Search Results (60)

Search Parameters:
Keywords = OT security

18 pages, 3039 KiB  
Article
Security Symmetry in Embedded Systems: Using Microsoft Defender for IoT to Detect Firmware Downgrade Attacks
by Marian Hristov, Maria Nenova and Viktoria Dimitrova
Symmetry 2025, 17(7), 1061; https://doi.org/10.3390/sym17071061 - 4 Jul 2025
Viewed by 367
Abstract
Nowadays, the world witnesses cyber attacks daily, and these threats are becoming exponentially sophisticated due to advances in Artificial Intelligence (AI). This progress allows adversaries to accelerate malware development and streamline the exploitation process. The motives vary, and so do the consequences. Unlike Information Technology (IT) breaches, Operational Technology (OT)—such as manufacturing plants, electric grids, or water and wastewater facilities—compromises can have life-threatening or environmentally hazardous consequences. For that reason, this article explores a potential cyber attack against an OT environment—firmware downgrade—and proposes a solution for detection and response by implementing Microsoft Defender for IoT (D4IoT), one of the leading products on the market for OT monitoring. To detect the malicious firmware downgrade activity, D4IoT was implemented in a pre-commissioning (non-production) environment. The solution passively monitored the network, identified the deviation, and generated alerts for response actions. Testing showed that D4IoT effectively detected the firmware downgrade attempts based on a protocol analysis and asset behavior profiling. These findings demonstrate that D4IoT provides valuable detection capabilities against an intentional firmware downgrade designed to exploit known vulnerabilities in the older, less secure version, thereby strengthening the cybersecurity posture of OT environments. The explored attack scenario leverages the symmetry between genuine and malicious firmware flows, where the downgrade mimics the upgrade process, aiming to create challenges in detection. The proposed solution discerns adversarial actions from legitimate firmware changes by breaking this functional symmetry through behavioral profiling. Full article

18 pages, 1059 KiB  
Article
Exponential Backoff and Its Security Implications for Safety-Critical OT Protocols over TCP/IP Networks
by Matthew Boeding, Paul Scalise, Michael Hempel, Hamid Sharif and Juan Lopez
Future Internet 2025, 17(7), 286; https://doi.org/10.3390/fi17070286 - 26 Jun 2025
Viewed by 317
Abstract
The convergence of Operational Technology (OT) and Information Technology (IT) networks has become increasingly prevalent with the growth of Industrial Internet of Things (IIoT) applications. This shift, while enabling enhanced automation, remote monitoring, and data sharing, also introduces new challenges related to communication latency and cybersecurity. Oftentimes, legacy OT protocols were adapted to the TCP/IP stack without an extensive review of the ramifications to their robustness, performance, or safety objectives. To further accommodate the IT/OT convergence, protocol gateways were introduced to facilitate the migration from serial protocols to TCP/IP protocol stacks within modern IT/OT infrastructure. However, they often introduce additional vulnerabilities by exposing traditionally isolated protocols to external threats. This study investigates the security and reliability implications of migrating serial protocols to TCP/IP stacks and the impact of protocol gateways, utilizing two widely used OT protocols: Modbus TCP and DNP3. Our protocol analysis finds a significant safety-critical vulnerability resulting from this migration, and our subsequent tests clearly demonstrate its presence and impact. A multi-tiered testbed, consisting of both physical and emulated components, is used to evaluate protocol performance and the effects of device-specific implementation flaws. Through this analysis of specifications and behaviors during communication interruptions, we identify critical differences in fault handling and the impact on time-sensitive data delivery. The findings highlight how reliance on lower-level IT protocols can undermine OT system resilience, and they inform the development of mitigation strategies to enhance the robustness of industrial communication networks. Full article

