Conference Paper

An Analysis of Black Energy 3, Crashoverride, and Trisis, Three Malware Approaches Targeting Operational Technology Systems


Abstract

Connected factories offer more and more possibilities to bring business logic into industry-related components such as industrial control systems (ICS). These systems in the operational technology (OT) sector are usually harder to update and maintain than IT systems. In recent years, the number of cyberattacks specifically tailored to OT systems has increased. We analyzed BlackEnergy 3 (BE3), Crashoverride (CO), and Trisis (TS). After describing the occurrences of these attacks, we looked for similar strategies between these three approaches and propose promising methods to prevent such or similar attacks in the future.


... However, even though APT30 has used numerous auxiliary and supporting devices in the past, their primary tools, such as the Delete and NETEAGLE backdoors and a set of devices (SHIPSHAPE and SPACESHIP) accepted to be designed for contaminating (and stealing information from) air-gapped networks, have proven to be extremely reliable over time. As a result, APT30 may be able to modify and adapt its source code to meet the needs of their current targets (governments and commercial entities) [31]. Backdoor Delete has existed since at least 2005, and it is still being used today. ...
... It seems that APT30 has made a conscious decision to contribute to the long-term growth and progress of what appears to be a specific set of devices, rather than simply exchanging one backdoor for another when more modern, adaptive, or feature-rich devices become available. When APT30 (or the engineers who provide them with devices) or their victims (governments/private entities) have specific requirements, they may alter the source code to meet those requirements [31]. In use since at least 2005, the Delete backdoor has gone through various revisions. ...
... This alliance is an example of the new method of interdiction, which is a more effective way of doing things than the previous method that was being used [30]-[31]. On October 14 and 28, 2014, the team eliminated malware, disclosed position markers, and provided open information in an effort to mitigate the risk presented by the group of on-screen characters. Due to the fact that they are a particularly dangerous group, we will refer to them as the Axiom for the sake of this essay. ...
Article
Full-text available
This survey covers Chinese Advanced Persistent Threat (APT) real attack groups and scenarios. This survey provides a taxonomy of Chinese APT groups/attacks in conjunction with the use of Threat Intelligence (TI) to detect and prevent the attacks. This paper will provide the current knowledge and emerging APT groups that target governments and private enterprises. In addition, this paper presents contributions, performance comparison and methods of criticism of detection in the current solutions. The study covers many attack groups funded by different Chinese governments to attack other governments around the world, taking into account that each group is specialized to attack specific sectors: some of them attack the military, police and intelligence departments, some attack the banking, commercial and agricultural sectors, and some attack the information technology, health, arts, and nanotechnology sectors, etc. In this paper, we propose solutions at the first potential victim, and at the network level, to stop APT attacks. We recommend that there must be multi-layer protection over the first machine and infrastructure to detect and prevent APT attacks. This paper will use adversarial tactics, techniques and common knowledge (ATT&CK) as a knowledge base. We recommend researchers focus on ATT&CK and TI to develop a solution against APT attacks.
... This led to damage to many components of the industrial plant and to the eventual shutdown of production. (d) BlackEnergy 3 and CRASHOVERRIDE malware have caused power outages in Ukraine [22,23]. The first attack on the power grid took place on 23 December 2015. ...
... In 2016, a CRASHOVERRIDE attack based on the same mechanism led to an hourly power cut in Kiev. (e) In 2017, the SIS system of a petrochemical plant in Saudi Arabia was attacked with the TRISIS malware [22,24]. It was a very powerful and advanced software designed to attack a specific system of security instruments (SIS). ...
Article
Full-text available
This paper is concerned with the issue of the diagnostics of process faults and the detection of cyber-attacks in industrial control systems. This problem is of significant importance to energy production and distribution, which, being part of critical infrastructure, is usually equipped with process diagnostics and, at the same time, is often subject to cyber-attacks. A commonly used approach would be to separate the two types of anomalies. The detection of process faults would be handled by a control team, often with the help of dedicated diagnostic tools, whereas the detection of cyber-attacks would be handled by an information technology team. In this article, it is postulated that the two can be usefully merged together into one comprehensive anomaly detection system. For this purpose, firstly, the main types of cyber-attacks and the main methods of detecting cyber-attacks are reviewed. Subsequently, in analogy to "process fault", a term well established in process diagnostics, the term "cyber-fault" is introduced. Within this context a cyber-attack is considered as a vector containing a number of cyber-faults. Next, it is explained how methods used in process diagnostics for fault detection and isolation can be applied to the detection of cyber-attacks and, in some cases, also to the isolation of the components of such attacks, i.e., cyber-faults. A laboratory stand and a simulator have been developed to test the proposed approach. Some test results are presented, demonstrating that, similarly to equipment/process faults, residua can be established and cyber-faults can be identified based on the mismatch between the real data from the system and the outputs of the simulation model.
