Pub Date : 2024-11-19DOI: 10.1016/j.ijcip.2024.100725
Filipe Apolinário , Nelson Escravana , Éric Hervé , Miguel L. Pardal , Miguel Correia
Critical infrastructures (CIs) are often targets of cyber-attacks, requiring accurate process specifications to identify and defend against incidents. However, discrepancies between these specifications and real-world CI conditions arise due to the costly process of manual specification by experts.
This paper introduces FingerCI, a method for automatically generating CI process specifications through network traffic analysis and physical behavior modeling. By defining a Specification Language that integrates with existing systems, FingerCI extracts industrial process specifications without infrastructure changes or downtime. The specifications include a behavior model that validates physical correctness.
We evaluated FingerCI on a digital twin of an airport baggage handling system, achieving 99.98% fitness to observed behavior. Our method improves cybersecurity and fault detection with high accuracy.
关键基础设施(CI)通常是网络攻击的目标,需要准确的流程规范来识别和防御事件。本文介绍了 FingerCI,一种通过网络流量分析和物理行为建模自动生成 CI 流程规范的方法。通过定义一种与现有系统集成的规范语言,FingerCI 可以提取工业流程规范,而无需更改基础设施或停机。我们在一个机场行李处理系统的数字孪生系统上对 FingerCI 进行了评估,结果显示其与观察行为的吻合度高达 99.98%。我们的方法提高了网络安全和故障检测的准确性。
{"title":"FingerCI: Writing industrial process specifications from network traffic","authors":"Filipe Apolinário , Nelson Escravana , Éric Hervé , Miguel L. Pardal , Miguel Correia","doi":"10.1016/j.ijcip.2024.100725","DOIUrl":"10.1016/j.ijcip.2024.100725","url":null,"abstract":"<div><div>Critical infrastructures (CIs) are often targets of cyber-attacks, requiring accurate process specifications to identify and defend against incidents. However, discrepancies between these specifications and real-world CI conditions arise due to the costly process of manual specification by experts.</div><div>This paper introduces <span>FingerCI</span>, a method for automatically generating CI process specifications through network traffic analysis and physical behavior modeling. By defining a Specification Language that integrates with existing systems, <span>FingerCI</span> extracts industrial process specifications without infrastructure changes or downtime. The specifications include a behavior model that validates physical correctness.</div><div>We evaluated <span>FingerCI</span> on a digital twin of an airport baggage handling system, achieving 99.98% fitness to observed behavior. Our method improves cybersecurity and fault detection with high accuracy.</div></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100725"},"PeriodicalIF":4.1,"publicationDate":"2024-11-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142703044","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-11-13DOI: 10.1016/j.ijcip.2024.100724
Shah Khalid Khan , Nirajan Shiwakoti , Abebe Diro , Alemayehu Molla , Iqbal Gondal , Matthew Warren
Space Cybersecurity (SC) is becoming critical due to the essential role of space in global critical infrastructure – enabling communication, safe air travel, maritime trade, weather monitoring, environmental surveillance, financial services, and defence systems. Simultaneously, involving diverse stakeholders in space operations further amplifies this criticality. Similarly, previous research has identified isolated vulnerabilities in SC and proposed individual solutions to mitigate them. While such studies have provided useful insights, they do not offer a comprehensive analysis of space cyber-attack vectors and a critical evaluation of the effectiveness of mitigation strategies. This study addresses this problem by holistically examining the scope of potential space cyber-attack vectors, encompassing the ground, space, user, cloud, communication channels, and supply chain segments. Furthermore, the study evaluates the effectiveness of legacy security controls and frameworks and outlines SC-vector-aligned counterstrategies and mitigation techniques to tackle the unique SC threats. Based on the analysis, the study proposes future research directions to develop and test advanced technological solutions and regulatory and operational frameworks to establish international standards policies and foster stakeholder collaboration. The study contributes a multi-disciplinary foundation and roadmap that researchers, technology developers, and decision-makers can draw on in shaping a robust and sustainable SC framework.
