-
On Explainability in AI-Solutions: A Cross-Domain Survey
Authors:
Simon Daniel Duque Anton,
Daniel Schneider,
Hans Dieter Schotten
Abstract:
Artificial Intelligence (AI) increasingly shows its potential to outperform predicate logic algorithms and human control alike. In automatically deriving a system model, AI algorithms learn relations in data that are not detectable for humans. This great strength, however, also makes use of AI methods dubious. The more complex a model, the more difficult it is for a human to understand the reasoning for the decisions. As currently, fully automated AI algorithms are sparse, every algorithm has to provide a reasoning for human operators. For data engineers, metrics such as accuracy and sensitivity are sufficient. However, if models are interacting with non-experts, explanations have to be understandable. This work provides an extensive survey of literature on this topic, which, to a large part, consists of other surveys. The findings are mapped to ways of explaining decisions and reasons for explaining decisions. It shows that the heterogeneity of reasons and methods of and for explainability lead to individual explanatory frameworks.
Submitted 11 October, 2022;
originally announced October 2022.
-
The Global State of Security in Industrial Control Systems: An Empirical Analysis of Vulnerabilities around the World
Authors:
Simon Daniel Duque Anton,
Daniel Fraunholz,
Daniel Krohmer,
Daniel Reti,
Daniel Schneider,
Hans Dieter Schotten
Abstract:
Operational Technology (OT)-networks and -devices, i.e. all components used in industrial environments, were not designed with security in mind. Efficiency and ease of use were the most important design characteristics. However, due to the digitisation of industry, an increasing number of devices and industrial networks is opened up to public networks. This is beneficial for administration and organisation of the industrial environments. However, it also increases the attack surface, providing possible points of entry for an attacker. Originally, breaking into production networks meant to break an Information Technology (IT)-perimeter first, such as a public website, and then to move laterally to Industrial Control Systems (ICSs) to influence the production environment. However, many OT-devices are connected directly to the Internet, which drastically increases the threat of compromise, especially since OT-devices contain several vulnerabilities. In this work, the presence of OT-devices in the Internet is analysed from an attacker's perspective. Publicly available tools, such as the search engine Shodan and vulnerability databases, are employed to find commonly used OT-devices and map vulnerabilities to them. These findings are grouped according to country of origin, manufacturer, and number as well as severity of vulnerability. More than 13000 devices were found, almost all contained at least one vulnerability. European and Northern American countries are by far the most affected ones.
Submitted 27 November, 2021;
originally announced November 2021.
-
Knowledge Rocks: Adding Knowledge Assistance to Visualization Systems
Authors:
Anna-Pia Lohfink,
Simon D. Duque Anton,
Heike Leitte,
Christoph Garth
Abstract:
We present Knowledge Rocks, an implementation strategy and guideline for augmenting visualization systems to knowledge-assisted visualization systems, as defined by the KAVA model. Visualization systems become more and more sophisticated. Hence, it is increasingly important to support users with an integrated knowledge base in making constructive choices and drawing the right conclusions. We support the effective reactivation of visualization software resources by augmenting them with knowledge-assistance. To provide a general and yet supportive implementation strategy, we propose an implementation process that is based on an application-agnostic architecture. This architecture is derived from existing knowledge-assisted visualization systems and the KAVA model. Its centerpiece is an ontology that is able to automatically analyze and classify input data, linked to a database to store classified instances. We discuss design decisions and advantages of the KR framework and illustrate its broad area of application in diverse integration possibilities of this architecture into an existing visualization system. In addition, we provide a detailed case study by augmenting an IT-security system with knowledge-assistance facilities.
Submitted 8 November, 2021; v1 submitted 23 July, 2021;
originally announced July 2021.
-
Secure (S)Hell: Introducing an SSH Deception Proxy Framework
Authors:
Daniel Reti,
David Klaaßen,
Simon Duque Anton,
Hans Dieter Schotten
Abstract:
Deceiving an attacker in the network security domain is a well established approach, mainly achieved through deployment of honeypots consisting of open network ports with the sole purpose of raising an alert on a connection. With attackers becoming more careful to avoid honeypots, other decoy elements on real host systems continue to create uncertainty for attackers. This uncertainty makes an attack more difficult, as an attacker cannot be sure whether the system does contain deceptive elements or not. Consequently, each action of an attacker could lead to the discovery. In this paper a framework is proposed for placing decoy elements through an SSH proxy, allowing to deploy decoy elements on-the-fly without the need for a modification of the protected host system.
