Conference PaperPDF Available

Cyber Targets Water Management

  • October 2016
  • Conference: CRITIS 2016
  • At: UIC, Paris
Authors:
Pieter Burghouwt at The Hague University of Applied Sciences
Pieter Burghouwt
Marinus Maris at The Hague University of Applied Sciences
Marinus Maris
Sjaak van Peski
Sjaak van Peski
Sjaak van Peski
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Eric Luiijf at Luiijf Consultancy
Eric Luiijf
  • Luiijf Consultancy
Show all 6 authorsHide
Download full-text PDF
Read full-text
Download citation

Abstract

Water management is a critical infrastructure activity in The Netherlands. Many organizations, ranging from local municipalities to national departments are involved in water management by controlling the water level to protect the land from flooding and to allow inland shipping. Another important water management task is the purification of waste water and sewage. To fulfill these tasks, such organizations depend on information and communication technologies, ranging from standard office IT facilities to Industrial Control Systems (ICS), for example to control excess water pumps and locks, as well as to monitor and control water purification plants. The worldwide increase of both volume and sophistication of cyber attacks made the Dutch government decide to sponsor a project to determine a cyber security posture of the water management organizations by benchmarking the cyber security state of their water management installations and processes. In this paper we present our benchmark approach to the security of ICS. Moreover, we discuss the major results of the benchmark as well as a cyber security simulator that was developed to raise awareness and develop further knowledge on the ICS-specific issues.
Content uploaded by Pieter Burghouwt
Author content
All content in this area was uploaded by Pieter Burghouwt on Dec 26, 2022
Content may be subject to copyright.
Cyber Targets Water Management
Pieter Burghouwt1, Marinus Maris1, Sjaak van Peski1, Eric Luiijf2, Imelda van
de Voorde2, and Marcel Spruit1
1The Hague University of Applied Sciences, The Netherlands
{p.burghouwt, m.g.maris, j.vanpeski, m.e.m.spruit}@hhs.nl
2Netherlands Organisation for Applied Scientific Research TNO, The Netherlands
{eric.luiijf, imelda.vandevoorde }@tno.nl
Abstract. Water management is a critical infrastructure activity in The
Netherlands. Many organizations, ranging from local municipalities to
national departments are involved in water management by controlling
the water level to protect the land from flooding and to allow inland ship-
ping. Another important water management task is the purification of
waste water and sewage. To fulfill these tasks, such organizations depend
on information and communication technologies, ranging from standard
office IT facilities to Industrial Control Systems (ICS), for example to
control excess water pumps and locks, as well as to monitor and con-
trol water purification plants. The worldwide increase of both volume
and sophistication of cyber attacks made the Dutch government decide
to sponsor a project to determine a cyber security posture of the water
management organizations by benchmarking the cyber security state of
their water management installations and processes. In this paper we
present our benchmark approach to the security of ICS. Moreover, we
discuss the major results of the benchmark as well as a cyber security
simulator that was developed to raise awareness and develop further
knowledge on the ICS-specific issues.
Keywords: critical infrastructure protection, water management, cyber secu-
rity, industrial control system, SCADA, cyber resilience, benchmark, simulator
1 Introduction
For water management tasks in The Netherlands, numerous organizations are
involved, ranging from local municipalities and regional organizations to national
departments. Together they monitor and control water levels, ensure purification
of waste water and sewage and regulate irrigation. The history of water manage-
ment in the Netherlands dates back quite some time. Already in the year 1122,
twenty communities collaboratively worked on building a dam to protect their
cattle, land and properties against flooding. Much later, around the year 1900,
the distribution of drinking water by means of water networks and steam pumps
started. Nowadays, modern electric pumps have replaced the wellknown Dutch
windmills and steam pumps.
2 Burghouwt, Maris, van Peski, Luiijf, van de Voorde, and Spruit
1.1 Use of Industrial Control Systems
Critical water management services are remotely monitored and controlled by
Industrial Control Systems (ICS), including Supervisory Control and Data Ac-
quisition (SCADA) systems 3.
Most water management processes rely on a variety of ICS equipment such as
Programmable Logic Controllers (PLC), pumps, sensors and valves from a multi-
tude of vendors. The water management infrastructure is carefully designed and
operated with a safety-first mindset. Typically, the control systems are designed
in a redundant way, to ensure that operation continues in case of a breakdown
of a part of the systems. In addition, the controls of the water management
systems can be bypassed with manual operation, further increasing redundancy.
Meanwhile, the ICS equipment is augmented with networking capabilities using
the Internet Protocol [10], connecting the ICS domain to the office IT and public
networks such as the Internet.
