Please use this identifier to cite or link to this item: http://hdl.handle.net/2307/40641
| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | PIZZONIA, MAURIZIO | - |
| dc.contributor.author | GRISCIOLI, FEDERICO | - |
| dc.date.accessioned | 2022-03-30T13:50:48Z | - |
| dc.date.available | 2022-03-30T13:50:48Z | - |
| dc.date.issued | 2019-04-18 | - |
| dc.identifier.uri | http://hdl.handle.net/2307/40641 | - |
| dc.description.abstract | Industrial control systems (ICSs) are changing rapidly to satisfy requests for higher interconnectivity (e.g., connection between enterprise and process zone) and the introduction of additional features that can boost governance (e.g., IT-typical components and data analytics process). This revolution exposes these systems to new infection vectors from which it is challenging to protect, considering the complexity of deploying new components, especially in the process zone. Common protections adopted by ICSs seem not to be effective against innovative attacks (e.g., Advanced Persistent Threats) performed by high-profile and motivated attackers who aim at penetrating target systems with traffic that looks legitimate. An analysis of techniques used by such innovative attacks targeting ICSs suggested that USB thumb drives are effective infection vectors that can be used to bypass the first perimeter of defence and jump directly into the critical part of the system (i.e., critical machines) that has to be carefully protected. Leveraging a USB thumb drive allows attackers to compromise also systems that are strongly isolated by means of an air gap. We propose techniques that, along with traditional defences, can improve the cyber security posture of ICSs. In particular, we show methods and hardware-based solutions that are able to prevent malware infection, including infection due to zero-days, spread through USB thumb drives without changing the usability perceived by end users. We protect both against infection coming from software (e.g., scripts embedded in files) and against modified firmware that aims at impersonating a different USB peripheral such as, for instance, a mouse or a keyboard. We also introduce a methodology and a software architecture, based on the Software Defined Networking paradigm, that allow an ICS operator to use the spare bandwidth that might be available in over-provisioned networks to forward replicas of traffic streams towards a single intrusion detection system placed at an arbitrary location. Furthermore, we present an overview of a solution developed within the context of a European project (Preemptive) devised to improve the cyber security of ICSs by adopting an innovative approach. This solution encompasses several detection and prevention tools. Each of them aims at addressing a specific security aspect and uses data collected in different parts of the system. All data are integrated and correlated in order to decrease false positives and increase the chance of detecting also APT-like attacks. Then, we show a protocol for a key-value storage service that provides ADS-enabled integrity-protected queries and updates without impairing scalability, even in the presence of large network latencies between trusted clients and an untrusted server. This solution could be valuable in the industrial control system context, where many unintelligent devices (e.g., sensors) store data in a remote private cloud. In this case, the integrity of data stored in the cloud is guaranteed while maintaining the possibility of achieving high throughput with limited latency. | en_US |
| dc.language.iso | en | en_US |
| dc.publisher | Università degli studi Roma Tre | en_US |
| dc.subject | CYBERSECURITY | en_US |
| dc.subject | INNOVATIVE DEFENSE | en_US |
| dc.subject | INDUSTRIAL CONTROL SYSTEM | en_US |
| dc.title | CYBERSECURITY OF INDUSTRIAL CONTROL SYSTEM : INNOVATIVE SOLUTIONS TO ENHANCE THE SECURITY POSTURE | en_US |
| dc.type | Doctoral Thesis | en_US |
| dc.subject.miur | Settori Disciplinari MIUR::Ingegneria industriale e dell'informazione::SISTEMI DI ELABORAZIONE DELLE INFORMAZIONI | en_US |
| dc.subject.isicrui | Categorie ISI-CRUI::Ingegneria industriale e dell'informazione::Information Technology & Communications Systems | en_US |
| dc.subject.anagraferoma3 | Ingegneria industriale e dell'informazione | en_US |
| dc.rights.accessrights | info:eu-repo/semantics/openAccess | - |
| dc.description.romatrecurrent | Dipartimento di Ingegneria | * |
| item.languageiso639-1 | other | - |
| item.grantfulltext | restricted | - |
| item.fulltext | With Fulltext | - |
Appears in Collections: X_Dipartimento di Ingegneria
T - Tesi di dottorato
Files in This Item:
| File | Description | Size | Format |
| --- | --- | --- | --- |
| FedericoGriscioliPhDThesis_2019.pdf | | 7.81 MB | Adobe PDF |

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.