Submitted 8 April, 2021;
originally announced April 2021.
-
Investigating the Ecosystem of Offensive Information Security Tools
Authors:
Simon D Duque Anton,
Daniel Fraunholz,
Daniel Schneider
Abstract:
The internet landscape is growing and at the same time becoming more heterogeneous. Services are performed via computers and networks, critical data is stored digitally. This enables freedom for the user, and flexibility for operators. Data is easier to manage and distribute. However, every device connected to a network is potentially susceptible to cyber attacks. Security solutions, such as antivirus software or firewalls, are widely established. However, certain types of attacks cannot be prevented with defensive measures alone. Offensive security describes the practice of security professionals using methods and tools of cyber criminals. This allows them to find vulnerabilities before they become the point of entry in a real attack. Furthermore, following the methods of cyber criminals enables security professionals to adapt to a criminal's point of view and potentially discover attack angles formerly ignored. As cyber criminals often employ freely available security tools, having knowledge about these provides additional insight for professionals. This work categorises and compares tools regarding metrics concerning maintainability, usability and technical details. Generally, several well-established tools are available for the first phases, while phases after the initial breach lack a variety of tools.
Submitted 16 December, 2020;
originally announced December 2020.
-
Creating it from SCRATCh: A Practical Approach for Enhancing the Security of IoT-Systems in a DevOps-enabled Software Development Environment
Authors:
Simon D Duque Anton,
Daniel Fraunholz,
Daniel Krohmer,
Daniel Reti,
Hans D Schotten,
Franklin Selgert,
Marcell Marosvölgyi,
Morten Larsen,
Krishna Sudhakar,
Tobias Koch,
Till Witt,
Cédric Bassem
Abstract:
DevOps describes a method to reorganize the way different disciplines in software engineering work together to speed up software delivery. However, the introduction of DevOps-methods to organisations is a complex task. A successful introduction results in a set of structured process descriptions. Despite the structure, this process leaves margin for error: Especially security issues are addressed in individual stages, without consideration of the interdependence. Furthermore, applying DevOps-methods to distributed entities, such as the Internet of Things (IoT) is difficult as the architecture is tailor-made for desktop and cloud resources. In this work, an overview of tooling employed in the stages of DevOps processes is introduced. Gaps in terms of security or applicability to the IoT are derived. Based on these gaps, solutions that are being developed in the course of the research project SCRATCh are presented and discussed in terms of benefit to DevOps-environments.
Submitted 28 October, 2020;
originally announced October 2020.
-
Intrusion Detection in Binary Process Data: Introducing the Hamming-distance to Matrix Profiles
Authors:
Simon D Duque Anton,
Hans Dieter Schotten
Abstract:
The digitisation of industry provides a plethora of novel applications that increase flexibility and reduce setup and maintenance time as well as cost. Furthermore, novel use cases are created by the digitisation of industry, commonly known as Industry 4.0 or the Industrial Internet of Things; applications make use of communication and computation technology that is becoming available. This enables novel business use cases, such as the digital twin, customer individual production, and data market places. However, the inter-connectivity such use cases rely on also significantly increases the attack surface of industrial enterprises. Sabotage and espionage are aimed at data, which is becoming the most crucial asset of an enterprise. Since the requirements on security solutions in industrial networks are inherently different from office networks, novel approaches for intrusion detection need to be developed. In this work, process data of a real water treatment process that contains attacks is analysed. Analysis is performed by an extension of Matrix Profiles, a motif discovery algorithm for time series. By extending Matrix Profiles with a Hamming distance metric, binary and tertiary actuators can be integrated into the analysis in a meaningful fashion. This algorithm requires low training effort while providing accurate results. Furthermore, it can be employed in a real-time fashion. Selected actuators in the data set are analysed to highlight the applicability of the extended Matrix Profiles.
Submitted 17 July, 2020;
originally announced July 2020.
