A secure fog-based platform for SCADA-based IoT critical infrastructure

The rapid proliferation of Internet of things (IoT) devices, such as smart meters and water valves, into industrial critical infrastructures and control systems has put stringent performance and scalability requirements on modern Supervisory Control and Data Acquisition (SCADA) systems. While cloud computing has enabled modern SCADA systems to cope with the increasing amount of data generated by sensors, actuators, and control devices, there has been a growing interest recently to deploy edge data centers in fog architectures to secure low-latency and enhanced security for mission-critical data. However, fog security and privacy for SCADA-based IoT critical infrastructures remains an under-researched area. To address this challenge, this contribution proposes a novel security “toolbox” to reinforce the integrity, security, and privacy of SCADA-based IoT critical infrastructure at the fog layer. The toolbox incorporates a key feature: a cryptographic-based access approach to the cloud services using identity-based cryptography and signature schemes at the fog layer. We present the implementation details of a prototype for our proposed secure fog-based platform and provide performance evaluation results to demonstrate the appropriateness of the proposed platform in a real-world scenario. These results can pave the way toward the development of a more secure and trusted SCADA-based IoT critical infrastructure, which is essential to counter cyber threats against next-generation critical infrastructure and industrial control systems. The results from the experiments demonstrate a superior performance of the secure fog-based platform, which is around 2.8 seconds when adding five virtual machines (VMs), 3.2 seconds when adding 10 VMs, and 112 seconds when adding 1000 VMs, compared to the multilevel user access control platform.     

SCADA系统信息安全测试床研究进展*

SCADA系统测试床的构建是研究SCADA系统信息安全问题的一项基础性工作,为了构建SCADA系统信息安全测试床,必须充分了解其当前的研究情况.介绍了SCADA系统的结构与组成,分析了各类典型SCADA系统测试床的主要优缺点、关键技术和开发工具,包括全实物复制测试床、半实物仿真测试床、软件联合仿真测试床以及仿真与模拟相结合的混合测试床.最后探讨了SCADA系统信息安全测试床未来的发展方向和有待进一步完善的地方.     

A security and authentication layer for SCADA/DCS applications

Mid 2010, a sophisticated malicious computer worm called Stuxnet targeted major ICS systems around the world causing severe damages to Siemens automation products. Stuxnet proved its ability to infect air-gapped-segregated critical computers control system. After this attack, the whole ICS industry security was thrust into spotlight. Automation suppliers have already started to re-think their business approach to cyber security. The OPC foundation have made also significant changes and improvements on its new design OPC-UA to increase security of automation applications but, what is still missing and seems to be not resolved any time soon is having security in depth for industrial automation applications. In this paper, we propose a simple but strong security control solution to be implemented as a logic level security on SCADA and DCS systems. The method presented in this work enforces message integrity to build trusts between DCS system components, but it should not be viewed as the main nor the only protection layer implemented on an industrial automation system. The proposed solution can be viewed as a low-level security procedure to avoid malicious attacks such as Stuxnet.     

An open virtual testbed for industrial control system security research

Industrial control system security has been a topic of scrutiny and research for several years, and many security issues are well known. However, research efforts are impeded by a lack of an open virtual industrial control system testbed for security research. This paper describes a virtual testbed framework using Python to create discrete testbed components including virtual devices and process simulators. The virtual testbed is designed such that the testbeds are inter-operable with real industrial control system devices and such that the virtual testbeds can provide comparable industrial control system network behavior to a laboratory testbed. Two virtual testbeds modeled upon actual laboratory testbeds have been developed and have been shown to be inter-operable with real industrial control system equipment and vulnerable to attacks in the same manner as a real system. Additionally, these testbeds have been quantitatively shown to produce traffic close to laboratory systems.     

Secure SCADA framework for the protection of energy control systems

Energy distribution systems are becoming increasingly widespread in today's society. One of the elements that are used to monitor and control these systems are SCADA (Supervisory Control and Data Acquisition) systems. In particular, these control systems and their complexities, together with the emerging use of the Internet and wireless technologies, bring new challenges that must be carefully considered. Examples of such challenges are the particular benefits of the integration of those new technologies, and also the effects they may have on the overall SCADA security. The main task of this paper is to provide a framework that shows how the integration of different state‐of‐the‐art technologies in an energy control system, such as wireless sensor networks, mobile ad hoc networks, and the Internet, can bring some interesting benefits, such as status management and anomaly prevention, while maintaining the security of the whole system. Copyright © 2010 John Wiley & Sons, Ltd.     

