Digital Industrial Control Systems: Vulnerabilities and Security Technologies

Main Article Content

Ibrahim Adepoju Adeyanju*
Erhovwosere Donald Emake
Olatayo Moses Olaniyan
Elijah Olusayo Omidiora
Temitope Adefarati
Godwin Obruozie Uzedhe
Nnamdi Stephen Okomba

Abstract

Digital Industrial Control Systems (ICS) are complex electromechanical systems composed of   components such as sensors, actuators, programmable logic controllers and communication devices interconnected to perform monitoring and control tasks in different industries. ICS have many and varied applications in critical infrastructures across the globe.  However, security is an important factor for any ICS operation. In recent times, there have been a myriad of security threats and attacks by malicious elements on ICS, which has become a concern to organizations and researchers. The development of internet and communication systems has also exacerbated such security concerns. Activities of these malicious elements on ICS can result in serious disasters in industrial environments, human casualties and financial loss. Every ICS network element should be protected to avoid threats, attacks and maintain safe reliable infrastructure.  Research efforts have been dedicated to improve ICS security for several decades and are still ongoing. This paper reviews ICS threats, vulnerabilities, cyber-physical attacks and security technologies over the last two decades (2000-2019).


 


Keywords: Industrial Control Systems; security; ICS; vulnerabilities; threats; cyber-attack; security technologies

*Corresponding author: Tel.: +234 813 287 6689


                                            E-mail:  ibrahim.adeyanju@fuoye.edu.ng

Article Details

Section
Review Ariticle

References

Coletta, A. and Armando, A., 2015. Security monitoring for industrial control systems. Proceedings of the 1st Conference on Cybersecurity of Industrial Control Systems, CyberICS 2015, and the First Workshop on the Security of Cyber Physical Systems, WOS-CPS 2015, Vienna, Austria, September 2015, LNCS 9588, 48-62.

Hu, Y., Yang, A. Li, H., Sun, Y. and Sun, L, 2018. A survey of intrusion detection on industrial control systems. International Journal of Distributed Sensor Networks, 14(8), https://doi.org/ 10.1177/1550147718794615

Obodoeze, F., Obiokafor, F.N. and Asogwa, T., 2018. SCADA for national critical infrastructures: Review of the security threats, vulnerabilities and countermeasures. International Journal of Trend in Scientific Research and Development, 2(2), 974-982.

Weiss, J., 2010. Protecting Industrial Control Systems from Electronic Threats. New York: Momentum Press.

Hentea, M., 2008. Improving security for SCADA control systems. Interdisciplinary Journal of Information, Knowledge, and Management, 3, 73-86.

Fan, X., Fan, K., Wang, Y. and Zhou, R., 2015. Overview of Cyber-security of Industrial Control System. [online] Available at: http://toc.proceedings.com/27630webtoc.pdf

Cardenas, A.A., Amin, S. and Shankar, S., 2008. Research Challenges for the Security of Control Systems. [online] Available at: https://people.eecs.berkeley.edu/~sastry/pubs/Pdfs% 20of%202008/CardenasResearch2008.pdf

Uchenna, P., Ani, D., Hongmei, M.H. and Tiwari, A., 2016. Review of cybersecurity issues in industrial critical infrastructure; manufacturing inperspective. Journal of Cyber Security Technology,1(1), 32-74.

Stouffer, K., Falco, J. and Scarfone, K., 2013. Guide to industrial control systems (ICS) security, NIST Special Publication 800-82 Revision 1, http://dx.doi.org/10.6028/NIST.SP.800-82r1

Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M. and Hahn, A., 2015. Guide to industrial control systems (ICS) security. NIST Special Publication 800-82 Revision 2, http://dx.doi.org/ 10.6028/NIST.SP.800-82r2

Alcaraz, C. and Zeadally, S. 2013. Critical control system protection in the 21st century. Computer 46(10), 74-83.

Miller, B. and Rowe, D., 2012. A survey of SCADA and critical infrastructure incidents. Proceedings of the 1st Annual conference on Research in information technology, October 2012, 51-56.

Shaw, W.T., 2006. Cybersecurity for SCADA Systems. Tulsa: PennWell Corp.

Sajid, A., Abbas, H. and Saleem, K., 2016. Cloud-assisted IoT-Based SCADA systems security. A review of the state of the art and future challenges. IEEE Access, 4, 1375-1384.

Radvanovsky, A. and McDougall, R., 2009. Critical Infrastructure: Homeland Security and Emergency Preparedness. 2nd ed. Boca Raton: CRC Press.