{"title":"Space cybersecurity challenges, mitigation techniques, anticipated readiness, and future directions","authors":"Shah Khalid Khan , Nirajan Shiwakoti , Abebe Diro , Alemayehu Molla , Iqbal Gondal , Matthew Warren","doi":"10.1016/j.ijcip.2024.100724","DOIUrl":"10.1016/j.ijcip.2024.100724","url":null,"abstract":"<div><div>Space Cybersecurity (SC) is becoming critical due to the essential role of space in global critical infrastructure – enabling communication, safe air travel, maritime trade, weather monitoring, environmental surveillance, financial services, and defence systems. Simultaneously, involving diverse stakeholders in space operations further amplifies this criticality. Similarly, previous research has identified isolated vulnerabilities in SC and proposed individual solutions to mitigate them. While such studies have provided useful insights, they do not offer a comprehensive analysis of space cyber-attack vectors and a critical evaluation of the effectiveness of mitigation strategies. This study addresses this problem by holistically examining the scope of potential space cyber-attack vectors, encompassing the ground, space, user, cloud, communication channels, and supply chain segments. Furthermore, the study evaluates the effectiveness of legacy security controls and frameworks and outlines SC-vector-aligned counterstrategies and mitigation techniques to tackle the unique SC threats. Based on the analysis, the study proposes future research directions to develop and test advanced technological solutions and regulatory and operational frameworks to establish international standards policies and foster stakeholder collaboration. The study contributes a multi-disciplinary foundation and roadmap that researchers, technology developers, and decision-makers can draw on in shaping a robust and sustainable SC framework.</div></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100724"},"PeriodicalIF":4.1,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142703046","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-11-02DOI: 10.1016/j.ijcip.2024.100723
Matthew R. Oster , Ilya Amburg , Samrat Chatterjee , Daniel A. Eisenberg , Dennis G. Thomas , Feng Pan , Auroop R. Ganguly
Resilient operation of interdependent infrastructures against compound hazard events is essential for maintaining societal well-being. To address consequence assessment challenges in this problem space, we propose a novel tri-level optimization model applied to a proof-of-concept case study with fuel distribution and transportation networks – encompassing one realistic network; one fictitious, yet realistic network; as well as networks drawn from three synthetic distributions. Mathematically, our approach takes the form of a defender-attacker-defender (DAD) model—a multi-agent tri-level optimization, comprised of a defender, attacker, and an operator acting in sequence. Here, our notional operator may choose proxy actions to operate an interdependent system comprised of fuel terminals and gas stations (functioning as supplies) and a transportation network with traffic flow (functioning as demand) to minimize unmet demand at gas stations. A notional attacker aims to hypothetically disrupt normal operations by reducing supply at the supply terminals, and the notional defender aims to identify best proxy defense policy options which include hardening supply terminals or allowing alternative distribution methods such as trucking reserve supplies. We solve our DAD formulation at a metropolitan scale and present practical defense policy insights against hypothetical compound hazards. We demonstrate the generalizability of our framework by presenting results for a realistic network; a fictitious, yet realistic network; as well as for three networks drawn from synthetic distributions. We also analyze the sensitivity of outputs on budget constraints through a detailed case study. Additionally, we demonstrate the scalability of the framework by investigating runtime performance as a function of the network size. Steps for future research are also discussed.
相互依存的基础设施在复合灾害事件面前的弹性运行对于维护社会福祉至关重要。为了应对这一问题领域中的后果评估挑战,我们提出了一种新颖的三层优化模型,并将其应用于燃料配送和运输网络的概念验证案例研究--包括一个现实网络、一个虚构但现实的网络以及来自三个合成分布的网络。在数学上,我们的方法采用了防御者-攻击者-防御者(DAD)模型的形式--一种多代理三层优化,由依次行动的防御者、攻击者和操作者组成。在这里,我们假想的操作者可以选择代理行动来操作一个相互依存的系统,该系统由燃料终端和加油站(作为供应)以及交通流量(作为需求)组成,目的是最大限度地减少加油站未满足的需求。假想攻击者的目标是通过减少供应终端的供应来破坏正常运营,而假想防御者的目标是确定最佳代理防御政策选项,包括加固供应终端或允许采用卡车运输储备物资等替代配送方式。我们解决了大都市规模的 DAD 问题,并针对假设的复合危害提出了实用的防御政策见解。通过展示一个现实网络、一个虚构但现实的网络以及三个合成分布网络的结果,我们证明了我们的框架的通用性。我们还通过详细的案例研究分析了输出对预算限制的敏感性。此外,我们还通过研究运行时性能与网络规模的函数关系,证明了该框架的可扩展性。我们还讨论了未来的研究步骤。
{"title":"A tri-level optimization model for interdependent infrastructure network resilience against compound hazard events","authors":"Matthew R. Oster , Ilya Amburg , Samrat Chatterjee , Daniel A. Eisenberg , Dennis G. Thomas , Feng Pan , Auroop R. Ganguly","doi":"10.1016/j.ijcip.2024.100723","DOIUrl":"10.1016/j.ijcip.2024.100723","url":null,"abstract":"<div><div>Resilient operation of interdependent infrastructures against compound hazard events is essential for maintaining societal well-being. To address consequence assessment challenges in this problem space, we propose a novel tri-level optimization model applied to a proof-of-concept case study with fuel distribution and transportation networks – encompassing one realistic network; one fictitious, yet realistic network; as well as networks drawn from three synthetic distributions. Mathematically, our approach takes the form of a defender-attacker-defender (DAD) model—a multi-agent tri-level optimization, comprised