Hyunguk Yoo
Ajou University
Publication
Featured research published by Hyunguk Yoo.
Future Generation Computer Systems | 2016
Hyunguk Yoo; Taeshik Shon
IEC 61850, an international standard for communication networks, is becoming prevalent in the cyber-physical system (CPS) environment, especially with regard to the electrical grid. Recently, since cyber threats in the CPS environment have increased, security matters for individual protocols used in this environment are being discussed at length. However, there have not been many studies on the types of new security vulnerabilities and the security requirements that are required in a heterogeneous protocol environment based on IEC 61850. In this paper, we examine the electrical grid in Korea, and discuss security vulnerabilities, security requirements, and security architectures in such an environment. There are security concerns in the heterogeneous CPS environment based on IEC 61850. Two connections (IEC 61850-DNP3, IEC 61850-IEC 61970) are drawn from a case study. We classify the security vulnerabilities of the heterogeneous protocol environment. We present security requirements and architectures in the heterogeneous CPS environment.
Multimedia Tools and Applications | 2015
Hyunguk Yoo; Taeshik Shon
An SA (Substation Automation) system based on IEC 61850 is an intelligent substation; it has been receiving considerable attention as a core component of a smart grid. The explosive increase of threats to cyber security has expanded to critical national infrastructures including the power grid. Substation Automation has also become a main target of cyber-attacks. Currently, various countermeasures such as firewalls, IDSs (Intrusion Detection Systems), and anti-virus solutions have been developed, but to date, these have not sufficiently reflected the inherent features of Substation Automation based on IEC 61850. This study suggests a method of anomaly detection for MMS (Manufacturing Message Specification) and GOOSE (Generic Object Oriented Substation Events) packets, the main communication protocols of IEC 61850 Substation Automation. 3-phase preprocessing, EM (Expectation Maximization), and one-class SVM (Support Vector Machine) techniques are applied. The effectiveness of the suggested method is evaluated through experiments.
International Conference on Smart Grid Communications | 2016
Hyunguk Yoo; Taeshik Shon
Software security for critical infrastructure, such as electrical grid and SCADA systems, is becoming an increasingly important issue. Fuzzing techniques are widely used to detect software security vulnerabilities, with various approaches (mutation-based or grammar-based, blackbox or whitebox) depending on the information used to generate test input. Although existing studies have advantages, they also have limitations for software with structured inputs, such as SCADA protocol implementations. This paper presents a novel fuzzing method leveraging the software input grammar for testing and dynamic information extracted from target program execution. The proposed fuzzing method was evaluated on two applications using the Modbus protocol, which is widely used in SCADA systems, and showed improved code coverage compared to current well-known fuzzing tools.
Green Computing and Communications | 2016
Seokjun Lee; Hyunguk Yoo; Jungtaek Seo; Taeshik Shon
As a number of attacks such as Stuxnet and BlackEnergy targeting the control systems of critical infrastructure have happened, the importance of security enhancement for facilities such as industrial CPS (Cyber Physical System) has emerged. In this paper, by reflecting the characteristics of industrial CPS, we propose a packet diversity-based anomaly detection model with which we can learn and conduct detection more effectively than with existing anomaly detection systems. In the proposed detection system, in order to enhance the sensitivity of the detection model, we construct a detection model for each group after grouping the data of an industrial CPS by packet structure, based on features of the packet header. The proposed detection system aims at single-packet anomaly detection to cope with threats such as injection attacks, malformed packets used in fuzzing, and others. For the architecture of the anomaly detection system, we propose a structure that applies both a whitelist and a learning-based detection model. Measuring packet diversity using the payload variation of packets and entropy-based uncertainty is also proposed, to select which learning-based detection model is appropriate for a dataset. As learning-based detection models, the anomaly detection system uses a model constructed with the well-known learning method OCSVM (One Class SVM) and a newly proposed representative detection model made to overcome the limitations of OCSVM.
The Journal of Supercomputing | 2014
Sekie Amanuel Majore; Hyunguk Yoo; Taeshik Shon
Currently, most records are produced and stored digitally using various types of media storage and computer systems. Unlike physical records such as paper-based records, identifying, collecting, and analyzing digital records requires technical knowledge and tools that are not found in archival institutions. As a result, archival institutions face challenges in their attempt to collect digital archives. One approach to overcome this problem is for archival institutions to use digital forensic knowledge and technologies. In this paper, we propose the Digital Archive Management System that integrates digital forensic technologies and archival information management systems to acquire, identify, analyze, and manage digital records in archival institutions.
Information Security and Cryptology | 2013
Yong-hun Lim; Hyunguk Yoo; Taeshik Shon
This paper proposes normal behavior profiling methods for anomaly detection in IEC 61850 based substation networks. Signature-based security solutions, currently the ones primarily used, are inadequate against APT attacks using zero-day vulnerabilities. Recently, some research on anomaly detection in control networks has been ongoing. However, there are no published results for IEC 61850 substation networks. Our proposed methods include 3-phase preprocessing for MMS/GOOSE packets and normal behavior profiling using the one-class SVM algorithm. These approaches are beneficial for detecting APT attacks on IEC 61850 substation networks.
Green Computing and Communications | 2016
Hyunguk Yoo; Taeshik Shon
Inferring a correct state machine of a protocol implementation is an important problem in the software engineering and security domains. Protocol state machine inference can be widely used in various security applications, such as software vulnerability detection, intrusion detection systems, protocol implementation fingerprinting, and protocol reversing. In this paper, we propose an advanced technique to efficiently infer a protocol state machine. The proposed technique is evaluated by inferring a state machine of a SCADA protocol implementation. The SCADA system is one of the most critical cyber-physical systems, and the proposed technique can be used for various security applications in these systems. The proposed technique is based on Angluin's L* algorithm, but we advance the algorithm using the Hybrid Teacher, which uses both the random sampling oracle and the modified W-method. We demonstrate that the proposed technique can learn a correct state machine with fewer queries than existing techniques, through experiments on an application of the DNP3 protocol, which is widely used in SCADA systems.
International Conference on IT Convergence and Security, ICITCS | 2014
Sungmoon Kwon; Hyunguk Yoo; Taeshik Shon; GunWoong Lee
In the past, control system networks were isolated from public external networks, so there was no way to access the control system networks from external networks. Security issues of control system networks were originated and guaranteed by the networks themselves, which can be a form of security by obscurity. Recently, most devices in control systems are gaining communication capability, and interoperability between devices is very significant. Thus, an effective management system for control system networks has been required, and this has triggered connections between the control system network and external system networks. These changes make control system management easier than before, but the threat of cyberattacks from external networks is also increasing. To prevent a variety of security attacks, many security standards and solutions are applied to control systems. In this paper, we present a scenario-based attack and propose a countermeasure using security control of field devices in order to improve security in control system networks.
Information Security and Cryptology | 2014
Seokcheol Lee; Hyunguk Yoo; Taeshik Shon
ABSTRACT Digital records, which are created, stored, and managed in digital form, contain security vulnerabilities such as data modification, due to the characteristics of digital data. Therefore it is necessary to guarantee reliability by verifying integrity and authenticity when managing digital records. This paper proposes a digital forensics based migration process for electronic records by analyzing the legacy digital forensics process, and derives the requirements for developing a digital forensics based electronic records migration tool by analyzing trends in a broad range of digital records migration techniques and tools. Based on these, we develop a digital forensics based digital records migration tool to guarantee the integrity and authenticity of digital records.
Keywords: Digital Forensics, Digital Records, Electronic Records, Migration, Transfer
Received: March 31, 2014; Revised: May 14, 2014; Accepted: June 2, 2014. * This research was supported by the 2013 Records Preservation Technology R&D program, funded by the National Archives of Korea, Ministry of Security and Public Administration. † First author, [email protected] ‡ Corresponding author, [email protected]
Information Security and Cryptology | 2013
Hyunguk Yoo; Taeshik Shon
Recently, with the sudden increase in records produced and stored digitally, it has become more important to maintain reliability and authenticity and to ensure legal effect when digital records are collected, preserved and managed. On the basis of domestic legal procedure law and record management-related legislation, this paper considers the judicial admissibility as evidence of electronic records managed by the National Archives of Korea and identifies potential problems when these are submitted to court as evidence. This paper also suggests a plan for applying digital forensics techniques to electronic records management to ensure the admissibility as evidence of electronic records stored in the National Archives of Korea.