Hathaway, O.A., Crootof, R., Levitz, P. Nix, H., Nowlan, A., Perdue, W. and Spiegel, J. 2012. The law of cyber-attack. California Law Review, 100(4), 817-885.

Bernard, T., Hsu, T., Perlroth, N. and Lieber, R., 2017. Equifax Says Cyberattack May Have Affected 143 Million in the U.S. [online] Available at: https://www.nytimes.com/2017/ 09/07/business/equifax-cyberattack.html.

Bisson, D., 2017. 10 of the Most Significant Ransomware Attacks of 2017. [online] Available at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/10-significant-ransomware-attacks-2017/

Lu, T., Guo, X., Li, Y., Peng, Y., Zhang, X., Xie, F. and Gao, Y., 2014. Cyberphysical security for industrial control systems based on wireless sensor networks. International Journal of Distributed Sensor Networks, 10(6), 1-17.

Kim, T.H., 2010. Integration of wireless SCADA through the internet. International Journal of Computers and Communications, 4(4), 75-82.

Kovaliuk, D.O., Huza, K.M. and Kovaliuk, O.O., 2018. Development of SCADA system based on web technologies. International Journal of Information Engineering and Electronic Business, 10(2), 25-32.

ENISA, 2007. A Strategic Approach to Protecting SCADA and Process Control. [online] available at: http://documents.iss.net/whitepapers/SCADA.pdf, 2007

Butts, J. and Shenoi, S., 2014. Critical infrastructure protection VIII. Proceeding of the 8th IFIP WG 11.10 International Conference, ICCIP 2014, Arlington, VA, USA, March 17-19, 2014, 65-78.

Anand, S., Sarkar, S. and Rajendra, S., 2012. Application of distributed control system in automation of process industries. International Journal of Emerging Technology and Advanced Engineering,, 2(4), 377-383.

Kiran, A.R., Sundeep, B., Vardhan, S.C. and Mathews, N., 2013. The principle of programmable logic controller and its role in automation. International Journal of Engineering Trends and Technology, 4(3), 500-502.

Wang, C., Liu, M.X.A. and Zhang, J., 2017. The application of PLC control system in oil and gas pipeline transportation. Proceeding of the 2nd International Conference on Mechanical Control and Automation (ICMCA), doi:10.12783/dtetr/icmca2017/12334

Peng, Y., Wang, Y., Xiang, C., Liu, X., Wen, Z., Chen, D. and Zhang, C., 2015. Cyber-physical attack-oriented industrial control systems (ICS) modeling, analysis and experiment environment. 2015 International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 322-326, doi: 10.1109/IIH-MSP.2015.110

National Institute of Standards and Technology, 2016. Framework for Cyber-Physical Systems. Volume 1, Overview. National Institute of Standards and Technology (NIST) Special Publication 1500-201, US Departemnt of Commerce, USA.

Didier, P., Macias, F., Harstad, J., Antholine, R. and Johnston, S.A. 2011. Converged Plantwide Ethernet (CPwE) Design Implementation Guide. [online] Available at: https://belorg.by/wp-content/uploads/rockwell/td/enet-td001_-en-p.pdf

Rao B.S., Chakravarthi, C.V. and Jawahar, A., 2017. Industrial Control Systems Security and Supervisory Control and Data Acquisition (SCADA). International Journal for Modern Trends in Science and Technology, 3(10), 109-118.

Kang, D., Lee, J., Kim, S. and Park, P., 2009. Analysis on cyber threats to scada systems.. 2009 Transmission & Distribution Conference & Exposition: Asia and Pacific, doi: 10.1109/TD-ASIA.2009.5357008.

DHS, 2009. Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, Control Systems Security Program. [online] Available at: https://inldigitallibrary.inl.gov/sites/sti/sti/3375141.pdf

NCSD, 2009. Common Cyber Security Vulnerabilities in Industrial Control Systems. [online] Available at: https://www.us-cert.gov/sites/default/files/recommended_practices/DHS_ Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf

Piscitello, D., 2015. Threats, Vulnerabilities and Exploits-Oh My! [online] available at: https://www.icann.org/news/blog/threats-vulnerabilities-and-exploits-oh-my

Zhu, B. and Shankar, S., 2010. SCADA-specific Intrusion Detection/Prevention Systems: A Survey and Taxonomy. [online] Available at: https://pdfs.semanticscholar.org/1027/2f29fff 747d7efccab3b58d64ffd1112c811.pdf?_ga=2.23427642.1638346716.1598251145-10156915 36.1558354618

ENISA, 2011. Protecting Industrial Control System. Recommendations for Europe and Member States. Heraklion: The European Network and Information Security Agency.