of a defender, attacker, and an operator acting in sequence. Here, our notional operator may choose proxy actions to operate an interdependent system comprised of fuel terminals and gas stations (functioning as supplies) and a transportation network with traffic flow (functioning as demand) to minimize unmet demand at gas stations. A notional attacker aims to hypothetically disrupt normal operations by reducing supply at the supply terminals, and the notional defender aims to identify best proxy defense policy options which include hardening supply terminals or allowing alternative distribution methods such as trucking reserve supplies. We solve our DAD formulation at a metropolitan scale and present practical defense policy insights against hypothetical compound hazards. We demonstrate the generalizability of our framework by presenting results for a realistic network; a fictitious, yet realistic network; as well as for three networks drawn from synthetic distributions. We also analyze the sensitivity of outputs on budget constraints through a detailed case study. Additionally, we demonstrate the scalability of the framework by investigating runtime performance as a function of the network size. Steps for future research are also discussed.</div></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100723"},"PeriodicalIF":4.1,"publicationDate":"2024-11-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142593026","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-23DOI: 10.1016/j.ijcip.2024.100721
Cristina Alcaraz, Javier Lopez
Industry 5.0 is the current industrial paradigm that inherits the technological diversity of its predecessor, Industry 4.0, but includes three priority goals: (i) resilience, (ii) sustainability and (iii) human-centeredness. Through these three goals, Industry 5.0 pursues a more far-reaching digital transformation in industrial ecosystems with high protection guarantees. However, the deployment of innovative information technologies for this new digital transformation also requires considering their implicit vulnerabilities and threats in order to avoid any negative impacts on the three Industry 5.0 goals, and to prioritize cybersecurity aspects so as to ensure acceptable protection levels. This paper, therefore, proposes a detection framework composed of a Digital Twin (DT) and machine learning algorithms for online protection, supporting the resilience that Industry 5.0 seeks. To validate the approach, this work includes several practical studies on a real industrial control testbed to demonstrate the feasibility and accuracy of the framework, taking into account a set of malicious perturbations in several critical sections of the system. The results highlight the effectiveness of the DT in complementing the anomaly detection processes, especially for advanced and stealthy threats.
{"title":"Digital Twin-assisted anomaly detection for industrial scenarios","authors":"Cristina Alcaraz, Javier Lopez","doi":"10.1016/j.ijcip.2024.100721","DOIUrl":"10.1016/j.ijcip.2024.100721","url":null,"abstract":"<div><div>Industry 5.0 is the current industrial paradigm that inherits the technological diversity of its predecessor, Industry 4.0, but includes three priority goals: (i) <em>resilience</em>, (ii) <em>sustainability</em> and (iii) <em>human-centeredness</em>. Through these three goals, Industry 5.0 pursues a more far-reaching digital transformation in industrial ecosystems with high protection guarantees. However, the deployment of innovative information technologies for this new digital transformation also requires considering their implicit vulnerabilities and threats in order to avoid any negative impacts on the three Industry 5.0 goals, and to prioritize cybersecurity aspects so as to ensure acceptable protection levels. This paper, therefore, proposes a detection framework composed of a Digital Twin (DT) and machine learning algorithms for online protection, supporting the resilience that Industry 5.0 seeks. To validate the approach, this work includes several practical studies on a real industrial control testbed to demonstrate the feasibility and accuracy of the framework, taking into account a set of malicious perturbations in several critical sections of the system. The results highlight the effectiveness of the DT in complementing the anomaly detection processes, especially for advanced and stealthy threats.</div></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100721"},"PeriodicalIF":4.1,"publicationDate":"2024-10-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142551975","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The spread of broadband Internet and the availability of mobile communication services expand access to digital services for businesses and the public alike. However, at the same time, it aggravates the problem of ensuring digital space security, protection against cyber threats, and the fight against cybercrime. This research aims to calculate the index of a country's resilience to cyber-hacking for 143 countries, to divide these countries into groups based on this resilience (high, above-average, average, below-average, and low), compare these results with those obtained on the basis of National Cyber Security Index (NCSI), and to identify the impact of the Internet and mobile communication prevalence in a country on this level. The selection of the countries is based on the availability of statistical data for 2022 in the databases of the Surfshark VPN service, and the International Telecommunication Union. The integral index of a country's