Jing-yi WANG,Tian-chen ZHU,Jia-wei KANG,Bo LI

DOI: https://doi.org/10.12783/dtcse/cmee2017/20039

2018-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:Facing the increasingly serious security problems in ICS, how to classify and generate threat intelligence effectively is of great importance in improving the safety of industrial control systems, helping them identify security threats and making corresponding preventions. In this paper, according to the classification of security events in the threat intelligence platform, we classify ICS security topic texts as information leakage, security vulnerabilities, network security, security suggestions, invasion, malware, or security events. Based on the OpenIOC framework, automatically analysis on the massive ICS security data can be done to generate the corresponding IOC file and obtain threat intelligence.

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Ruiwen He,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9346835

2020-01-01

Abstract:With the development of information technology and Power Internet of Things, the increasing number of networked terminals presents new network security threats. Industrial control equipment and systems have vulnerabilities in hardware, software and firmware, and advanced persistent threat against ICS has become more complex and diverse. However, most of the research are aimed at the detection of single vulnerability, and lack attack mechanism analysis and threat assessment for attack chain. We proposed a threat assessment method based on vulnerability descriptive text and described the attributes of attack samples according to the classification results in attack targets, methods and consequences. We constructed attack graphs based on attack sample attributes and cyber-physical topology to quantitatively evaluate the feasibility and benefits of each attack path from vulnerability capabilities and the impact of devices in the physical world. Finally, we took the substation device status monitoring system as an example to verify the feasibility of this method.

Jianxin Xu,Dongqin Feng

DOI: https://doi.org/10.1155/2017/2430835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:This paper discusses two aspects of major risks related to the cyber security of an industrial control system (ICS), including the exploitation of the vulnerabilities of legitimate communication parties and the features abused by unauthorized parties. We propose a novel framework for exposing the above two types of risks. A state fusion finite state machine (SF-FSM) model is defined to describe multiple request-response packet pair sequence signatures of various applications using the same protocol. An inverted index of keywords in an industrial protocol is also proposed to accomplish fast state sequence matching. Then we put forward the concept of scenario reconstruction, using state sequence matching based on SF-FSM, to present the known vulnerabilities corresponding to applications of a specific type and version by identifying the packet interaction characteristics from the data flow in the supervisory control layer network. We also implement an anomaly detection approach to identifying illegal access using state sequence matching based on SF-FSM. An anomaly is asserted if none of the state sequence signatures in the SF-FSM is matched with a packet flow. Ultimately, an example based on industrial protocols is demonstrated by a prototype system to validate the methods of scenario reconstruction and anomaly detection.

Taejun Choi,Guangdong Bai,Ryan K L Ko,Naipeng Dong,Wenlu Zhang,Shunyao Wang

DOI: https://doi.org/10.48550/arXiv.2101.11866

2021-01-28

Abstract:Industrial control systems (ICS) of critical infrastructure are increasingly connected to the Internet for remote site management at scale. However, cyber attacks against ICS - especially at the communication channels between humanmachine interface (HMIs) and programmable logic controllers (PLCs) - are increasing at a rate which outstrips the rate of mitigation. In this paper, we introduce a vendor-agnostic analytics framework which allows security researchers to analyse attacks against ICS systems, even if the researchers have zero control automation domain knowledge or are faced with a myriad of heterogenous ICS systems. Unlike existing works that require expertise in domain knowledge and specialised tool usage, our analytics framework does not require prior knowledge about ICS communication protocols, PLCs, and expertise of any network penetration testing tool. Using `digital twin' scenarios comprising industry-representative HMIs, PLCs and firewalls in our test lab, our framework's steps were demonstrated to successfully implement a stealthy deception attack based on false data injection attacks (FDIA). Furthermore, our framework also demonstrated the relative ease of attack dataset collection, and the ability to leverage well-known penetration testing tools. We also introduce the concept of `heuristic inference attacks', a new family of attack types on ICS which is agnostic to PLC and HMI brands/models commonly deployed in ICS. Our experiments were also validated on a separate ICS dataset collected from a cyber-physical scenario of water utilities. Finally, we utilized time complexity theory to estimate the difficulty for the attacker to conduct the proposed packet analyses, and recommended countermeasures based on our findings.

