฀฀฀฀฀฀฀฀฀

1

Cyber-Physical Systems Security: Limitations, Issues and Future Trends Jean-Paul A. Yaacoub1, Ola Salman2, Hassan N. Noura1, Nesrine Kaaniche 3, Ali Chehab2, and Mohamad Malli1

1Arab Open University, Department of Computer Sciences, Beirut, Lebanon 2American University of Beirut, Electrical And Computer Engineering, Lebanon 3University of Sheffield, Department of Computer Science, United Kingdom

Abstract—Typically, Cyber-Physical Systems (CPS) involve CPS systems can sense the surrounding environment, with the various interconnected systems, which can monitor and manip- ability to adapt and control the physical world [5]. This is ulate real objects and processes. They are closely related to mainly attributed to their flexibility and capability to change Internet of Things (IoT) systems, except that CPS focuses on the interaction between physical, networking and computation the run-time of system(s) process(es) through the use of real- processes. Their integration with IoT led to a new CPS aspect, time computing [6]. In fact, CPS systems are being used the Internet of Cyber-Physical Things (IoCPT). The fast and in multiple domains (see Fig. 1), and embedded in different significant evolution of CPS affects various aspects in people’s systems such as power transmission systems, communication way of life and enables a wider range of services and applications systems, agricultural/ecological systems, military systems [7], including e-Health, smart homes, e-Commerce, etc. However, interconnecting the cyber and physical worlds gives rise to new [8], and autonomous systems (drones, robotics, autonomous dangerous security challenges. Consequently, CPS security has cars, etc.) [9], [10]. That, in addition to medical care domains attracted the attention of both researchers and industries. This to enhance the medical services [11]. Moreover, CPS can be paper surveys the main aspects of CPS and the corresponding used in supply chain management to enable echo-friendly, applications, technologies, and standards. Moreover, CPS security transient, cost efficient, and safe manufacturing process. vulnerabilities, threats and attacks are reviewed, while the key issues and challenges are identified. Additionally, the existing security measures are presented and analyzed while identifying A. Problem Formulation their main limitations. Finally, several suggestions and recom- mendations are proposed benefiting from the lessons learned Despite their numerous advantages, CPS systems are prone throughout this comprehensive review. to various cyber and/or physical security threats, attacks and challenges. This is due to their heterogeneous nature, their Keywords: Cyber-Physical Systems; Cyber-Security reliance on private and sensitive data, and their large scale Threats, Attacks and Issues; Cyber-Physical Vulnerabilities deployment. As such, intentional or accidental exposures of and Challenges; Security, Privacy and Forensics Solutions; these systems can result into catastrophic effects, which makes Security and Performance Analysis. it critical to put in place robust security measures. However, this could lead to unacceptable network overhead, especially I.INTRODUCTION in terms of latency. Also, zero-day vulnerabilities should be minimized with constant software, applications and operating Cyber Physical Systems (CPS) are designated as essential system updates. components of the Industrial Internet of Things (IIoT), and they are supposed to play a key role in Industry v4.0. CPS enables smart applications and services to operate accurately B. Related Work and in real-time. They are based on the integration of cyber Recently, several research works addressed the different and physical systems, which exchange various types of data security aspects of CPS: the different CPS security goals were and sensitive information in a real-time manner [1]. The listed and discussed in [12], [13], [14], [15]; maintaining CPS development of CPS is being carried out by researchers and security was presented in [16]; CPS security challenges and manufacturers alike [2]. Given that CPS and Industry v4.0 issues were presented in [17], [18]; some of the security issues offer a significant economic potential [3], the German gross were reviewed, including big data security [19], [20], IoT value will be boosted by a cumulative of 267 billion Euros storage issues [21], and Operating System vulnerabilities [22]; by 2025 upon the introduction of CPS into Industry v4.0 [4]. several security and privacy solutions using cryptographic algorithms and protocols were discussed in [23], [24]. How- A CPS is identified as a network of embedded systems ever, none of the existing works presented a comprehensive that interact with physical input and output. In other words, view of CPS security in terms of threats, vulnerabilities, and CPS consists of the combination of various interconnected attacks based on the targeted domain (cyber, physical, or systems with the ability to monitor and manipulate real IoT- hybrid). Hence, this paper presents a detailed overview of the related objects and processes. CPS includes three main central existing cyber, physical and hybrid attacks, and their security components: sensors, aggregators and actuators. Moreover, solutions including cryptographic and non-cryptographic ones. ฀฀฀฀฀฀฀฀฀

2

Moreover, for the first time, CPS forensics are discussed as E. Organization an essential requirement for the investigation of the causes of Aside from the introduction, this paper is divided into six CPS-related crimes and attacks. main sections as follows. Section II presents some background about CPS including their layers, components, and models. C. Motivation Section III discusses and details the key CPS threats, attacks and vulnerabilities in addition to listing and describing several CPS systems have been integrated into critical real-case CPS attacks, and the main persistent challenges and infrastructures (smart grid, industry, supply chain, healthcare, issues. Section V assesses and evaluates the risks associated military, agriculture, etc.), which makes them an attractive with CPS security attacks, especially in a qualitative risk target for security attacks for various purposes including assessment manner. Section V presents and analyzes the economical, criminal, military, espionage, political and main CPS security solutions including cryptographic, non- terrorism as well. Thus, any CPS vulnerability can be targeted cryptographic, and forensics ones. Section VI highlights the to conduct dangerous attacks against such systems. Different lessons learnt throughout this study. Section VII provides key security aspects can be targeted including confidentiality, suggestions and recommendations for a safe and secure CPS integrity, and availability. In order to enable the wide adoption environment. Section VIII concludes the presented work. and deployment of CPS systems and to leverage their benefits, it is essential to secure these systems from any possible II.CPS-BACKGROUND attack, internal or/and external, passive or active. In this section, we present the CPS architecture, its main layers and components, as well as the main CPS models. The main motivation of this work is to identify the main CPS security threats, vulnerabilities and attacks, and to dis- cuss the advantages and limitations of the existing security A. CPS Layers & Components solutions, with the aim to identify the requirements for a The architecture of CPS systems consists of different lay- secure, accurate, reliable, efficient and safe CPS environment. ers and components, which rely on different communication Moreover, the security solutions are analyzed in terms of the protocols and technologies to communicate among each other associated computational complexity. Note that CPS systems across the different layers. require innovative security solutions that can strike a good 1) CPS Layers: The CPS architecture consists of three balance between security level and system performance. main layers, the perception layer, transmission layer, and application layer, which are presented and described in Fig. 2. The analysis of the security issues at the various CPS layers D. Contributions is based on the work in [25]. In this work, we conduct a comprehensive overview and • Perception Layer: It is also known as either the recog- analysis of the different cyber-physical security aspects of nition or the sensing layer [26]. It includes equipment CPS. The contributions entail the following: such as sensors, actuators, aggregators, Radio-Frequency • General Background about CPS including their main IDentification (RFID) tags, Global Positioning Systems layers, components and model types. (GPS) along with various other devices. These devices • Cyber-Physical Attacks are presented in relation to the collect real-time data in order to monitor, track and targeted cyber and/or physical system/device, and the interpret the physical world [27]. Examples of such col- corresponding vulnerabilities of each such domain. lected data include electrical consumption, heat, location, • Risk Assessment: a qualitative risk assessment method chemistry, and biology, in addition to sound and light is presented to evaluate the risk and exposure levels signals [28], depending on the sensors’ type [29]. These for each CPS system, while proposing suitable security sensors generate real-time data within wide and local countermeasures. network domains, before being aggregated and analyzed • Security Measures and their limitations are discussed by the application layer. Moreover, securing actuators de- and analyzed, including recent cryptographic and non- pends on authorized sources to ensure that both feedback cryptographic solutions. and control commands are error-free and protected [30]. • Forensics solutions are also presented and discussed Generally, increasing the security level requires an end- about securely extracting evidence and thus, to improve to-end encryption scheme at each layer [31]. Therefore, forensics investigations. heavyweight computations and large memory require- • Lessons: various lessons are learnt throughout this survey ments would be introduced [32]. In this context, there including how to protect real-time data/information com- is a need for the design of efficient and lightweight munication among resource-constrained CPS devices, and security protocols, which take into consideration the how to achieve protection of CPS security goals such as devices capabilities and the security requirements. confidentiality, integrity, availability and authentication. • Transmission Layer: It is also known as the trans- • Suggestions & Recommendations are presented about port layer or network layer, and it is the second CPS how to mitigate and overcome various cyber, physical layer [29]. This layer interchanges and processes data and hybrid threats, vulnerabilities, attacks, challenges and between the perception and application layers. Data trans- issues for a safe CPS environment. mission and interaction is achieved through the Internet ฀฀฀฀฀฀฀฀฀