resilience to cyber-hacking is calculated through the multiplicative convolution (with weighted geometric mean) of the number of breached accounts, the Internet penetration probability (penetration into users’ data through the Internet), and the breach density per thousand users. The influence of active mobile broadband subscriptions (per 100 inhabitants), mobile broadband basket (% of Gross National Income Per Capita), mobile cellular subscriptions (per 100 inhabitants), and total fixed broadband subscriptions on the integral index of a country's resilience to cyber-hacking is investigated using multivariate adaptive regression spline. According to the calculations, France, Iceland, Montenegro, the United States, and the United Arab Emirates were the least resistant to cyber hacking in 2022. For countries with high, above-average, and below-average levels of resilience to cyber-hacking, the most relevant factor is the number of active mobile broadband subscriptions (per 100 inhabitants). For countries with an average level, it is total fixed broadband subscriptions.
{"title":"Impact of Internet and mobile communication on cyber resilience: A multivariate adaptive regression spline modeling approach","authors":"Serhiy Lyeonov , Wadim Strielkowski , Vitaliia Koibichuk , Serhii Drozd","doi":"10.1016/j.ijcip.2024.100722","DOIUrl":"10.1016/j.ijcip.2024.100722","url":null,"abstract":"<div><div>The spread of broadband Internet and the availability of mobile communication services expand access to digital services for businesses and the public alike. However, at the same time, it aggravates the problem of ensuring digital space security, protection against cyber threats, and the fight against cybercrime. This research aims to calculate the index of a country's resilience to cyber-hacking for 143 countries, to divide these countries into groups based on this resilience (high, above-average, average, below-average, and low), compare these results with those obtained on the basis of National Cyber Security Index (NCSI), and to identify the impact of the Internet and mobile communication prevalence in a country on this level. The selection of the countries is based on the availability of statistical data for 2022 in the databases of the Surfshark VPN service, and the International Telecommunication Union. The integral index of a country's resilience to cyber-hacking is calculated through the multiplicative convolution (with weighted geometric mean) of the number of breached accounts, the Internet penetration probability (penetration into users’ data through the Internet), and the breach density per thousand users. The influence of active mobile broadband subscriptions (per 100 inhabitants), mobile broadband basket (% of Gross National Income Per Capita), mobile cellular subscriptions (per 100 inhabitants), and total fixed broadband subscriptions on the integral index of a country's resilience to cyber-hacking is investigated using multivariate adaptive regression spline. According to the calculations, France, Iceland, Montenegro, the United States, and the United Arab Emirates were the least resistant to cyber hacking in 2022. For countries with high, above-average, and below-average levels of resilience to cyber-hacking, the most relevant factor is the number of active mobile broadband subscriptions (per 100 inhabitants). For countries with an average level, it is total fixed broadband subscriptions.</div></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100722"},"PeriodicalIF":4.1,"publicationDate":"2024-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142572557","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-09DOI: 10.1016/j.ijcip.2024.100720
M.S. Kavitha , G. Sumathy , B. Sarala , J. Jasmine Hephzipah , R. Dhanalakshmi , T.D. Subha
With the rise of smart industries, Industrial Control Systems (ICS) has to move from isolated settings to networked environments to meet the objectives of Industry 4.0. Because of the inherent interconnection of these services, systems of this type are more vulnerable to cybersecurity breaches. To protect ICSs from cyberattacks, intrusion detection systems equipped with Artificial Intelligence characteristics have been used to spot unusual system behavior. The main research problem focused on this work is to guarantee ICS security, a variety of security strategies and automated technologies have been established in past literary works. However, the main problems they face include a high proportion of incorrect predictions, longer execution times, more complex system designs, and decreased efficiency. Thus, developing and putting in place a Smart Invasion Recognition Tool (SIRT) to defend critical infrastructure systems against new cyberattacks is the main goal of this project. This system cleans and normalizes the supplied ICS data using a unique preprocessing technique called Variational Data Normalization (VDN). Furthermore, a novel hybrid technique called Frog Leap-based Ant Movement Optimization (FLAMO) is applied to choose the most important and necessary features from normalized industrial data. Furthermore, the methodology of Weighted Bi-directional Gated Recurrent Network (WeBi-GRN) is utilized to precisely distinguish between genuine and malicious samples from information collected by ICS. This work validates and evaluates the performance findings using many assessment indicators and a range of open-source ICS data. According to the study's findings, the proposed SIRT model accurately classifies the different types of assaults from the industrial data with 99 % accuracy.
