CPSIOTSEC'20: Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy

Full Citation in the ACM Digital Library

SESSION: Keynote

Session details: Keynote

Optimize Your Efforts: How to Tailor PhD Research to Real-World Needs - Industrial Perspective on Academic CPS/IoT Research

In industrial circles, academic research is frequently discussed as being disconnected from the real-world security problems and needs. Additionally, the critics highlight that academic research is largely driven by fashionable research topics/ideas and discourages bold innovative thinking. While admittedly this has been a relevant concern and pressing issue in the past, things are slowly changing. One can find more and more innovative and applied security research which makes it to the industrial conference stages and newspapers. Also, companies are closing Non-Disclosure Agreements (NDA) with the academic research groups to work on the security needs of their products and software. This talk will discuss current trends in the cyber security research ecosystem as well as provide suggestions on how to select and formulate real-world applied research problems. Firstly, we will cover the recent changes observed in industrial and academic research. We will argue that industrial research is increasingly becoming more commercial and thus less publicly available, whereas academic research groups are increasingly tackling real-world research topics and attack surface. We then discuss how to select research topics that are relevant to industrial needs and simultaneously offer academic research component. We will also cover successful academic writing and industrial presentation styles.

SESSION: Session 1: Session 1: CPS&IoT Security

Session details: Session 1: Session 1: CPS&IoT Security

Towards a High-Fidelity Network Emulation of IEC 104 SCADA Systems

With the rise of malware targeting industrial control systems, researchers need more tools to develop a better understanding of the networks under attack, the potential behavior of malware, and design possible defenses. One of the most important protocols used in practice today is IEC 104, which is used to monitor and control the Power Grid of several countries, as well as to monitor and control other critical infrastructures such as gas, oil, and water systems. In this paper we present our preliminary results in implementing the IEC 104 industrial protocol standard in Python and integrate it to a network emulation tool supported by Mininet.

Hazard Driven Threat Modelling for Cyber Physical Systems

Adversarial actors have shown their ability to infiltrate enterprise networks deployed around Cyber Physical Systems (CPSs) through social engineering, credential stealing and file-less infections. When inside, they can gain enough privileges to maliciously call legitimate APIs and apply unsafe control actions to degrade the system performance and undermine its safety. Our work lies at the intersection of security and safety, and aims to understand dependencies among security, reliability and safety in CPS/IoT. We present a methodology to perform hazard driven threat modelling and impact assessment in the context of CPSs. The process starts from the analysis of behavioural, functional and architectural models of the CPS. We then apply System Theoretic Process Analysis (STPA) on the functional model to highlight high-level abuse cases. We leverage a mapping between the architectural and the system theoretic(ST) models to enumerate those components whose impairment provides the attacker with enough privileges to tamper with or disrupt the data-flows. This enables us to find a causal connection between the attack surface (in the architectural model) and system level losses. We then link the behavioural and system theoretic representations of the CPS to quantify the impact of the attack. Using our methodology it is possible to compute a comprehensive attack graph of the known attack paths and to perform both a qualitative and quantitative impact assessment of the exploitation of vulnerabilities affecting target nodes. The framework and methodology are illustrated using a small scale example featuring a Communication Based Train Control (CBTC) system. Aspects regarding the scalability of our methodology and its application in real world scenarios are also considered. Finally, we discuss the possibility of using the results obtained to engineer both design time and real time defensive mechanisms.

A Statistical Analysis Framework for ICS Process Datasets

In recent years, several schemes have been proposed to detect anomalies and attacks on Cyber-Physical Systems (CPSs) such as Industrial Control Systems (ICSs). Based on the analysis of sensor data, unexpected or malicious behavior is detected. Those schemes often rely on (implicit) assumptions on temporally stable sensor data distributions and invariants between process values. Unfortunately, the proposed schemes often perform not optimally with Recall scores lower than 70% (e.g., missing 3 alarms every 10 anomalies) for some ICS datasets, with unclear root issues.

In this work, we propose a general framework to check whether a given ICS dataset has specific properties (stable sensor distributions in normal operations, potentially state-dependent), which then allows to determine whether certain Anomaly Detection approaches can be expected to perform well. We apply our framework to three datasets showing that the behavior of actuators and sensors are very different between Training set and Test set. In addition, we present high-level guides to consider when designing an Anomaly Detection System.

Towards Robust Power Grid Attack Protection using LightGBM with Concept Drift Detection and Retraining

In existing literature, various machine learning models have been applied to detect cyber attacks on the power grid. None of them, however, consider the degradation of the model over time due to the distributed and dynamic nature of the power system. At the same time, they also fail to recognize natural events, such as line maintenance, since they are based on binary classification (attack/no attack). In an effort to develop a cyber security protection strategy that will work robustly for an extended period of time, we develop a methodology based on the LightGBM framework, which performs well for a) Training for multi-class events (no attack/natural event/attack), and b) Fast, dynamic retraining with concept drift detection. We use an ensemble learning-based classifier for classifying the events generated through our Real Time Digital Simulatorwith commercial devices in a Hardware-in-The-Loop setup. The proposed novel classification model outperforms binary classifier-based approaches, resulting in an over 97% effectiveness with the inclusion of concept drift detection and retraining.

