A Survey of Industrial Control Systems Security

This paper describes an international research effort that has been working toward identification of vulnerabilities in industrial control systems, mitigation strategies to address vulnerabilities, and development of tools to prevent intrusion on such systems.

Computers & Security, 2020

Industrial Control System (ICS) is a general term that includes supervisory control & data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as pro- grammable logic controllers (PLC). ICSs are often found in the industrial sectors and critical infrastruc- tures, such as nuclear and thermal plants, water treatment facilities, power generation, heavy industries, and distribution systems. Though ICSs were kept isolated from the Internet for so long, significant achiev- able business benefits are driving a convergence between ICSs and the Internet as well as information technology (IT) environments, such as cloud computing. As a result, ICSs have been exposed to the at- tack vectors used in the majority of cyber-attacks. However, ICS devices are inherently much less secure against such advanced attack scenarios. A compromise to ICS can lead to enormous physical damage and danger to human lives. In this work, we have a close look at the shift of the ICS from stand-alone systems to cloud-based environments. Then we discuss the major works, from industry and academia towards the development of the secure ICSs, especially applicability of the machine learning techniques for the ICS cyber-security. The work may help to address the challenges of securing industrial processes, particularly while migrating them to the cloud environments.

SpringerBriefs in Computer Science, 2013

and Alessandro Fasani, it's a natural follow-up of the previous paper and describes what Industrial Control Systems are, provides an analysis on what are the main vulnerabilities affecting ICS and describes the principal methodologies for attacking them. Then, the paper defines what measures could be taken in order to make ICS and Critical Infrastructures resilient. The document ends outlining what international measures are being taken in order to protect critical infrastructure and their systems.

GRD Journals, 2018

Industrial Control Systems (ICS) are used for controlling, operating and monitoring industrial processes. That current ICS infrastructures and elements are not amply secured against cyber threats in context of security. Woefully, due to the specific nature of these systems, the application of common security countermeasures is often not effective. We suggest building tools and mechanisms to improve the security and awareness in ICS. We discuss challenges and opportunities identified during a comprehensive analysis of ICS data system resources. Industrial processes are more exposed to cybersecurity risks through a range of vulnerabilities in software and hardware technologies as well as weaknesses inherited from the legacy design of ICS networks.

Computers & Security, 2019

Advanced Persistent Threats (APTs) have become a serious hazard for any critical infrastructure, as a single solution to protect all industrial assets from these complex attacks does not exist. It is then essential to understand what are the defense mechanisms that can be used as a first line of defense. For this purpose, this article will firstly study the spectrum of attack vectors that APTs can use against existing and novel elements of an industrial ecosystem. Afterwards, this article will provide an analysis of the evolution and applicability of Intrusion Detection Systems (IDS) that have been proposed in both the industry and academia.

International Journal of Internet Technology and Secured Transactions, 2017

Industrial control systems (ICS) are increasingly becoming the target of cyber attacks. In order to counter this threat, organisations are turning to traditional IT security mechanisms to protect their operations. However, ICS includes a range of technologies which are often unfamiliar to contemporary IT security professionals or the tools they deploy. This paper explores the applicability of these tools within an ICS and critically analyses contemporary ICS architectures. The contribution of this paper is a clear identification of the areas of ICS to which IT security mechanisms can be applied and the challenges that are faced in the others. The paper continues to explore what mechanisms may be considered in these non-traditional areas of technology.

2016 IEEE 17th International Symposium on High Assurance Systems Engineering (HASE), 2016

Industrial control system (ICS) security has been a topic of research for several years now and the growing interconnectedness with enterprise systems (ES) is exacerbating the existing issues. Research efforts, however, are impeded by the lack of data that integrate both types of systems. This paper presents an empirical analysis of malicious activities aimed at integrated ICS and ES environment using the dataset created and released by the SANS Institute. The contributions of our work include classification of the observed malicious activities according to several criteria, such as the number of steps (i.e., single-step vs. multi-step), targeted technology (i.e., ICS, ES or both), types of cyber-probes and cyberattacks (e.g., port scan, vulnerability scan, information disclosure, code injection, and SQL injection), and protocols used. In addition, we quantified the severity of the attacks' impact on systems. The main empirical findings include: (1) More sophisticated multi-step attacks which leveraged multiple vulnerabilities had higher success rate and led to more severe consequences than single-step attacks; (2) Most malicious cyber activities targeted the embedded servers running on ICS devices rather than the ICS protocols. Specifically, cyber activities based only on ICS protocols accounted for a mere 2% of the total malicious traffic. We conclude the paper with a description of a sample of cybersecurity controls that could have prevented or weakened most of the observed attacks.

2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), 2015

Programmable Logic Controller (PLC) technology plays an important role in the automation architectures of several critical infrastructures such as Industrial Control Systems (ICS), controlling equipment in contexts such as chemical processes, factory lines, power production plants or power distribution grids, just to mention a few examples. Despite their importance, PLCs constitute one of the weakest links in ICS security, frequently due to reasons such as the absence of secure communication mechanisms, authenticated access or system integrity checks. While events such as the Stuxnet worm have raised awareness for this problem, industry has slowly reacted, either due to reliability or cost concerns. This paper introduces the Shadow Security Unit, a low-cost device deployed in parallel with a PLC or Remote Terminal Unit (RTU), being capable of transparently intercepting its communications control channels and physical process I/O lines to continuously assess its security and operational status. The proposed device does not require significant changes to the existing control network, being able to work in standalone or integrated within an ICS protection framework.

2020

Industrial Control Systems (ICS) are beginning to merge with IT solutions, in order to promote inter-connectivity. Although this brings countless benefits from a control perspective, ICS have been lacking in security mechanisms to ward off potential cyber threats, when compared to common information systems [29], [64]. Given the critical nature of these systems, and the recent occurrences of disastrous cyber-attacks, security is a topic that should be encouraged. In light of this problem, in this dissertation we present an assessment of possible security applications and controls that can be deployed in these critical environments and the implementation of an extensible security solution that responds to certain attacks focused on industrial systems, capable of being deployed in any industrial network that allows its connection. With the help of an extensible and portable framework for ICS testing, and other industrial testing environments, it was possible to analyze different threat scenarios, implement security mechanisms to detect them and evaluate the results in order to provide an idea on how to employ these mechanisms as best as possible in a real industrial control environment, without compromising it's process.

2014

Industrial control systems (ICS), which are used to control critical elements of the society's maintenance such as power generation and electricity distribution, are exposed to the Internet as a result of insecure design, and installation faults. Securing critical industrial systems is important for national cyber-security; malfunctioning elements in the critical infrastructure can quickly cascade into wide range of problems in the society. In the recent years increasing amount of cyber-attacks have been observed, and nations and criminals are developing offensive cybercapabilities; industrial systems are also targeted as was seen with the Stuxnetmalware in 2010 causing havoc in an Iranian uranium enrichment facility. In this thesis a concept is presented to automatically find and evaluate exposed ICSs and report vulnerable devices to authorities for remediation. A prototype of the concept is built to prove the viability of the concept and to get data from port scanning real ICS devices in the Internet. With the prototype, 91 ICS devices were found out of the assigned 2913 IP addresses. Traffic volume produced by the scanner was insignificant compared to overall Finnish Internet traffic. The concept, called KATSE, is viable but not without challenges: ICS devices can definitely be identified from the Internet but analyzing the actual importance and purpose of the devices is difficult. Currently the Finnish legislation does not allow system intrusions or unauthorized security auditing even by authorities. Automated security auditing for the found devices would be useful to find the most vulnerable devices first but such auditing would require a change in legislation.