685 research outputs found
Characterizing Background Noise in ICS Traffic Through a Set of Low Interaction Honeypots
Industrial Control Systems (ICS) are nowadays interconnected with various networks and, ultimately, with the Internet. Due to this exposure, malicious actors are interested in compromising ICS — not only for advanced and targeted attacks, but also in the context of more frequent network scanning and mass exploiting of directly Internet-exposed devices. To understand the level of interest towards Internet-connected ICS, we deploy a scalable network of low-interaction ICS honeypots based on the popular conpot framework, integrated with an analysis pipeline, and we analyze the in-the-wild traffic directed through a set of ICS-specific protocols. We present the results of running our honeypots for several months, showing that, although most of the traffic is originated by known, legitimate network scanners, and follows patterns similar to those of well-known ICS network mapping scripts, we found several requests from unknown actors that do not follow this pattern and may hint at malicious traffic.
Detecting Insecure Code Patterns in Industrial Robot Programs
Key to modern smart manufacturing, industrial robots are complex and customizable machines that can be programmed in a variety of ways. In addition to the “teach by showing” paradigm, most vendors provide domain-specific programming languages to operate the robots with high precision. Besides movement instructions, such fully fledged programming languages provide access to low-level system resources like files and network. Although useful, these features create venues for unsafe programming patterns, which could lead to taint-style vulnerabilities or malware-like functionalities. In this paper, we analyze the programming languages of 8 leading industrial robot vendors, systematize their technical features, and discuss cases of vulnerable and malicious uses. We then describe the source-code analysis tool that we created to analyze robotic programs, and discover unsafe uses of programming primitives. We focused our proof-of-concept implementation on two popular languages (i.e., ABB’s RAPID and KUKA’s KRL), and evaluated it on a dataset of publicly available programs. Our results show that unsafe patterns are indeed found in real-world code, and that static source code analysis is an effective vetting mechanism, for example to prevent commissioning unsafe or malicious robotic programs. We conclude by discussing the remediation steps that can be adopted by developers and vendors to mitigate such issues in the medium and long term.
Poster: Using Honeypots to Understand Attacks to Industrial Control Systems
We describe our ongoing efforts toward the development of an advanced honeypot that simulates a complex distributed control system (DCS) used in industrial settings such as chemical, oil and gas, water treatment, and food processing plants. Indeed, while anecdotally it is known that ICS are targets of attacks, the details of most incidents are not publicly released (with the exception of high profile cases such as Stuxnet or TRITON). Thus, we believe that, by deploying a honeypot that replicates a real-world deployment of a DCS, we will be able to capture the attempts of attacks toward complex control systems and gain useful insights for the research community. We recently deployed the honeypot in the network of a multinational company that uses the DCS in the course of their business. As a long term goal, we aim to deploy the honeypot on multiple network vantage points, and to collect a repository of ICS attack techniques, as well as ICS malware, to be shared with the security community.
There’s a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets
Cloud storage services are an efficient solution for a variety of use cases, allowing even non-skilled users to benefit from fast, reliable and easy-to-use storage. However, using public cloud services for storage comes with security and privacy concerns. In fact, managing access control at scale is often particularly hard, as the size and complexity rapidly increase, especially when the role of access policies is underestimated, resulting in dangerous misconfigurations. In this paper, we investigate the usage of Amazon S3, one of the most popular cloud storage services, focusing on automatically analyzing and discovering misconfigurations that affect security and privacy. We developed a tool that automatically performs security checks of S3 buckets, without storing or exposing any sensitive data. This tool is intended for developers, end-users, enterprises, and any other organization that makes extensive use of S3 buckets. We validate our tool by performing the first comprehensive, large-scale analysis of 240,461 buckets, obtaining insights on the most common mistakes in access control policies. The most concerning one is certainly the (unwanted) exposure of storage buckets: These can easily leak sensitive data, such as private keys, credentials and database dumps, or allow attackers to tamper with their resources. To raise awareness on the risks and help users to secure their storage services, we show how attackers could exploit unsecured S3 buckets to deface or deliver malicious content through websites that rely on S3 buckets. In fact, we identify 191 vulnerable websites. Finally, we propose a browser extension that prevents loading resources hosted in unsecured buckets, intended both for end-users, as a mitigation against vulnerable websites, and for developers and software testers, as a way to check for misconfigurations.
Constrained Concealment Attacks against Reconstruction-based Anomaly Detectors in Industrial Control Systems
Recently, reconstruction-based anomaly detection was proposed as an effective technique to detect attacks in dynamic industrial control networks. Unlike classical network anomaly detectors that observe the network traffic, reconstruction-based detectors operate on the measured sensor data, leveraging physical process models learned a priori.
In this work, we investigate different approaches to evade prior-work reconstruction-based anomaly detectors by manipulating sensor data so that the attack is concealed. We find that replay attacks (commonly assumed to be very strong) show bad performance (i.e., increasing the number of alarms) if the attacker is constrained to manipulate less than 95% of all features in the system, as hidden correlations between the features are not replicated well. To address this, we propose two novel attacks that manipulate a subset of the sensor readings, leveraging learned physical constraints of the system. Our attacks feature two different attacker models: A whitebox attacker, which uses an optimization approach with a detection oracle, and a blackbox attacker, which uses an autoencoder to translate anomalous data into normal data.
We evaluate our implementation on two different datasets from the water distribution domain, showing that the detector's Recall drops from 0.68 to 0.12 by manipulating 4 sensors out of 82 in the WADI dataset. In addition, we show that our blackbox attacks are transferable to different detectors: They work against autoencoder-, LSTM-, and CNN-based detectors. Finally, we implement and demonstrate our attacks on a real industrial testbed to demonstrate their feasibility in real-time.
La Vestale 'incesta'
Marcello Salvadore: La Vestale incesta.
Dionysius of Halicarnassus, Pliny the Younger and Plutarch are the sources of a detailed account of Vestalis incesta’s punishment: they say that she was sentenced to death. Dionysius adds that there was no after death ritual. Modern scholars generally accept what the three authors assert. In this article the author surmises that the Vestalis incesta, together with the parricida, was not condemned to death: both of them were sentenced to a particular kind of banishment from the Society.
An Experimental Security Analysis of an Industrial Robot Controller
Industrial robots, automated manufacturing, and efficient logistics processes are at the heart of the upcoming fourth industrial revolution. While there are seminal studies on the vulnerabilities of cyber-physical systems in the industry, as of today there has been no systematic analysis of the security of industrial robot controllers. We examine the standard architecture of an industrial robot and analyze a concrete deployment from a systems security standpoint. Then, we propose an attacker model and confront it with the minimal set of requirements that industrial robots should honor: precision in sensing the environment, correctness in execution of control logic, and safety for human operators. Following an experimental and practical approach, we then show how our modeled attacker can subvert such requirements through the exploitation of software vulnerabilities, leading to severe consequences that are unique to the robotics domain.
We conclude by discussing safety standards and security challenges in industrial robotics
