Improving security in industrial internet of things: A distributed intrusion detection methodology
The interaction among networking, sensing, and control in modern industry results in a variety of new devices used in many sectors such as health, energy distribution, and transportation. The ongoing tendency of exploiting automation and data exchange in manufacturing technologies leads to Industry 4.0. The fourth industrial revolution deals with Cyber-Physical Systems, the Internet of Things, cloud computing, and cognitive computing converging towards the Industrial Internet of Things. To be successful, this new era requires innovative paradigms to ensure the security of provided services and connected systems. In the industrial field, the problem gets more complex due to the need to protect a large attack surface while guaranteeing the availability of the systems and a real-time response to the presence of threats. In this chapter, we perform an analysis of the existing industrial threats and we present a distributed intrusion detection methodology to deal with attacks affecting Industrial Internet of Things scenarios.
Amon: An automaton monitor for industrial cyber-physical security
The rapid evolution towards Industry 4.0 improves the performance of Industrial Control Systems (ICSs). However, due to the unmanageable re-engineering cost of pre-existing industrial devices, insecure protocols continue to be used to manage these systems. In this scenario, legacy protocols, such as Modbus/TCP, are still largely used to control a range of industrial processes alongside modern technologies. Consequently, hybrid industrial infrastructures with both legacy and innovative devices require novel security and prevention methodologies. In this work, we present AMON (Automaton MONitor): an Intrusion Detection System (IDS) based on Deterministic Finite Automata (DFA) for Modbus/TCP traffic monitoring. AMON combines DFA with the Longest Repeating Subsequence (LRS) algorithm, commonly used in bioinformatics, to model the traffic and identify anomalies. In order to address the challenges presented in hybrid scenarios, we extend AMON to work with the Constrained Application Protocol (CoAP), used for the Industrial Internet of Things (IIoT). We show preliminary results in a simulated industrial network and discuss possible implementations of the developed detection system to secure hybrid industrial infrastructures.
MimePot: A model-based honeypot for industrial control networks
Complex and heterogeneous systems characterize Industry 4.0. Due to the Information Technology (IT) convergence towards Operational Technology (OT), the development of innovative cyber-physical security tools represents a milestone for the protection of Industrial Control Systems (ICSs). In this context, honeypots are systems used as decoys to detect and analyze malicious actions. However, industrial networks require specific honeypot development capabilities. In this work, we present MimePot, a cyber-physical honeypot conceived for industrial control networks. Compared to classic honeypots, MimePot offers a model-based approach: it is able to simulate physical processes to lure skilled attackers targeting industrial plants. Moreover, MimePot uses Software Defined Networking (SDN) technology to provide a consistent, future-proof security approach. We demonstrate the usefulness of MimePot by performing data integrity attacks against a water distribution system in a simulated environment.
TAMBUS: A novel authentication method through covert channels for securing industrial networks
Nowadays, many companies still use old and insecure protocols in Industrial Control Systems (ICSs). An example of such protocols is Modbus, one of the most employed industrial protocols. Also, companies are moving to Modbus/TCP when there are TCP devices involved in the facility. While remaining insecure, this migration also disrupts the assumption of air-gapped industrial networks, opening more attack surface to previously isolated systems. Due to legacy and efficiency constraints, the replacement of Modbus/TCP with secure protocols is not possible, generating big security issues. In this paper, we present TAMBUS (Transmitter Authentication and packet integrity in Modbus/TCP). This method is the first that, at the same time, is not based on a security-by-obscurity design and keeps the Modbus/TCP protocol compatible with legacy devices. TAMBUS allows detecting attacks with high statistical confidence by leveraging two covert channels as a means of providing security: 1) storage-based, which hides authentication messages in the Modbus/TCP protocol fields; 2) timing-based, which considers the inter-arrival time of packets. We demonstrate the feasibility and effectiveness of our method through a prototype implementation and testing in an industrial testbed environment. Our experiments confirm that TAMBUS introduces only a small overhead, negligible in most applications, and that it preserves the regular functioning of industrial systems. In particular, considering the storage-based covert channel, TAMBUS introduces an error into transmitted values of only 1.19×10^−5 %, without traffic overhead. On the other hand, TAMBUS can transmit correct security information through the timing-based covert channel with an accuracy of more than 99.99%.
