Preprint

Analyzing the Attack Surface and Threats of Industrial Internet of Things Devices

Authors:
Preprints and early-stage research may not have been peer reviewed yet.
To read the file of this research, you can request a copy directly from the authors.

Abstract

The growing connectivity of industrial devices as a result of the Internet of Things is increasing the risks to Industrial Control Systems. Since attacks on such devices can also cause damage to people and machines, they must be properly secured. Therefore, a threat analysis is required in order to identify weaknesses and thus mitigate the risk. In this paper, we present a systematic and holistic procedure for analyzing the attack surface and threats of Industrial Internet of Things devices. Our approach is to consider all components including hardware, software and data, assets, threats and attacks throughout the entire product life cycle.

No file available

Request Full-text Paper PDF

To read the file of this research,
you can request a copy directly from the authors.

ResearchGate has not been able to resolve any citations for this publication.
Article
Full-text available
Modern electronic devices have become “smart" as well as omnipresent in our day-to-day lives. From small household devices to large industrial machines, smart devices have become very popular in every possible application domain. Smart devices in our homes, offices, buildings, and cities can connect with other devices as well as with the physical world around them. This increasing popularity has also placed smart devices as the center of attention among attackers. Already, several types of malicious activities exist that attempt to compromise the security and privacy of smart devices. One interesting and noteworthy emerging threat vector is the attacks that abuse the use of sensors on smart devices. Smart devices are vulnerable to sensor-based threats and attacks due to the lack of proper security mechanisms available to control the use of sensors by installed apps. By exploiting the sensors (e.g., accelerometer, gyroscope, microphone, light sensor, etc.) on a smart device, attackers can extract information from the device, transfer malware to a device, or trigger a malicious activity to compromise the device. In this paper, we explore various threats and attacks abusing sensors of smart devices for malicious purposes. Specifically, we present a detailed survey about existing sensor-based threats and attacks to smart devices and countermeasures that have been developed to secure smart devices from sensor-based threats. Furthermore, we discuss security and privacy issues of smart devices in the context of sensor-based threats and attacks and conclude with future research directions.
Conference Paper
Full-text available
As part of the Internet of Things, industrial devices are now also connected to cloud services. However, the connection to the Internet increases the risks for Industrial Control Systems. Therefore, a threat analysis is essential for these devices. In this paper, we examine Industrial Internet of Things devices, identify and rank different sources of threats and describe common threats and vulnerabilities. Finally, we recommend a procedure to carry out a threat analysis on these devices.
Article
Full-text available
A key application of the Internet of Things (IoT) paradigm lies within industrial contexts. Indeed, the emerging Industrial Internet of Things (IIoT), commonly referred to as Industry 4.0, promises to revolutionize production and manufacturing through the use of large numbers of networked embedded sensing devices, and the combination of emerging computing technologies, such as Fog/Cloud Computing and Artificial Intelligence. The IIoT is characterized by an increased degree of inter-connectivity, which not only creates opportunities for the industries that adopt it, but also for cyber-criminals. Indeed, IoT security currently represents one of the major obstacles that prevent the widespread adoption of IIoT technology. Unsurprisingly, such concerns led to an exponential growth of published research over the last few years. To get an overview of the field, we deem it important to systematically survey the academic literature so far, and distill from it various security requirements as well as their popularity. This paper consists of two contributions: our primary contribution is a systematic review of the literature over the period 2011-2019 on IIoT Security, focusing in particular on the security requirements of the IIoT. Our secondary contribution is a reflection on how the relatively new paradigm of Fog computing can be leveraged to address these requirements, and thus improve the security of the IIoT.
Article
Full-text available
