Dagstuhl Seminar 14292
Network Attack Detection and Defense: Securing Industrial Control Systems for Critical Infrastructures
( Jul 13 – Jul 16, 2014 )
- Marc C. Dacier (Doha, QA)
- Frank Kargl (Universität Ulm, DE)
- Hartmut König (BTU Cottbus, DE)
- Alfonso Valdes (University of Illinois - Urbana Champaign, US)
- Annette Beyer (for administrative matters)
- Dagstuhl Manifesto : Network Attack Detection and Defense : Securing Industrial Control Systems for Critical Infrastructures : pp. 605-607 : article - Dacier, Marc C.; Kargl, Frank; König, Hartmut; Valdes, Alfonso - Berlin : Springer, 2014 - (Informatik Spektrum : 37. 2014, 6).
- Insights on the Security and Dependability of Industrial Control Systems : article : pp. 75-78 - Kargl, Frank; Heijden, Rens W. van der; König, Hartmut; Valdes, Alfonso; Dacier, Marc C. - Los Alamitos : IEEE, 2014 - (IEEE security and privacy : 12. 2014, 6).
The last years have highlighted the fact that security precautions of information and communication technology (ICT) in many critical infrastructures are clearly insufficient, especially if considering targeted attacks carried out by resourceful and motivated individuals or organizations. Critical infrastructures, such as energy or water provisioning, transportation, telecommunication, or health support are relying to an ever-larger extent on ICT, often being monitored or controlled in a semi or fully automated way. Disruption of these control processes may turn out to be disastrous, particularly as many of these systems are cyber-physical systems that interact with the real world through sensors and actuators and can thus have a direct influence on the physical world not mediated by the common sense of a human being. This is especially true for many industrial control systems (ICS) that control vital processes in many areas of industry.
Rendering ICT systems in industrial control systems unusable or malfunctioning can cause huge economic damages or even endanger human lives. The Stuxnet malware that actually damaged around 1000 Uranium enrichment centrifuges in the Iranian enrichment facility in Natanz (which was possibly its goal) is the most well-known examples reported 1. Many similar examples, where industrial control systems have been affected due to insufficient security precautions 2, have been published meanwhile. The proliferation of the sophisticated Stuxnet-like malware (e.g., Duqu, Flame, or Gauss) shows how imminent the threat is and how limited our detection and response countermeasures.
Increased efforts in research are required to protect industrial control systems. This is a consequence of the increasing shift of the industrial ICT to the IP protocol leading to sensible ICT infrastructures which are more vulnerable as the proprietary systems used in the past. A problem is that all malware available in open ICT systems suddenly also becomes available to attackers on industrial control systems and that a lot of known vulnerabilities become exploitable. On the pro side, many established security mechanisms like firewalls, intrusion detection systems, or operating system security mechanisms like malware scanners can be applied. However, you often need to specifically adjust them for the new domain (e.g., by having SCADA-specific signatures for an intrusion detection system). At the same time, the different (dependability) requirements and different applications in industrial control systems often require new or updated approaches, e.g., regarding security updating or security testing methodologies.
The main objective of the seminar will be to discuss new approaches and ideas for securing industrial control systems. The seminar is a merger of two previous Dagstuhl seminars that addressed these issues in the recent past: (1) the series of Dagstuhl seminars Network Attack Detection and Defense 2008 and 2012, and (2) the Dagstuhl seminar Securing Critical Infrastructures from Targeted Attacks held in 2012. In this seminar we want to consider appropriate methods for detecting attacks on industrial control systems and for limiting the impact on the physical components. This is closely coupled to the question if and how reactive security mechanisms can be made more ICS- and process-aware. To some extend it seems possible to adopt existing security approaches from other areas (e.g., conventional networks, embedded systems, sensor networks, robotics). The main question is whether adopting these approaches is enough to reach the desired security level in the specific domain of industrial control systems. Detecting attacks to the physical components and appropriate reactions are new aspects that need to be considered as well.
