Publication


Featured research published by Mason Rice.


International Journal of Critical Infrastructure Protection | 2015

Constructing cost-effective and targetable industrial control system honeypots for production networks

Michael Winn; Mason Rice; Stephen Dunlap; Juan Lopez; Barry E. Mullins

Critical infrastructure assets - and especially industrial control systems - are at risk. Malicious actors are constantly developing exploits that sneak past security controls. Honeypots offer an opportunity to acquire knowledge about the tactics, techniques and procedures used by malicious entities to compromise sensitive systems. However, the proprietary, and often expensive, hardware and software used by industrial control systems make it very challenging to build flexible, economical and scalable honeypots. This paper describes a technique that uses proxy technology to produce multiple high-interaction honeypots using a single programmable logic controller. The technique provides a cost-effective method for distributing multiple, authentic, targetable honeypots at slightly more than the cost of a single programmable logic controller.


International Journal of Critical Infrastructure Protection | 2016

A framework for incorporating insurance in critical infrastructure cyber risk strategies

Derek Young; Juan Lopez; Mason Rice; Benjamin W. P. Ramsey; Robert McTasney

Smart critical infrastructure owners and operators are always looking for ways to minimize cyber risk while keeping a lid on cyber security expenditures. The insurance industry has been quantitatively assessing risk for hundreds of years to minimize risk and maximize profits. To achieve these goals, insurers continuously gather and analyze statistical data to improve their predictions, incentivize client investments in self-protection and periodically refine their models to improve the accuracy of risk estimates. This paper presents a framework that incorporates the operating principles of the insurance industry to provide quantitative estimates of cyber risk. The framework uses optimization techniques to suggest levels of investment in cyber security and insurance for critical infrastructure owners and operators. This analysis can be used to quantitatively formulate strategies to minimize cyber risk.


International Journal of Critical Infrastructure Protection | 2016

Evaluating the readiness of cyber first responders responsible for critical infrastructure protection

Jungsang Yoon; Stephen Dunlap; Jonathan Butts; Mason Rice; Benjamin W. P. Ramsey

First responders go through rigorous training and evaluation to ensure that they are adequately prepared for emergencies. For example, fire departments continually evaluate the readiness of their firefighting personnel using a defined set of criteria that measures their performance in fire suppression and rescue procedures. However, in the cyber security domain, similar evaluation criteria and rigor are severely lacking for professionals who help detect, respond to and recover from cyber-based attacks against critical infrastructure assets. To address the gap, this paper provides a framework for evaluating the readiness of cyber first responders responsible for critical infrastructure protection. The evaluation criteria are conceptually based on the NFPA 1410 standards that are used to assess the readiness of firefighter first responders. The utility of the framework is illustrated using a military cyber training exercise that evaluated the readiness of professionals who respond to real-world cyber attack scenarios.


Computers & Security | 2017

Misuse-based detection of Z-Wave network attacks

Jonathan D. Fuller; Benjamin W. P. Ramsey; Mason Rice; John M. Pecarina

Wireless Sensor Networks (WSNs) are becoming ubiquitous, providing low-cost, low-power, and low-complexity systems in which communication and control are tightly integrated. Although much security research into WSNs has been accomplished, researchers struggle to conduct thorough analyses of closed-source proprietary protocols. Of the numerous available and underanalyzed proprietary protocols, those based on the ITU-T G.9959 recommendation specifying narrow-band sub-GHz communications have recently experienced significant growth. The Z-Wave protocol is the most common implementation of this recommendation. Z-Wave developers are required to sign nondisclosure and confidentiality agreements, limiting the availability of tools to perform open source research. Given recently demonstrated attacks against Z-Wave networks, defensive countermeasures are needed. This work extends an existing implementation of a Z-Wave Misuse-Based Intrusion Detection System (MBIDS). A side-by-side comparison is performed through experimentation to measure misuse detection accuracy of the baseline and extended MBIDS implementations. Experiment results determine the extended MBIDS achieves a mean misuse detection rate of 99%, significantly improving the security posture in MBIDS-monitored Z-Wave networks.


International Conference on Critical Infrastructure Protection | 2016

Practical Application Layer Emulation in Industrial Control System Honeypots

Kyle Girtz; Barry E. Mullins; Mason Rice; Juan Lopez

Attacks on industrial control systems and critical infrastructure assets are on the rise. These systems are at risk due to outdated technology and ad hoc security measures. As a result, honeypots are often deployed to collect information about malicious intrusions and exploitation techniques. While virtual honeypots mitigate the excessive cost of hardware-replicated honeypots, they often suffer from a lack of authenticity. In addition, honeypots utilizing a proxy to a live programmable logic controller suffer from performance bottlenecks and limited scalability. This chapter describes an enhanced, application layer emulator that addresses both limitations. The emulator combines protocol-agnostic replay with dynamic updating via a proxy to produce a device that is easily integrated into existing honeypot frameworks.