-
Security in Process: Visually Supported Triage Analysis in Industrial Process Data
Authors:
Anna-Pia Lohfink,
Simon D. Duque Anton,
Hans Dieter Schotten,
Heike Leitte,
Christoph Garth
Abstract:
Operation technology networks, i.e. hard- and software used for monitoring and controlling physical/industrial processes, have been considered immune to cyber attacks for a long time. A recent increase of attacks in these networks proves this assumption wrong. Several technical constraints lead to approaches to detect attacks on industrial processes using available sensor data. This setting differs fundamentally from anomaly detection in IT-network traffic and requires new visualization approaches adapted to the common periodical behavior in OT-network data. We present a tailored visualization system that utilizes inherent features of measurements from industrial processes to full capacity to provide insight into the data and support triage analysis by laymen and experts. The novel combination of spiral plots with results from anomaly detection was implemented in an interactive system. The capabilities of our system are demonstrated using sensor and actuator data from a real-world water treatment process with introduced attacks. Exemplary analysis strategies are presented. Finally, we evaluate effectiveness and usability of our system and perform an expert evaluation.
Submitted 23 July, 2021; v1 submitted 10 December, 2019;
originally announced December 2019.
-
Discussing the Feasibility of Acoustic Sensors for Side Channel-aided Industrial Intrusion Detection: An Essay
Authors:
Simon D. Duque Anton,
Anna Pia Lohfink,
Hans Dieter Schotten
Abstract:
The fourth industrial revolution leads to an increased use of embedded computation and intercommunication in an industrial environment. While reducing cost and effort for set up, operation and maintenance, and increasing the time to operation or market respectively as well as the efficiency, this also increases the attack surface of enterprises. Industrial enterprises have become targets of cyber criminals in the last decade, reasons being espionage but also politically motivated. Infamous attack campaigns as well as easily available malware that hits industry in an unprepared state create a large threat landscape. As industrial systems often operate for many decades and are difficult or impossible to upgrade in terms of security, legacy-compatible industrial security solutions are necessary in order to create a security parameter. One plausible approach in industry is the implementation and employment of side-channel sensors. Combining readily available sensor data from different sources via different channels can provide an enhanced insight about the security state. In this work, a data set of an experimental industrial set up containing side channel sensors is discussed conceptually and insights are derived.
Submitted 9 September, 2019;
originally announced September 2019.
-
Security in Process: Detecting Attacks in Industrial Process Data
Authors:
Simon D. Duque Anton,
Anna Pia Lohfink,
Christoph Garth,
Hans Dieter Schotten
Abstract:
Due to the fourth industrial revolution, industrial applications make use of the progress in communication and embedded devices. This allows industrial users to increase efficiency and manageability while reducing cost and effort. Furthermore, the fourth industrial revolution, creating the so-called Industry 4.0, opens a variety of novel use and business cases in the industrial environment. However, this progress comes at the cost of an enlarged attack surface of industrial companies. Operational networks that have previously been physically separated from public networks are now connected in order to make use of new communication capabilities. This motivates the need for industrial intrusion detection solutions that are compatible to the long-term operation machines in industry as well as the heterogeneous and fast-changing networks. In this work, process data is analysed. The data is created and monitored on real-world hardware. After a set up phase, attacks are introduced into the systems that influence the process behaviour. A time series-based anomaly detection approach, the Matrix Profiles, is adapted to the specific needs and applied to the intrusion detection. The results indicate an applicability of these methods to detect attacks in the process behaviour. Furthermore, they are easily integrated into existing process environments. Additionally, one-class classifiers One-Class Support Vector Machines and Isolation Forest are applied to the data without a notion of timing. While Matrix Profiles perform well in terms of creating and visualising results, the one-class classifiers perform poorly.
Submitted 9 September, 2019;
originally announced September 2019.
-
Anomaly-based Intrusion Detection in Industrial Data with SVM and Random Forests
Authors:
Simon D. Duque Anton,
Sapna Sinha,
Hans Dieter Schotten
Abstract:
Attacks on industrial enterprises are increasing in number as well as in effect. Since the introduction of industrial control systems in the 1970's, industrial networks have been the target of malicious actors. More recently, the political and warfare-aspects of attacks on industrial and critical infrastructure are becoming more relevant. In contrast to classic home and office IT systems, industrial IT, so-called OT systems, have an effect on the physical world. Furthermore, industrial devices have long operation times, sometimes several decades. Updates and fixes are tedious and often not possible. The threats on industry with the legacy requirements of industrial environments creates the need for efficient intrusion detection that can be integrated into existing systems. In this work, the network data containing industrial operation is analysed with machine learning- and time series-based anomaly detection algorithms in order to discover the attacks introduced to the data. Two different data sets are used, one Modbus-based gas pipeline control traffic and one OPC UA-based batch processing traffic. In order to detect attacks, two machine learning-based algorithms are used, namely SVM and Random Forest. Both perform well, with Random Forest slightly outperforming SVM. Furthermore, extracting and selecting features as well as handling missing data is addressed in this work.
