Ying Liu,Dongqin Feng

DOI: https://doi.org/10.1109/iccasit48058.2019.8973161

2019-01-01

Abstract:Computer network technology has been increasingly infiltrated into the industrial control system and made the security problems more complex and changeable. Network security situation awareness technology can perceive the real-time threats that the network faced, and provide reliable basis for decision-making. This paper mainly focuses on the situation assessment and introduces finite state machine and fuzzy logic theory. Finite state machine can intuitively show the internal state transition of the industrial control system and detect the malicious packet attack's type and severity. Fuzzy logic balances the semantic fuzziness and event uncertainty in the process of situation assessment, fuses the output data of the state machine and obtains the threat level which is helpful for decision analysis. Proved, the method proposed in this paper can give a reasonable and accurate security assessment of industrial control system.

Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Ruiwen He,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9346835

2020-01-01

Abstract:With the development of information technology and Power Internet of Things, the increasing number of networked terminals presents new network security threats. Industrial control equipment and systems have vulnerabilities in hardware, software and firmware, and advanced persistent threat against ICS has become more complex and diverse. However, most of the research are aimed at the detection of single vulnerability, and lack attack mechanism analysis and threat assessment for attack chain. We proposed a threat assessment method based on vulnerability descriptive text and described the attributes of attack samples according to the classification results in attack targets, methods and consequences. We constructed attack graphs based on attack sample attributes and cyber-physical topology to quantitatively evaluate the feasibility and benefits of each attack path from vulnerability capabilities and the impact of devices in the physical world. Finally, we took the substation device status monitoring system as an example to verify the feasibility of this method.

Ming Wan,Minglei Hao,Yang Li,Jianming Zhao,Ying Li

DOI: https://doi.org/10.1145/3586102.3586127

2022-01-01

Abstract:Due to the rapid development of industrial automation, ICSs (Industrial Control Systems) gradually expose their potential security vulnerabilities, and are facing more and more serious security risks. Although different industrial security technologies have been developed to strengthen industrial security protection, they always struggle for their own because of their standalone and non-related functions, and their actual defense effects are not encouraging. This paper first summarizes some intrinsic security vulnerabilities in ICSs, and analyzes the main causes to generate each class of vulnerabilities. Furthermore, five popular security technologies which have been successfully applied in today's ICSs are introduced, and their advantages and shortages are also compared by explaining each working mechanism. In order to take full advantage of various industrial security technologies, this paper proposes one novel cooperative defense model based P2DR (Policy, Protection, Detection and Response), which establishes the dynamical defense process to integrate five different industrial security technologies. Under the guidance of security policies, this model can comprehensively utilize the resources of various industrial security technologies to learn and judge current security status of the whole system, and effectively adjust the optimum deployment to provide the strongest protection with the lowest risk. Finally, one applicable case based on the proposed model is designed to verify the feasibility of cooperative defense in ICSs.

Jiajun Shen,Dongqin Feng

DOI: https://doi.org/10.1155/2016/4147251

2016-01-01

Journal of Control Science and Engineering

Abstract:With the development of industrial informatization, the industrial control network has gradually become much accessible for attackers. A series of vulnerabilities will therefore be exposed, especially the vulnerability of exclusive industrial communication protocols (ICPs), which has not yet been attached with enough emphasis. In this paper, stochastic game theory is applied on the vulnerability analysis of clock synchronization protocol (CSP), one of the pivotal ICPs. The stochastic game model is built strictly according to the protocol with both Man-in-the-Middle (MIM) attack and dependability failures being taken into account. The situation of multiple attack routes is considered for depicting the practical attack scenarios, and the introduction of time aspect characterizes the success probabilities of attackers actions. The vulnerability analysis is then realized through determining the optimal strategies of attacker under different states of system, respectively.

Heng Zhang,Yinchu Wang,Yawen Xue,Ruilong Deng,Hongran Li,Jian Zhang

DOI: https://doi.org/10.23919/ccc63176.2024.10662787

2024-01-01

Abstract:Industrial network control systems (INCSs) are easy to be targeted by attackers due to their high economic value. Most of the existing defense methods are deployed at the network boundary, which causes high-security risks to INCS once an attacker enters the system. In addition, many existing intrusion detection systems (IDSs) build detection models based on historical data. When INCS lacks sufficient historical data, it is difficult to build detection models with high accuracy. In this paper, we propose a trust assessment model for INCS based on Fourier series fitting employing concept of zero trust to assess the real-time trust of INCS. The model alerts when INCS has low trust. We test two data injection attacks in the experiment to prove the effectiveness of our approach.

Chunjie Zhou,Xuan Li,Shuanghua Yang,Yu-Chu Tian

DOI: https://doi.org/10.1109/tii.2019.2903224

IF: 12.3

2020-05-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial control systems (ICSs) in networked environments face severe cyber-security risks and challenges. A timely response to cyber-attacks is of paramount importance for mitigating risks. However, the security policy developed for an ICS may be conflicting with the ICS's safety policy, on which much attention has been paid for a long time in industrial control. An inappropriate enforcement of the security policy may deteriorate the ICS performance or even result in severe unexpected consequences. To tackle this problem, a risk-based security task scheduling approach is presented for ICSs with consideration of the safety policy. It ensures a timely response to cyber-attacks without compromising safety. More specifically, the approach reconciles security tasks and safety tasks according to a designed resolution policy, so as to acquire contradiction-free security and safety (S&S) tasks. Then, a real-time risk assessment method is developed to characterize the subtle change of the system risk with the implementation of the reconciled S&S tasks. After that, a task scheduling method is designed with the risk as the optimization objective, i.e., it searches the optimal task scheduling scheme by minimizing the risk posture. The resulting scheduling scheme ensures the smooth implementation of the S&S policy, which reflects the optimal recovery process against the risk. Finally, case studies on a hardware-in-the-loop testbed are conducted to demonstrate the effectiveness of the proposed approach.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang

DOI: https://doi.org/10.1016/j.comnet.2020.107677

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>Supervisory Control and Data Acquisition (SCADA) systems are becoming increasingly susceptible to the sophisticated and targeted cyber attacks which are typically carried out by exploiting the vulnerabilities of industrial control devices or protocols. However, most of the existing network intrusion detection methods only focus on detecting and characterizing cyber attacks against the SCADA system, but cannot fully describe their real impact on the system. In this paper, we propose a cyber-physical model for the SCADA system to detect intrusions from the SCADA network and evaluate their risk levels against the industrial process. The model aims at characterizing the network structure and industrial process of the SCADA system through extracting and correlating the communication patterns and states of ICS devices. And any violation of the model is considered abnormal behavior, which can be caused by false operation or network attacks. Through associating network intrusions with the status of the SCADA system, a risk assessment method is proposed to estimate the potential damage degree of the attack on the system, which provides network administrators with richer information about network attacks. Moreover, the comprehensive performance evaluation conducted on public SCADA network data sets shows that the proposed method outperforms the existing methods in detecting and analyzing various cyber attacks against the SCADA system.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Zeyu Yang,Liang He,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/TDSC.2024.3384146

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Stealthy attacks manipulate the operation of Industrial Control Systems (ICSs) without being undetected, allowing persistent manipulation of system operation and thus the potential to cause destructive damage. This paper introduces a new vulnerability of ICS that can be exploited to mount stealthy attacks without requiring any domain knowledge. This vulnerability is caused by a common practice in system monitoring, i.e., the SCADA monitors ICS operation at a much lower frequency than system execution, causing a loss of precision when the SCADA tries to cross-validate the issued control commands using the collected sensory data. Exploiting this vulnerability, an attack called <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> is designed to stealthily manipulate the system operation by identifying and injecting malicious control commands that will not be concluded as abnormal by the SCADA. This paper further discusses a preferred ICS engineering practice and an attestation strategy to mitigate the above vulnerability and protect ICS from <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> . Both <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> and the proposed mitigations have been experimentally validated on two ICS platforms.