Specific questions to be addressed during the seminar may include:
- How can existing approaches for detection, reaction, and analysis be enhanced or better adapted for industrial control systems?
- How can reactive security mechanisms be made more system- and process-aware and how will this be leveraged for enhancing security?
- How can security systems be made more reactive, adaptive, and self-defending?
- How can the negative effects of successful attacks be contained?
- How can industrial control systems be made resilient to attack, and able to maintain critical (possibly degraded) function in the presence of attack?
- What are likely attack scenarios and how can one cope with targeted attacks that are by there very nature almost impossible to predict?
- How can technical solutions and organizational policies be aligned and enhanced in a consistent way?
- How do the approaches of academia and industry in addressing targeted attacks on industrial control systems differ?
The seminar will provide a forum for the exchange about ideas and approaches pursued in academic research and the demands and experience of industry practitioners.
- Critical infrastructure protection
- Detecting attacks on industrial control systems
- Security in SCADA networks
- Reaction to attacks on industrial control systems and damage containment
- Analyzing targeted attacks on industrial control systems
- Future attack scenarios and attacker models
- Design of attack resilient industrial control systems
- Sharing of information and return on experience related to past attacks against industrial control systems
From July 13--16, 2014, more than 30 researchers from the domain of critical infrastructure security met at Schloss Dagstuhl to discuss the current state of security in industrial control systems.
Recent years have highlighted the fact that security precautions of information and communication technology (ICT) in many critical infrastructures are clearly insufficient, especially if considering targeted attacks carried out by resourceful and motivated individuals or organizations. This is especially true for many industrial control systems (ICS) that control vital processes in many areas of industry that are relying to an ever-larger extent on ICT for monitoring and control in a semi or fully automated way. Causing ICT systems in industrial control systems to malfunction can cause huge economic damages or even endanger human lives. The Stuxnet malware that actually damaged around 1000 Uranium enrichment centrifuges in the Iranian enrichment facility in Natanz is the most well-known reported example of an ICT attack impacting ICS.
This situation led to increased efforts in research which also resulted in a number of Dagstuhl seminars related to this topic of which this seminar is a follow-up event, namely two Dagstuhl seminars on "Network Attack Detection and Defense" in 2008 and 2012 and one on "Securing Critical Infrastructures from Targeted Attacks" held in 2012. The main objective of our this latest seminar was to discuss new approaches and ideas on how to detect attacks on industrial control systems and how to limit the impact on the physical components. This is closely coupled to the question of whether and how reactive security mechanisms like Intrusion Detection Systems (IDS) can be made more ICS- and process-aware. To some extent it seems possible to adopt existing security approaches from other areas (e.g., conventional networks, embedded systems, or sensor networks) and one of the questions is whether adopting these approaches is enough to reach the desired security level in the specific domain of industrial control systems, or if approaches specifically tailored for ICS or even single installations provide additional benefits.
The seminar brought together junior and senior experts from both industry and academia, covering different scenarios including electrical grids, but also many other control systems like chemical plants and dike or train control systems. Apart from the detection and prevention of attacks by both security and safety mechanisms, there was an extensive discussion on whether or not such systems should be coupled more strongly from a security perspective. It was also argued that there exists a very diverse space of application domains, many of which have not yet been subject to much study by security researchers, for various reasons. Many of these discussions were triggered by plenary or short talks, covering topics from the state of the art in ICS security, forensics in ICS, security assessments, and the new application domain of flood management.
Apart from talks and subsequent discussions, a number of working groups were organized during the seminar, intended to address specific issues in the field. In total, there were four working groups, each of which provided a summary of their results included in this report. The first was on forensics, discussing how attacks can be detected and analyzed after the fact. A second working group addressed the issue of security and risk management, analyzing why existing IT security approaches do not work for ICS and discussing potential improvements. Industry 4.0 and the wide range of new and non-classical ICS use cases was the topic of a third working group, which discussed the new security challenges arising from these emerging research topics. Finally, there was a working group on the detection of cyber-physical attacks; a core question here were advantages and disadvantages of process-aware intrusion detection mechanisms. The group also discussed the interaction between intrusion detection, intrusion response, and security management.
