Industrial Control Systems Security Research Articles

A novel generative adversarial network-based fuzzing cases generation method for industrial control system protocols

With the interconnection and networking of industrial control systems (ICS), security vulnerabilities in ICS protocols have become a major source of threats to these systems. In order to discover these vulnerabilities and maintain ICS security, generative adversarial network-based fuzz testing (Fuzzing) has been introduced as a popular method to discover vulnerabilities in industrial control system protocols (ICSPs). However, the current approach based on generative adversarial network fuzz testing suffers from problems in terms of compatibility and repetitive generation of test examples, and low acceptance rate. To address these issues, this paper proposes a fuzzing approach based on the synergy of Wasserstein Generative Intelligent Networks (WGAN) and Variation Autoencoder (VAE). In addition, we design an intelligent fuzz framework, WGGFuzz, to efficiently generate a large number of test cases while ensuring the accuracy of the testing results for efficiently generating a large number of test cases in a short period of time. The framework, which does not incorporate ICSPs applicable to a wide range of, shows through experiments that WGGFuzz can be able to achieve 91% in terms of TCRR, 1.41 in terms of ATE, and better performance in terms of DGD.

Enhancing Data Preservation and Security in Industrial Control Systems through Integrated IOTA Implementation

Within the domain of industrial control systems, safeguarding data integrity stands as a pivotal endeavor, especially in light of the burgeoning menace posed by malicious tampering and potential data loss. Traditional data storage paradigms, tethered to physical hard disks, are fraught with inherent susceptibilities, underscoring the pressing need for the deployment of resilient preservation frameworks. This study delves into the transformative potential offered by distributed ledger technology (DLT), with a specific focus on IOTA, within the expansive landscape of the Internet of Things (IoT). Through a meticulous examination of the intricacies inherent to data transmission protocols, we present a novel paradigm aimed at fortifying data security. Our approach advocates for the strategic placement of IOTA nodes on lower-level devices, thereby streamlining the transmission pathway and curtailing vulnerabilities. This concerted effort ensures the seamless preservation of data confidentiality and integrity from inception to storage, bolstering trust in the convergence of IoT and DLT technologies. By embracing proactive measures, organizations can navigate the labyrinthine terrain of data management, effectively mitigate risks, and cultivate an environment conducive to innovation and progress.

Feasibility of Using Seq-GAN Model in Vulnerability Detection of Industrial Control Protocols

Continuous improvement of internet technology has driven the continuous progress and improvement of industrial control systems, and provided more support for security vulnerability detection in this field. Combining the GAN model, the detection model based on Seq-GAN in industrial control protocol vulnerabilities constructed in this article provides more options for further improving the security of industrial control systems, and can detect and analyse security vulnerabilities in industrial control protocols more efficiently and accurately. By comparing the performance of different models for security vulnerability detection, the Seq-GAN model has smaller prediction errors, can also obtain higher G-mean and F1-score values, and has sufficient reliability. At the same time, it can also improve the efficiency of vulnerability detection in industrial control systems, and can achieve better comprehensive detection performance. Therefore, the application of the Seq-GAN model in industrial control protocol vulnerability detection can provide more support for improving security detection in this field.

Enhancing Industrial Control System Security: An Isolation Forest-based Anomaly Detection Model for Mitigating Cyber Threats

Enhancing Industrial Control System Security: An Isolation Forest-based Anomaly Detection Model for Mitigating Cyber Threats

Risk assessment for industrial control systems based on asymmetric connection cloud and Choquet integral

Once industrial control systems are targeted by cyber-attacks, the consequences can be severe, including asset loss, environmental pollution, and public security risks. Risk assessment is an important way to ensure that industrial control systems operate efficiently, steadily and safely. The purpose of this paper is to develop a risk assessment model for industrial control systems based on asymmetric connection cloud and Choquet integral, which fully takes into account the fact that values of risk indicators are often fuzzy, random, asymmetrically distributed in finite intervals, and there are interactions among different indicators. To do so, we first establish a risk assessment index system to ensure the full reflection of availability, integrity, and confidentiality in the results of risk assessment for industrial control systems. Then we establish classification standards for each evaluation indicator based on the importance of assets, vulnerabilities, and threats in evaluating the risk of industrial control systems. Next we develop a risk assessment model based on asymmetric connection cloud and Choquet integral to determine the risk level of industrial control systems. In the following, an example is provided to demonstrate the feasibility and reliability of this proposed model. The experimental results have demonstrated a high level of credibility in assessing cyber-attacks by the proposed model, indicating its potential for analyzing the current security and risk posture of industrial control systems.