Historically, Industrial Automation and Control Systems (IACS) were largely isolated from conventional digital networks such as enterprise ICT environments. Where connectivity was required, a zoned architecture was adopted, with firewalls and/or demilitarized zones used to protect the core control system components. The adoption and deployment of ‘Internet of Things’ (IoT) technologies is leading to architectural changes to IACS, including greater connectivity to industrial systems. This paper reviews what is meant by Industrial IoT (IIoT) and relationships to concepts such as cyber-physical systems and Industry 4.0. The paper develops a definition of IIoT and analyses related partial IoT taxonomies. It develops an analysis framework for IIoT that can be used to enumerate and characterise IIoT devices when studying system architectures and analysing security threats and vulnerabilities. The paper concludes by identifying some gaps in the literature.
Article
Full-text available
Internet of Things (IoT) is an emerging domain that promises ubiquitous connection to the Internet, turning common objects into connected devices. The IoT paradigm is changing the way people interact with things around them. It paves the way to creating pervasively connected infrastructures to support innovative services and promises better flexibility and efficiency. Such advantages are attractive not only for consumer applications, but also for the industrial domain. Over the last few years, we have been witnessing the IoT paradigm making its way into the industry marketplace with purposely designed solutions. In this paper, we clarify the concepts of IoT, Industrial IoT, and Industry 4.0. We highlight the opportunities brought in by this paradigm shift as well as the challenges for its realization. In particular, we focus on the challenges associated with the need of energy efficiency, real-time performance, coexistence, interoperability, and security and privacy. We also provide a systematic overview of the state-of-the-art research efforts and potential research directions to solve Industrial IoT challenges.
Conference Paper
Full-text available
Solving security concerns are one of the main challenges for the Internet of Things. There are different issues to be solved within the physically connected part of the IoT and in the networking domain, and another set of issues exist for the data-processing back-end, not to mention the presentation/configuration layer, where direct human interaction brings in further threats. Automation IoT applications have special real-time requirements, they are expected to have high level of reliability, and often operate in safety-critical environment. These requirements justify extreme security and safety measures. This paper discusses the security threats that can appear in the different layers of an IoT architecture, especially in the automation domain. The mitigation practices of the various security issues are also discussed, bearing in mind that the solutions can bring quite different measures for the physical equipment in the field, for the communication infrastructure, or for the data processing applications.
Conference Paper
Full-text available
The Internet of Things (IoT) has various fields of application including health care, resource management, asset tracking, etc. Depending on the use case, various technologies like RFID, Wireless Sensor Network (WSN) or Smart Objects can be used. With each of these comes a specific vision of what the IoT and connected objects are and – to our knowledge – there is no global picture of the IoT. The issue with this approach is that specific problems have been addressed before global ones: what if something has been missed? We propose a definition and taxonomy for connected objects and the IoT.
Article
Full-text available
Internet of Things (IoT) devices are rapidly becoming ubiquitous while IoT services are becoming pervasive. Their success has not gone unnoticed and the number of threats and attacks against IoT devices and services are on the increase as well. Cyber-attacks are not new to IoT, but as IoT will be deeply interwoven in our lives and societies, it is becoming necessary to step up and take cyber defense seriously. Hence, there is a real need to secure IoT, which has consequently resulted in a need to comprehensively understand the threats and attacks on IoT infrastructure. This paper is an attempt to classify threat types, besides analyze and characterize intruders and attacks facing IoT devices and services.
Article
Full-text available
The Internet of Things paradigm envisions the pervasive interconnection and cooperation of smart things over the current and future Internet infrastructure. The Internet of Things is, thus, the evolution of the Internet to cover the real world, enabling many new services that will improve people's everyday lives, spawn new businesses, and make buildings, cities, and transport smarter. Smart things allow indeed for ubiquitous data collection or tracking, but these useful features are also examples of privacy threats that are already now limiting the success of the Internet of Things vision when not implemented correctly. These threats involve new challenges such as the pervasive privacy-aware management of personal data or methods to control or avoid ubiquitous tracking and profiling. This paper analyzes the privacy issues in the Internet of Things in detail. To this end, we first discuss the evolving features and trends in the Internet of Things with the goal of scrutinizing their privacy implications. Second, we classify and examine privacy threats in this new setting, pointing out the challenges that need to be overcome to ensure that the Internet of Things becomes a reality. Copyright © 2013 John Wiley & Sons, Ltd.
