40 research outputs found
A Survey on Industrial Control System Testbeds and Datasets for Security Research
The increasing digitization and interconnection of legacy Industrial Control
Systems (ICSs) open new vulnerability surfaces, exposing such systems to
malicious attackers. Furthermore, since ICSs are often employed in critical
infrastructures (e.g., nuclear plants) and manufacturing companies (e.g.,
chemical industries), attacks can lead to devastating physical damages. In
dealing with this security requirement, the research community focuses on
developing new security mechanisms such as Intrusion Detection Systems (IDSs),
facilitated by leveraging modern machine learning techniques. However, these
algorithms require a testing platform and a considerable amount of data to be
trained and tested accurately. To satisfy this prerequisite, Academia,
Industry, and Government are increasingly proposing testbed (i.e., scaled-down
versions of ICSs or simulations) to test the performances of the IDSs.
Furthermore, to enable researchers to cross-validate security systems (e.g.,
security-by-design concepts or anomaly detectors), several datasets have been
collected from testbeds and shared with the community. In this paper, we
provide a deep and comprehensive overview of ICSs, presenting the architecture
design, the employed devices, and the security protocols implemented. We then
collect, compare, and describe testbeds and datasets in the literature,
highlighting key challenges and design guidelines to keep in mind in the design
phases. Furthermore, we enrich our work by reporting the best performing IDS
algorithms tested on every dataset to create a baseline in state of the art for
this field. Finally, driven by knowledge accumulated during this survey's
development, we report advice and good practices on the development, the
choice, and the utilization of testbeds, datasets, and IDSs
EVScout2.0: Electric Vehicle Profiling Through Charging Profile
EVs (Electric Vehicles) represent a green alternative to traditional
fuel-powered vehicles. To enforce their widespread use, both the technical
development and the security of users shall be guaranteed. Privacy of users
represents one of the possible threats impairing EVs adoption. In particular,
recent works showed the feasibility of identifying EVs based on the current
exchanged during the charging phase. In fact, while the resource negotiation
phase runs over secure communication protocols, the signal exchanged during the
actual charging contains features peculiar to each EV. A suitable feature
extractor can hence associate such features to each EV, in what is commonly
known as profiling. In this paper, we propose EVScout2.0, an extended and
improved version of our previously proposed framework to profile EVs based on
their charging behavior. By exploiting the current and pilot signals exchanged
during the charging phase, our scheme is able to extract features peculiar for
each EV, allowing hence for their profiling. We implemented and tested
EVScout2.0 over a set of real-world measurements considering over 7500 charging
sessions from a total of 137 EVs. In particular, numerical results show the
superiority of EVScout2.0 with respect to the previous version. EVScout2.0 can
profile EVs, attaining a maximum of 0.88 recall and 0.88 precision. To the best
of the authors' knowledge, these results set a new benchmark for upcoming
privacy research for large datasets of EVs
Hyperloop: A Cybersecurity Perspective
Hyperloop is among the most prominent future transportation systems. First
introduced by Elon Musk, Hyperloop concept involves novel technologies to allow
traveling at a maximum speed of 1220km/h, while guaranteeing sustainability.
Due to the system's performance requirements and the critical infrastructure it
represents, its safety and security need to be carefully considered. In
cyber-physical systems, cyberattacks could lead to safety issues with
catastrophic consequences, both on the population and the surrounding
environment. Therefore, the cybersecurity of all the components and links in
Hyperloop represents a fundamental challenge. To this day, no research
investigated the cyber security of the technology used for Hyperloop.
In this paper, we propose the first analysis of the cybersecurity challenges
raised by Hyperloop technology. We base our analysis on the related works on
Hyperloop, distilling the common features which will be likely to be present in
the system. Furthermore, we provide an analysis of possible directions on the
Hyperloop infrastructure management, together with their security concerns.
Finally, we discuss possible countermeasures and future directions for the
security of the future Hyperloop design.Comment: 9 pages, 4 figures, 1 tabl
Assessing the Use of Insecure ICS Protocols via IXP Network Traffic Analysis
Modern Industrial Control Systems (ICSs) allow
remote communication through the Internet using industrial
protocols that were not designed to work with external networks.
