Emmanuele Zambon @ TU/e
ICSvertase: A Framework for Purpose-based Design and Classification of ICS Honeypots
In this paper we introduce ICSvertase, a novel framework allowing for structural reasoning about ICS honeypots. ICSvertase integrates several existing components from the ATT&CK for ICS and Engage frameworks provided by MITRE and extends them with novel elements. ICSvertase provides a novel approach to helping companies and users in several real-world use cases, such as choosing the most suitable existing ICS honeypot, designing new ICS honeypots, and classifying existing ones in a more fine-grained way. To show ICSvertase’s benefits, we provide examples for these real-world use cases and compare them to their traditional counterparts.
Stash Kempinski, Shuaib Ichaarine, Savio Sciancalepore, Emmanuele Zambon
'Give Me Structure': Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center
In this work we collaborate with a commercial SOC to devise a 4-stage (network) process to support the collection and analysis of relevant information for threat analysis. We conduct an experiment with ten T1 analysts employed in the SOC and show that analysts following the proposed process are 2.5 times more likely to produce an accurate assessment than analysts who do not.
Leon Kersten, Tom Mulders, Emmanuele Zambon, Chris Snijders, Luca Allodi
Characterizing Building Automation System Attacks and Attackers
In this work, we present the first collection of publicly disclosed security incidents involving Building Automation Systems (BAS). We then provide a qualitative study of attackers targeting BAS and unveil their main characteristics and differences from traditional CPS attackers. We learn that BAS attackers show a lower sophistication level and that most BAS attacks target the smart IoT components present in modern buildings. Further, access to the BAS is often not the attacker’s final goal but “just” a means to achieve their actual goal. Lastly, we do not observe any advanced, state-sponsored BAS attacks, hinting that these play less of a role in BAS (compared to CPS).
Martino Tommasini, Martin Rosso, Emmanuele Zambon, Luca Allodi, Jerry den Hartog
You Can't Protect What You Don't Understand: Characterizing an Operational Gas SCADA Network
In this paper, we conduct the first openly available network measurement study of the SCADA network of an operational large-scale natural gas distribution network. With a total of 154 remote substations communicating through the SCADA system with a Control Room and over 98 days of observation, this is, to the best of our knowledge, the most extensive dataset of this kind analyzed to date.
Xi Qin, Martin Rosso, Alvaro A. Cardenas, Sandro Etalle, Jerry den Hartog, Emmanuele Zambon
ECFI: Asynchronous control flow integrity for programmable logic controllers
In this paper, we introduce a novel, PLC-compatible control-flow integrity (CFI) mechanism named ECFI to protect such devices from control-flow hijacking attacks. Our CFI approach is the first system for real-time PLCs and considers the runtime operation of the PLC as the highest priority.
Ali Abbasi, Thorsten Holz, Emmanuele Zambon, Sandro Etalle
Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control Exploitation
In this paper, we investigate the security implications of the PLC pin control system. In particular, we show how an attacker can tamper with the integrity and availability of PLC I/O by exploiting certain pin control operations and the lack of hardware interrupts associated with them.
Ali Abbasi, Majid Hashemi, Emmanuele Zambon, Sandro Etalle
Encryption in ICS networks: A blessing or a curse?
In this paper we take a critical look at the pros and cons of traffic encryption in ICS. We come to the conclusion that encrypting this kind of network traffic may actually result in a reduction of security and overall safety. As such, sensible versus non-sensible use of encryption needs to be carefully considered both in developing ICS standards and systems.
Davide Fauri, Bart de Wijs, Jerry den Hartog, Elisa Costante, Emmanuele Zambon, Sandro Etalle
𝜇Shield: Configurable Code-Reuse Attacks Mitigation For Embedded Systems
In this paper, we present 𝜇Shield, a memory corruption exploitation mitigation system for embedded COTS binaries with configurable protection policies that do not rely on any hardware-specific feature. Our evaluation shows that 𝜇Shield provides its protection with a limited performance overhead.
Ali Abbasi, Jos Wetzels, Wouter Bokslag, Emmanuele Zambon, Sandro Etalle
Specification Mining for Intrusion Detection in Networked Control Systems
This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules.
Marco Caselli, Emmanuele Zambon, Johanna Amann, Robin Sommer, Frank Kargl
Modeling Message Sequences for Intrusion Detection in Industrial Control Systems
Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems.
Marco Caselli, Emmanuele Zambon, Jonathan Petit, Frank Kargl