3

Fig. 1: CPS Description & Classification

using Local Area Networks (LANs) and communication computing, middleware, and data mining algorithms are protocols including Bluetooth, 4G and 5G, InfraRed used to manage the data at this layer [41]. Protecting and (IR) and ZigBee, Wi-Fi, Long Term Evolution (LTE), preserving privacy requires protecting private data from along with other technologies. For this purpose, various being leaked. The most known protective approaches protocols are used to address the increase in the num- include anonymization, data masking (camouflage) [42], ber of internet-connected devices, such as the Internet [43], privacy-preserving, and secret sharing [31]. More- Protocol version 6 (IPv6) [33]. This layer also ensures over, this layer also requires a strong multi-factor au- data routing and transmission using cloud computing thentication process to prevent unauthorised access and platforms, routing devices, switching and internet Gate- escalation of privilege [44]. Due to the increase in the ways, firewalls and Intrusion Detection/Prevention Sys- number of Internet-connected devices, the size of the gen- tems (IDS/IPS) [34], [35]. Before outsourcing data con- erated data has become a significant issue [21]. Therefore, tents, it is essential to secure their transmission to prevent securing big data calls for efficient protection techniques intrusions and malicious attacks including malware, ma- to process huge amounts of data in a timely and efficient licious code injection [36], Denial of Service/Distributed manner [45]. Denial of Service (DoS/DDoS), eavesdropping, and unau- 2) CPS Components: CPS components are used for sensing thorised access attacks [37]. This introduces a challenge, information [5], or for controlling signals (Fig. 3). In this re- especially for resource-constrained devices due to the gard, CPS components are classified into two main categories: imposed overhead in terms of the required processing and Sensing Components (SC) that collect and sense information, power resources [38]. and Controlling Components (CC) that monitor and control • Application Layer: It is the third and most interactive signals. layer. It processes the received information from the • Sensing Components: are primarily located at the data transmission layer and issues commands, which perception layer and consist of sensors that collect are executed by the physical units including sensors data/information and forward them to aggregators. Then, and actuators [39]. This is done by implementing com- this data/information is sent to the actuators for further plex decision-making algorithms based on the aggregated analysis to ensure accurate decision making. In the fol- data [40]. Moreover, this layer receives and processes lowing, we list the main CPS sensing components. information from the perception layer before determining – Sensors: collect and record real-world data following the rightly invoked automated actions [29]. In fact, cloud a correlation process named "calibration", to assess ฀฀฀฀฀฀฀฀฀

4 ฀฀฀฀฀฀฀฀฀

5

Fig. 3: Infrastructure of CPS

the correctness of the collected data [46]. Sensing nology (OT/IT) [48], Control Loop/Server [49], and data is essential since the decisions that will be made Human-Machine Interface (HMI)/Graphical User Inter- are based on the analysis of this data. face (GUI) [50]) has become highly essential. Next, we – Aggregators: are primarily located at the transmis- list the different types of control systems that are used in sion layer (i.e routers, switches and gateways) to CPS systems: process the received data/information from sensors, • Programmable Logic Controllers (PLC): were initially before issuing the corresponding decision(s). In fact, developed to replace hard-wired relays, and are consid- data aggregation is based on the collected informa- ered as industrial digital computers that control the man- tion about a specific target, where this information ufacturing processes such as robotic devices performance is gathered and summarized following a statistical and/or fault diagnosis processing; hence achieving better analysis. Online Analytical Processing (OLAP) is a flexibility and resiliency. prime data aggregation type used as an online re- • Distributed Control Systems (DCS): are computerized porting mechanism for processing information [46]. control systems that allow the autonomous controllers’ distribution throughout the system using a central op- – Actuators: are located at the application layer to erator supervisory control. As a result of the remote make the information visible to the surrounding envi- monitoring and supervision process, the DCS’s reliability ronment based on the decisions made by the aggrega- is increased, whilst its installation cost is reduced. In tors. Since actuators highly depend on other network some cases, DCS can be similar to Supervisory Control nodes, then each action performed by the CPS relies and Data Acquisition (SCADA) systems. on an earlier data aggregation sequence [5]. Also • Remote Terminal Units (RTU): or “Remote Telemetry in terms of operations, actuators process electrical Unit” [51], are electronic devices controlled by a micro- signals as input and generate physical actions as processor such as the Master Terminal Unit (MTU) [52]. output [46]. Unlike the PLC, they do not support any control loop nor control algorithm(s). Thus, making them more suitable • Controlling Components: are used to control Signals for wireless communications over wider geographical and they play a key role in signal control, monitoring telemetry areas. RTU’s main task is to interface SCADA and management to achieve higher levels of accuracy and to the physical object(s) using a supervisory messaging protection against malicious attacks or accidents, mainly system that controls these objects through the system’s signal jamming, noise and interference. As a result, transmission of telemetry data. the reliance on Programmable Logic Controllers (PLCs) and Distributed Control System (DCSs) along with their In fact, both RTUs and PLCs use a small computerized components (i.e Programmable Automation Controller “artificial brain” (Central Processing Unit (CPU)) to process (PAC) [47], Operational Technology/Information Tech- inputs and outputs from sensing devices and pumping equip- ฀฀฀฀฀฀฀฀฀