Industrial Control Systems Security Validation Based on MITRE Adversarial Tactics, Techniques, and Common Knowledge Framework

Industrial Control Systems (ICSs) have become the cornerstone of critical sectors like energy, transportation, and manufacturing. However, the burgeoning interconnectivity of ICSs has also introduced heightened risks from cyber threats. The urgency for robust ICS security validation has never been more pronounced. This paper provides an in-depth exploration of using the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to validate ICS security. Although originally conceived for enterprise Information Technology (IT), the MITRE ATT&CK framework’s adaptability makes it uniquely suited to address ICS-specific security challenges, offering a methodological approach to identifying vulnerabilities and bolstering defence mechanisms. By zeroing in on two pivotal attack scenarios within ICSs and harnessing a suite of security tools, this research identifies potential weak points and proposes solutions to rectify them. Delving into Indicators of Compromise (IOCs), investigating suitable tools, and capturing indicators, this study serves as a critical resource for organisations aiming to fortify their ICS security. Through this lens, we offer tangible recommendations and insights, pushing the envelope in the domain of ICS security validation.

Graph Attention Network and Informer for Multivariate Time Series Anomaly Detection.

Time series anomaly detection is very important to ensure the security of industrial control systems (ICSs). Many algorithms have performed well in anomaly detection. However, the performance of most of these algorithms decreases sharply with the increase in feature dimension. This paper proposes an anomaly detection scheme based on Graph Attention Network (GAT) and Informer. GAT learns sequential characteristics effectively, and Informer performs excellently in long time series prediction. In addition, long-time forecasting loss and short-time forecasting loss are used to detect multivariate time series anomalies. Short-time forecasting is used to predict the next time value, and long-time forecasting is employed to assist the short-time prediction. We conduct a large number of experiments on industrial control system datasets SWaT and WADI. Compared with most advanced methods, we achieve competitive results, especially on higher-dimensional datasets. Moreover, the proposed method can accurately locate anomalies and realize interpretability.

Techniques for Enhancing Security in Industrial Control Systems

Increasingly Industrial Control Systems (ICS) systems are being connected to the Internet to minimise the operational costs and provide additional flexibility. These control systems such as the ones used in power grids, manufacturing and utilities operate continually and have long lifespans measured in decades rather than years as in the case of Information Technology (IT) systems. Such industrial control systems require uninterrupted and safe operation. However, they can be vulnerable to a variety of attacks, as successful attacks on critical control infrastructures could have devastating consequences to the safety of human lives as well as a nation’s security and prosperity. Furthermore, there can be a range of attacks that can target ICS and it is not easy to secure these systems against all known attacks let alone unknown ones. In this paper, we propose a software enabled security architecture using Software Defined Networking (SDN) and Network Function Virtualisation (NFV) that can enhance the capability to secure industrial control systems. We have designed such an SDN/NFV enabled security architecture and developed a Control System Security Application (CSSA) in SDN Controller for enhancing security in ICS by achieving real time situational awareness and dynamic policy-driven decision making across the network infrastructure. In particular, CSSA can be used for establishing secure path for end-to-end communication between devices and also deal against certain specific attacks namely denial of service attacks, from unpatched vulnerable control system components and securing the communication flows from the legacy devices that do not support any security functionality. We also discuss how CSSA provides reliable paths for safety critical messages in control systems. We discuss the prototype implementation of the proposed architecture and the results obtained from our analysis.

