M05 Industrial Control Systems Security
Rationale: Cyberattacks on critical infrastructure can have a debilitating effect on national economic security, public health, and safety. The underlying processes of the various critical infrastructure sectors are controlled by Industrial Control Systems (ICS). ICS are transitioning from legacy, electromechanical-based systems to modern information and communication technology-based systems, creating a close coupling between cyber and physical components. This transition greatly expands the attack surface of such systems, as cyberattacks targeting commercial-off-the-shelf hardware and software are well-known.
Abstract: This tutorial introduces basic and advanced topics on industrial control systems security. It starts with operational security, providing guidance on recognizing weaknesses in everyday operations and information that can be valuable to attackers. A comparative analysis between traditional information technology (IT) and control system architectures is also presented, along with security vulnerabilities and mitigation strategies unique to the control system domain. Current trends, threats, and vulnerabilities will be discussed, as well as attack and defense methodologies for ICS. Case studies on cyberattacks and defenses will be presented for two critical infrastructure sectors: the power grid and the chemical sector. The tutorial also discusses the need for an accurate assessment environment, achieved through the inclusion of Hardware-In-The-Loop testbeds.
Target audience: Academics and professionals who work or want to work on embedded systems security, and professionals working in critical infrastructure.
Topics to be covered:
- Introduction/terminology/historical events
- Operational security
- Differences between Information Technology and Operational Technology
- Current trends/threats/vulnerabilities
- Hardware-in-the-loop testbeds
- Attacks (with a focus on control-theoretic attacks)
- Mitigations (conventional and domain-specific, industrial/academic)
- Economic, computational challenges of mitigations
- Industrial protocols
- Known vulnerabilities of ICS
- Common attacks on ICS and the entry point of those attacks along with impact level
- General strategies for secure design of ICS
- Strategies for attack detection
- Testing strategies for security objectives
- Other aspects: Economic aspect of secure design, trade-off between a secure design and usability, maintenance of features
Why this tutorial: A lot of the embedded security work appearing in recent conferences makes unrealistic assumptions, has no practical applications, and fails to address the unique requirements of real-time critical systems. Also, the modernization of critical infrastructure alongside existing legacy systems is increasing the attack surface exposed to cyberattacks, so there is an urgent need for state-of-the-art security solutions for embedded systems.