WaterLeakage: A Stealthy Malware for Data Exfiltration on Industrial Control Systems Using Visual Channels

Alawami

et al. 2023

Sensors

Anomaly detection has been known as an effective technique to detect faults or cyber-attacks in industrial control systems (ICS). Therefore, many anomaly detection models have been proposed for ICS. However, most models have been implemented and evaluated under specific circumstances, which leads to confusion about choosing the best model in a real-world situation. In other words, there still needs to be a comprehensive comparison of state-of-the-art anomaly detection models with common experimental configurations. To address this problem, we conduct a comparative study of five representative time series anomaly detection models: InterFusion, RANSynCoder, GDN, LSTM-ED, and USAD. We specifically compare the performance analysis of the models in detection accuracy, training, and testing times with two publicly available datasets: SWaT and HAI. The experimental results show that the best model results are inconsistent with the datasets. For SWaT, InterFusion achieves the highest F1-score of 90.7% while RANSynCoder achieves the highest F1-score of 82.9% for HAI. We also investigate the effects of the training set size on the performance of anomaly detection models. We found that about 40% of the entire training set would be sufficient to build a model producing a similar performance compared to using the entire training set.

Section: Related Workmentioning

confidence: 99%

A Comparative Study of Time Series Anomaly Detection Models for Industrial Control Systems

Alawami

et al. 2023

Sensors

IEEE Internet Things J.

“…Proposed countermeasures include shielding electronic laptop components, performing I/O operations randomly to mask electromagnetic emissions and, on the mobile phone side, to make it mandatory for applications to request permissions to access magnetic sensors (which has meanwhile been implemented in most recent mobile operating systems). Robles-Durazno et al [12] used two lamps connected to a programmable logic controller (PLC) for data exfiltration from an Industrial Automation and Control System. The inability for humans to detect flickering in the order of 60Hz was taken into account, in order to avoid detection and make it a stealthy process.…”

Section: A Review Of Side Channel Exfiltrationmentioning

confidence: 99%

“…To improve stealthiness, several strategies can be adopted. The most basic is to resort to light fixtures placed in spaces where the blinking would not call the attention of building occupants, or to adjust the blinking frequency to make it imperceptible to the human eye (as explored by [12], in a different scope). A more stealthy approach may be implemented if a dimmer is present.…”

Section: Using the Lighting System To Exfiltrate Datamentioning

confidence: 99%

Using KNX-Based Building Automation and Control Systems for Data Exfiltration

Graveto

Cruz

Simões

2023

When it comes to protecting confidential and/or sensitive information, organizations have a plethora of recommendations, standards, policies and security controls at their disposal, conceived to deal with a wide variety of threats. However, most of them share the same fundamental premise: that weaknesses are inline by nature, as a consequence of infrastructure, social and/or technological gaps that can be detected, controlled, mitigated or constrained. Side channel threats are a different matter, though. Stemming from unconventional intrusion or attack vectors whose existence was inconceivable, unexpected or deemed unfeasible, their successful exploitation may provide attackers with the means to bypass and render most security controls ineffective or even useless. In this paper we address one such case: the use of a KNX-based building automation and control system to exfiltrate data from an air-gapped infrastructure. The introduction of a small device provides connectivity to the existing KNX fieldbus and enables sending data through it or even control other devices, with no interference in the operation of the building automation and control network. We validated the feasibility of this approach by means of an experimental setup, which was used to successfully evaluate two different techniques: inline bus exfiltration and optical transmission, via dimmer control. Finally, some measures for detecting and mitigating this type of attacks are proposed.

“…In the described example, sensitive information were transmitted via memory-mapped peripherals such as LED by copying data from arbitrary memory locations via the DMA controller. Similarly, the Waterleakabe malware [175] relied on the optical side-channel to achieve transmission of the sensor readings from lamps. Note that the lamps should be connected to the digital output of the PLC and the compromised video recorder camera should be placed one meter away.…”

Section: F Side Channel Analysismentioning

confidence: 99%

Industrial and Critical Infrastructure Security: Technical Analysis of Real-Life Security Incidents

Makrakis¹,

Kolias

Kambourakis

et al. 2021

IEEE Access

Critical infrastructures and industrial organizations aggressively move towards integrating elements of modern Information Technology (IT) into their monolithic Operational Technology (OT) architectures. Yet, as OT systems progressively become more and more interconnected, they silently have turned into alluring targets for diverse groups of adversaries. Meanwhile, the inherent complexity of these systems, along with their advanced-in-age nature, prevents defenders from fully applying contemporary security controls in a timely manner. Forsooth, the combination of these hindering factors has led to some of the most severe cybersecurity incidents of the past years. This work contributes a full-fledged and upto-date survey of the most prominent threats and attacks against Industrial Control Systems and critical infrastructures, along with the communication protocols and devices adopted in these environments. Our study highlights that threats against critical infrastructure follow an upward spiral due to the mushrooming of commodity tools and techniques that can facilitate either the early or late stages of attacks. Furthermore, our survey exposes that existing vulnerabilities in the design and implementation of several of the OTspecific network protocols and devices may easily grant adversaries the ability to decisively impact physical processes. We provide a categorization of such threats and the corresponding vulnerabilities based on various criteria. As far as we are aware, this is the first time an exhaustive and detailed survey of this kind is attempted.