Industrial Control System Devices Research Articles

MOSTO: A toolkit to facilitate security auditing of ICS devices using Modbus/TCP

The integration of the Internet into industrial plants has connected Industrial Control Systems (ICS) worldwide, resulting in an increase in the number of attack surfaces and the exposure of software and devices not originally intended for networking. In addition, the heterogeneity and technical obsolescence of ICS architectures, legacy hardware, and outdated software pose significant challenges. Since these systems control essential infrastructure such as power grids, water treatment plants, and transportation networks, security is of the utmost importance. Unfortunately, current methods for evaluating the security of ICS are often ad-hoc and difficult to formalize into a systematic evaluation methodology with predictable results. In this paper, we propose a practical method supported by a concrete toolkit for performing penetration testing in an industrial setting. The primary focus is on the Modbus/TCP protocol as the field control protocol. Our approach relies on a toolkit, named MOSTO, which is licensed under GNU GPL and enables auditors to assess the security of existing industrial control settings without interfering with ICS workflows. Furthermore, we present a model-driven framework that combines formal methods, testing techniques, and simulation to (formally) test security properties in ICS networks.

Reconnaissance Techniques and Industrial Control System Tactics Knowledge Graph

In the initial stages of industrial control system (ICS) penetration testing, pentesters conduct reconnaissance by using various tools including Nmap, Shodan, Maltego, Google, Google Hacking Database (GHDB), Recon-ng and more. Testers use various reconnaissance techniques (RTs) within the tools to directly access ICS devices. Many novice ICS-pentesters stop their reconnaissance work upon successfully accessing an ICS device. However, continuing to conduct reconnaissance after initial access can lead to pentesters finding even more information to find more ICS devices, ICS networks, and ways to make ICS exploitation more effective. Our research motivation stems from finding ways to explicitly model the continuation of using RTs once an ICS device is accessed. Knowledge graphs offer an approach for linking RTs together and creating chains of RTs.
 
 MITRE ATT&CK ICS provides a matrix of ICS adversarial behaviours. The matrix consists of main exploit tactics and techniques used to accomplish these tactics. Example techniques include ICS alarm suppression, blocking command messages, starting a device, and stopping services. ATT&CK ICS also provides ICS data sources that defenders use to detect the adversarial techniques. Application logs, files, logon sessions, network traffic, and operational databases represent some of the ICS data sources. We reasoned that if adversaries could find the ICS data sources and discover the ability to modify the data sources, then adversaries could cover their tracks to successfully carry out ICS tactics. For example, ICS attackers could modify log entries to hide the attacker’s steps or ICS attackers could delete alarm notifications that showed that ICS attackers changed ICS settings.
 
 In this work in progress research, we used knowledge-graph modelling techniques to link together RTs with ICS data sources, the ability to modify the data sources, the ability to then cover tracks of ICS techniques, and the impact of techniques on accomplishing ICS tactics. We named the graph RT-ICS Graph. With knowledge graph queries and shortest-path algorithms run over the RT-ICS graph, we showed how RTs can explicitly lead to impacts on adversaries carrying out ICS tactics. The accomplishment of ICS tactics can cause severe damage or harm.

Walking under the ladder logic: PLC-VBS: a PLC control logic vulnerability scanning tool

Cyber security risk assessments provide a crucial starting point towards the understanding of existing risk exposure, via which suitable mitigation strategies can be formed. Risk is viewed as a product of threat, vulnerability and impact, and equal understanding of each of these elements is vitally important. This can be a challenge in Industrial Control System (ICS) environments, where adopted technologies are typically not only bespoke, but interact directly with the physical world. To date, existing vulnerability identification has focused on traditional vulnerability categories. While this approach provides risk assessors with a baseline understanding and the ability to hypothesize about potential resulting impacts, it is rather high level, operating at a level of abstraction that would be viewed as incomplete within a traditional information system context. The work presented in this paper takes the understanding of ICS device vulnerabilities a step deeper. It offers a tool, PLC-VBS, that helps identify Programmable Logic Controller (PLC) vulnerabilities, specifically within logic used to monitor, control, and automate operational processes. PLC-VBS gives risk assessors a more coherent picture about the potential impact should the identified vulnerabilities be exploited; this applies specifically to operational process elements.