Shaharyar Khan,Stuart Madnick,Stuart E Madnick

DOI: https://doi.org/10.1109/tdsc.2021.3093214

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recent cyber-physical attacks, such as Stuxnet, Triton etc., have invoked an ominous realization about the vulnerability of critical infrastructure, including water, power and gas distribution systems. Traditional IT security-biased protection methods that focus on improving cyber hygiene are largely impotent in the face of targeted attacks by advanced cyber-adversaries. Thus, there is an urgent need to analyze the safety and security of critical infrastructure in a holistic fashion, leveraging the physics of the cyber-physical system. System-Theoretic Accident Model & Processes (STAMP) offers a powerful framework to analyze complex systems; hitherto, STAMP has been used extensively to perform safety analyses but an integrated safety and cybersecurity analysis of industrial control systems (ICS) has not been published. This paper uses the electrical generation and distribution system of an archetypal industrial facility to demonstrate the application of a STAMP-based method – called Cybersafety – to identify and mitigate cyber-vulnerabilities in ICS. The key contribution of this work is to differentiate the additional steps required to perform a holistic cybersecurity analysis for an ICS of significant size and complexity and to present the analysis in a structured format that can be emulated for larger systems with many interdependent subsystems.

computer science, information systems, software engineering, hardware & architecture

Giovanni Barbieri,Mauro Conti,Nils Ole Tippenhauer,Federico Turrin

DOI: https://doi.org/10.1109/icccn52240.2021.9522219

2021-07-01

Abstract:Modern Industrial Control Systems (ICSs) allow remote communication through the Internet using industrial protocols that were not designed to work with external networks. To understand security issues related to this practice, prior work usually relies on active scans by researchers or services such as Shodan. While such scans can identify publicly open ports, they cannot identify legitimate use of insecure industrial traffic. In particular, source-based filtering in Network Address Translation or Firewalls prevent detection by active scanning, but do not ensure that insecure communication is not manipulated in transit. In this work, we compare Shodan-only analysis with largescale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints actually exchanging industrial traffic over the Internet. Besides, we are able to detect scanning activities and what other type of traffic is exchanged by the systems (i.e., IT traffic). We find that Shodan only listed less than 2% of hosts that we identified as exchanging industrial traffic, and only 7% of hosts identified by Shodan actually exchange industrial traffic. Therefore, Shodan does not allow to understand the actual use of insecure industrial protocols on the Internet and the current security practices in ICS communications. We show that 75.6% of ICS hosts still rely on unencrypted communications without integrity protection, leaving those critical systems vulnerable to malicious attacks.

Huishan Song,Yanbin Yuan,Yuhe Wang,Jianbai Yang,Hang Luo,Shiming Li

DOI: https://doi.org/10.3390/s24227135

IF: 3.9

2024-11-07

Sensors

Abstract:With the rapid advancements in information technology and industrialization, the sustainability of industrial production has garnered significant attention. Industrial control systems (ICS), which encompass various facets of industrial production, are deeply integrated with the Internet, resulting in enhanced efficiency and quality. However, this integration also introduces challenges to the continuous operation of industrial processes. This paper presents a novel security assessment model for ICS, which is based on evidence-based reasoning and a library of belief rules. The model consolidates diverse information within ICS, enhancing the accuracy of assessments while addressing challenges such as uncertainty in ICS data. The proposed model employs evidential reasoning (ER) to fuse various influencing factors and derive security assessment values. Subsequently, a belief rule base is used to construct an assessment framework, grounded in expert-defined initial parameters. To mitigate the potential unreliability of expert knowledge, the chaotic mapping adaptive whale optimization algorithm is incorporated to enhance the model's accuracy in assessing the security posture of industrial control networks. Finally, the model's effectiveness in security assessment was validated through experimental results. Comparative analysis with other assessment models demonstrates that the proposed model exhibits superior performance in ICS security assessment.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Taejun Choi,Guangdong Bai,Ryan K L Ko,Naipeng Dong,Wenlu Zhang,Shunyao Wang

DOI: https://doi.org/10.48550/arXiv.2101.11866

2021-01-28

Abstract:Industrial control systems (ICS) of critical infrastructure are increasingly connected to the Internet for remote site management at scale. However, cyber attacks against ICS - especially at the communication channels between humanmachine interface (HMIs) and programmable logic controllers (PLCs) - are increasing at a rate which outstrips the rate of mitigation. In this paper, we introduce a vendor-agnostic analytics framework which allows security researchers to analyse attacks against ICS systems, even if the researchers have zero control automation domain knowledge or are faced with a myriad of heterogenous ICS systems. Unlike existing works that require expertise in domain knowledge and specialised tool usage, our analytics framework does not require prior knowledge about ICS communication protocols, PLCs, and expertise of any network penetration testing tool. Using `digital twin' scenarios comprising industry-representative HMIs, PLCs and firewalls in our test lab, our framework's steps were demonstrated to successfully implement a stealthy deception attack based on false data injection attacks (FDIA). Furthermore, our framework also demonstrated the relative ease of attack dataset collection, and the ability to leverage well-known penetration testing tools. We also introduce the concept of `heuristic inference attacks', a new family of attack types on ICS which is agnostic to PLC and HMI brands/models commonly deployed in ICS. Our experiments were also validated on a separate ICS dataset collected from a cyber-physical scenario of water utilities. Finally, we utilized time complexity theory to estimate the difficulty for the attacker to conduct the proposed packet analyses, and recommended countermeasures based on our findings.

Cryptography and Security

Chun Lei Wang,Qing Miao,Lan Fang,Yi Qi Dai

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1936

2013-01-01

Advanced Materials Research

Abstract:industrial Control System (ICS) performs the tasks of supervisory control and data acquisition of critical infrastructures. With the widely application of computer and network techniques, ICS suffers serious security threats, and malicious codes are one of the most serious security problems. However, there is absent of analysis methods specific for ICS malicious code behaviors in current times. In this paper, a framework for ICS malicious code analysis is presented. Firstly, the ICS attack graph model is established based upon the hierarchical structure of industrial control system and the suffered security threats, which formalizes the attack process of ICS malicious code. Secondly, the runtime information of ICS malicious code is detected and collected for analyzing and assessing the attack behaviors and the resulted impacts. Finally, the ICS simulation environment for malicious code analysis is constructed based upon the framework and the experimental analysis of ICS malicious code is performed which preliminary validates the effectiveness of the proposed framework.

Xinchen Zhang,Zhihan Jiang,Yulong Ding,Edith C.H. Ngai,Shuang-Hua Yang

DOI: https://doi.org/10.1016/j.jfranklin.2024.107000

IF: 4.246

2024-09-01

Journal of the Franklin Institute

Abstract:As the Industrial Internet-of-Things (IIoT) evolves, a growing number of industrial control systems (ICSs) are connecting to the Internet, making them more vulnerable to malicious attacks. This paper addresses the detection of false data injection (FDI) attacks, a prevalent threat to open ICSs. We introduce an innovative anomaly detection technique using isomorphic analysis to safeguard ICSs against FDI attacks. Isomorphic analysis involves comparing transmitted signals with their expected values, which are derived from mathematical models or isomorphic components. For a comprehensive defense mechanism, we incorporate three specific detectors: the control signal detector, the actuating signal detector, and the sensor reading detector. Designed to detect FDI attacks across various parts of the ICS, these detectors ensure the integrity of all transmitted signals throughout the physical control system. While the control signal detector adopts a threshold method, the other two rely on statistical approaches. If an attack is detected, the detectors can correct tampered signals before they reach downstream components, enhancing the system’s overall resilience and fault tolerance. The effectiveness of these detectors is supported by rigorous mathematical proofs. Moreover, our experimental findings further reveal the superiority of the isomorphic strategy over prior work in terms of detection rate, detection time delay, and system resilience.

