TY - GEN
T1 - Characterization of Cyberattacks Aimed at Integrated Industrial Control and Enterprise Systems
T2 - 17th IEEE International Symposium on High Assurance Systems Engineering, HASE 2016
AU - Borges Hink, Raymond C.
AU - Goseva-Popstojanova, Katerina
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/3/1
Y1 - 2016/3/1
N2 - Industrial control system (ICS) security has been a topic of research for several years now and the growing interconnectedness with enterprise systems (ES) is exacerbating the existing issues. Research efforts, however, are impeded by the lack of data that integrate both types of systems. This paper presents an empirical analysis of malicious activities aimed at an integrated ICS and ES environment using the dataset created and released by the SANS Institute. The contributions of our work include classification of the observed malicious activities according to several criteria, such as the number of steps (i.e., single-step vs. multi-step), targeted technology (i.e., ICS, ES or both), types of cyber-probes and cyberattacks (e.g., port scan, vulnerability scan, information disclosure, code injection, and SQL injection), and protocols used. In addition, we quantified the severity of the attacks' impact on systems. The main empirical findings include: (1) More sophisticated multi-step attacks which leveraged multiple vulnerabilities had a higher success rate and led to more severe consequences than single-step attacks, (2) Most malicious cyber activities targeted the embedded servers running on ICS devices rather than the ICS protocols. Specifically, cyber activities based only on ICS protocols accounted for a mere 2% of the total malicious traffic. We conclude the paper with a description of a sample of cybersecurity controls that could have prevented or weakened most of the observed attacks.
KW - Attack characterization
KW - Enterprise system security
KW - Industrial control system security
KW - SCADA testbed
KW - Severity
UR - http://www.scopus.com/inward/record.url?scp=84962891391&partnerID=8YFLogxK
U2 - 10.1109/HASE.2016.49
DO - 10.1109/HASE.2016.49
M3 - Conference contribution
AN - SCOPUS:84962891391
T3 - Proceedings of IEEE International Symposium on High Assurance Systems Engineering
SP - 149
EP - 156
BT - Proceedings - 17th IEEE International Symposium on High Assurance Systems Engineering, HASE 2016
A2 - Babiceanu, Radu
A2 - Waeselynck, Helene
A2 - Xu, Jie
A2 - Paul, Raymond A.
A2 - Cukic, Bojan
PB - IEEE Computer Society
Y2 - 7 January 2016 through 9 January 2016
ER -