1.2 Cyber threats and risk
In the recent years, an increasing number of security-related incidents have oc-
curred in ICS [10], also in critical infrastructure sectors [5] [11]. But, not only
the likelihood of cyber attacks on ICS in critical infrastructure increases; also
the consequences become more serious, since critical services become increas-
ingly dependent on ICS. The possibilities of manual intervention during or after
a cyber attack are limited by: the dependency chains of key services, which in
turn depend on the proper functioning of ICS, and the decreasing number of
operators being familiar with the (old fashioned) manual control. The resulting
increased cyber risk urges most organizations, which deploy ICS, to thoroughly
examine their internal procedures and protection mechanisms in order to thwart
cyber attacks by adversaries, such as vengeful employees, terrorists, criminals,
and even rogue states. For these reasons, a pro ject was granted by the Dutch
government to the The Hague University of Applied Sciences and TNO in or-
der to conduct research on the cyber security posture of water management
organizations.
Three objectives were identified to support future direction and decisions
regarding cyber security in relation to water management:
1. A benchmark of the cyber security resilience of the ICS environment against
all kinds of hazards, including cyber attacks.
2. A demonstration and simulation environment to gain both awareness and
further knowledge about ICS-specific security issues, derived from the results
of the benchmark.
3. A benchmark aimed at determining the cyber security maturity level of the
organizations (not discussed in this paper).
3We will use the term ICS hereafter as a generic term for ICS and SCADA.
Cyber Targets Water Management 3
1.3 Structure of this paper
Section 2 relates our work with existing publications. Section 3 presents the ICS
cyber security benchmark and the main results. Section 4 elaborates on specific
cyber security-related dilemmas. Section 5 presents the design and use of the
physical simulation environment and tooling we developed. Section 6 concludes
the research and proposes future work.
2 Related work
Security Risk Assesment is well described in various standards and guidelines,
such as the IEC/ISO27005 [4]. In general the assessment compares the actual
situation with well-defined risk criteria. Our benchmark approach enables or-
ganizations with similar activities to compare themselves with each other in a
relatively simple way by means of a questionnaire.
In 2007, Luiijf et al. developed an ICS security benchmark questionnaire for
the Dutch drinking water sector. The main benchmark results were discussed in
[7]. In our work we have assessed the cyber security of Dutch water management
organizations. For our study we have updated and improved the questionnaire of
2007, reflecting technology changes, such as the move from ISDN to IP/VPN and
4G data links, and increased insights in the ICS set of organizational, technical
and human-related threats [10].
Amin at al propose a framework for benchmarking security risks in cy-
ber physical systems [2]. The game-theoretic approach results in an assessment
model. They propose Deterlab [12] as an environment for further assessing the
related cyber risks. Our study benchmarks multiple organizations with similar
activities by the use of a questionnaire. Our work also presents DESI, a self-
designed and developed simulator for demonstration of and experiments with
cyber attacks in ICS environments to raise awareness and increase knowledge.
DESI can be seen as a testbed with demonstration facilities. In contrast to De-
terlab, DESI is equipped with real hardware components, such as PLCs and
HMI-panels in addition to the virtual implementation of standard computer
components. The support of real ICS equipment and dedicated network com-
ponents, in addition to virtualized components, results in a more realistic and
better recognizable simulation environment that allows for a wide range of cyber
attacks which exploit ICS-specific vulnerabilities.
Another security-related testbed that focusses on ICS is SCADAVT-A [1].
Unlike our simulator, SCADAVT-A is aimed at a Modbus-emulation and a cus-
tom TCP protocol for the connection with a simulator of dedicated I/O modules.
This restricts the degree of reality as the possibilities of extending the simulator
with real hardware are limited.
3 A benchmark of the resilience of the ICS environment
To assess the security posture of ICS environments in water management sys-
tems, we have reused and further developed the benchmarking methodology,
4 Burghouwt, Maris, van Peski, Luiijf, van de Voorde, and Spruit
based on elaborated questionnaires, as described by Luiijf et al. [7]. The origi-
nal methodology has been used three times by the Dutch drinking water sector
and twice by the Dutch energy sector. For this study, we updated and improved
the methodology. The main reasons for assessing the cyber security posture of
the ICS environments include the strong dependence of the water management
systems on the ICS environments, the severe consequences in case the cyber
security of these environments would fail, as well as the earlier results from the
two critical sectors which showed a need for significant security improvements.
The questionnaire of the original methodology by Luiijf et al. contained 39
main questions which can be found in the annex to [7]. Several questions have
been dropped or combined with another question based upon the experiences
with the drinking water and energy sector benchmarks. In the meantime, the
questionnaire has grown to 48 (closed and open) questions (in Dutch). Some
questions are used to validate the reliability of earlier given answers. The addi-
tional questions help to clarify the security posture of the ICS environment, from
the perspectives of governance, organization, system management, networking,
new system acquisition, and (third party) maintenance.
The additional main questions regarding organizational aspects are:
1. Does the organization have a security officer with integral responsibilities?
A CISO? A security officer of ICS? An internal audit department verifying
the cyber security of ICS? An external audit service performing the same
task?
