Search Results (20)

Nowadays, the world witnesses cyber attacks daily, and these threats are becoming exponentially sophisticated due to advances in Artificial Intelligence (AI). This progress allows adversaries to accelerate malware development and streamline the exploitation process. The motives vary, and so do the consequences. Unlike Information Technology (IT) breaches, Operational Technology (OT)—such as manufacturing plants, electric grids, or water and wastewater facilities—compromises can have life-threatening or environmentally hazardous consequences. For that reason, this article explores a potential cyber attack against an OT environment—firmware downgrade—and proposes a solution for detection and response by implementing Microsoft Defender for IoT (D4IoT), one of the leading products on the market for OT monitoring. To detect the malicious firmware downgrade activity, D4IoT was implemented in a pre-commissioning (non-production) environment. The solution passively monitored the network, identified the deviation, and generated alerts for response actions. Testing showed that D4IoT effectively detected the firmware downgrade attempts based on a protocol analysis and asset behavior profiling. These findings demonstrate that D4IoT provides valuable detection capabilities against an intentional firmware downgrade designed to exploit known vulnerabilities in the older, less secure version, thereby strengthening the cybersecurity posture of OT environments. The explored attack scenario leverages the symmetry between genuine and malicious firmware flows, where the downgrade mimics the upgrade process, aiming to create challenges in detection. The proposed solution discerns adversarial actions from legitimate firmware changes by breaking this functional symmetry through behavioral profiling. Full article

The convergence of Operational Technology (OT) and Information Technology (IT) networks has become increasingly prevalent with the growth of Industrial Internet of Things (IIoT) applications. This shift, while enabling enhanced automation, remote monitoring, and data sharing, also introduces new challenges related to communication latency and cybersecurity. Oftentimes, legacy OT protocols were adapted to the TCP/IP stack without an extensive review of the ramifications to their robustness, performance, or safety objectives. To further accommodate the IT/OT convergence, protocol gateways were introduced to facilitate the migration from serial protocols to TCP/IP protocol stacks within modern IT/OT infrastructure. However, they often introduce additional vulnerabilities by exposing traditionally isolated protocols to external threats. This study investigates the security and reliability implications of migrating serial protocols to TCP/IP stacks and the impact of protocol gateways, utilizing two widely used OT protocols: Modbus TCP and DNP3. Our protocol analysis finds a significant safety-critical vulnerability resulting from this migration, and our subsequent tests clearly demonstrate its presence and impact. A multi-tiered testbed, consisting of both physical and emulated components, is used to evaluate protocol performance and the effects of device-specific implementation flaws. Through this analysis of specifications and behaviors during communication interruptions, we identify critical differences in fault handling and the impact on time-sensitive data delivery. The findings highlight how reliance on lower-level IT protocols can undermine OT system resilience, and they inform the development of mitigation strategies to enhance the robustness of industrial communication networks. Full article

This paper introduces a configuration and integration model for mobile robots deployed in emergency and special operations scenarios. The proposed method is designed for implementation within the operational technology (OT) domain, enforcing security protocols that ensure both data encryption and network isolation. The primary objective is to establish a dedicated operational environment encompassing a command and control center where the robotic network server resides, alongside real-time data storage from network clients and remote control of field-deployed mobile robots. Building on this infrastructure, operational strategies are developed to enable an efficient robotic response in critical situations. By leveraging remote robotic networks, significant benefits are achieved in terms of personnel safety and mission efficiency, minimizing response time and reducing the risk of injury to human operators during hazardous interventions. Unlike generic IoT or IoRT systems, this work focuses on secure robotic integration within segmented OT infrastructures. The technologies employed create a synergistic system that ensures data integrity, encryption, and safe user interaction through a web-based interface. Additionally, the system includes mobile robots and a read-only application positioned within a demilitarized zone (DMZ), allowing for secure data monitoring without granting control access to the robotic network, thus enabling cyber-physical isolation and auditability. Full article