6

ment [53]; hence using IEDs (Intelligent Electronic Devices) a real-time hybrid authentication method [64], while a to transmit data flow or trigger an alarm in case of any configurable real-time hybrid structural testing for CPS intrusion. TABLE I presents a comparison of the common was presented by Tidwell et al. in [65]. Finally, an event points and differences between PLCs and RTUs. Concerning driven monitoring of CPS based on hybrid automata was the relation between components and layers, it can be seen presented by Jianhui in [66]. that sensing components are mainly deployed at the perception and transmission layers, while the controlling components are III.CPSVULNERABILITIES,THREATS,ATTACKS & deployed at the application layer. FAILURES In a similar manner to most networking systems, security B. CPS Model Types services were not incorporated into CPS systems by design, CPS models can be divided into three main types: leaving the door open for various vulnerabilities and threats to be leveraged by attackers to launch security attacks. This • Timed Actor CPS: This model focuses on the functional aspects based on behaviour and correctness, along with is also due to the heterogeneous nature of CPS devices since the non-functional aspects that are based on performance they operate in different IoT domains and communicate using and timing. A theory was introduced in [54] with a different technologies and protocols. functional and classical refinement that restricts certain behaviour set, improving efficiency while reducing com- A. CPS Security Threats plexity. The main focus is on the refinement based on CPS security threats can be classified as cyber or physical the “earlier-the-better” principle since it offers the ability threats, as explained below, and if combined, these can result to identify deterministic abstractions of non-deterministic into cyber-physical threats. systems [55]. In fact, these time-deterministic models are 1) Cyber Threats: The main attention on Industrial IoT less prone to state explosion problems, with the ability to security was highly focused on cyber threats rather than derive analytical bounds easier [56]. physical threats for many reasons, as cited in [18]. This • Event-Based CPS: In such models, an event must be includes the electrical grid evolution into an Advanced sensed and detected by the proper CPS components, Metering Infrastructure (AMI), which resulted into the before the actuation decisions are made. However, indi- rise of newly unknown cyber threats aside from SCADA vidual component timing constraints vary depending on vulnerabilities [67], [68], [69]. Electronic attacks are now the non-deterministic system delay, which is caused by easier to launch from any device, unlike physical attacks the different CPS actions including sensing, actuating, that require physical presence and physical tools. Moreover, communication and computing [57]. In [58], Hu et al. the smart meter interfacing and interconnection with other stated that time constraints can be handled through the meters in the Near-me Area Network (NAN) and Home use of an event-based approach, which uses CPS events Area Network (HAN) increase its exposure to various remote to ensure the system’s communication, computation, and threats. Finally, electronic attacks are difficult to mitigate control processes. This allows the CPS to be more suit- and overcome in the absence of the right prevention and able and more useful for spatio-temporal information. defensive countermeasures. For further details on cyber threat • Lattice-Based Event Model In [59], the CPS events are intelligence, a brief survey of CPS security approaches was represented according to the event type, along with the presented in [14]. For further information about cyber security internal and external event attributes. If these events are threats, more details can be found in [70], [71]. combined, they can be used to define a spatio-temporal property of any given event, while also identifying all the Since cyber security is not limited to a single aspect, it can components that were observing the event. be considered from different perspectives, such as: • Hybrid-Based CPS Model Hybrid CPS systems are • heterogeneous systems that are made up of two distinct Centring Information: which requires protecting the interactive system types, continuous state (physical dy- data flow during the storage phase, transmission phase, namic systems) and discrete-state (discrete computing and even the processing phase. • systems) [60], [61]. Both development and evolution Oriented Function: which requires integrating the cyber- depend on the response of discrete transient events physical components in the overall CPS. • represented by finite state machines, and the the dy- Oriented Threat: which impacts data confidentiality, namic behaviour represented by differential/difference integrity, availability, and accountability [70]. equation(s) [62]. Unlike other CPS models, hybrid CPS The above issues make CPS systems prone to: is interconnected via a network, which makes it prone to • Wireless Exploitation: It requires knowledge of the delays. Moreover, hybrid CPS systems do not support any system’s structure and thus, exploiting its wireless ca- hierarchical modeling, and are not suitable for modeling pabilities to gain remote access or control over a system concurrent systems. Hence, hybrid systems modeling or possibly disrupt the system’s operations. This causes challenges caused by CPS were discussed by Benveniste collision and/or loss of control [72]. et al. in [63]. In fact, CPS system network latency • Jamming: In this case, attackers usually aim at changing issues were addressed and solved by Kumar et al. using the device’s state and the expected operations to cause ฀฀฀฀฀฀฀฀฀

7

TABLE I: PLC Vs. RTU PLC (Programmable Logic Controller) RTU (Remote Terminal/Telemetry Units) Sold with RTU like features Sold with PLC-like features Digital computers designed for output arrangements and multiple inputs Electronic device controlled by a microprocessor Automates electro-mechanical processes Interfaces SCADA physical objects Physical media with process, relays, motion control and networking Uses supervisory system messages to control objects Does support control loops and algorithms Does not support control loops and algorithms Immune to electrical noise, resistant to vibration Low to null immunity against electrical noise and vibration Suitable for local geographical areas Suitable for wider geographical telemetry areas Mainly IEC Standards Wired/Wireless Communications

damage by launching waves of de-authentication or wire- are well protected. This is due to the fact that these less jamming signals, which would result into denial of stations are well-manned and well-guarded based on device and system services [73]. the implementation of access controls, authorisation and • Reconnaissance: An example of such a threat is where authentication mechanisms such as usernames and pass- intelligence agencies continuously perform operations tar- words, access cards, biometrics and video surveillance. geting a nation’s Computational Intelligence (CI) and In- However, the main concern is related to the less protected dustrial Control System (ICS) mainly through a malware power-generating sub-stations since transmission lines are spread [74]. This results in violating data confidentiality vulnerable to sabotage attacks and disruption. In fact, due to the limitation of traditional defenses [75], [76]. smart meters are also vulnerable to a number of threats as • Remote Access: This is mainly done by trying to gain explained in [83]. To address this problem, smart meters remote access to the CPS infrastructure, for example, must be tamper-resistant by relying on outage detection causing disturbances, financial losses, blackouts, as well or even host-based intrusion detection. However, it is as industrial data theft and industrial espionage [77]. almost impossible to prevent physical tampering or theft Moreover, Havex Trojans are among the most dangerous by adversaries (such as Advanced Persistent Threats malware against ICSs, as they can be weaponized and (APTs)), except that it is possible to mitigate the risk used as part of cyber-warfare campaign management and reduce its impact. against a nation’s CPS [78]. • Loss: the most worrying scenario is having more than a • Disclosure of Information: Hackers can disclose any single substation failure caused by a malicious attacker. In private/personal information through the interception of case of a severe damage in the smart grid, a total black- communication traffic using wireless hacking tools [16], out of major metropolitan areas may occur for several violating both privacy and confidentiality [79]. hours [84]. A real-case scenario includes the cascading • Unauthorised Access: Attackers try to gain an unautho- blackout that managed to hit the U.S. on August 14th, rized access through either a logical or physical network 2003 [85], caused by the People Liberation Army (PLA), breach and to retrieve important data, leading to a privacy which is a Chinese politically-motivated group [86]. breach [80]. • Repair: it can be based on a self-healing process [87], • Interception: Hackers can intercept private conversa- which is based on the ability to either sense faults or tions through the exploitation of already existing or new disruptions, whilst isolating the problem and sending vulnerabilities leading to another type of privacy and alerts to the corresponding control system to automati- confidentiality breach [72]. cally reconfigure the back-up resources in order to con- • GPS Exploitation: Hackers can track a device or even a tinuously provide the necessary service. The aim is to car by exploiting (GPS) navigation systems, resulting in ensure a fast recovery in as short of a time as possible. a location privacy violation [81], [72]. However, critical components do suffer from either a lack • Information Gathering: software manufacturers or a limited backup capability. Therefore, self-healing can covertly gather files and audit logs stored on any given respond faster to a severe damage. device in order to sell this huge amount of personal Some of the threats associated with CPS systems include: information for marketing and commercial purposes in an illegal manner. • Spoofing: it consists of masquerading the identity of a trusted entity by a malicious unknown source. In this 2) Physical Threats: CPS systems are recently evolving case, attackers are capable of spoofing sensors, for ex- into the industrial domain by introducing an Advanced Meter- ample, by sending misleading and/or false measurements ing Infrastructure (AMI), and Neighbourhood Area Networks to the control center. (NANs), along with data meter management systems to main- • Sabotage: Sabotage consists of intercepting the legal tain the robustness of CPS in industrial domains [82]. In fact, communication traffic and redirecting it to malicious physical threats might be classified according to the following third party or disrupting the communication process. For three factors: example, attackers can sabotage physically exposed CPS • Physical Damage: since different facility types im- components across the power grid, to cause a service plement different levels of protection, power-generating disruption or even denial of service that leads to either stations (E.g power grid, power plants, base stations) total or partial blackout. ฀฀฀฀฀฀฀฀฀