automation & control systems,engineering, electrical & electronic, multidisciplinary,mathematics, interdisciplinary applications

Yixiong Wu,Jianwei Zhuge,Tingting Yin,Tianyi Li,Junmin Zhu,Guannan Guo,Yue Liu,Jianju Hu

DOI: https://doi.org/10.5220/0010327902370248

2021-01-01

Abstract:The number of Internet-facing industrial control system(ICS) devices has risen rapidly due to remote control demand. Going beyond benefits in maintenance, this also exposes the fragile ICS devices to cyber-attackers. To characterize the security status of Internet-facing ICS devices, we analyze the exposed ICS devices and their vulnerabilities. Considering the ethic, we design and implement ICScope, a passive vulnerability assessment system based on device search engines. Firstly, ICScope extracts the ICS device information from the banners returned by multiple search engines. Then, ICScope filters out the possible ICS honeypots to guarantee accuracy. Finally, ICScope associates ICS vulnerabilities with each ICS device. Over the past year, our measurements cover more than 466,000 IPs. We first perform a comprehensive measurement of Internet-facing ICS devices from Dec 2019 to Jan 2020. We find that there are about 49.58% of Internet-facing ICS devices that can be identified are affected by one or more vulnerabilities. We also conduct three times experiments from Jun 2020 to Dec 2020 to monitor the security status of Internet-facing ICS devices. We observe a slowly decreasing trend in the number of vulnerable ICS devices during our experiment period.

Muye Li,Yibin Huang,Heng Pan

DOI: https://doi.org/10.1109/iaeac47372.2019.8997670

2019-12-01

Abstract:In recent years, safety incidents of industrial control systems (ICS) have occurred frequently. On the one hand, the gradual adaptation of standards, general communication protocols and software and hardware systems to ICS reduces the attack difficulty of ICS. On the other hand, more and more vulnerability researchers focus on ICS which is becoming the focus of network attackers. This paper analyses the vulnerability and security risks of the current ICS architecture, network environment, communication protocols and supporting software. With the help of the concept of Cyber Kill Chain, the two stages of network attack in ICS are elaborated in detail. Combining with Havex and Stuxnet virus, the mechanism of network intrusion attack in ICS is analyzed comprehensively and thoroughly, which provides effective technical support for the research of ICS network attack defense.

Yaofang Zhang,Zibo Wang,Yingzhou Wang,Kuan Lin,Tongtong Li,Hongri Liu,Chao Li,Bailing Wang

DOI: https://doi.org/10.1007/s11227-023-05269-1

IF: 3.3

2023-04-22

The Journal of Supercomputing

Abstract:Although the expansion of attack types against industrial control systems is limited, the available means that violate the same security strategy emerge endlessly. However, the high availability and real-time requirements of industrial control systems restrict the application of some countermeasures that require massive resources. To solve this problem, this paper proposes a low learning-cost risk assessment model for similar scenarios, which enables the formulation of defense strategies for system risks in advance. To lay the foundation for this method, we firstly aggregate the attack means into limited attack types according to word clustering to address the classification challenge caused by unknown attacks. Then, similarity and statistical methods are combined to predict the next attack type. Subsequently, the hidden Markov model is used to map attack types and security states to obtain the forecasting results of the next security state. Based on this, the risk value is calculated through these prediction and forecasting results, and the system relevance and alert timeliness are considered in the assessment stage. We break the scenario limitations and verify the advantages of our model in a known scenario and another similar scenario with unknown attacks. The experimental results show that our model can deal with unknown attacks in similar scenarios and has excellent scenario migration ability. Meanwhile, the changing trend of the risk value is in consistence with the actual data, which also confirms that the assessment model can forecast the future risk situation of the system accurately and comprehensively.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture