Igor Nai Fovino

Modbus/DNP3 State-Based Intrusion Detection System

The security of Industrial Critical Infrastructures is become a prominent problem with the advent of modern ICT technologies used to improve the performances and the features of the SCADA systems. In this paper we present an innovative approach to the design of Intrusion Detection Systems. The aim is to be able to detect complex attacks to SCADA systems, by monitoring its state evolution. By complex attack, we mean attacks composed of a set of commands that, while licit when considered in isolation on a single-packet basis, can disrupt the correct behavior of the system when executed in particular operating states. The proposed IDS detects these complex attacks thanks to an internal representation of the controlled SCADA system. We also present the corresponding rule language powerful enough to express the system’s critical states. Furthermore, we present a prototype of the proposed IDS, able to monitor systems using the ModBus and DNP3 communication protocols.

Integrating cyber attacks within fault trees

In this paper, a new method for quantitative security risk assessment of complex systems is presented, combining fault-tree analysis, traditionally used in reliability analysis, with the recently introduced Attack-tree analysis, proposed for the study of malicious attack patterns. The combined use of fault trees and attack trees helps the analyst to effectively face the security challenges posed by the introduction of modern ICT technologies in the control systems of critical infrastructures. The proposed approach allows considering the interaction of malicious deliberate acts with random failures. Formal definitions of fault tree and attack tree are provided and a mathematical model for the calculation of system fault probabilities is presented.

An experimental investigation of malware attacks on SCADA systems

Abstract Modern critical infrastructures are continually exposed to new threats due to the vulnerabilities and architectural weaknesses introduced by the extensive use of information and communications technologies (ICT). Of particular significance are the vulnerabilities in the communication protocols used in supervisory control and data acquisition (SCADA) systems that are commonly employed to control industrial processes. This paper presents the results of our research on the impact of traditional ICT malware on SCADA systems. In addition, it discusses the potential damaging effects of computer malware created for SCADA systems.

An experimental platform for assessing SCADA vulnerabilities and countermeasures in power plants

SCADA systems are nowadays exposed not only to traditional safety and availability problems, but also to new kinds of security threats. These are mainly due to the large number of new vulnerabilities and architectural weaknesses introduced by the extensive use of ICT and networking technologies into such complex systems. The analysis of the effects of these new threats is a mandatory activity to ensure the security of critical installation relying on SCADA systems. In this paper, after describing an experimental platform developed for studying the effects of ICT attacks against SCADA systems, we present some attack scenarios successfully exploited in this experimental platform, taking as reference the SCADA system of a typical Turbo-Gas Power Plant. Moreover we present a brief overview of the possible countermeasures for enhancing the security of SCADA systems.

A cyber-physical experimentation environment for the security analysis of networked industrial control systems

Although many studies address the security of Networked Industrial Control Systems (NICSs), today we still lack an efficient way to conduct scientific experiments that measure the impact of attacks against both the physical and the cyber parts of these systems. This paper presents an innovative framework for an experimentation environment that can reproduce concurrently physical and cyber systems. The proposed approach uses an emulation testbed based on Emulab to recreate cyber components and a real-time simulator, based on Simulink, to recreate physical processes. The main novelty of the proposed framework is that it provides a set of experimental capabilities that are missing from other approaches, e.g. safe experimentation with real malware, flexibility to use different physical processes. The feasibility of the approach is confirmed by the development of a fully functional prototype, while its applicability is proven through two case studies of industrial systems from the electrical and chemical domain.

State-based network intrusion detection systems for SCADA protocols: a proof of concept

We present a novel Intrusion Detection System able to detect complex attacks to SCADA systems. By complex attack, we mean a set of commands (carried in Modbus packets) that, while licit when considered in isolation on a single-packet basis, interfere with the correct behavior of the system. The proposed IDS detects such attacks thanks to an internal representation of the controlled SCADA system and a corresponding rule language, powerful enough to express the systems critical states. Furthermore, we detail the implementation and provide experimental comparative results.

Scada Malware, a Proof of Concept

Critical Infrastructures are nowadays exposed to new kind of threats. The cause of such threats is related to the large number of new vulnerabilities and architectural weaknesses introduced by the extensive use of ICT and Network technologies into such complex critical systems. Of particular interest are the set of vulnerabilities related to the class of communication protocols normally known as SCADA protocols, under which fall all the communication protocols used to remotely control the RTU devices of an industrial system. In this paper we present a proof of concept of the potential effects of a set of computer malware specifically designed and created in order to impact, by taking advantage of some vulnerabilities of the ModBUS protocol, on a typical Supervisory Control and Data Acquisition system.

A Permission verification approach for android mobile applications

Mobile applications build part of their security and privacy on a declarative permission model. In this approach mobile applications, to get access to sensitive resources, have to define the corresponding permissions in a manifest. However, mobile applications may request access to permissions that they do not require for their execution (over-privileges) and offer opportunities to malicious software to gain access to otherwise inaccessible resources. In this paper, we investigate on the declarative permissions model on which security and privacy services of Android rely upon. We propose a practical and efficient permission certification technique, in the direction of risk management assessment. We combine both runtime information and static analysis to profile mobile applications and identify if they are over-privileged or follow the least privilege principle. We demonstrate a transparent solution that neither requires modification to the underlying framework, nor access to the applications original source code. We assess the effectiveness of our approach, using a randomly selected varied set of mobile applications. Results show that our approach can accurately identify whether an application is over-privileged or not, whilst at the same time guaranteeing the need of declaring specific permissions in the manifest.

Analyzing Cyber-Physical Attacks on Networked Industrial Control Systems

Considerable research has focused on securing SCADA systems and protocols, but an efficient approach for conducting experiments that measure the impact of attacks on the cyber and physical components of the critical infrastructure is not yet available. This paper attempts to address the issue by presenting an innovative experimental framework that incorporates cyber and physical systems. An emulation testbed based on Emulab is used to model cyber components while a soft real-time simulator based on Simulink is used to model physical processes. The feasibility and performance of the prototype is evaluated through a series of experiments. The prototype supports experimentation with networked industrial control systems and helps understand and measure the consequences of cyber attacks on physical processes.

Emergent Disservices in Interdependent Systems and System-of-Systems

The assessment and the evaluation of the risk exposure to failures and cyber attacks, is nowadays - in times of pervasive ICT applications - a much required task. However, in some cases, and especially when evaluating an ICT infrastructure (which can be logically and geographically sparse and which can provide services to other systems), the evaluation of system risk is not sufficient. In fact in this context, a failure judged negligible for the life of a system may have not negligible effect on another system which is in someway in relation with the former one. In this paper, we present a formal approach based on the concept of system of system allowing to represent the interdependencies existing among a group of collaborating systems. Moreover we show how such an approach can be integrated in a risk assessment methodology in order to obtain a system of system risk assessment framework.