{"title":"SIRT: A distinctive and smart invasion recognition tool (SIRT) for defending IoT integrated ICS from cyber-attacks","authors":"M.S. Kavitha , G. Sumathy , B. Sarala , J. Jasmine Hephzipah , R. Dhanalakshmi , T.D. Subha","doi":"10.1016/j.ijcip.2024.100720","DOIUrl":"10.1016/j.ijcip.2024.100720","url":null,"abstract":"<div><div>With the rise of smart industries, Industrial Control Systems (ICS) has to move from isolated settings to networked environments to meet the objectives of Industry 4.0. Because of the inherent interconnection of these services, systems of this type are more vulnerable to cybersecurity breaches. To protect ICSs from cyberattacks, intrusion detection systems equipped with Artificial Intelligence characteristics have been used to spot unusual system behavior. The main research problem focused on this work is to guarantee ICS security, a variety of security strategies and automated technologies have been established in past literary works. However, the main problems they face include a high proportion of incorrect predictions, longer execution times, more complex system designs, and decreased efficiency. Thus, developing and putting in place a Smart Invasion Recognition Tool (SIRT) to defend critical infrastructure systems against new cyberattacks is the main goal of this project. This system cleans and normalizes the supplied ICS data using a unique preprocessing technique called Variational Data Normalization (VDN). Furthermore, a novel hybrid technique called Frog Leap-based Ant Movement Optimization (FLAMO) is applied to choose the most important and necessary features from normalized industrial data. Furthermore, the methodology of Weighted Bi-directional Gated Recurrent Network (WeBi-GRN) is utilized to precisely distinguish between genuine and malicious samples from information collected by ICS. This work validates and evaluates the performance findings using many assessment indicators and a range of open-source ICS data. According to the study's findings, the proposed SIRT model accurately classifies the different types of assaults from the industrial data with 99 % accuracy.</div></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100720"},"PeriodicalIF":4.1,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142526135","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-26DOI: 10.1016/j.ijcip.2024.100719
Muaan ur Rehman , Hayretdin Bahşi
Due to the tight coupling between the cyber and physical components, control systems are subjected to emerging cyberattacks. In addition to attacks based on networking and communication, control systems are also susceptible to process-aware attacks that target the business logic behind a physical process. Due to the increasing frequency of such attacks, the process-aware defence mechanisms that incorporate knowledge of the underlying physical model, has gained increased attention in current cyber–physical system security-related research. However, the rapid expansion of literature complicates the ability to thoroughly review and ascertain the state-of-the-art, as well as to identify existing research challenges and gaps. This paper investigates research on process-aware-based security monitoring for control systems and aims to establish a common understanding of currently used methods in this domain. A systematic literature review is performed to outline and classify the existing work and present the authors’ cybersecurity vision. From an extensive review of publications between February 1, 2009 and October 30, 2023, we analysed and categorized the existing research on process-aware security monitoring techniques for control systems. Furthermore, we identified process-aware attack categories posing threats to the physical process in critical infrastructures. We have further mapped these attacks to the MITRE ATT&CK matrix for Industrial Control Systems (ICS), detailing their tactics, techniques, and impacts.