2. Has the cyber security of your ICS been outsourced?
3. Does your organization perform a (cyber) security audit of a third party
before in-sourcing services?
The additional main question regarding telecommunication aspects is:
1. Are you using IP version 6? If not, do you have a IPv6 migration plan?
The additional main questions regarding system management aspects are:
1. Do you screen employees? If yes, what is the frequency?
2. Do you screen third party employees or do you have contractual arrange-
ments?
3. Which type of outside access to your ICS is allowed? By whom? What access
rights are granted?
4. Has the system management of ICS been outsourced?
5. Does your acquisition process include cyber security requirements when con-
tracting third party ICS services? (now an explicit question; formerly part
of a more general question)
6. Do you make use of pen testing or white hat hackers to verify the security
posture of your ICS environment?
7. Has the organization a recurring process to monitor security incidents in the
ICS environment?
8. Are ICS security incidents reported as part of the management reporting
process?
Cyber Targets Water Management 5
9. What type of physical security measures have been taken to protect the
integrity and availability of your ICS?
10. Which ICS security topics need to be addressed sector-wide?
No changes have been made to the weights and scoring of the answers since
2007. In this way, the benchmark results can be compared with older results
if the organizations involved are willing to share the results cross-sector in a
trusted setting.
As described in [8], the received questionnaires are linked to a random orga-
nization number. The benchmark results have been reported anonymously under
the Traffic Light Protocol (TLP) [3], whereas each individual benchmarked or-
ganization received its own relative performance to the benchmark average in
the form of three radar diagrams - one for organizational issues, one for sys-
tem management issues and one for networking -, each accompanied by a con-
cise explanation. A water management sector-specific baseline, derived from the
ISO27001/2 standards has been used for metrics for the specific findings in the
benchmark report.
The main observations regarding ICS cyber security are described below. 19
water management organizations participated in the benchmark. We will refer
to them as the assessed organizations. We have omitted information that could
hamper national and/or company security.
1. Some of the assessed organizations are more advanced in protecting their
ICS environment than the benchmark average. Even for them, we identified
measures to reduce the risk to the ICS environment considerably. Those
comprise measures to increase management awareness with respect to the
influence of ICS on their critical services, and with that funding for detailed
risk analyses and improvements.
2. ICS security was in some cases approached from a holistic point of view. In
the other assessed organizations technical measures, organizational measures
and physical security fell under distinct responsibilities. Within the latter
organizations coinciding measures, which strengthen each other, existed just
by coincidence.
3. 35% of the organizations outsourced the complete installation and mainte-
nance of their ICS environment to a third party. Because water management
is a critical activity, screening of third party personnel is required. However,
in practice only 20% of the organizations had such measures in place.
4. Not all of the assessed organizations had taken measures according to the
Dutch cybercrime law which exempt them in court from revealing detailed
cyber security measures in case of the prosecution of a hacker of the water
management systems.
5. 40% of the assessed organizations did not state decisive cyber security re-
quirements when acquiring new ICS or ICS-related services. Only one or-
ganization assessed the cyber security due diligence of their ICS hardware,
software and service suppliers.
6. 50% of the assessed organizations discussed with their ICS suppliers a fast
delivery of new equipment in case of an emergency, e.g. a fire.
6 Burghouwt, Maris, van Peski, Luiijf, van de Voorde, and Spruit
7. Cyber security incidents in the ICS domain have been reported by a number
of the assessed organizations over the last years. Other incidents could have
happened unnoticed as some organizations did neither have intrusion detec-
tion and firewall monitoring measures in place, nor have incident reporting
procedures.
Networking aspects:
1. Despite existing good practices [7][8][9], 15% of the assessed organizations
did not separate their office IT network from their ICS network. 10% of the
assessed organizations separated these networks only for new installations
and at the larger locations. On the other hand, 30% of the organizations
used a physical network separation.
2. Firewall logging and audits of firewalls were in some cases no part of daily
operations, which means that intrusion attempts could go unnoticed for a
long period of time.
3. Configuration management and change management of ICS and the ICS
networks were often not seen as an operational measure.
4. At the time of the benchmark there were no plans at all for an IPv4 to IPv6
migration of systems and networks.
5. 75% of the assessed organizations allowed third party engineers and their ICS
suppliers to remotely access their ICS domain. The majority of the assessed
organizations used additional measures, such as strong authentication on
this type of access.
6. However, some of the assessed organizations allowed third parties to plug in
laptops and other components in the ICS network without any restriction.
The only barrier was physical access control.
System management aspects:
1. Despite existing good practices [7][8][9], 30% of the assessed organizations
use in some situations the default manufacturer passwords. Legacy aspects
of ICS is one of the reasons mentioned.
2. The critical nature of water management requires individual passwords and
disallows ’group passwords’. Passwords need to be changed within a given
period. The reality is that 35% of the assessed organizations use a mixture
of group and individual passwords in their ICS domain, and that even some
of the assessed organizations use passwords ’lifelong’.