Article
• IN 2018, an article in Bloomberg Businessweek made the stupendous assertion that Chinese spy services had created back doors to servers built for Amazon, Apple, and others by inserting millimeter-size chips into circuit boards.
Article
The Internet of Things (IoT) is an emerging paradigm focusing on the inter-connection of things or devices to each other and to the users. This technology is anticipated to become an integral milestone in the development of smart homes and smart cities. For any technology to be successful and achieve widespread use, it needs to gain the trust of users by providing adequate security and privacy assurance. Despite the growing interest of the research community in IoT, and the emergence of several surveys and papers addressing its architecture and its elements, we are still lacking a thorough analysis of the security and privacy properties that are required for a system where the constituent devices vary in their capabilities. In this paper we provide a threat model based on use-cases of IoT, which can be used to determine where efforts should be invested in order to secure these systems. We conclude by recommending measures that will help in providing security and assuring privacy when using IoT.
Article
Spply voltage glitches are a well-known fault njection method used to attack electronic circuits. The aim of this paper is to identify the specific threats of mixed signal systems and to provide some solutions to ensure their security. Indeed, many Systems on Chip use both analog and digital circuits but, most of the time, the security of such application is considered only from an exclusively digital or sometimes nalog oint of view. However, in mixed-signals systems, analog and digital solutions coexist and must be considered as a unique system to ensure the security of the whole application. In this purpose, this paper gives an overview of voltage glitch attacks effects and countermeasures for analog and digital blocks as part of Mixed-Signal SoCs (AMS-SoCs). It also emphasizes the unique behavior of mixed-signal circuits during glitch attacks and suggest some guidelines to associate efficiently analog and digital solutions to secure a mixed-signal system.
Article
Last year marked a turning point in the history of cybersecurity-the arrival of the first cyber warfare weapon ever, known as Stuxnet. Not only was Stuxnet much more complex than any other piece of malware seen before, it also followed a completely new approach that's no longer aligned with conven tional confidentiality, integrity, and availability thinking. Con trary to initial belief, Stuxnet wasn't about industrial espionage: it didn't steal, manipulate, or erase information. Rather, Stuxnet's goal was to physically destroy a military target-not just meta phorically, but literally. Let's see how this was done.
Threat landscape for industrial automation systems: Statistics for H2 2020
"Threat landscape for industrial automation systems: Statistics for H2 2020," Kaspersky ICS CERT, Mar. 2021. [Online]. Available: https://ics-cert.kaspersky.com/media/Kaspersky-Threat-landscape-forindustrial-automation-systems-statistics-for-H2-2020-En.pdf [accessed: 2021-12-01]
Operational Cybersecurity for Digitized Manufacturing: Emerging Approaches for the Converged Physical-Virtual Environment
  • J Santagate
  • R Glaisner
  • R Westervelt
J. Santagate, R. Glaisner, and R. Westervelt, "Operational Cybersecurity for Digitized Manufacturing: Emerging Approaches for the Converged Physical-Virtual Environment," IDC, Aug. 2019. [Online]. Available: https://www.fortinet.com/content/dam/fortinet/assets/white-papers/ wp-idc-operational-cybersecurity-for-digitized-manufacturing.pdf [accessed: 2021-12-01]
  • M Bakuei
  • R Flores
  • Lord Remorin
  • F Yarochkin
M. Bakuei, R. Flores, Lord Remorin, and F. Yarochkin, "2020 Report on Threats Affecting ICS Endpoints," Trend Micro Research, Jun. 2021. [Online]. Available: https://www.trendmicro.com/vinfo/us/security/ news/internet-of-things/2020-report-ics-endpoints-as-starting-pointsfor-threats [accessed: 2021-12-01]
DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
"DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks," Cybersecurity & Infrastructure Security Agency (CISA), May 2021. [Online]. Available: https://us-cert.cisa.gov/ ncas/alerts/aa21-131a [accessed: 2021-12-01]
Water Treatment Facility
"Compromise of U.S. Water Treatment Facility," Cybersecurity & Infrastructure Security Agency (CISA), Feb. 2021. [Online]. Available: https://us-cert.cisa.gov/ncas/alerts/aa21-042a [accessed: 2021-12-01]
Industrial Internet of Things (IIoT) leading use cases worldwide as of 2019*
"Industrial Internet of Things (IIoT) leading use cases worldwide as of 2019*," PTC, Chart. May 1, 2019. [Online]. Available: https://www.statista.com/statistics/1102202/industrial-iot-worldwideuse-cases/ [accessed: 2021-12-01]