A threat model method for ICS malware: The TRISIS case
Cyber-physical attacks against plants and Critical Infrastructures (CIs) are among the most significant concerns of the 21st century and can lead to devastating consequences. In particular, with the convergence between the Operational Technology (OT) network and the traditional IT network, malware threats for Industrial Control Systems (ICSs) are gradually increasing. In these scenarios, we need to identify potential cyber threats by developing innovative modeling techniques. However, existing malware-based cyber threat modeling techniques are not fully designed for industrial environments. In this paper, we present a threat modeling framework for Industrial Control Systems malware across two different levels: the Extraction Level and the Modeling Level. We evaluate the effectiveness of our model by analyzing the TRISIS cyber attack as a use case, a complex malware developed to cause operational disruption to industrial plants. Our solution outperforms existing malware threat modeling techniques for the ICS environment, and provides useful mitigation strategies to counter malicious activities.
Covert channels-based stealth attacks in industry 4.0
The advent of Industry 4.0 opens several cyber-threat scenarios originally designed for classic information technology (IT), drawing attention to serious risks for modern industrial control networks. To cope with this problem, in this paper, we address the security issues related to covert channels applied to industrial networks, identifying the new vulnerability points when IT converges with operational technologies such as edge computing infrastructures. Specifically, we define two signaling strategies where we exploit Modbus/Transmission Control Protocol (TCP) as the target to set up a covert channel. Once the threat channel is established, passive and active offensive methodologies are further exploited by implementing and testing them on a real Industrial Internet of Things testbed. The experimental results highlight the potential damage of such specific threats and the easy extrapolation of the attacks to other types of channels, in order to show the new risks for Industry 4.0. Related to this, we discuss some countermeasures, offering an overview of possible mitigation and defensive measures.
Covert Channel-Based Transmitter Authentication in Controller Area Networks
In recent years, the security of automotive Cyber-Physical Systems (CPSs) has been facing urgent threats due to the widespread use of legacy in-vehicle communication systems. As a representative legacy bus system, the Controller Area Network (CAN) hosts Electronic Control Units (ECUs) that are crucial for the vehicle's functioning. In this scenario, malicious actors can exploit CAN vulnerabilities, such as the lack of built-in authentication and encryption schemes, to launch CAN bus attacks. In this paper, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs on the legacy CAN bus by exploiting covert channels. TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication. TACAN consists of three different covert channels: 1) Inter-Arrival Time (IAT)-based, 2) Least Significant Bit (LSB)-based, and 3) hybrid covert channels. In order to validate TACAN, we implement the covert channels on the University of Washington (UW) EcoCAR (Chevrolet Camaro 2016) testbed. We further evaluate the bit error, throughput, and detection performance of TACAN through extensive experiments using the EcoCAR testbed and a publicly available dataset collected from a Toyota Camry 2010.
The Rise of ICS Malware: A Comparative Analysis
Cyber attacks against Industrial Control Systems are one of the major concerns for worldwide manufacturing companies. With the growth of emerging technologies, protecting large-scale Critical Infrastructures has become a considerable research topic in the past decade. Nowadays, software used to monitor Industrial Control Systems might be malicious and cause harm not only to physical processes but also to people working in industrial environments. To that end, integrating safety and security in Industrial Control Systems requires a well-developed understanding of malware-based cyber attacks. In this paper, we present a comparative analysis framework of ICS malware in a bi-layered approach: a cyber threat intelligence layer based on the ICS cyber kill chain and a hybrid analysis layer based on a static and dynamic analysis of ICS malware. We evaluated our proposed method by experimenting with five well-known ICS malware: Stuxnet, Havex, BlackEnergy2, CrashOverride, and TRISIS. Our comparative analysis results show the different and similar strategies used by each ICS malware to disrupt the ICS environment.
ALISI: A lightweight identification system based on Iroha
Given their ubiquity, modern Internet of Things (IoT) devices represent a dangerous attack surface for hackers. These devices are strongly heterogeneous by manufacturer, application field, geographic area of deployment, security requirements, and computational performance. This vulnerability problem is more important in the Industrial Internet of Things (IIoT) scenario, where systems are critical for plant processes, such as power grids and water distribution. In this paper, we present ALISI: A Lightweight Identification System based on Iroha, a blockchain-based identification platform conceived for IoT and IIoT systems. The blockchain technology provides a global identification standard, following a distributed approach in order to collaborate and share responsibilities and costs to gain first-class security features. Our scheme handles the performance issues typical of blockchain systems using a hybrid on-chain and off-chain approach, achieving low response time and a small load on the single device.