3. The far ma jority of the assessed organizations uses antivirus software, al-
though not all assessed organizations regularly update their detection pro-
files. This results in a long vulnerability period average.
4. Security patching is far from being performed according to the base-line
requirement, as is outlined in the next section.
To conclude, the methodology presented above has given a broad insight into
the weak and strong areas of cyber security of the ICS environment of Dutch
water management organizations. The benchmark produced very diverse results
between the individual organizations, concerning the security level of ICS. The
Cyber Targets Water Management 7
main causes of this diversity are: the outsourcing of ICS maintenance, the divided
or unclear security-related responsibilities of the ICS part of installations, and
the lack of organization-wide awareness of specific ICS cyber risks. Some weak-
nesses can be resolved by individual organizations; on others, collaboration may
be more efficient and effective. Despite the high diversity, certain technology-
related security issues were seen in the majority of the participating organiza-
tions. We will elaborate on this in Section 4.
4 Observed ICS security dilemmas
The results of the ICS benchmark revealed several technology-related dilemmas,
highly related with ICS and the distributed nature of the water management
installations. Through further interviews with the technical staff and security
officers, and field studies, including on-site visits, we elaborated these dilemmas.
We found that the three most important dilemmas are:
1. Patching vs. Continuity: The difficulty of patching in the ICS environment
is a notorious problem. The time interval between the discovery of a new
vulnerability of an ICS-device and the actual deployment of a patch to re-
move the vulnerability or to mitigate its effect is often extremely long. Good
practice states a maximum delay in the order of days for critical patches and
a delay until the next regular maintenance activities for non-critical patches.
In practice an average patch delay can be significantly longer. Interviews with
the technical staff revealed that the main cause of this delay is not lack of
awareness but the fear of process interruption. Patching an ICS device, such
as a PLC, introduces the risk that the system will malfunction. Rollback,
replacement, or repair is in such cases often difficult and time-consuming. As
there is not always a realistic test facility available that can, thoroughly and
in advance, test the effects of the patch, this dilemma is not solved easily.
2. Isolated vs. Centralized Control: Traditionally the water management instal-
lations were isolated entities with dedicated hardware and limited remote
control facilities. This isolation created a de facto security layer. With the
introduction of Internet technology and commercial off-the-shelf (COTS)
solutions in ICS, this type of isolation has disappeared. The result may
be an insecure network architecture with uncontrolled types of communica-
tion between the office network, the control room and the ICS-environment.
A well-known and proven solution for this problem is the use of network
compartments as well as traffic monitoring and restrictions per segment.
However, due to the high variety of allowed traffic, detecting and filtering
of undesired traffic can be difficult, especially in the case of a sophisticated
cyber attack where malicious traffic is carefully crafted to mimic allowed
traffic. Moreover, firewalls that filter too restrictively or Network Intrusion
Detection Systems (NIDS) that detect too many false positives, obstruct the
desired central control. In such cases, the operational staff can be tempted to
configure or even completely bypass the security controls in order to obtain
8 Burghouwt, Maris, van Peski, Luiijf, van de Voorde, and Spruit
the desired functionality. Hence, the critical parts of the network should be
logically isolated as much as possible, but this does not solve the dilemma.
3. Automation vs. Disaster Recovery Capacity: An important objective in au-
tomation is cost reduction because it allows a relatively small staff to operate
a relatively complex and critical process. However, in the case of service dis-
ruption, people are needed to respond and maintain continuity. As long as
the malfunctions are local, a mobile team of limited size can solve the prob-
lems, especially because in most situations there is enough time to respond
before water levels become critical or failing purification impacts society.
However, in case of a large scale sophisticated cyber attack that affects mul-
tiple key processes at the same time, process control continuity would require
a large number of skilled personnel instantly available on the numerous sites
of the water management organizations. Anticipating these types of cyber
attacks limits the aforementioned cost reduction, as more people would con-
tinuously be on guard. Hence this dilemma asks for awareness and careful
consideration of the cyber attack scenarios and new cyber threats.
5 Cyber security simulator for water management control
systems
In order to demonstrate and examine the cyber-physical security issues, men-
tioned in Sections 3 and 4, we developed DESI, a simulator for demonstration
and experimentation purposes. In this simulation environment, attack scenarios
with given vulnerabilities and controls can be set up, to demonstrate and eval-
uate attack consequences and the effectiveness of cyber security controls. The
two main objectives of DESI are:
Create awareness by demonstration of realistic cyber attack scenarios, re-
lated with the aforementioned security dilemmas. The intended audience
is not limited to the technical staff of the organizations, but includes also
its higher management, decision makers, and even students as the future
designers and operators of these installations.
Increase knowledge about ICS cyber attacks and defenses to contribute to
optimally secure design and operation of the water management processes.
In addition to the objectives, DESI had to meet three important requirements:
1. Flexible and modular design to support the wide variety of equipment and
configurations in use at the water management organizations and a wide
variety of cyber attacks to ICS.