Operational Technology and Information Technology in Industrial Control Systems
  • A Hahn
A. Hahn, "Operational Technology and Information Technology in Industrial Control Systems," in Cyber-security of SCADA and Other Industrial Control Systems, 2016, pp. 51-68, DOI: 10.1007/978-3-319-32125-7 4.
Mapping of IoT security recommendations, guidance and standards
"Mapping of IoT security recommendations, guidance and standards," Department for Digital, Culture, Media & Sport, Oct. 2018. [Online]. Available: https://www.gov.uk/government/publications/ mapping-of-iot-security-recommendations-guidance-and-standards [accessed: 2021-12-01]
Distribution of operating systems used for Internet-of-Things (IoT) devices, as of 2016
IEEE (Internet of Things), European Commission (Agile IoT), and Eclipse IoT Working Group, "Distribution of operating systems used for Internet-of-Things (IoT) devices, as of 2016," Apr. 2016. [Online]. Available: https://www.statista.com/statistics/659581/worldwideinternet-of-things-survey-operating-systems/ [accessed: 2021-12-01]
A performance study of crypto-hardware in the low-end IoT
  • P Kietzmann
  • L Boeckmann
  • L Lanzieri
  • T C Schmidt
  • M Wählisch
P. Kietzmann, L. Boeckmann, L. Lanzieri, T. C. Schmidt, and M. Wählisch, "A performance study of crypto-hardware in the low-end IoT," in Proceedings of the 2021 international conference on embedded wireless systems and networks, USA, 2021, pp. 79-90.
Malicious Control System Cyber Security Attack Case Study-Maroochy Water Services, Australia
  • M Abrams
  • J Weiss
M. Abrams and J. Weiss, "Malicious Control System Cyber Security Attack Case Study-Maroochy Water Services, Australia," MITRE, Aug. 2008.
Update-Pflicht für digitale Geräte: Was haben Kunden davon? (Mandatory updates for digital devices: What's in it for customers?)
  • M Henschke
M. Henschke, "Update-Pflicht für digitale Geräte: Was haben Kunden davon? (Mandatory updates for digital devices: What's in it for customers?)," Hamburger Abendblatt, Jun. 27, 2021. [Online]. Available: https://www.abendblatt.de/ratgeber/article232640687/updatepflicht-digitale-geraete-smartphone-verbraucher.html [accessed: 2021-12-01]
  • S Miller
  • N Brubaker
  • D Kapellmann Zafra
  • D Caban
S. Miller, N. Brubaker, D. Kapellmann Zafra, and D. Caban, "TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping," FireEye, April 10, 2019. [Online].
Industroyer: Biggest threat to industrial control systems since Stuxnet
  • A Cherepanov
  • R Lipovsky
A. Cherepanov and R. Lipovsky, "Industroyer: Biggest threat to industrial control systems since Stuxnet," welivesecurity, June 12th, 2017. [Online]. Available: https://www.welivesecurity.com/2017/06/ 12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/ [accessed: 2021-12-01]
Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store
  • C Xiao
C. Xiao, "Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store," paloaltonetworks.com, Sep. 17, 2015. https://unit42.paloaltonetworks.com/novel-malware-xcodeghostmodifies-xcode-infects-apple-ios-apps-and-hits-app-store/ [accessed: 2021-12-01]
TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
  • J Boone
J. Boone, "TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus," NCC Group, White Paper, Mar. 2018. [Online]. Available: https://github.com/nccgroup/TPMGenie/blob/master/docs/ NCC Group Jeremy Boone TPM Genie Whitepaper.pdf [accessed: 2021-12-01]
INFRA:HALT -Jointly discovering and mitigating large-scale OT vulnerabilities
  • D Santos
  • S Dashevskyi
  • A Amri
  • J Wetzels
  • A Karas
  • S Menashe
  • D Vozniuk
D. dos Santos, S. Dashevskyi, A. Amri, J. Wetzels, A. Karas, S. Menashe, and D. Vozniuk, "INFRA:HALT -Jointly discovering and mitigating large-scale OT vulnerabilities," Forescout, 2021. [Online]. Available: https://www.forescout.com/resources/infrahalt-discoveringmitigating-large-scale-ot-vulnerabilities/ [accessed: 2021-12-01]
NAME:WRECK -Breaking and fixing DNS implementations
  • D Santos
  • S Dashevskyi
  • A Amri
  • J Wetzels
  • S Oberman
  • M Kol
D. dos Santos, S. Dashevskyi, A. Amri, J. Wetzels, S. Oberman, and M. Kol, "NAME:WRECK -Breaking and fixing DNS implementations," Forescout, 2021. [Online]. Available: https://www.forescout.com/company/resources/namewreck-breakingand-fixing-dns-implementations/ [accessed: 2021-12-01]
AMNESIA:33 -How TCP/IP Stacks Breed Critical Vulnerabilities in IoT, OT and IT Devices
  • D Santos
  • S Dashevskyi
  • J Wetzels
  • A Amri
D. dos Santos, S. Dashevskyi, J. Wetzels, and A. Amri, "AMNESIA:33 -How TCP/IP Stacks Breed Critical Vulnerabilities in IoT, OT and IT Devices," Forescout, 2020. [Online]. Available: https://www.forescout.com/company/resources/amnesia33-how-tcp-ipstacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/ [accessed: 2021-12-01]
Smart nest thermostat a smart spy in your home
  • G Hernandez
  • D Buentello
G. Hernandez and D. Buentello, "Smart nest thermostat a smart spy in your home," 2014.
Threat modeling: designing for security
  • A Shostack
A. Shostack, Threat modeling: designing for security. Indianapolis, IN: Wiley, 2014.