Cryptography and Security

Shangqing Cui,Dongqin Feng

DOI: https://doi.org/10.1109/icpeca56706.2023.10076096

2023-01-01

Abstract:With the application of Internet technologies in the industrial field, industrial control systems (ICS) have the possibility of suffering malicious network attacks. Because ICS is widely used in critical infrastructure, designing attack detection algorithms for it can effectively reduce losses. Many papers have built physical models for cyber-attacks against ICS and the corresponding detection algorithms have been proposed. However, the detection performance can be further improved. This paper establishes the simulation attack on the Tennessee Eastman (TE) process and proposes an improved support vector machine (SVM) method to detect integrity attacks. This algorithm uses contribution plots and recursive feature elimination to select features. Compared with the principal component analysis (PCA) feature extraction, the detection accuracy is improved. After adding system dynamics to the algorithm, the time to detect attacks is advanced.

Cheng Feng,Tingting Li,Zhanxing Zhu,Deeph Chana

DOI: https://doi.org/10.48550/arXiv.1709.06397

2017-09-19

Cryptography and Security

Abstract:Industrial control systems (ICS), which in many cases are components of critical national infrastructure, are increasingly being connected to other networks and the wider internet motivated by factors such as enhanced operational functionality and improved efficiency. However, set in this context, it is easy to see that the cyber attack surface of these systems is expanding, making it more important than ever that innovative solutions for securing ICS be developed and that the limitations of these solutions are well understood. The development of anomaly based intrusion detection techniques has provided capability for protecting ICS from the serious physical damage that cyber breaches are capable of delivering to them by monitoring sensor and control signals for abnormal activity. Recently, the use of so-called stealthy attacks has been demonstrated where the injection of false sensor measurements can be used to mimic normal control system signals, thereby defeating anomaly detectors whilst still delivering attack objectives. In this paper we define a deep learning-based framework which allows an attacker to conduct stealthy attacks with minimal a-priori knowledge of the target ICS. Specifically, we show that by intercepting the sensor and/or control signals in an ICS for a period of time, a malicious program is able to automatically learn to generate high-quality stealthy attacks which can achieve specific attack goals whilst bypassing a black box anomaly detector. Furthermore, we demonstrate the effectiveness of our framework for conducting stealthy attacks using two real-world ICS case studies. We contend that our results motivate greater attention on this area by the security community as we demonstrate that currently assumed barriers for the successful execution of such attacks are relaxed.

Dalin He,Huanyu Wang,Tuo Deng,Jishi Liu,Junnian Wang

DOI: https://doi.org/10.1016/j.cose.2024.104135

IF: 5.105

2024-09-27

Computers & Security

Abstract:The widespread deployment of IIoT edge devices makes them attractive victims for malicious activities. Consequently, how to implement trustworthy operations becomes a realistic topic in embedded systems. While most current physical systems for detecting malicious activities primarily focus on identifying known intrusion codes at the block level, they ignore that even an unnoticeable injected function can result in system-wide loss of security. In this paper, we propose a framework called CNDSW built on deep-learning side-channel analysis for function-level industrial control flow integrity monitoring. By collaboratively utilizing correlation analysis and deep-learning techniques, the dual window sliding monitoring mechanism in the proposed CNDSW framework demonstrates a real-time code intrusion tracking capacity on embedded controllers with a 99% detection accuracy on average. Instead of focusing on known block-level intrusions, we experimentally show that our model is feasible to detect function-level code intrusions without knowing the potential threat type. Besides, we further explore how different configurations of the CNDSW framework can help the monitoring process with different emphases and to which extent the model can concurrently detect multiple code intrusion activities. All our experiments are conducted on 32-bit ARM Cortex-M4 and 8-bit RISC MCUs across five different control flow programs, providing a comprehensive evaluation of the framework's capabilities.

computer science, information systems

Yukun LIU,Jianwei ZHUGE,Yixiong WU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017112703

2018-01-01

Abstract:Industrial Control System (ICS) is widely used in critical infrastructure projects related to the national economy and people's livelihood such as power generation,transmission and distribution,petrochemical industry,water treatment and transmission.Large-scale attack on ICS is a huge threat to critical infrastructure.At present,the proposed ransomware worm for ICS is limited by the isolation characteristics of industrial control network,and it is difficult to spread on a large scale.Based on the observed actual development scene of ICS,in order to solve the problem of high isolation for ICS,a novel ransomware worm threat model with a new attack path was proposed.Firstly,the engineer station was taken as the primary infection target.Then,the engineer station was used as the springboard to attack the industrial control devices in the internal network.Finally,the worm infection and ransom were realized.Based on the proposed threat model,ICSGhost,which was a ransomware worm prototype,was implemented.In the closed experimental environment,ICSGhost can realize worm infection for ICS with a predetermined attack path.At the same time,for the ransomware worm threat,the defense plan was discussed.The experimental results show that such threat exists,and because its propagation path is based on the actual development scene of ICS,it is difficult to detect and guard against.

Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Nastaran Mahmoudyar,Yaser Baseri,Ali A. Ghorbani,Mahdi Daghmehchi Firoozjaei

DOI: https://doi.org/10.1016/j.ijcip.2021.100487

IF: 3.683

2022-03-01

International Journal of Critical Infrastructure Protection

Abstract:Industrial control systems (ICSs) and critical infrastructure are targeted by sophisticated cyber incidents launched by skillful and persistent attackers. Due to political, public image, or industrial competition reasons, most incidents are not publicly reported. Therefore, their consequences and threats are not as known as well as those in information technology (IT) systems. This paper aims to provide a foundation for cyber risk assessment for operational technology (OT) systems. To this end, we review the adversarial tactics and techniques employed by attackers to launch ICS cyberattacks and analyze the attack mechanisms of six significant ICS cyber incidents in the energy and power industries, namely Stuxnet, BlackEnergy, Crashoverride, Triton, Irongate, and Havex. We introduce an evaluation framework to evaluate the threat level of the ICS cyber incidents based on their sophistication and incident consequences. Finally, we rate the analyzed ICS cyber incidents based on their threat scores. Our evaluation rates Stuxnet as the most sophisticated and high-threat ICS malware and Irongate the lowest. We hope our evaluation can shed light on the design of protection solutions for OT systems.

engineering, multidisciplinary,computer science, information systems

Muye Li,Yibin Huang,Heng Pan

DOI: https://doi.org/10.1109/iaeac47372.2019.8997670

2019-12-01

Abstract:In recent years, safety incidents of industrial control systems (ICS) have occurred frequently. On the one hand, the gradual adaptation of standards, general communication protocols and software and hardware systems to ICS reduces the attack difficulty of ICS. On the other hand, more and more vulnerability researchers focus on ICS which is becoming the focus of network attackers. This paper analyses the vulnerability and security risks of the current ICS architecture, network environment, communication protocols and supporting software. With the help of the concept of Cyber Kill Chain, the two stages of network attack in ICS are elaborated in detail. Combining with Havex and Stuxnet virus, the mechanism of network intrusion attack in ICS is analyzed comprehensively and thoroughly, which provides effective technical support for the research of ICS network attack defense.

Sachin Sen,Lei Song

DOI: https://doi.org/10.1109/ieacon51066.2021.9654520

2021-11-22

Abstract:Behind the great success of the current internet, Open Systems Interconnect (OSI) and Transport Control Protocol/Internet Protocol (TCP/IP) standards play the most important role. Whereas, due to a lack of standard architectures, industrial internet is lagging behind. This makes industrial internet applications experience increased security risks due to their integration with the information technology and exposure to the public internet. In this research, we propose a layered architecture for industrial internet of things (IIoT) based networked industrial control systems (n-ICS). Layer-wise functionality of this architecture could be useful in identifying necessary security protocols for each layer. Subsequently, this might assist in allocating resources towards the secure operation of industrial applications. To validate the proposed architecture, we modelled a water flow control system, where we demonstrated a data deception attack on its operation at the physical layer. This demonstration validates that from within the close proximity of networked control systems, threat actors can launch possible attacks to deceive physical industrial applications. Our proposed system includes a network communication architecture and a corresponding security architecture aligning with the network architecture. This will facilitate the design of security suites and/or the allocation of security resources on the basis of layered network functionalities.

