contain references to other objects. Given the regular exchange of objects among devices, we leverage these explicit references to build a graph of BACnet objects exclusively from network traffic. We tested BACGRAPH using traffic collected from a real building located at the University of Twente. After analyzing 66.8 hours of traffic, the resulting graph is comprised of 13,733 nodes and 3,169 edges. Such a graph improves the system visibility that BACS administrators have over their infrastructure, which is crucial for troubleshooting and security.
