
Publication


Featured research published by William R. Mahoney.


International Journal of Critical Infrastructure Protection | 2011

An integrated framework for control system simulation and regulatory compliance monitoring

William R. Mahoney; Robin A. Gandhi

This paper presents SCADASiM, an integrated framework for control system simulation and near-real-time regulatory compliance monitoring with respect to cybersecurity. With numerous legacy control system installations already in place, current approaches for highly detailed simulations demand a significant modeling effort to be useful. Furthermore, the complexity and lack of technical uniformity in legacy SCADA systems often obscures their core operational semantics, making regulatory compliance monitoring only available to personnel with intimate knowledge about the system. To address these issues, the SCADASiM framework includes two parts. First, it allows rapid recreation of message-based interactions between cyber and physical entities. The resulting simulation is geared towards facilitating the development of strategic and near-real-time security related regulatory compliance monitoring capabilities for critical infrastructure owners. Second, it includes new language utilities for collecting and monitoring the system events necessary to demonstrate regulatory compliance in real-time. In an integrated framework, the simulation facilitates policy authoring using the new language utilities, which in turn allow the observance of policy violation with its operational impact using “what-if” scenarios about coordinated attacks on the infrastructure. The two parts of the framework are synchronized by a SCADA taxonomy described using semantic web representation standards. The abstract layers of our taxonomy map to regulatory requirements that mandate security controls in the critical infrastructure, while the lower layers map to actual system components and their events that characterize actual system behavior. Here we describe the design decisions and structure of the SCADASiM framework as well as its initial feasibility using an in-lab control system simulation that replicates a water supply system.


international conference on social computing | 2010

Building a Social Dimensional Threat Model from Current and Historic Events of Cyber Attacks

Anup C. Sharma; Robin A. Gandhi; William R. Mahoney; William L. Sousan; Qiuming Zhu

The volume of cyber attacks has increased tremendously in the recent years. Many of these cyber attacks can be linked to current and historic events in the social, political, economic, and cultural (SPEC) dimensions in the human world. In this paper, we analyze the expression of such cyber attacks in news media and publications based on past social events, explore the factors in social dimension that triggered the cyber attacks, and map these factors to concepts in a cyber attack domain model. The goal of this research is to gain a better understanding of the likelihood of cyber attacks upon social disturbances in the human world. Such insight would allow predictions to be made about an impending cyber attack, the means and methods with which such attacks could be carried out, the potential victims, and the time and duration of the attacks. In our future work, we aim to utilize our models to provide early warnings such that necessary defenses can be built up before cyber attacks occur in response to disturbances in the SPEC dimensions.


systems man and cybernetics | 2009

A Coherent Measurement of Web-Search Relevance

William R. Mahoney; Peter Hospodka; William L. Sousan; Ryan Nickell; Qiuming Zhu

We present a metric for quantitatively assessing the quality of Web searches. The relevance-of-searching-on-target index measures how relevant a search result is with respect to the searcher's interest and intention. The measurement is established on the basis of the cognitive characteristics of common users' online Web-browsing behavior and processes. We evaluated the accuracy of the index function with respect to a set of surveys conducted on several groups of our college students. While the index is primarily intended to be used to compare the Web-search results and tell which is more relevant, it can be extended to other applications. For example, it can be used to evaluate the techniques that people apply to improve the Web-search quality (including the quality of search engines), as well as other factors such as the expressiveness of search queries and the effectiveness of result-filtering processes.


network computing and applications | 2014

Hardware Implementation of Quasigroup Encryption for SCADA Networks

William R. Mahoney; Abhishek Parakh; Matthew Battey

We present an efficient hardware implementation of a quasigroup block cipher system. Power and resource comparisons are done with AES and we show that the proposed quasigroup system provides an inexpensive alternative for SCADA networks and other low powered, resource constrained devices.


international conference on computer communications and networks | 2013

Privacy Preserving Computations Using Implicit Security

Abhishek Parakh; William R. Mahoney

We present a new technique for privacy preserving computation using an implicit security model that has applications in cloud computing. In the proposed technique, data is divided into partitions and stored over independent cloud servers. When the user wishes to perform computations on the data, he sends a signal to the servers and the servers perform the required computations. We show that if the main data storage servers do not collude, the privacy of the user data is maintained. This can be guaranteed by the use of independent cloud providers. The proposed technique eliminates the requirement of key management, is efficient and practical.


8th International Conference on Information Warfare and Security, ICIW 2013 | 2013

SCADA Threats in the Modern Airport

John McCarthy; William R. Mahoney

Critical infrastructures are ubiquitous in the modern world and include electrical power systems, water, gas, and other utilities, as well as trains and transportation systems including airports. This work is concerned with Supervisory Control and Data Acquisition (SCADA) systems that are at the heart of distributed critical infrastructures within airports. Modern airports are highly competitive cost driven operations that offer a range of public and private services. Many airport systems such as car parking and building control systems are SCADA controlled. This is achieved with sensors and controllers monitored over a large, geographically disperse area. To increase efficiency and to achieve cost savings, SCADA systems are now being connected to information technology system networks using TCP/IP. The merging of SCADA systems into the main IT network backbone is presenting new security problems for IT security managers. Historically, proprietary solutions, closed systems, ad-hoc design and implementation, and long system life cycles have led to significant challenges in assessing the true security posture of SCADA systems. To address this, this work seeks how SCADA systems are being integrated into the IT network within a modern airport. From this new standpoint we will be able to identify ways in which SCADA may be vulnerable to malicious attack via the IT network. The results of this work could offer solutions to increase security within airports.