... Windows 10 and 11 incorporate Windows Security, which provides users with the most recent antivirus assurance. Windows Security will begin operating and secure the system from the minute one begins Windows. It ceaselessly looks for malware (pernicious programs), infections, and security dangers. In addition to this real-time assurance, overhauls are downloaded automatically to assist in keeping the device secure from ongoing threats. ...
... In short, according to Avira, we can say that Microsoft Protector may be sufficient for the user to satisfactorily protect their data, but it is also clear that it represents a reputable and reliable 'non-free' antivirus option. With regards to users who do not have high levels of technical experience, it is difficult for them to correctly judge whether this product is sufficient to protect them or not. It can therefore represent an advantageous product for some, and a limited one for others. ...
Article
Full-text available
Background: Microsoft Windows Security is a recently implemented safeguard for the Windows operating systems, including the latest versions of Windows 10 and 11. However, there is a major shortcoming in this system to stop Advanced Persistent Threats (APT). These are government-financed groups that are funded to attack other government entities. Following the initial security breach, the hacked Windows device is used to access the rest of the network devices in order to transfer data to external storage (Exfiltration). Methods: In this work, we have tested the Microsoft Windows Security system using the MITRE CALDERA and ATT&CK frameworks and explain how APT groups are able to bypass Windows Security. Results: In this study we used the "54ndc47" agent through the GoLang feature in the MITRE CALDERA platform to test and bypass Microsoft Windows Security systems (MS Windows 10). Through it, we were able to bypass the Windows Security system and display entire files in the victim's device. Conclusions: In this paper, we have provided recommendations to Microsoft to improve their Windows Security tool through the use of Artificial Intelligence (AI).
... In this context, prior works cover different aspects related to modeling and analysis of malicious industrial intrusions [5,13,4,16,22]. However, existing works cannot illustrate the detailed analysis of ICS malware attacks. ...
... For each of these attacks, the authors described the attack methodology used and suggested potential mitigation techniques. In [16], the authors carried out a comparative analysis of three malware targeting operational technology systems. However, the authors only considered finding similar attack properties at a high level between ICS malware and discussed possible mitigation strategies based on these similarities. ...
Chapter
Full-text available
Cyber attacks against Industrial Control Systems are one of the major concerns for worldwide manufacturing companies. With the growth of emerging technologies, protecting large-scale Critical Infrastructures has become a considerable research topic in the past decade. Nowadays, software used to monitor Industrial Control Systems might be malicious and cause harm not only to physical processes but also to people working in industrial environments. To that end, integrating safety and security in Industrial Control Systems requires a well-developed understanding of malware-based cyber attacks. In this paper, we present a comparative analysis framework of ICS malware in a bi-layered approach: a cyber threat intelligence layer based on the ICS cyber kill chain and a hybrid analysis layer based on a static and dynamic analysis of ICS malware. We evaluated our proposed method by experimenting with five well-known ICS malware: Stuxnet, Havex, BlackEnergy2, CrashOverride, and TRISIS. Our comparative analysis results show different and similar strategies used by each ICS malware to disrupt the ICS environment.
... Cyber-attacks against ICS have increased in frequency and in the sophistication of tactics used to avoid detection mechanisms. Firoozjaei et al. [24] demonstrated the adversarial tactics and analyzed the attack mechanisms of six significant real-world ICS cyber incidents in the energy and power industries, namely Stuxnet [25], BlackEnergy [26], Crashoverride [27], Triton, Irongate, and Havex [28]. They provided an evaluation framework for each attack's threat level of ICS malware and introduced a weighting scheme to rank their influences on ICS. ...