Submitted 24 July, 2019;
originally announced July 2019.
-
Using Temporal and Topological Features for Intrusion Detection in Operational Networks
Authors:
Simon D. Duque Anton,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
Until two decades ago, industrial networks were deemed secure due to physical separation from public networks. An abundance of successful attacks proved that assumption wrong. Intrusion detection solutions for industrial application need to meet certain requirements that differ from home- and office-environments, such as working without feedback to the process and compatibility with legacy systems. Industrial systems are commonly used for several decades, updates are often difficult and expensive. Furthermore, most industrial protocols do not have inherent authentication or encryption mechanisms, allowing for easy lateral movement of an intruder once the perimeter is breached. In this work, an algorithm for motif discovery in time series, Matrix Profiles, is used to detect outliers in the timing behaviour of an industrial process. This process was monitored in an experimental environment, containing ground truth labels after attacks were performed. Furthermore, the graph representations of a different industrial data set that has been emulated are used to detect malicious activities. These activities can be derived from anomalous communication patterns, represented as edges in the graph. Finally, an integration concept for both methods is proposed.
Submitted 9 July, 2019;
originally announced July 2019.
-
Highly Scalable and Flexible Model for Effective Aggregation of Context-based Data in Generic IIoT Scenarios
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Janis Zemitis,
Frederic Pohl,
Hans Dieter Schotten
Abstract:
Interconnectivity of production machines is a key feature of the Industrial Internet of Things (IIoT). This feature allows for many advantages in producing. Configuration and maintenance gets easier, as access to the given production unit is not necessarily coupled to physical presence. Customized production of goods is easily possible, reducing production times and increasing throughput. There are, however, also dangers to the increasing talkativeness of industrial production machines. The more open a system is, the more points of entry for an attacker exist. Furthermore, the amount of data a production site produces also increases rapidly due to the integrated intelligence and interconnectivity. To keep track of this data in order to detect attacks and errors in the production site, it is necessary to smartly aggregate and evaluate the data. In this paper, we present a new approach for collecting, aggregating and analysing data from different sources and on three different levels of abstraction. Our model is event-centric, considering every occurrence of information inside the system as an event. In the lowest level of abstraction, singular packets are collected, correlated with log-entries and analysed. On the highest level of abstraction, networks are pictured as a connectivity graph, enriched with information about host-based activities. Furthermore, we describe our work in progress of evaluating our aggregation model on two different system settings. In the first scenario, we verify the usability of our model in a remote maintenance application. In the second scenario, we evaluate our model in the context of network sniffing and correlation with log-files. First results show that our model is a promising solution to cope with increasing amounts of data and to correlate information from different types of sources.
Submitted 28 May, 2019;
originally announced June 2019.
-
Implementing SCADA Scenarios and Introducing Attacks to Obtain Training Data for Intrusion Detection Methods
Authors:
Simon Duque Antón,
Michael Gundall,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
There are hardly any data sets publicly available that can be used to evaluate intrusion detection algorithms. The biggest threat for industrial applications arises from state-sponsored and criminal groups. Often, formerly unknown exploits are employed by these attackers, so-called 0-day exploits. They cannot be discovered with signature-based intrusion detection. Thus, statistical or machine learning based anomaly detection lends itself readily. These methods especially, however, need a large amount of labelled training data. In this work, an exemplary industrial use case with real-world industrial hardware is presented. Siemens S7 Programmable Logic Controllers are used to control a real world-based control application using the OPC UA protocol: A pump, filling and emptying water tanks. This scenario is used to generate application specific network data. Furthermore, attacks are introduced into this data set. This is done in three ways: First, the normal process is monitored and captured. Common attacks are then synthetically introduced into this data set. Second, malicious behaviour is implemented on the Programmable Logic Controller program and executed live, the traffic is captured as well. Third, malicious behaviour is implemented on the Programmable Logic Controller while still keeping the same output behaviour as in normal operation. An attacker could exploit an application but forge valid sensor output so that no anomaly is detected. Sensors are employed, capturing temperature, sound and flow of water to create data that can be correlated to the network data and used to still detect the attack. All data is labelled, containing the ground truth, meaning all attacks are known and no unknown attacks occur. This makes them perfect for training of anomaly detection algorithms. The data is published to enable security researchers to evaluate intrusion detection solutions.
