Abnormal Traffic Detection Mechanism for Protecting IIoT Environments

Kim, Byoungkoo; Kang, Young-Shik

doi:10.1109/ictc.2018.8539533

Cited by 5 publications

(4 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These devices cannot always be patched to protect against known vulnerabilities, and therefore require continuous monitoring. An example of this is the IDS proposed by Kim and Kang [189], which specifically targets the Modbus protocol, a widely used industrial control protocol, and a good example of an existing protocol severely lacking in security mechanisms. Similarly, the MQTT protocol has been covered like this [178].…”

Section: G Security Monitoringmentioning

confidence: 99%

A Systematic Survey of Industrial Internet of Things Security: Requirements and Fog Computing Opportunities

Tange

Donno

Fafoutis

et al. 2020

IEEE Commun. Surv. Tutorials

243

103

View full text Add to dashboard Cite

A key application of the Internet of Things (IoT) paradigm lies within industrial contexts. Indeed, the emerging Industrial Internet of Things (IIoT), commonly referred to as Industry 4.0, promises to revolutionize production and manufacturing through the use of large numbers of networked embedded sensing devices, and the combination of emerging computing technologies, such as Fog/Cloud Computing and Artificial Intelligence. The IIoT is characterized by an increased degree of inter-connectivity, which not only creates opportunities for the industries that adopt it, but also for cyber-criminals. Indeed, IoT security currently represents one of the major obstacles that prevent the widespread adoption of IIoT technology. Unsurprisingly, such concerns led to an exponential growth of published research over the last few years. To get an overview of the field, we deem it important to systematically survey the academic literature so far, and distill from it various security requirements as well as their popularity. This paper consists of two contributions: our primary contribution is a systematic review of the literature over the period 2011-2019 on IIoT Security, focusing in particular on the security requirements of the IIoT. Our secondary contribution is a reflection on how the relatively new paradigm of Fog computing can be leveraged to address these requirements, and thus improve the security of the IIoT.

show abstract

Section: G Security Monitoringmentioning

confidence: 99%

A Systematic Survey of Industrial Internet of Things Security: Requirements and Fog Computing Opportunities

Tange

Donno

Fafoutis

et al. 2020

IEEE Commun. Surv. Tutorials

243

103

View full text Add to dashboard Cite

show abstract

“…When N is compromised, the attacker, m or s , sends Q and/or R to a device or uses any compromised element in M or S to do so. Unfortunately, there are no publicly recorded incidents of such nature; thus, we use this literature-sourced scenario [96]. In this scenario, A N , the attacker is oblivious to the substation's architecture and as a result, requires cyber attacks to identify S before transmitting Q and/or R .…”

Section: Compromised Network a Nmentioning

confidence: 99%

A Trust-Influenced Smart Grid: A Survey and a Proposal

Boakye-Boateng

Ghorbani

Lashkari

2022

JSAN

View full text Add to dashboard Cite

A compromised Smart Grid, or its components, can have cascading effects that can affect lives. This has led to numerous cybersecurity-centric studies focusing on the Smart Grid in research areas such as encryption, intrusion detection and prevention, privacy and trust. Even though trust is an essential component of cybersecurity research; it has not received considerable attention compared to the other areas within the context of Smart Grid. As of the time of this study, we observed that there has neither been a study assessing trust within the Smart Grid nor were there trust models that could detect malicious attacks within the substation. With these two gaps as our objectives, we began by presenting a mathematical formalization of trust within the context of Smart Grid devices. We then categorized the existing trust-based literature within the Smart Grid under the NIST conceptual domains and priority areas, multi-agent systems and the derived trust formalization. We then proposed a novel substation-based trust model and implemented a Modbus variation to detect final-phase attacks. The variation was tested against two publicly available Modbus datasets (EPM and ATENA H2020) under three kinds of tests, namely external, internal, and internal with IP-MAC blocking. The first test assumes that external substation adversaries remain so and the second test assumes all adversaries within the substation. The third test assumes the second test but blacklists any device that sends malicious requests. The tests were performed from a Modbus server’s point of view and a Modbus client’s point of view. Aside from detecting the attacks within the dataset, our model also revealed the behaviour of the attack datasets and their influence on the trust model components. Being able to detect all labelled attacks in one of the datasets also increased our confidence in the model in the detection of attacks in the other dataset. We also believe that variations of the model can be created for other OT-based protocols as well as extended to other critical infrastructures.

show abstract

“…For instance, the article [20], proposes a special smart fuzzing technology for Modbus TCP/IP which satisfies the requirement of the vulnerability detection for Modbus TCP/IP. In addition, an abnormal traffic detection mechanism by tracing Modbus TCP/IP transactions is proposed by [21]. The proposed method ([21]) enables a response immediate and fast, not only to Denial-of-Service (DoS) attacks, but also to various types of malfunctions, such as routing loops, misconfigured devices and human mistakes.…”

Section: Related Workmentioning

confidence: 99%

“…In addition, an abnormal traffic detection mechanism by tracing Modbus TCP/IP transactions is proposed by [21]. The proposed method ([21]) enables a response immediate and fast, not only to Denial-of-Service (DoS) attacks, but also to various types of malfunctions, such as routing loops, misconfigured devices and human mistakes. In addition, an authentication model, based upon the one-way property of cryptographic hash functions is proposed by [17].…”

Section: Related Workmentioning

confidence: 99%

A Role-Based Access Control Model in Modbus SCADA Systems. A Centralized Model Approach

Figueroa-Lorenzo

Añorga

Arrizabalaga

2019

Sensors

View full text Add to dashboard Cite

Industrial Control Systems (ICS) and Supervisory Control systems and Data Acquisition (SCADA) networks implement industrial communication protocols to enable their operations. Modbus is an application protocol that allows communication between millions of automation devices. Unfortunately, Modbus lacks basic security mechanisms, and this leads to multiple vulnerabilities, due to both design and implementation. This issue enables certain types of attacks, for example, man in the middle attacks, eavesdropping attacks, and replay attack. The exploitation of such flaws may greatly influence companies and the general population, especially for attacks targeting critical infrastructural assets, such as power plants, water distribution and railway transportation systems. In order to provide security mechanisms to the protocol, the Modbus organization released security specifications, which provide robust protection through the blending of Transport Layer Security (TLS) with the traditional Modbus protocol. TLS will encapsulate Modbus packets to provide both authentication and message-integrity protection. The security features leverage X.509v3 digital certificates for authentication of the server and client. From the security specifications, this study addresses the security problems of the Modbus protocol, proposing a new secure version of a role-based access control model (RBAC), in order to authorize both the client on the server, as well as the Modbus frame. This model is divided into an authorization process via roles, which is inserted as an arbitrary extension in the certificate X.509v3 and the message authorization via unit id, a unique identifier used to authorize the Modbus frame. Our proposal is evaluated through two approaches: A security analysis and a performance analysis. The security analysis involves verifying the protocol’s resistance to different types of attacks, as well as that certain pillars of cybersecurity, such as integrity and confidentiality, are not compromised. Finally, our performance analysis involves deploying our design over a testnet built on GNS3. This testnet has been designed based on an industrial security standard, such as IEC-62443, which divides the industrial network into levels. Then both the client and the server are deployed over this network in order to verify the feasibility of the proposal. For this purpose, different latencies measurements in industrial environments are used as a benchmark, which are matched against the latencies in our proposal for different cipher suites.

show abstract

Abnormal Traffic Detection Mechanism for Protecting IIoT Environments

Cited by 5 publications

References 3 publications

A Systematic Survey of Industrial Internet of Things Security: Requirements and Fog Computing Opportunities

A Systematic Survey of Industrial Internet of Things Security: Requirements and Fog Computing Opportunities

A Trust-Influenced Smart Grid: A Survey and a Proposal

A Role-Based Access Control Model in Modbus SCADA Systems. A Centralized Model Approach

Contact Info

Product

Resources

About