8

• Service Disruption or Denial: Attackers are capable of • Bad Practice: is primarily related to a bad coding/weak physically tampering with any device to disrupt a service skills that lead to the code to execute infinite loops, or to or to change the configuration. This has serious effects, become too easy to be modified by a given attacker. especially in the case of medical applications. • Spying: CPS systems are also prone to • Tracking: Since devices are physically exposed, an at- spying/surveillance attacks, mainly by using spyware tacker can gain access to a given device, and/or even (malware) types that gain a stealthy access and attach a malicious device or track the legal ones. remain undetected for years with the main task to In the following, we present the main CPS vulnerabilities eavesdrop, steal and gather sensitive/confidential data that can be targeted by the above-mentioned threats. and information. • Homogeneity: similar cyber-physical system types suffer B. CPS Vulnerabilities from the same vulnerabilities, which once exploited, can affect all the devices within their vicinity, a prime A vulnerability is identified as a security gap that can be example is the Stuxnet worm attack on Iranian nuclear exploited for industrial espionage purposes (reconnaissance or power plants [94]. active attacks). Hence, a vulnerability assessment includes the • Suspicious Employees: can intentionally or inadvertently identification and analysis of the available CPS weaknesses, damage or harm CPS devices, by sabotaging and modi- while also identifying appropriate corrective and preventive fying the coding language, or granting remote access to actions to reduce, mitigate or even eliminate any vulnerabil- hackers through the opening of closed ports or plugging ity [88]. in an infected USB/device. In fact, CPS vulnerabilities are divided into three main Thus, CPS vulnerabilities can be of three types, including categories: cyber, physical, and when combined, they result into a cyber- • Network Vulnerabilities: include weaknesses of the physical threat. protective security measures, in addition to compro- 1) Cyber Vulnerabilities: Since ICS heavily relies on open mising open wired/wireless communication and connec- standard protocols including Inter-Control Center Commu- tions, including man-in-the-middle, eavesdropping, re- nications Protocol (ICCP) [95] and Transmission Control play, sniffing, spoofing and communication-stack (net- Protocol/Internet Protocol (TCP/IP) [96], ICS applications work/transport/application layer) [89], back-doors [90], are prone to security attacks. In fact, ICCP suffers from a DoS/DDoS and packet manipulation attacks [91]. critical buffer overflow vulnerability [89] and also lacks the • Platform Vulnerabilities: include hardware, software, basic security measures [97]. In fact, the Remote Procedure configuration, and database vulnerabilities [36]. Call (RPC) protocol [98] and ICSs are prone to various • Management Vulnerabilities: include lack of security vulnerabilities including the Stuxnet (1 & 2) [99], [100], [101] guidelines, procedures and policies. and Duqu malware (1.0, 1.5 & 2.0) attack types [102], [103], Vulnerabilities occur due to many reasons. However, there [104], Gauss malware [105], [106], [102], and RED October are three main causes of vulnerabilities: malware [107], [108], as well as Shamoon Malware (1, 2 & • Assumption and Isolation: It is based on the “security 3) [109], [110], [111], Mahdi malware [112], [113], [114], and by obscurity” trend in most CPS designs. Therefore, the Slammer Worm [115]. focus here is to design a reliable and safe system, taking Open/Non-secure wired/wireless communications such as into consideration the implementation of necessary secu- Ethernet are vulnerable to interception, sniffing, eavesdrop- rity services, without assuming that systems are isolated ping, wiretapping and wardialing and wardriving attacks [116], from the outside world. [117], [118] and meet-in-the-middle attacks [119]. Short-range • Increasing Connectivity: More connectivity increases wireless communications are also vulnerable, since they can the attack surfaces. Since CPS systems are more con- be captured, analysed, damaged, deleted or even manipulated nected nowadays, manufacturers have improved CPS by insiders [120]. Moreover, employees’ connected devices through the implementation and usage of open networks to ICS wireless network, if not secure, are prone to botnet, and open wireless technologies. Most ICS attacks were remote access Trojan and rootkit attacks, where their devices based on internal attacks up until 2001. This was before will be remotely controlled by an attacker [121]. Long-range utilizing the internet which shifted attacks to external wireless communications are vulnerable to eavesdropping, ones [92]. replay attacks, and unauthorized access attacks. Yet, SQL • Heterogeneity: CPS systems include heterogeneous third injection remains the most Web-related vulnerability since party components which are integrated to build CPS attackers can access any server database without authorization applications. This has resulted in CPS becoming a multi- through the injection of a malicious code that keeps on running vendor system, where each product is prone to different endlessly once executed without the user’s knowledge [122]. security problems [93]. Since many medical devices heavily rely on wireless com- • USB Usage: this is a main cause of CPS vulnerabilities, munications, they are prone to a large number of wireless such as the case of the Stuxnet attack that targeted Iranian attacks including jamming, modification and replay attacks power plants, since the malware is inside the USB. Upon due to the lack of encryption. Moreover, GPS and the device’s plugging it, the malware spread across several devices microphone are now becoming a tracking tool, allowing the through exploitation and replication. identification of the target’s location, or intercepting the in-car ฀฀฀฀฀฀฀฀฀