Multi-step attack detection in industrial control systems using causal analysis

In the old generation of industrial control systems (ICSs), their sub-components communicated within private networks and, therefore, it was assumed that ICSs are safe from cyber-attacks. However, new advanced ICS sub-components need Internet connectivity to control and monitor their geographically dispersed structure. Connection to corporate networks and the public Internet create various security issues. The increasing number of attacks has become a serious threat for ICS networks. These sophisticated attacks use multiple steps and affect different devices. A major weakness of existing attack detection methods is that they only detect attacks and they do not help security analysts identify the cause and effect of attacks. Therefore, manual analysis is required to identify and isolate the cause of the attack. Causal analysis can help to track the propagation of an attack. While there is weak security in ICS networks, there is not sufficient research in the causal analysis of attacks in these networks. To address this research gap in ICS networks, we present a solution that detects the causal impact of attacks by investigating causal dependencies in ICS logs. Our ICS causal anomaly detection (ICS-CAD) method consists of two phases. It initially detects attacks and identifies the ICS device generating the malicious traffic. Secondly, it analyses causal relationships between ICS logs to diagnose the attacker’s future effect. We use a causal decomposition method to discover causality relationships in ICS logs. The performance of the ICS-CAD is evaluated using two datasets collected in real-world ICS networks. The ICS-CAD provides 98% accuracy in detecting attacks and the causal impact of the detected attacks.

Exploring Ontologies for Mitigation Selection of Industrial Control System Vulnerabilities

Mitigating vulnerabilities in industrial control systems (ICSs) represents a highly complex task. ICSs may contain an abundance of device types, all with unique software and hardware components. Upon discovering vulnerabilities on ICS devices, cyber defenders must determine which mitigations to implement, and which mitigations can apply across multiple vulnerabilities. Cyber defenders need techniques to optimize mitigation selection. This exploratory research paper shows how ontologies, also known as linked-data models, can potentially be used to model ICS devices, vulnerabilities, and mitigations, as well as to identify mitigations that can remediate or mitigate multiple vulnerabilities. Ontologies can be used to reduce the complexity of a cyber defender’s role by allowing for insights to be drawn, especially in the ICS domain. Data are modelled from the Common Platform Enumeration (CPE), the National Vulnerability Database (NVD), standardized list of controls from the National Institute of Standards and Technology (NIST), and ICS Cyber Emergency Response Team (CERT) advisories. Semantic queries provide the techniques for mitigation prioritization. A case study is described for a selected programmable logic controller (PLC), its known vulnerabilities from the NVD, and recommended mitigations from ICS CERT. Overall, this research shows how ontologies can be used to link together existing data sources, to run queries over the linked data, and to allow for new insights to be drawn for mitigation selection.

Don’t get stung, cover your ICS in honey: How do honeypots fit within industrial control system security

The advent of Industry 4.0 and smart manufacturing has led to an increased convergence of traditional manufacturing and production technologies with IP communications. Legacy Industrial Control System (ICS) devices, now interconnected via public networks, are exposed to a wide range of previously unconsidered threats, which must be considered to ensure the continued safe operation of industrial processes. This paper surveys the ICS honeypot deployments in the literature to date, provides an overview of ICS focused threat vectors, and studies how honeypots can be integrated within an organisations defensive strategy. We discuss relevant legislation, such as the UK Cyber Assessment Framework, the US NIST Framework for Improving Critical Infrastructure Cybersecurity, and associated industry-based standards and guidelines supporting operator compliance. This is used to frame a discussion on our survey of existing ICS honeypot implementations, and the role of honeypots in supporting regulatory objectives. We observe that many low-interaction honeypots are limited in their use. This is largely due to the increased knowledge attackers have on how real-world ICS devices are configured and operate vs the configurability of simulated honeypot systems. Furthermore, we find that environments with increased interaction provide more extensive capabilities and value, due to their inherent obfuscation delivered through the use of real-world systems. Based on these insights, we propose a novel framework towards the classification and implementation of ICS honeypots.

Industrial control system device classification using network traffic features and neural network embeddings

Characterization of modern cyber–physical Industrial Control System (ICS) devices is critical to the evaluation of their security posture and an understanding of the underlying industrial processes with which they interact. In this work, we address two related ICS device identification tasks: (1) separating ICS from non-ICS devices and (2) identifying specific ICS device types. We propose two distinct methods (one based on the existing IP2Vec method, and a novel traffic-features-based method) for achieving the first task. For transferability of the first task between two datasets, the traffic-features-based method performs significantly better (75% overall accuracy) compared to IP2Vec (22.5% overall accuracy). We further propose a novel method called DNP2Vec to address the second task. DNP2Vec is evaluated on two different datasets and achieves perfect multi-class classification accuracy (100%) for both datasets.

