William Knowles’s research while affiliated with Lancaster University and other places


Publications (13)


PCaaD: Towards Automated Determination and Exploitation of Industrial Systems
  • Article
  • August 2021
  • 52 Reads · 20 Citations
  • Computers & Security
  • Benjamin Green · William Knowles · [...]

Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e., process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to execute targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class, affording attackers an increased level of process comprehension. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach towards the system-agnostic identification of PLC library functions. This leads to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs through its practical application.


Figure 1: Threat Model
Figure 2: Modbus Library Function
Figure 3: Modbus Library Function Data Block requests (e.g. Read, Write, and Upload) as per vendor specifications [31].
Figure 4: Get Block Info Example
Figure 6: Email Library Function

Text excerpt accompanying Figure 4 (begins mid-sentence): ... industrial networks, it would raise a red flag, and could be blocked as part of an environment's default security configuration profile.

Bulk Transfer (Block Upload) - The second technique we have identified makes use of the inbuilt feature Upload. This is a network function constructed to extract POUs in their entirety from the PLC. With PLCs, it is important to note that in certain situations we talk from the device's perspective. This is industry-derived terminology consistent between vendors. Therefore, when using the term upload, we are referring to the PLC uploading data to the user, not the user uploading data to the PLC. In sending a DB Upload request to the PLC, the entire byte-code of that DB will be returned. We examined this byte-code, and found the previously discussed family and header parameters stored in clear text (see Figure 5). Running a parser over the byte-code allows us to clearly identify the DB's related FB.

PCaaD: Towards Automated Determination and Exploitation of Industrial Processes
  • Preprint
  • February 2021
  • 385 Reads

Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e. process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to conduct targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class based on control-logic constructs. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach for system-agnostic exploitation of PLC library functions, leading to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs, by identification of practical attacks.


All That Glitters Is Not Gold: On the Effectiveness of Cyber Security Qualifications
  • December 2017
  • 146 Reads · 7 Citations
  • Computer

There has been a proliferation of industry-focused cyber security qualifications, which use different techniques to assess the competencies of cyber security professionals and certify them to employers. There is, however, a lingering question about these qualifications: do they effectively assess the competencies of cyber security professionals? 74 cyber security qualifications were analysed to determine how competency assessment is performed in practice, and five distinct techniques were identified together with the frequency of their use within qualifications. These techniques formed the basis of a large-scale survey of the perceptions of 153 industry stakeholders on the effectiveness of individual techniques and their cost-effectiveness as combinations. Despite a perceived low effectiveness of Multiple Choice Examinations, industry qualifications were found to rely on it heavily, often as a sole technique, and few qualifications utilised the cost-effective combinations identified by stakeholders.


Figures: Fig. 2 - Stakeholder composition. Fig. 5 - Opportunities for improvement within the simulated security assessment ecosystem. Penetration testing qualifications.

The simulated security assessment ecosystem: Does penetration testing need standardisation?
  • August 2016
  • 318 Reads · 24 Citations
  • Computers & Security

Simulated security assessments (a collective term used here for penetration testing, vulnerability assessment, and related nomenclature) may need standardisation, but not in the commonly assumed manner of practical assessment methodologies. Instead, this study highlights market failures within the providing industry at the beginning and ending of engagements, which has left clients receiving ambiguous and inconsistent services. It is here, at the prior and subsequent phases of practical assessments that standardisation may serve the continuing professionalisation of the industry, and provide benefits not only to clients, but the practitioners involved in the provision of these services. These findings are based on the results of 54 stakeholder interviews with providers of services, clients, and coordinating bodies within the industry. The paper culminates with a framework for future advancement of the ecosystem, which includes three recommendations for standardisation.