9

conversations through eavesdropping [13]. of physical components is exposed without physical secu- By default, ICS relies on Modbus and DNP3 protocols to rity, making them prone to physical destruction. Therefore, monitor and send control commands to sensors and actuators. in [136], Mo et al. stressed on detection and prevention In [16], Humayed et al. stated that the Modbus protocol lacks solutions. In [16], Humayed et al. stated that medical devices basic security measures such as encryption, authentication are vulnerable to physical access along with the possibility of and authorization. This has made it prone to eavesdropping, installing malware into them, or even modifying the device’s wiretapping, and port-scan [123], with the risk of the controller configurations, risking the patient’s health. Moreover, a phys- being spoofed through false data injection [124]. The DNP3 ical access to any medical device is also a vulnerability since protocol is also prone to the same vulnerabilities and attacks, an attacker can retrieve the device’s serial number to launch with one main difference which is the integration of Cyclic targeted attacks [131]. Redundancy Check (CRC) as an integrity measure [125]. As listed above, CPS systems suffer from various vulnera- Moreover, Windows Server Services were vulnerable to re- bilities making them prone to different types of attacks, which mote code execution [99], with more attacks being achieved are discussed next. through the exploitation of buffer overflow vulnerabilities in any running Operating System (OS). C. Cyber-Physical System Attacks Moreover, power system infrastructure of smart grids is In this section, we present the different types of attacks that prone to the same vulnerabilities as ICS, Modbus and DNP3, target the different aspects of CPS systems, including cyber since they are based on the same protocols. As a result, and physical ones: IEC 61850 protocol was introduced in substations’ com- 1) Physical Attacks: Physical attacks were more active in munications, which lack security properties and are prone past years, especially against industrial CPS systems [137], to eavesdropping attacks. Therefore, leading to interference [138]. Many of these attacks were already presented in [139]. attacks [126], or false information injection attacks [127]. Nonetheless, this paper presents a broader range of physical In [128], Santamarta et al. analysed the available documen- attack types: tation of smart meters, and located a “factory login” account • Infected Items: this includes infected CDs, USBs, used to perform basic configurations. This gives the user full devices and drives such as the case of the Stuxnet control over a smart meter and leads to power disruption, worm [140], which upon their insertion into a cyber- wrong decision making and targeting neighbouring smart physical device, a covert malware is installed containing meters within the same network. In addition, many devices a malicious software. are prone to battery exhausting attacks [73]. • Abuse of Privilege: this attack occurs when rogue or Gollakota et al. [129] and Halperin et al. [130] exploited unsatisfied employees access the server rooms and instal- the Implantable Cardioverter Defibrillator (ICD) wireless vul- lation areas within the CPS domain. This allows them to nerabilities through injection attacks. The authors also showed insert a rogue USB for infection through the installation that Smart cars are vulnerable to various attack types. In [131], of malicious malware/code or as keystroke, or to capture Radcliffe, revealed another vulnerability with Continuous Glu- confidential data. cose Monitoring (CGM) devices being vulnerable to replay • Wire Cuts/Taps/Dialing: since communication lines in- attacks. The CGM device was spoofed with the injection of cluding telephony and Wi-Fi of many cyber-physical incorrect values. This is due to the fact that security considera- headquarters (HQs) are still physically visible, attackers tions were not made when the smart cars were designed [132]. can cut the wires or wiretap into them to intercept the In fact, the Controller Area Network (CAN) protocol suffers communicated data [117]. from many vulnerabilities, which if exploited could result in • Fake Identity: this attack occurs when attackers mas- attacks against smart cars. This will increase the likelihood of a querade themselves as legitimate employees, with enough DoS attack [133]. A Tire-Pressure Monitoring System (TPMS) experience to fool the others. They mainly act as cleaners is also vulnerable to eavesdropping and spoofing due to the to gain an easier access and better interaction with lack of encryption [134]. In addition, Adaptive Cruise Control other employees. A prime example of that is Australia’s (ACC), which forms a part of the CAN network can be directly Maroochy Water Breach in 2000 [141]. exploited [13]. In fact, a well-equipped attacker is able to • Stalkers: these are usually legal employees who act interrupt ACC sensors’ operations by adding noise or spoofing. curious (with malicious intents) by being on the shoulder Thus, controlling the car by either reducing, increasing its of CPS administrators and engineers to acquire their speed or even causing collisions. credentials to blackmail or sell them to other competing 2) Physical Vulnerabilities: Physical tampering may result CPS organisations. into misleading data in cyber-physical components. In fact, • CCTV Camera Interception: this includes intercepting physical attacks with cyber impact were studied in [135]. the footage of Closed-circuit television cameras that are The physical exposure of ICS components is classified as a securing entry and key points within CPS areas. This can vulnerability due to the insufficient physical security provided be done by distorting the signals of cameras, cutting off to these components. Thus, making them prone to physical the communication wires, deleting the footage, gaining tampering, alteration, modification or even sabotage. CPS field access to the remote control and monitoring area, etc., devices (i.e smart grids, power grids, supply chains etc.) are before performing a physical attack in an undetected prone to the same ICS vulnerabilities since a large number manner. ฀฀฀฀฀฀฀฀฀

10

• Key-Card Hijacking: this includes cloning legitimate countries like Lebanon [158], [159]. cards that are stolen from employees, or creating look- 2) Cyber Attacks: In recent years, there was a rise in alike genuine copies to gain full/partial access and to the rate of cyber-attacks targeting CPS and IoCPT with very compromise the CPS domain. devastating consequences. According to current studies carried • Physical Breach: this attack requires gaining an illegal out by [160], [161], CPS is highly prone to malicious code physical access to the system, mainly through a physical injection attacks [162] and code-reuse attacks [163], along breach such as the case of the Springfield Pumping with fake data injection attacks [164], zero-control data at- Station in 2011 [142], a backdoor such as the case tacks [165], and finally Control-Flow Attestation (C-FLAT) of US Georgia Water Treatment Plant in 2013 [143], attacks [160]. Such attacks can result into a total blackout or an exploited security gap such as the case of the targeting CPS industrial devices and systems as presented in Canadian Telvent Company in 2012 [144]. This allows TABLE II. an attacker to damage and shut-down network-connected • Eavesdropping: eavesdropping includes the interception manufacturing systems and CPS devices, resulting into of non-secure CPS network traffic to obtain sensitive in- loss of availability and productivity. formation (passwords, usernames, or any other CPS infor- • Malicious Third Party Software Provider: the main mation). Eavesdropping can take two main forms:passive purpose of this attack is to target the company’s CPS by listening to CPS network message transmission, and by compromising the legitimate “Industrial Control Sys- active by probing, scanning or tampering the message by tems” software, such as the case of the Georgia Nuclear claiming to be a legitimate source. Power Plant Shutdown in 2008 [145]. This includes • Cross-Site Scripting: or XSS occurs when third-party replacing legitimate files in their repositories with a web resources are used to run malicious scripts in the malware that will be installed to offer remote access targeted victim’s web browser (mainly a targeted CPS functionalities to control or compromise a given system. engineer, contractor, workers, etc. ) by injecting malicious • Abuse of Privilege: is mainly led by insiders or “whistle- Coding Script into a website’s database. XSS can achieve blowers” to perform or help perform a (cyber)-attack from session hijacking, and in some cases, can log key strokes within. Such high privilege grants them the ability to along and remotely accesses a victim’s machine. conduct these attacks by exposing valuable knowledge on • SQL Injection: or SQLi targets CPS database-driven CPS systems’ vulnerabilities and weaknesses. This abuse websites to read and/or modify sensitive data, along pos- of privilege can take many forms. sibly executing administrative operations such as database – Physical Tampering: including gaining unautho- shutdown, especially when CPS systems are still relying rised or masqueraded authorised access to restricted on SQL for data management [166]. areas to damage CPS systems, devices, modify their • Password Cracking: aim to target the authenticity operational mode, inject malicious data/information of CPS users[167], [168] (mainly engineers and man- or steal confidential documents. agers) by trying to crack their passwords using brute- – Unauthorised Activities: are based on performing force [169], dictionary [170] (mitigated by using key suspicious tasks, such as opening/closing pumping exchange [171]), rainbow table [172], birthday (mitigated stations, increasing/decreasing power voltage, open- by hashing) [173] or online/offline password guessing ing closed ports, communicating with an external attacks [174] to gain access to the password database, entity, network traffic redirection or information or to the incoming/outgoing network traffic. Therefore, leakage. it is important to prevent such escalation from taking place [175], [176]. • Social Engineering: can take many deceptive forms [91] • Phishing: has many types such as e-mail phishing, vish- such as reverse engineering (impersonating a techy- ing, spear phishing or whaling that target some or all savvy), baiting (selling malicious USBs or software), CPS users (such as engineers, specialists, businessmen, tailgating (following authorised personnel) or Quid Pro Chief Executive Officers (CEOs), Chief Operations Of- Quo (impersonating technical support teams), and is ficers (COO), or/and Chief Financial Officers (CFO)), based on the art of manipulating people (either mentally through impersonation of business colleagues or service or emotionally) to reveal confidential information by providers. manipulating their emotions to gain their trust to reveal • Replay: includes intercepting transmitted/received pack- sensitive information related to a CPS, PLC or ICS ets between ICSs, RTUs, and PLCs through imperson- system. ation to cause delays that affect CPS’s real-time opera- Recently, CPS systems became the new target of hack- tions and affect their availability. In some cases, these ers for espionage, sabotage, warfare, terrorism, and service intercepted packets can be modified, which would seri- theft [146], mainly as part of cyber-warfare [147], cyber- ously hinder normal operations. crimes [148], [149], (cyber)-terrorism [150], [151], [152], • DoS/DDoS: DoS attacks target the cyber-physical system (cyber)-sabotage [153] (such as cyber-attacks against Esto- resources and are launched from a large number of locally nia in 2007 [154], and Georgia in 2008 [155]), or (cyber)- infected devices. DDoS attacks are usually exploited by espionage [156], [157]. The lack of (cyber)-security revealed Botnets, whereby a large number of infected devices a serious issue with possibly drastic effects [12], especially in simultaneously launch a DDoS attack from different geo- ฀฀฀฀฀฀฀฀฀