Article
Full-text available
Anomaly detection has been known as an effective technique to detect faults or cyber-attacks in industrial control systems (ICS). Therefore, many anomaly detection models have been proposed for ICS. However, most models have been implemented and evaluated under specific circumstances, which leads to confusion about choosing the best model in a real-world situation. In other words, there still needs to be a comprehensive comparison of state-of-the-art anomaly detection models with common experimental configurations. To address this problem, we conduct a comparative study of five representative time series anomaly detection models: InterFusion, RANSynCoder, GDN, LSTM-ED, and USAD. We specifically compare the performance analysis of the models in detection accuracy, training, and testing times with two publicly available datasets: SWaT and HAI. The experimental results show that the best model results are inconsistent with the datasets. For SWaT, InterFusion achieves the highest F1-score of 90.7% while RANSynCoder achieves the highest F1-score of 82.9% for HAI. We also investigate the effects of the training set size on the performance of anomaly detection models. We found that about 40% of the entire training set would be sufficient to build a model producing a similar performance compared to using the entire training set.
... The operators eventually had to manually shut down the system to avoid further damage. This piece of malware was specifically designed to attack electrical grids, as it targeted IEC protocols 101, 104, and 61850, all of which are network protocols that can be used for industrial control systems [21]. CRASHOVERRIDE was able to issue commands over these IEC protocols to remote terminal units that had access to the electrical grid's circuit breakers. ...
Conference Paper
In recent years, countries across the world have started developing small modular reactors (SMRs), nuclear reactors that generally produce around 300 megawatts of electricity (MWe). Many believe this type of reactor could be key in helping countries achieve their net-zero goals, as they are theoretically less expensive and safer than their larger counterparts, which usually produce more than 500 MWe. SMRs will be assembled in factories and operated in a mostly remote manner, raising concerns about cybersecurity. This paper attempts to analyze the cybersecurity of traditional nuclear reactors and the cyber-physical systems they rely on, analyze the novel ways in which SMRs will be developed and operated, and then highlight how and why SMRs could be particularly vulnerable to cyber-attacks. This paper finds that SMRs will be more susceptible to cyber-attacks when compared to larger, more traditional reactors. Mitigations are offered that should increase the cyber-resilience of SMRs.
... c) Cybercriminals may seize credentials for access to systems, obtaining user names and passwords. In the incident in Ukraine, e-mails containing attachments with the malware called BlackEnergy3 [22] were sent to information technology professionals and system administrators working for multiple companies responsible for the distribution of electric power. The malware established a backdoor [23] on the machines when the macro functionality of a text editor was enabled by the users to open the attached, infected documents. ...
Conference Paper
Electric power systems are increasingly interconnected and dependent on monitoring and protection devices, interconnected by communication and information networks. However, by enabling new forms of interaction with the system, this leads to new risks and challenges related to the cybersecurity of the electricity sector. The consequences of the exploitation of vulnerabilities by malicious actors can be estimated from the investigation of real cases of cyber attacks. The incidents range from information theft to the collapse of an electric power distribution network in Ukraine in 2015, leaving about 220,000 consumers without power supply for hours. Thus, this work aims to contextualize the current cybersecurity scenario in the electricity sector. Cyber attack methods are discussed, relating them to occurrences in electric power systems or to potential risks. Finally, methodologies that can be implemented to avoid or mitigate the effects of these attacks are presented.
... Much of what we commonly perceive as material goods has remained largely unaffected by malware, even as more and more security incidents make headlines. Some high-profile ICS attacks, such as Stuxnet [1], BlackEnergy [2], Duqu [3], and Havex [4], have been targeted attacks aimed at sabotage rather than financial profit. However, most criminals on the Internet do not have a state-sponsored background but are encouraged by economic motives. ...