To understand security issues related to this practice, prior work
usually relies on active scans by researchers or services such as
Shodan. While such scans can identify publicly open ports, they
cannot identify legitimate use of insecure industrial traffic. In
particular, source-based filtering in Network Address Translation
or Firewalls prevent detection by active scanning, but do not
ensure that insecure communication is not manipulated in transit.
In this work, we compare Shodan-only analysis with large-
scale traffic analysis at a local Internet Exchange Point (IXP),
based on sFlow sampling. This setup allows us to identify ICS
endpoints actually exchanging industrial traffic over the Internet.
Besides, we are able to detect scanning activities and what other
type of traffic is exchanged by the systems (i.e., IT traffic).
We find that Shodan only listed less than 2% of hosts that
we identified as exchanging industrial traffic, and only 7% of
hosts identified by Shodan actually exchange industrial traffic.
Therefore, Shodan does not allow to understand the actual use
of insecure industrial protocols on the Internet and the current
security practices in ICS communications. We show that 75.6%
of ICS hosts still rely on unencrypted communications without
integrity protection, leaving those critical systems vulnerable to
malicious attacks
A Statistical Analysis Framework for ICS Process Datasets
In recent years, several schemes have been proposed to detect anomalies and attacks on Cyber-Physical Systems (CPSs) such as Industrial Control Systems (ICSs). Based on the analysis of sensor data, unexpected or malicious behavior is detected. Those schemes often rely on (implicit) assumptions on temporally stable sensor data distributions and invariants between process values. Unfortunately, the proposed schemes often do not perform optimally, with Recall scores lower than 70% (e.g., missing 3 alarms every 10 anomalies) for some ICS datasets, with unclear root issues.
In this work, we propose a general framework to analyze whether a given ICS dataset has specific properties (stable sensor distributions in normal operations, potentially state-dependent), which then allows to determine whether certain Anomaly Detection approaches can be expected to perform well. We apply our framework to three datasets showing that the behavior of actuators and sensors are very different between Training set and Test set. In addition, we present high-level guides to consider when designing an Anomaly Detection System
Beware of Pickpockets: A Practical Attack against Blocking Cards
peer reviewedToday, we rely on contactless smart cards to perform several critical operations (e.g., payments and accessing buildings). Attacking smart cards can have severe consequences, such as losing money or leaking sensitive information. Although the security protections embedded in smart cards have evolved over the years, those with weak security properties are still commonly used. Among the different solutions, blocking cards are affordable devices to protect smart cards. These devices are placed close to the smart cards, generating a noisy jamming signal or shielding them. Whereas vendors claim the reliability of their blocking cards, no previous study has ever focused on evaluating their effectiveness. In this paper, we shed light on the security threats on smart cards in the presence of blocking cards, showing the possibility of being bypassed by an attacker. We analyze blocking cards by inspecting their emitted signal and assessing a vulnerability in their internal design.We propose a novel attack that bypasses the jamming signal emitted by a blocking card and reads the content of the smart card. We evaluate the effectiveness of 11 blocking cards when protecting a MIFARE Ultralight smart card and a MIFARE Classic card. Of these 11 cards, we managed to bypass 8 of them and successfully dump the content of a smart card despite the presence of the blocking card. Our findings highlight that the noise type implemented by the blocking cards highly affects the protection level achieved by them. Based on this observation, we propose a countermeasure that may lead to the design of effective blocking cards. To further improve security, we released the tool we developed to inspect the spectrum emitted by blocking cards and set up our attack
Cybersecurity of Modern Cyber-Physical Systems
Cyber-Physical Systems (CPSs) refer to those systems characterized by the interconnection of information technology and the physical process domains. These systems are nowadays employed in a wide range of applications, such as health monitoring, industrial control systems, and transportation. The recent digitalization and smartification of the processes required to integrate the Internet connection into CPSs, enabling functions like remote connection and cloud computing, but at the same opening new dangerous vulnerabilities surfaces. Indeed, recent events in history have shown many cyber-attacks and vulnerabilities discovered on CPSs. For this reason, there is still a need to contribute to securing such systems, both from the design and implementation points of view.