CyBERT: Cybersecurity Claim Classification by Fine-Tuning the BERT Language Model

We introduce CyBERT, a cybersecurity feature claims classifier based on bidirectional encoder representations from transformers and a key component in our semi-automated cybersecurity vetting for industrial control systems (ICS). To train CyBERT, we created a corpus of labeled sequences from ICS device documentation collected across a wide range of vendors and devices. This corpus provides the foundation for fine-tuning BERT’s language model, including a prediction-guided relabeling process. We propose an approach to obtain optimal hyperparameters, including the learning rate, the number of dense layers, and their configuration, to increase the accuracy of our classifier. Fine-tuning all hyperparameters of the resulting model led to an increase in classification accuracy from 76% obtained with BertForSequenceClassification’s original architecture to 94.4% obtained with CyBERT. Furthermore, we evaluated CyBERT for the impact of randomness in the initialization, training, and data-sampling phases. CyBERT demonstrated a standard deviation of ±0.6% during validation across 100 random seed values. Finally, we also compared the performance of CyBERT to other well-established language models including GPT2, ULMFiT, and ELMo, as well as neural network models such as CNN, LSTM, and BiLSTM. The results showed that CyBERT outperforms these models on the validation accuracy and the F1 score, validating CyBERT’s robustness and accuracy as a cybersecurity feature claims classifier.

Evolution and Trends of Industrial Control System Cyber Incidents since 2017

The industrial control systems (ICSs) that manage our critical infrastructure are increasingly converging with corporate networks and the Internet as technology and businesses prioritize digital connectivity. These connections make them more vulnerable and available to malicious cyber actors who traditionally targeted the companies' more public‐facing information technology (IT) networks. This paper will review select publicly reported cyber incidents to highlight the continued and growing threat to ICS devices and operational technology (OT) environments. It will summarize the incident and when available, will provide information on the cyber actors, the vulnerabilities they exploited, and any publications the U.S. Government (USG) provided in response. Data belonging to the Department of Homeland Security (DHS) will be used to highlight quantitative trends concerning ICS incidents. This paper builds on “History of Industrial Control System Cyber Incidents” (Hemsley & Fisher 2018), a paper that highlighted select noteworthy threats and incidents to ICS systems up to 2017. This paper will similarly review select incidents occurring after the last previously reviewed incident, Triton/HatMan, December 2017, and will note ICS incident trends including IT/OT convergence and advances in cyber‐threat actors' capabilities in observed in the examined incidents.

Threat Intelligence Generation Using Network Telescope Data for Industrial Control Systems

Industrial Control Systems (ICSs) are cyber-physical systems that offer attractive targets to threat actors due to the scale of damages, both physical and cyber, that successful exploitation can cause. As such, ICSs often find themselves victims to reconnaissance campaigns - coordinated scanning activity that targets a wide subset of the Internet - that aim to discover vulnerable systems. As these campaigns likely scan broad netblocks of the Internet, some traffic is directed to network telescopes, which are routable, allocated, and unused IP space. In this paper, we explore the threat landscape of ICS devices by analyzing and investigating network telescope traffic. Our network traffic analysis tool takes darknet traffic and generates threat intelligence on scanning campaigns targeting ICSs in the form of campaign fragments, which we leverage in new ways to get more in-depth knowledge of the cybersecurity threats. We investigate the payloads of the identified campaigns using a custom Deep Packet Inspection (DPI) technique to dissect and analyze the packets. We found 13 distinct payload templates and deduced their purpose, and by extension the campaign goals. We use machine learning to classify the sources behind the campaigns and identify threat actors such as botnets, malicious attackers, or researchers, and establish a methodology to rank our campaigns to prioritize our analysis. To conduct our analysis of the threats targeting ICSs, we have leveraged 12.85 TB (330 days) of network traffic received by our observed darknet IP space. Combining these investigative threads, we provide a thorough overview of the threat landscape targeting ICS systems.

Vulnerabilities on the wire: Mitigations for insecure ICS device communication

Modbus transmission control protocol (TCP) and other legacy ICS protocols ported over from serial communications are widely used in many ICS verticals. Due to extended operational industrial control system (ICS) component life, these protocols will be used for many years to come. Insecure ICS protocols allow attackers to potentially manipulate programmable logic controller (PLC) code and logic values that could lead to disrupted critical system operations. These protocols are susceptible to replay attacks and unauthenticated command execution.1 This paper examines the viability of deploying PLC configuration modifications, programming best practices and network security controls to demonstrate that it is possible to increase the difficulty for attackers to maliciously abuse ICS devices and mitigate the effects of attacks based on insecure ICS protocols. Student kits provided in SANS ICS515 and ICS612 courses form the backdrop for testing and evaluating ICS protocols and device configurations.

