Yixiong Wu,Jianwei Zhuge,Tingting Yin,Tianyi Li,Junmin Zhu,Guannan Guo,Yue Liu,Jianju Hu

DOI: https://doi.org/10.5220/0010327902370248

2021-01-01

Abstract:The number of Internet-facing industrial control system(ICS) devices has risen rapidly due to remote control demand. Going beyond benefits in maintenance, this also exposes the fragile ICS devices to cyber-attackers. To characterize the security status of Internet-facing ICS devices, we analyze the exposed ICS devices and their vulnerabilities. Considering the ethic, we design and implement ICScope, a passive vulnerability assessment system based on device search engines. Firstly, ICScope extracts the ICS device information from the banners returned by multiple search engines. Then, ICScope filters out the possible ICS honeypots to guarantee accuracy. Finally, ICScope associates ICS vulnerabilities with each ICS device. Over the past year, our measurements cover more than 466,000 IPs. We first perform a comprehensive measurement of Internet-facing ICS devices from Dec 2019 to Jan 2020. We find that there are about 49.58% of Internet-facing ICS devices that can be identified are affected by one or more vulnerabilities. We also conduct three times experiments from Jun 2020 to Dec 2020 to monitor the security status of Internet-facing ICS devices. We observe a slowly decreasing trend in the number of vulnerable ICS devices during our experiment period.

Guannan Guo,Jianwei Zhuge,Mengmeng Yang,Gengqian Zhou,Yixiong Wu

DOI: https://doi.org/10.1109/IINTEC.2018.8695276

2018-01-01

Abstract:Industrial control systems (ICS) have become ubiquitous as cyber-physical systems are widely distributed in critical infrastructures. Yet as the ICS environment evolves and becomes ever more connected, an increasing number of devices are now exposed on the Internet, and the attacking surface and risk increase as well, an attacker who finds an ICS device can cause severe damage to real world easily. In this paper, we deploy high-interaction honeypots using real devices on the Internet to find who is searching the exposed ICS devices and study the discrepancies between different scanners. To gain a more accurate and bigger landscape, instead of performing our own large scale scanning world wide, we provide a survey of ICS devices on the Internet based on historical data collected from multiple data sources. By aggregating and analyzing, we are able to find an even greater number of both ICS devices and honeypots on the Internet compared with any single search engine. We hope to raise the issue of ICS security and inform work on exploring and securing ICS devices on the Internet.

Ruiwen He,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9346835

2020-01-01

Abstract:With the development of information technology and Power Internet of Things, the increasing number of networked terminals presents new network security threats. Industrial control equipment and systems have vulnerabilities in hardware, software and firmware, and advanced persistent threat against ICS has become more complex and diverse. However, most of the research are aimed at the detection of single vulnerability, and lack attack mechanism analysis and threat assessment for attack chain. We proposed a threat assessment method based on vulnerability descriptive text and described the attributes of attack samples according to the classification results in attack targets, methods and consequences. We constructed attack graphs based on attack sample attributes and cyber-physical topology to quantitatively evaluate the feasibility and benefits of each attack path from vulnerability capabilities and the impact of devices in the physical world. Finally, we took the substation device status monitoring system as an example to verify the feasibility of this method.

Marcin Nawrocki,Thomas C. Schmidt,Matthias Wählisch,Matthias Wahlisch

DOI: https://doi.org/10.1109/noms47738.2020.9110256

2020-04-01

Abstract:Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure, but also the Internet ecosystem (e.g., DRDoS attacks). In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view on Internet-wide ICS communication. Our results can be used (i) to create precise filters for potentially harmful non-industrial ICS traffic, and (ii) to detect ICS sending unprotected inter-domain ICS traffic, being vulnerable to eavesdropping and traffic manipulation attacks.

Jianxin Xu,Dongqin Feng

DOI: https://doi.org/10.1155/2017/2430835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:This paper discusses two aspects of major risks related to the cyber security of an industrial control system (ICS), including the exploitation of the vulnerabilities of legitimate communication parties and the features abused by unauthorized parties. We propose a novel framework for exposing the above two types of risks. A state fusion finite state machine (SF-FSM) model is defined to describe multiple request-response packet pair sequence signatures of various applications using the same protocol. An inverted index of keywords in an industrial protocol is also proposed to accomplish fast state sequence matching. Then we put forward the concept of scenario reconstruction, using state sequence matching based on SF-FSM, to present the known vulnerabilities corresponding to applications of a specific type and version by identifying the packet interaction characteristics from the data flow in the supervisory control layer network. We also implement an anomaly detection approach to identifying illegal access using state sequence matching based on SF-FSM. An anomaly is asserted if none of the state sequence signatures in the SF-FSM is matched with a packet flow. Ultimately, an example based on industrial protocols is demonstrated by a prototype system to validate the methods of scenario reconstruction and anomaly detection.

