Article title
Content
Full texts:
Identifiers
Title variants
Publication languages
Abstracts
SCADvanceXP is an industrial network intrusion detection system that inspects and monitors in detail the data exchanged between engineering stations, field devices, controllers, supervisory control and data acquisition (SCADA) systems, and other elements of the operational technology (OT) network. It is designed to detect advanced attacks on industrial infrastructure using rule-based, signature-based, and behavioural detection methods, supported by machine and deep learning models. As a system developed in Poland, it addresses the needs of industry in that region of Europe. The goal of this work was to assess SCADvanceXP’s ability to detect common industrial threats. To that end, its functionality was evaluated against major industrial threats: twelve malware strains that interfere with industrial systems were described, and SCADvanceXP’s functionality was then mapped onto the behavioural and detection markers of each strain, identifying the specific mechanisms in SCADvanceXP that would detect the analysed threat. The results show that SCADvanceXP is able to detect a wide range of attacks on industrial networks, and that its rich functionality can provide a high standard of security. However, a threat that affects systems not directly connected to the industrial network cannot be detected by SCADvanceXP: it monitors only industrial systems, so corporate networks must be protected by a separate solution to reach the required level of security. SCADvanceXP is, after all, dedicated to operating within industrial networks and has no access to regular IT networks. It can be concluded that SCADvanceXP is a specialist tool that provides the desired security for industrial networks.
Publisher
Journal
Year
Volume
Pages
pp. 19–39
Physical description
Bibliography: 54 items; figures, tables.
Authors
- ICT Security Department, Poznań Supercomputing and Networking Center (PSNC), affiliated to the Institute of Bioorganic Chemistry of the Polish Academy of Sciences, Jana Pawła II 10, 61-139 Poznań, Poland; Institute of Computing Science, Poznań University of Technology, Piotrowo 2, 60-965 Poznań, Poland
author
- CTO, ICsec S.A., Wichrowa 1A, 60-449 Poznań, Poland
author
- R&D Department, ICsec S.A., Wichrowa 1A, 60-449 Poznań, Poland
author
- ICT Security Department, Poznań Supercomputing and Networking Center (PSNC), affiliated to the Institute of Bioorganic Chemistry of the Polish Academy of Sciences, Jana Pawła II 10, 61-139 Poznań, Poland; Institute of Computing Science, Poznań University of Technology, Piotrowo 2, 60-965 Poznań, Poland
author
- Data Processing Technologies Division, Poznań Supercomputing and Networking Center (PSNC), affiliated to the Institute of Bioorganic Chemistry of the Polish Academy of Sciences, Z. Noskowskiego 12/14, 61-704 Poznań, Poland
Notes
Record prepared with funds from the Polish Ministry of Science and Higher Education (MNiSW), agreement no. POPUL/SP/0154/2024/02, under the programme "Społeczna odpowiedzialność nauki II" (Social Responsibility of Science II), module: Popularisation of science and promotion of sport (2025).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-aebcdd0b-c1fe-44e3-b5a2-dfd38558cf0f