The expansion of operation technology (OT) use and its tight integration with classical information and communication technologies have led not only to additional and improved possibilities in monitoring physical/manufacturing processes and the emergency of Industry 4.0 but also to a number of new threats, both related to the security of processed data and the safety of people, affected by physical processes and controlled by OT. Understanding potential threats has caused an increased demand for scientific research in the field, which is still relatively new and lacks established terminology. In this review paper, we aim to identify emerging trends and technologies in OT incident response, attack detection, applications of machine and deep learning for attack recognition, and security of OT protocols. An examination of research patterns from the Web of Science repository is performed to comprehend the panorama of publications and the present state of research in the area of OT security. The analysis shows a notable rise in publications concerning OT security, reflecting an increasing research interest. Proceeding articles and research articles were the predominant types of publications that were analyzed. The analysis further emphasizes the collaborative connections between researchers, academic institutions, and nations. Additionally, co-occurrence and citation analyses are carried out to offer an understanding of the associations between various keywords and/or research subjects. The study is finalized by suggesting future research directions on OT security. The uniqueness of this review lies in its focus on OT rather than the more commonly explored SCADA/ICS topics, attempting to cover a wider range of research topics instead of concentrating on a narrow area/method. Full article

The convergence of IT and OT networks has gained significant attention in recent years, facilitated by the increase in distributed computing capabilities, the widespread deployment of Internet of Things devices, and the adoption of Industrial Internet of Things. This convergence has led to a drastic increase in external access capabilities to previously air-gapped industrial systems for process control and monitoring. To meet the need for remote access to system information, protocols designed for the OT space were extended to allow IT networked communications. However, OT protocols often lack the rigor of cybersecurity capabilities that have become a critical characteristic of IT protocols. Furthermore, OT protocol implementations on individual devices can vary in performance, requiring the comprehensive evaluation of a device’s reliability and capabilities before installation into a critical infrastructure production network. In this paper, the authors define a framework for identifying vulnerabilities within these protocols and their on-device implementations, utilizing formal modeling, hardware in the loop-driven network emulation, and fully virtual network scenario simulation. Initially, protocol specifications are modeled to identify any vulnerable states within the protocol, leveraging the Construction and Analysis of Distributed Processes (CADP) software (version 2022-d “Kista”, which was created by Inria, the French Institute for Research in Computer Science and Automation, in France). Device characteristics are then extracted through automated real-time network emulation tests built on the OMNET++ framework, and all measured device characteristics are then used as a virtual device representation for network simulation tests within the OMNET++ software (version 6.0.1., a public-soucre, open-architecture software, initially developed by OpenSim Limited in Budapest, Hungary), to verify the presence of any potential vulnerabilities identified in the formal modeling stage. With this framework, the authors have thus defined an end-to-end process to identify and verify the presence and impact of potential vulnerabilities within a protocol, as shown by the presented results. Furthermore, this framework can test protocol compliance, performance, and security in a controlled environment before deploying devices in live production networks and addressing cybersecurity concerns. Full article

Private Set Intersection (PSI) is a significant application of interest within Secure Multi-party Computation (MPC), even though we are still in the early stages of deploying MPC solutions to real-world problems. Threshold PSI (tPSI), a variant of PSI, allows two parties to determine the intersection of their respective sets only if the cardinality of the intersection is at least (or less than) a specified threshold t. In this paper, we propose a generic construction for two-party tPSI that extensively utilizes Oblivious Transfer (OT). Our approach is based on lightweight primitives and avoids costly public-key systems such as homomorphic encryption. We start by introducing the secret-sharing private membership test ${}^{\mathrm{ss}}\mathrm{PMT}$ that is based on the secret-sharing private equality test ${}^{\mathrm{ss}}\mathrm{PEQT}$. The ${}^{\mathrm{ss}}\mathrm{PMT}$ enables tPSI to be scaled for a wide range of practical applications, particularly benefiting parties with limited computational resources. Consequently, two distinct two-party tPSI protocols can be efficiently implemented: over-threshold PSI ($t^{\le }\mathrm{PSI}$) and under-threshold PSI $t^{>}\mathrm{PSI}$. In addition, we propose a lightweight two-party tPSI with limited leakage and a generic precomputing OT suitable for phased implementation. Experimental performance demonstrates that our protocols are highly efficient and computationally friendly, thus paving the way for broader deployment of tPSI solutions. Full article