Submitted 28 May, 2019;
originally announced May 2019.
-
Putting Things in Context: Securing Industrial Authentication with Context Information
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Christoph Lipps,
Khurshid Alam,
Hans Dieter Schotten
Abstract:
The development in the area of wireless communication, mobile and embedded computing leads to significant changes in the application of devices. Over the last years, embedded devices were brought into the consumer area creating the Internet of Things. Furthermore, industrial applications increasingly rely on communication through trust boundaries. Networking is cheap and easily applicable while providing the possibility to make everyday life easier and more comfortable and industry more efficient and less time-consuming. One of the crucial parts of this interconnected world is sound and secure authentication of entities. Only entities with valid authorisation should be enabled to act on a resource according to an access control scheme. An overview of challenges and practices of authentication is provided in this work, with a special focus on context information as part of security solutions. It can be used for authentication and security solutions in industrial applications. Additional information about events in networks can aid intrusion detection, especially in combination with security information and event management systems. Finally, an authentication and access control approach, based on context information and - depending on the scenario - multiple factors is presented. The combination of multiple factors with context information makes it secure and at the same time case adaptive, so that the effort always matches, but never exceeds, the security demand. This is a common issue of standard cyber security, entities having to obey strict, inflexible and unhandy policies. This approach has been implemented exemplarily based on RADIUS. Different scenarios were considered, showing that this approach is capable of providing flexible and scalable security for authentication processes.
Submitted 29 May, 2019;
originally announced May 2019.
-
Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/TCP Data Set
Authors:
Simon Duque Anton,
Suneetha Kanoor,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
In the context of the Industrial Internet of Things, communication technology, originally used in home and office environments, is introduced into industrial applications. Commercial off-the-shelf products, as well as unified and well-established communication protocols make this technology easy to integrate and use. Furthermore, productivity is increased in comparison to classic industrial contro…
▽ More
In the context of the Industrial Internet of Things, communication technology, originally used in home and office environments, is introduced into industrial applications. Commercial off-the-shelf products, as well as unified and well-established communication protocols make this technology easy to integrate and use. Furthermore, productivity is increased in comparison to classic industrial control by making systems easier to manage, set up and configure. Unfortunately, most attack surfaces of home and office environments are introduced into industrial applications as well, which usually have very few security mechanisms in place. Over the last years, several technologies tackling that issue have been researched. In this work, machine learning-based anomaly detection algorithms are employed to find malicious traffic in a synthetically generated data set of Modbus/TCP communication of a fictitious industrial scenario. The applied algorithms are Support Vector Machine (SVM), Random Forest, k-nearest neighbour and k-means clustering. Due to the synthetic data set, supervised learning is possible. Support Vector Machine and k-nearest neighbour perform well with different data sets, while k-nearest neighbour and k-means clustering do not perform satisfactorily.
Submitted 28 May, 2019;
originally announced May 2019.
-
The Dos and Don'ts of Industrial Network Simulation: A Field Report
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Dennis Krummacker,
Christoph Fischer,
Michael Karrenbauer,
Hans Dieter Schotten
Abstract:
Advances in industrial control lead to increasing incorporation of intercommunication technologies and embedded devices into the production environment. In addition to that, the rising complexity of automation tasks creates demand for extensive solutions. Standardised protocols and commercial off-the-shelf devices aid in providing these solutions. Still, setting up industrial communication networks is a tedious and high-effort task. This justifies the need for simulation environments in the industrial context, as they provide cost-, resource- and time-efficient evaluation of solution approaches. In this work, industrial use cases are identified and the corresponding requirements are derived. Furthermore, available simulation and emulation tools are analysed. They are mapped onto the requirements of industrial applications, so that an expressive assignment of solutions to application domains is given.
Submitted 28 May, 2019;
originally announced May 2019.