Constantine Doumanidis,Prashant Hari Narayan Rajput,Michail Maniatakos

DOI: https://doi.org/10.48550/arXiv.2202.10075

2023-04-21

Abstract:Industrial Control Systems (ICS) have played a catalytic role in enabling the 4th Industrial Revolution. ICS devices like Programmable Logic Controllers (PLCs), automate, monitor, and control critical processes in industrial, energy, and commercial environments. The convergence of traditional Operational Technology (OT) with Information Technology (IT) has opened a new and unique threat landscape. This has inspired defense research that focuses heavily on Machine Learning (ML) based anomaly detection methods that run on external IT hardware, which means an increase in costs and the further expansion of the threat landscape. To remove this requirement, we introduce the ICS machine learning inference framework (ICSML) which enables executing ML model inference natively on the PLC. ICSML is implemented in IEC 61131-3 code and provides several optimizations to bypass the limitations imposed by the domain-specific languages. Therefore, it works on every PLC without the need for vendor support. ICSML provides a complete set of components for creating full ML models similarly to established ML frameworks. We run a series of benchmarks studying memory and performance, and compare our solution to the TFLite inference framework. At the same time, we develop domain-specific model optimizations to improve the efficiency of ICSML. To demonstrate the abilities of ICSML, we evaluate a case study of a real defense for process-aware attacks targeting a desalination plant.

Machine Learning,Cryptography and Security,Systems and Control

Wei Yang,Chao Liu,Hongwei Yan,Yu Yao,F. Yan,M. Li,X. Hou,Y. Long

DOI: https://doi.org/10.1051/e3sconf/202452201039

2024-05-07

E3S Web of Conferences

Abstract:With the development of digitalization, industrial control network have more connections and open to external network, which breaks their "isolation" from Internet and makes them more vulnerable to be attacked especially by malicious code. To model and analyze the impact of different containment strategies for attacks by malicious code in the industrial control network, the SUIQMR model is established to simulate malicious code propagation. Since the industrial control network is often coupled with Internet, industrial control coupling network is also considered in the SUIQMR model and the containment strategies of quarantine,benign worms and honeypot are added into the model to evaluate their effect against malicious code propagation.The simulation results show the effectiveness of our model.

Mary Nankya,Robin Chataut,Robert Akl

DOI: https://doi.org/10.3390/s23218840

IF: 3.9

2023-10-31

Sensors

Abstract:Industrial Control Systems (ICS), which include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC), play a crucial role in managing and regulating industrial processes. However, ensuring the security of these systems is of utmost importance due to the potentially severe consequences of cyber attacks. This article presents an overview of ICS security, covering its components, protocols, industrial applications, and performance aspects. It also highlights the typical threats and vulnerabilities faced by these systems. Moreover, the article identifies key factors that influence the design decisions concerning control, communication, reliability, and redundancy properties of ICS, as these are critical in determining the security needs of the system. The article outlines existing security countermeasures, including network segmentation, access control, patch management, and security monitoring. Furthermore, the article explores the integration of machine learning techniques to enhance the cybersecurity of ICS. Machine learning offers several advantages, such as anomaly detection, threat intelligence analysis, and predictive maintenance. However, combining machine learning with other security measures is essential to establish a comprehensive defense strategy for ICS. The article also addresses the challenges associated with existing measures and provides recommendations for improving ICS security. This paper becomes a valuable reference for researchers aiming to make meaningful contributions within the constantly evolving ICS domain by providing an in-depth examination of the present state, challenges, and potential future advancements.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Chunjie Zhou,Bowen Hu,Yang Shi,Yu-Chu Tian,Xuan Li,Yue Zhao

DOI: https://doi.org/10.1109/jproc.2020.3034595

IF: 20.6

2021-04-01

Proceedings of the IEEE

Abstract:With the rapid development of functional requirements in the emerging Industry 4.0 era, modern industrial control systems (ICSs) are no longer isolated islands, making them more vulnerable to various cyberattack threats. Cyberattacks on ICSs may have disruptive consequences, such as significant social and economic losses. To proactively address the security issue of ICSs, this article presents a unified architectural approach from the perspectives of cyberthreats on ICSs, security-related ICS technologies, and methods for ICSs. It incorporates secure networks, secure control systems, secure physical processes, and their interactions seamlessly into a unified framework. To increase the resistance of ICSs against intrusions, the network security in our architectural approach is to secure the data in motion through the integration of secure network architecture, secure industrial network protocols, and secure end-to-end communications. The protection of control systems in our architectural approach is risk-based and hierarchical and encompasses prevention- and tolerance-centric defenses. It provides a layer-by-layer defense so that an acceptable level of cybersecurity risk is achieved and maintained. Aiming to maintain the stable operation of physical ICS processes, the secure control in our architectural approach implements a security process against process-aware attacks through a resilient safety control scheme. The global and systematic architectural approach presented in this article for the ICS cybersecurity will help facilitate the design and implementation of cyberattack-resilient ICSs in the networked world. For further development of ICS security technologies, emerging challenges are identified and discussed to motivate future research efforts.