In this thesis, we analyze the cybersecurity of modern CPSs, identifying and highlighting the current vulnerabilities, the research gaps in terms of security, and the threats affecting them. Then, we propose novel security mechanisms to prevent potential cyber-attacks. This thesis is composed of three parts as follows.
In the first part of the thesis, we will focus on the security of Industrial Control Systems (ICSs). These systems are used to control and monitor critical infrastructures and industrial processes. As a first step, we gather all the knowledge in this field from the literature, and we provide a systematic analysis of the testing platform and the detection systems solutions operating on them. To motivate the necessity of improving the security of current industrial systems, we performed a measurement study highlighting the dramatic exposure of the communication protocols and services of more than industrial endpoints. Then, we developed and deployed an innovative ICS honeypot. While measuring the honeypot exposure, we noted that industrial systems are still highly targeted and interacted with by malicious actors over the internet on specific vulnerable industrial services.
In the second part of the thesis, we will look at the security of vehicular systems. Like ICSs, modern vehicles present vulnerabilities due to the adoption of legacy components, enabling the possibility of malicious exploits. To this end, we will focus on the internal communication bus of cars, we examine its vulnerabilities, the current solutions in the literature, and their limitations, and propose an innovative cryptographic key distribution system among the network nodes.
We will then focus on the emerging electric vehicle paradigm. We identified two possible cyber-attacks on this ecosystem. The first is based on a relay attack vulnerability, which implies charging illegitimate vehicle recharging fees. Instead, the second one consists of a privacy leakage from the current absorbed during the vehicle's recharging process.
In the third part of the thesis, we leverage the knowledge of our studies to investigate the security of CPS cross-domain applications.
In particular, we first present a survey on Power Side-Channel (PSC) exploits in the literature, focusing on existing attacks and countermeasures. Indeed, PSCs have been proven effective in reversing and profiling the functioning of many embedded devices (e.g., smart cards, vehicles, and laptops).
Then, we develop a novel framework to fingerprint Universal Serial Bus devices from their power consumption. This funding can be used, for instance, to securely authenticate a personal device and avoid malware delivery injection in critical applications (e.g., Stuxnet).
Finally, we present the first security analysis of the emerging Hyperloop transportation technology. Hyperloop merges the concepts of ICS since it consists of a critical, distributed, and sensing infrastructure, and the concept of vehicle, due to the pod communication management. As a result, Hyperloop inherits all the vulnerabilities and risks of the two systems.Cyber-Physical Systems (CPSs) refer to those systems characterized by the interconnection of information technology and the physical process domains. These systems are nowadays employed in a wide range of applications, such as health monitoring, industrial control systems, and transportation. The recent digitalization and smartification of the processes required to integrate the Internet connection into CPSs, enabling functions like remote connection and cloud computing, but at the same opening new dangerous vulnerabilities surfaces. Indeed, recent events in history have shown many cyber-attacks and vulnerabilities discovered on CPSs. For this reason, there is still a need to contribute to securing such systems, both from the design and implementation points of view.
In this thesis, we analyze the cybersecurity of modern CPSs, identifying and highlighting the current vulnerabilities, the research gaps in terms of security, and the threats affecting them. Then, we propose novel security mechanisms to prevent potential cyber-attacks. This thesis is composed of three parts as follows.
In the first part of the thesis, we will focus on the security of Industrial Control Systems (ICSs). These systems are used to control and monitor critical infrastructures and industrial processes. As a first step, we gather all the knowledge in this field from the literature, and we provide a systematic analysis of the testing platform and the detection systems solutions operating on them. To motivate the necessity of improving the security of current industrial systems, we performed a measurement study highlighting the dramatic exposure of the communication protocols and services of more than industrial endpoints. Then, we developed and deployed an innovative ICS honeypot. While measuring the honeypot exposure, we noted that industrial systems are still highly targeted and interacted with by malicious actors over the internet on specific vulnerable industrial services.
In the second part of the thesis, we will look at the security of vehicular systems. Like ICSs, modern vehicles present vulnerabilities due to the adoption of legacy components, enabling the possibility of malicious exploits. To this end, we will focus on the internal communication bus of cars, we examine its vulnerabilities, the current solutions in the literature, and their limitations, and propose an innovative cryptographic key distribution system among the network nodes.