2. Realistic configuration, especially for the ICS part, and realistic attacks.
3. Provide a clear insight in a cyber attack and its consequences, by making
the demonstration easily accessible for a large audience.
To support the first requirement, the simulator has a modular design as shown in
Figure 1. The virtualization of generic IT equipment, such as office computers,
switches and routers, facilitates easy deployment of standard IT-components and
Cyber Targets Water Management 9
Fig. 1. Schematic overview of the DESI simulation environment.
network topologies. Generic end systems, such as desktop computers and servers
are virtualized in KVM [6]. KVM is a a completely open source virtualization
platform that allows for an open and scalable implementation. The virtual envi-
ronment of DESI is divided over two KVM hosts, each with a Linux workstation
as hardware.
Central Office hosts the end systems and generic network equipment located
in the Central office, such as desktop computers, web, mail, and application
servers.
ICS-SCADA hosts the end systems and generic network equipment located
in the vicinity of the physical process, such as on-site SCADA-systems and
engineering workstations.
The generic network equipment is virtualized in Open vSwitch [14] that is also
implemented on both KVM hosts. This allows for a flexible design of networks
and interconnections.
To meet the second requirement, the simulator supports the inclusion of
physical ICS devices, such as the Siemens Simatic S7-1200 PLC and the Siemens
Simatic Basic human-machine interface (HMI) panel [16]. Each of both KVM
hosts is connected to a physical L2-switch (Cisco Catalyst 2960) by a IEEE802.1q
VLAN trunk. In both hosts, VLAN’s and trunking are managed by Open vSwitch.
In this way a physical device, such as a PLC, can be connected to the ICS-
SCADA block that runs one or more virtualized end systems, such as a SCADA
computer. In the same way, specialized network hardware, such as a dedicated
firewall or a VPN-solution, can be connected with the switches of both KVM-
hosts to create a realistic physical interconnection, outside the virtualized envi-
ronment.
A scaled physical model of a typical water management process with typi-
cal equipment was developed to contribute further to the insightfulness of the
10 Burghouwt, Maris, van Peski, Luiijf, van de Voorde, and Spruit
demonstrations for the intended audiences, as stated in the third requirement.
The physical model represents a Dutch polder with canals on different water
levels, real water, pumps and level meters. Failure of the ICS system can result
in flooding of the polder.
The modular design provides also a visible spatial separation between the on-
site IT-equipment and the Central Office by a physical communication network
that connects both locations, and the external threat actor. The external threat
actor is typically a connected external computer (laptop) or optionally a virtual
instance in one of the KVM hosts. In addition the physical L2-switches facilitate
easy network traffic observations and the insertion of internal attack instances.
5.1 Deployment of attack scenarios
For demonstration purposes, university students of the department of Computer
Science of our university, in collaboration with cyber security experts, designed
and implemented realistic cyber attack scenarios. Each attack scenario is feasi-
ble for a medium skilled hacker with a laptop, running Kali Linux with common
attack tools, such as Metasploit with Armitage [13]. This approach resulted in
several highly realistic cyber security scenarios with a high likelihood of occur-
rance.
All cyber attacks are multi-staged, for example:
1. An infection, such as one caused by an employee who opens in the office an
infected pdf file which was received as an attachment to an email.
2. The malware from the pdf file installs itself on the computer and creates a
backdoor.
3. The hacker uses the backdoor and moves laterally through the network to-
wards the ICS-part.
4. The hacker creates specially-crafted packets, e.g. Siemens S7-packets, to in-
fluence the processing of an unpatched PLC.
5. Pumps are disabled, without notification on HMI or SCADA. Sensor readings
of water levels remain unchanged at the central consoles.
6. Flooding of a region, e.g. due to rain, while excess water is not pumped away.
In the demonstrations we make clear that once the PLC is compromised,
on-site action by specialized personal is required to regain control. As an organi-
zation can operate thousands of PLC’s, the recovery of a cyber attack may take
long and may require an outrageous amount of expert man power.
One might say that in all stages, the hacker exploits obvious vulnerabilities.
However, the countermeasures against such a cyber attack are manifold and not
always trivial as pointed out in the aforementioned dilemmas.
5.2 DESI results
DESI meets both ob jectives, as formulated at the start of Section 5:
Cyber Targets Water Management 11
Creation of cyber attack awareness by demonstration: On several occasions
the cyber-physical attack scenarios have been successfully demonstrated by
DESI to technical staff and decision makers inside and outside water manage-
ment organizations. This resulted in positive feedback and vivid discussions
about the demonstrated cyber-physical attacks, the risks, and the appro-
priate controls in the ICS domain to mitigate the demonstrated risks. The
feedback and discussions reflected the increase in awareness of the subject.