QoS guaranteeing robust scheduling in attack resilient cloud integrated cyber physical system

In this paper, we propose a security framework based on the semi-network form game in unison with a robust and attack resilient scheduling mechanism for a cloud integrated Cyber Physical System (CPS). As CPS moves from the traditional Sensing Control and Data Acquisition (SCADA) systems with limited on-board processing units, the need to use cloud computing arises owing to the ever increasing processing demands of heterogeneous CPS applications. In such systems, system stability and critical operational capability have the highest priority. This multi-system coupling can have security vulnerabilities which can cripple the speed and effectiveness of data processing, which is unacceptable in time and resource critical CPS applications owing to the need for satisfying the stringent Quality of Service (QoS) requirements. Therefore, a robust scheduling mechanism invulnerable to security attacks is needed to efficiently utilize the scalable processing components as provided by a cloud computing platform. However, scalability brought in by the cloud integration and data migration increases the attack space of an attacker due to an increase in available access points. To address this issue, we developed a new method of learning procedure using Bayesian Networks for the semi-network form game to aid our scheduling algorithm. We employ game theoretic principles to proactively understand the behavior of an attacker based on the strategic decisions made by the defender. This helps us in building a robust scheduling mechanism that schedules tasks based on the decisions made from the output of the game.     

A novel framework for software defined based secure storage systems

The Software Defined Systems (SDSys) paradigm has been introduced recently as a solution to reduce the overhead in the control and management operations of complex computing systems and to maintain a high level of security and protection. The main concept behind this technology is around isolating the data plane from the control plane. Building a Software Defined System in a real life environment is considered an expensive solution and may have a lot of risks. Thus, there is a need to simulate such systems before the real-life implementation and deployment. In this paper we present a novel experimental framework as a virtualized testbed environment for software defined based secure storage systems. Its also covers some related issues for large scale data storage and sharing such as deduplication. This work builds on the Mininet simulator, where its core components, the host, switch and the controller, are customized to build the proposed experimental simulation framework. The developed emulator, will not only support the development and testing of SD-based secure storage solutions, it will also serve as an experimentation tool for researchers and for benchmarking purposes. The developed simulator/emulator could also be used as an educational tool to train students and novice researchers.     

On the use of open-source firewalls in ICS/SCADA systems

ABSTRACT

Firewalls are one of the most widely used security devices to protect a communications network. They help secure it by blocking unwanted traffic from entering or leaving the protected network. Several commercial vendors have extended their firewall capabilities to support SCADA protocols or designed SCADA-specific firewalls. Although open-source firewalls are used successfully in IT networks, their use in SCADA networks has not been properly investigated. In this research we investigate the major open-source firewalls for their use in SCADA networks and identify Linux iptables’ potential as an effective SCADA firewall. Iptables is a powerful open-source firewall solution available as part of most Linux distributions in use today. In general, use of iptables as a network-level firewall for SCADA systems has been limited to basic port and host filtering, without further inspection of control messages. We propose and demonstrate a novel methodology to use iptables as an effective firewall for SCADA systems. This is achieved by utilizing advanced iptables features that allow for dynamic inspection of packet data. It is noteworthy to mention that the proposed solution does not require any modification to the netfilter/iptables framework, making it possible to turn a Linux system into an effective SCADA firewall. The approach has been tested by defining filtering rules for the Modbus TCP protocol and validating its ability to defend against various attacks on the protocol.     

Energy Optimization of Security-Critical Real-Time Applications with Guaranteed Security Protection

Designing energy-efficient applications has become of critical importance for embedded systems, especially for battery-powered systems. Additionally, the emerging requirements on both security and real-time make it much more difficult to produce ideal solutions. In this work, we address the emerging scheduling problem existed in the design of secure and energy-efficient real-time embedded systems. The objective is to minimize the system energy consumption subject to security and schedulability constraints. Due to the complexity of the problem, we propose a dynamic programming based approximation approach to find efficient solutions under given constraints. The proposed technique has polynomial time complexity which is half of existing approximation approaches. The efficiency of our algorithm is validated by extensive experiments and a real-life case study. Comparing with other approaches, the proposed approach achieves energy-saving up to 37.6% without violating the real-time and security constraints of the system.     

一种通用安全攻击测试平台

目前针对缓冲区溢出和格式化字符串漏洞攻击已经提出了很多种解决方法。然而到目前为止,几乎没有一种方法可以解决所有的缓冲区漏洞攻击,绝大多数的方法只能够防范某一些方面的漏洞攻击。另一方面针对已经存在的防范方法缺乏统一的评价标准,没有一种通用的测试程序可以评估所有的安全防范方法的防范效果。为此,论文提出并实现了一个相对完善的通用的安全攻击测试平台,通过它可以测试各种缓冲区溢出防范方法的防范效果。     

TREET: the Trust and Reputation Experimentation and Evaluation Testbed

To date, trust and reputation systems have often been evaluated using methods of their designers’ own devising. Recently, we demonstrated that a number of noteworthy trust and reputation systems could be readily defeated, revealing limitations in their original evaluations. Efforts in the trust and reputation community to develop a testbed have yielded a successful competition platform, ART. This testbed, however, is less suited to general experimentation and evaluation of individual trust and reputation technologies. In this paper, we present TREET, an experimentation and evaluation testbed based directly on that used in our investigations into security vulnerabilities in trust and reputation systems for marketplaces. We demonstrate the advantages of TREET, towards the development of more thorough, objective evaluations of trust and reputation systems.     