IFinger: Intrusion Detection in Industrial Control Systems via Register-Based Fingerprinting

Nowadays, the industrial control system (ICS) plays a vital role in critical infrastructures like the power grid. However, there is an increasing security concern that ICS devices are being vulnerable to malicious users/attackers, where any subtle changing or tampering attack would cause significant damage to industrial manufacturing. In this paper, we propose the iFinger , a novel detection approach designed to mitigate ICS attacks adapting to various industrial scenes. We take advantage of an important insight that industrial protocol packets include register status values that are used to reflect the physical characteristics of ICS controllers. The iFinger utilizes register states to generate ICS fingerprints to detect malicious attacks on industrial networks. Specifically, the boolean logic represents every register state sequence of the ICS controller, and the deterministic finite automaton (DFA) generates a device fingerprint. To discover the ICS attacks, we propose two detection approaches based on device fingerprints, including passive and active detection. We present a prototype of the iFinger and conduct real-world experiments to validate its performance. Results show that our approach achieves 97.1% F1 score in ICS device identification. Furthermore, we simulate two typical ICS attacks (replacement and code modification) to validate the effectiveness of our iFinger in industrial networks. Our device fingerprints would detect those malicious attacks within 2s latency at 98.0% recall.

Identifying Honeypots from ICS Devices Using Lightweight Fuzzy Testing

The security issues of industrial control systems (ICSs) have become increasingly prevalent. As an important part of ICS security, honeypots and antihoneypots have become the focus of offensive and defensive confrontation. However, research on ICS honeypots still lacks breakthroughs, and it is difficult to simulate real ICS devices perfectly. In this paper, we studied ICS honeypots to identify and address their weaknesses. First, an intelligent honeypot identification framework is proposed, based on which feature data type requirements and feature data acquisition for honeypot identification is studied. Inspired by vulnerability mining, we propose a feature acquisition approach based on lightweight fuzz testing, which utilizes the differences in error handling between the ICS device and the ICS honeypot. By combining the proposed method with common feature acquisition approaches, the integrated feature data can be obtained. The experimental results show that the feature data acquired is effective for honeypot identification.

Trends and Detection Avoidance of Internet-Connected Industrial Control Systems

The search engine Shodan crawls the Internet for, among other things, Industrial Control Systems (ICS). ICS are devices used to operate and automate industrial processes. Due to the increasing popularity of the Internet, these devices are getting more and more connected to the Internet. These devices will, if not hidden, be shown on Shodan. This study uses Shodan, together with data found by other researches to plot the trends of these ICS devices. The studied trends focus on the country percentage distribution and the usage of ICS protocols. The results show that all studied countries, except the United States, have decreased their percentage of world total ICS devices. We suspect that this does not represent the real story, as companies are getting better at hiding their devices from online crawlers. Our results also show that the usage of old ICS protocols is increasing. One of the explanations is that industrial devices, running old communication protocols, are increasingly getting connected to the Internet. In addition to the trend study, we evaluate Shodan by studying the time it takes for Shodan to index one of our devices on several networks. We also study ways of avoiding detection by Shodan and show that, by using a method called port knocking, it is relatively easy for a device to hide from Shodan, but remain accessible for legitimate users.

Anomaly detection for industrial control systems using process mining

Industrial control systems (ICS) are moving from dedicated communications to switched and routed corporate networks, exposing them to the Internet and placing them at risk of cyber-attacks. Existing methods of detecting cyber-attacks, such as intrusion detection systems (IDSs), are commonly implemented in ICS and SCADA networks. However, these devices do not detect more complex threats that manifest themselves gradually over a period of time through a combination of unusual sequencing of activities, such as process-related attacks. During the normal operation of ICSs, ICS devices record device logs, capturing their industrial processes over time. These logs are a rich source of information that should be analysed in order to detect such process-related attacks.In this paper, we present a novel process mining anomaly detection method for identifying anomalous behaviour and cyber-attacks using ICS data logs and the conformance checking analysis technique from the process mining discipline. A conformance checking analysis uses logs captured from production systems with a process model (which captures the expected behaviours of a system) to determine the extent to which real behaviours (captured in the logs) matches the expected behaviours (captured in the process model). The contributions of this paper include an experimentally derived recommendation for logging practices on ICS devices, for the purpose of process mining-based analysis; a formalised approach for pre-processing and transforming device logs from ICS systems into event logs suitable for process mining analysis; guidance on how to create a process model for ICSs and how to apply the created process model through a conformance checking analysis to identify anomalous behaviours. Our anomaly detection method has been successfully applied in detecting ICS cyber-attacks, which the widely used IDS Snort does not detect, using logs derived from industry standard ICS devices.