-
A Question of Context: Enhancing Intrusion Detection by Providing Context Information
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Stephan Teuber,
Hans Dieter Schotten
Abstract:
Due to the fourth industrial revolution, and the resulting increase in interconnectivity, industrial networks are more and more opened to publicly available networks. Apart from the huge benefit in manageability and flexibility, the openness also results in a larger attack surface for malicious adversaries. In comparison to office environments, industrial networks have very high volumes of data. In addition to that, every delay will most likely lead to loss of revenue. Hence, intrusion detection systems for industrial applications have different requirements than office-based intrusion detection systems. On the other hand, industrial networks are able to provide a lot of contextual information due to manufacturing execution systems and enterprise resource planning. Additionally, industrial networks tend to be more uniform, making it easier to determine outliers. In this work, an abstract simulation of industrial network behaviour is created. Malicious actions are introduced into a set of sequences of valid behaviour. Finally, a context-based and a context-less intrusion detection system are used to find the attacks. The results are compared and discussed. It can be seen that context information can help in identifying malicious actions more reliably than intrusion detection with only one source of information, e.g. the network.
Submitted 28 May, 2019;
originally announced May 2019.
-
Putting Together the Pieces: A Concept for Holistic Industrial Intrusion Detection
Authors:
Simon D. Duque Antón,
Hans Dieter Schotten
Abstract:
Besides the advantages derived from the ever-present communication properties, it increases the attack surface of a network as well. As industrial protocols and systems were not designed with security in mind, spectacular attacks on industrial systems occurred over the last years. Most industrial communication protocols do not provide means to ensure authentication or encryption. This means attackers with access to a network can read and write information. Originally not meant to be connected to public networks, the use cases of Industry 4.0 require interconnectivity, often through insecure public networks. This led to an increasing interest in information security products for industrial applications. In this work, the concept for holistic intrusion detection methods in an industrial context is presented. It is based on different works considering several aspects of industrial environments and their capabilities to identify intrusions as an anomaly in network or process data. These capabilities are based on preceding experiments on real and synthetic data. In order to justify the concept, an overview of potential and actual attack vectors and attacks on industrial systems is provided. It is shown that the different aspects of industrial facilities, e.g. office IT, shop floor OT and firewalled connections to customers and partners, as well as the different layers of the automation pyramid require different methods to detect attacks. Additionally, the individual steps of an attack on industrial applications are characterised. Finally, a resulting concept for integration of these methods is proposed, providing the means to detect the different stages of an attack by different means.
Submitted 28 May, 2019;
originally announced May 2019.
-
Devil in the Detail: Attack Scenarios in Industrial Applications
Authors:
Simon D. Duque Anton,
Alexander Hafner,
Hans Dieter Schotten
Abstract:
In the past years, industrial networks have become increasingly interconnected and opened to private or public networks. This leads to an increase in efficiency and manageability, but also increases the attack surface. Industrial networks often consist of legacy systems that have not been designed with security in mind. In the last decade, an increase in attacks on cyber-physical systems was observed, with drastic consequences in the physical world. In this work, attack vectors on industrial networks are categorised. A real-world process is simulated and attacks are then introduced. Finally, two machine learning-based methods for time series anomaly detection are employed to detect the attacks. Matrix Profiles are employed more successfully than a predictor Long Short-Term Memory network, a class of neural networks.
Submitted 24 May, 2019;
originally announced May 2019.
-
Two Decades of SCADA Exploitation: A Brief History
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Christoph Lipps,
Frederic Pohl,
Marc Zimmermann,
Hans D. Schotten
Abstract:
Since the early 1960s, industrial process control has been applied by electric systems. In the mid 1970s, the term SCADA emerged, describing automated control and data acquisition. Since most industrial and automation networks were physically isolated, security was not an issue. This changed when, in the early 2000s, industrial networks were opened to the public internet. The reasons were manifold. Increased interconnectivity led to more productivity, simplicity and ease of use. It decreased the configuration overhead and downtimes for system adjustments. However, it also led to an abundance of new attack vectors. In recent times, there has been a remarkable amount of attacks on industrial companies and infrastructures. In this paper, known attacks on industrial systems are analysed. This is done by investigating the exploits that are available on public sources. The different types of attacks and their points of entry are reviewed in this paper. Trends in exploitation as well as targeted attack campaigns against industrial enterprises are introduced.
Submitted 21 May, 2019;
originally announced May 2019.
