

This is an article translated by Priscilla from English to Dutch; the original text is from uclouvain.be, https://uclouvain.be/en/research-institutes/icteam/ingi/news/a-two-level-intrusion-detection-system-for-industrial-control-system-networks-using-p4-overview.html, published on September 01, 2018.

Industrial control systems (ICS) can be defined as all systems used to monitor and control industrial processes, such as those in power plants or water treatment plants. They are usually composed of several subnetworks, each with its own purpose. The corporate network is where the business side of the company resides; the control network is where the Master Terminal Unit, responsible for monitoring and control, resides; and the field network includes the Programmable Logic Controllers (PLCs) connected to the actuators and sensors that interact with the physical world.


Historically, ICS were isolated, proprietary systems, but today they have evolved into highly interconnected systems that depend on IP-based network components. This transition led to the discovery of many vulnerabilities in ICS networks. ICS network protocols were originally proprietary, so the only security they offered was security through obscurity: they had no security mechanisms such as authentication or encryption. Although they have since been adapted to IP technologies, this is still the case.



By their nature, ICS networks have constraints that complicate the way they can be secured. For example, they require extreme availability, so patching and updating equipment is difficult, to the extent that many ICS run outdated hardware and software. This is one of the reasons why a network-based intrusion detection system (IDS) is a favoured solution for researchers: it requires no modification of the end hosts (e.g. PLCs).


In the original article we proposed a two-level intrusion detection system. Our IDS uses the whitelisting approach, which consists of a list of allowed communications, together with Software Defined Networking (SDN), a networking paradigm in which routing decisions are made by a centralised unit called the controller rather than by the network devices themselves.



A Two-level Intrusion Detection System for Industrial Control System Networks using P4

Published on September 01, 2018







The world has changed dramatically in the last 20 years. Nearly everything is driven by digital systems. This has made our systems easier to control, more precise and easier to communicate with, but has also made them more vulnerable.


Imagine this scenario. Two nations are at war. One nation has the capability to manipulate and even DoS (Denial of Service) the other's industrial infrastructure such as the electrical grid, water and sewage systems, oil refineries, etc. How long can a nation and war effort be sustained without these critical services? An even scarier scenario can be imagined where manipulation and control of these industrial systems could itself become a weapon. How many people would die if a pressure valve in an oil refinery or nuclear power plant were controlled remotely and maliciously?


SCADA/ICS is Different

Most of us in the field of cyber security are accustomed to working with traditional IT systems. These systems use TCP/IP and the other protocols of that suite, such as UDP, DNS, SMB and SMTP. The protocols used by SCADA/ICS systems are different. SCADA/ICS protocols were originally developed to run over serial connections and use different packet formats and systems for internal communication. Most have now been ported to communicate over TCP/IP externally, but internally they use such obscure protocols as MODBUS, DNP3, OPC, PROFINET, etc.


If you are to protect or attack these systems you must be familiar with these protocols and the specialized tools for working with them. For instance, because the packets are different, most off-the-shelf perimeter defense systems such as IDSs won't work in a SCADA/ICS environment, and most AV software is ineffective at detecting attacks against them.
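The two-level, whitelist-based IDS summarised in the translated article above and the point made here that ICS traffic such as Modbus needs its own parsing are illustrated by the following added example; it is not code from the UCLouvain paper or from any source this page links. Level one emulates in Python the flow whitelist a P4 switch could enforce on IP/port headers; level two parses the Modbus/TCP MBAP header (transaction id, protocol id, length, unit id, followed by the function code) and checks unit id and function code against a per-flow policy. The addresses, whitelist entries and frames are constructed for the demo.

```python
"""Two-level whitelist IDS over Modbus/TCP (added example, not the paper's code)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Modbus/TCP MBAP header: transaction id (2), protocol id (2, always 0),
# length (2, counts unit id + function code + payload), unit id (1).
MBAP_FORMAT = ">HHHB"
MBAP_LEN = struct.calcsize(MBAP_FORMAT)  # 7 bytes
MODBUS_PORT = 502


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(data: bytes) -> ModbusFrame:
    """Parse the MBAP header plus function code; raise ValueError on malformed input."""
    if len(data) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(MBAP_FORMAT, data[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(data) - 6:  # the first 6 header bytes are not counted in length
        raise ValueError(f"length field {length} does not match {len(data) - 6} bytes")
    return ModbusFrame(tid, uid, data[MBAP_LEN], data[MBAP_LEN + 1:])


def build_frame(tid: int, uid: int, fc: int, payload: bytes) -> bytes:
    """Construct a Modbus/TCP request (used only to generate the demo traffic)."""
    return struct.pack(MBAP_FORMAT, tid, 0, 2 + len(payload), uid) + bytes([fc]) + payload


# Level 1 (what a P4 data plane could match on): allowed (src, dst, dport) flows.
# Constructed topology: 10.0.0.10 is the MTU, 10.0.0.20 and 10.0.0.21 are PLCs.
FLOW_WHITELIST = {
    ("10.0.0.10", "10.0.0.20", MODBUS_PORT),
    ("10.0.0.10", "10.0.0.21", MODBUS_PORT),
}

# Level 2 (controller-side deep inspection): per-flow (unit ids, function codes).
# PLC .20 is read-only from the MTU (fc 3/4 = read registers);
# PLC .21 also accepts writes (fc 6/16 = write single/multiple registers).
DEEP_WHITELIST = {
    ("10.0.0.10", "10.0.0.20", MODBUS_PORT): ({1}, {3, 4}),
    ("10.0.0.10", "10.0.0.21", MODBUS_PORT): ({1}, {3, 4, 6, 16}),
}


def inspect_packet(src: str, dst: str, dport: int, payload: bytes) -> Tuple[str, Optional[str]]:
    """Return (verdict, reason): DROP at level 1, ALERT at level 2, otherwise ALLOW."""
    key = (src, dst, dport)
    if key not in FLOW_WHITELIST:
        return "DROP", f"level1: flow {src}->{dst}:{dport} not whitelisted"
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        return "ALERT", f"level2: malformed Modbus/TCP frame ({err})"
    unit_ids, function_codes = DEEP_WHITELIST[key]
    if frame.unit_id not in unit_ids:
        return "ALERT", f"level2: unit id {frame.unit_id} not allowed on this flow"
    if frame.function_code not in function_codes:
        return "ALERT", f"level2: function code {frame.function_code} not allowed on this flow"
    return "ALLOW", None


# Constructed traffic: (src, dst, dport, bytes on the wire)
DEMO_TRAFFIC = [
    ("10.0.0.10", "10.0.0.20", 502, build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),  # read 10 registers
    ("10.0.0.10", "10.0.0.20", 502, build_frame(2, 1, 6, b"\x00\x05\x00\x01")),  # write to read-only PLC
    ("10.0.0.99", "10.0.0.20", 502, build_frame(3, 1, 3, b"\x00\x00\x00\x0a")),  # unknown source host
    ("10.0.0.10", "10.0.0.21", 502, build_frame(4, 1, 6, b"\x00\x05\x00\x01")),  # permitted write
    ("10.0.0.10", "10.0.0.21", 502, b"\x00\x05\x00\x00\x00\x06\x01"),            # truncated frame
]


def run_whitelist_demo():
    """Inspect the constructed traffic and return the list of (verdict, reason)."""
    return [inspect_packet(*pkt) for pkt in DEMO_TRAFFIC]


if __name__ == "__main__":
    for (src, dst, dport, _), (verdict, reason) in zip(DEMO_TRAFFIC, run_whitelist_demo()):
        print(f"{verdict:5s} {src}->{dst}:{dport} {reason or ''}")
```

Splitting the check this way mirrors the two levels: the header match is cheap enough to run at line rate in the switch, while function-code policy and malformed-frame handling stay at the controller, where an alert can be raised without touching the PLC.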

to be continued

Each of the many industries included in this broad category of SCADA/ICS is seeking people with the knowledge and skill to protect their valuable systems.


Setting Yourself Apart

It is useful to know what people to approach and who to avoid. For example, secretaries often know a lot about what is happening in a company. Their knowledge can be of tremendous value. However, because they know a lot about what is happening in the company, a good story that is well supported is a prerequisite when you approach them. Complete improvisation may be like a game of Russian roulette and result in a premature and undesired end of the test. 


https://www.compact.nl/articles/social-engineering-the-art-of-deception/

https://www.phoenixcontact.com/online/portal/us?1dmy&urile=wcm%3apath%3a/usen/web/main/resources/subcategory_pages/White_papers/8c36d5e0-334d-4d28-9f86-dd2d69cbd334


to be continued



PLCBlockMon: Data Logging and Extraction on PLCs for Cyber Intrusion Detection

https://ewic.bcs.org/upload/pdf/ewic_icscsr18_paper4.pdf

https://uclouvain.be/en/research-institutes/icteam/ingi/news/a-two-level-intrusion-detection-system-for-industrial-control-system-networks-using-p4-overview.html


POWER STORAGE PROTECTION FRAMEWORK 

PSP is an infinite-horizon two-player zero-sum Partially Observable Stochastic Game (zs-POSG) with one-sided partial observability. We fix the attacker's strategy and model the problem as a POMDP (Chen, J., & Zhu, Q. 2017) from the perspective of the defender. The main idea behind this approach is that the defender does not act if there is no contingency: if the system is working fine, the defender performs NO ACTION. The model is partially observable because the defender does not know the true state of the system; he does not know which attacks are happening. The game is zero-sum because the attacker wants to perform attacks that destabilize the power grid and maximize the defender's cost. For each attacker action, the defender performs an action that incurs some cost, and the defender wants to decide, at every time step, which action stabilizes the grid and minimizes that cost.

Figure: PSP POMDP model

Smart Grid, Distributed Generation, Security Planning, Cyber-Physical Security, Energy Storage Systems
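The defender-side POMDP described above, as an added example that is not the authors' model or code: two hidden states (normal, attacked), two defender actions including NO ACTION, two observations, and a Bayes-filter belief update after each observation. The action is chosen by one-step expected-cost minimisation, which is a simplification of solving the infinite-horizon game; the transition, observation and cost numbers are constructed and the fixed attacker strategy is baked into the transition matrix.

```python
"""Defender-side POMDP belief tracking for the PSP setting (added example)."""
from typing import List, Sequence, Tuple

# Hidden states of the storage/grid subsystem.
NORMAL, ATTACKED = 0, 1
# Defender actions: the paper's NO ACTION plus one protective response.
NO_ACTION, RESPOND = "NO_ACTION", "RESPOND"
ACTIONS = (NO_ACTION, RESPOND)
# Observations available to the defender (one-sided partial observability:
# the attacker knows the true state, the defender only sees measurements).
NOMINAL, ANOMALOUS = 0, 1

# TRANSITION[a][s][s2]: constructed numbers encoding a fixed attacker strategy
# (10% chance an attack starts each step; RESPOND clears an ongoing attack 80% of the time).
TRANSITION = {
    NO_ACTION: [[0.9, 0.1], [0.1, 0.9]],
    RESPOND:   [[0.9, 0.1], [0.8, 0.2]],
}
# OBSERVATION[s2][o]: constructed sensor model; anomalies are mostly seen under attack.
OBSERVATION = [[0.9, 0.1], [0.2, 0.8]]
# COST[a][s]: doing nothing under attack is expensive, responding needlessly costs a little.
COST = {NO_ACTION: [0.0, 10.0], RESPOND: [2.0, 3.0]}


def expected_cost(belief: Sequence[float], action: str) -> float:
    """Expected immediate cost of an action under the current belief."""
    return sum(b * c for b, c in zip(belief, COST[action]))


def choose_action(belief: Sequence[float]) -> str:
    """Myopic rule: pick the action with the lowest expected immediate cost.
    With b = P(attacked) = 0 this yields NO ACTION, as the model intends."""
    return min(ACTIONS, key=lambda a: expected_cost(belief, a))


def update_belief(belief: Sequence[float], action: str, obs: int) -> List[float]:
    """Bayes filter: predict through the transition model, then condition on the observation."""
    predicted = [sum(belief[s] * TRANSITION[action][s][s2] for s in range(2)) for s2 in range(2)]
    unnormalised = [predicted[s2] * OBSERVATION[s2][obs] for s2 in range(2)]
    total = sum(unnormalised)
    if total == 0.0:
        raise ValueError("observation has zero probability under the model")
    return [u / total for u in unnormalised]


def run_episode(observations: Sequence[int],
                initial: Sequence[float] = (1.0, 0.0)) -> List[Tuple[str, float]]:
    """Act, transition, observe, update; return (action, P(attacked) after update) per step."""
    belief = list(initial)
    trace = []
    for obs in observations:
        action = choose_action(belief)
        belief = update_belief(belief, action, obs)
        trace.append((action, belief[ATTACKED]))
    return trace


if __name__ == "__main__":
    # Constructed observation sequence: two quiet steps, two anomalies, then quiet again.
    for step, (action, p_att) in enumerate(run_episode([NOMINAL, NOMINAL, ANOMALOUS, ANOMALOUS, NOMINAL]), 1):
        print(f"t={step}: {action:9s} P(attacked)={p_att:.3f}")
```

With these costs the defender switches from NO ACTION to RESPOND once P(attacked) exceeds 2/9, since 10·b is then larger than 2·(1 − b) + 3·b; the run shows the belief staying low through nominal observations, jumping after the first anomaly, and decaying again once the response takes effect and measurements return to nominal.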