SCADA security in the light of Cyber-Warfare

Supervisory Control and Data Acquisition (SCADA) systems are deployed worldwide in many critical infrastructures ranging from power generation, over public transport to industrial manufacturing systems. Whilst contemporary research has identified the need for protecting SCADA systems, these information are disparate and do not provide a coherent view of the threats and the risks resulting from the tendency to integrate these once isolated systems into corporate networks that are prone to cyber attacks. This paper surveys ongoing research and provides a coherent overview of the threats, risks and mitigation strategies in the area of SCADA security.     

Real Time Automation and Ratio Control Using PLC & SCADA in Industry 4.0

Industrial Control Systems (ICS) and SCADA (Supervisory Control and Data Acquisition) systems play a critical role in the management and regulation of critical infrastructure. SCADA systems brings us closer to the real-time application world. All process and equipment control capability is typically provided by a Distributed Control System (DCS) in industries such as power stations, agricultural systems, chemical and water treatment plants. Instead of control through DCS, this paper proposes a SCADA and PLC (Programmable Logic Controller) system to control the ratio control division and the assembly line division inside the chemical plant. A specific design and implementation method for development of SCADA/PLC based real time ratio control and automated assembly line system in a chemical plant is introduced. The assembly line division is further divided into sorting stage, filling stage and the auxiliary stage, which includes the capping unit, labelling unit and then the storage. In the ratio control division, we have defined the levels inside the mixer and ratio of the raw materials through human machine interface (HMI) panel. The ratio of raw materials is kept constant on the basis of flow rates of wild stream and manipulated stream. There is a flexibility in defining new levels and the ratios of the raw materials inside the mixer. But here we taken the predefined levels (low, medium, high) and ratios (3:4, 2:1, 2:5). Control valves are used for regulating the flow of the compositions. In the assembly line division, the containers are sorted on the basis of size and type of material used i.e., big sized metallic containers and small sized non-metallic containers by inductive and capacitive proximity sensors. All the processes are facilitated with laser beam type or reflective type sensors on the conveyor system. Building a highly stable and dependable PLC/SCADA system instead of Distributed Control System is required to achieve automatic management and control of chemical industry processes to reduce waste manpower and physical resources, as well as to improve worker safety.     

Physical process resilience-aware network design for SCADA systems

The fact that modern Supervisory Control And Data Acquisition (SCADA) systems depend omunication Technologies (ICT), is well known. Although many studies have focused on the security of these systems, today we still lack an efficient method to design resilient SCADA systems. In this paper we propose a novel network segmentation methodology that separates control hardware regulating input product flows from control hardware regulating output product flows of the associated industrial processes. Consequently, any disturbances caused by compromised network segments could be compensated by legitimate control code running on non-compromised segments. The proposed method consists of a graph-based representation of the physical process and a heuristic algorithm which generates network designs with a minimum number of segments that satisfy a set of conditions provided by a human expert. The validity of the approach is confirmed by results from two attack scenarios involving the Tennessee–Eastman chemical process.     

B2B collaboration through web services-based multi-agent system

Web services open a door for better B2B collaboration in large distributed environment such as Internet. Process-oriented systems like workflow management systems have been taking the main role for web service-based B2B collaboration in such an environment. However, conventional workflow management systems don’t offer complete solutions for B2B collaborations considering many unsolved issues such as security, trust and complex and flexible interaction handling. In this paper, we propose a web service-based multi-agent platform, which can be used as a complementary solution for B2B collaborations. It fits naturally into the B2B interaction model and provides a very loosely coupled open system architecture.     