OT (operational technology) protocols such as DNP3/TCP, commonly used in the electrical utility sector, have become a focal point for security researchers. We assess the applicability of attacks previously published from theoretical and practical points of view. From the theoretical point of view, previous work strongly focuses on transcribing protocol details (e.g., list fields at the link, transport, and application layer) without providing the rationale behind protocol features or how the features are used. This has led to confusion about the impact of many theoretical DNP3 attacks. After a detailed analysis around which protocol features are used and how, a review of the configuration capabilities for several IEDs (Intelligent Electrical Devices), and some testing with real devices, we conclude that similar results to several complex theoretical attacks can be achieved with considerably less effort. From a more practical point of view, there is existing work on DNP3 man-in-the-middle attacks; however, research still needs to discuss how to overcome a primary hardening effect: IEDs can be configured to allow for communication with specific IP addresses (allow list). For purely scientific purposes, we implemented a DNP3 man-in-the-middle attack capable of overcoming the IP allow-list restriction. We tested the attack using real IEDs and network equipment ruggedized for electrical environments. Even though the man-in-the-middle attack can be successful in a lab environment, we also explain the defense-in-depth mechanisms provided by industry in real life that mitigate the attack. These mechanisms are based on standard specifications, capabilities of the OT hardware, and regulations applicable to some electrical utilities. Full article

Fifth-generation networks promise wide availability of wireless communication with inherent security features. The 5G standards also outline access for different applications requiring low latency, machine-to-machine communication, or mobile broadband. These networks can be advantageous to numerous applications that require widespread and diverse communications. One such application is found in smart grids. Smart grid networks, and Operational Technology (OT) networks in general, utilize a variety of communication protocols for low-latency control, data monitoring, and reporting at every level. Transitioning these network communications from wired Wide Area Networks (WANs) to wireless communication through 5G can provide additional benefits to their security and network configurability. However, introducing these wireless capabilities may also result in a degradation of network latency. In this paper, we propose utilizing 5G for smart grid communications, and we evaluate the latency impacts of encapsulating GOOSE, Modbus, and DNP3 for transmission over a 5G network. The OpenAirInterface open-source library is utilized to deploy an in-lab 5G Core Network and gNB for testing with off-the-shelf User Equipment (UE). This creates an effective 5G test platform for experimenting with different OT protocols such as GOOSE. The results are validated by measuring two different Intelligent Electronic Devices’ contact closure times for each network configuration. These tests are also conducted for varying packet sizes in order to isolate different sources of network latency. Our study outlines the latency impact of communication over 5G for time-critical and non-critical applications regarding their transition toward private 5G-based OT network implementations. The conducted experiments illustrate that in the case of GOOSE packets, simple encapsulation may exceed the protocol’s time-critical nature, and, therefore, additional measures must be taken to ensure a viable transition of GOOSE to 5G services. However, non-critical applications are shown to be viable for migration to 5G. Full article

Industrial Control Systems (ICS) are increasingly integrated with Information Technology (IT) systems, blending Operational Technology (OT) and IT components. This evolution introduces new cyber-attack risks, necessitating specialized security measures like Intrusion Detection Systems (IDS). This paper presents our work on both developing an experimental protocol and conducting tests of various IDS types in a digital substation hardware in the loop (HIL) testbed, offering insights into their performance in realistic scenarios. Our findings reveal significant variations in IDS effectiveness against industrial-specific cyber-attacks, with IT-specific IDSs struggling to detect certain attacks and changing testlab conditions affecting the assessment of ICS-specific IDSs. The challenges faced in creating valid and reliable evaluation metrics underscore the complexities of replicating operational ICS conditions. This research enhances our understanding of IDS effectiveness in ICS settings and underscores the importance of further experimental research in HIL testlab environments. Full article

With the rapid development of edge computing and the Internet of Things, the problem of information resource sharing can be effectively solved through multi-party collaboration, but the risk of data leakage is also increasing. To address the above issues, we propose an efficient multi-party private set intersection (MPSI) protocol via a multi-point oblivious pseudorandom function (OPRF). Then, we apply it to work on a specific commercial application: edge caching. The proposed MPSI uses oblivious transfer (OT) together with a probe-and-XOR of strings (PaXoS) as the main building blocks. It not only provides one-sided malicious security, but also achieves a better balance between communication and computational overhead. From the communication pattern perspective, the client only needs to perform OT with the leader and send a data structure PaXoS to the designated party, making the protocol extremely efficient. Moreover, in the setting of edge caching, many parties hold a set of items containing an identity and its associated value. All parties can identify a set of the most frequently accessed common items without revealing the underlying data. Full article

Cyber-Physical Systems (CPS) are integrated systems that combine software and physical components. CPS has experienced rapid growth over the past decade in fields as disparate as telemedicine, smart manufacturing, autonomous vehicles, the Internet of Things, industrial control systems, smart power grids, remote laboratory environments, and many more. With the widespread integration of Cyber-Physical Systems (CPS) in various aspects of contemporary society, the frequency of malicious assaults carried out by adversaries has experienced a substantial surge in recent times. Incidents targeting vital civilian infrastructure, such as electrical power grids and oil pipelines, have become alarmingly common due to the expanded connectivity to the public internet, which significantly expands the vulnerability of CPS. This article presents a comprehensive review of existing literature that examines the latest advancements in anomaly detection techniques for identifying security threats in Cyber-Physical Systems. The primary emphasis is placed on addressing life safety concerns within industrial control networks (ICS). A total of 296 papers are reviewed, with common themes and research gaps identified. This paper makes a novel contribution by identifying the key challenges that remain in the field, which include resource constraints, a lack of standardized communication protocols, extreme heterogeneity that hampers industry consensus, and different information security priorities between Operational Technology (OT) and Information Technology (IT) networks. Potential solutions and/or opportunities for further research are identified to address these selected challenges. Full article

Supervisory control and data acquisition (SCADA) attacks have increased due to the digital transformation of many industrial control systems (ICS). Operational technology (OT) operators should use the defense-in-depth concept to secure their operations from cyber attacks and reduce the surface that can be attacked. Layers of security, such as firewalls, endpoint solutions, honeypots, etc., should be used to secure traditional IT systems. The three main goals of IT cybersecurity are confidentiality, integrity, and availability (CIA), but these three goals have different levels of importance in the operational technology (OT) industry. Availability comes before confidentiality and integrity because of the criticality of business in OT. One of the layers of security in both IT and OT is honeypots. SCADA honeypots are used as a layer of security to mitigate attacks, known attackers’ techniques, and network and system weaknesses that attackers may use, and to mitigate these vulnerabilities. In this paper, we use SCADA honeypots for early detection of potential malicious tampering within a SCADA device network, and to determine threats against ICS/SCADA networks. An analysis of SCADA honeypots gives us the ability to know which protocols are most commonly attacked, and attackers’ behaviors, locations, and goals. We use an ICS/SCADA honeypot called Conpot, which simulates real ICS/SCADA systems with some ICS protocols and ICS/SCADA PLCs. Full article

Private set intersection (PSI) is a valuable technique with various practical applications, including secure matching of communication packets in the Internet of Things. However, most of the currently available two-party PSI protocols are based on the oblivious transfer (OT) protocol, which is computationally expensive and results in significant communication overhead. In this paper, we propose a new coding method to design a two-party PSI protocol under the semi-honest model. We analyze possible malicious attacks and then develop a PSI protocol under the malicious model using the Paillier cryptosystem, cut-and-choose, zero-knowledge proof, and other cryptographic tools. By adopting the real/ideal model paradigm, we prove the protocol’s security under the malicious model, which is more efficient compared to the existing related schemes. Full article

In this paper, a universally composable 1-out-of-N oblivious transfer protocol with low communication is built. This protocol obtained full simulation security based on the modulo learning with rounding (Mod-LWR) assumption. It can achieve universally composable security in the random oracle machine (ROM) model by combining random OT based on the key exchange protocol with the authentication encryption algorithm. It can be proven to resist static adversary attacks by simulating all corruption cases. Based on computer simulation and detailed mathematical derivation, this protocol was practicable and had better efficiency and lower communication. Full article

The Zero Trust concept is being adopted in information technology (IT) deployments, while human users remain to be the main risk for operational technology (OT) deployments. This article proposes to enhance the new Modbus/TCP Security protocol with authentication and authorization functions that guarantee security against intentional unauthorized access. It aims to comply with the principle of never trusting the person who is accessing the network before carrying out a security check. Two functions are tested and used in order to build an access control method that is based on a username and a password for human users with knowledge of industrial automation control systems (IACS), using simple means, low motivation, and few resources. A man-in-the-middle (MITM) component was added in order to intermediate the client and the server communication and to validate these functions. The proposed scenario was implemented using the Node-RED programming platform. The tests implementing the functions and the access control method through the Node-RED software have proven their potential and their applicability. Full article