Knowledge development: Students of our department have studied in DESI
various controls to counter cyber-physical attacks, including: the deployment
of restricted network compartments, custom firewal rules, and the effects of
patching and various types of detection. One of the results was a custom
signature for Snort [15], a NIDS (Network Intrusion Detection System) to
detect unwanted ICS traffic in non-ICS subnets.
6 Conclusions and future work
The cyber security posture of the 19 organizations involved in water manage-
ment is successfully measured by an enhanced ICS benchmark methodology
which allows comparison with other organizations and facilitates cyber security
dialogues. The benchmark identified various cyber-security related strengths and
vulnerabilities in the assessed systems of the water management organizations.
Some of the vulnerabilities are easy to solve by well-known controls. However,
we also identified cyber security dilemmas in the ICS environment, related with
patching, centralized control, and disaster recovery, with no trivial controls to
solve these issues. Another observation was the high diversity between the se-
curity postures of the participating organizations, partly caused by outsourcing
and divided or unclear security responsibilities.
To optimally control ICS-related dilemmas and cyber risk in general, aware-
ness and knowledge is required. We designed and built DESI, a simulator for
cyber-physical attack demonstrations, experiments, and solution verification.
DESI is a scaled model of a water level management system, including ICS
components and a virtualized central office environment. DESI is actively used
for demonstrations to various stakeholders as well as students. DESI is also de-
ployed for the development and test of custom controls.
6.1 Future work
We foresee from our results two types of future work. First, while the assess-
ment of cyber risk in ICS environments remains challenging by a dynamic threat
landscape, increasing system complexity, and increasing dependence, continuous
research is required to further improve, extend and adapt benchmark method-
ologies and tools. Second, the successful deployment of DESI to model water
management processes and support cyber-physical attack demonstrations and
experiments, invites for further development of the simulation environment and
also the deployment of DESI in other areas involving ICS-controlled processes.
12 Burghouwt, Maris, van Peski, Luiijf, van de Voorde, and Spruit
Acknowledgment The Dutch government funds research by universities which
aim to generate knowledge which needs to flow to both the education of next gen-
eration students and to organizations. This funding scheme is called ’Regionale
Aandacht en Actie voor Kenniscirculatie’, abbreviated RAAK which translates
into English as on tar-get.
References
1. Almalawi, A., Tari, Z., Khalil, I., Fahad, A.: Scadavt-a framework for scada security
testbed based on virtualization technology. In: Local Computer Networks (LCN),
2013 IEEE 38th Conference on. pp. 639–646. IEEE (2013)
2. Amin, S., Schwartz, G.A., Hussain, A.: In quest of benchmarking security risks to
cyber-physical systems. IEEE Network 27(1), 19–24 (2013)
3. CIP: Traffic light protocol (tlp). https://publicwiki-01.fraunhofer.de/
CIPedia/index.php/Traffic_Light_Protocol_%28TLP%29 (2015), visited April
2016
4. ISO: Iso/iec 27005:2011: Information technology - security techniques - information
security risk management. Tech. rep., ISO (2011)
5. Karnouskos, S.: Stuxnet worm impact on industrial cyber-physical system security.
In: IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society.
pp. 4490–4494. IEEE (2011)
6. Kivity, A., Kamay, Y., Laor, D., Lublin, U., Liguori, A.: kvm: the linux virtual
machine monitor. In: Proceedings of the Linux symposium. vol. 1, pp. 225–230
(2007)
7. Luiijf, E., Ali, M., Zielstra, A.: Assessing and improving scada security in the dutch
drinking water sector. International Journal of Critical Infrastructure Protection
4(3), 124–134 (2011)
8. Luiijf, H.: SCADA Security Good Practices for the Drinking Water Sector. Den
Haag: TNO (2008)
9. Luiijf, H., te Paske, B.: Cyber security of industrial control systems. Tech. rep.,
TNO (2015)
10. Macaulay, T., Singer, B.L.: Cybersecurity for industrial control systems: SCADA,
DCS, PLC, HMI, and SIS. CRC Press (2011)
11. Mattioli, R., Moulinos, K.: Analysis of ics-scada cyber security maturity levels in
critical sectors. Tech. rep., ENISA (2015)
12. Mirkovic, J., Benzel, T.: Teaching cybersecurity with deterlab. Security & Privacy,
IEEE 10(1), 73–76 (2012)
13. O’Gorman, J., Kearns, D., Aharoni, M.: Metasploit: The penetration tester’s guide.
No Starch Press (2011)
14. Pfaff, B., Pettit, J., Amidon, K., Casado, M., Koponen, T., Shenker, S.: Extending
networking into the virtualization layer. In: Hotnets (2009)
15. Roesch, M., et al.: Snort: Lightweight intrusion detection for networks. In: Proc. of
the 13th USENIX Large Installation Systems Administration Conference, LISA’99.