Scrutinizing Security in Industrial Control Systems: An Architectural Vulnerabilities and Communication Network Perspective

Scrutinizing Security in Industrial Control Systems: An Architectural Vulnerabilities and Communication Network Perspective

Dynamic Data Abstraction-Based Anomaly Detection for Industrial Control Systems

Industrial control systems (ICS) are critical networks directly linked to the value of core national and societal assets, yet they are increasingly becoming primary targets for numerous cyberattacks today. The ICS network, a fusion of operational technology (OT) and information technology (IT) networks, possesses a broad attack vector, and attacks targeting ICS often take the form of advanced persistent threats (APTs) exploiting zero-day vulnerabilities. However, most existing ICS security techniques have been adaptations of security technologies for IT networks, and security measures tailored to the characteristics of ICS data are currently insufficient. To mitigate cyber threats to ICS networks, this paper proposes an anomaly detection technique based on dynamic data abstraction. The proposed method abstracts ICS data collected in real time using a dynamic data abstraction technique based on noise reduction. The abstracted data are then used to optimize both the update rate and the detection accuracy of the anomaly detection model through model adaptation and incremental learning processes. The proposed approach updates the model by quickly reflecting data on new attack patterns and their distributions, effectively shortening the dwell time in response to APTs utilizing zero-day vulnerabilities. We demonstrate the attack response performance and detection accuracy of the proposed dynamic data abstraction-based anomaly detection technique through experiments using the SWaT dataset generated from a testbed of an actual ICS process. The experiments show that the proposed model achieves high accuracy with a small number of abstracted data while rapidly learning new attack pattern data in real-time without compromising accuracy. The proposed technique can effectively respond to cyberattacks targeting ICS by quickly learning and reflecting trends in attack patterns that exploit zero-day vulnerabilities.

Threat Attribution and Reasoning for Industrial Control System Asset

Due to the widespread use of the industrial internet of things, the industrial control system has steadily transformed into an intelligent and informational one. To increase the industrial control system's security, based on industrial control system assets, this paper provides a method of threat modeling, attributing, and reasoning. First, this method characterizes the asset threat of an industrial control system by constructing an asset security ontology based on the asset structure. Second, this approach makes use of machine learning to identify assets and attribute the attacker's attack path. Subsequently, inference rules are devised to replicate the attacker's attack path, thereby reducing the response time of security personnel to threats and strengthening the semantic relationship between asset security within industrial control systems. Finally, the process is used in the simulation environment and real case scenario based on the power grid, where the assets and attacks are mapped. The actual attack path is deduced, and it demonstrates the approach's effectiveness.

Industrial cyber-physical systems protection: A methodological review

Ubiquitous utilization of Information and Communication Technologies in modern manufacturing plants has transformed them into Cyber-Physical Systems (CPSs), making them susceptible to cyber-attacks, which can have huge economic and social impact.In this paper, we focus on the security issues that may affect the Industrial Control System (ICS) supervising an industrial establishment. The purpose of this work is to provide readers with an up-to-date view of the methodologies that current literature suggests as the most appropriate to defend an ICS against cyber-attacks. We firstly provide a classification of existing attacks according to the methodology used by the attacker. Subsequently, we propose a classification of defensive countermeasures in Model and Artificial Intelligence-based approaches by analyzing most recent research contributions. Furthermore, we describe the most used datasets in literature that are available to researchers and practitioners. We conclude the paper by discussing today's open issues, which need to be addressed to cope with the increasing complexity of ICS security.

Survey on Application of Trusted Computing in Industrial Control Systems

The Fourth Industrial Revolution, also known as Industrial 4.0, has greatly accelerated inter-connectivity and smart automation in industrial control systems (ICSs), which has introduced new challenges to their security. With the fast growth of the Internet of Things and the advent of 5G/6G, the collaboration of Artificial Intelligence (Al) and the Internet of Things (loT) in ICSs has also introduced lots of security issues as it highly relies on advanced communication and networking techniques. Frequent ICS security incidents have demonstrated that attackers have the ability to stealthily breach the current system defenses and cause catastrophic effects to ICSs. Thankfully, trusted computing technology, which has been a popular research topic in the field of information security in recent years, offers distinct advantages when applied to ICSs. In this paper, we first analyze the vulnerabilities of ICSs and the limitations of existing protection technologies. Then, we introduce the concept of trusted computing and present a security framework for ICSs based on Trusted Computing 3.0. Finally, we discuss potential future research directions.

Smarter Evolution: Enhancing Evolutionary Black Box Fuzzing with Adaptive Models.