Information Assurance Techniques: Perceived Cost Effectiveness
  • April 2016
  • 697 Reads · 36 Citations
  • Computers & Security

The assurance technique is a fundamental component of the assurance ecosystem; it is the mechanism by which we assess security to derive a measure of assurance. Despite this importance, the characteristics of these assurance techniques have not been comprehensively explored within academic research from the perspective of industry stakeholders. Here, a framework of 20 "assurance techniques" is defined along with their interdependencies. A survey was conducted which received 153 responses from industry stakeholders, in order to determine perceptions of the characteristics of these assurance techniques. These characteristics include the expertise required, number of people required, time required for completion, effectiveness and cost. The extent to which perceptions differ between those in practitioner and management roles is considered. The findings were then used to compute a measure of cost-effectiveness for each assurance technique. Survey respondents were also asked about their perceptions of complementary assurance techniques. These findings were used to establish 15 combinations, of which the combined effectiveness and cost-effectiveness was assessed.



Figure 1: A Conceptual Model of an ICS: Safety and Security Goals (Adapted from [3, 8]) 
Figure 2: The Terminology of Assurance 
Figure 3: Audit Evidence Determines Conformity Based on Organisational Risk Posture 
Figure 4: Study Methodology 
Assurance Techniques for Industrial Control Systems (ICS)

October 2015

·

1,787 Reads

·

17 Citations

Assurance techniques generate evidence that allow us to make claims of assurance about security. For the purpose of certification to an assurance scheme, this evidence enables us to answer the question: are the implemented security controls consistent with organisational risk posture? This paper uses interviews with security practitioners to assess how ICS security assessments are conducted in practice, before introducing the five "PASIV" principles to ensure the safe use of assurance techniques. PASIV is then applied to three phases of the system development life cycle (development; procurement; operational), to determine when, and when not, these assurance techniques can be used to generate evidence. Focusing then on the operational phase, this study assesses how assurance techniques generate evidence for the 35 security control families of ISO/IEC 27001:2013.


A survey of cyber security management in industrial control systems
  • March 2015
  • 1,216 Reads · 319 Citations
  • International Journal of Critical Infrastructure Protection

Contemporary industrial control systems no longer operate in isolation, but use other networks (e.g., corporate networks and the Internet) to facilitate and improve business processes. The consequence of this development is the increased exposure to cyber threats. This paper surveys the latest methodologies and research for measuring and managing this risk. A dearth of industrial-control-system-specific security metrics has been identified as a barrier to implementing these methodologies. Consequently, an agenda for future research on industrial control system security metrics is outlined. The “functional assurance” concept is also introduced to deal with fail-safe and fail-secure industrial control system operations.



Quality Evaluation in Peer-to-Peer IPTV Services
  • January 2013
  • 24 Reads · 4 Citations
  • Lecture Notes in Computer Science

Modern IPTV services are comprised of multiple comprehensive service elements in the entire content delivery chain to maximise the efficiency in networking. Audio-visual content may experience various types of impairments during content ingest, processing, distribution and reception. While some impairments do not cause noticeable distortions to the delivered content, many others such as the network transmission loss can be highly detrimental to the user experience in content consumption. In order to optimise service quality and to provide a benchmarking platform to evaluate the designs for future audio-visual content distribution systems, a quality evaluation framework is essential. We introduce such an evaluation framework to assess video service with respect to user perception, while supporting service diagnosis to identify root causes of any detected quality degradation. Compared with existing QoE frameworks, our solution offers an advanced but practical design for the real-time analysis of IPTV services in multiple service layers.


Citations (11)


... VetPLC [52], PLC Sleuth [21,25]. In future work, we will extend the SAIN runtime monitor to validate sensor-to-PLC and PLC-to-actuator communication with state-aware invariants, under a more advanced threat model. ...

Reference:

SAIN: Improving ICS Attack Detection Sensitivity via State-Aware Invariants
PCaaD: Towards Automated Determination and Exploitation of Industrial Systems
  • Citing Article
  • August 2021

Computers & Security

... RAIM cybersecurity platform for critical infrastructure [12] implemented modules based on real-time monitoring and anomaly detection using vulnerability index computing. Another framework for such a real-time cyber security risk assessment was presented in [7] and takes into consideration the process components level, human factor level and a real-time metrics assessment level. ...