Article
Full-text available
The Industrial Control System (ICS) is a public facility that provides services to lots of users; thus, its security has always been a critical factor in measuring its availability. Recently, a new type of attack on ICS has occurred frequently, which realizes the extortion of users by invading the information domain and destroying the physical domain. However, due to the diversity and unavailability of an ICS control logic, the targets of such attacks are usually limited to PCs and servers, leaving more disruptive attack methods unexplored. To contribute more possible attack methods to strengthen the immunity of ICS, in this paper, we propose a novel ransomware attack method named Industrial Control System Automatic Ransomware Constructor (ICS-ARC). Compared to existing ICS ransomware, ICS-ARC can automatically generate an International Electrotechnical Commission (IEC) compliant payload to compromise the Programmable Logic Controller (PLC) without a pre-known control logic, dramatically reducing adversary requirements and leaving room for error. To evaluate the attack capability of ICS-ARC, we built a tap water treatment system as the simulation experiment target for verification. The experimental results determine that ICS-ARC can automatically generate malicious code without the control logic and complete the attack against target PLCs. In addition, to assist the related research on future attacks and defenses, we present the statistical results and corresponding analysis of PLC based on Shodan.
... Safety and security are interdependent [4]. For example, the manipulation of a Safety Instrumented System (SIS), a device meant to increase safety, may lead to not being able to execute the safety function when needed [6,15]. This interference with the safety function of the SIS may injure people or damage the industrial architecture as a consequence. ...
Conference Paper
Full-text available
Information Technology (IT) and Operational Technology (OT) are converging further, which increases the number of interdependencies of safety and security risks arising in industrial architectures. Cyber attacks interfering with safety functionality may lead to serious injuries as a consequence. Intentionally triggering a safety function may introduce a security vulnerability during the emergency procedure, e.g., by opening emergency exit doors and thereby enabling unauthorized physical access. This paper introduces a risk evaluation methodology to prioritize and manage identified threats considering security, safety, and their interdependencies. The presented methodology uses metrics commonly used in the industry to increase its applicability and enable the combination with other risk assessment approaches. These metrics are the Common Vulnerability Scoring System (CVSS), the Security Level (SL) from the standard IEC 62443 and the Safety Integrity Level (SIL) from the standard IEC 61508. Conceptual similarities of those metrics are considered during the risk calculation, including an identified relation between CVSS and SL. Besides this relation, the skill level and resources of threat actors, threats enabling multiple identified attacks, the SIL of safety-relevant components affected, the business criticality of the targeted asset, and the SL-T of the zone targeted by the attack are considered for risk evaluation. The industrial architecture to be analyzed is separated into zones and conduits according to IEC 62443, enabling the analyzed system to be compliant with its requirements.
... More recently, the Trisis [78] malware successfully attacked equipment employed in energy, oil, and gas control systems. Other research dealt with a combined analysis of BlackEnergy, Crashoverride, and Trisis [79], whereas Hemsley et al. [80] discussed the history of ICS cyber incidents. ...
Article
Full-text available
Active buildings can be briefly described as smart buildings with distributed and renewable energy resources able to energise other premises in their neighbourhood. As their energy capacity is significant, they can provide ancillary services to the traditional power grid. As such, they can be a worthy target of cyber-attacks potentially more devastating than if targeting traditional smart buildings. Furthermore, to handshake energy transfers, they need additional communications that add up to their attack surface. In such a context, security analysis would benefit from collection of cyber threat intelligence (CTI). To facilitate the analysis, we provide a base active building model in STIX in the tool cyberaCTIve that handles complex models. Active buildings are expected to implement standard network security measures, such as intrusion-detection systems. However, to timely respond to incidents, real-time detection should promptly update CTI, as it would significantly speed up the understanding of the nature of incidents and, as such, allow for a more effective response. To fill this gap, we propose an extension to the tool cyberaCTIve with a web service able to accept (incursion) feeds in real-time and apply the necessary modifications to a STIX model of interest.
... Over the years, attacks on Smart-Grid power control components, such as the Stuxnet worm [1], Black Energy 3 [2], Crashoverride [3], and Trisis [4], were able to significantly damage Industrial Control Systems (ICS) [5]. In the first quarter of 2021 the US East Coast oil supply chain, provided by Colonial Pipeline, was the target of a serious attack. ...
