Emmanuele Zambon @ TU/e
A Methodology to Measure the "Cost" of CPS Attacks: Not all CPS Networks are Created Equal
In this paper, we first define a notion of attack “cost” focusing on the required CPS-specific attacker knowledge. We then identify several context factors that may influence this cost and, finally, provide a methodology to analyze the relation between attack cost and CPS-context factors using past cyberattacks. To validate the methodology in a reproducible way, we apply it to publicly reported CPS incidents with physical impact. Though this constitutes only a small set of attacks, our methodology is able to find correlations between context factors and the attack cost, as well as significant differences in context factors between CPS domains.
Martin Rosso, Emmanuele Zambon, Luca Allodi, Jerry den Hartog
Attacking Operational Technology Without Specialized Knowledge: The Unspecialized OT Threat Actor Profile
In this paper, we profile a new threat actor, referred to as the unspecialized OT attacker, who performs targeted, OT-related cyber-attacks with at most basic generic knowledge. We show the relevance of this threat actor by identifying past OT-related cyber-attacks that match this threat actor profile's capabilities; we do so by mapping the types of tools used during these cyber-attacks and the knowledge required to use them. To further substantiate our analysis, we investigate readily available tools that can assist threat actors in performing OT-related cyber-attacks. The combination of our findings highlights the present-day lowered entry-level requirements to attack OT environments while limiting the scope of current assumptions.
Stash Kempinski, Savio Sciancalepore, Emmanuele Zambon, Luca Allodi
A Tale of Two Industroyers: It was the Season of Darkness
In this paper, we study two pieces of malware that attempted to create blackouts in Ukraine. Our findings include new malware behavior not previously documented (such as the detailed algorithm for the MMS protocol payload) and an illustration of how attacking different targets will produce different effects.
Luis Salazar, Sebastian Castro, Juan Lozano, Keerthi Koneru, Emmanuele Zambon, Bing Huang, Ross Baldick, Marina Krotofil, Alonso Rojas, Alvaro Cardenas
From Power to Water: Dissecting SCADA Networks Across Different Critical Infrastructures
This paper dissects operational SCADA networks of three essential services: power grids, gas distribution, and water treatment systems. Our analysis reveals some distinct and shared behaviors of these networks, shedding light on their operation and network configuration.
Neil Ortiz, Martin Rosso, Emmanuele Zambon, Jerry den Hartog, Alvaro Cardenas
ICSvertase: A Framework for Purpose-based Design and Classification of ICS Honeypots
In this paper we introduce ICSvertase, a novel framework allowing for structural reasoning about ICS honeypots. ICSvertase integrates several existing components from the ATT&CK for ICS and Engage frameworks provided by MITRE and extends them with novel elements. ICSvertase provides a novel approach to helping companies and users in several real-world use cases, such as choosing the most suitable existing ICS honeypot, designing new ICS honeypots, and classifying existing ones in a more fine-grained way. To show ICSvertase’s benefits, we provide examples for these real-world use cases and compare them to their traditional counterparts.
Stash Kempinski, Shuaib Ichaarine, Savio Sciancalepore, Emmanuele Zambon
'Give Me Structure': Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center
In this work we collaborate with a commercial SOC to devise a 4-stage (network) process to support the collection and analysis of relevant information for threat analysis. We conduct an experiment with ten T1 analysts employed in the SOC and show that analysts following the proposed process are 2.5 times more likely to produce an accurate assessment than analysts who do not.
Leon Kersten, Tom Mulders, Emmanuele Zambon, Chris Snijders, Luca Allodi
Characterizing Building Automation System Attacks and Attackers
In this work, we present the first collection of publicly disclosed security incidents involving Building Automation Systems (BAS). We then provide a qualitative study of attackers targeting BAS and unveil their main characteristics and differences from traditional CPS attackers. We learn that BAS attackers show a lower sophistication level and that most BAS attacks target the smart IoT components present in modern buildings. Further, access to the BAS is often not the attacker's final goal but "just" a means to achieve their actual goal. Lastly, we do not observe any advanced, state-sponsored BAS attacks, hinting that these play less of a role in BAS (compared to CPS).
Martino Tommasini, Martin Rosso, Emmanuele Zambon, Luca Allodi, Jerry den Hartog
You Can't Protect What You Don't Understand: Characterizing an Operational Gas SCADA Network
In this paper, we conduct the first openly available network measurement study of the SCADA network of an operational large-scale natural gas distribution network. With a total of 154 remote substations communicating through the SCADA system with a Control Room and over 98 days of observation, this is, to the best of our knowledge, the most extensive dataset of this kind analyzed to date.
Xi Qin, Martin Rosso, Alvaro A. Cardenas, Sandro Etalle, Jerry den Hartog, Emmanuele Zambon
ECFI: Asynchronous control flow integrity for programmable logic controllers
In this paper, we introduce a novel, PLC-compatible control-flow integrity (CFI) mechanism named ECFI to protect such devices from control-flow hijacking attacks. Our CFI approach is the first system for real-time PLCs and considers the runtime operation of the PLC as the highest priority.
Ali Abbasi, Thorsten Holz, Emmanuele Zambon, Sandro Etalle
Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control Exploitation
In this paper, we investigate the security implications of the PLC pin control system. In particular, we show how an attacker can tamper with the integrity and availability of PLC I/O by exploiting certain pin control operations and the lack of hardware interrupts associated with them.
Ali Abbasi, Majid Hashemi, Emmanuele Zambon, Sandro Etalle