Ming Wan,Minglei Hao,Yang Li,Jianming Zhao,Ying Li

DOI: https://doi.org/10.1145/3586102.3586127

2022-01-01

Abstract:Due to the rapid development of industrial automation, ICSs (Industrial Control Systems) gradually expose their potential security vulnerabilities, and are facing more and more serious security risks. Although different industrial security technologies have been developed to strengthen industrial security protection, they always struggle for their own because of their standalone and non-related functions, and their actual defense effects are not encouraging. This paper first summarizes some intrinsic security vulnerabilities in ICSs, and analyzes the main causes to generate each class of vulnerabilities. Furthermore, five popular security technologies which have been successfully applied in today's ICSs are introduced, and their advantages and shortages are also compared by explaining each working mechanism. In order to take full advantage of various industrial security technologies, this paper proposes one novel cooperative defense model based P2DR (Policy, Protection, Detection and Response), which establishes the dynamical defense process to integrate five different industrial security technologies. Under the guidance of security policies, this model can comprehensively utilize the resources of various industrial security technologies to learn and judge current security status of the whole system, and effectively adjust the optimum deployment to provide the strongest protection with the lowest risk. Finally, one applicable case based on the proposed model is designed to verify the feasibility of cooperative defense in ICSs.

Divine S. Afenu,Mohammed Asiri,Neetesh Saxena

DOI: https://doi.org/10.3390/electronics13050917

IF: 2.9

2024-02-29

Electronics

Abstract:Industrial Control Systems (ICSs) have become the cornerstone of critical sectors like energy, transportation, and manufacturing. However, the burgeoning interconnectivity of ICSs has also introduced heightened risks from cyber threats. The urgency for robust ICS security validation has never been more pronounced. This paper provides an in-depth exploration of using the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to validate ICS security. Although originally conceived for enterprise Information Technology (IT), the MITRE ATT&CK framework's adaptability makes it uniquely suited to address ICS-specific security challenges, offering a methodological approach to identifying vulnerabilities and bolstering defence mechanisms. By zeroing in on two pivotal attack scenarios within ICSs and harnessing a suite of security tools, this research identifies potential weak points and proposes solutions to rectify them. Delving into Indicators of Compromise (IOCs), investigating suitable tools, and capturing indicators, this study serves as a critical resource for organisations aiming to fortify their ICS security. Through this lens, we offer tangible recommendations and insights, pushing the envelope in the domain of ICS security validation.

engineering, electrical & electronic,computer science, information systems,physics, applied

Mohammed Asiri,Neetesh Saxena,Rigel Gjomemo,Pete Burnap

DOI: https://doi.org/10.1145/3587255

2023-03-15

ACM Transactions on Cyber-Physical Systems

Abstract:Numerous sophisticated and nation-state attacks on Industrial Control Systems (ICSs) have increased in recent years, exemplified by Stuxnet and Ukrainian Power Grid. Measures to be taken post-incident are crucial to reduce damage, restore control, and identify attack actors involved. By monitoring Indicators of Compromise (IOCs), the incident responder can detect malicious activity triggers and respond quickly to a similar intrusion at an earlier stage. However, in order to implement IOCs in critical infrastructures, we need to understand their contexts and requirements. Unfortunately, there is no survey paper in the literature on IOC in the ICS environment and only limited information is provided in research articles. In this paper, we describe different standards for IOC representation and discuss the associated challenges that restrict security investigators from developing IOCs in the industrial sectors. We also discuss the potential IOCs against cyber-attacks in ICS systems. Furthermore, we conduct a critical analysis of existing works and available tools in this space. We evaluate the effectiveness of identified IOCs' by mapping these indicators to the most frequently targeted attacks in the ICS environment. Finally we highlight the lessons to be learnt from the literature and the future problems in the domain along with the approaches that might be taken.