We will then focus on the emerging electric vehicle paradigm. We identified two possible cyber-attacks on this ecosystem. The first is based on a relay attack vulnerability, which implies charging illegitimate vehicle recharging fees. Instead, the second one consists of a privacy leakage from the current absorbed during the vehicle's recharging process.
In the third part of the thesis, we leverage the knowledge of our studies to investigate the security of CPS cross-domain applications.
In particular, we first present a survey on Power Side-Channel (PSC) exploits in the literature, focusing on existing attacks and countermeasures. Indeed, PSCs have been proven effective in reversing and profiling the functioning of many embedded devices (e.g., smart cards, vehicles, and laptops).
Then, we develop a novel framework to fingerprint Universal Serial Bus devices from their power consumption. This funding can be used, for instance, to securely authenticate a personal device and avoid malware delivery injection in critical applications (e.g., Stuxnet).
Finally, we present the first security analysis of the emerging Hyperloop transportation technology. Hyperloop merges the concepts of ICS since it consists of a critical, distributed, and sensing infrastructure, and the concept of vehicle, due to the pod communication management. As a result, Hyperloop inherits all the vulnerabilities and risks of the two systems
EVExchange: A Relay Attack on Electric Vehicle Charging System
To support the increasing spread of Electric Vehicles (EVs), Charging
Stations (CSs) are being installed worldwide. The new generation of CSs employs
the Vehicle-To-Grid (V2G) paradigm by implementing novel standards such as the
ISO 15118. This standard enables high-level communication between the vehicle
and the charging column, helps manage the charge smartly, and simplifies the
payment phase. This novel charging paradigm, which connects the Smart Grid to
external networks (e.g., EVs and CSs), has not been thoroughly examined yet.
Therefore, it may lead to dangerous vulnerability surfaces and new research
challenges.
In this paper, we present EVExchange, the first attack to steal energy during
a charging session in a V2G communication: i.e., charging the attacker's car
while letting the victim pay for it. Furthermore, if reverse charging flow is
enabled, the attacker can even sell the energy available on the victim's car!
Thus, getting the economic profit of this selling, and leaving the victim with
a completely discharged battery. We developed a virtual and a physical testbed
in which we validate the attack and prove its effectiveness in stealing the
energy. To prevent the attack, we propose a lightweight modification of the ISO
15118 protocol to include a distance bounding algorithm. Finally, we validated
the countermeasure on our testbeds. Our results show that the proposed
countermeasure can identify all the relay attack attempts while being
transparent to the user.Comment: 20 pages, 6 figure
VLC Physical Layer Security through RIS-aided Jamming Receiver for 6G Wireless Networks
Visible Light Communication (VLC) is one the most promising enabling
technology for future 6G networks to overcome Radio-Frequency (RF)-based
communication limitations thanks to a broader bandwidth, higher data rate, and
greater efficiency. However, from the security perspective, VLCs suffer from
all known wireless communication security threats (e.g., eavesdropping and
integrity attacks). For this reason, security researchers are proposing
innovative Physical Layer Security (PLS) solutions to protect such
communication. Among the different solutions, the novel Reflective Intelligent
Surface (RIS) technology coupled with VLCs has been successfully demonstrated
in recent work to improve the VLC communication capacity. However, to date, the
literature still lacks analysis and solutions to show the PLS capability of
RIS-based VLC communication. In this paper, we combine watermarking and jamming
primitives through the Watermark Blind Physical Layer Security (WBPLSec)
algorithm to secure VLC communication at the physical layer. Our solution
leverages RIS technology to improve the security properties of the
communication. By using an optimization framework, we can calculate RIS phases
to maximize the WBPLSec jamming interference schema over a predefined area in
the room. In particular, compared to a scenario without RIS, our solution
improves the performance in terms of secrecy capacity without any assumption
about the adversary's location. We validate through numerical evaluations the
positive impact of RIS-aided solution to increase the secrecy capacity of the
legitimate jamming receiver in a VLC indoor scenario. Our results show that the
introduction of RIS technology extends the area where secure communication
occurs and that by increasing the number of RIS elements the outage probability
decreases