25 pages, 7400 KiB  
Article
OT Control and Integration of Mobile Robotic Networks
by Marco Mărieș and Mihai Olimpiu Tătar
Electronics 2025, 14(13), 2531; https://doi.org/10.3390/electronics14132531 - 22 Jun 2025
Viewed by 713
Abstract
This paper introduces a configuration and integration model for mobile robots deployed in emergency and special operations scenarios. The proposed method is designed for implementation within the operational technology (OT) domain, enforcing security protocols that ensure both data encryption and network isolation. The primary objective is to establish a dedicated operational environment encompassing a command and control center where the robotic network server resides, alongside real-time data storage from network clients and remote control of field-deployed mobile robots. Building on this infrastructure, operational strategies are developed to enable an efficient robotic response in critical situations. By leveraging remote robotic networks, significant benefits are achieved in terms of personnel safety and mission efficiency, minimizing response time and reducing the risk of injury to human operators during hazardous interventions. Unlike generic IoT or IoRT systems, this work focuses on secure robotic integration within segmented OT infrastructures. The technologies employed create a synergistic system that ensures data integrity, encryption, and safe user interaction through a web-based interface. Additionally, the system includes mobile robots and a read-only application positioned within a demilitarized zone (DMZ), allowing for secure data monitoring without granting control access to the robotic network, thus enabling cyber-physical isolation and auditability. Full article
(This article belongs to the Special Issue Modeling and Control of Mobile Robots)

18 pages, 2512 KiB  
Article
Investigation of Secure Communication of Modbus TCP/IP Protocol: Siemens S7 PLC Series Case Study
by Quy-Thinh Dao, Le-Trung Nguyen, Trung-Kien Ha, Viet-Hoang Nguyen and Tuan-Anh Nguyen
Appl. Syst. Innov. 2025, 8(3), 65; https://doi.org/10.3390/asi8030065 - 13 May 2025
Viewed by 1625
Abstract
Industrial Control Systems (ICS) have become increasingly vulnerable to cyber threats due to the growing interconnectivity with enterprise networks and the Industrial Internet of Things (IIoT). Among these threats, Address Resolution Protocol (ARP) spoofing presents a critical risk to the integrity and reliability of Modbus TCP/IP communications, particularly in environments utilizing Siemens S7 programmable logic controllers (PLCs). Traditional defense methods often rely on host-based software solutions or cryptographic techniques that may not be practical for legacy or resource-constrained industrial environments. This paper proposes a novel, lightweight hardware device designed to detect and mitigate ARP spoofing attacks in Modbus TCP/IP networks without relying on conventional computer-based infrastructure. An experimental testbed using Siemens S7-1500 and S7-1200 PLCs (Siemens, Munich, Germany) was established to validate the proposed approach. The results demonstrate that the toolkit can effectively detect malicious activity and maintain stable industrial communication under normal and adversarial conditions. Full article
(This article belongs to the Special Issue Industrial Cybersecurity)

22 pages, 3040 KiB  
Article
Diverse Machine Learning-Based Malicious Detection for Industrial Control System
by Ying-Chin Chen, Chia-Hao Cheng, Tzu-Wei Lin and Jung-San Lee
Electronics 2025, 14(10), 1947; https://doi.org/10.3390/electronics14101947 - 10 May 2025
Viewed by 454
Abstract
The digital transformation of manufacturing through OT, IoT, and AI integration has created extensive networked sensor ecosystems, introducing critical cybersecurity vulnerabilities at IT-OT interfaces. This might particularly challenge the detection component of the NIST cybersecurity framework. To address this concern, the authors designed a diverse machine learning-based intrusion detection system framework for industrial control systems (DICS). DICS implements a sophisticated dual-module architecture. The screening analysis module initially categorizes network traffic as either unidentifiable or recognized packets, while the classification analysis module subsequently determines specific attack types for identifiable traffic. When unrecognized zero-day attack traffic accumulates in a buffer and reaches a predetermined threshold, the agile training module incorporates these patterns into the system, which enables continuous adaptation. During experimental validation, the authors rigorously assess dataset industrial relevance and strategically divide the datasets into four distinct groups to accurately simulate diverse network traffic patterns characteristic of real industrial environments. Moreover, the authors highlight the system’s alignment with IEC 62443 requirements for industrial control system security. In conclusion, the comprehensive analysis demonstrates that DICS delivers superior detection capabilities for malicious network traffic in industrial settings. Full article