Article
Full-text available
Recent cyber-attacks in critical infrastructures have highlighted the importance of investigating how to improve Smart-Grid (SG) resiliency. In the future, it is envisioned that grid-connected micro-grids would have the ability of operating in 'islanded mode' in the event of a grid-level failure. In this work, we propose a method for unfolding aging and rejuvenation models into their sequential counterparts to enable the computation of transient state probabilities in the proposed models. We have applied our methodology to one specific security attack scenario and four large campus micro-grid case studies. We have shown how to convert the software aging and rejuvenation model, with cycles, to its unfolded counterpart. We then used the unfolded counterpart to support the survivability computation. We were able to analytically evaluate the transient failure probability and the associated Instantaneous Expected Energy Not Supplied metric, for each of the four case studies, from one specific attack. We envision several practical applications of the proposed methodology. First, because the micro-grid model is solved analytically, the approach can be used to support micro-grid engineering optimizations accounting for security intrusions. Second, micro-grid engineers could use the approach to detect security attacks by monitoring for unexpected deviations of the Energy Not Supplied metric.
... It is not a surprise, given that the control of industrial plants today relies almost entirely on IT support, that their security becomes a strategic issue of national interest. Analyzing some of the well-known cyber-attacks of the last decade, such as the BlackEnergy3 malware - Ukrainian power grid crash (2015) [1], Stuxnet - attack on Iranian nuclear facilities (2010) [2], the Triton malware - petrochemical plant in Saudi Arabia (2017) [3] and similar, it becomes clear that the sophistication of the algorithm and the required level of knowledge from multiple areas is not the work of individuals or smaller groups, but more likely the interference of state-level controlled organizations. Fortunately, some of the relevant international institutions and organizations have been actively involved in developing methods of prevention and defense against these attacks, which has resulted in concrete measures and guidelines for building and maintaining more secure ICS, and especially its network component. ...
Article
Recently, Critical Infrastructures (CI) such as energy, power, transportation, and communication have come to be increasingly dependent on advanced information and communication technology (ICT). This change has increased the connection between the Industrial Control System (ICS) supporting the CI and the Internet, resulting in an increase in security threats and allowing a malicious attacker to manipulate and control the ICS arbitrarily. On the other hand, ICS operators are reluctant to install security systems for fear of adverse effects on normal operations due to system changes. Therefore, new research is needed to detect anomalies quickly and identify attack types while ensuring the high availability of ICS. This study proposes a host-based method to detect and identify abnormalities in an Oil Refinery's Distributed Control System (DCS) network that uses DCS vendor-proprietary protocols, based on a tree-based machine learning algorithm. The results demonstrate that the proposed method can effectively detect an abnormality with the eXtreme Gradient Boosting (XGB) classifier, with up to 99% accuracy. Taken together, the results of this study contribute to the accurate detection of abnormal events and identification of attack types on the network without disrupting the normal operation of the DCS in the Oil Refinery.
Article
Industrial control systems (ICSs) and critical infrastructure are targeted by sophisticated cyber incidents launched by skillful and persistent attackers. Due to political, public image, or industrial competition reasons, most incidents are not publicly reported. Therefore, their consequences and threats are not as well known as those in information technology (IT) systems. This paper aims to provide a foundation for cyber risk assessment for operational technology (OT) systems. To this end, we review the adversarial tactics and techniques employed by attackers to launch ICS cyberattacks and analyze the attack mechanisms of six significant ICS cyber incidents in the energy and power industries, namely Stuxnet, BlackEnergy, Crashoverride, Triton, Irongate, and Havex. We introduce an evaluation framework to evaluate the threat level of the ICS cyber incidents based on their sophistication and incident consequences. Finally, we rate the analyzed ICS cyber incidents based on their threat scores. Our evaluation rates Stuxnet as the most sophisticated and highest-threat ICS malware and Irongate the lowest. We hope our evaluation can shed light on the design of protection solutions for OT systems.
