Industrial control systems (ICS) are moving from dedicated communications to switched and routed corporate networks, exposing them to the Internet and placing them at risk of cyber-attacks. Existing methods of detecting cyber-attacks, such as intrusion detection systems (IDSs), are commonly deployed in ICS and SCADA networks. However, these devices do not detect more complex threats that manifest gradually over a period of time through an unusual sequencing of otherwise legitimate activities, such as process-related attacks. During normal operation, ICS devices record device logs that capture their industrial processes over time. These logs are a rich source of information that should be analysed in order to detect such process-related attacks.
In this paper, we present a novel process mining anomaly detection method for identifying anomalous behaviour and cyber-attacks using ICS data logs and the conformance checking analysis technique from the process mining discipline. A conformance checking analysis compares logs captured from production systems with a process model (which captures the expected behaviours of a system) to determine the extent to which the real behaviours (captured in the logs) match the expected behaviours (captured in the process model). The contributions of this paper include an experimentally derived recommendation for logging practices on ICS devices, for the purpose of process mining-based analysis; a formalised approach for pre-processing and transforming device logs from ICS devices into event logs suitable for process mining analysis; and guidance on how to create a process model for an ICS and how to apply the created process model through a conformance checking analysis to identify anomalous behaviours. Our anomaly detection method has been successfully applied in detecting ICS cyber-attacks that the widely used IDS Snort does not detect, using logs derived from industry standard ICS devices.
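The abstract above describes the pipeline only in outline. The following is an added illustration, not code from the paper: a constructed PLC device log is pre-processed into an event log (one case per control cycle), each case is replayed against a hand-built process model of the expected cycle, and deviations lower a fitness score so that cycles with unusual sequencing are reported. The log format, the activity names, the tank-filling cycle and the transition-system model are all assumptions for illustration; the replay is a simple token-style replay over a chain-shaped model, not the paper's formal approach.

```python
"""Conformance checking of ICS device logs against a process model (added example)."""
import re
from collections import defaultdict

# Constructed device-log lines in an assumed "<timestamp> <device> cycle=<n> <event>" format.
# Cycle 1 is the expected sequence; cycle 2 closes the valve while the pump still runs;
# cycle 3 starts the pump before the valve is opened.
RAW_LOG = """\
2023-01-01T10:00:00 PLC1 cycle=1 VALVE_OPEN
2023-01-01T10:00:05 PLC1 cycle=1 PUMP_START
2023-01-01T10:00:30 PLC1 cycle=1 LEVEL_HIGH
2023-01-01T10:00:31 PLC1 cycle=1 PUMP_STOP
2023-01-01T10:00:32 PLC1 cycle=1 VALVE_CLOSE
2023-01-01T10:05:00 PLC1 cycle=2 VALVE_OPEN
2023-01-01T10:05:05 PLC1 cycle=2 PUMP_START
2023-01-01T10:05:31 PLC1 cycle=2 VALVE_CLOSE
2023-01-01T10:05:32 PLC1 cycle=2 PUMP_STOP
2023-01-01T10:10:00 PLC1 cycle=3 PUMP_START
2023-01-01T10:10:05 PLC1 cycle=3 VALVE_OPEN
2023-01-01T10:10:30 PLC1 cycle=3 LEVEL_HIGH
2023-01-01T10:10:31 PLC1 cycle=3 PUMP_STOP
2023-01-01T10:10:32 PLC1 cycle=3 VALVE_CLOSE
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) cycle=(?P<case>\d+) (?P<activity>\S+)$")

def parse_event_log(raw):
    """Pre-process a device log into an event log: case id -> activities in timestamp order."""
    cases = defaultdict(list)
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # unparsable lines are dropped here; a real pipeline should count them
            cases[m["case"]].append((m["ts"], m["activity"]))
    return {case: [act for _, act in sorted(events)] for case, events in cases.items()}

# Assumed process model as a transition system: state -> {activity: next state}.
# Expected cycle: VALVE_OPEN -> PUMP_START -> LEVEL_HIGH -> PUMP_STOP -> VALVE_CLOSE
START, END = "start", "end"
MODEL = {
    START: {"VALVE_OPEN": "valve_open"},
    "valve_open": {"PUMP_START": "pumping"},
    "pumping": {"LEVEL_HIGH": "full"},
    "full": {"PUMP_STOP": "pump_stopped"},
    "pump_stopped": {"VALVE_CLOSE": END},
    END: {},
}

def _skip_forward(state, activity, model):
    """Reach a state that permits `activity` using model moves only (chain-shaped model).
    Returns (skipped_activities, new_state), or None if the activity is unreachable."""
    skipped, cur = [], state
    while activity not in model[cur]:
        if len(model[cur]) != 1:          # dead end (or branching this toy search ignores)
            return None
        (nxt_act, nxt_state), = model[cur].items()
        skipped.append(nxt_act)
        cur = nxt_state
    return skipped, model[cur][activity]

def model_path_len(model=MODEL):
    """Length of the expected cycle; used as the worst-case alignment cost."""
    n, state = 0, START
    while model[state]:
        (_, state), = model[state].items()
        n += 1
    return n

def replay(trace, model=MODEL):
    """Replay one case; log moves are events the model does not explain, model moves are
    expected events that never occurred. Fitness 1.0 means full conformance."""
    state, log_moves, model_moves = START, [], []
    for act in trace:
        step = _skip_forward(state, act, model)
        if step is None:
            log_moves.append(act)
        else:
            skipped, state = step
            model_moves.extend(skipped)
    while model[state]:                    # trace ended before the cycle completed
        (nxt_act, state), = model[state].items()
        model_moves.append(nxt_act)
    worst = len(trace) + model_path_len(model)
    cost = len(log_moves) + len(model_moves)
    return {"fitness": 1 - cost / worst if worst else 1.0,
            "log_moves": log_moves, "model_moves": model_moves}

def check_conformance(raw_log):
    return {case: replay(trace) for case, trace in parse_event_log(raw_log).items()}

def anomalous_cases(results, threshold=1.0):
    """Cases whose fitness falls below the threshold are reported as anomalous."""
    return sorted(case for case, r in results.items() if r["fitness"] < threshold)

if __name__ == "__main__":
    results = check_conformance(RAW_LOG)
    for case, r in results.items():
        print(case, round(r["fitness"], 3), "log moves:", r["log_moves"], "model moves:", r["model_moves"])
    print("anomalous cycles:", anomalous_cases(results))
```

Cycle 3 is reported with a swapped valve/pump start (one log move and one model move), and cycle 2 with the missing LEVEL_HIGH and the out-of-order PUMP_STOP; neither would register as a packet-level signature, which is the gap the abstract describes.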
Detection and prevention of global navigation satellite system (GNSS) "spoofing" attacks, or the broadcast of false global navigation satellite system services, has recently attracted much research interest. This survey aims to fill three gaps in the literature: first, to assess in detail the exact nature of threat scenarios posed by spoofing against the most commonly cited targets; second, to investigate the many practical impediments, often underplayed, to carrying out GNSS spoofing attacks in the field; and third, to survey and assess the effectiveness of a wide range of proposed defences against GNSS spoofing. Our conclusion lists promising areas of future research.
The move from point-to-point serial communication to traditional information technology (IT) networks has created new challenges in providing cyber-security for supervisory control and data acquisition (SCADA) systems in critical infrastructure. Current research on the attack landscape for critical infrastructure concentrates on either IT-based or protocol-specific attacks. However, there is limited research focus on "the bigger picture", the combination of IT attacks and critical infrastructure protocol attacks, and little consideration of cyber-attacks targeting an entire SCADA-based critical infrastructure system. Because of this narrow focus, full-scale cyber-attacks on SCADA-based critical infrastructure systems are poorly understood, and new attacks combining vulnerabilities in engineering systems and IT systems are yet to be discovered.
In this paper, we collated existing known attacks, identified and combined the existing range of attack landscapes, and expanded and "filled the gaps" in the landscape, thus presenting a complete cyber-attack framework that covers attacks against an entire SCADA-based critical infrastructure. Our framework identifies four attack types: traditional IT-based attacks, protocol-specific attacks, configuration-based attacks and control process attacks, allowing us to describe practical attacks. The benefit of recognising the range of attacks on entire critical systems is that it allows us to defend against attacks with far greater efficiency and intelligence. To support the validity of our presented framework, we present a case study demonstrating a series of attacks on physical Distributed Network Protocol 3 (DNP3) critical infrastructure equipment.
Electric substation automation systems based on the IEC 61850 standard predominantly employ the GOOSE and MMS protocols. Because GOOSE and MMS messages are not encrypted, an attacker can observe packet header information in protocol messages and inject large numbers of spoofed messages that can flood a substation automation system. Sophisticated machine-learning-based intrusion detection systems are required to detect these types of distributed denial-of-service attacks. However, the performance of machine-learning-based classifiers is hindered by the relative lack of features that express GOOSE and MMS protocol behavior.
This paper evaluates a number of features described in the literature that may be used to detect distributed denial-of-service attacks on the GOOSE and MMS protocols. However, these features do not include advanced features that capture the periodic transmission behavior of SCADA protocols. Three SCADA-protocol-specific steps are specified for constructing new GOOSE and MMS advanced features by leveraging domain knowledge and adopting a time-window-based feature construction method. The resulting feature set, which comprises seventeen new GOOSE and MMS advanced features, outperforms the feature sets described in previous research when used with the popular decision tree, neural network and support vector machine classifiers. The evaluations also reveal that the decision tree classifier is superior to the neural network and support vector machine classifiers. A key contribution of this research is the application of SCADA-protocol-based domain knowledge to develop high-performance intrusion detection systems that require reduced training and testing times.
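The abstract above names the technique (time-window-based feature construction that captures periodic transmission behaviour) without showing it. The following is an added illustration, not the paper's code and not its seventeen features: constructed arrival times for one GOOSE publisher retransmitting at an assumed steady-state interval of 0.25 s are overlaid with a constructed burst of spoofed frames, the timeline is cut into fixed 1 s windows, and each window yields features that describe periodicity (inter-arrival statistics) rather than just volume. The rule that flags windows stands in for the classifiers the paper trains; the thresholds are assumptions.

```python
"""Time-window feature construction for GOOSE-style periodic traffic (added example)."""
from statistics import mean, pstdev

PERIOD = 0.25      # assumed nominal GOOSE retransmission interval (s)
WINDOW = 1.0       # feature window length (s)
HORIZON = 10.0     # constructed capture length (s)

def benign_stream(period=PERIOD, horizon=HORIZON):
    """Constructed steady-state heartbeats: one frame every `period` seconds."""
    return [i * period for i in range(int(horizon / period))]

def flood_stream(start=4.0, end=6.0, rate=100.0):
    """Constructed injected frames: `rate` spoofed frames per second in [start, end)."""
    return [start + i / rate for i in range(int((end - start) * rate))]

def window_features(times, window=WINDOW, horizon=HORIZON, period=PERIOD):
    """Cut a timeline into fixed windows and compute per-window features:
    frame count, mean inter-arrival time (IAT), IAT coefficient of variation, and the
    fraction of IATs within 10% of the nominal period (how periodic the window still is)."""
    n_windows = int(horizon / window)
    buckets = [[] for _ in range(n_windows)]
    for t in sorted(times):
        idx = int(t // window)
        if 0 <= idx < n_windows:
            buckets[idx].append(t)
    features = []
    for ts in buckets:
        iats = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(iats) if iats else 0.0
        cv = pstdev(iats) / m if len(iats) > 1 and m > 0 else 0.0
        nominal = [abs(i - period) <= 0.1 * period for i in iats]
        features.append({
            "count": len(ts),
            "mean_iat": m,
            "cv_iat": cv,
            "frac_nominal": sum(nominal) / len(iats) if iats else 0.0,
        })
    return features

def flag_windows(features, expected_count=int(WINDOW / PERIOD)):
    """Rule-based stand-in for a trained classifier: a window is suspicious when it carries
    far more frames than the nominal rate OR its inter-arrivals have lost periodicity.
    The second test also catches a quieter attacker who matches the benign volume."""
    return [i for i, f in enumerate(features)
            if f["count"] > 2 * expected_count or f["frac_nominal"] < 0.5]

if __name__ == "__main__":
    feats = window_features(benign_stream() + flood_stream())
    for i, f in enumerate(feats):
        print(i, f["count"], round(f["mean_iat"], 4), round(f["cv_iat"], 3), round(f["frac_nominal"], 2))
    print("flagged windows:", flag_windows(feats))
```

Windows 4 and 5 carry the injected frames; their frame counts jump and their nominal-IAT fraction drops to zero, while every benign window keeps exactly four frames at the nominal spacing. On real captures the nominal period should be learned per publisher (GOOSE retransmission intervals differ between the fast post-event burst and the steady state), so a single fixed `PERIOD` is a simplification.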
The advent of Industry 4.0 has led to a rapid increase in cyber attacks on industrial systems and processes, particularly on Industrial Control Systems (ICS). These systems are increasingly becoming prime targets for cyber criminals and nation-states looking to extort large ransoms or cause disruption, because of the devastating impact that results whenever they cease working or malfunction. Although a myriad of cyber attack detection systems have been proposed and developed, these detection systems still face many challenges that are typically not found in traditional detection systems. Motivated by the need to better understand these challenges in order to improve current approaches, this paper aims to (1) understand the current vulnerability landscape in ICS, (2) survey current advancements of Machine Learning (ML) based methods with respect to the usage of ML base classifiers, and (3) provide insights into the benefits and limitations of recent advancements with respect to two performance vectors: detection accuracy and attack variety. Based on our findings, we present key open challenges that represent exciting research opportunities for the research community.
We present CHURNs, a method for providing freshness and authentication assurances to human users. In computer-to-computer protocols, it has long been accepted that assurances of freshness such as random nonces are required to prevent replay attacks. Typically, no such assurance of freshness is presented to a human in a human-and-computer protocol. A Computer-HUman Recognisable Nonce (CHURN) is a computer-aided random sequence that the human has a measure of control over and input into. Our approach overcomes limitations such as 'humans cannot do random' and that humans will follow the easiest path. Our findings show that CHURNs are significantly more random than values produced by unaided humans; that humans may be used as a second source of randomness, and we give measurements as to how much randomness can be gained from humans using our approach; and that our CHURN-generator makes the user feel more in control, thus removing the need for complete trust in devices and underlying protocols. We give an example of how a CHURN may be used to provide assurances of freshness and authentication for humans in a widely used protocol.