Byres, E., Kay, J. and Carter, J., 2003. The Myths and Facts Behind Cyber Security and Industrial Control. [online] Available at: https://www.controlglobal.com/assets/Media/ Media Manager/ The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf

Sullivan, J.E. and Kamensky, D., 2017. How cyber-attacks in Ukraine show the vulnerability of the U.S. power grid. The Electricity Journal, 30(3), 30-35.

Newman, L.H., 2016. What We Know About Friday’s Massive East Coast Internet Outage. [online] Available at: https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/

Langner, R., 2011. Stuxnet: Dissecting a cyber warfare weapon. IEEE Security Privacy, 9(3), 49-51.

Knapp, E.D. and Langill J.T., 2014. Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. 2nd ed. Amsterdam: Elsevier.

Katina, P.F., Despotou, G., Calida, B.Y., Kholodkov, T. and Keating, C.B., 2014. Sustainability of systems of systems. International Journal of System of Systems Engineering, 5(2), 93-113.

Dewangan, B.K., Agarwal, A. and Venkatadri, M., 2019. Energy-aware autonomic resource scheduling framework for cloud. International Journal of Mathematical, Engineering and Management Sciences, 4(1), 41-55.

Oberoi, P., Mittal, S., Gujral, K.R., 2019. ADRCN: A framework to detect and mitigate malicious Insider Attacks in Cloud-Based environment on IaaS. International Journal of Mathematical, Engineering and Management Sciences, 4(3), 654-670.

Boppana, R.V. and Su, X., 2007. Secure Routing Techniques to Mitigate Insider Attacks in Wireless Ad Hoc Networks. [online] Available at: https://pdfs.semanticscholar.org/ 2885/ 0ddfbf73c09118fd8e14d1c6c1dc34141c74.pdf

Omar, M., Mohammed, D. and Nguyen, V., 2017. Defending against malicious insiders: a conceptual framework for predicting, detecting, and deterring malicious insiders. International Journal of Business Process Integration and Management, 8(2), 114-119.

Gao, J., Chai, S., Zhang, B. and Xia, Y., 2019. Research about DoS attack against ICPS. Sensors, 19(7), 1542, https://doi.org/10.3390/s19071542

Morris, T., Srivastava, A., Reaves, B., Gao, W., Pavurapu, K. and Reddi, R., 2011. A control system testbed to validate critical infrastructure protection concepts. International Journal of Critical Infrastructure Protection, 4(2), 88-103.

Morris, T.H. and Geo, W., 2013. Industrial Control System Cyber Attacks. 1st International Symposium for ICS & SCADA Cyber Security Research (ICSCSR), September 16-17, 22-29.

Silberschatz, A., Galvin, P.B. and Gagne, G., 2013. Operating System Concepts. 9th ed. New Jersey: John Wiley & Sons.

Varalakshmi, P. and Selvi, S.T., 2013. Thwarting DDoS attacks in grid using information divergence. Future Generation Computer Systems, 29(1), 429-441.

Naoum, S., Chehab, A., Elhajj, I. H. and Kayss, I., 2013. Internal security attacks on SCADA systems. Proceeding of the 3rd International Conference on Communications and Information Technology (ICCIT-2013): Digital Information Management & Security, Beirut, 22-27.

Naedele, M., 2007. Addressing IT Security for Critical Control Systems. Proceedings of the 40th Hawaii International Conference on Systems Science (HICSS-40 2007): IEEE Computer Society, Waikoloa, USA, 3-6 January, 2007, 40.

Niland, M., 2003. Computer Virus Brings Down Train Signals. [online] Available at: http://www.informationweek.com/news/13100807.

Roberts, P.F.Z., 2005. PnP Worms Slam 13 DaimlerChrysler Plants. [online] Available at: http://www.eweek.com/c/a/Security/Zotob-PnP-WormsSlam-13-DaimlerChrysler-Plants/

Velagapalli, A. and Ramkumar, M., 2011. Minimizing the TCB for securing SCADA systems. Proceedings of the 7th Annual Workshop on Cyber Security and Information Intelligent Research (CSIIRW'11), October 12-14, 2011. Article No.19, https://doi.org/10.1145/ 2179298.2179319

Heckman, M., Schell, R. and Reed, E., 2011. Using a high assurance TCB for infrastructure security. Proceedings of the 7th Annual Workshop on Cyber Security and Information Intelligence Research-CSIIRW, October 12-14, 2011, Article No. 55, https://doi.org/10.1145/ 2179298.2179359

Hewett, R. and Kijsanayothin, P., 2013. Securing system controllers in critical infrastructures. Proceedings of the 8th Annual Cyber Security and Information Intelligence Research Workshop-CSIIRW, January 2013, 1-4.