Shaharyar Khan,Stuart Madnick,Stuart E Madnick

DOI: https://doi.org/10.1109/tdsc.2021.3093214

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recent cyber-physical attacks, such as Stuxnet, Triton etc., have invoked an ominous realization about the vulnerability of critical infrastructure, including water, power and gas distribution systems. Traditional IT security-biased protection methods that focus on improving cyber hygiene are largely impotent in the face of targeted attacks by advanced cyber-adversaries. Thus, there is an urgent need to analyze the safety and security of critical infrastructure in a holistic fashion, leveraging the physics of the cyber-physical system. System-Theoretic Accident Model & Processes (STAMP) offers a powerful framework to analyze complex systems; hitherto, STAMP has been used extensively to perform safety analyses but an integrated safety and cybersecurity analysis of industrial control systems (ICS) has not been published. This paper uses the electrical generation and distribution system of an archetypal industrial facility to demonstrate the application of a STAMP-based method – called Cybersafety – to identify and mitigate cyber-vulnerabilities in ICS. The key contribution of this work is to differentiate the additional steps required to perform a holistic cybersecurity analysis for an ICS of significant size and complexity and to present the analysis in a structured format that can be emulated for larger systems with many interdependent subsystems.

computer science, information systems, software engineering, hardware & architecture

Navid Aftabi,Dan Li,Ph.D.,Thomas Sharkey,Ph.D

2024-01-31

Abstract:Industrial Control Systems (ICSs) are widely used in critical infrastructures that face various cyberattacks causing physical damage. With the increasing integration of the ICSs and information technology (IT), ensuring the security of ICSs is of paramount importance. In an ICS, cyberattacks exploit vulnerabilities to compromise sensors and controllers, aiming to cause physical damage. Maliciously accessing different components poses varying risks, highlighting the importance of identifying high-risk cyberattacks. This aids in designing effective detection schemes and mitigation strategies. This paper proposes an optimization-based cyber-risk assessment framework that integrates cyber and physical systems of ICSs. The framework models cyberattacks with varying expertise and knowledge by 1) maximizing physical impact in terms of failure time of the physical system, 2) quickly accessing the sensors and controllers in the cyber system while exploiting limited vulnerabilities, 3) avoiding detection in the physical system, and 4) complying with the cyber and physical restrictions. These objectives enable us to jointly model the interactions between the cyber and physical systems and study the critical cyberattacks that cause the highest impact on the physical system under certain resource constraints. Our framework serves as a tool to understand the vulnerabilities of an ICS with a holistic consideration of cyber and physical systems and their interactions and assess the risk of existing detection schemes by generating the worst-case attack strategies. We illustrate and verify the effectiveness of our proposed method in a numerical and a case study. The results show that a worst-case strategic attacker causes almost 19% further acceleration in the failure time of the physical system while remaining undetected compared to a random attacker.

Optimization and Control,Systems and Control

Venkata S. Koganti,Mohammad Ashrafuzzaman,Ananth A. Jillepalli,Frederick T. Sheldon

DOI: https://doi.org/10.1109/malware.2017.8323960

2017-10-01

Abstract:Industrial Control Systems (ICS), at the heart of critical infrastructures, have been developing into more and more powerful tools over the years with the incorporation of networking and cyber, among other, technologies. As with great power comes great risks, ICS's inherited risks and vulnerabilities not only from the cyber domain but also gave rise to unique security risks and vulnerabilities. Security management, i.e., identifying vulnerabilities, assessing threats, preventing and tolerating malicious and harmful activities, mitigating and recovering from attacks, etc., for ICS's have been identified as a key, if not the key, area for the protection of critical infrastructures. The importance of a test-bed mimicking a real-life ICS and having capabilities to support ICS security management is paramount. In this paper, after briefly surveying the vulnerabilities in ICS and surveying the existing ICS test-beds, we describe the implementation of a virtual ICS testbed controlling the distribution breaker system of a power grid. We also describe simulating two cyber attacks using the testbed.

