CPS-SPC’19: Proceedings of the ACM Workshop on Cyber-Physical Systems Security & Privacy
SESSION: Session 1: Keynote
Established in 2009 in the Netherlands as a university spin-off by a professor and two PhD students, SecurityMatters was acquired in 2018 by the American ForeScout Technologies Inc. (NASDAQ:FCST). SecurityMatters pioneered a new way of realising network monitoring for cybersecurity that proved very successful in the critical infrastructure domain (oil and gas, power generation, energy distribution etc.). Besides being a success story, SecurityMatters has also represented an enormous learning experience, also from the technical viewpoint, allowing different approaches to be benchmarked against reality. In this lecture, one of the founders of SecurityMatters will give his unsweetened opinion regarding what works and what does not work when it comes to network monitoring, and why.
SESSION: Session 2: Industrial Control Systems
Radar systems are used to detect the existence, location, and trajectory of objects in space using electromagnetic waves. They are mainly used for tracking aircraft, missiles, satellites, and watercraft. In recent years, as technology has evolved, the use of radar systems has increased, along with reliance on their correct and reliable operation. Given this, the reliability and availability of information provided by radar systems is growing in importance. Although the field of cyber security has been continuously evolving, most studies conducted on protecting radar systems have focused on electronic warfare. Radar systems also include a wide variety of components, such as a communications system or SCADA system, which are also vulnerable to cyber attacks. In this study, we present a risk analysis for radar systems. First, we present an in-depth review of the existing literature on related topics. Then, we describe the threats we identified and their possible outcomes. Finally, we demonstrate the realization of an attack on a radar system created for this task. We conclude by identifying future research directions aiming at protecting advanced radar systems from cyber attacks.
Numerous research efforts have focused on intrusion detection in industrial control networks; however, few of them discuss what to do after an intrusion has been detected. Because the safety of most of these control systems is time-sensitive, we need new research on automatic incident response. In this paper, we extend our work on leveraging Software-Defined Networking (SDN) to automatically reconfigure an industrial control network to mitigate the impact of attacks, and to deceive adversaries.
The Internet of Production (IoP) envisions the interconnection of previously isolated CPS in the area of manufacturing across institutional boundaries to realize benefits such as increased profit margins and product quality as well as reduced product development costs and time to market. This interconnection of CPS will lead to a plethora of new dataflows, especially between (partially) distrusting entities. In this paper, we identify and illustrate these envisioned inter-organizational dataflows and the participating entities alongside two real-world use cases from the production domain: a fine blanking line and a connected job shop.
Our analysis allows us to identify distinct security and privacy demands and challenges for these new dataflows. As a foundation to address the resulting requirements, we provide a survey of promising technical building blocks to secure inter-organizational dataflows in an IoP and propose next steps for future research. Consequently, we move an important step forward to overcome security and privacy concerns as an obstacle for realizing the promised potentials in an Internet of Production.
SESSION: Session 3: Intrusion Detection and Prevention
In recent years, the automotive industry has incorporated more and more electronic components in vehicles, leading to complex on-board networks of Electronic Control Units (ECUs) that communicate with each other to control all vehicle functions, making it safer and easier to drive. This communication often relies on Controller Area Network (CAN), a bus communication protocol that defines a standard for real-time, reliable and efficient transmission. However, CAN does not provide any security measure against cyber attacks. In particular, it lacks message authentication, leading to the possibility of transmitting spoofed CAN messages for malicious purposes. Nowadays, Intrusion Detection Systems (IDSs) detect such attacks by identifying inconsistencies in the stream of information allegedly transmitted by a single ECU, hence assuming the existence of a second malicious node generating these messages. However, attackers can bypass this defense technique by disconnecting from the network the ECU whose messages they want to spoof, therefore removing the authentic source of information.
To counter this attack, we present CopyCAN, an Intrusion Detection System (IDS) that detects whether a node has been disconnected by monitoring the traffic and deriving the error counters of ECUs on CAN. Through this process, it flags subsequent spoofed messages as attacks and reacts accordingly even if there is no inconsistency in the stream of information. Our system, unlike many previous works, does not require any modification to the protocol or to already installed ECUs. Instead, it only requires the installation of a monitoring unit on the existing network, making it easily deployable in current systems and compliant with required CAN standards.
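The idea of deriving a transmitter's error state purely from what a passive monitor can see on the bus, and then treating frames that carry a "dead" node's ID as spoofed, can be illustrated with a small simulation. This is an added example written for this page, not CopyCAN's code, and it makes two assumptions: each arbitration ID has a single, statically known owner ECU (the normal situation on CAN), and the monitor attributes every observed error frame to the transmitter of the frame it interrupts, applying only the ISO 11898-1 transmit-side fault-confinement rules (TEC +8 per transmit error, −1 per successful transmission, error-passive from 128, bus-off above 255). The `Event` trace, the ID map and the names `ECU_A`/`ECU_B` are constructed for the demo.

```python
"""Passive CAN bus monitor that tracks per-ECU transmit error counters.

Added illustration (not CopyCAN's implementation). Assumes a static
id -> ECU mapping and ISO 11898-1 transmit-side fault confinement:
TEC += 8 on a transmit error, TEC -= 1 on success, error-passive at 128,
bus-off once TEC exceeds 255.
"""
from collections import namedtuple

# ok=True: frame completed; ok=False: the frame with this ID was
# interrupted by an error frame (e.g. a bus-off attack on its sender).
Event = namedtuple("Event", "can_id ok")

ERROR_PASSIVE = 128
BUS_OFF = 256        # TEC > 255


class BusMonitor:
    def __init__(self, id_owner):
        self.id_owner = dict(id_owner)              # can_id -> ECU name
        self.tec = {ecu: 0 for ecu in set(id_owner.values())}
        self.bus_off = set()
        self.alerts = []

    def observe(self, ev):
        ecu = self.id_owner.get(ev.can_id)
        if ecu is None:
            self.alerts.append(("unknown-id", ev.can_id))
            return "unknown"
        if ecu in self.bus_off:
            # The legitimate owner cannot transmit: another node sent it.
            self.alerts.append(("spoofed", ev.can_id, ecu))
            return "spoofed"
        if ev.ok:
            self.tec[ecu] = max(0, self.tec[ecu] - 1)
            return "ok"
        self.tec[ecu] += 8
        if self.tec[ecu] >= BUS_OFF:
            self.bus_off.add(ecu)
            self.alerts.append(("bus-off", ecu))
            return "bus-off"
        return "ok"

    def rejoin(self, ecu):
        """Re-admit an ECU that completed the bus-off recovery sequence."""
        self.bus_off.discard(ecu)
        self.tec[ecu] = 0

    def state(self, ecu):
        if ecu in self.bus_off:
            return "bus-off"
        if self.tec[ecu] >= ERROR_PASSIVE:
            return "error-passive"
        return "error-active"


def simulate_busoff_attack():
    """Constructed trace: ECU_A is driven to bus-off, then its ID is spoofed."""
    owners = {0x100: "ECU_A", 0x200: "ECU_B"}
    mon = BusMonitor(owners)
    events = [Event(0x100, True)] * 3           # normal traffic from A
    events += [Event(0x200, True)] * 3          # normal traffic from B
    events += [Event(0x100, False)] * 32        # 32 induced errors on A's frames
    events += [Event(0x200, True)] * 2
    events += [Event(0x100, True)]              # A's ID reappears: not from A
    events += [Event(0x300, True)]              # ID nobody is known to own
    results = [mon.observe(e) for e in events]
    return mon, results


if __name__ == "__main__":
    mon, results = simulate_busoff_attack()
    print(mon.state("ECU_A"), mon.alerts)
```

Two caveats a deployment has to handle: an ECU that is physically unplugged rather than forced off the bus never produces error frames, so counter-derived state alone cannot see that removal; and a node that legitimately completes bus-off recovery must be re-admitted (`rejoin` here), otherwise its genuine frames become false positives.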
Industrial Control Systems (ICS) are nowadays interconnected with various networks and, ultimately, with the Internet. Due to this exposure, malicious actors are interested in compromising ICS – not only for advanced and targeted attacks, but also in the context of more frequent network scanning and mass exploitation of directly Internet-exposed devices. To understand the level of interest towards Internet-connected ICS, we deploy a scalable network of low-interaction ICS honeypots based on the popular conpot framework, integrated with an analysis pipeline, and we analyze the in-the-wild traffic directed at a set of ICS-specific protocols. We present the results of running our honeypots for several months, showing that, although most of the traffic originates from known, legitimate network scanners and follows patterns similar to those of well-known ICS network mapping scripts, we found several requests from unknown actors that do not follow this pattern and may hint at malicious traffic.
The ever-increasing demand for safety, comfort, and automation in the automobile has increased its vulnerability to cybersecurity risks and attacks. Automobiles now embed several electronic devices to perform these functions, and the complexity in the design of these systems increases along with the functionalities they offer. These devices communicate through vehicular networks, such as the controller area network (CAN) and the local interconnect network, which are attractive targets for cyber attackers. In this paper, we propose a novel algorithm to detect and recover from message spoofing attacks aimed at distorting the operation of the CAN bus. Using the predictable run-time behavior of CAN message frames in our recovery process, we leverage the error handling capability (bus-off state) of the CAN bus in a reboot-based recovery process for the compromised network node. We implement this algorithm in tandem with a hardware CAN controller as a detector node, and we evaluate its effectiveness and performance in detecting and recovering a compromised node.
SESSION: Session 4: Physical Layer and Testbeds
Research efforts in the security of Industrial Control Systems (ICS) have dramatically increased over the past few years. However, such work is limited by the fact that it often cannot be evaluated on real-world systems for safety and operational reasons. This has led to multiple deployments of ICS testbeds covering multiple sectors, including water treatment, power distribution and transportation networks.
Over the last five years, we have designed and constructed ICS testbeds to support cyber security research. Our prior work in building testbeds culminated in a set of design principles and lessons learnt, formulated to support other researchers in designing and building their own ICS testbeds. In the last two years we have taken these lessons and used them to guide our own greenfield large-scale, complex and process-diverse security testbed affording a rare opportunity to design and build from the ground up — one in which we have been able to look back and validate those past lessons and principles.
In this work we describe the process of building our new ICS and Industrial Internet of Things (IIoT) testbed, and give an overview of its architecture. We then reflect on our past lessons, and contribute five previously unrecognised additional lessons based on this experience.
Strict regulations and security practices of critical cyber-physical systems, such as nuclear plants, require complete isolation between their data-acquisition zone and their safety and security zones. Isolation methods range from firewall devices, to ‘data diodes’ that only allow one-way communication.
In this work we explore a possible threat bypassing existing isolation methods by communicating through the physical process. Specifically, we show how a corrupt actuator in one zone can send covert information to a sensor in a different zone, breaking the isolation. This may allow an attack where the actuator is intentionally malfunctioning, and the sensor is intentionally masking the malfunction.
Furthermore, we show that under certain assumptions, such communication can be provably covert. Namely, it cannot be efficiently detected by current and future detection systems. This has important implications for the design of security and safety mechanisms for critical cyber-physical systems.
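The channel itself, a corrupt actuator in the data-acquisition zone leaking bits to a colluding sensor across an isolation boundary, is easy to see in a toy plant. The following is an added illustration written for this page, not the paper's construction and not a claim about its covertness proof. It assumes a first-order process with unit DC gain driven open-loop at a fixed setpoint, Gaussian process and measurement noise, an actuator that adds a bias of ±DELTA to its command for WINDOW samples per bit, and a sensor that recovers each bit by averaging its readings over that window; every constant is chosen for the demo. The bias is kept well below the per-sample noise level, so a sensor-side threshold on single readings sees nothing unusual, while integration over a long window still decodes the bits.

```python
"""Covert channel through a simulated physical process.

Added illustration, not the paper's construction. A corrupt actuator in one
zone biases its command by +/-DELTA per bit; a colluding sensor in another
zone integrates over WINDOW samples to recover the bit. Plant, gains and
noise levels are assumptions chosen for this demo.
"""
import random

A, B = 0.9, 0.1                 # x[k+1] = A*x[k] + B*u[k] + w[k]; DC gain B/(1-A) = 1
SIGMA_W, SIGMA_V = 0.03, 0.10   # process and measurement noise (std)
SETPOINT = 5.0                  # nominal command, also the steady-state output
DELTA = 0.03                    # covert bias, ~0.4x the process-noise std of x
WINDOW = 3000                   # samples spent per covert bit

SIGMA_X = SIGMA_W / (1 - A * A) ** 0.5          # steady-state std of x (AR(1))
SIGMA_Y = (SIGMA_X ** 2 + SIGMA_V ** 2) ** 0.5  # std of a single sensor reading


def simulate(bits, delta=DELTA, seed=1):
    """Return the sensor trace produced while the actuator encodes `bits`.

    delta=0 gives a baseline trace with no covert signal for comparison.
    """
    rng = random.Random(seed)
    x = SETPOINT
    trace = []
    for bit in bits:
        bias = delta if bit else -delta
        for _ in range(WINDOW):
            u = SETPOINT + bias                     # corrupt actuator
            x = A * x + B * u + rng.gauss(0, SIGMA_W)
            trace.append(x + rng.gauss(0, SIGMA_V))  # what the sensor reads
    return trace


def decode(trace):
    """Colluding sensor: sign of the window mean around the known setpoint."""
    bits = []
    for i in range(0, len(trace) - WINDOW + 1, WINDOW):
        mean = sum(trace[i:i + WINDOW]) / WINDOW
        bits.append(1 if mean > SETPOINT else 0)
    return bits


def residual_alarms(trace, k=4.0):
    """Naive per-sample residual detector: count readings beyond k sigma."""
    return sum(1 for y in trace if abs(y - SETPOINT) > k * SIGMA_Y)


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]
    covert = simulate(payload)
    print("decoded:", decode(covert))
    print("alarms covert/baseline:",
          residual_alarms(covert), residual_alarms(simulate(payload, delta=0.0)))
```

With these parameters the window mean of the bias (about 0.03) sits roughly five standard deviations above the noise of that mean, so the bits decode reliably, yet each individual reading deviates by a fraction of its own noise. A detector that wants to catch this has to integrate over windows comparable to the attacker's, and the attacker can always lengthen the window and shrink the bias further, trading rate for stealth; that trade-off is what the paper's covertness result formalises.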
A number of distance-bounding protocols have proposed multistate exchanges. In theory this can potentially improve the security of the protocol when using the same number of exchange rounds, i.e. as there are more than two states the probability of an attacker guessing a response correctly is lower. Similarly, for the same security probability, multistate distance-bounding protocols require fewer rounds. On the other hand, transmission errors during the timed exchange phase of the distance-bounding protocol also impact the security of the protocol, as the verifier needs to allow a certain acceptance threshold of incorrect responses. This threshold causes False Acceptance and False Rejection in protocols and further influences the security of the protocol. In this paper, we investigate the security implications of multistate channel implementation and symbol energy considering their effect on the acceptance threshold. We show that implementing multistate responses using simple m-ary modulation methods found in contactless devices does not necessarily provide the expected security improvement when devices have finite transmission energy to spend on challenge-response exchanges.
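The interaction between symbol energy, the acceptance threshold and the attacker's guessing probability can be worked through numerically. The example below is added for this page and is not the paper's model or code. It assumes a verifier that runs n timed rounds with m-state responses and accepts if at most t responses are wrong, an adversary who must guess each response (correct with probability 1/m per round), and an honest prover whose m-ary responses travel over an AWGN channel as M-PAM symbols at a fixed symbol energy, for which the symbol error probability is the textbook 2(1 − 1/m) Q(√(6 Es/N0 /(m² − 1))). For each m the threshold t is then set to the smallest value that keeps the false-rejection rate below a target, and the resulting false-acceptance probability is compared across m; the two Es/N0 values used in the test are chosen to show the effect in both directions.

```python
"""False-acceptance vs false-rejection for m-ary distance bounding at fixed
symbol energy.

Added worked example, not from the paper. Model assumptions: n timed rounds,
m-state responses, accept iff at most t responses are wrong; a guessing
adversary is right w.p. 1/m per round; the honest prover's symbol error
rate is that of M-PAM over AWGN at symbol energy Es/N0.
"""
from math import comb, erfc, sqrt


def q_func(x):
    """Gaussian tail Q(x)."""
    return 0.5 * erfc(x / sqrt(2))


def pam_symbol_error(m, es_n0):
    """M-PAM symbol error probability over AWGN at a given Es/N0 (linear)."""
    return 2 * (1 - 1 / m) * q_func(sqrt(6 * es_n0 / (m * m - 1)))


def binom_cdf(n, k_max, p):
    """P[X <= k_max] for X ~ Binomial(n, p)."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(k_max + 1))


def false_acceptance(n, t, m):
    """Guessing adversary: each round wrong w.p. 1-1/m; accepted iff <= t wrong."""
    return binom_cdf(n, t, 1 - 1 / m)


def false_rejection(n, t, p_e):
    """Honest prover with per-round symbol error p_e is rejected iff > t wrong."""
    return 1 - binom_cdf(n, t, p_e)


def min_threshold(n, p_e, target_frr):
    """Smallest t whose false-rejection rate meets the target."""
    for t in range(n + 1):
        if false_rejection(n, t, p_e) <= target_frr:
            return t
    return n


def compare(n, es_n0_db, target_frr=1e-3, ms=(2, 4, 8)):
    """For each m: (symbol error rate, chosen threshold t, false acceptance)."""
    es_n0 = 10 ** (es_n0_db / 10)
    out = {}
    for m in ms:
        p_e = pam_symbol_error(m, es_n0)
        t = min_threshold(n, p_e, target_frr)
        out[m] = (p_e, t, false_acceptance(n, t, m))
    return out


if __name__ == "__main__":
    for db in (7.0, 14.0):
        print(f"Es/N0 = {db} dB, n = 32, FRR target 1e-3")
        for m, (p_e, t, fa) in compare(32, db).items():
            print(f"  m={m}: P_sym_err={p_e:.3e}  t={t:2d}  P_FA={fa:.3e}")
```

At a generous symbol energy (14 dB) the 4-state channel beats binary as the naive argument predicts. At 7 dB the higher-order constellation's symbol errors force the verifier to tolerate so many wrong responses that the guessing adversary is accepted more often than against a plain binary exchange, and 8-PAM is worse still; with finite energy per exchange, adding states buys nothing unless the threshold analysis is done alongside it.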