{"title":"Process-aware security monitoring in industrial control systems: A systematic review and future directions","authors":"Muaan ur Rehman , Hayretdin Bahşi","doi":"10.1016/j.ijcip.2024.100719","DOIUrl":"10.1016/j.ijcip.2024.100719","url":null,"abstract":"<div><div>Due to the tight coupling between the cyber and physical components, control systems are subjected to emerging cyberattacks. In addition to attacks based on networking and communication, control systems are also susceptible to process-aware attacks that target the business logic behind a physical process. Due to the increasing frequency of such attacks, the process-aware defence mechanisms that incorporate knowledge of the underlying physical model, has gained increased attention in current cyber–physical system security-related research. However, the rapid expansion of literature complicates the ability to thoroughly review and ascertain the state-of-the-art, as well as to identify existing research challenges and gaps. This paper investigates research on process-aware-based security monitoring for control systems and aims to establish a common understanding of currently used methods in this domain. A systematic literature review is performed to outline and classify the existing work and present the authors’ cybersecurity vision. From an extensive review of publications between February 1, 2009 and October 30, 2023, we analysed and categorized the existing research on process-aware security monitoring techniques for control systems. Furthermore, we identified process-aware attack categories posing threats to the physical process in critical infrastructures. We have further mapped these attacks to the MITRE ATT&CK matrix for Industrial Control Systems (ICS), detailing their tactics, techniques, and impacts.</div></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100719"},"PeriodicalIF":4.1,"publicationDate":"2024-09-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142421445","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-05DOI: 10.1016/j.ijcip.2024.100718
Danish Vasan , Ebtesam Jubran S. Alqahtani , Mohammad Hammoudeh , Adel F. Ahmed
Securing Industrial Control Systems (ICS) against cyber threats is crucial for maintaining operational reliability and safety in critical infrastructure. Traditional Machine Learning (ML) approaches in ICS development require substantial domain expertise, posing challenges for non-experts. To address this gap, we propose and evaluate ICS-defender, a defense mechanism to enhance ICS security through Automated Machine Learning (AutoML) techniques. Our approach leverages sophisticated feature engineering and AutoML to automate model selection, training, aggregation, and optimization, thereby reducing the dependency on specialized knowledge. We evaluate ICS-defender against state-of-the-art AutoML frameworks using diverse datasets from power systems and electric vehicle chargers. Experimental results consistently demonstrate that ICS-defender outperforms existing frameworks in terms of accuracy and robustness, achieving average accuracies of 93.75%, 94.34%, and 87.12% for power systems attacks datasets and 94.23% for the electric vehicle charging station attacks dataset, surpassing baseline algorithms. This research contributes to advancing secure and resilient ICS, offering significant implications for broader applications and future enhancements in industrial cybersecurity.
{"title":"An AutoML-based security defender for industrial control systems","authors":"Danish Vasan , Ebtesam Jubran S. Alqahtani , Mohammad Hammoudeh , Adel F. Ahmed","doi":"10.1016/j.ijcip.2024.100718","DOIUrl":"10.1016/j.ijcip.2024.100718","url":null,"abstract":"<div><p>Securing Industrial Control Systems (ICS) against cyber threats is crucial for maintaining operational reliability and safety in critical infrastructure. Traditional Machine Learning (ML) approaches in ICS development require substantial domain expertise, posing challenges for non-experts. To address this gap, we propose and evaluate ICS-defender, a defense mechanism to enhance ICS security through Automated Machine Learning (AutoML) techniques. Our approach leverages sophisticated feature engineering and AutoML to automate model selection, training, aggregation, and optimization, thereby reducing the dependency on specialized knowledge. We evaluate ICS-defender against state-of-the-art AutoML frameworks using diverse datasets from power systems and electric vehicle chargers. Experimental results consistently demonstrate that ICS-defender outperforms existing frameworks in terms of accuracy and robustness, achieving average accuracies of 93.75%, 94.34%, and 87.12% for power systems attacks datasets and 94.23% for the electric vehicle charging station attacks dataset, surpassing baseline algorithms. This research contributes to advancing secure and resilient ICS, offering significant implications for broader applications and future enhancements in industrial cybersecurity.</p></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100718"},"PeriodicalIF":4.1,"publicationDate":"2024-09-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142164704","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-02DOI: 10.1016/j.ijcip.2024.100717
Vittoria Cozza , Mila Dalla Preda , Ruggero Lanotte , Marco Lucchese , Massimo Merro , Nicola Zannone
Recently released scan data on Shodan reveals that thousands of Industrial Control Systems (ICSs) worldwide are directly accessible via the Internet and, thus, exposed to cyber-attacks aiming at financial gain, espionage, or disruption and/or sabotage. Executing sophisticated cyber–physical attacks aiming to manipulate industrial functionalities requires a deep understanding of the underlying physical process at the core of the target ICS, for instance, through unauthorized access to memory registers of Programmable Logic Controllers (PLCs). However, to date, countermeasures aiming at hindering the comprehension of physical processes remain largely unexplored.