Based on the talks, discussions and working groups, the Dagstuhl seminar was closed with a final plenary discussion which summarized again the results from the working groups and led to a compilation of a list of open issues that participants consider necessary to be addressed. Those issues partly overlap with the list of open issues identified in the seminar proposal but also uncovered many new challenges that may become highly relevant research topics and may lead to a new agenda for future research. Those issues are discussed at the end of this report.
- Ali Abbasi (University of Twente, NL) [dblp]
- Magnus Almgren (Chalmers UT - Göteborg, SE) [dblp]
- Nils Aschenbruck (Universität Osnabrück, DE) [dblp]
- Gunnar Björkman (ABB - Mannheim, DE) [dblp]
- Damiano Bolzoni (University of Twente, NL) [dblp]
- Alvaro Cárdenas Mora (University of Texas at Dallas, US) [dblp]
- Marco Caselli (University of Twente, NL) [dblp]
- Jorge R. Cuéllar (Siemens AG - München, DE) [dblp]
- Hervé Debar (Télécom & Management SudParis - Evry, FR) [dblp]
- Sven Dietrich (City University of New York, US) [dblp]
- Ulrich Flegel (Infineon Technologies - München, DE) [dblp]
- Dina Hadziosmanovic (TU Delft, NL) [dblp]
- Frank Kargl (Universität Ulm, DE) [dblp]
- Stefan Katzenbeisser (TU Darmstadt, DE) [dblp]
- Richard A. Kemmerer (University of California - Santa Barbara, US) [dblp]
- Stephan Kleber (Universität Ulm, DE) [dblp]
- Hartmut König (BTU Cottbus, DE) [dblp]
- Marina Krotofil (TU Hamburg-Harburg, DE) [dblp]
- Pavel Laskov (Universität Tübingen, DE) [dblp]
- Michael Meier (Universität Bonn, DE) [dblp]
- Simin Nadjm-Tehrani (Linköping University, SE) [dblp]
- Heiko Patzlaff (Siemens AG - München, DE)
- Andreas Paul (BTU Cottbus, DE) [dblp]
- Konrad Rieck (Universität Göttingen, DE) [dblp]
- Rene Rietz (BTU Cottbus, DE) [dblp]
- Robin Sommer (ICSI - Berkeley, US) [dblp]
- Radu State (University of Luxembourg, LU) [dblp]
- Jens Tölle (Fraunhofer FKIE - Wachtberg, DE) [dblp]
- Alfonso Valdes (University of Illinois - Urbana Champaign, US) [dblp]
- Rens van der Heijden (Universität Ulm, DE) [dblp]
- Alexander von Gernler (genua GmbH - Kirchheim bei München, DE) [dblp]
- Stephen Wolthusen (Royal Holloway University of London, GB & Gjovik University College, NO) [dblp]
- Emmanuele Zambon (SecurityMatters B.V. - Enschede, NL) [dblp]
- Dagstuhl Seminar 12502: Securing Critical Infrastructures from Targeted Attacks (2012-12-09 - 2012-12-12) (Details)
- Dagstuhl Seminar 16361: Network Attack Detection and Defense - Security Challenges and Opportunities of Software-Defined Networking (2016-09-04 - 2016-09-09) (Details)
- Dagstuhl Seminar 23431: Network Attack Detection and Defense – AI-Powered Threats and Responses (2023-10-22 - 2023-10-27) (Details)
- security / cryptology
- Intrusion Detection
- Critical Infrastructures
- Industrial Control Systems
- Vulnerability Analysis
- Malware Assessment
- Attack Response and Countermeasures