vol. 99, pp. 229–238. USENIX Association (1999)
16. Siemens: System overview simatic s7-1200. http://w3.siemens.com/mcms/
programmable-logic-controller/en/basic-controller/s7-1200/system-
overview/Pages/default.aspx (2016), visited April 2016

Supplementary resources (2)

QuestionnaireBenchmarkUKEnglish SAN
Data
October 2016
Pieter Burghouwt · Marinus Maris · Sjaak van Peski · Eric Luiijf · M. Spruit
Vragenlijst waterkeren en beheren SAN
Data
October 2016
Pieter Burghouwt · Marinus Maris · Sjaak van Peski · Eric Luiijf · M. Spruit
... The study was effective and resulted in the development of good practices for SCADA security for drinking water organisations, which are available both in Dutch and English [113]. Building on this work, Burghouwt et al. [114] measured the cyber-security state of the 19 water management organisations in the Netherlands through an improved questionnaire. Researchers identified a lack of uniformity on security postures between organisations, partly due to ineffective management of security responsibilities. ...
... Researchers identified a lack of uniformity on security postures between organisations, partly due to ineffective management of security responsibilities. They designed and built DESI [114], a simulator to demonstrate cyber-physical attack scenarios and improve cyber-attack knowledge. ...
A Systematic Review of the State of Cyber-Security in Water Systems
Article
Full-text available
  • Jan 2021
Critical infrastructure systems are evolving from isolated bespoke systems to those that use general-purpose computing hosts, IoT sensors, edge computing, wireless networks and artificial intelligence. Although this move improves sensing and control capacity and gives better integration with business requirements, it also increases the scope for attack from malicious entities that intend to conduct industrial espionage and sabotage against these systems. In this paper, we review the state of the cyber-security research that is focused on improving the security of the water supply and wastewater collection and treatment systems that form part of the critical national infrastructure. We cover the publication statistics of the research in this area, the aspects of security being addressed, and future work required to achieve better cyber-security for water systems.
View
Modelling cyber resilience in a water treatment and distribution system
Article
Full-text available
Considering the increasing introduction of cyber-physical systems in modern industrial plants, the analysis of systems’ performance pushes for developing a cyber resilience perspective to complement a traditional physical resilience assessment. This point of view becomes central for critical infrastructures, considering the potential societal and economic consequences a disruption may have. This work provides a cyber-resilience simulation-based assessment for a seawater desalination plant and its connected distribution system. For this purpose, a digital twin has been developed. It integrates a MATLAB/Simulink model of the reverse osmosis treatment plant with a georeferenced water distribution network designed in EPANET. Four stochastic cyber resilience metrics have been proposed and computed to assess the impact of a successful replay cyber attack. The results exemplify the benefits of cyber-physical simulations to understand the behavior of modern water treatment plants, to identify system's criticalities, and eventually to support decision making by identifying hotspots and prioritizing mitigating actions.
View
Cyber Security of Industrial Control Systems
Book
Full-text available
  • Mar 2015
Crucial processes in most critical infrastructures, and in many other organisations, rely on the correct and undisturbed functioning of Industrial Control Systems (ICS). A failure of ICS may both cause critical services to fail and may result in safety risk to people and or the environment. Therefore, the cyber security and resilience of ICS is of utmost importance to society as a whole, to utilities and other critical infrastructure operators, and to organisations which use ICS. This document first and foremost, provides private and public sector executives with an Executive Summary outlining the ICS risk and challenges. We appeal to the executive leadership of organisations to address the clear and present cyber security danger to their organisations and our societies as a whole. Underpinning the Executive Summary, this document provides governmental policy-makers, technical managers, ICS suppliers and others involved in the ICS domain with background and security awareness information about the cyber security challenges for ICS. Moreover, this document provides you with a perspective for action and pointers to relevant resources.
View
Stuxnet Worm Impact on Industrial Cyber-Physical System Security
Article
Full-text available
  • Nov 2011
Industrial systems consider only partially security, mostly relying on the basis of "isolated" networks, and con-trolled access environments. Monitoring and control systems such as SCADA/DCS are responsible for managing critical infrastructures operate in these environments, where a false sense of security assumptions is usually made. The Stuxnet worm attack demonstrated widely in mid 2010 that many of the security assumptions made about the operating environment, technological capabilities and potential threat risk analysis are far away from the reality and challenges modern industrial systems face. We investigate in this work the highly sophisticated aspects of Stuxnet, the impact that it may have on existing security considerations and pose some thoughts on the next generation SCADA/DCS systems from a security perspective.