Secured cloud SCADA system implementation for industrial applications

The proposed Remote SCADA System (RSS) is a smarter, faster and more reliable way to control high power machines and monitor their sensors, data, and failures. The proposed system focuses mainly on building our own complete SCADA software and not using open-source SCADA software. The proposed RSS can use unlimited number of added Remote Terminal Units (RTU) nodes and each of them can handling unlimited number of input/output and can be used under different operating systems like Windows and Android. Using RSS all machines can be monitored and controlled by a single click from anywhere at any time. By doing this a real-time response from RSS system can be achieved. It’s mainly based on standard communication techniques between remote nodes and single server-side application that talk to each node with its own ID and modify its instant database. So that every time accessing this web application, a real-time access to these nodes data and a virtual control room controls each General Purpose Input/Output (GPIO) in the selected node can be gotten. When a new event is happened in server-side program, it will be broadcasted to all related. On RSS there are two main points to deal with, the request latency and security of the system. This paper studied how the system latency and security are improved to obtain the needed values. The proposed RSS is a very secure program which have 4 security levels; authentication, authorization, RSA and CBC encryption system. Also, the encryption algorithms used in RSS are RSA and CBC block cipher encryption system. It is mixed way to prevent any attacker from breaking the cipher. First of all, RSA generates the public and private keys, and then CBC generates its Initialization vector and a random encryption key. Then a special function sends all of these keys encrypted with a pre-stored token in the data base and node memory which varied from node to another. Finally, node generates its private key from loaded public key. With this combination the speed of symmetric encryption system and the security of asymmetric encryption system can be achieved. On the other hand, the level of security firewalls needed to be Brocken by the attacker to brock the cipher is increased. The proposed system achieved low cost comparing with reported work; it is lower than Arduino + WIFI method by five times and 13 times lower than Raspberry-PI method. The proposed system is applied in educational systems, where it is used for teaching unlimited number of students Online.

     

面向访问验证保护级的安全VMM形式化原型系统设计和实现

操作系统是计算机软件系统的基础,具有控制逻辑复杂、安全性和可靠性要求高等特点。在国内外高等级安全操作系统的规范和标准中,都提出了对内核进行形式化规范和验证的要求。近年来国内相关研究机构相继开发了满足GB 17859-1999“强制访问控制级”和“结构化保护级”的安全操作系统原型,但对更高级别的安全操作系统的研发尚属空白。在“面向访问验证保护级安全操作系统”课题的研究中,设计并实现了一个基于Haskell的安全VMM原型系统—CASVisor.CASVisor严格定义了系统的形式化规范,可用于指导高性能的C程序的实现,并为形式化的分析和验证打下基础,同时CASVisor具备模拟功能,以便实施基于快速原型的开发方法。     

A testbed for performance evaluation of load‐balancing strategies for Web server systems

To improve response time of a Web site, one replicates the site on multiple servers. The effectiveness of a replicated server system will depend on how the incoming requests are distributed among replicas. A large number of load‐balancing strategies for Web server systems have been proposed. In this paper we describe a testbed that can be used to evaluate the performance of different load‐balancing strategies. The testbed uses a general architecture which allows different load‐balancing approaches to be supported easily. It emulates a typical World Wide Web scenario and allows variable load generation and performance measurement. We have performed some preliminary experiments to measure the performance of a few policies for load balancing using this testbed. Copyright © 2003 John Wiley & Sons, Ltd.     

RPKI中CA资源分配风险及防护技术

边界网关协议在安全方面存在严重的缺陷,容易导致路由劫持这一互联网安全威胁. 为此,国际互联网工程任务组提出了资源公钥基础设施（Resource Public Key Infrastructure,RPKI）以防止路由劫持的发生. 然而随着RPKI技术的发展及其在全球范围内的部署,与RPKI中认证权威相关的安全问题逐渐突显,并受到广泛关注. 对RPKI中认证权威的资源分配过程进行研究分析,通过实验测试,验证了认证权威在资源分配的过程中资源重复分配和未获授权资源分配两种潜在的安全风险,并分析了两种风险对资源持有者可能造成的不良影响. 此外,针对这两种安全风险,提出并实现了一种用于保证RPKI中认证权威资源分配安全性和准确性的“事前控制”机制,该机制可以有效地防止资源重复分配和未获授权资源分配两种操作风险的发生,减少了由于认证权威的错误操作所导致的故障恢复等待时间. 最后,通过进一步的实验测试,验证、分析了这种“事前控制”机制的有效性和可行性.     

Distributed data mining on Agent Grid: Issues,platform and development toolkit

Centralized data mining techniques are widely used today for the analysis of large corporate and scientific data stored in databases. However, industry, science, and commerce fields often need to analyze very large datasets maintained over geographically distributed sites by using the computational power of distributed systems. The Grid can play a significant role in providing an effective computational infrastructure support for this kind of data mining. Similarly, the advent of multi-agent systems has brought us a new paradigm for the development of complex distributed applications. During the past decades, there have been several models and systems proposed to apply agent technology building distributed data mining (DDM). Through a combination of these two techniques, we investigated the critical issues to build DDM on Grid infrastructure and design an Agent Grid Intelligent Platform as a testbed. We also implement an integrated toolkit VAStudio for quickly developing agent-based DDM applications and compare its function with other systems.