14 pages, 4548 KiB  
Article
The Challenges of Cyber Resilience in the Maritime Sector: Addressing the Weak Awareness of the Dangers Caused by Cyber Threats
by Jasmin Ćelić, Marko Vukšić, Robert Baždarić and Aleksandar Cuculić
J. Mar. Sci. Eng. 2025, 13(4), 762; https://doi.org/10.3390/jmse13040762 - 11 Apr 2025
Cited by 1 | Viewed by 1576
Abstract
The maritime industry plays a key role in the global supply chain. Advanced digital technologies bring significant economic benefits to ports and shipowners, but at the same time increase the risks of cyber threats and attacks. This article aims to provide guidelines and examples of good practice that will help in the effective implementation of cyber risk assessment, cyber resilience and cyber sustainability, which are the products of increasingly pronounced challenges. The interconnection of ports requires operators to achieve and maintain a baseline level of cybersecurity to ensure security across the entire port ecosystem. The development of new technologies in areas such as the Internet of Things, cloud computing, artificial intelligence, etc., contributes to the fact that monitoring and control systems in the maritime industry are becoming increasingly exposed to cyber threats and various forms of cyberattacks. The connection of vessels with systems on land in real time presents a necessary element in meeting the intended goals in the digital transformation of the maritime sector. This results in increasingly frequent work on specific software solutions within the maritime sector. With the adoption of new operational technologies (OT) and information technologies (IT), the desire for more efficient supply chains and operations of shipping in general has been realized, but at the same time the level of cybersecurity has decreased. The research results aim to encourage port operators and shippers to develop a series of good practices in order to develop an appropriate level of cybersecurity, resilience, and sustainability. Full article
(This article belongs to the Section Ocean Engineering)

19 pages, 3806 KiB  
Article
xIIRS: Industrial Internet Intrusion Response Based on Explainable Deep Learning
by Qinhai Xue, Zhiyong Zhang, Kefeng Fan and Mingyan Wang
Electronics 2025, 14(5), 987; https://doi.org/10.3390/electronics14050987 - 28 Feb 2025
Viewed by 621
Abstract
The extensive interconnection and intelligent collaboration of multi-source heterogeneous devices in the industrial Internet environment have significantly improved the efficiency of industrial production and resource utilization. However, at the same time, the deployment characteristics of open-network architecture and the promotion of the concept of deep integration of OT/IT have led to an exponential growth of attacks on the industrial Internet. At present, most of the detection methods for industrial internet attacks use deep learning. However, due to the black-box characteristics caused by the complex structure of deep learning models, the explainability of industrial internet detection results generated based on deep learning is low. Therefore, we proposed an industrial internet intrusion response method xIIRS based on explainable deep learning. Firstly, an explanation method was improved to enhance the explanation by approximating and sampling the historical input and calculating the dynamic weighting for the sparse group lasso based on the evaluation criteria for the importance of features between and within feature groups. Then, we determined the defense rule scope based on the obtained explanation results and generated more fine-grained defense rules to implement intrusion response in combination with security constraints. The proposed method was experimented on two public datasets, TON_IoT and Gas Pipeline. The experimental results show that the explanation effect of xIIRS is better than the baseline method while achieving an average malicious traffic blocking rate of about 95% and an average normal traffic passing rate of about 99%. Full article

38 pages, 8651 KiB  
Review
A Systematic Literature Review of Current Research Trends in Operational and Related Technology Threats, Threat Detection, and Security Insurance
by Nikolaj Goranin, Dainius Čeponis and Antanas Čenys
Appl. Sci. 2025, 15(5), 2316; https://doi.org/10.3390/app15052316 - 21 Feb 2025
Viewed by 1681
Abstract
The expansion of operation technology (OT) use and its tight integration with classical information and communication technologies have led not only to additional and improved possibilities in monitoring physical/manufacturing processes and the emergency of Industry 4.0 but also to a number of new threats, both related to the security of processed data and the safety of people, affected by physical processes and controlled by OT. Understanding potential threats has caused an increased demand for scientific research in the field, which is still relatively new and lacks established terminology. In this review paper, we aim to identify emerging trends and technologies in OT incident response, attack detection, applications of machine and deep learning for attack recognition, and security of OT protocols. An examination of research patterns from the Web of Science repository is performed to comprehend the panorama of publications and the present state of research in the area of OT security. The analysis shows a notable rise in publications concerning OT security, reflecting an increasing research interest. Proceeding articles and research articles were the predominant types of publications that were analyzed. The analysis further emphasizes the collaborative connections between researchers, academic institutions, and nations. Additionally, co-occurrence and citation analyses are carried out to offer an understanding of the associations between various keywords and/or research subjects. The study is finalized by suggesting future research directions on OT security. The uniqueness of this review lies in its focus on OT rather than the more commonly explored SCADA/ICS topics, attempting to cover a wider range of research topics instead of concentrating on a narrow area/method. Full article
(This article belongs to the Section Computing and Artificial Intelligence)