View
View
Cybersecurity for industrial control systems: SCADA, DCS, PLC, HMI, and SIS
Book
  • Apr 2016
As industrial control systems (ICS), including SCADA, DCS, and other process control networks, become Internet-facing, they expose crucial services to attack. Threats like Duqu, a sophisticated worm found in the wild that appeared to share portions of its code with the Stuxnet worm, emerge with increasing frequency. Explaining how to develop and implement an effective cybersecurity program for ICS, Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS provides you with the tools to ensure network security without sacrificing the efficiency and functionality of ICS. Highlighting the key issues that need to be addressed, the book begins with a thorough introduction to ICS. It discusses business, cost, competitive, and regulatory drivers and the conflicting priorities of convergence. Next, it explains why security requirements differ from IT to ICS. It differentiates when standard IT security solutions can be used and where SCADA-specific practices are required. The book examines the plethora of potential threats to ICS, including hi-jacking malware, botnets, spam engines, and porn dialers. It outlines the range of vulnerabilities inherent in the ICS quest for efficiency and functionality that necessitates risk behavior such as remote access and control of critical equipment. Reviewing risk assessment techniques and the evolving risk assessment process, the text concludes by examining what is on the horizon for ICS security, including IPv6, ICSv6 test lab designs, and IPv6 and ICS sensors.
View
SCADAVT-A framework for SCADA security testbed based on virtualization technology
Conference Paper
  • Oct 2013
Supervisory Control and Data Acquisition (SCADA) systems monitor and control infrastructures and industrial processes such as smart grid power and water distribution systems. Recently, such systems have been attacked, and traditional security solutions have failed to provide an appropriate level of protection. Therefore, it is important to develop security solutions tailored to SCADA systems. However, it is impractical to evaluate such solutions on actual live systems. This paper proposes a SCADA security testbed based on virtualization technology, and introduces a server which is used as a surrogate for water distribution systems. In addition, this paper presents a case study of two malicious attacks to demonstrate how the testbed can easily monitor and control any automatised processes, and also to show how malicious attacks can disrupt supervised processes.
View
In quest of benchmarking security risks to cyber-physical systems
Article
  • Jan 2013
We present a generic yet practical framework for assessing security risks to cyber-physical systems (CPSs). Our framework can be used to benchmark security risks when information is less than perfect, and interdependencies of physical and computational components may result in correlated failures. Such environments are prone to externalities, and can cause huge societal losses. We focus on the risks that arise from interdependent reliability failures (faults) and security failures (attacks). We advocate that a sound assessment of these risks requires explicit modeling of the effects of both technology-based defenses and institutions necessary for supporting them. Thus, we consider technology-based security defenses grounded in information security tools and fault-tolerant control in conjunction with institutional structures. Our game-theoretic approach to estimating security risks facilitates more effective defenses, especially against correlated failures.
View
Extending Networking into the Virtualization Layer
Article
  • Jan 2009
The move to virtualization has created a new network access layer residing on hosts that connects the various VMs. Virtualized deployment environments impose re- quirements on networking for which traditional models are not well suited. They also provide advantages to the networking layer (such as software flexibility and well- defined end host events) that are not present in physical networks. To date, this new virtualization network layer has been largely built around standard Ethernet switching, but this technology neither satisfies these new requirements nor leverages the available advantages. We present Open vSwitch, a network switch specifically built for virtual environments. Open vSwitch differs from traditional approaches in that it exports an external interface for fine-grained control of configuration state and forwarding behavior. We describe how Open vSwitch can be used to tackle problems such as isolation in joint-tenant environments, mobility across subnets, and distributing configuration and visibility across hosts.
View
KVM: The Linux virtual machine monitor
Article
  • Jan 2007
Virtualization is a hot topic in operating systems these days. It is useful in many scenarios: server consolida-tion, virtual test environments, and for Linux enthusiasts who still can not decide which distribution is best. Re-cently, hardware vendors of commodity x86 processors have added virtualization extensions to the instruction set that can be utilized to write relatively simple virtual machine monitors. The Kernel-based Virtual Machine, or kvm, is a new Linux subsystem which leverages these virtualization extensions to add a virtual machine monitor (or hyper-visor) capability to Linux. Using kvm, one can create and run multiple virtual machines. These virtual ma-chines appear as normal Linux processes and integrate seamlessly with the rest of the system.
View
Snort - Lightweight Intrusion Detection for Networks
Conference Paper
  • Jan 1999
ABSTRACT Network intrusion detection systems (NIDS) are an important part of any network security architecture They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected Commercial NIDS have many differences, but Information Systems departments must face the commonalities that they share such as significant system footprint, complex deployment and high monetary cost Snort was designed to address these issues
View
Assessing and Improving SCADA Security in the Dutch Drinking Water Sector
Conference Paper
  • Jan 2008
International studies have shown that information security for process control systems, in particular SCADA, is weak. As many critical infrastructure (CI) services depend on process control systems, any vulnerability in the protection of process control systems in CI may result in serious consequences for citizens and society. In order to understand their strengths and weaknesses, the drinking water sector in The Netherlands benchmarked the information security of their process control environments. Large differences in their security postures were found. Good Practices for SCADA security were developed based upon the study results. This paper will discuss the simple but effective approach taken to perform the benchmark, the way the results were reported to the drinking water companies, and the way in which the SCADA security good practices were developed. Figures shown in this paper are based on artificially constructed data since the study data contain company and national sensitive information.
View