Giovanni Barbieri,Mauro Conti,Nils Ole Tippenhauer,Federico Turrin

DOI: https://doi.org/10.1109/icccn52240.2021.9522219

2021-07-01

Abstract:Modern Industrial Control Systems (ICSs) allow remote communication through the Internet using industrial protocols that were not designed to work with external networks. To understand security issues related to this practice, prior work usually relies on active scans by researchers or services such as Shodan. While such scans can identify publicly open ports, they cannot identify legitimate use of insecure industrial traffic. In particular, source-based filtering in Network Address Translation or Firewalls prevent detection by active scanning, but do not ensure that insecure communication is not manipulated in transit. In this work, we compare Shodan-only analysis with largescale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints actually exchanging industrial traffic over the Internet. Besides, we are able to detect scanning activities and what other type of traffic is exchanged by the systems (i.e., IT traffic). We find that Shodan only listed less than 2% of hosts that we identified as exchanging industrial traffic, and only 7% of hosts identified by Shodan actually exchange industrial traffic. Therefore, Shodan does not allow to understand the actual use of insecure industrial protocols on the Internet and the current security practices in ICS communications. We show that 75.6% of ICS hosts still rely on unencrypted communications without integrity protection, leaving those critical systems vulnerable to malicious attacks.

Feilong Zuo,Zhengxiong Luo,Junze Yu,Ting Chen,Zichen Xu,Aiguo Cui,Yu Jiang

DOI: https://doi.org/10.1109/tcad.2022.3201471

IF: 2.9

2022-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Industrial control system (ICS) employs complex multistate protocols to realize high-reliability communication and intelligent control over automation equipment. ICS has been widely used in various embedded fields, such as autonomous vehicle systems, power automation systems, etc. However, in recent years, many attacks have been performed on ICS, especially its protocols, such as the hijacks over Jeep Uconnect and Tesla Autopilot autonomous systems, also the Stuxnet and DragonFly viruses over national infrastructures. It is important to guarantee the security of ICS protocols. In this article, we present Charon, an efficient fuzzing platform for the vulnerability detection of ICS protocol implementations. In Charon, we propose an innovative fuzzing strategy that leverages state guidance to maximize cross-state code coverage instead of focusing on isolated states during the fuzzing of ICS protocols. Moreover, we devise a novel feedback collection method that employs program status inferring to avoid the restart of the ICS protocol at each iteration, allowing for continuous fuzzing. We evaluate Charon on several popular ICS protocol implementations, including real-time publish subscribe, IEC61850-MMS, MQTT, etc. Compared with typical fuzzers, such as American fuzzy lop, Polar, AFLNET, Boofuzz, and Peach, it averagely improves branch coverage by 234.2%, 194.4%, 215.9%, 52.58%, and 35.18%, respectively. Moreover, it has already confirmed 21 previously unknown vulnerabilities (e.g., stack buffer overflow) among these ICS protocols, most of which are security critical and corresponding patches from vendors have been released accordingly.

Muye Li,Yibin Huang,Heng Pan

DOI: https://doi.org/10.1109/iaeac47372.2019.8997670

2019-12-01

Abstract:In recent years, safety incidents of industrial control systems (ICS) have occurred frequently. On the one hand, the gradual adaptation of standards, general communication protocols and software and hardware systems to ICS reduces the attack difficulty of ICS. On the other hand, more and more vulnerability researchers focus on ICS which is becoming the focus of network attackers. This paper analyses the vulnerability and security risks of the current ICS architecture, network environment, communication protocols and supporting software. With the help of the concept of Cyber Kill Chain, the two stages of network attack in ICS are elaborated in detail. Combining with Havex and Stuxnet virus, the mechanism of network intrusion attack in ICS is analyzed comprehensively and thoroughly, which provides effective technical support for the research of ICS network attack defense.

Zhengxiong Luo,Feilong Zuo,Yuheng Shen,Xun Jiao,Wanli Chang,Yu Jiang

DOI: https://doi.org/10.1109/dac18072.2020.9218603

2020-01-01

Abstract:Industrial Control System (ICS) protocols play an essential role in building communications among system components. Recently, many severe vulnerabilities, such as Stuxnet and DragonFly, exposed in ICS protocols have affected a wide distribution of devices. Therefore, it is of vital importance to ensure their correctness. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complexity and diversity of the protocols.In this paper, we propose to equip the traditional protocol fuzzing with coverage-guided packet crack and generation. We collect the coverage information during the testing procedure, save those valuable packets that trigger new path coverage and crack them into pieces, based on which, we can construct higher-quality new packets for further testing. For evaluation, we build Peach * on top of Peach, which is one of the most widely used protocol fuzzers, and conduct experiments on several ICS protocols such as Modbus and DNP3. Results show that, compared with the original Peach, Peach * achieves the same code coverage and bug detection numbers at the speed of 1.2X-25X. It also gains final increase with 8.35%-36.84% more paths within 24 hours and has exposed 9 previously unknown vulnerabilities.

Mohammed Asiri,Neetesh Saxena,Rigel Gjomemo,Pete Burnap

DOI: https://doi.org/10.1145/3587255

2023-03-15

ACM Transactions on Cyber-Physical Systems

Abstract:Numerous sophisticated and nation-state attacks on Industrial Control Systems (ICSs) have increased in recent years, exemplified by Stuxnet and Ukrainian Power Grid. Measures to be taken post-incident are crucial to reduce damage, restore control, and identify attack actors involved. By monitoring Indicators of Compromise (IOCs), the incident responder can detect malicious activity triggers and respond quickly to a similar intrusion at an earlier stage. However, in order to implement IOCs in critical infrastructures, we need to understand their contexts and requirements. Unfortunately, there is no survey paper in the literature on IOC in the ICS environment and only limited information is provided in research articles. In this paper, we describe different standards for IOC representation and discuss the associated challenges that restrict security investigators from developing IOCs in the industrial sectors. We also discuss the potential IOCs against cyber-attacks in ICS systems. Furthermore, we conduct a critical analysis of existing works and available tools in this space. We evaluate the effectiveness of identified IOCs' by mapping these indicators to the most frequently targeted attacks in the ICS environment. Finally we highlight the lessons to be learnt from the literature and the future problems in the domain along with the approaches that might be taken.

Joao M. Ceron,Justyna J. Chromik,Jair Santanna,Aiko Pras

DOI: https://doi.org/10.48550/arXiv.2011.02019

2020-11-04

Abstract:On a regular basis, we read in the news about cyber-attacks on critical infrastructures, such as power plants. Such infrastructures rely on the so-called Industrial Control Systems (ICS) / Supervisory Control And Data Acquisition (SCADA) networks. By hacking the devices in such systems and networks, attackers may take over the control of critical infrastructures, with potentially devastating consequences. This report focusses on critical infrastructures in the Netherlands and investigates three main questions: 1) How many ICS/SCADA devices located in the Netherlands can be easily found by potential attackers?, 2) How many of these devices are vulnerable to cyber-attacks?, and 3) What measures should be taken to prevent these devices from being hacked?

Networking and Internet Architecture,Cryptography and Security

Simon Daniel Duque Anton,Daniel Fraunholz,Daniel Krohmer,Daniel Reti,Daniel Schneider,Hans Dieter Schotten

DOI: https://doi.org/10.1109/jiot.2021.3081741

IF: 10.6

2021-12-15

IEEE Internet of Things Journal

Abstract:Operational Technology (OT) networks and devices, i.e., all components used in industrial environments, were not designed with security in mind. Efficiency and ease of use were the most important design characteristics. However, due to the digitization of industry, an increasing number of devices and industrial networks are opened up to public networks. This is beneficial for the administration and organization of the industrial environments. However, it also increases the attack surface, providing possible points of entry for an attacker. Originally, breaking into production networks meant to break an information technology (IT)-perimeter first, such as a public Website, and then to move laterally to industrial control systems (ICSs) to influence the production environment. However, many OT-devices are connected directly to the Internet, which drastically increases the threat of compromise, especially since OT-devices contain several vulnerabilities. In this work, the presence of OT-devices in the Internet is analyzed from an attacker's perspective. Publicly available tools, such as the search engine Shodan and vulnerability databases, are employed to find commonly used OT-devices and map vulnerabilities to them. These findings are grouped according to the country of origin, manufacturer, and number as well as severity of vulnerability. More than 13000 devices were found, almost all contained at least one vulnerability. European and Northern American countries are by far the most affected ones.

computer science, information systems,telecommunications,engineering, electrical & electronic