11

graphical locations. DoS attacks can take many forms (i.e (2001) [200], Triton (2017 [201])). blackhole [177], teardrop [178]), while DDoS can take – Rootkit: is designed to remotely and covertly access the following forms (i.e ping-of-death [179], smurf [180] or control a computer to execute files, access/steal and Black Energy series (BE-1, BE-2 and BE-3 [181], information or modify system configurations (i.e [182], [183]), all targeting CPS systems. Moonlight Maze (1999) [202], and Blackhole exploit – TCP SYN Flood: exploits the TCP handshake kit (2012) [203]). process by constantly sending requests without re- – Polymorphic Malware: constantly and frequently sponding back to the server, causing the server to changes its identifiable to evade being detected to constantly allocate space awaiting a reply [184]. This become unrecognizable against any pattern-matching leads to a buffer overflow and causes the cyber- detection technique. physical system to crash. – Spyware: is a malicious software covertly installed on a device without the user or authorization knowl- • Malicious Third Party: includes software that covertly edge, for spying purposes (e.g surveillance, recon- exploit data aggregation network and compromises them, naissance, or scanning). In fact, they can be used mainly using botnets, Trojans or worms to infiltrate infor- for future cyber-attack purposes (i.e ProjectSauron mation through a CPS encrypted channel from an internal (2011) [204], Dark Caracal (2012) [205], Red Oc- system (i.e PLC, ICS or RTU) through the reliance on tober (2013) [107], WarriorPride (2014) [206], Fin- Trusted Third Party in disguise, to a botnet Command- Fisher (2014) [207], and COVID-19 spyware.) and-Control server. Thus, targeting CPSs [185] and – Ransomware: is a malicious software that holds AMIs [186]. and encrypts CPS data as a ransom by exploiting • Watering-hole Attack: The attacker scans for any cyber- CPS vulnerabilities, targeting oil refineries, power physical security weakness. Once a weakness is iden- grids [208], manufacturing facilities, medical cen- tified, the chosen CPS website will be manipulated by ters and encrypting all data-backups until a ransom a “watering hole”, where a malware will delivered by has been paid. A prime example of that is the exploiting the targeted CPS system mainly through back- Siskey (2016), SamSam (2016), Locky (2016), Jig- door, rootkits or zero-day exploit [187]. saw (2016) [209], Hitler-Ransomware (2016) [210], • Malware: is used to compromise CPS devices in order WannaCry (2017), Petya (2017), Bad-Rabbit (2017), to steal/leak data, harm devices or bypass access control Maze (2019) and Ekans (2020) ransomware [211], systems. The malware can take many forms, however, [212], [213], [214]. the main forms that target CPS are briefly listed and • Side-Channel: is based on the information gained from presented in the following. the implemented CPS system such as timing information, – Botnets: this includes exploiting CPS devices vul- power consumption and electromagnetic leaks that can be nerabilities to turn them into bots or zombies, mainly exploited. to conduct hardly-traceable DDoS attacks (i.e Ram- For this reason, some of the most infamous cyber-attacks nit (2015) [188], Mirai (2016) [189], Smominru deserve being mentioned (TABLE II). Moreover, for further botnet (2017) [188], Mootbot (2020) [190], Wild- details, you can refer to [139]. In fact, Do et al. presented Pressure and VictoryGate (2020).) a much more detailed attack description as early as 1980s – Trojan: is a disguised malware that seems legitimate in [142]. However, this paper aims to classify the occurrence and tricks users to download it. Upon download, the of these attacks as early as 2000 and based on, but not limited Trojan infects the device and offers a remote access to, political, religious, and criminal motives. to steal data credentials and monitor users activities. After reviewing the main CPS attacks, it is essential to This also includes Remote Access Trojans which in assess their associated risks to design the convenient counter- turn, can be used to turn a device into a bot (i.e Turla measures. In the next section, the risks associated with the (2008) [191], MiniPanzer/MegaPanzer (2009) [192], different CPS security attacks are evaluated. Gh0st RAT (2009) [193], Shylock (2011) [194], Coreflood (2011) [195], DarkCornet (2012) [196], MEMZ (2016) [197], TinyBanker (2016) [198] and D. CPS Failures Banking.BR Android Botnet (2020)). – Virus: it can replicate and spread to other devices Given the different threats, attacks and vulnerabilities that through human/non-human intervention. Viruses the CPS domain suffers from, it is important to highlight the spread by attaching themselves to other executable main failures than CPs systems suffer from. These failures can codes and programs to harm CPS devices and steal either be minor (limited damage) or major (severe damage). information. In fact, further details can be found in [222], where Avizienis – Worms: spread by exploiting operating system vul- et al. presented a well-defined and detailed explanation in this nerabilities to harm host networks by carrying pay- regards. loads to steal, modify and delete data, or overload • Content Failure: means that the content of the delivered to web-servers (aside Stuxnet, Flame and Duqu, information is inaccurate, which would result into some i.e aCode Red/Code Red II (2001) [199], Nimda functional system failure. Content failure can be ei- ฀฀฀฀฀฀฀฀฀