Smart production ecosystems are a valuable target for attackers. In particular, due to the high level of connectivity introduced by Industry 4.0, attackers can potentially attack individual components of production systems from the outside. One approach to strengthening the security of industrial control systems is to perform black box security tests such as network fuzzing. These are applicable, even if no information on the internals of the control system is available. However, most security testing strategies assume a gray box setting, in which some information on the internals are available. We propose a new approach to bridge the gap between these gray box strategies and the real-world black box setting in the domain of industrial control systems. This approach involves training an adaptive machine learning model that approximates the information that is missing in a black box setting. We propose three different approaches for the model, combine them with an evolutionary testing approach, and perform an evaluation using a System under Test with known vulnerabilities. Our evaluation shows that the model is indeed able to learn valuable information about a previously unknown system, and that more vulnerabilities can be uncovered with our approach. The model-based approach using a Decision Tree was able to find a significantly higher number of vulnerabilities than the two baseline fuzzers.

MOSTO: A toolkit to facilitate security auditing of ICS devices using Modbus/TCP

The integration of the Internet into industrial plants has connected Industrial Control Systems (ICS) worldwide, resulting in an increase in the number of attack surfaces and the exposure of software and devices not originally intended for networking. In addition, the heterogeneity and technical obsolescence of ICS architectures, legacy hardware, and outdated software pose significant challenges. Since these systems control essential infrastructure such as power grids, water treatment plants, and transportation networks, security is of the utmost importance. Unfortunately, current methods for evaluating the security of ICS are often ad-hoc and difficult to formalize into a systematic evaluation methodology with predictable results. In this paper, we propose a practical method supported by a concrete toolkit for performing penetration testing in an industrial setting. The primary focus is on the Modbus/TCP protocol as the field control protocol. Our approach relies on a toolkit, named MOSTO, which is licensed under GNU GPL and enables auditors to assess the security of existing industrial control settings without interfering with ICS workflows. Furthermore, we present a model-driven framework that combines formal methods, testing techniques, and simulation to (formally) test security properties in ICS networks.

Federated-SRUs: A Federated-Simple-Recurrent-Units-Based IDS for Accurate Detection of Cyber Attacks Against IoT-Augmented Industrial Control Systems

The security of Industrial Control Systems (ICS) against cyber-attacks is essential in modern era since ICSs are vital constituent of modern societies and smart cities. However, the augmentation of legacy ICS networks with smart computing and networking technologies (such as, IoT) have intensely enlarged the surface of attacks against these critical infrastructures. This augmentation makes these networks more vulnerable to cyber-attacks and despite the current security solutions, attackers still find ways to proliferate these networks. Intrusion Detection System (IDS) is one of the key security aspect to prevent these networks from contemporary cyber-attacks. Therefore, this paper proposes a new IDS model named Federated-SRUs (simple recurrent units) for the security of IoT-based ICSs. Specifically, the Federated-SRUs IDS model uses an improved simple recurrent units architecture to reduce computational cost and alleviate the gradient vanishing issue in recurrent networks. Then, it performs data aggregation through several communication rounds in federated architecture which allows multiple ICS networks and stakeholders to build a comprehensive IDS model in a privacy-preserving manner. The performance of Federated-SRUs IDS model is validated through experiments using real-world gas pipeline-based ICS network data, which indicates that it is able to accurately detect intrusions in real-time without compromising privacy and security. Experiments also verify that the Federated-SRUs model outperforms existing state-of-the-art approaches and thus can serve as a viable IDS method in IoT-based ICS networks.