Vincenzo Giuliano,Valerio Formicola

DOI: https://doi.org/10.48550/arXiv.1909.01910

2019-09-04

Cryptography and Security

Abstract:Maintenance staff of Industrial Control Systems (ICS) is generally not aware about information technologies, and even less about cyber security problems. The scary impact of cyber attacks in the industrial world calls for tools to train defensive skills and test effective security measures. Cyber range offers this opportunity, but current research is lacking cost-effective solutions verticalized for the industrial domain. This work proposes ICSrange, a simulation-based cyber range platform for Industrial Control Systems. ICSrange adopts Commercial-Off-The-Shelf (COTS) technologies to virtualize an enterprise network connected to Industrial Control Systems. ICSrange is the outcome of a preliminary study intended to investigate challenges and opportunities to build a configurable and extensible cyber range with simulated industrial processes. Literature shows that testbeds based on realistic mock-ups are effectively employed to develop complex exploits like Advanced Persistent Threats (APTs), hence motivating their usage to train and test security in ICS. We prove the effectiveness of ICSrange through the execution of a multi-staged attack that breaches an enterprise network and progressively intrudes a simulated ICS with water tanks. The attack mimics lateral movements as observed in APTs.

Mary Nankya,Robin Chataut,Robert Akl

DOI: https://doi.org/10.3390/s23218840

IF: 3.9

2023-10-31

Sensors

Abstract:Industrial Control Systems (ICS), which include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC), play a crucial role in managing and regulating industrial processes. However, ensuring the security of these systems is of utmost importance due to the potentially severe consequences of cyber attacks. This article presents an overview of ICS security, covering its components, protocols, industrial applications, and performance aspects. It also highlights the typical threats and vulnerabilities faced by these systems. Moreover, the article identifies key factors that influence the design decisions concerning control, communication, reliability, and redundancy properties of ICS, as these are critical in determining the security needs of the system. The article outlines existing security countermeasures, including network segmentation, access control, patch management, and security monitoring. Furthermore, the article explores the integration of machine learning techniques to enhance the cybersecurity of ICS. Machine learning offers several advantages, such as anomaly detection, threat intelligence analysis, and predictive maintenance. However, combining machine learning with other security measures is essential to establish a comprehensive defense strategy for ICS. The article also addresses the challenges associated with existing measures and provides recommendations for improving ICS security. This paper becomes a valuable reference for researchers aiming to make meaningful contributions within the constantly evolving ICS domain by providing an in-depth examination of the present state, challenges, and potential future advancements.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Muhammad Rizwan Asghar,Qinwen Hu,Sherali Zeadally

DOI: https://doi.org/10.1016/j.comnet.2019.106946

IF: 5.493

2019-12-01

Computer Networks

Abstract:<p>Industrial Control Systems (ICSs) play an important role in today's industry by providing process automation, distributed control, and process monitoring. ICS was designed to be used in an isolated area or connected to other systems via specialised communication mechanisms or protocols. This setup allows manufacturers to manage their production processes with great flexibility and safety. However, this design does not meet today's business requirements to work with state-of-the-art technologies such as Internet-of-Things (IoT) and big data analytics. In order to fulfil industry requirements, many ICSs have been connected to enterprise networks that allow business users to access real-time data generated by power plants. At the same time, this new design opens up several cybersecurity challenges for ICSs.</p><p>We review possible cyber attacks on ICSs, identify typical threats and vulnerabilities, and we discuss unresolved security issues with existing ICS cybersecurity solutions. Then, we discuss how to secure ICSs (<em>e.g.,</em> using risk assessment methodologies) and other protection measures. We also identify open security research challenges for ICSs, and we present a classification of existing security solutions along with their strengths and weaknesses. Finally, we provide future research directions in ICS security.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Georgios Michail Makrakis,Constantinos Kolias,Georgios Kambourakis,Craig Rieger,Jacob Benjamin