Vincenzo Giuliano,Valerio Formicola

DOI: https://doi.org/10.48550/arXiv.1909.01910

2019-09-04

Cryptography and Security

Abstract:Maintenance staff of Industrial Control Systems (ICS) is generally not aware about information technologies, and even less about cyber security problems. The scary impact of cyber attacks in the industrial world calls for tools to train defensive skills and test effective security measures. Cyber range offers this opportunity, but current research is lacking cost-effective solutions verticalized for the industrial domain. This work proposes ICSrange, a simulation-based cyber range platform for Industrial Control Systems. ICSrange adopts Commercial-Off-The-Shelf (COTS) technologies to virtualize an enterprise network connected to Industrial Control Systems. ICSrange is the outcome of a preliminary study intended to investigate challenges and opportunities to build a configurable and extensible cyber range with simulated industrial processes. Literature shows that testbeds based on realistic mock-ups are effectively employed to develop complex exploits like Advanced Persistent Threats (APTs), hence motivating their usage to train and test security in ICS. We prove the effectiveness of ICSrange through the execution of a multi-staged attack that breaches an enterprise network and progressively intrudes a simulated ICS with water tanks. The attack mimics lateral movements as observed in APTs.

Mauro Conti,Denis Donadel,Federico Turrin

DOI: https://doi.org/10.48550/arXiv.2102.05631

2021-02-10

Cryptography and Security

Abstract:The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damages. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, Academia, Industry, and Government are increasingly proposing testbed (i.e., scaled-down versions of ICSs or simulations) to test the performances of the IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs.

Jacob Williams,Matthew Edwards,Joseph Gardiner

2024-10-23

Abstract:The convergence of information and operational technology networks has created previously unforeseen security issues. To address these issues, both researchers and practitioners have integrated threat intelligence methods into the security operations of converged networks, with some of the most valuable tools being honeypots that imitate industrial control systems (ICS). However, the development and deployment of such honeypots is a process rich with pitfalls, which can lead to undiagnosed weaknesses in the threat intelligence being gathered. This paper presents a side-channel method of covertly identifying ICS honeypots using the time-to-live (TTL) values of target devices. We show that many ICS honeypots can be readily identified, via minimal interactions, using only basic networking tools. In a study of over 8,000 devices presenting as ICS systems, we detail how our method compares to an existing honeypot detection approach, and outline what our methodology reveals about the current population of live ICS honeypots. In demonstrating our method, this study aims to raise awareness of the viability of the TTL heuristic and the prevalence of its misconfiguration despite its presence in literature.

Cryptography and Security,Systems and Control

Zeyu Yang,Liang He,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/TDSC.2024.3384146

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Stealthy attacks manipulate the operation of Industrial Control Systems (ICSs) without being undetected, allowing persistent manipulation of system operation and thus the potential to cause destructive damage. This paper introduces a new vulnerability of ICS that can be exploited to mount stealthy attacks without requiring any domain knowledge. This vulnerability is caused by a common practice in system monitoring, i.e., the SCADA monitors ICS operation at a much lower frequency than system execution, causing a loss of precision when the SCADA tries to cross-validate the issued control commands using the collected sensory data. Exploiting this vulnerability, an attack called <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> is designed to stealthily manipulate the system operation by identifying and injecting malicious control commands that will not be concluded as abnormal by the SCADA. This paper further discusses a preferred ICS engineering practice and an attestation strategy to mitigate the above vulnerability and protect ICS from <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> . Both <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> and the proposed mitigations have been experimentally validated on two ICS platforms.

Yang Li,Shihao Wu,Quan Pan

2023-08-07

Abstract:Along with the development of intelligent manufacturing, especially with the high connectivity of the industrial control system (ICS), the network security of ICS becomes more important. And in recent years, there has been much research on the security of the ICS network. However, in practical usage, there are many types of protocols, which means a high vulnerability in protocols. Therefore, in this paper, we give a complete review of the protocols that are usually used in ICS. Then, we give a comprehensive review on network security in terms of Defence in Depth (DiD), including data encryption, access control policy, intrusion detection system, software-defined network, etc. Through these works, we try to provide a new perspective on the exciting new developments in this field.

Cryptography and Security,Software Engineering

He Wen

DOI: https://doi.org/10.48550/arXiv.2306.08631

2023-06-15

Abstract:Cyberattacks on industrial control systems (ICS) have been drawing attention in academia. However, this has not raised adequate concerns among some industrial practitioners. Therefore, it is necessary to identify the vulnerable locations and components in the ICS and investigate the attack scenarios and techniques. This study proposes a method to assess the risk of cyberattacks on ICS with an improved Common Vulnerability Scoring System (CVSS) and applies it to a continuous stirred tank reactor (CSTR) model. The results show the physical system levels of ICS have the highest severity once cyberattacked, and controllers, workstations, and human-machine interface are the crucial components in the cyberattack and defense.

Cryptography and Security,Artificial Intelligence