Understanding the Usage of Industrial Control System Devices on the Internet

Industrial control system (ICS) devices play a crucial role in critical infrastructures, such as power grid. In recent years, numerous ICS devices are accessible on the Internet, resulting in potential security issues. However, there is a lack of deep understanding of these devices’ characteristics in the cyberspace. In this paper, we take the first step in this direction by investigating these visible ICS devices on the Internet. Because of the critical nature of ICSs, the detection of online ICS devices should be done in a nonintrusive and timely manner. We first analyze 17 industrial protocols widely used in ICSs and train a probability model through the learning algorithm to improve detection accuracy. Then, we discover online ICS devices in the IPv4 space while reducing the negative effects caused by industrial honeypots and dynamic IP addresses. To observe the dynamics of ICS devices in a relatively long run, we have deployed our discovery system on Amazon EC2 and detected online ICS devices in the whole IPv4 space for eight times from August 2015 to March 2016. Based on the ICS device data collection, we conduct a comprehensive data analysis to characterize the usage of ICS devices, especially in answer to the following three questions: 1) what are the distribution features of ICS devices; 2) who use these ICS devices; and 3) what are the functions of these ICS devices.

Characterizing and Modeling Patching Practices of Industrial Control Systems

Industrial Control Systems (ICS) are widely deployed in mission critical infrastructures such as manufacturing, energy, and transportation. The mission critical nature of ICS devices poses important security challenges for ICS vendors and asset owners. In particular, the patching of ICS devices is usually deferred to scheduled production outages so as to prevent potential operational disruption of critical systems. Unfortunately, anecdotal evidence suggests that ICS devices are riddled with security vulnerabilities that are not patched in a timely manner, which leaves them vulnerable to exploitation by hackers, nation states, and hacktivist organizations. In this paper, we present the results from our longitudinal measurement and characterization study of ICS patching behavior. Our study is based on IP scan data collected from Shodan over the duration of three years for more than 500 known industrial ICS protocols and products. Our longitudinal measurements reveal the impact of vulnerability disclosures on ICS patching. Our analysis of more than 100 thousand Internet-exposed ICS devices reveals that about 50% upgrade to newer patched versions within 60 days of a vulnerability disclosure. Based on our measurement and analysis, we further propose a variation of the Bass model to forecast the patching behavior of ICS devices. The evaluation shows that our proposed models have comparable prediction accuracy when contrasted against traditional ARIMA timeseries forecasting models, while requiring less parameters and being amenable to direct physical interpretation.

Characterizing and Modeling Patching Practices of Industrial Control Systems

Industrial Control Systems (ICS) are widely deployed in mission critical infrastructures such as manufacturing, energy, and transportation. The mission critical nature of ICS devices poses important security challenges for ICS vendors and asset owners. In particular, the patching of ICS devices is usually deferred to scheduled production outages so as to prevent potential operational disruption of critical systems. In this paper, we present the results from our longitudinal measurement and characterization study of ICS patching behavior. Our analysis of more than 100 thousand Internet-exposed ICS devices reveals that fewer than 30% upgrade to newer patched versions within 60 days of a vulnerability disclosure. Based on our measurement and analysis, we further propose a model to forecast the patching behavior of ICS devices.

Who's attacking your industrial control systems?: Part 1

The critical national infrastructure is increasingly reliant on modern industrial control systems (ICS) to ensure effective operation in meeting consumer demands. The impact of an ICS cyber-attack can potentially cause disruption to business operations and services, damage and destruction of equipment and injury to people. To provide an effective defence against an ICS cyber-attack, it is necessary to understand the tactics, tools and techniques used by digital attackers. This study looks at who is attacking ICS and how they are doing it by providing an emulated vulnerable IT and ICS environment. It is shown that attacks against unprotected or weakly protected ICS devices occur on a regular basis and originate from countries around the world, with particularly high volumes of attack originating in Eastern China and Western Europe. By exposing a broad attack surface, it is demonstrated that the routes to accessing and exploiting vulnerable ICS are many and varied.