Towards Real-Time Assessment of Industrial Control Systems (ICSs): A Framework for Future Research

... The NERC critical infrastructure protection standards (NERC, 2018b), mentioned in the previous section are an example of a body of knowledge. Knowles, Gouglidis, Misra, and Rashid (2017) identified 74 cybersecurity-related certifications issued by 14 organizations. One of the 74 certifications identified is the Certified Information Systems Security Professional (CISSP) certification discussed in Chapter 1. ...

All That Glitters Is Not Gold: On the Effectiveness of Cyber Security Qualifications
  • Citing Article
  • December 2017

Computer

... Among all, it defines a PT methodology model based on four phases: planning, discovery, attack, reporting. Despite the recent growing adoption of PT in several contexts and the availability of several PT methodologies and frameworks (e.g., PTES, OWASP Testing Guide, OSSTMM, PTS, ISSAF), there is no state-of-the-art standard dedicated to the description of PT activities [9], while it is currently heavily dependent on testers' skills and experience. The main problem with PT is the long time necessary to test even a medium-size system: in fact, nowadays security consultants (pentesters) typically perform time-boxed assessments, which represents a limited and, often, very small attempt to address security at the end of the development cycle. ...

The simulated security assessment ecosystem: Does penetration testing need standardisation?

Computers & Security

... The attackers identify the exploitable vulnerabilities and potential weaknesses of different enterprises instead of concentrating on a particular organisation to interrupt a business. Small and medium-sized enterprises (SMEs) are the target of more general attacks [3] considering multiple factors, i.e., lack of or cybersecurity remediation plan, lack of technical expertise and training. ...

Information Assurance Techniques: Perceived Cost Effectiveness
  • Citing Article
  • April 2016

Computers & Security

... Hill et al. [32] analyzed the tweets produced in response to the advertisements aired during the 2012 Super Bowl, and showed that the level of online consumer engagement, measured by the number of new followers on Twitter during the Super Bowl, can be linked to whether the advertised brand has a social media strategy or not. Knowles et al. [33] showed that quizzes are positively perceived by viewers and highlighted that the viewers' perception depends on the TV content. Hill et al. [32] found that social media platforms become an outlet for TV viewers who are looking to express themselves while watching their favorite TV programs [32]. ...

Improving Interactive TV Experience Using Second Screen Mobile Applications

... Conducting such engagements helps organisations understand both the psychological factors and the techniques employed during genuine cyber attacks. In doing so, underlying vulnerabilities can be detected and patched, and incident response teams can be trained by being kept updated about tools and techniques used by modern attackers [42]. ...

Assurance Techniques for Industrial Control Systems (ICS)

... Although, the metric is domain specific. Knowles et al., (2015) conducted a survey of cyber security management in industrial control systems and concluded that there is a lack of guidance on how to address the area of quantitative and qualitative cyber security metrics which hinders the efforts to implement proper security in the critical infrastructure industry (Mouatassim & Ibenrissoul, 2015). ...

A survey of cyber security management in industrial control systems
  • Citing Article
  • March 2015

International Journal of Critical Infrastructure Protection

... IPTV service has become a key product for Internet Service Providers (ISP), offering several benefits both to ISP and end-users [5]. The mass usage of IPTV makes the service economically meaningful to TV providers as well as Internet providers and advertisers [6,7]. For that reason, the sociological agencies perform monitoring and measuring of various parameters of IPTV usage. ...

Quality Evaluation in Peer-to-Peer IPTV Services
  • Citing Chapter
  • January 2013

Lecture Notes in Computer Science

... The 20% most popular programs get 84% of the views. Mu et al. [5] perform a program popularity characterization for a Catch-up TV service. Although in general programs quickly lose popularity over time, they show that each program has a different behaviour, i.e. some programs might not have been watched in Live TV and then gain popularity over time in Catch-up TV, while others are only watched in Live TV. ...

Understanding Your Needs: An Adaptive VoD System