Conference Paper
Full-text available
Energy, in its many forms, is vital for modern society. It is not just the electricity we get from the plug, but it includes the varied production methods and the means to bring it to the end-users, whether they are industries, traffic or homes. If this chain is broken and energy cannot be distributed, the results are complicated. Especially, the lack of electricity tests the reserve power production capabilities in hospitals and in other critical infrastructures. Readiness plans have to be kept up to date and rehearsed regularly in order to keep them effective. This requires information on the changes in security scenarios based on newly emerged threats. The energy sector is facing new opportunities as smart grid solutions provide possibilities for more efficient energy production, transmission and distribution. However, new risks arise from connectivity and automation. Bringing remote access to systems that are not designed for it security-wise aids adversaries in reaching their goals undetected. We have seen cyber risks actualizing and having an effect on our physical world. In addition to causing inconvenience in society's basic functionalities, intentional power outages also shatter the sense of security. This is why national and international research projects are formed around this topic. From Finland's perspective, interest in smart and flexible energy systems is very high. In addition, our energy production is quite distributed, and there are numerous operators on the market. Because of that, we need to consider the cyber threats at the national level. There are studies and models on how to prepare for these events or, even better, how to prevent them. We wish to see how realistic these models are against real-world scenarios. We survey and analyze current publicly known cyber-attacks against actors in the energy sector and compare the kill chain, adversaries and impacts. We also explore mitigation strategies for future scenarios based on the findings of our analysis.
The result describes the current energy sector cyber threat landscape. It provides information to security solution developers in business but also at the national level. Results can be seen as a baseline for future trend comparisons.
Chapter
Full-text available
Nowadays it is important to note that security of critical infrastructures and enterprises consists of two factors, those are cyber security and physical security. It is important to emphasise that those factors cannot be considered separately and that a comprehensive cyber-physical approach is needed. In this paper we analyse different methods, methodologies and tool suites that allow modelling different cyber security aspects of critical infrastructures. Moreover, we provide an overview of goals and challenges, an overview of case studies (which show an increasing complexity of cyber-physical systems), taxonomies of cyber threats, and the analysis of ongoing actions trying to comprehend and address cyber aspects.
Article
Full-text available
Advances in computing technology are acquainting numerous colossal changes with individuals' way of life and working example as of late for its countless advantages. In any case, the security of cloud computing and server level technologies is dependably the center of various potential clients, and a major obstruction for its far-reaching applications. This paper introduces a novel approach of testing various tools that can be used to measure the potential helplessness of a digital system to particular sorts of assaults that use lateral movement and privileged heightening, such as Pass The Hash. Earlier papers have only done the comparison at limited resources and have failed to show accurate results. While other papers and assets concentrate fundamentally on running the tools and in some cases contrasting them, this paper offers a top to bottom, orderly examination of the apparatuses over the different Windows stages, including AV discovery rates. It additionally gives broad counsel to moderate pass the hash assaults and talks about the upsides and downsides of a portion of the methodologies.
Conference Paper
Full-text available
A Network Intrusion Detection System (NIDS) helps system administrators to detect network security breaches in their organizations. However, many challenges arise while developing a flexible and efficient NIDS for unforeseen and unpredictable attacks. We propose a deep learning based approach for developing such an efficient and flexible NIDS. We use Self-taught Learning (STL), a deep learning based technique, on NSL-KDD, a benchmark dataset for network intrusion. We present the performance of our approach and compare it with a few previous works. Compared metrics include accuracy, precision, recall, and f-measure values.
Article
Full-text available
In a model-based intrusion detection approach for protecting SCADA networks, we construct models that characterize the expected/acceptable behavior of the system, and detect attacks that cause violations of these models. Process control networks tend to have static topologies, regular traffic patterns, and a limited number of applications and protocols running on them. Thus, we believe that model-based monitoring, which has the potential for detecting unknown attacks, is more feasible for control networks than for general enterprise networks. To this end, we describe three model-based techniques that we have developed and a prototype implementation of them for monitoring Modbus TCP networks.
Article
Full-text available
Most critical infrastructure such as chemical processing plants, electrical generation and distribution networks, and gas distribution is monitored and controlled by Supervisory Control and Data Acquisition Systems (SCADA). These systems have been the focus of increased security and there are concerns that they could be the target of international terrorists. With the constantly growing number of internet related computer attacks, there is evidence that our critical infrastructure may also be vulnerable. Researchers estimate that malicious online actions may cause $75 billion in 2007. One of the interesting countermeasures for enhancing information system security is called intrusion detection. This paper will briefly discuss the history of research in intrusion detection techniques and introduce the two basic detection approaches: signature detection and anomaly detection. Finally, it presents the application of techniques developed for monitoring critical process systems, such as nuclear power plants, to anomaly intrusion detection. The method uses an autoassociative kernel regression (AAKR) model coupled with the statistical probability ratio test (SPRT) and applied to a simulated SCADA system. The results show that these methods can be generally used to detect a variety of common attacks. I. BACKGROUND Any action that is not legally allowed for a user to take towards an information system is called intrusion, and intrusion detection is a process of detecting and tracing
Conference Paper
Full-text available
As obfuscation is widely used by malware writers to evade antivirus scanners, it becomes important to analyze how this technique is applied to malware. This paper explores the malware obfuscation techniques while reviewing the encrypted, oligomorphic, polymorphic and metamorphic malware which are able to avoid detection. Moreover, we discuss the future trends in malware obfuscation techniques.