SESSION: Session 2: Real Case Studies and Demos

Session details: Session 2: Real Case Studies and Demos

A (in)Secure-by-Design IoT Protocol: the ESP Touch Protocol and a Case Study Analysis from the Real Market

The number of IoT devices designed and marketed in these last years is continuously growing. These smart things are more often managed through the cloud, therefore more and more devices are connected both to the customer's local networks and to the Internet. Among the several network pairing mechanisms designed for the IoT domain, we examined the Smart Config family of protocols, a clever technology that allows an IoT device to be associated with an existing WiFi network by receiving special packets from an already network-paired smartphone. We investigate the threats and the technical details behind the ESP Touch protocol, a Smart Config implementation developed by Espressif Systems for its ESP32/8266 family of chips. Additionally, we present a security analysis of the same protocol implemented by the ITEAD Sonoff smart switches (and also by many other ESP-based devices), that we conducted by reverse-engineering the eWeLink mobile companion application. In conclusion, we describe a vulnerability (published as CVE-2020-12702) we found in the Quick Pairing mode of the eWeLink SDK that leads to a full WiFi credential disclosure during the device pairing process.

Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures

Industrial Control Systems (ICS) are central to the operation of critical national infrastructure (CNI) such as oil and gas, water treatment, power generation and transport systems. Effective risk management to mitigate large-scale disruption to societies and economies depends on both timely information about vulnerabilities and the consistency of this information. The longer the vulnerabilities remain "in the wild" or a lack of consistency in vulnerability reporting, the greater the impact on CNI operators' ability to systematically understand and mitigate the risks. In this paper, we focus on vulnerabilities identified and reported in Siemens ICS devices, which hold the largest share of the market. We undertake an in-depth analysis of 207 CVEs, identifying the time over which vulnerabilities were 'in the wild' before being discovered and advisories issued, and examine issues with the correctness of CVE information. We find that, on average, a vulnerability is 'in the wild' for 5.3 years, and that many CVEs do not correctly reflect and state the affected devices as Common Platform Enumerations (CPEs). Based on our findings, we propose a set of guidelines to improve the reporting and consistency of ICS CVE information.

Privacy in the Mobile World: An Analysis of Bluetooth Scan Traces

Bluetooth-enabled smartphones, wearable devices, as well as consumer electronics devices, are pervasive nowadays. Due to the low power consumption of Bluetooth hardware, users often leave Bluetooth enabled on their personal devices all the time. We find that even though the devices themselves may be protected against unauthorized connections, neighboring Bluetooth signals may still leak personal information. More specifically, a malicious smartphone application can easily obtain permission to perform Bluetooth scanning and then build a temporal trace of the number of active Bluetooth devices in the vicinity of a user. By collecting and analyzing data from 49 smartphone users over two weeks, we found that traces from different devices have little overlap and can, therefore, be used to identify a device with high likelihood. Moreover, Bluetooth advertisements from nearby devices can reveal what products the user may own making her susceptible to targeted advertisements. By comparing Bluetooth traces from multiple devices, the adversary can learn a user's location even if she does not give explicit permission to share her location. We also analyzed a public Bluetooth dataset to find similarities and differences with the conclusions drawn from our dataset. Our dataset has been publicly released for the scientific community.

DEMO: Gone in 20 Seconds - Overview of a Password Vulnerability in Siemens HMIs

Industrial control systems (ICS) are the systems responsible for the control and operation of both critical national infrastructure (CNI), including oil and gas, water treatment and power generation, aswell as manufacturing processes. ICS are made up of many speciality devices, including programmable logic controllers (PLCs), remote telemetry units (RTUs) and human-machine interfaces (HMIs), with major manufacturers including Siemens, Allen Bradley, Honeywell, Schneider Electric and General Electric. These systems are often referred to as Operational Technology (OT). In ICS, safety is the number one concern, with devices designed to operate reliably for many years. The security of such devices was largely physical - they were designed to sit without an Internet connection behind locked doors. In modern times, however, this is not the case with devices regularly being connected to the Internet. Incidents such as the Stuxnet and Triton malware, which specifically target industrial systems, and legislation such as the European Network and Information Systems (NIS) directive have put the cyber security of industrial systems very much in the focus. As part of this, there are an increasing number of vulnerabilities being discovered, and eventually patched, in industrial devices.

Human machine interfaces (HMIs) primarily refer to a physical device which is designed to be installed in physical proximity to an industrial process. HMI screens are programmed to both provide a display of information relating to the physical process below and allow operators to provide inputs to the control system to control and manage physical processes. These screens can vary from a few inches in size up to 'full size' monitors, with modern devices usually featuring a touchscreen, and in some cases a set of physical inputs including buttons and knobs. Most ICS manufacturers produce some range of HMI screens, including Siemens who produce a wide range of these devices.

