RITICS Fest 2024

The Research Institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) was thrilled to announce the launch of an annual workshop series. The event offers a unique platform to showcase and discuss the latest advancements in the security of Industrial Control and Cyber-Physical Systems across the UK. 

Presentation Summaries

In the evolving landscape of Industrial Control Systems (ICS) security, the deployment of honeypots has emerged as a proactive defence mechanism to detect, deceive, and study potential attackers. However, the effectiveness of traditional honeypots is at risk as adversaries become more aware of them and develop fingerprinting techniques to identify and avoid these traps. Once attackers identify a system as a honeypot, they are less likely to interact with it. To prevent honeypots from being identified and to reduce honeypot characteristics in a system, significant investment is needed, making honeypots a more expensive solution. This presentation introduces an innovative obfuscation technique designed to enhance ICS security by making Programmable Logic Controllers (PLCs) mimic honeypots, turning a potential weakness of honeypots into a strength. This technique reduces the investment necessary to reduce honeypot characteristics while providing an additional benefit: encouraging attackers to avoid the operational system.

This technique not only enhances the security of individual PLCs but also has the potential to significantly improve the overall security posture of ICS environments by creating a sense of uncertainty for attackers, potentially deterring them from engaging with any part of the network.

The talk will delve into the development and evaluation of this novel deception architecture, which uses software-defined networking (SDN) to dynamically present real PLCs as honeypots to attackers. Although we developed and tested this system using a PLC as an example, it can be used with other OT systems as well. This approach deters direct attacks on critical ICS components and facilitates threat intelligence collection on adversaries if they decide to interact with the system, without compromising the system’s operational integrity. This approach represents a shift in ICS security, moving from a purely defensive stance to a more rounded approach including a deception-based strategy, which could influence future standards and best practices in the field.

Key takeaways include:
1. Understanding the limitations of traditional honeypots in ICS security and the benefits of deception with honeypots.
2. Insights into the technical implementation and design of the (PLC) obfuscator honeypot, leveraging SDN to enhance security without disrupting system operations.
3. Practical guidance on deploying and integrating the obfuscator in real-world ICS environments, focusing on system availability, resilience, and overall security enhancement.

Cyber security incident response playbooks are critical for establishing an effective incident response capability within organizations. We identify a significant conceptual gap in the current research and practice of cyber security playbook design: the lack of ability to communicate the operational impact of an incident and of incident response on an organization. Specifically, this gap is of high significance in Cyber-Physical Systems (CPS) and Critical National Infrastructure (CNI) contexts.

We present a mechanism to address the identified gap by introducing the operational context into an incident response playbook. We shift from playbooks that consist only of process models to playbooks that consist of process models closely linked with a model of operations. We describe a novel approach to embed a model of operations into the incident response playbook and link it with the playbook’s incident response activities. This allows us to reflect, in an accurate and systematic way, the interdependencies and mutual influences of incident response activities on operations and vice versa. The approach includes the use of a new metric for evaluating the change in operations in coordination with critical thresholds, supporting decision-making during cyber security incident response.

We demonstrate the application of the proposed approach in the context of incident response to a CNI ransomware attack, using a newly developed open-source tool (https://github.com/CardiffUniCOMSC/SecMoF/) and based on a previously-developed, configurable dependency model of a SCADA system.

The talk will discuss the benefits of post-incident reviews and how we can implement them in a better way to enhance overall cyber resilience.

A successful incident is a series of minor misses. This talk will cover how independent post-incident reviews can benefit our security program and IR process by investigating attacks from start to finish. We will discuss the case studies where we will split the successful ransomware breach into pre-incident, during-incident, and post-incident stages. We will delve into the methodology of conducting independent post-incident reviews, identifying flaws and weaknesses across incident stages, and preparing reports for better-informed decisions.

We further explain how the PIR studies may be used for tabletop exercises (TTX), crisis plans, and IR drills.

Operational Technology (OT) includes the software and hardware used to control and monitor industrial processes. Companies using OT operate in many sectors, including water, energy, and transport. Over the past decades, OT’s increased digitalisation and connectivity, along with institutional pressures like regulation, have made OT cybersecurity a necessity, and have encouraged companies using OT to improve their cybersecurity practices.
One socio-technical approach to enhance a company’s cybersecurity is the development of a security culture, aiming to positively affect employees’ cybersecurity attitudes and behaviours, and facilitating the implementation of security management systems. As OT cybersecurity is in its early maturity stages, developing a security culture in OT environments is an ongoing challenge, and little research has been carried out in this area.
As such, we have conducted 72 interviews with practitioners having OT-security related roles from various sectors on the subject of security culture development. Roles include CISOs, OT managers, consultants, security service providers, and regulators from sectors including energy, transport, water, manufacturing, and oil and gas.
Our findings indicate a number of enablers and challenges when it comes to OT security culture development, which are analysed at three different levels: the institutional level, the organisational level, and the operational level. At the institutional level, many OT companies face pressures stemming from regulatory actions and the evolving cybersecurity threat landscape, which shape OT cybersecurity practices. Additionally, the security industry is also influential in these companies’ security culture and practices through the provision of consultancy, services and products.
At the organisational level, our results highlight the role of the senior management in supporting security culture change through their involvement and leadership. Additionally, our analysis shows that most companies face three common organisational barriers between the OT and IT functions responsible for OT cybersecurity: governance and accountability, lack of communication and collaboration, and the lack of OT cybersecurity expertise.
Moving closer to the operational level, our findings demonstrate that the successful development of safety culture in OT companies informs security practitioners’ views with respect to culture development practices. Additionally, our results demonstrate a number of factors that shape OT personnel’s mindsets. These include the prioritisation of other operational values such as safety, operational realities and challenges, and their occupational and educational pathways. In turn, these factors affect how cybersecurity is perceived by OT personnel, and we highlight some common security misperceptions.
Overall, our research has demonstrated various challenges faced by companies using OT at three levels: institutional, organisational, and operational. Namely, it has highlighted how external pressures are highly influential in organisational cybersecurity practices. Finally, by demonstrating the common challenges faced at the intersection of IT and OT with respect to OT cybersecurity, we conclude with some recommendations for OT companies, and avenues for future research.

Behavior-based Secure and Resilient Industrial Control Systems

In this talk, we introduce a design methodology to develop reliable and secure industrial control systems (ICSs) based on the behavior of their computational resources (i.e., process/application) and underlying physical resources (e.g., the controlled plant). The methodology has three independent, but complementary, components that employ novel approaches and techniques in the design of reliable and secure ICSs. First, we introduce reliable-and-secure-by-design development of secure industrial control applications through stepwise sound refinement of an executable specification, employing deductive synthesis to enforce ICS applications’ functional and nonfunctional (e.g., security and safety) properties. Second, we present a runtime security monitor at the middleware level of ICSs that protects ICS operation in the field by comparing the application execution and the application specification execution in real time; the runtime security monitor can be synthesized from the executable specification. Finally, based on the specification, we perform a vulnerability analysis for false data injection (FDI) attacks, which leads to ICS application designs that are resilient to this type of attack. We demonstrate the methodology through its application to a basic and typical ICS example application, describing all the tools used and ARMET. This middleware monitor constitutes the core component of the methodology.

Security vulnerabilities are a major threat to the trustworthiness of systems. A vulnerability is a weakness or flaw in a system’s design, implementation, or configuration that could be exploited by attackers to compromise the confidentiality, integrity, or availability of the system or its data. Vulnerabilities can manifest in various components of a system, including software, hardware, network infrastructure, and human processes. They can range from simple programming errors to complex design flaws. They may be unintentionally introduced during development or result from external factors.

Co-engineering Cyber-Physical Systems (CPS) with explicit safety and cyber-security requirements has been a challenging task despite the significant public and private investment in the recent decade in improving the design process and making it cost-effective. The main problem is the existence of safety and security “silos”, practiced in industry despite the wide recognition that the status quo ought to change. Industrial practice and standardisation do not seem to be improving. Over the last few years, we have seen evidence that practices proven successful at alleviating the impact of silos on the quality of CPS designs are dropped in favour of practices aligned with the current status quo. An example is ISO/SAE 21434, which superseded SAE J3061, and abandoned the “communication points” proposed in J3061 as a light-touch, but mandatory, alignment of the safety and security development processes.
We studied the impact of silos on CPS designs extensively in a number of research and innovation projects (SESAMO, AQUAS, RITICS – I3S and “Intel’s Collaborative Research institute ICRI – SAVe”) and developed in detail a method of “co-engineering” CPS for safety and security based on “interaction points” – points in the development process where safety and security experts are expected to work together and take a holistic view on the designed system conducting a thorough “combined” analysis of the complex (inter)dependencies between accidental faults (in design and operation) and malicious behaviour by adversaries exploiting vulnerabilities in system design.
An essential part of this method is “design space” exploration applying quantification of the system properties of interest, e.g. system safety in the presence of cyber-attacks. Such models are expected to be applied at “interaction points” and to provide the design teams with useful insight about how the design decisions – some taken by the safety and some by the security experts – may affect the system properties of interest. The quantitative methods, supported by suitable tools, encourage the effective communication by the safety and security experts and thus can lead to better designs, reducing the likelihood of serious design faults due to overlooking hazards due to accidental faults and malicious behaviour.
The talk will cover the method of modelling stochastic dependencies between successful attacks and the properties affecting the system’s safety (e.g. reliability of the compromised components). We will present results from applying the method for assessing safety and resilience of critical systems of different complexity under cyber-attacks, ranging from embedded systems (industrial automation, drones used for surveillance) to large interdependent critical infrastructures. Recently, we studied Automated Driving Systems (ADS), too, and the impact of cyber-attacks on ADS perception, an example of a component based on machine learning, and on safety monitors.
We demonstrate that the proposed method might be a useful aid to CPS designers, allowing them to compare quantitatively different system architectures and to select the one which offers the best system properties (e.g. highest system safety under cyber-attacks, etc.). The method allows one to compare the effectiveness of different cyber-controls, too, e.g. IDS/IPS vs. intrusion tolerance with proactive recovery, in a specific system architecture.

The talk is based on a number of publications listed below. The results related to ADS are new and papers with these new results are either under review or at an advanced stage of preparation for submission.

Ransomware does not work in the cyber-physical world because data exfiltration and encryption simply don’t translate to OT. A viable modus operandi for ransomware would be a watershed for OT security. This session will introduce Dead Man’s PLC, an entirely novel technique for ransoming OT networks. Appreciating the practical reality of such an attack can thus better prepare us to counter it.

With the advent of modern smart farming and agritech technology, farms are increasingly becoming an example of a cyber-physical system (CPS). For example, a modern dairy farm will feature internet-of-things (IoT) devices for monitoring animals and fully automated milking parlours. When considering the cyber security of CPS, we often talk about critical national infrastructure (CNI) with a focus on heavy industries such as energy generation, water treatment, and manufacturing, which all have a long history of digitization. Food supply is also considered part of CNI, so it is essential to consider it. A cyber attack on a farm can impact food supply, reduce revenue for farmers, and impact animal welfare. The security of smart farming has not been widely explored, and there is a lack of realistic testbeds that evaluate the security of agritech devices.
In the first part of this talk, we discuss the design of such a testbed, focusing on the dairy farming sector. We provide an overview of the testbed and discuss the challenges and lessons learned during the design and build process.
We then present an overview of the vulnerabilities and security issues that we have so far discovered on the devices within our testbed. In particular, we show the results of a comprehensive analysis of the security of collars used for health monitoring of cows in a smart dairy farm. This is the first practical cyber security analysis of such devices that are currently in use on farms. We have been able to successfully reverse-engineer the wireless protocol and demonstrate the ability to inject false data into the system, posing as one of the sensors. Testing has shown that both the system to receive signals from the sensors and the data endpoint software are vulnerable to data injection.

Additive Manufacturing (AM), more popularly known as 3D printing, is disrupting many manufacturing processes. Nevertheless, the incorporation of AM in industrial processes raises important cybersecurity issues. In this presentation, I will present a comprehensive threat analysis of cyber-attacks on the AM supply chain and suggest some ways to create an effective risk assessment framework to mitigate these kinds of threats.

The presentation includes the following topics:

Introduction to Additive Manufacturing and Cybersecurity: The presentation begins with an overview of AM technology and its applications across various industries. It highlights the current cybersecurity landscape within AM, emphasising the critical need for robust security measures to protect against evolving threats.

Identifying Cyber and Physical Threats in Additive Manufacturing: I conduct a detailed analysis of potential cyber-attacks, including unauthorised access, malware infections, and ransomware attacks. Additionally, the presentation examines physical threats such as tampering with hardware and unauthorised access to production facilities, which can compromise the integrity of AM processes.

Impact of Cyber and Physical Attacks on AM Processes: The presentation assesses the consequences of cyber-attacks on product integrity, production efficiency, and intellectual property. Real-world case studies illustrate the impacts of these incidents on AM operations, providing a clear understanding of the risks involved.

Qualitative and Quantitative Risk Assessment: Through expert-driven assessments, structured interviews, and surveys, we identify prevalent threat vectors and vulnerabilities in AM systems. This qualitative analysis focuses on human, organisational, and technical factors contributing to security risks. The presentation utilises statistical models and simulation techniques to quantify the likelihood and impact of identified threats. This quantitative analysis provides a data-driven basis for risk prioritisation and resource allocation, ensuring a systematic approach to managing risks in the AM supply chain.

Experimental Results: The presentation highlights experimental results focusing on high-impact threats and associated risks. We simulate the risk assessment model using the MITRE dataset, demonstrating the effectiveness of our framework in identifying and mitigating significant threats.

Achievements and Outcomes: Our comprehensive threat analysis and risk assessment framework provide a holistic approach to securing the AM supply chain. By combining qualitative insights with quantitative rigor, we offer practical strategies for identifying, evaluating, and mitigating cyber threats. This research contributes to the broader understanding of cybersecurity in AM and provides actionable recommendations for enhancing the security and resilience of AM operations.

Increased dynamic drone usage has increased complexity in aerial navigation and often demands distributed local deconfliction. Due to the high velocities and few landmarks, robust deconfliction relies on precise positioning and synchronization. However, intentional spoofing attacks aimed at inducing navigation conflicts threaten the reliability of conventional techniques. A baseline on the impact of novel conflict-inducing spoofing attacks has been studied with respect to existing geometric navigation methods. Based on the impact of the attacks on the navigation, a reinforcement learning (RL) strategy is used to counter the effects of spoofing attacks. In order to counter the effect of spoofing in randomized dynamic airspace conditions, a zero-sum action-robust (ZSAR) RL based on a mixed Nash equilibrium objective is utilized. The proposed methodology yields an improved number of conflict-free paths while reducing average conflicts compared to existing state-of-the-art RL strategies, thus making it suitable for deploying autonomous aircraft. The above technique is extended to develop antifragile techniques, in which the continual techniques of policy consolidation and experience sampling are used and the previous experience of dealing with the attacks is considered to anticipate the adaptivity of unknown black-box and white-box attacks, protecting the UAV autonomy from colliding with dynamic obstacles.

This talk will focus on cyber security threats from IoT-enabled energy smart appliances (ESAs) such as smart heat pumps, electric vehicle chargers, etc., to power grid operations. It will present an in-depth analysis of the demand side threats, including (i) an overview of the vulnerabilities in ESAs and the wider risk from the demand-side response (DSR) ecosystem, (ii) key factors influencing the attack impact on power grid operations, (iii) measures to improve the cyber-physical resilience of power grids, putting them in the context of ongoing efforts from the industry and regulatory bodies worldwide.