Security-Enhanced Serial Communications

Industrial Control Systems (ICS) are widely used by critical infrastructure and are ubiquitous in numerous industries including telecommunications, petrochemical, and manufacturing. ICS are at a high risk of cyber attack given their internet accessibility, inherent lack of security, deployment timelines, and criticality. A unique challenge in ICS security is the prevalence of serial communication buses and other non-TCP/IP communications protocols. The communication protocols used within serial buses often lack authentication and integrity protections, leaving them vulnerable to spoofing and replay attacks. The bandwidth constraints and prevalence of legacy hardware in these systems prevent the use of modern message authentication and integrity techniques, such as those provided by Transport Layer Security (TLS). Our approach seeks to address the challenges of providing authentication to serial communications while keeping the existing serial communications bus in place and adding minimal hardware. Here we demonstrate the integration of field-programmable gate arrays (FPGAs) on the bus to inject message authentication codes into an out-of-band (OOB) communications channel, leveraging Power Line Communication (PLC) techniques. Our results show that simple solutions can be integrated into existing serial communications to provide necessary security features in critically important systems. The presented solution is inexpensive, scales well, is modular and extensible, and has low temporal overhead. Providing authenticated serial communications for critical infrastructure systems will improve their ability to resist cyber attacks.

ICSSIM — A framework for building industrial control systems security testbeds

With the advent of the smart industry, Industrial Control Systems (ICS) moved from isolated environments to connected platforms to meet Industry 4.0 targets. The inherent connectivity in these services exposes such systems to increased cybersecurity risks. To protect ICSs against cyberattacks, intrusion detection systems (IDS) empowered by machine learning are used to detect abnormal behavior of the systems. Operational ICSs are not safe environments to research IDSs due to the possibility of catastrophic risks. Therefore, realistic ICS testbeds enable researchers to analyze and validate their IDSs in a controlled environment. Although various ICS testbeds have been developed, researchers’ access to a low-cost, extendable, and customizable testbed that can accurately simulate ICSs and suits security research is still an important issue.In this paper, we present ICSSIM, a framework for building customized virtual ICS security testbeds in which various cyber threats and network attacks can be effectively and efficiently investigated. This framework contains base classes to simulate control system components and communications. Simulated components are deployable on actual hardware such as Raspberry Pis, containerized environments like Docker, and simulation environments such as GNS-3. ICSSIM also offers physical process modeling using software and hardware in the loop simulation. This framework reduces the time for developing ICS components and aims to produce extendable, versatile, reproducible, low-cost, and comprehensive ICS testbeds with realistic details and high fidelity. We demonstrate ICSSIM by creating a testbed and validating its functionality by showing how different cyberattacks can be applied.

PREIUD: An Industrial Control Protocols Reverse Engineering Tool Based on Unsupervised Learning and Deep Neural Network Methods

The security of industrial control systems relies on the communication and data exchange capabilities provided by industrial control protocols, which can be complex, and may even use encryption. Reverse engineering these protocols has become an important topic in industrial security research. In this paper, we present PREIUD, a reverse engineering tool for industrial control protocols, based on unsupervised learning and deep neural network methods. The reverse process is divided into stages. First, we use the bootstrap voting expert algorithm to infer the keyword segment boundaries of the protocols, considering the symmetry properties. Then, we employ a bidirectional long short-term memory conditional random field with an attention mechanism to classify the protocols and extract their format and semantic features. We manually constructed data sample sets for six commonly used industrial protocols, and used them to train and test our model, comparing its performance to two advanced protocol reverse tools, MSERA and Discoverer. Our results showed that PREIUD achieved an average accuracy improvement of 7.4% compared to MSERA, and 15.4% compared to Discoverer, while also maintaining a balance between computational conciseness and efficiency. Our approach represents a significant advancement in the field of industrial control protocol reverse engineering, and we believe it has practical implications for securing industrial control systems.

Controller Cyber-Attack Detection and Isolation

This article deals with the cyber security of industrial control systems. Methods for detecting and isolating process faults and cyber-attacks, consisting of elementary actions named "cybernetic faults" that penetrate the control system and destructively affect its operation, are analysed. FDI fault detection and isolation methods and the assessment of control loop performance methods developed in the automation community are used to diagnose these anomalies. An integration of both approaches is proposed, which consists of checking the correct functioning of the control algorithm based on its model and tracking changes in the values of selected control loop performance indicators to supervise the control circuit. A binary diagnostic matrix was used to isolate anomalies. The presented approach requires only standard operating data (process variable (PV), setpoint (SP), and control signal (CV). The proposed concept was tested using the example of a control system for superheaters in a steam line of a power unit boiler. Cyber-attacks targeting other parts of the process were also included in the study to test the proposed approach's applicability, effectiveness, and limitations and identify further research directions.