In this work, we investigate the use of obfuscation strategies to complicate process comprehension of ICSs while preserving their runtime evolution. To this end, we propose a framework to design and evaluate obfuscation strategies for PLCs, involving PLC memory registers, PLC code (user program), and the introduction of extra (spurious) physical processes. Our framework categorizes obfuscation strategies based on two dimensions: the type of (spurious) registers employed in the obfuscation strategy and the dependence on the (genuine) physical process. To evaluate the efficacy of proposed obfuscation strategies, we introduce evaluation metrics to assess their potency and resilience, in terms of system invariants the attacker can derive, and their cost in terms of computational overhead due to runtime modifications of spurious PLC registers. We developed a prototype tool to automatize the devised obfuscation strategies and applied them to a non-trivial use case in the field of water tank systems. Our results show that code obfuscation can be effectively used to counter malicious process comprehension of ICSs achieved via scanning of PLC memory registers. To our knowledge, this is the first work using obfuscation as a technique to protect ICSs from such threats. The efficacy of the proposed obfuscation strategies predominantly depends on the intrinsic complexity of the interplay introduced between genuine and spurious registers.
{"title":"Obfuscation strategies for industrial control systems","authors":"Vittoria Cozza , Mila Dalla Preda , Ruggero Lanotte , Marco Lucchese , Massimo Merro , Nicola Zannone","doi":"10.1016/j.ijcip.2024.100717","DOIUrl":"10.1016/j.ijcip.2024.100717","url":null,"abstract":"<div><p>Recently released scan data on Shodan reveals that thousands of <em>Industrial Control Systems</em> (ICSs) worldwide are directly accessible via the Internet and, thus, exposed to cyber-attacks aiming at financial gain, espionage, or disruption and/or sabotage. Executing sophisticated cyber–physical attacks aiming to manipulate industrial functionalities requires a deep understanding of the underlying physical process at the core of the target ICS, for instance, through unauthorized access to memory registers of <em>Programmable Logic Controllers</em> (PLCs). However, to date, countermeasures aiming at hindering the comprehension of physical processes remain largely unexplored.</p><p>In this work, we investigate the use of <em>obfuscation strategies</em> to complicate <em>process comprehension</em> of ICSs while preserving their runtime evolution. To this end, we propose a framework to design and evaluate obfuscation strategies for PLCs, involving PLC memory registers, PLC code (user program), and the introduction of extra (spurious) physical processes. Our framework categorizes obfuscation strategies based on two dimensions: the <em>type of (spurious) registers</em> employed in the obfuscation strategy and the <em>dependence on the (genuine) physical process</em>. To evaluate the efficacy of proposed obfuscation strategies, we introduce <em>evaluation metrics</em> to assess their <em>potency</em> and <em>resilience</em>, in terms of <em>system invariants</em> the attacker can derive, and their <em>cost</em> in terms of computational overhead due to runtime modifications of spurious PLC registers. We developed a prototype tool to automatize the devised obfuscation strategies and applied them to a non-trivial use case in the field of water tank systems. Our results show that code obfuscation can be effectively used to counter malicious process comprehension of ICSs achieved via scanning of PLC memory registers. To our knowledge, this is the first work using obfuscation as a technique to protect ICSs from such threats. The efficacy of the proposed obfuscation strategies predominantly depends on the intrinsic complexity of the interplay introduced between genuine and spurious registers.</p></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"47 ","pages":"Article 100717"},"PeriodicalIF":4.1,"publicationDate":"2024-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S1874548224000581/pdfft?md5=34c2c309641d7172bea1f3fdf4abfc70&pid=1-s2.0-S1874548224000581-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142136032","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-01DOI: 10.1016/S1874-5482(24)00051-9
Roberto Setola
{"title":"It is the time, are you sufficiently resilient?","authors":"Roberto Setola","doi":"10.1016/S1874-5482(24)00051-9","DOIUrl":"10.1016/S1874-5482(24)00051-9","url":null,"abstract":"","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"46 ","pages":"Article 100710"},"PeriodicalIF":4.1,"publicationDate":"2024-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S1874548224000519/pdfft?md5=54538213fe2797447c3bade1b9566663&pid=1-s2.0-S1874548224000519-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142095883","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
扫码关注我们
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号