DOI: https://doi.org/10.48550/arXiv.2109.03945

2021-09-08

Cryptography and Security

Abstract:Critical infrastructures (CI) and industrial organizations aggressively move towards integrating elements of modern Information Technology (IT) into their monolithic Operational Technology (OT) architectures. Yet, as OT systems progressively become more and more interconnected, they silently have turned into alluring targets for diverse groups of adversaries. Meanwhile, the inherent complexity of these systems, along with their advanced-in-age nature, prevents defenders from fully applying contemporary security controls in a timely manner. Forsooth, the combination of these hindering factors has led to some of the most severe cybersecurity incidents of the past years. This work contributes a full-fledged and up-to-date survey of the most prominent threats against Industrial Control Systems (ICS) along with the communication protocols and devices adopted in these environments. Our study highlights that threats against CI follow an upward spiral due to the mushrooming of commodity tools and techniques that can facilitate either the early or late stages of attacks. Furthermore, our survey exposes that existing vulnerabilities in the design and implementation of several of the OT-specific network protocols may easily grant adversaries the ability to decisively impact physical processes. We provide a categorization of such threats and the corresponding vulnerabilities based on various criteria. As far as we are aware, this is the first time an exhaustive and detailed survey of this kind is attempted.

Thomas Miller,Alexander Staves,Sam Maesschalck,Miriam Sturdee,Benjamin Green

DOI: https://doi.org/10.1016/j.ijcip.2021.100464

IF: 3.683

2021-12-01

International Journal of Critical Infrastructure Protection

Abstract:<p>Since the 1980s, we have observed a range of cyberattacks targeting Industrial Control Systems (ICS), some of which have impacted elements of critical national infrastructure (CNI). While there are access limitations on information surrounding ICS focused cyberattacks, particularly within a CNI context, this paper provides an extensive summary of those publicly reported. By identifying and analysing previous ICS focused cyberattacks, we document their evolution, affording cyber-security practitioners with a greater understanding of attack vectors, threat actors, impact, and targeted sectors and locations, critical to the continued development of holistic risk management strategies.</p>

engineering, multidisciplinary,computer science, information systems

He Wen

DOI: https://doi.org/10.48550/arXiv.2306.08631

2023-06-15

Abstract:Cyberattacks on industrial control systems (ICS) have been drawing attention in academia. However, this has not raised adequate concerns among some industrial practitioners. Therefore, it is necessary to identify the vulnerable locations and components in the ICS and investigate the attack scenarios and techniques. This study proposes a method to assess the risk of cyberattacks on ICS with an improved Common Vulnerability Scoring System (CVSS) and applies it to a continuous stirred tank reactor (CSTR) model. The results show the physical system levels of ICS have the highest severity once cyberattacked, and controllers, workstations, and human-machine interface are the crucial components in the cyberattack and defense.

Cryptography and Security,Artificial Intelligence

Nastaran Mahmoudyar,Yaser Baseri,Ali A. Ghorbani,Mahdi Daghmehchi Firoozjaei

DOI: https://doi.org/10.1016/j.ijcip.2021.100487

IF: 3.683

2022-03-01

International Journal of Critical Infrastructure Protection

Abstract:Industrial control systems (ICSs) and critical infrastructure are targeted by sophisticated cyber incidents launched by skillful and persistent attackers. Due to political, public image, or industrial competition reasons, most incidents are not publicly reported. Therefore, their consequences and threats are not as known as well as those in information technology (IT) systems. This paper aims to provide a foundation for cyber risk assessment for operational technology (OT) systems. To this end, we review the adversarial tactics and techniques employed by attackers to launch ICS cyberattacks and analyze the attack mechanisms of six significant ICS cyber incidents in the energy and power industries, namely Stuxnet, BlackEnergy, Crashoverride, Triton, Irongate, and Havex. We introduce an evaluation framework to evaluate the threat level of the ICS cyber incidents based on their sophistication and incident consequences. Finally, we rate the analyzed ICS cyber incidents based on their threat scores. Our evaluation rates Stuxnet as the most sophisticated and high-threat ICS malware and Irongate the lowest. We hope our evaluation can shed light on the design of protection solutions for OT systems.

