Publication


Featured research published by Mauricio Papa.


International Journal of Critical Infrastructure Protection | 2008

Attack taxonomies for the Modbus protocols

Peter Huitsing; Rodrigo Chandia; Mauricio Papa; Sujeet Shenoi

The Modbus protocol and its variants are widely used in industrial control applications, especially for pipeline operations in the oil and gas sector. This paper describes the principal attacks on the Modbus Serial and Modbus TCP protocols and presents the corresponding attack taxonomies. The attacks are summarized according to their threat categories, targets and impact on control system assets. The attack taxonomies facilitate formal risk analysis efforts by clarifying the nature and scope of the security threats on Modbus control systems and networks. Also, they provide insights into potential mitigation strategies and the relative costs and benefits of implementing these strategies.


International Conference on Critical Infrastructure Protection | 2009

A Taxonomy of Attacks on the DNP3 Protocol

Samuel East; Jonathan Butts; Mauricio Papa; Sujeet Shenoi

Distributed Network Protocol (DNP3) is the predominant SCADA protocol in the energy sector – more than 75% of North American electric utilities currently use DNP3 for industrial control applications. This paper presents a taxonomy of attacks on the protocol. The attacks are classified based on targets (control center, outstation devices and network/communication paths) and threat categories (interception, interruption, modification and fabrication). To facilitate risk analysis and mitigation strategies, the attacks are associated with the specific DNP3 protocol layers they exploit. Also, the operational impact of the attacks is categorized in terms of three key SCADA objectives: process confidentiality, process awareness and process control. The attack taxonomy clarifies the nature and scope of the threats to DNP3 systems, and can provide insights into the relative costs and benefits of implementing mitigation strategies.


International Conference on Critical Infrastructure Protection | 2007

Security Strategies for SCADA Networks

Rodrigo Chandia; Jesús González; Tim Kilpatrick; Mauricio Papa; Sujeet Shenoi

SCADA systems have historically been isolated from other computing resources. However, the use of TCP/IP as a carrier protocol and the trend to interconnect SCADA systems with enterprise networks introduce serious security threats. This paper describes two strategies for securing SCADA networks, both of which have been implemented in a laboratory-scale Modbus network. The first utilizes a security services suite that minimizes the impact on time-critical industrial process systems while adhering to industry standards. The second engages a sophisticated forensic system for SCADA network traffic collection and analysis. The forensic system supports the post mortem analysis of security breaches and the monitoring of process behavior to optimize plant


2006 IEEE Information Assurance Workshop | 2006

Applying Data Mining of Fuzzy Association Rules to Network Intrusion Detection

Aly El-Semary; Janica Edmonds; Jesús González-Pino; Mauricio Papa

This paper describes the use of fuzzy logic in the implementation of an intelligent intrusion detection system. The system uses a data miner that integrates Apriori and Kuok's algorithms to produce fuzzy logic rules that capture features of interest in network traffic. Using an inference engine, implemented using FuzzyJess, the intrusion detection system evaluates these rules and gives network administrators indications of the firing strength of the ruleset. The resulting system is capable of adapting to changes in attack signatures. In addition, by identifying relevant network traffic attributes, the system has the inherent ability to provide abstract views that support network security analysis. Examples and experimental results using intrusion detection datasets from MIT Lincoln Laboratory demonstrate the potential of the approach.


Archive | 2008

Critical Infrastructure Protection II

Mauricio Papa; Sujeet Shenoi

The information infrastructure---comprising computers, embedded devices, networks and software systems---is vital to day-to-day operations in every sector: information and telecommunications, banking and finance, energy, chemicals and hazardous materials, agriculture, food, water, public health, emergency services, transportation, postal and shipping, government and defense. Global business and industry, governments, indeed society itself, cannot function effectively if major components of the critical information infrastructure are degraded, disabled or destroyed. Critical Infrastructure Protection II describes original research results and innovative applications in the interdisciplinary field of critical infrastructure protection. Also, it highlights the importance of weaving science, technology and policy in crafting sophisticated, yet practical, solutions that will help secure information, computer and network assets in the various critical infrastructure sectors. Areas of coverage include: Themes and Issues; Infrastructure Security; Control Systems Security; Security Strategies; Infrastructure Interdependencies; Infrastructure Modeling and Simulation. This book is the second volume in the annual series produced by the International Federation for Information Processing (IFIP) Working Group 11.10 on Critical Infrastructure Protection, an international community of scientists, engineers, practitioners and policy makers dedicated to advancing research, development and implementation efforts focused on infrastructure protection. The book contains a selection of twenty edited papers from the Second Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection held at George Mason University, Arlington, Virginia, USA in the spring of 2008.
Critical Infrastructure Protection II is an important resource for researchers, faculty members and graduate students, as well as for policy makers, practitioners and other individuals with interests in homeland security. Mauricio Papa is an Associate Professor of Computer Science and a principal with the Center for Information Security at the University of Tulsa, Tulsa, Oklahoma, USA. Sujeet Shenoi is the F.P. Walter Professor of Computer Science and a principal with the Center for Information Security at the University of Tulsa, Tulsa, Oklahoma, USA.


