Jonathan Petit

Modeling message sequences for intrusion detection in industrial control systems

Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing “sequence-aware” intrusion detection systems.

Binary hash tree based certificate access management for connected vehicles

We present a certificate access management system to support the USDOTs proposed rule on Vehicle-to-Vehicle (V2V) communications, Federal Motor Vehicle Safety Standard (FMVSS) No. 150. Our proposal, which we call Binary Hash Tree based Certificate Access Management (BCAM) eliminates the need for vehicles to have bidirectional connectivity with the Security Credential Management System (SCMS) for certificate update. BCAM significantly improves the ability of the SCMS to manage large-scale software and/or hardware compromise events. Vehicles are provisioned at the start of their lifetime with all the certificates they will need. However, certificates and corresponding private key reconstruction values are provided to the vehicle encrypted, and the keys to decrypt them are only made available to the vehicles shortly before the start of the validity periods of those certificates. Vehicles that are compromised can be effectively removed from the V2V system by preventing them from decrypting the certificates. We demonstrate that the system is feasible with a broadcast channel for decryption keys and other revocation information, even if that channel has a relatively low capacity. Reproducibility VM download link: https://drive.google.com/open?id=0B4ozf__jZFRs7VmhqampHczhBTkU

An Evaluation of Pseudonym Changes for Vehicular Networks in Large-Scale, Realistic Traffic Scenarios

Changing pseudonym certificates are the agreed-upon approach for privacy-friendly message authentication in upcoming vehicular ad hoc networks and are included in recent standards. This paper examines the performance of four different pseudonym change strategies and their parameters using simulations of realistic, large-scale traffic scenarios. The strategies are assessed by measuring their effectiveness and efficiency in protecting drivers from being tracked by an attacker with limited coverage. In an urban scenario, all strategies achieve satisfactory privacy protection, but the change frequency required is rather high. In a highway scenario, the attacker algorithm achieves a high-tracking success for all strategies, especially in low traffic, even for very short change intervals. This paper proposes concrete change intervals for urban scenarios, which are higher than currently foreseen, but concludes that privacy protection in uniform traffic conditions remains a challenge.

Context-adaptive detection of insider attacks in VANET information dissemination schemes

Information dissemination is one of the most-discussed applications for vehicular ad hoc networks (VANETs) and other ad hoc networks. To provide dependability for applications, information dissemination must be resilient against different kinds of attacks. Especially insider attackers, which may create valid messages that cannot easily be detected using cryptographic signatures alone, pose a viable threat to information dependability. Many proposals in existing work offer solutions to detect individual attack patterns using data consistency checks and other means. We propose a generic framework that can integrate a wide range of existing detection mechanisms, allows to combine their outputs to improve attack detection, and enables mechanism adaptation based on current attack likelihood. We employ subjective logic opinions, which enable flexible security mechanism output representation, and which we extend to support continuing operation in dynamic networks, such as VANETs. Simulation results show that our framework improves detection accuracy compared to applying individual mechanisms.

Privacy of Connected Vehicles

By enabling vehicles to exchange information with infrastructure and other vehicles, connected vehicles enable new safety applications and services. Because this technology relies on vehicles to broadcast their location in clear text, it also raises location privacy concerns. In this chapter, we discuss the connected-car ecosystem and its underlying privacy threats. We further present the privacy protection approach of short-term identifiers, called pseudonyms, that is currently foreseen for emerging standards in car-to-X communication. To that end, we discuss the pseudonym lifecycle and analyze the trade-off between dependability and privacy requirements. We give examples of other privacy protection approaches for pay-as-you-drive insurance, sharing of trip data, and electric vehicle charging. We conclude the chapter by an outlook on open challenges.

Threat and Countermeasures Analysis for WAVE Service Advertisement

The WAVE Service Advertisement (WSA) is a key part of the IEEE 1609 family of standards which specify the wireless technology that will be used for Vehicle-to-Anything (V2X) communications in the US. Despite this, it has never received a thorough security analysis, and the security mechanisms in the current version of the standards are ad hoc and have significant management overhead, making it difficult to deploy services quickly or to understand exactly what communications security approach needs to be taken in a given situation. This paper provides summary results of a comprehensive security analysis of the WSA carried out over a period of more than a year. We note numerous potential vulnerabilities in the use of the WSA: the WSA could be used to leave poorly-implemented receivers essentially isolated from the system, and it can also be used to trigger a number of different force-multiplier denial of service attacks. In considering how WSAs can be used to induce improper behavior, we note that in the Cooperative Intelligent Transportation Systems (C-ITS) setting in the US there is as yet no complete definition of proper behavior. We end by making recommendations for how WSAs may be secured and by identifying the elements that need to be specified as part of a policy that defines proper behavior.

Security and privacy in vehicular networks

This chapter addresses the issues related to security and privacy protection in Car-to-X (C2X) networks. We highlight the importance of proper security and privacy protection for the success of C2X and show the three major building blocks of a secure C2X system: (1) identity management, authentication, and message integrity; (2) privacy protection; and (3) misbehaviour detection. The chapter concludes with a list of future challenges.