12

TABLE II: Real CPS Attacks Country Target Attack Nature Type Date Motives United States of America Ohio Nuke Plant Network [215] Slammer Worm Malware-DoS January 25, Criminal 2003 Taum Sauk Hydroelectric Power Station Sensors Failure Accident December 14, N/A Failure [216] 2005 Georgia Nuclear Power Plant Shut- Installed Undefined Soft- March 7, 2008 Unclear down [145] Software ware Update US Electricity Grid [217] Reconnaissance Undefined Soft- April 8, 2009 Political ware Programs Springfield Pumping Station [142] Backdoor Unauthorised November 8, Criminal Access 2011 Georgia Water Treatment Plant [143] Physical Breach Unauthorised April 26, 2013 Criminal Access Iran Iranian nuclear facilities Stuxnet [218] Worm November, 2007 Political

power plant and other industries Stuxnet-2 worm December 25, Political 2012 Iranian Infrastructure (nuclear,oil) and DDoS Disruptive October 03, Political communications companies 2012 Iranian key oil facilities Computer Virus Malware April 23, 2012 Political Saudi Arabia Saudi infrastructure in the energy indus- Shamoon-1 Malware August 15-17, Religio-Political try 2012 Saudi government computers and targets Shamoon-2 Malware November 17, Religio-Political 2016 Tasnee and other petrochemical firms, Shamoon-3 Malware January 23, Religio-Political National Industrialization Company, 2017 Sadara Chemical Company Qatar Qatar’s RasGas Shamoon Malware August 30, 2012 Political United Arab Emirates UAE energy sector Trojan Laziok Malware January- Political February 2015 Australia Maroochy Water Breach [141] Remote Access Unauthorised March, 2000 Criminal Access Canada Telvent Company [144] Security Breach Exploited September 10, Criminal Vulnerability 2012 Ukraine Ukrainian Power-grids [219] BlackEnergy DDoS December 23, Political Malware 2015 Ukramian Electricity Firms [220] Petya [221] Ransomware June 27, 2017 Political

ther numerical or non-numerical (i.e alphabets, graphics, through the service interface and affects its decision sounds or colours). making or/and normal performance ability. This failure • Timing Failure: means that the timing of information can either cause a partial or full CPS system failure either delivery (transmission/receiving) is delayed or interrupted temporarily or permanently. (received/transmitted too early or too late). This would • Consistent/Inconsistent Failures: a consistent failure affect the decision making process and may cause data occurs when a given service is identically perceived by management issues. all CPS users. An inconsistent failure takes place when • Sensors Failure: means that the sensors are no longer all CPS users differently perceive an incorrect service functioning properly, and would seriously hinder the de- (i.e bohrbugs, mandelbugs, heisenbugs and Byzantine cision making process due to misinformation, or bringing failures) [223]. a CPS system to a sudden halt. A similar case occurred in 2005, at Taum Sauk Hydroelectric Power Station [216]. IV. EVALUATING RISKS • Silent Failure: occurs when there is no message sent or Evaluating risks is essential to assess the risk’s economic received in a distributed system. impact of an attack on any CPS system, before managing it. • Babbling Failure: occurs when the information is deliv- Such management is based on assessing and analysing the risk ered, causing the system to malfunction and to operate in before mitigating it, then deploying the right security measures a babbling manner. according to the level of severity and risk impact (see Fig. 4). • Budget Failure: occurs when the cost of implementing a cyber-physical system outweighs the budget set, before ever reaching the testing level. This is mainly caused by A. Risk Identification & Management: poor planning. Risk Management is implemented in order to identify, • Schedule Failure: occurs when the schedule set for analyse, rank, evaluate, plan and monitor any possible risk planning, testing and evaluating a given CPS is not through risk assessment. achieved due to further upgrades, additional testing, or • Identifying Risks: identification is based on uncover- inadequacy for users needs. ing and recognising risks that can negatively affect a • Service Failure: occurs when having an error propagates project/project outcome and describing it [224]. ฀฀฀฀฀฀฀฀฀

13

Fig. 4: CPS Risk Evaluation

• Analysing Risks: risks likelihood and consequence must B. Risk Assessment: be determined once they are identified, to understand the nature of a risk. • Ranking Risks: risks rank is evaluated according to the Risk Assessment is implemented to minimize the impact risk magnitude, based on the combination of both risk of a given attack [225]. In fact, risks are evaluated based on likelihood and consequence in case it occurred. calculating the average loss in each occurring event [226]. • Evaluating Risks: based on their ranks, risks are either Additionally, several risk assessment methods, as well as deemed as acceptable or require serious treatment and various techniques to secure CPS were revealed in [25]. In urgent attention. fact, since most studies are focused on securing enterprise • Planning Risks Response: highest ranked risks are systems in order to assess risks, security became an emerging assessed to treat, modify and mitigate them to once again issue that imposes a serious risk on CPS [227]. As a result achieve an acceptable risk level. Therefore, risk mitiga- in [228], [229], Lu et al. presented an adequate risk assessment tion strategies are created, along with the deployment of method. The main security focus was based on transferring it preventive and contingency plans. from risk assessment, to Computer Risk Assessment (CRA), to • Monitoring and Reviewing Risks: risks are constantly Network Risk Assessment (NRA) with a heavy reliance on the monitored, tracked and reviewed. In case of any suspi- internet [230]. Asset Identification: is also important, since cious activity, these risks are mitigated before any serious it is a resource value that can either be tangible, or intangible threat occurs. that impacts daily transactions and services [231]. In fact, CPS assets can be divided between cyber assets, physical assets, and cyber-physical assets. Finally, since asset quantization is estimated from both direct and indirect economic losses [232], it is important to determine the Asset Value (AV). ฀฀฀฀฀฀฀฀฀