ACM Inroads | 2012

A freshman level course on information assurance: can it be done? here's how

Robin A. Gandhi; Connie Jones; William R. Mahoney

Offering a freshman level course in Information Assurance (IA) that is open to all majors in a University seems like a responsible thing to do. However, IA is considered as an advanced technical topic, and its integration in undergraduate curriculums is primarily at the junior and senior level. Here we describe our experiences in designing and imparting a freshman level IA course. We discuss challenges and solutions for making the course appealing to a broad audience; strategies to increase enrollment; pedagogical techniques, and experiences from the past six semesters that such a course has been successfully taught at the University of Nebraska at Omaha (UNO).

above, to interact early with the students so that they become aware of IA issues. Some of the authors had forgotten the challenges in dealing with brand new students in a university setting, and these issues are described in section four. In section five we describe our approach to satisfy the global diversity GenEd requirements at our university, followed by conclusions and acknowledgements.

2 INFORMATION SECURITY IN UNDERGRADUATE CURRICULA

ACM, AIS and IEEE curricula recommendations act as a benchmark for the body of knowledge to be disseminated in undergraduate (as well as some graduate) computing degree programs. In this section we discuss our findings for the early exposure to IA topics in the context of computing curricula recommendations. CC 2005 [3] provides undergraduate curriculum guidelines for five defined sub-disciplines of computing: Computer Science (CS), Computer Engineering (CE), Information Systems (IS), Information Technology (IT), and Software Engineering (SE). Since all computing graduates cannot be proficient in all knowledge areas, CC 2005 recommends different weights for different sub-disciplines. With regards to such distribution IT provides the highest coverage of security implementation and management knowledge areas, whereas CS provides the highest coverage for security issues and principles knowledge areas. CS 2008 curriculum recommendations [1] now provide explicit focus on integration of security issues across its knowledge areas. Security is a focus not only in operating systems and networking knowledge areas, but also in programming to write safe and secure software. The recommended CS3xx Introduction to Computer Security course in CS 2008 requires a foundation of CS 102, and a co-requisite of data structures and algorithms in CS 103 as defined in CS 2001 [2]. As a result an in-depth treatment of fundamental principles of information security is only accessible to computing students late in their degree programs. …


cyber security and information intelligence research workshop | 2011

Using anomalous event patterns in control systems for tamper detection

William L. Sousan; Robin A. Gandhi; Qiuming Zhu; William R. Mahoney

Supervisory Control And Data Acquisition (SCADA) systems are used for geographically distributed process control by collecting sensory data that are processed by a central computer. These systems are used in critical domains such as nuclear power plants, public power grids, railway scheduling and ticketing, and others. The malfunctioning of these systems, e.g., if being compromised, could cause severe equipment damage, loss of life, and possibly shutdown of facilities that affect an entire community. As a result, SCADA systems provide nefarious actors, both insiders and outsiders, with great temptation as possible attack targets. In this paper, we present our work for monitoring SCADA systems through the development of a technology that incrementally learns normal behaviors of the system and then continuously watches for the occurrence of abnormal behaviors. Our technology exploits the repeating patterns of normal behavior in SCADA system operation. We describe the system architecture, prototype implementation and results in this paper.


Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering | 2016

Comparing the effectiveness of commercial obfuscators against MATE attacks

Ramya Manikyam; J. Todd McDonald; William R. Mahoney; Todd R. Andel; Samuel H. Russ

The ability to protect software from malicious reverse engineering remains a challenge faced by commercial software companies who invest a large amount of resources in the development of their software product. In order to protect their investment from potential attacks such as illegal copying, tampering, and malicious reverse engineering, most companies utilize some type of protection software, also known as obfuscators, to create variants of their products that are more resilient to adversarial analysis. In this paper, we report on the effectiveness of different commercial obfuscators against traditional man-at-the-end (MATE) attacks where an adversary can utilize tools such as debuggers, disassemblers, and de-compilers as a legitimate end-user of a binary executable. Our case study includes four benchmark programs that have associated adversarial goals categorized as either comprehension or change tasks. We use traditional static and dynamic analysis techniques to identify the adversarial workload and outcomes before and after each program is transformed by a set of three commercial obfuscators. Our results confirm what is typically assumed: an adversary with a reasonable background in the computing disciplines can both comprehend and make changes to any of our completely unprotected programs using standard tools. Additionally, given the same skill set and attack approach, protected programs can still be probed to leak certain information, but none could be successfully altered and saved to create a cracked version. As a contribution, our methodology is unique compared to prior studies on obfuscation effectiveness in that we categorize adversarial skill and delineate program goals into comprehension and change ability, while considering the load time and overhead of obfuscated variants.


Proceedings of the 10th Annual Cyber and Information Security Research Conference on | 2015

Authentication Bypass and Remote Escalated I/O Command Attacks

Ryan Grandgenett; William R. Mahoney; Robin A. Gandhi

The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen Bradley's RSLogix 5000 software supports programming and centralized monitoring of Programmable Logic Controllers (PLCs) from a desktop computer. In our test bed, ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC Module (5573-Logix) to be programmed, monitored and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks, but more significantly and recently the creation of an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides a first public disclosure of the vulnerability, exploit development process, and results.

Collaboration


Top Co-Authors

Robin A. Gandhi, University of Nebraska Omaha

William L. Sousan, University of Nebraska Omaha

Qiuming Zhu, University of Nebraska Omaha

Anup C. Sharma, University of Nebraska Omaha

Abhishek Parakh, University of Nebraska Omaha

Peter Hospodka, University of Nebraska Omaha

Phillip A. Laplante, Pennsylvania State University

Ryan Grandgenett, University of Nebraska Omaha

Ryan Nickell, University of Nebraska Omaha

Brett Walenz, University of Nebraska Omaha