Some HMIs support remote access, which allows operators in a central location to access screens that human operators are unable to access. This provides obvious benefits, allowing engineers to correct issues remotely as well as monitor and control processes. Device manufacturers provide their own methods for this remote access. Communication is usually achieved over network connections, with most modern devices featuring an ethernet port and/or wireless connectivity. In the case of Siemens, the primary method is through the use of the VNC-based Sm@rtServer system available on most of their HMI range, which provides access through a Sm@rtClient application (available for PC, Android and iOS), as well as through third party VNC clients.

We discovered a vulnerability in Siemens HMI products that allows an attacker to be able to brute force the Sm@rtServer password. On basic devices, we find that there is no protection against brute forcing the Sm@rtServer, allowing for the use of existing online password cracking tools. We discover that on higher end devices, the Sm@rtServer employs a form of brute-force prevention, which we were able to evade allowing for slightly slower, but still overall successful, brute force attempts. Successfully guessing this password could in some cases grant an attacker full control over the HMI screen, and therefore control over the underlying process, causing a potentially dangerous, life threatening situation. Further, due toca limitation in the VNC protocol, passwords longer than 8 characters are truncated by the clients, which allows an attacker to successfully authenticate to the device with a longer password as long as the first 8 characters are correct, potentially aiding in the brute force attempt.

After disclosure to Siemens, this vulnerability has been assigned 2 CVEs - CVE-2020-15786 for the brute force issue and CVE-2020- 15787 for the password truncation issue, both addressed in Siemens Security Advisory (SSA) 524525.

A detailed technical report that supplements this demonstration is available on arXiv [1].

DEMO: Trustworthy Cyberphysical Energy Systems: Time-Delay Attacks in a Real-Time Co-Simulation Environment

In this work, we present the impact of time-delay attacks in cyberphysical energy systems. The evaluation is performed in a real-time co-simulation environment that captures the interdependency between the system's cyber and physical models.

SESSION: Session 3: CPS&IoT Robustness

Session details: Session 3: CPS&IoT Robustness

MAC-Layer Spoofing Detection and Prevention in IoT Systems: Randomized Moving Target Approach

MAC-layer spoofing, also known as identity spoofing, is recognized as a serious problem in many practical wireless systems. IoT systems are particularly vulnerable to this type of attack, as IoT devices (due to their various limitations) are often incapable of deploying advanced MAC-layer spoofing prevention and detection techniques - such as cryptographic authentication. Signal-level device fingerprinting is an approach to identity spoofing detection that is highly suitable for sensor-based IoT networks, but can be also utilized in many other types of wireless system. Unfortunately, the previous research works on signal-level device fingerprinting have been based on rather simplistic assumptions about both - the adversary's behavior as well as the operation of the defense system. The goal of our work was to examine the effectiveness of a novel system that combines signal-level device fingerprinting with the principles of Randomized Moving Target Defense (RMTD) when dealing with a very advanced adversary. The obtained results show that our RMTD-enhanced signal-level device fingerprinting technique exhibits far superior defense performance over the non-RMTD techniques previously discussed in the literature, and as such could be of great value for practical wireless systems subjected to identity spoofing attacks.

Skip to Secure: Securing Cyber-Physical Control Loops with Intentionally Skipped Executions

We consider the problem of provably securing a given control loop implementation in the presence of adversarial interventions on data exchange between plant and controller. Such interventions can be thwarted using continuously operating monitoring systems and also cryptographic techniques, both of which consume network and computational resources. We provide a principled approach for intentional skipping of control loop executions which may qualify as a useful control-theoretic countermeasure against stealthy attacks which violate message integrity and authenticity. As can be seen, such an approach helps in lowering the resource consumption caused by monitoring/cryptographic security measures.

Voice Command Fingerprinting with Locality Sensitive Hashes

Smart home speakers are deployed in millions of homes around the world. These speakers enable users to interact with other IoT devices in the household and provide voice assistance such as telling the weather and reminding appointments. Although smart home speakers facilitate many aspects of our life, security and privacy concerns should be analyzed and addressed. In this paper, we show that an attacker sniffing the network traffic of smart speakers can infer voice commands and compromise the privacy of users. Specifically, we propose a method that utilizes the network traffic of the speakers to fingerprint the voice commands of users without a need for extracting traffic features with machine learning algorithms. We evaluated the proposed method on traffic traces of 100 different voice commands on smart home speakers. Our approach correctly infers 42% of voice commands while machine learning models infer 22% to 34%. We also evaluated the effectiveness of the padding method recommended for preventing voice command fingerprinting and observed that the accuracy of proposed fingerprinting method drops down to 15% and accuracy of machine learning methods ranges from 6% to 15% with traffic padding.