engineering, multidisciplinary,computer science, information systems

Yi-Wei Ma,Yi-Hao Tu,Chih-Ting Shen

DOI: https://doi.org/10.1016/j.ijcip.2024.100662

IF: 3.683

2024-02-11

International Journal of Critical Infrastructure Protection

Abstract:Industrial Control Systems (ICS) security happens often, which makes it hard for many organizations to keep a balance between operational efficiency, system efficiency, and security. A major concern is how to protect information security and make sure that ICS keep working. This study thus presents a defense-based system with adaptive cyber resilience (DSACR). DSACR will optimize the configuration with respect to the three indices of operational efficiency, performance, and security. Whenever an assault event happens, DSACR offers protective solutions depending on the threat level to optimize the security and running costs of recovering ICS. In terms of safety and operation, DSACR is superior to other approaches by 3% and 11%, respectively, as shown by the results of the experiments.

engineering, multidisciplinary,computer science, information systems

Martín Barrère,Chris Hankin,Demetrios G. Eliades,Nicolas Nicolau,Thomas Parisini

DOI: https://doi.org/10.48550/arXiv.1911.09404

2019-11-21

Cryptography and Security

Abstract:Over the last years, Industrial Control Systems (ICS) have become increasingly exposed to a wide range of cyber-physical threats. Efficient models and techniques able to capture their complex structure and identify critical cyber-physical components are therefore essential. AND/OR graphs have proven very useful in this context as they are able to semantically grasp intricate logical interdependencies among ICS components. However, identifying critical nodes in AND/OR graphs is an NP-complete problem. In addition, ICS settings normally involve various cyber and physical security measures that simultaneously protect multiple ICS components in overlapping manners, which makes this problem even harder. In this paper, we present an extended security metric based on AND/OR hypergraphs which efficiently identifies the set of critical ICS components and security measures that should be compromised, with minimum cost (effort) for an attacker, in order to disrupt the operation of vital ICS assets. Our approach relies on MAX-SAT techniques, which we have incorporated in META4ICS, a Java-based security metric analyser for ICS. We also provide a thorough performance evaluation that shows the feasibility of our method. Finally, we illustrate our methodology through a case study in which we analyse the security posture of a realistic Water Transport Network (WTN).

Chunjie Zhou,Bowen Hu,Yang Shi,Yu-Chu Tian,Xuan Li,Yue Zhao

DOI: https://doi.org/10.1109/jproc.2020.3034595

IF: 20.6

2021-04-01

Proceedings of the IEEE

Abstract:With the rapid development of functional requirements in the emerging Industry 4.0 era, modern industrial control systems (ICSs) are no longer isolated islands, making them more vulnerable to various cyberattack threats. Cyberattacks on ICSs may have disruptive consequences, such as significant social and economic losses. To proactively address the security issue of ICSs, this article presents a unified architectural approach from the perspectives of cyberthreats on ICSs, security-related ICS technologies, and methods for ICSs. It incorporates secure networks, secure control systems, secure physical processes, and their interactions seamlessly into a unified framework. To increase the resistance of ICSs against intrusions, the network security in our architectural approach is to secure the data in motion through the integration of secure network architecture, secure industrial network protocols, and secure end-to-end communications. The protection of control systems in our architectural approach is risk-based and hierarchical and encompasses prevention- and tolerance-centric defenses. It provides a layer-by-layer defense so that an acceptable level of cybersecurity risk is achieved and maintained. Aiming to maintain the stable operation of physical ICS processes, the secure control in our architectural approach implements a security process against process-aware attacks through a resilient safety control scheme. The global and systematic architectural approach presented in this article for the ICS cybersecurity will help facilitate the design and implementation of cyberattack-resilient ICSs in the networked world. For further development of ICS security technologies, emerging challenges are identified and discussed to motivate future research efforts.

engineering, electrical & electronic

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Mauro Conti,Denis Donadel,Federico Turrin

DOI: https://doi.org/10.48550/arXiv.2102.05631

2021-02-10

Cryptography and Security

Abstract:The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damages. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, Academia, Industry, and Government are increasingly proposing testbed (i.e., scaled-down versions of ICSs or simulations) to test the performances of the IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs.