Two Decades of SCADA Exploitation: A Brief History
Simon Duque Anton, Daniel Fraunholz, Christoph Lipps, Frederic Pohl, Marc Zimmermann, Hans D. Schotten
Intelligent Networks Research Group
German Research Center for Artificial Intelligence
DE-67663 Kaiserslautern
Email: {firstname}.{lastname}@dfki.de

Abstract—Since the early 1960s, industrial process control has been applied by electric systems. In the mid 1970s, the term SCADA emerged, describing the automated control and data acquisition. Since most industrial and automation networks were physically isolated, security was not an issue. This changed when, in the early 2000s, industrial networks were opened to the public internet. The reasons were manifold. Increased interconnectivity led to more productivity, simplicity and ease of use. It decreased the configuration overhead and downtimes for system adjustments. However, it also led to an abundance of new attack vectors. In recent times, there has been a remarkable amount of attacks on industrial companies and infrastructures. In this paper, known attacks on industrial systems are analysed. This is done by investigating the exploits that are available in public sources. The different types of attacks and their points of entry are reviewed in this paper. Trends in exploitation as well as targeted attack campaigns against industrial enterprises are introduced.
I. INTRODUCTION
In the 1970s, the third industrial revolution took place [1]. During this phase, computers were introduced into industry in order to automate tasks that, until then, had to be done by hand or by application-tailored solutions. Since then, computer technology has taken huge steps. Reconfigurable Programmable Logic Controllers (PLCs) took the place of hard-wired relay logic circuits [2]. Domain-specific, proprietary fieldbuses, like CAN [3] and Modbus [4], [5], have been replaced by TCP/IP-based solutions, such as ModbusTCP [5], [6], ProfiNET [7] and OPC UA [8], that make use of the vastly available internet infrastructure and its network hardware. Opening networks to the outside enables easier management of production capabilities. Remote maintenance, simpler adjustment of machines and a constant flow of information are but a few of the advantages. There are, however, some downsides. Two of the main reasons why security is inherently absent in virtually every technology and protocol used are as follows: industrial networks were physically separated from the internet when the technology arose [9], and each set-up of an industrial company is unique and very hard to get around in [9]. As recent events, many of which are explained in section V, show, both assertions do not hold true anymore, if they ever did. Many recent examples show that industrial networks can and will be breached. It needs to be highlighted that, as in consumer electronics, the user plays a crucial role in securing a system. Many of the newer botnets, such as Hajime or Mirai, try to gain access by using default credentials, with tremendous success. This behaviour has been analysed, among others, in our previous works [10], [11]. Many industrial systems use credentials for means of configuration. For reasons of ease of use, however, the passwords are often weak and shared among many users. Attackers that try standard configurations to gain access will succeed if the system credentials have not been altered. This kind of threat is also common in the exploits examined in section IV. It is very hard for intrusion detection systems to discover abuse that is performed with valid credentials. Changing default credentials is therefore a vital step in order to enable security in a system.

The remainder of this work is structured as follows. In section II, surveys and analyses of attacks are listed. After that, a statistical analysis of the Common Vulnerabilities and Exposures (CVE) list is performed in section III. This is followed by an in-depth analysis of available Supervisory Control And Data Acquisition (SCADA)-system based exploits in section IV, as well as a breakdown of attack campaigns against industry in section V. The lessons learned are listed in section VI. This work will be concluded in section VII.

This is a preprint of a publication published at the 1st IEEE Conference on Application, Information and Network Security (AINS). Please cite as: S. D. Duque Anton, D. Fraunholz, C. Lipps, F. Pohl, M. Zimmermann, H. D. Schotten, “Two Decades of SCADA Exploitation: A Brief History,” in: . IEEE, IEEE Press, 2017, pp. 98-104.

II. RELATED WORK
ELATED W ORK
Even though there are a lot of survey papers, as well as taxonomies, that present an overview of different kinds of attacks, there has not yet been a systematic analysis of all publicly available SCADA exploits, to the best of our knowledge. A very broad and extensive overview of current SCADA-based attack vectors can be found in the work of Zhu, Joseph and Sastry [12]. In addition to that, there are other works that give an overview of existing SCADA attacks and survey current exploits [9], [13], [14], [15]. Not only attacks on SCADA systems are well documented, but also countermeasures, as well as means for hardening systems, are covered in the literature [16], [17]. There are also works presenting taxonomies of attacks, also in order to help operators assess risks and threats to their systems and implement the according countermeasures [18], [19], as well as works for the collection of data that allows for insight into the condition of a system [20], [21]. The German Federal Office for Information Security (BSI) periodically releases security advice for industry [22]. Furthermore, there are surveys analysing specific domains, such as automotive and fieldbus security [23] (some of the relevant works are in German [24], [25]) and wireless security [26]. Many of the exploits we examine in this paper have already been investigated in the literature. The amount of works analysing singular attacks is vast; therefore, we only reference such works in the according sections.

III. STATISTICAL ANALYSIS
An exhaustive list of all CVEs can be found online [27]. Since it contains over 100 000 entries, manual analysis was infeasible. We developed a text-processing script in order to gain statistical information about the distribution of exploits. A major drawback was that the most specific information was written in natural language, without any formal structure. We searched the document for keywords while using stemming in order to find any variant of the keyword. Stemming is a technique employed to process natural languages [28]. The word stems of keywords are derived, then similar word stems are searched in the target file. We used the Python stemming library [29]. The results of the statistical analysis are summarised in table I. The entry “Overall categorized entries”, as well as the “Percentage covered by keywords”, display the number of different attacks that have been classified, after accounting for entries with multiple keywords. That means 65 919 entries (or 61.87%) in the CVE list can be attributed to at least one of the categories. The largest group is Remote Code Execution with 28 000 occurrences, closely followed by Denial of Service (DoS) and Injection attacks.
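The keyword-and-stem classification just described, as an added example that is not the authors' script: the paper used the Python stemming library [29], while this block stands in a deliberately small two-phase suffix stripper so it runs offline. The keyword table is the one from table I; the CVE descriptions and their ids are constructed placeholders.

```python
"""Keyword-and-stem classification of CVE descriptions (cf. section III).

Added example, not the authors' script.  A crude stemmer replaces the
stemming library the paper used; the keyword table is table I's; the
sample descriptions are constructed and carry placeholder ids.
"""
import re
from collections import Counter

# Keyword table as given in table I of the paper.
CATEGORIES = {
    "Remote Code Execution": ["rce", "arbitrary", "execution"],
    "Denial of Service": ["denial", "crash", "instable", "consume"],
    "Injection attacks": ["injection", "sql"],
    "Information Disclosure": ["traverse", "disclose", "sensitive", "bypass"],
    "Buffer Overflows": ["buffer", "overflow"],
    "SCADA-attacks": ["scada", "plc", "industry", "modbus", "profinet",
                      "beckhoff", "siemens"],
}

# Derivational endings stripped in phase 2 (suffix -> replacement).
DERIVATIONAL = [("ion", ""), ("ing", ""), ("ure", ""), ("ed", ""),
                ("al", ""), ("e", ""), ("y", "i")]
MIN_STEM = 3  # never shorten a word below three characters


def stem(word):
    """Crude stemmer: strip a plural ending, then one derivational ending,
    so that e.g. 'overflows'/'overflow' and 'executing'/'execution' collide."""
    w = word.lower()
    if w.endswith("ies") and len(w) - 3 >= MIN_STEM:
        w = w[:-3] + "i"
    elif w.endswith("es") and len(w) - 2 >= MIN_STEM:
        w = w[:-2]
    elif w.endswith("s") and not w.endswith("ss") and len(w) - 1 >= MIN_STEM:
        w = w[:-1]
    for suffix, replacement in DERIVATIONAL:
        if w.endswith(suffix) and len(w) - len(suffix) >= MIN_STEM:
            return w[:-len(suffix)] + replacement
    return w


# Stem the keyword side once; descriptions are stemmed per token below.
STEMMED_KEYWORDS = {cat: {stem(k) for k in kws} for cat, kws in CATEGORIES.items()}


def categorise(description):
    """Return the set of table I categories whose stemmed keywords occur
    in the description.  One entry may fall into several categories."""
    stems = {stem(tok) for tok in re.findall(r"[a-z]+", description.lower())}
    return {cat for cat, kws in STEMMED_KEYWORDS.items() if stems & kws}


def analyse(entries):
    """Aggregate per-category counts plus the two summary rows of table I:
    entries covered by at least one keyword and entries with several."""
    per_category = Counter()
    categorised = multi = 0
    for _cve_id, description in entries:
        cats = categorise(description)
        per_category.update(cats)
        categorised += bool(cats)
        multi += len(cats) > 1
    total = len(entries)
    return {
        "total": total,
        "per_category": dict(per_category),
        "categorised": categorised,
        "multi": multi,
        "percent_covered": round(100.0 * categorised / total, 2) if total else 0.0,
    }


# Constructed sample descriptions with placeholder ids (not real CVE entries).
SAMPLE_CVES = [
    ("CVE-XXXX-0001", "Stack-based buffer overflow allows remote attackers to "
                      "execute arbitrary code via a crafted Modbus request."),
    ("CVE-XXXX-0002", "SQL injection in the login form allows authentication bypass."),
    ("CVE-XXXX-0003", "Malformed packet causes the PLC web server to crash "
                      "(denial of service)."),
    ("CVE-XXXX-0004", "Directory traversal discloses sensitive configuration files."),
    ("CVE-XXXX-0005", "Unspecified vulnerability in a media player."),
]

if __name__ == "__main__":
    for cve_id, description in SAMPLE_CVES:
        print(cve_id, sorted(categorise(description)))
    print(analyse(SAMPLE_CVES))
```

On the five constructed entries, four are covered by at least one keyword and three by more than one, which is the double counting that table I's last two rows account for.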
SCADA exploits are relatively small in number, with only 373 entries. This shows that, even though they are not as present as office-IT-based attacks, SCADA-based exploits are becoming more of an issue for manufacturers.

IV. IN-DEPTH ANALYSIS
In this section, four different types of attacks that are relevant for industrial applications are analysed. First, attacks on PLC systems are considered in subsection IV-A. After that, fieldbus-based exploits are discussed in subsection IV-B, followed by wireless and hardware attacks in subsections IV-C and IV-D. These types of attacks were chosen to be discussed as they are the industry-specific attack vectors and have not been discussed at large in the context of office-IT security. PLCs can mostly be found in industrial environments, as they are used to control production machines. The same goes for fieldbus systems, which, aside from some appliances in home automation, are commonly employed in industrial automation. Wireless networks are also commonly used in office and home environments. There are, however, industry-specific protocols that are only applied in this context. These protocols are discussed here. Hardware attacks can have a great impact due to the distributed nature of production environments and the fact that machines have hardware interfaces.
A. Attacks on PLCs

PLCs are resources for industrial applications controlling Cyber-Physical (Production) Systems. Hence, they interact with and operate devices in the physical world. In contrast to office IT systems, which only handle data, they interact with the real world. Attacks on PLCs therefore have an impact on physical entities, be it human workers or production resources. This leads to grave consequences of the successful abuse of PLCs. As common computation resources, PLCs usually require an underlying operating system. In most cases, this is a version of Windows, adapted to the specific needs of industrial applications. As there is an abundance of exploits and vulnerabilities based on flaws in the operating system, we only consider vulnerabilities that specifically derive from the industrial application of the given system. Furthermore, only threats that occur in this context are analysed. In total, we found about 100 exploits as metasploit [30] modules and Proofs of Concept (PoC). All metasploit modules are listed in the Rapid7 database [31]. The databases we searched additionally were exploit-db [32], [33] and packetstorm-security [34]. This number is smaller than the number of entries found in the CVE list in section III, as only vulnerabilities for which executable code is available were counted. As a result, anybody can exploit these vulnerabilities without much difficulty, rendering them very dangerous for operators. The number of CVE discoveries and exploit developments per year is shown in figure 1. Unfortunately, some exploits could not be attributed to a year; this has been accounted for by a question mark. The list amounts to a mean value of 8.8 and a median of 7 exploit developments per year. A peak of 31 developments per year can be found in 2011. One possible explanation is that it was the year after Stuxnet [35] was discovered (see table II) and there was a special interest in PLC exploitation. The trend of CVE development is also rising, meaning that the amount of CVEs discovered per year has been rising, starting in 2011.
Fig. 1. Number of Exploit and CVE Discoveries per Year
We distinguished between four different categories of exploits:
• Code Execution is the unauthorised execution of malicious code
• Data Extraction is the unauthorised disclosure of information
• DoS describes the partial or full degradation of the availability of a service or resource
• Privilege Escalation is the process of maliciously obtaining higher privileges on a system than intended
The distribution of these categories on Windows-based systems is depicted in figure 2. Of 66 Windows-based exploits, almost three quarters allow the execution of arbitrary code. This is a tremendous threat since it allows an attacker to alter, add and delete resources on the affected system.

TABLE I
STATISTICAL ANALYSIS OF THE CVE-LIBRARY

Description                   Keywords                                                   Number     Percentage
All CVEs                      -                                                          106 540    100.00%
Remote Code Execution         rce, arbitrary, execution                                  28 016     26.30%
Denial of Service             denial, crash, instable, consume                           19 638     18.43%
Injection attacks             injection, sql                                             17 280     16.22%
Information Disclosure        traverse, disclose, sensitive, bypass                      14 875     13.96%
Buffer Overflows              buffer, overflow                                           9 800      9.20%
SCADA-attacks                 scada, plc, industry, modbus, profinet, beckhoff, siemens  373        0.35%
Overall categorized entries   -                                                          65 919     61.87%
Entries w/ multiple keywords  -                                                          21 620     20.29%
Fig. 2. Distribution of Categories on Windows Platforms
Fig. 3. Distribution of Categories for Local Exploits
Fig. 4. Distribution of Categories for Remote Exploits

Furthermore, we grouped all exploits into remote and local. Local exploits allow an attacker to execute an exploit on a system he already has unprivileged access to, usually in the form of a user account with limited rights. Remote exploits can be executed without any prior access to the system, other than some form of network connection. In figure 3, the distribution of the categories for local access is shown. The overall number of local exploits is relatively small, comprising only 12 exploits. In this scenario, the execution of code is most common. The distribution of the categories for remote access is shown in figure 4. It comprises 84 exploits, most of which are code execution as well. The most prevalent threat for PLC-based exploitation is the execution of remote code. This is a very severe threat because of the priorities of industry. While in classic office IT the CIA (Confidentiality, Integrity, Availability) security targets are common, each with about the same importance, the most important security target by far for industry is availability. Unavailable production facilities cost a huge amount of money, making this the top priority of machine operators. Code Execution has the potential to disable facilities, rendering them unavailable and costing revenue.
B. Attacks on Fieldbus-Level

Due to the proprietary nature of industrial networks, a vast landscape of fieldbus protocols has emerged, among them Modbus [4], Profinet [7], CAN [3], Local Interconnect Network (LIN) [36], Media Oriented System Transport (MOST) [37] and FlexRay [38]. These protocols have inherent security flaws. Since there are no means of authentication, identities are not assigned to the participating entities [12]. That means an attacker with access to the bus can appear as a valid communication partner and thus extract and inject messages. This results in a break of confidentiality and integrity. Due to these security flaws and the lack of encryption [39], an attacker can monitor the systems and even deploy attacks. Examples of such attacks are Man in the Middle (MitM) and DoS. In systems using Modbus, malicious adversaries can read all messages to discover active controllers and used function codes, as well as inject commands themselves. Additionally, they can send incorrect messages or error flags to eliminate single controllers or even the entire system. Many industrial systems have a remote maintenance interface that can be accessed via the internet [14]. Often, this interface is secured poorly, or not at all [14]. This means that an attacker with access to the same network as the interface can change system settings and read system conditions. Gateways are used in order to connect several fieldbus networks. Oftentimes, these gateways are not configured securely, allowing an attacker that has access to one fieldbus network to traverse to different networks [24]. As a counter example, OPC-UA [8] needs to be mentioned. It is a very modern fieldbus protocol that allows the definition of entities, including authentication and encryption. The shell model allows for the encapsulation of functional units and the definition of interfaces.
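Because Modbus carries no authentication, the only handle a defender has on the bus is who sends which function code. The following is an added example, not code from the paper: a small Modbus/TCP frame parser that flags state-changing function codes and diagnostics requests from hosts outside an allowlist, and exception responses that may indicate function-code probing. The allowlist address, unit id and captured frames are constructed.

```python
"""Flag Modbus/TCP writes that do not come from the known engineering station.

Added example, not from the paper.  Modbus has no authentication, so a
monitor can only judge *who* sends *which* function code.  The allowlist
address, unit id and the frames below are constructed.
"""
import struct

# Function codes that change controller state (Modbus application protocol).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
DIAGNOSTICS = 8  # e.g. sub-function 0x0001 "Restart Communications Option"

# Hypothetical allowlist: hosts that are supposed to issue writes at all.
AUTHORISED_WRITERS = {"10.0.0.10"}


def build_frame(transaction_id, unit_id, function_code, data):
    """Assemble one Modbus/TCP ADU (MBAP header + PDU); used only for samples."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame):
    """Parse MBAP header and function code; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol identifier {protocol_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    raw_fc = frame[7]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": raw_fc & 0x7F,
        "exception": bool(raw_fc & 0x80),  # responses with bit 7 set are exceptions
        "data": frame[8:],
    }


def inspect(src_ip, frame):
    """Return alert strings for one frame from src_ip (empty list = nothing notable)."""
    try:
        pdu = parse_frame(frame)
    except ValueError as err:
        return [f"malformed frame from {src_ip}: {err}"]
    fc, unit = pdu["function_code"], pdu["unit_id"]
    if pdu["exception"]:
        return [f"exception response for function {fc} from {src_ip} (unit {unit}): "
                "possible function-code probing"]
    if fc in WRITE_FUNCTION_CODES and src_ip not in AUTHORISED_WRITERS:
        return [f"unauthorised {WRITE_FUNCTION_CODES[fc]} from {src_ip} to unit {unit}"]
    if fc == DIAGNOSTICS and src_ip not in AUTHORISED_WRITERS:
        data = pdu["data"]
        sub = struct.unpack("!H", data[:2])[0] if len(data) >= 2 else None
        return [f"diagnostics request (sub-function {sub}) from {src_ip} to unit {unit}"]
    return []


def audit(traffic):
    """Run inspect() over (src_ip, frame) pairs; collect (src_ip, alert) tuples."""
    return [(src, alert) for src, frame in traffic for alert in inspect(src, frame)]


# Constructed traffic: an HMI at 10.0.0.10 and an unknown host at 10.0.0.77.
SAMPLE_TRAFFIC = [
    ("10.0.0.10", build_frame(1, 1, 3, struct.pack("!HH", 0, 10))),       # read 10 registers
    ("10.0.0.10", build_frame(2, 1, 6, struct.pack("!HH", 16, 0x00FF))),  # HMI writes reg 16
    ("10.0.0.77", build_frame(3, 1, 6, struct.pack("!HH", 16, 0x0000))),  # stranger writes it
    ("10.0.0.77", build_frame(4, 1, 8, struct.pack("!HH", 1, 0))),        # restart comms
    ("10.0.0.1", build_frame(5, 1, 0x83, bytes([0x01]))),                 # PLC: illegal function
    ("10.0.0.77", b"\x00\x06\x00\x01\x00\x02\x01\x03"),                   # protocol id 1
]

if __name__ == "__main__":
    for src, alert in audit(SAMPLE_TRAFFIC):
        print(src, "->", alert)
```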
C. Attacks on Wireless Systems

Driven by the fourth industrial revolution, wireless communication finds its way into industrial systems. There are some protocols that are commonly used in industrial applications, such as Bluetooth Low Energy [40], ZigBee [41] and Z-Wave [42], Radio Frequency IDentifier (RFID) [43] and the Long Range Wide Area Network (LoRa) [44]. Wireless Local Area Network (WLAN) [45] is also often used in industry, but since it was originally developed for classical office IT, it is not considered in this work. RFID is commonly used by industry to tag entities and materials and account for them in storage or production. The other protocols are commonly used for data transmission and communication. There are several flaws and fixes for WLAN, but they are out of scope for this work for the reasons named above. As there is no physical access control to the wireless channel, an adversary can listen to the communication, given he is within the range of the wireless signal. Therefore, most wireless communication protocols are encrypted. Still, some encryption schemes can be broken, rendering the content unprotected. If there is no, or weak, encryption, an attacker can listen to the communication and extract information to perform a MitM [46] attack. Furthermore, he can inject messages into the network with the purpose of launching DoS attacks. A famous example is Wireless Equivalent Privacy (WEP) [47], which is broken [48] but still in use. Another example is ZigBee, whose encryption key, in its default configuration, can easily be recovered by an attacker. Due to poor manufacturer implementations, the secret key is often transmitted in plain text if a new device advertises to the network, for example after restarting [49]. An attacker can obtain this key and gain full access to the network. Another problem in wireless networks is relay attacks. Using those, an attacker can capture a communication packet, transport it over a different protocol, and inject it into the network at a different place. This is commonly done with Bluetooth or RFID. An attacker can use this method to get a response to a challenge, even though the key is not near a key reader. This method has already successfully been applied to break the Passive Keyless Entry and Start (PKES) of different car manufacturers [50]. Spoofing and impersonation are other common attack concepts on wireless protocols. Spoofing means the disguise of an attacker as a valid entity to participate in a communication; impersonation describes an attacker that claims to be an entity she is not. Bluetooth is vulnerable to attacks with Rogue Access Points (APs) [26], among others. Those are APs that are set up by an attacker and imitate valid APs. Because of the ad-hoc nature and the frequency hopping properties of Bluetooth, rogue APs are hard to detect [26]. The same concept can be applied to RFID, where fake tags or readers can read or manipulate entries [51]. Furthermore, wireless channels are inherently prone to jamming attacks. Since there is no access control, an attacker can flood the channel with packets, or simply jam it with noise [52]. This prevents the valid users from communicating with each other. There are also more sophisticated approaches that exploit protocol flaws to prevent communication or that do not jam constantly to make discovery harder [52].
D. Physical-Layer Attacks

Physical, or hardware, attacks are among the most difficult ones. An adversary with physical access to a device or system has more possibilities of inflicting damage and abusing services than one at a remote location. Industrial companies, therefore, put a strong emphasis on obstruction of physical access by perimeters such as walls, gates and guards. Given access, an adversary can, with enough force, always destroy a system, rendering it unusable and creating a DoS. There are, however, more sophisticated and subtle approaches to tampering with devices. There are attacks on embedded devices, particularly PLCs, that falsify sensor values. This, in turn, creates inapt reactions from the devices, leading to undesired behaviour. In the literature, there is the “Ghost in the PLC” attack, which alters the input pins of a PLC, as described by Abbasi and Hashemi [53]. Another work on falsifying input values and creating improper responses from the system is shown by Urbina, Giraldo, Tippenhauer and Cardenas [54]. In addition to tampering with sensor values, an attacker can read or update the code on a PLC. Such an attack is described by Basnight, Butts, Lopez and Dube [55]. In order to stealthily deploy malware on a PLC, Garcia, Brasser, Cintuglu, Sadeghi, Mohammed and Zonouz propose a method to read system information and create a fitting rootkit [56]. Even though it is not the most relevant attack vector in practice, securing physical access is a vital task for industry, since adversaries with direct access have many opportunities with a potentially high impact.

V. ATTACK CAMPAIGNS
The exploits that have been introduced in section IV have been used for attack campaigns against industrial players. We found that there were two noteworthy kinds of attacks:
• Spearphishing campaigns against employees
• Attacks on the industrial infrastructure
Phishing and spearphishing are common practices for malicious adversaries intending to gain insight into company secrets by gaining access to the office IT infrastructure and stealing data. A timeline of known spearphishing campaigns with an industrial background is shown in figure 5. In phishing, unsuspecting victims are sent emails with malicious content, oftentimes a link to a website that is infected with malware [57]. Attachments with malicious content are another common form of phishing [57]. The chances of an attacker getting a victim to follow the link can be increased by personalising the email. This is called “social engineering” [57]; the application of phishing to selected targets with highly adapted content is called “spearphishing”.

Fig. 5. Timeline of Selected Spearphishing Campaigns
Operation Aurora [58] aimed at the software industry, particularly Google. The Night Dragon, Greek Oil and New Year's campaigns aimed at various branches of the energy industry, namely research and petroleum processing [59]. Furthermore, the Nitro campaign [60] aimed at the chemical industry and was intended to obtain sensitive documents, designs and schemas for manufacturing. The Black Vine [61] campaign was used for several targets. First, aerospace companies were in the focus. After that, it was aimed against healthcare institutions in the U.S. The Dragonfly [62] and Black Energy [63] campaigns aimed at the energy industry as well, this time against Industrial Control System (ICS) manufacturing and power generation. In a report, an attack campaign that is called Unnamed [64] in our timeline in figure 5 was described; it also aimed at the extraction of confidential information about ICS manufacturing in the energy industry. Attacks on the industrial infrastructure often aim at sabotaging production. Highly sophisticated malware is employed in these campaigns [57]. A selected list of all known industrial malware campaigns can be found in table II. In this table, the name of the malware is shown, as well as the year of discovery. Furthermore, the presumed target is listed, followed by a Target Score (TS) describing the kind of attack that was employed. The TS is assigned a value according to the following scheme:
• 1: The malware does not specifically target ICS; the incurred consequences are a side effect
• 2: The malware targets Windows machines related to ICS
• 3: The malware targets software related to ICS projects
• 4: The malware targets PLCs and other native devices and protocols
In addition to that, the presumed purpose, the affected ICS and the CVEs that were used in the exploit are listed.
Slammer and Conficker were computer worms that also infected a nuclear power station [65] and air force stations in France and Germany [66], respectively. Stuxnet [35] is one of the most renowned industrial malwares. It was aimed at Iranian nuclear enrichment facilities but, due to programming errors, also infected other systems and was therefore found. It used several different 0-day exploits, depending on the operating systems it encountered, and showed a deep understanding of Siemens S7-300 PLCs. Duqu and Duqu 2.0 [67], [68] were used for spying on industrial project documents. Shamoon and Shamoon 2.0 [69] were intended to sabotage the Saudi-Arabian oil industry. Stuxnet 0.5 [70] was aimed at sabotaging Iranian nuclear enrichment facilities, also by infecting Siemens S7-300 PLCs. It was employed before Stuxnet but was found later due to a different propagation mechanism. Havex [62] was a malware infecting the European energy industry and spying on confidential information. BlackEnergy and Industroyer [71] were aimed at Ukrainian power plants. Major blackouts in December 2015 and December 2016, respectively, in Ukraine are said to result from BlackEnergy and Industroyer.

VI. LESSONS LEARNED
ESSONS L EARNED
We used Shodan [72], an internet search engine that specialises in the Internet of Things (IoT) and industrial applications. Specifically, we grouped our search by ports and only looked for ports that are the default for several industrial protocols. The results of this survey are shown in table III. It can be seen that there still is a huge amount of industrial devices to be found directly connected to the internet. Since all of the entries in table III are fieldbuses, their connection to the internet is risky. They were never designed for security, as one of the paradigms in their development was the physical separation of industrial network and internet [9]. This assumption does not hold for about 1.45 million fieldbuses that, depending on their configuration, can be accessed - and probably tampered with - by an attacker via internet access. We introduced some concepts for botnets in our previous works [10], [11], and there are other projects that develop industrial honeypots, such as the Conpot [73] project and the IoT-pot [74]. One could assume that some of the entries in table III originate in honeypots. We found that of the above entries definitely stem from honeypots by comparing the banners found with the default banners of Conpot. Even though it is plausible that we missed several honeypots, we deem it probable that a majority of the entries is from productive systems. Despite the fact that security flaws in industrial applications have been a critical issue for quite some time, there still are devices and protocols used in insecure ways.
TABLE II
A SELECTION OF ATTACK TOOLS AND CAMPAIGNS

Name                    Year       Presumed Target                         TS  Purpose  Affected ICS                Exploited CVE
Slammer                 2003       untargeted                              1   Sabot.   Nuclear Power Station       CVE-2002-0649
Conficker               2009       untargeted                              1   Sabot.   French & German Air Force   CVE-2008-4250
Stuxnet                 2010       Iranian Nuclear Enrichment Facilities   4   Sabot.   Siemens S7-300              CVE-2010-2568, CVE-2008-4250, CVE-2010-2729, CVE-2010-2772
Duqu / Duqu 2.0         2011/2015  Industrial Project Documents            3   Esp.     -                           -
Shamoon / Shamoon 2.0   2012/2017  Saudi-Arabian Oil Industry              2   Sabot.   -                           -
Regin                   2012       GSM Base Stations                       4   Esp.     -                           -
Stuxnet 0.5             2013       Iranian Nuclear Enrichment Facilities   4   Sabot.   Siemens S7-300              CVE-2012-3015
Havex                   2013       European Energy Industry                3   Esp.     -                           -
BlackEnergy             2016       Ukrainian Power Plant                   3   Sabot.   -                           CVE-2014-4114, CVE-2014-0751
Industroyer             2017       Ukrainian Power Plant                   4   Sabot.   Siemens SIPROTEC            CVE-2015-5374

TABLE III
DEVICES FOUND PUBLICLY ADDRESSABLE BY Shodan

Service       Port Numbers   Hits        Hit Percentage
EtherNet/IP   2222           1 015 093   69.78%
DNP3          20000          232 108     15.95%
OMRON         9600           51 911      3.57%
Niagara Fox   1911           46 806      3.22%
ENIP          44818          32 100      2.21%
Proconos      20547          19 761      1.36%
Modbus        502            18 732      1.29%
CoDeSys       1200, 2455     17 667      1.21%
PCWorx        1962           14 949      1.03%
Siemens       102            3 368       0.23%
Fieldbus      1089-1091      924         0.06%
Profinet      34962-34964    809         0.06%
DNP           19999          300         0.02%
EtherCAT      34980          270         0.02%
Sum           -              1 454 798   100.00%
VII. CONCLUSION
The trend in figure 1 shows that PLC exploitation is becoming more relevant. At the same time, our findings in section VI point out that many operators do not employ their industrial networks in a physically separated way to at least provide basic security. In this work, we showed that the kill chain for ICS is rather easy to use. There are tools to identify vulnerable systems, as well as databases that contain information about vulnerabilities and sometimes also the corresponding exploits. This makes it simple also for non-tech-savvy people to attack systems and cause damage. The rising importance of interconnectivity in industrial applications will lead to an increase in the interest of attackers. As more and more industrial systems become accessible, get more complex software and are remotely configurable, the number of possibilities for exploitation and intrusion also increases. Many industrial operators maintain their production units for decades with little or no possibilities for software updates. This leads to a tremendous danger, as more exploits occur every year.

ACKNOWLEDGMENTS

This work has been supported by the Federal Ministry of Education and Research of the Federal Republic of Germany (Foerderkennzeichen KIS4ITS0001, IUNO). The authors alone are responsible for the content of the paper.

REFERENCES
IEEE Communications Surveys & Tutorials
Computers & Security, vol. 25, pp. 498–506, 2006.
[10] D. Fraunholz, D. Krohmer, S. Duque Anton, and H. D. Schotten, “Investigation of cyber crime conducted by abusing weak or default passwords with a medium interaction honeypot,” in International Conference On Cyber Security And Protection Of Digital Services (Cyber Security-17). IEEE, 2017.
[11] D. Fraunholz, M. Zimmermann, S. Duque Anton, J. Schneider, and H. D. Schotten, “Distributed and highly-scalable wan network attack sensing and sophisticated analysing framework based on honeypot technology,” in , Amity School of Engineering and Technology. IEEE, 1 2017, p. 33.
[12] B. Zhu, A. Joseph, and S. Sastry, “A taxonomy of cyber attacks on scada systems,” , pp. 380–388, 2011.
[13] P. S. Motta Pires and Oliveira, Luiz Affonso H. G., “Security aspects of scada and corporate network interconnection: An overview,” International Conference on Critical Infrastructure Protection
17. VDI Automatisierungskongress (AUTOMATION-2016), VDI. VDI, 6 2016.
[20] S. Duque Anton, D. Fraunholz, and H. D. Schotten, “Angriffserkennung fuer industrielle netze innerhalb des projektes iuno,” in ITG-Fachtagung Mobilkommunikation - Technologien und Anwendungen (ITG-17), P. Roer, H. D. Schotten, R. Toenjes, and C. Westerkamp, Eds., Informationstechnische Gesellschaft im VDE (ITG). VDE Verlag GmbH, 2017, pp. 68–73.
[21] S. Duque Anton, D. Fraunholz, J. Zemitis, F. Pohl, and H. D. Schotten, “Highly scalable and flexible model for effective aggregation of context-based data in generic iiot scenarios,” in
Proceedings of the 20th USENIX Conference on Security
Mechanical Translation and Computational Linguistics
IEEE Communications Surveys & Tutorials
Selected Areas in Cryptography 2001
Black Hat Europe 2016, pp. 1–35, 2016.
[54] D. Urbina, J. Giraldo, N. O. Tippenhauer, and A. Cardenas, “Attacking fieldbus communications in ics: Applications to the swat testbed,” Proceedings of the Singapore Cyber-Security Conference (SG-CRC), vol. 14, pp. 75–89, 2016.
[55] Z. Basnight, J. Butts, J. Lopez, and T. Dube, “Firmware modification attacks on programmable logic controllers,” International Journal of Critical Infrastructure Protection, vol. 6, no. 2, pp. 76–84, 2013.
[56] L. A. Garcia, F. Brasser, M. H. Cintuglu, A.-R. Sadeghi, O. Mohammed, and S. A. Zonouz, “Hey, my malware knows physics! attacking plcs with physical model aware rootkit,” NDSS Symposium 2017
SANS Industrial Control Systems, 2016. [Online]. Available: https://ics.sans.org/media/E-ISAC SANSUkraine DUC 5.pdf
[64] “Threat landscape for industrial automation systems in the second half of 2016,” Kaspersky Lab, Tech. Rep., 2017. [Online]. Available: https://ics-cert.kaspersky.com/wp-content/uploads/sites/6/2017/03/KL-ICS-CERT H2-2016 report FINAL EN.pdf
[65] B. Kesler, “The vulnerability of nuclear facilities to cyber attack,” Strategic Insights, vol. 10, no. 1, pp. 15–25, 2011.
[66] G. Sciacco, “L'armée de l'air face à la menace d'un “cyber pearl harbor”,” Res Militaris
9th USENIX Workshop on Offensive Technologies (WOOT 15)