IEEE Control Systems Magazine | 1997

Cell mapping for controller design and evaluation

Mauricio Papa; Heng-Ming Tai; Sujeet Shenoi

Cell mapping is a powerful computational technique for analyzing the global behaviour of nonlinear dynamical systems. It simplifies the task of analyzing a continuous phase space by partitioning it into a finite number of disjoint cells and approximating system trajectories as cell transitions. The resulting cell map provides global measures of stability and other performance characteristics that are valuable in system analysis and controller design. This article shows how cell mapping can be used to design high-performance, conventional and fuzzy, controllers. It also shows how cell maps can provide global performance measures of the designed controllers, including time optimality, controllability, and empirical assessments of robustness. Evaluating controller performance based on these global measures is superior to simply examining time domain responses for various initial conditions.


International Journal of Security and Networks | 2008

Forensic analysis of SCADA systems and networks

Tim Kilpatrick; Jesús González; Rodrigo Chandia; Mauricio Papa; Sujeet Shenoi

Supervisory Control and Data Acquisition (SCADA) systems are commonly used to automate and control industrial processes. Modern SCADA protocols leverage TCP/IP to transport sensor data and control signals. Also, corporate IT infrastructures now interconnect with previously isolated SCADA networks, raising serious security issues. This paper describes an architecture that supports the forensic analysis of SCADA systems and networks. The architecture is implemented in a prototype networked environment using the popular Modbus TCP protocol. In addition to supporting forensic investigations, the architecture incorporates mechanisms for monitoring process behaviour and analysing trends that can help improve plant performance.


Annual Computer Security Applications Conference | 1999

Security policy coordination for heterogeneous information systems

John Hale; Pablo Galiasso; Mauricio Papa; Sujeet Shenoi

Coordinating security policies in information enclaves is challenging due to their heterogeneity and autonomy. Administrators must reconcile the semantic diversity of data and security models before negotiating secure interoperation. This paper proposes an architecture that uses mediators and a primitive ticket-based authorization model to manage disparate policies in information enclaves. The formal foundation of the architecture facilitates static and dynamic analysis of global consistency and policy enforcement.


IEEE International Conference on Fuzzy Systems | 2005

A Framework for Hybrid Fuzzy Logic Intrusion Detection Systems

Aly El-Semary; Janica Edmonds; Jesús González; Mauricio Papa

This paper describes a framework for implementing intrusion detection systems using fuzzy logic. A fuzzy data-mining algorithm is used to extract fuzzy rules for the inference engine. The modular architecture is implemented using the Java expert system shell (Jess) and the FuzzyJess toolkit developed by Sandia National Laboratories and the National Research Council of Canada, respectively. Experimental results for a hybrid prototype system using anomaly-based and fuzzy signatures are provided using data sets from MIT Lincoln Laboratory.


Journal of Medical Systems | 2012

Security Risks Associated with Radio Frequency Identification in Medical Environments

Peter J. Hawrylak; Nakeisha Schimke; John Hale; Mauricio Papa

Radio frequency identification (RFID) is a form of wireless communication that is used to identify assets and people. RFID has significant benefits to the medical environment. However, serious security threats are present in RFID systems that must be addressed in a medical environment. Of particular interest are threats to patient privacy and safety based on interception of messages, interruption of communication, modification of data, and fabrication of messages and devices. This paper presents an overview of these security threats present in RFID systems in a medical environment and provides guidance on potential solutions to these threats. This paper provides a roadmap for researchers and implementers to address the security issues facing RFID in the medical space.