Aesec, 2007. GemSeal Guard. [online]. Available at: http://aesec.com/guards/Aesec-GemSeal-SCADAConcept-070220.pdf .

Azimi, M., Sami, A. and Khalili, A., 2014. A security test-bed for industrial control system. Proceedings of the 1st International Workshop on Modern Software Engineering Methods for Industrial Automation- MoSEMInA, New York, 2014, 26-31.

Shahzad, A. and Musa, S.A., 2014. A review: Industrial control system (ICS) and their secuity issues. American Journal of Applied Sciences, 11(8), 1398-1404,

Jie, P. and Li, L., 2012. Analysis of information security for industrial control system. Process Automation Instrumentation, 33(12), 36-39.

Yasakethu, S. and Jiang, J., 2013. Intrusion detection via machine learning for SCADA system protection. Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research. Leicester, UK , September 16, 2013, 101-105.

Valdes, A. and Cheung, S., 2009. Intrusion monitoring in process control systems. Proceedings of the 42nd Hawaii International Conference on System Sciences. Washington, DC., USA, January, 2009, 1-7.

Drias, Z., Serhrouchni, A. and Vogel, O., 2015 . Analysis of cyber security for industrial control systems. 2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC), Shanghai, China, August, 2015, 1-8.

Wang, X., Pang, L., Pei, Q. and Li, X., 2010. A scheme for fast network traffic anomaly detection. 2010 International Conference on Computer Application and System Modeling (ICCASM 2010), Taiyuan, China, 2010, V1-592-V1-596.

Androulidakis, G., Chatzigiannakis, V. and Papavassiliou, S., 2009. Network anomaly detection and classification via opportunistic sampling. IEEE/ACM Transaction on Networking, 23(1), 6-12.

Scheirer, W. and Chuah, M. C., 2008. Syntax vs. semantics: competing approaches to dynamic network intrusion detection. International Journal of Security and Networks, 3(1), 24-35.

Chakraborty, S., Sarkar, S. and Ray, A., 2008. Symbolic identification and anomaly detection in complex dynamical systems. Proceedings for the American Control Conference(ACC), Seattle, USA, 11-13 June, 2008, 2792-2797.

Thottan, M. and Ji, C., 2003. Anomaly detection in IP networks. IEEE Transactions on Signal Processing, 51(8), 2191-2204.

Tan, K. and Maxion, R., 2003. Determining the operational limits of an anomaly-based intrusion detector. IEEE Journal on Selected Areas in Communications, 21(1), 96-110.

Liu, C.-C., Ten, C.-W. and Hong, J., 2011. Anomaly detection for cybersecurity of the substations. IEEE Transactions on Smart Grid, 2(4), 865-873.

Debar, H., Marc, D. and Wespi, A., 2000. A revised taxonomy for intrusiondetection systems. Annales Des Telecommunications, 55(7-8), 361-378.

Mitchell, R., & Chen, I.-R. (2014). A survey of intrusion detection techniques for cyber-physical systems. ACM Computing Surveys, 46(4), 1-29.

Takano, M., 2014. ICS Cybersecurity incident response and the troubleshooting process. Proceedings of the SICE Annual Conference, Hokkaido University, Sapporo, Japan, 827-832.

Conrad, E., Misenar, S. and Feldman, J., 2013. Eleventh Hour CISSP. 2nd ed. Amsterdam: Elsevier.

Ning, P., Cui, Y. and Reeves, D. S., 2002. Constructing Attack Scenarios through Correlation of Intrusion Alerts. Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, D.C., 2002, 245-254.

Bartman, T. and Carson, K., 2016. Securing communications for SCADA and critical industrial systems. 69th Annual Conference for Protective Relay Engineers (CPRE), College Station, TX, USA, April 4-6, 2016, 1-10.

Fielder, A., Li, T. and Hankin, C., 2016. Defense-in-depth vs. critical component defense for industrial control systems. 4th International Symposium for ICS & SCADA Cyber Security Research (ICS-CSR), Queen's Belfast University, UK, August 23-25, 2016, 1-10.