
ICS-Sniper: A Targeted Blackhole Attack on Encrypted ICS Traffic (2312.06140v1)

Published 11 Dec 2023 in cs.CR

Abstract: Operational Technology (OT) networks of industrial control systems (ICS) are increasingly connected to the public Internet, which has prompted ICSes to implement strong security measures (e.g., authentication and encryption) to protect end-to-end control communication. Despite the security measures, we show that an Internet adversary in the path of an ICS's communication can cause damage to the ICS without infiltrating it. We present ICS-Sniper, a targeted blackhole attack that analyzes the packet metadata (sizes, timing) to identify the packets carrying critical ICS commands or data, and drops the critical packets to disrupt the ICS's operations. We demonstrate two attacks on an emulation of a Secure Water Treatment (SWaT) plant that can potentially violate the operational safety of the ICS while evading state-of-the-art detection systems.