Conference Paper
Establishing adequate cybersecurity for their operational technology (OT) is an existential challenge for manufacturing enterprises. Domain-specific security standards should provide essential support in this challenge. However, they cannot be implemented equally for enterprises of all sizes. We investigate to what extent domain-specific security standards for operational technology are applicable by small and medium-sized as well as large manufacturing enterprises, and how their individual need for action can be identified and addressed. We support our investigation with the results of two independent surveys among manufacturers about their needs for cybersecurity support. In the course of this investigation, we learned that most domain-specific security standards are well applicable to large enterprises. In contrast, small and medium-sized enterprises (SME) seek the support of security experts, who, for their part, are often struggling with a lack of experience in operational technology. To facilitate this cooperation, we provide an introduction for OT- and cybersecurity-experts to the respective basic concepts of their collaborators.
Conference Paper
As critical infrastructures have become strategic targets for advanced cyber-attacks, we face the severe challenge to provide new defense technologies for their protection. We propose a distributed supranational architecture for detection, classification, and mitigation of highly sophisticated cyber incidents targeted simultaneously at multiple critical infrastructures. We build upon a three-layered architecture comprised of Security Operations Centres at organizational (O-SOC), national (N-SOC), and European (E-SOC) level using IDS and SIEM solutions. In our approach we combine machine learning and automatic ontological reasoning: First, we apply methods from the field of machine learning to analyse threat indicators of different granularity. This provides classification of very specific observables collected at compromised sites. Second, we perform ontological analysis to identify large scale correlations within an incident knowledge graph. This yields insight into ongoing attack campaigns, especially regarding extent and expected impact. Our approach further allows us to identify targets that are likely also to be affected or already compromised. Our proposed architecture counters advanced threats targeted against the critical infrastructures of Europe. We currently develop a prototype of our approach within the framework of European Union FP7 project ECOSSIAN (607577).
Article
As technology progresses, cyber-physical systems are becoming susceptible to a wider range of attacks. In manufacturing, these attacks pose a significant threat to ensuring products conform to their original design intent and to maintaining the safety of equipment, employees, and consumers. This letter discusses the importance of research and development of cyber-security tools specifically designed for manufacturing. A case study of a cyber-attack on a small-scale manufacturing system is presented to (i) illustrate the ease of implementing attacks, (ii) highlight their drastic effects and (iii) demonstrate the need for educating the current and future manufacturing workforce.
Article
A political figure in Hong Kong continuously receives spear-phishing emails that encourage clicking on shortcuts or opening attachments with file extensions such as .pdf, .doc(x), .xls(x), .chm, and so on. He suspects that such emails were actively sent from seemingly known parties during the pre- and post-election periods. The emails and samples were sent to us for investigation, and two nearly identical samples were chosen for the case study. These malware samples appear to be the first Advanced Persistent Threat (APT) incident to undergo detailed study in Hong Kong. APT is defined by MANDIANT as a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target or entity for a prolonged period. The malware performs the following functions, similar to those of "Operation Shady RAT": it attempts to hide itself from known anti-virus programs, downloads and executes additional binaries, enumerates all file information on the hard disk, gathers email and instant messaging passwords from victims, collects screen captures, establishes outbound encrypted HTTP connections, sends all gathered intelligence to a Command and Control, and deletes all temporary files of the collected information from the victims' machine after uploading. The forensic findings lead us to believe that APT is a real threat in Hong Kong.