32 pages, 2512 KiB  
Review
Mapping of Industrial IoT to IEC 62443 Standards
by Ivan Cindrić, Marko Jurčević and Tamara Hadjina
Sensors 2025, 25(3), 728; https://doi.org/10.3390/s25030728 - 25 Jan 2025
Cited by 2 | Viewed by 2239
Abstract
The increasing adoption of the Industrial Internet of Things (IIoT) has led to significant improvements in operational efficiency but has also brought new challenges for cybersecurity. To address these challenges, a number of standards have been introduced over the years. One of the best-known series of standards for this purpose is ISA/IEC 62443. This paper examines the applicability of the ISA/IEC 62443 series of standards, traditionally used for securing industrial automation and control systems, to the IIoT environment. For each requirement described in the ISA/IEC 62443 standards, relevant research on that subject is reviewed and presented in a table-like manner. Based on this table, areas for future research are identified, including system hardening, asset inventory, safety instrumented system isolation, risk assessment methodologies, change management systems, data storage security, and incident response procedures. The focus on future improvement is performed for the area of system hardening, for which research and guidelines already exist but not for the specific area of IIoT environments. Full article
(This article belongs to the Section Industrial Sensors)

42 pages, 4687 KiB  
Review
A Review on Blockchain Applications in Operational Technology for Food and Agriculture Critical Infrastructure
by Chengliang Zheng, Xiangzhen Peng, Ziyue Wang, Tianyu Ma, Jiajia Lu, Leiyang Chen, Liang Dong, Long Wang, Xiaohui Cui and Zhidong Shen
Foods 2025, 14(2), 251; https://doi.org/10.3390/foods14020251 - 14 Jan 2025
Cited by 6 | Viewed by 3024
Abstract
The food and agriculture sector is a cornerstone of critical infrastructure (CI), underpinning global food security, public health, and economic stability. However, the increasing digitalization and connectivity of operational technologies (OTs) in this sector expose it to significant cybersecurity risks. Blockchain technology (BT) has emerged as a transformative solution for addressing these challenges by enhancing network security, traceability, and system resilience. This study presents a comprehensive review of BT applications in OT security for food and agriculture CI, employing bibliometric and content analysis methods. A total of 124 relevant articles were identified from six databases, including the Web of Science Core Collection and MEDLINE®. Bibliometric analysis was conducted across five dimensions: publication year, literature type, journal distribution, country contributions, and keyword trends. The findings are meticulously organized through tables, charts, and graphs. The year 2018 marked a surge in research within this domain, with the IEEE Internet of Things Journal and IEEE Access emerging as the most prolific journals, each boasting nine publications. The United States, China, and India are at the forefront in terms of journal citation counts. Our analysis determined that a reference count of 37 serves as an appropriate threshold. Otoum Safa stands out as the author with the highest number of published articles, totaling four. Keywords such as “blockchain”, “internet of things”, “smart contract”, “security”, and “critical infrastructure” appear with significant frequency. The statistics, trends, and insights gleaned from this bibliometric analysis can guide researchers in the OTCI field to forge a coherent and logical research trajectory.
Content analysis further identified six key research areas within this domain: identity authentication and data verification, secure access control, attack detection and perception, data security and protection, data backup and recovery, and attack assessment and attribution. Based on these insights, a general framework is proposed to guide future research and practical applications of BT in securing OT within food and agriculture CI. This study systematically analyzes the current research landscape, challenges, and opportunities for BT in securing the OT critical to food and agriculture CI. By bridging the gap between blockchain innovations and the operational needs of the food and agriculture sector, this work contributes to advancing strategic implementation and improving the security of CI systems. Full article
(This article belongs to the Section Food Security and Sustainability)

