Emmanuele Zambon @ TU/e
Encryption in ICS networks: A blessing or a curse?
In this paper we take a critical look at the pros and cons of traffic encryption in ICS. We come to the conclusion that encrypting this kind of network traffic may actually reduce security and overall safety. As such, sensible versus non-sensible use of encryption needs to be carefully considered both in developing ICS standards and in developing ICS systems.
Davide Fauri, Bart de Wijs, Jerry den Hartog, Elisa Costante, Emmanuele Zambon, Sandro Etalle
Links: PDF, DOI
𝜇Shield: Configurable Code-Reuse Attacks Mitigation For Embedded Systems
In this paper, we present 𝜇Shield, a memory corruption exploitation mitigation system for embedded COTS binaries with configurable protection policies that do not rely on any hardware-specific feature. Our evaluation shows that 𝜇Shield provides its protection with a limited performance overhead.
Ali Abbasi, Jos Wetzels, Wouter Bokslag, Emmanuele Zambon, Sandro Etalle
Links: Code, DOI
Specification Mining for Intrusion Detection in Networked Control Systems
This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules.
Marco Caselli, Emmanuele Zambon, Johanna Amann, Robin Sommer, Frank Kargl
Links: PDF, Project, DOI
Modeling Message Sequences for Intrusion Detection in Industrial Control Systems
Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems.
Marco Caselli, Emmanuele Zambon, Jonathan Petit, Frank Kargl
Links: PDF, DOI
Sequence-aware Intrusion Detection in Industrial Control Systems
Our paper discusses a specific type of semantic attack involving “sequences of events”. Common network intrusion detection systems (NIDS) generally search for single, unusual or “not permitted” operations. In our case, rather than a malicious event, we show how a specific series of “permitted” operations can elude standard intrusion detection systems and still damage an infrastructure.
Marco Caselli, Emmanuele Zambon, Frank Kargl
Links: PDF, Project, DOI
Through the eye of the PLC: semantic security monitoring for industrial processes
Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems. Specifically, current systems fail to detect recent process control attacks. In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity.
Dina Hadžiosmanović, Robin Sommer, Emmanuele Zambon, Pieter H. Hartel
Links: PDF, Project, DOI
On Emulation-Based Network Intrusion Detection Systems
In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels of the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.
Ali Abbasi, Jos Wetzels, Wouter Bokslag, Emmanuele Zambon, Sandro Etalle
Links: DOI
On the Feasibility of Device Fingerprinting in Industrial Control Systems
In this paper we provide an overview of standard device fingerprinting techniques and an assessment of the feasibility of applying them in ICS infrastructures. We identify the challenges that fingerprinting has to face and the mechanisms to be used to obtain reliable results. Finally, we provide guidelines for implementing reliable ICS fingerprinters.
Marco Caselli, Dina Hadžiosmanović, Emmanuele Zambon, Frank Kargl
Links: PDF, DOI
N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols
In this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Our tests show that the analyzed systems, in the presence of data with high variability, cannot deliver high detection rates and low false positive rates at the same time.
Dina Hadžiosmanović, Lorenzo Simionato, Damiano Bolzoni, Emmanuele Zambon, Sandro Etalle
Links: PDF, Project, DOI
CRAC: Confidentiality risk assessment and IT-infrastructure comparison
CRAC is an IT-infrastructure-based method for assessing and comparing confidentiality risks of distributed IT systems. The method …
Ayşe Moralı, Emmanuele Zambon, Sandro Etalle, Roel Wieringa
Links: PDF, DOI