Conference Paper
Intrusion detection is the process of identifying and responding to suspicious activities targeted at computing and communication resources, and it has become the mainstream of information assurance with the dramatic increase in the number of attacks. An intrusion detection system (IDS) monitors and collects data from a target system that should be protected, processes and correlates the gathered information, and initiates responses when evidence of an intrusion is detected. In this paper, we designed and implemented a host-based intrusion detection system, which combines two detection technologies: one is log file analysis technology and the other is BP neural network technology. Log file analysis is an approach of misuse detection, and BP neural network is an approach of anomaly detection. By combining these two kinds of detection technologies, the HIDS that we have implemented can effectively improve the efficiency and accuracy of intrusion detection.
Conference Paper
Conficker [26] is the most recent widespread, well-known worm/bot. According to several reports [16, 28], it has infected about 7 million to 15 million hosts and the victims are still increasing even now. In this paper, we analyze Conficker infections at a large scale, including about 25 million victims, and study various interesting aspects about this state-of-the-art malware. By analyzing Conficker, we intend to understand current and new trends in malware propagation, which could be very helpful in predicting future malware trends and providing insights for future malware defense. We observe that Conficker has some very different victim distribution patterns compared to many previous generation worms/botnets, suggesting that new malware spreading models and defense strategies are likely needed. Furthermore, we intend to determine how well a reputation-based blacklisting approach can perform when faced with new malware threats such as Conficker. We cross-check several DNS blacklists and IP/AS reputation data from Dshield [6] and FIRE [7], and our evaluation shows that, unlike a previous study [18] which shows that a blacklist-based approach can detect most bots, these reputation-based approaches did relatively poorly for Conficker. This raises the question: how can we improve and complement existing reputation-based techniques to prepare for future malware defense? Finally, we look into some insights for defenders. We show that neighborhood watch is a surprisingly effective approach in the Conficker case. This suggests that security alert sharing/correlation (particularly among neighborhood networks) could be a promising approach and play a more important role in future malware defense.
Article
Last year marked a turning point in the history of cybersecurity: the arrival of the first cyber warfare weapon ever, known as Stuxnet. Not only was Stuxnet much more complex than any other piece of malware seen before, it also followed a completely new approach that's no longer aligned with conventional confidentiality, integrity, and availability thinking. Contrary to initial belief, Stuxnet wasn't about industrial espionage: it didn't steal, manipulate, or erase information. Rather, Stuxnet's goal was to physically destroy a military target, not just metaphorically, but literally. Let's see how this was done.
N. Perlroth and D. E. Sanger, "Hackers hit dozens of countries exploiting stolen N.S.A. tool," 2017. [Online]. Available: https://www.nytimes.com/2017/05/12/world/europe/uknational-health-service-cyberattack.html (visited on 2019-04-30).
S. Frenkel, "Global ransomware attack: What we know and don't know," 2017. [Online]. Available: https://www.nytimes.com/2017/06/27/technology/globalransomware-hack-what-we-know-and-dont-know.html (visited on 2019-07-14).
ICS-CERT, Department of Homeland Security, "Advisory (ICSA-14-178-01): ICS focused malware," 2014. [Online].
J. Slowik, "Evolution of ICS Attacks and the Prospects for Future Disruptive Events," Report, 2019.
International Electrotechnical Commission and others, "IEC TS 62443, Industrial communication networks - Network and system security," IEC, Geneva, CH, Standard-Listing, 2009.
VDI and VDE, "IT-security for industrial automation - General model, VDI/VDE 2182 Blatt 1," Beuth Verlag, Berlin, Germany.
VdS Schadenverhütung GmbH, "Informationssicherheitsmanagementsystem für kleine und mittlere Unternehmen" (Information security management system for small and medium-sized enterprises). [Online].
M. J. Assante and R. M. Lee, "The industrial control system cyber kill chain," SANS Institute InfoSec Reading Room 1, 2015.
Dragos Inc., "TRISIS Malware: Analysis of Safety System Targeted Malware," 2017. [Online]. Available: https://dragos.com/wp-content/uploads/TRISIS-01.pdf (accessed on 2020-05-08).
C. Hummel, "Why crack when you can pass the hash," SANS Institute InfoSec Reading Room 21, 2009.
S. Cheung et al., "Using model-based intrusion detection for SCADA networks," in Proceedings of the SCADA Security Scientific Symposium, vol. 46, 2007.
"The EU Cybersecurity Act: a new Era dawns on ENISA."