20 pages, 812 KiB  
Article
End-to-End Framework for Identifying Vulnerabilities of Operational Technology Protocols and Their Implementations in Industrial IoT
by Matthew Boeding, Michael Hempel and Hamid Sharif
Future Internet 2025, 17(1), 34; https://doi.org/10.3390/fi17010034 - 14 Jan 2025
Cited by 1 | Viewed by 1183
Abstract
The convergence of IT and OT networks has gained significant attention in recent years, facilitated by the increase in distributed computing capabilities, the widespread deployment of Internet of Things devices, and the adoption of Industrial Internet of Things. This convergence has led to a drastic increase in external access capabilities to previously air-gapped industrial systems for process control and monitoring. To meet the need for remote access to system information, protocols designed for the OT space were extended to allow IT networked communications. However, OT protocols often lack the rigor of cybersecurity capabilities that have become a critical characteristic of IT protocols. Furthermore, OT protocol implementations on individual devices can vary in performance, requiring the comprehensive evaluation of a device’s reliability and capabilities before installation into a critical infrastructure production network. In this paper, the authors define a framework for identifying vulnerabilities within these protocols and their on-device implementations, utilizing formal modeling, hardware in the loop-driven network emulation, and fully virtual network scenario simulation. Initially, protocol specifications are modeled to identify any vulnerable states within the protocol, leveraging the Construction and Analysis of Distributed Processes (CADP) software (version 2022-d “Kista”, which was created by Inria, the French Institute for Research in Computer Science and Automation, in France). 
Device characteristics are then extracted through automated real-time network emulation tests built on the OMNET++ framework, and all measured device characteristics are then used as a virtual device representation for network simulation tests within the OMNET++ software (version 6.0.1, a public-source, open-architecture software, initially developed by OpenSim Limited in Budapest, Hungary), to verify the presence of any potential vulnerabilities identified in the formal modeling stage. With this framework, the authors have thus defined an end-to-end process to identify and verify the presence and impact of potential vulnerabilities within a protocol, as shown by the presented results. Furthermore, this framework can test protocol compliance, performance, and security in a controlled environment before deploying devices in live production networks and addressing cybersecurity concerns. Full article

42 pages, 6551 KiB  
Article
Cybersecurity Solutions for Industrial Internet of Things–Edge Computing Integration: Challenges, Threats, and Future Directions
by Tamara Zhukabayeva, Lazzat Zholshiyeva, Nurdaulet Karabayev, Shafiullah Khan and Noha Alnazzawi
Sensors 2025, 25(1), 213; https://doi.org/10.3390/s25010213 - 2 Jan 2025
Cited by 11 | Viewed by 6827
Abstract
This paper provides the complete details of current challenges and solutions in the cybersecurity of cyber-physical systems (CPS) within the context of the IIoT and its integration with edge computing (IIoT–edge computing). We systematically collected and analyzed the relevant literature from the past five years, applying a rigorous methodology to identify key sources. Our study highlights the prevalent IIoT layer attacks, common intrusion methods, and critical threats facing IIoT–edge computing environments. Additionally, we examine various types of cyberattacks targeting CPS, outlining their significant impact on industrial operations. A detailed taxonomy of primary security mechanisms for CPS within IIoT–edge computing is developed, followed by a comparative analysis of our approach against existing research. The findings underscore the widespread vulnerabilities across the IIoT architecture, particularly in relation to DoS, ransomware, malware, and MITM attacks. The review emphasizes the integration of advanced security technologies, including machine learning (ML), federated learning (FL), blockchain, blockchain–ML, deep learning (DL), encryption, cryptography, IT/OT convergence, and digital twins, as essential for enhancing the security and real-time data protection of CPS in IIoT–edge computing. Finally, the paper outlines potential future research directions aimed at advancing cybersecurity in this rapidly evolving domain. Full article

21 pages, 388 KiB  
Article
Two-Party Threshold Private Set Intersection Protocols from Lightweight Cryptographic Primitives
by Shengnan Zhao, Chuan Zhao, Yuchen Huang, Xiangfu Song and Qiuliang Xu
Cryptography 2024, 8(4), 58; https://doi.org/10.3390/cryptography8040058 - 22 Dec 2024
Cited by 1 | Viewed by 1225
Abstract
Private Set Intersection (PSI) is a significant application of interest within Secure Multi-party Computation (MPC), even though we are still in the early stages of deploying MPC solutions to real-world problems. Threshold PSI (tPSI), a variant of PSI, allows two parties to determine the intersection of their respective sets only if the cardinality of the intersection is at least (or less than) a specified threshold t. In this paper, we propose a generic construction for two-party tPSI that extensively utilizes Oblivious Transfer (OT). Our approach is based on lightweight primitives and avoids costly public-key systems such as homomorphic encryption. We start by introducing the secret-sharing private membership test PMTss that is based on the secret-sharing private equality test PEQTss. The PMTss enables tPSI to be scaled for a wide range of practical applications, particularly benefiting parties with limited computational resources. Consequently, two distinct two-party tPSI protocols can be efficiently implemented: over-threshold PSI (tPSI) and under-threshold PSI t>PSI. In addition, we propose a lightweight two-party tPSI with limited leakage and a generic precomputing OT suitable for phased implementation. Experimental performance demonstrates that our protocols are highly efficient and computationally friendly, thus paving the way for broader deployment of tPSI solutions. Full article

19 pages, 526 KiB  
Article
SoK: A Reality Check for DNP3 Attacks 15 Years Later
by Juan David Parra Rodriguez, Kwasi Boakye-Boateng, Ratinder Kaur, Allyson Zhou, Rongxing Lu and Ali A. Ghorbani
Smart Cities 2024, 7(6), 3983-4001; https://doi.org/10.3390/smartcities7060154 - 14 Dec 2024
Cited by 1 | Viewed by 1949
Abstract
OT (operational technology) protocols such as DNP3/TCP, commonly used in the electrical utility sector, have become a focal point for security researchers. We assess the applicability of attacks previously published from theoretical and practical points of view. From the theoretical point of view, previous work strongly focuses on transcribing protocol details (e.g., list fields at the link, transport, and application layer) without providing the rationale behind protocol features or how the features are used. This has led to confusion about the impact of many theoretical DNP3 attacks. After a detailed analysis around which protocol features are used and how, a review of the configuration capabilities for several IEDs (Intelligent Electrical Devices), and some testing with real devices, we conclude that similar results to several complex theoretical attacks can be achieved with considerably less effort. From a more practical point of view, there is existing work on DNP3 man-in-the-middle attacks; however, research still needs to discuss how to overcome a primary hardening effect: IEDs can be configured to allow for communication with specific IP addresses (allow list). For purely scientific purposes, we implemented a DNP3 man-in-the-middle attack capable of overcoming the IP allow-list restriction. We tested the attack using real IEDs and network equipment ruggedized for electrical environments. Even though the man-in-the-middle attack can be successful in a lab environment, we also explain the defense-in-depth mechanisms provided by industry in real life that mitigate the attack. These mechanisms are based on standard specifications, capabilities of the OT hardware, and regulations applicable to some electrical utilities. Full article
(This article belongs to the Special Issue Next Generation of Smart Grid Technologies)

19 pages, 654 KiB  
Article
A Methodological Approach to Securing Cyber-Physical Systems for Critical Infrastructures
by Antonello Calabrò, Enrico Cambiaso, Manuel Cheminod, Ivan Cibrario Bertolotti, Luca Durante, Agostino Forestiero, Flavio Lombardi, Giuseppe Manco, Eda Marchetti, Albina Orlando and Giuseppe Papuzzo
Future Internet 2024, 16(11), 418; https://doi.org/10.3390/fi16110418 - 12 Nov 2024
Cited by 2 | Viewed by 1240
Abstract
Modern ICT infrastructures, i.e., cyber-physical systems and critical infrastructures relying on interconnected IT (Information Technology)- and OT (Operational Technology)-based components and (sub-)systems, raise complex challenges in tackling security and safety issues. Nowadays, many security controls and mechanisms have been made available and exploitable to solve specific security needs, but, when dealing with very complex and multifaceted heterogeneous systems, a methodology is needed on top of the selection of each security control that will allow the designer/maintainer to drive her/his choices to build and keep the system secure as a whole, leaving the choice of the security controls to the last step of the system design/development. This paper aims at providing a comprehensive methodological approach to design and preliminarily implement an Open Platform Architecture (OPA) to secure the cyber-physical systems of critical infrastructures. Here, the Open Platform Architecture (OPA) depicts how an already existing or under-design target system (TS) can be equipped with technologies that are modern or currently under development, to monitor and timely detect possibly dangerous situations and to react in an automatic way by putting in place suitable countermeasures. A multifaceted use case (UC) that is able to show the OPA, starting from the security and safety requirements to the fully designed system, will be developed step by step to show the feasibility and the effectiveness of the proposed methodology.
(This article belongs to the Special Issue State-of-the-Art Future Internet Technology in Italy 2024–2025)