Emmanuele Zambon

Assistant Professor

Eindhoven University of Technology

Biography

I am an Assistant Professor at the Security Group of the Eindhoven University of Technology, in the Netherlands. I investigate the security of Industrial Control Systems (ICS) to improve their defense capabilities. My research focuses in the areas of network intrusion detection and incident response. I collaborate with the Eindhoven Security Hub Security Operations Center initiative.

I was one of the three founders of the spin-off SecurityMattters, with the goal of bringing to the market SilentDefense, a platform for network monitoring, asset inventory and network intrusion detection for Industrial Control Systems. At SecurityMatters I served as the CTO, and I was responsible of the company’s R&D.

Download my resumé.

Interests

Industrial Control System Security
Intrusion Detection

Education

PhD in Computer Science, 2011
University of Twente
MSc in Computer Science, 2005
Ca’ Foscari University of Venice
BSc in Computer Science, 2002
Ca’ Foscari University of Venice

Experience

Researcher

Eindhoven University or Technology

Jan 2021 – Present Eindhoven

Sr. Director of OT Technology

Forescout Technologies BV

Nov 2018 – Dec 2020 Eindhoven

Responsibilities include:

Senior advisor for product architecture and engineering.
Supervision of a team of elite engineers (6 engineers).
Network security and operation analysis for top customers.
Analysis of Industrial Control System network protocols and vulnerabilities.
Product development of OT technology support and of new detection mechanisms.

CTO

SecurityMatters BV

Jan 2011 – Nov 2018 Eindhoven

Responsibilities include:

Research and engineering of new and cutting edge network monitoring and intrusion detection solutions for Operational Technology networks.
Product vision, architecture and design.
Analysis of Industrial Control System network protocols and vulnerabilities.
Management of the product engineering team (20+ engineers).
Network security and operation analysis for customer production environments.
Coordinator of activities and tasks within national and international research projects.

Postdoc Researcher (part-time)

University of Twente

Jan 2011 – Sep 2016 Enschede (NL)

Responsibilities include:

Principal contributor of several national and EU successful research projects.
New EU project proposals
Supervision of PhD student
OT security research

IT Consultant

ValueTeam SpA

Apr 2005 – Aug 2006 Mestre (IT)

Technical and Architectural consulting, design of distributed architectures for accessing the telephone traffic data of Telecom Italia SpA.

IT Security Consultant

KPMG Italy SpA

Sep 2003 – Sep 2004 Treviso (IT)

Penetration Testing and IT Risk Assessment.

Projects

DEFRAUDify

Detect Fraudulent Activities in dark web and clear web to protect your business.

INTERSCT

Towards an Internet of Secure Things.

DEPICT

DEep Packet Intelligence for industrial ConTrol systems.

PREEMPTIVE

Preventive Methodology and Tools to Protect Utilities – CLOSED.

CRISALIS

CRitical Infrastructure Security AnaLysIS – CLOSED.

Featured Publications

Luis Salazar, Sebastian Castro, Juan Lozano, Keerthi Koneru, Emmanuele Zambon, Bing Huang, Ross Baldick, Marina Krotofil, Alonso Rojas, Alvaro Cardenas

January, 2024 In S&P 2024

A Tale of Two Industroyers: It was the Season of Darkness

In this paper, we study two pieces of malware that attempted to create blackouts in Ukraine. Our findings include new malware behavior not previously documented (such as the detailed algorithm for the MMS protocol payload) and an illustration of how attacking different targets will produce different effects.

Leon Kersten, Tom Mulders, Emmanuele Zambon, Chris Snijders, Luca Allodi

August, 2023 In SOUPS 2023

'Give Me Structure': Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center

In this work we collaborate with a commercial SOC to devise a 4-stage (network) process to support the collection and analysis of relevant information for threat analysis. We conduct an experiment with ten T1 analysts employed in the SOC and show that analysts following the proposed process are 2.5 times more likely to produce an accurate assessment than analysts who do not.