engineering, electrical & electronic

Sridhar Adepu,Ferdinand Brasser,Luis Garcia,Michael Rodler,Lucas Davi,Ahmad-Reza Sadeghi,Saman Zonouz

DOI: https://doi.org/10.1109/iccps48487.2020.00011

2020-04-01

Abstract:Cyber-physical control systems, such as industrial control systems (ICS), are increasingly targeted by cyberattacks. Such attacks can potentially cause tremendous damage, affect critical infrastructure or even jeopardize human life when the system does not behave as intended. Cyberattacks, however, are not new and decades of security research have developed plenty of solutions to thwart them. Unfortunately, many of these solutions cannot be easily applied to safety-critical cyber-physical systems. Further, the attack surface of ICS is quite different from what can be commonly assumed in classical IT systems. We present Scadman, a novel control-logic aware anomaly detection system for distributed cyber-physical systems. By observing the system-wide behavior, the correctness of individual controllers (like programmable logic controllers–PLCs) in ICS can be verified. This allows Scadman to detect a wide range of attacks, including malware attacks, code-reuse and dataonly attacks, as well as sensor attacks. We implemented and evaluated Scadman based on a real-world water treatment testbed for ICS security research and training. Our results show that we can detect a wide range of attacks–including attacks that have previously been undetectable by typical state estimation techniques–while causing no false-positive warning for nominal threshold values.

Zahra Jadidi,Yi Lu

DOI: https://doi.org/10.1109/access.2021.3133260

IF: 3.9

2021-01-01

IEEE Access

Abstract:An Industrial Control System (ICS) adversary often takes different actions to exploit vulnerabilities, pass the border between Information Technology (IT) and Operational Technology (OT) networks, and launch a targeted attack against OT networks. Detecting these threat actions in early phases before the final stage of the attacks can be executed against industrial endpoints can help prevent adversaries from achieving their goals. Threat hunting in IT networks has been previously studied, and several hunting methods have been proposed. However, these methods are not sufficient for ICSs, as the integration of industrial legacy systems with advanced IT networks has introduced new types of vulnerabilities and changed the behaviour of attacks. The lack of a unified hunting solution for integrated IT and OT networks is the gap that is considered in our paper. The contribution of this paper is an ICS Threat Hunting Framework (ICS-THF) which focuses on detecting cyber threats against ICS devices in the earliest phases of the attack lifecycle. ICS-THF consists of three stages, threat hunting triggers, threat hunting, and cyber threat intelligence. The threat hunting trigger stage identifies events or external resources that can trigger the hunting stage. The hunting stage uses a combination of the MITRE ATT&CK Matrix and a Diamond model of intrusion analysis to generate a hunting hypothesis and to predict the future behaviour of the adversary. This hypothesis will be validated by analysing Diamond models of threat actions. Finally, the cyber threat intelligence stage is responsible for generating Indicators of Compromise (IoCs) to be used for future threat hunting. The Black Energy 3 malware, PLC-Blaster malware, and SWaT dataset are used in this paper to evaluate the efficiency of the proposed framework.

Colman McGuan,Chansu Yu,Qin Lin

DOI: https://doi.org/10.48550/arXiv.2308.16769

2023-08-31

Cryptography and Security

Abstract:The protection of Industrial Control Systems (ICS) that are employed in public critical infrastructures is of utmost importance due to catastrophic physical damages cyberattacks may cause. The research community requires testbeds for validation and comparing various intrusion detection algorithms to protect ICS. However, there exist high barriers to entry for research and education in the ICS cybersecurity domain due to expensive hardware, software, and inherent dangers of manipulating real-world systems. To close the gap, built upon recently developed 3D high-fidelity simulators, we further showcase our integrated framework to automatically launch cyberattacks, collect data, train machine learning models, and evaluate for practical chemical and manufacturing processes. On our testbed, we validate our proposed intrusion detection model called Minimal Threshold and Window SVM (MinTWin SVM) that utilizes unsupervised machine learning via a one-class SVM in combination with a sliding window and classification threshold. Results show that MinTWin SVM minimizes false positives and is responsive to physical process anomalies. Furthermore, we incorporate our framework with ICS cybersecurity education by using our dataset in an undergraduate machine learning course where students gain hands-on experience in practicing machine learning theory with a practical ICS dataset. All of our implementations have been open-sourced.