-
Modern Problems Require Modern Solutions: Hybrid Concepts for Industrial Intrusion Detection
Authors:
Simon D. Duque Anton,
Mathias Strufe,
Hans Dieter Schotten
Abstract:
The concept of Industry 4.0 brings a disruption into the processing industry. It is characterised by a high degree of intercommunication and embedded computation, resulting in a decentralised and distributed handling of data. Additionally, cloud storage and Software-as-a-Service (SaaS) approaches enhance a centralised storage and handling of data. This often takes place in third-party networks. Furthermore, Industry 4.0 is driven by novel business cases: lot sizes of one, customer-individual production, observation of process state and progress in real time and remote maintenance, just to name a few. All of these new business cases make use of the novel technologies. However, cyber security has not been an issue in industry. Industrial networks have been considered physically separated from public networks. Additionally, the high level of uniqueness of any industrial network was said to prevent attackers from exploiting flaws. Those assumptions are inherently broken by the concept of Industry 4.0. As a result, an abundance of attack vectors is created. In the past, attackers have used those attack vectors in spectacular fashion. Especially Small and Medium-sized Enterprises (SMEs) in Germany struggle to adapt to these challenges. Reasons are the cost required for technical solutions and security professionals. In order to enable SMEs to cope with the growing threat in cyberspace, the research project IUNO Insec aims at providing and improving security solutions that can be used without specialised security knowledge. The project IUNO Insec is briefly introduced in this work. Furthermore, contributions in the field of intrusion detection, especially machine learning-based solutions, for industrial environments provided by the authors are presented and set into context.
Submitted 16 May, 2019; v1 submitted 15 May, 2019;
originally announced May 2019.
-
Time is of the Essence: Machine Learning-based Intrusion Detection in Industrial Time Series Data
Authors:
Simon Duque Anton,
Lia Ahrens,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
The Industrial Internet of Things drastically increases connectivity of devices in industrial applications. In addition to the benefits in efficiency, scalability and ease of use, this creates novel attack surfaces. Historically, industrial networks and protocols do not contain means of security, such as authentication and encryption, that are made necessary by this development. Thus, industrial IT security is needed. In this work, emulated industrial network data is transformed into a time series and analysed with three different algorithms. The data contains labelled attacks, so the performance can be evaluated. Matrix Profiles perform well with almost no parameterisation needed. Seasonal Autoregressive Integrated Moving Average performs well in the presence of noise, but requires parameterisation effort. Long Short-Term Memory-based neural networks perform only moderately while requiring a high training and parameterisation effort.
Submitted 20 September, 2018;
originally announced September 2018.
-
Demystifying Deception Technology: A Survey
Authors:
Daniel Fraunholz,
Simon Duque Anton,
Christoph Lipps,
Daniel Reti,
Daniel Krohmer,
Frederic Pohl,
Matthias Tammen,
Hans Dieter Schotten
Abstract:
Deception boosts security for systems and components by denial, deceit, misinformation, camouflage and obfuscation. In this work an extensive overview of the deception technology environment is presented. Taxonomies, theoretical backgrounds, psychological aspects as well as concepts, implementations, legal aspects and ethics are discussed and compared.
Submitted 17 April, 2018;
originally announced April 2018.
-
Angriffserkennung für industrielle Netzwerke innerhalb des Projektes IUNO (Attack Detection for Industrial Networks within the IUNO Project)
Authors:
Simon Duque Anton,
Daniel Fraunholz,
Hans Dieter Schotten
Abstract:
The increasing interconnectivity of industrial networks is one of the central current hot topics. It is addressed by research institutes as well as industry. In order to perform the fourth industrial revolution, full connectivity between production facilities is necessary. Due to this connectivity, however, an abundance of new attack vectors emerges. In the National Reference Project for Industrial IT-Security (IUNO), these risks and threats are addressed and solutions are developed. These solutions are especially applicable for small and medium-sized enterprises that have fewer means in terms of staff and money than larger companies. These enterprises should be able to implement the solutions without much effort. The security solutions are derived from four use cases and implemented prototypically. A further topic of this work is the research areas of the German Research Center for Artificial Intelligence that address the given challenges, as well as the solutions developed in the context of IUNO. Aside from the project itself, a method for distributed network data collection and aggregation is presented, as a prerequisite for anomaly detection for network security.
Submitted 21 November, 2017; v1 submitted 27 September, 2017;
originally announced September 2017.