Ali Abbasi, Thorsten Holz, Emmanuele Zambon, Sandro Etalle

December, 2017 In ACSAC2017

ECFI: Asynchronous control flow integrity for programmable logic controllers

In this paper, we introduce a novel, PLC-compatible control-flow integrity (CFI) mechanism named ECFI to protect such devices from control-flow hijacking attacks. Our CFI approach is the first system for real-time PLCs and considers the runtime operation of the PLC as the highest priority.

Marco Caselli, Emmanuele Zambon, Johanna Amann, Robin Sommer, Frank Kargl

August, 2016 In USENIX Security 16

Specification Mining for Intrusion Detection in Networked Control Systems

This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules.

Dina Hadžiosmanović, Robin Sommer, Emmanuele Zambon, Pieter H. Hartel

December, 2014 In ACSAC2014

Through the eye of the PLC: semantic security monitoring for industrial processes

Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems. Specifically, current systems fail to detect recent process control attacks. In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity.

Ali Abbasi, Jos Wetzels, Wouter Bokslag, Emmanuele Zambon, Sandro Etalle

September, 2014 In RAID2014

On Emulation-Based Network Intrusion Detection Systems

In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

Dina Hadžiosmanović, Lorenzo Simionato, Damiano Bolzoni, Emmanuele Zambon, Sandro Etalle

September, 2012 In RAID2012

N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols

In this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.

Recent Publications

Luis Salazar, Sebastian Castro, Juan Lozano, Keerthi Koneru, Emmanuele Zambon, Bing Huang, Ross Baldick, Marina Krotofil, Alonso Rojas, Alvaro Cardenas (2024). A Tale of Two Industroyers: It was the Season of Darkness. In S&P 2024.

PDF Cite Project

Neil Ortiz, Martin Rosso, Emmanuele Zambon, Jerry den Hartog, Alvaro Cardenas (2024). From Power to Water: Dissecting SCADA Networks Across Different Critical Infrastructures. In PAM 2024.

PDF Cite Project

Stash Kempinski, Shuaib Ichaarine, Savio Sciancalepore, Emmanuele Zambon (2023). ICSvertase: A Framework for Purpose-based Design and Classification of ICS Honeypots. In ARES ‘23.

PDF Cite DOI

Leon Kersten, Tom Mulders, Emmanuele Zambon, Chris Snijders, Luca Allodi (2023). 'Give Me Structure': Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center. In SOUPS 2023.

PDF Cite

Forescout VedereLabs, Emmanuele Zambon (2022). Industroyer2 and INCONTROLLER - In-depth Technical Analysis of the Most Recent ICS-specific Malware. Forescout.

PDF Cite

See all publications

Teaching

Intrusion Detection Laboratory (2IMS40)

The goal of this course is to provide students with a platform to get in-depth, hands-on experience on all three of the building blocks of cyber security monitoring: network-based, host-based and log-based intrusion detection.

To do so, the course adopts a reverse classroom setup: the course starts by providing students with material covering practical and theoretical elements of security monitoring and additional material and pointers covering all three pillars, and their relationship. The students then form groups, and are able to choose one of the building blocks to explore in depth by developing a fully-fledged laboratory activity for the other students of the course to attend. The lab activities require the analysis of realistic threat scenarios and systems, with the goal of developing effective detection techniques accounting for the specificities of the proposed scenario.

The lab activities are run and coordinated, in class, by the very students that developed them. The development and delivery of these lab sessions in class is also the final examination of the course for the group of students handling it.

Syllabus.

For details contact me.

Contact

Download my PGP key. Fingerprint: AF58 B421 3E79 08FC 0ACE BE6D 3F45 80EA 5293 0E70.

‘’

e <dot> zambon <at> tue <dot> nl
+31 040 247 2853
P.O. Box 513, Eindhoven, Noord-Brabant 5600 MB
Enter the MetaForum (MF) building and take the elevator to the 6th Floor to Office 6.072
Tuesday 10:00 to 17:00
Thursday 10:00 to 17:00