International Conference on Critical Infrastructure Protection | 2015

Evaluating ITU-T G.9959 Based Wireless Systems Used in Critical Infrastructure Assets

Christopher W. Badenhop; Jonathan D. Fuller; Joseph Hall; Benjamin W. P. Ramsey; Mason Rice

ITU-T G.9959 wireless connectivity is increasingly incorporated in the critical infrastructure. However, evaluating the robustness and security of commercially-available products based on this standard is challenging due to the closed-source nature of the transceiver and application designs. Given that ITU-T G.9959 transceivers are being used in smart grids, building security systems and safety sensors, the development of reliable, open-source tools would enhance the ability to monitor and secure ITU-T G.9959 networks. This chapter discusses the ITU-T G.9959 wireless standard and research on ITU-T G.9959 network security. An open-source, software-defined radio implementation of an ITU-T G.9959 protocol sniffer is used to explore several passive reconnaissance techniques and deduce the properties of active network devices. The experimental results show that some properties are observable regardless of whether or not encryption is used. In particular, the acknowledgment response times vary due to differences in vendor firmware implementations.


International Conference on Critical Infrastructure Protection | 2010

Modeling Control System Failures and Attacks – The Waterloo Campaign to Oil Pipelines

Jonathan Butts; Mason Rice; Sujeet Shenoi

This paper presents a model for expressing control system failures and attacks on control protocols that involve the exchange of messages. Control failures and attacks are modeled using the notion of an attacker who can block and/or fabricate messages. These two attack mechanisms can cover a variety of scenarios ranging from control failures in the Waterloo Campaign to cyber attacks on oil pipelines. The model helps provide a comprehensive understanding of control system failures and attacks, which supports the development of strategies for attack as well as defense.


International Journal of Critical Infrastructure Protection | 2017

A cyber risk scoring system for medical devices

Ian Stine; Mason Rice; Stephen Dunlap; John M. Pecarina

The increased connectivity of medical devices expedites patient treatment and provides lifesaving capabilities, but the lack of emphasis on device security has led to several cyber security breaches. Most medical professionals do not have adequate expertise in information technology or cyber security, yet they are responsible for assessing which medical devices provide the best balance of risk and probability of success. This paper proposes a cyber risk scoring system that considers a physician’s worst-case assessment of the potential of a medical device to impact a patient. The scoring system also relies on a security questionnaire based on the STRIDE model that helps generate a risk score for the medical device. Three test scenarios involving medical devices are used to demonstrate the application and utility of the risk scoring system.


International Journal of Critical Infrastructure Protection | 2017

Enabling Bluetooth Low Energy auditing through synchronized tracking of multiple connections

Jose R. Gutierrez del Arroyo; Jason M. Bindewald; Scott R. Graham; Mason Rice

Bluetooth Low Energy is a wireless communications protocol that is increasingly used in critical infrastructure applications, especially for inter-sensor communications in wireless sensor networks. Recent security research notes a trend in which developers and vendors have opted out of implementing Bluetooth Low Energy link security in many devices, enabling protocol attacks and attack frameworks. To help defend devices with no link security, researchers recommend the use of Bluetooth Low Energy traffic sniffers to generate auditable communications logs. Unfortunately, current sniffers can only follow a single connection at a time, and some are ineffective at capturing long-lived connections due to synchronization problems. These limitations make current sniffers impractical for use in wireless sensor networks. This paper presents Bluetooth Low Energy Multi (BLE-Multi), a firmware enhancement to the open-source Ubertooth One that enables the sniffing of multiple simultaneous long-lived connections. To increase the capture effectiveness for long-lived connections, a novel synchronization mechanism is proposed that uses transmissions of empty packets to infer information about connection timing. Multi-connection sniffing is achieved by opportunistically switching between connections as they move from the active to inactive state, which is an inherent function in Bluetooth Low Energy to help conserve energy. The experimental evaluations demonstrate that BLE-Multi simultaneously captures multiple active connections while outperforming Ubertooth One when it captures a single connection, paving the way for the development and implementation of automated defensive tools for Bluetooth Low Energy and wireless sensor networks.


International Conference on Critical Infrastructure Protection | 2017

Multi-Controller Exercise Environments for Training Industrial Control System First Responders

Joseph Daoud; Mason Rice; Stephen Dunlap; John M. Pecarina

When systems are targeted by cyber attacks, cyber first responders must be able to react effectively, especially when dealing with critical infrastructure assets. Training for cyber first responders is lacking and most exercise platforms are expensive, inaccessible and/or ineffective. This chapter describes a mobile training platform that incorporates a variety of programmable logic controllers in a single system that helps impart the unique skills required of industrial control system cyber first responders. The platform is modeled after a jail in the United States and was developed to maximize realism. Training scenarios are presented that cover specific cyber first responder skills and techniques. The results demonstrate that the platform is robust and highly effective for conducting sustained training exercises in curricula developed for cyber first responders.

Collaboration


Top Co-Authors

Stephen Dunlap

Air Force Institute of Technology

Benjamin W. P. Ramsey

Air Force Institute of Technology

Barry E. Mullins

Air Force Institute of Technology

John M. Pecarina

Air Force Institute of Technology

Juan Lopez

Air Force Institute of Technology

Jonathan Butts

Air Force Institute of Technology

Jason M. Bindewald

Air Force Institute of Technology

Andrew Chaves

Air Force Institute of Technology

Anthony Rose

Air Force Institute of Technology