14

C. Risk Impact: Systems (ICMs) can lead to huge loss of information Risk is assessed based on its possible impact on CPS beyond recovery if the backup is not maintained, or if systems. It is divided into three main types: the ransom is not paid. This leads to huge financial losses over short and long terms especially if the information is • High Impact: in case the risk has occurred, this can result in devastating and damaging effects on CPS systems. deleted beyond recovery. CPS systems might take months It is used to evaluate and mitigate persistent advanced and even years to recover. • Additional Spending: threats [233]. may be required to tackle the advanced persistent threat attempts and zero-day attacks, • Medium Impact: in case of its occurrence, the impact is less severe. However, it also imposes a serious threat which require additional spending in terms of security against CPS. It is used to evaluate and mitigate advanced protection in a defense-in-depth manner. • Loss of Life: threats [234]. can be the result of flooding, radioactivity, fire or electric shock due to hazardous or intentional acts. • Low Impact: in case this risk has occurred, its impact • Disclosure of Information: is not severe, nor has damaging effects. As a result, its can affect CPS businesses impact is very limited and can be easily mitigated. It is and business trades and put the privacy of users at risk used to evaluate and mitigate basic threats [235]. of having their personal information being exposed. Before proceeding any further, it is important to classify CPS components as critical, moderate and non-critical, to D. Risk Mitigation: identify the risk of an event occurrence (malicious/hazard) Risk mitigation requires the adaptation and implementation along its impact to define the proper security measures (basic, of a well-built management strategy in addition to cyber and standard or advanced), as seen in Fig. 5. physical security in order to counter-espionage, theft, or/and While adopting all possible security measures might be terrorist attacks. Such a mitigation model also requires, data costly in all terms (i.e. complexity, financial cost, delay, etc.), security and protection, as well as anti-counterfeit and supply risk management is key for selecting the convenient security chain risk management [236]. These models should also be solutions. In the next section, the different security solutions supported by both forensic and recovery plans. This can help proposed to defend the security issues are reviewed. While in analyzing cyber-attacks whilst coordinating and cooperating these security solutions aim at preventing, detecting or cor- with the responsible agencies to identify external cyber-attack recting system damage, the CPS forensics aim at knowing the vectors [237]. Therefore, preventive, detective, repressive and system issues causes, which help in reducing and preventing corrective logical security measures can be adopted. future attacks. Thus, the main CPS forensics solutions are also As a result, a qualitative risk assessment table is presented reviewed. (see TABLE III) where the exposure is either Low (L), Moderate (M) or High (H), the risk level is either Major (Ma), V. SECURING CPS Minor (Mi) or Critical (Cr), and the security measures are Detective (D), Repressive (R), Preventive (P) and Corrective Securing CPS is not a straightforward task. For this reason, (C), respectively. various existing solutions are mentioned and discussed in this 1) Attack Cost & Impact: The cost of security attacks can section. Already existing testing tools are also introduced. All take many forms, and the main ones are highlighted as follows: of these schemes are presented to protect CPS domains against attacks that target the confidentiality, integrity, availability, • Delays: CPS systems may be prone to service delays, authentication and privacy of both data and systems as seen which may affect their performance and render them in Fig. 6. inactive (blackout, burnout) until the issue is sorted either through maintenance or back up. • Affected Performance: system delays due to a malicious A. CPS Security Requirements (cyber-attack)/non-malicious (accident) event can gradu- According to National Institute of Standards and Technol- ally affect the CPS performance and cause it to operate ogy (NIST) guidelines [243], [244], ensuring trust between in an abnormal manner which can seriously affect the IoT and CPS, should consist of various multi-factors. This is decision making process. due to both IoT and CPS systems relying on safety, security, • Cascading Failures: such as sensor failures, software privacy, consistency, dependability, resiliency, reliability, in- bugs or nuclear power plant overheating, which can teraction and coordination, all of which are combined to form cause environmental catastrophes such as the case of a well-designed and trustworthy system. If this condition is Chernobyl (1986) and Fukushima (2011), natural gas satisfied, a perfect CPS mechanism is achieved. As a result, pipeline explosion in Belgium (2004), series of Tran- several CPS testing tools were used to evaluate the security sCanada Corporation’s natural gas leakage and explosion of Industrial Control devices upon their development (see in Canada (between 2000 and 2018) [241] as well as TABLE IV). For further details, these tools are explained similar incidents in the US [242], Mexico, China and in [245]. Moreover, several security certifications are also other countries, oil spilling, water pipeline incidents, discussed, reviewed, analysed and compared according to their flooding, blackouts, and so on. different aspects [245] (see TABLE V). • Financial Losses: malware attacks such as ransomware In the following, the main CPS security requirements are (i.e Ekans snake malware) targeting Industrial Control defined and discussed. ฀฀฀฀฀฀฀฀฀

15 Authent- ication X X X X X X X X X X X X X X X Availability X X X X X X X X X X X X X X X Integrity X X X X X X X X X X X X X X X Targeted Security Goals Confident- iality X X X X X X X X X X X X X X X Countermeasures IDS,Malware, Firewalls, Anti-Virus Anti-Spyware, Defence Anti- in Depth Honeypot,Backup/Update,Learnt Lesson Verified IDS, Anti-Malware Backups, Secondaryvices, De- IDS,Clouds Leverage to HTTPS/SSH Encryption, PersonalVPNs [238] Ultra-Low Firewalls, Processors,Cage,Timing/Power Faraday Power Information [239] Real-Time Obfuscating Threat Intelli- gence, Rapid Incident Re- sponse Teams,Updates Constant Hybrid IDS, ML,Policy [240] BYOD EmployeeAwareness TrainingIDS, & Anti-Phshingware/Training Soft- Password Policy, Periodic Password Changing Timestamp,Random Session Keying Filtering, Validate & SanitizeInput User Least Privilege,Code, Whitelisting Strong Qualitative CPS Risk Assessment Risk Mitigation Security Measures D, P, C & R D, P & R D, R & C D, C & P D, P & R D&P D, P & R D, C & R D, P & C D&P D&P P&C D&P D&P D, C & P TABLE III: Evaluation Risk Level Ma/Cr Ma/Mi Ma/Cr Ma Ma/Mi Mi Ma Cr Ma Mi Ma Ma Mi Cr Ma/Mi Unprotected H H H H H H H H H M/H H M M H H System/Data Exposure Protected L/M/H M M/H M/L H L M/L H L L L L L L L Impact High Moderate High High High Low Moderate High Moderate Low Moderate Moderate Low High Moderate Attack Type Malware Spyware Ransomware Botnets DoS/DDoS Eavesdrop Side- Channel Zero-Day Malicious Data Injection Social Engi- neering Phishing Password Cracking Replay XSS SQLi ฀฀฀฀฀฀฀฀฀

16

Fig. 6: Targeting CPS Security Goals

• Privacy: In CPS, a huge data collection process is and their information disclosure [258], [259]. constantly taking place, and this is what most people are • Dependability: Intelligent Physical World (IPW) ensures not aware of [256], [257]. Therefore, a person has the that the CPS adaptive behaviour is achieved to bring right to access his own data, along with being given the a higher dependability and ensure the right Quality of right to know what type of data is being collected about Service (QoS) through the adoption of fault-tolerance them by data collectors, and to whom these data is being mechanisms in a timely manner. Dependability includes given or sold to. However, this also requires preventing two other qualities, safety and reliability. Safety is of- the illegal/unauthorised access to the user’s personal data ten an objective defined in terms of the organisation’s ฀฀฀฀฀฀฀฀฀

17

TABLE IV: CPS Testing Tools Tools Origins Nature Description Achilles [246] uniquely designed for embedded and uses Wurldtech proprietary fuzzing algorithms to generate tests of industrial control devices known and unknown vulnerabilities, provides the analysis of the attack impact, monitors the whole system BreakingPoint [247] designed as the industry’s first cyber a 4 RU rack-mountable, modular system that accurately recreates a tomography machine live network environment and identifies network devices “Breaking- Points”. It measures and hardens the resiliency of CI component against crippling attacks beSTORM [248] automated tool programmed to make an excessive search of all possible input combinations, tests any product for potential weaknesses Codenomicon Defensics [249] a specialized fuzzing tool which supports sends to the system invalid or unexpected inputs that expose software the security of industrial protocols defects and vulnerabilities, ensures a broader test coverage, can be used to test digital media, wireless infrastructures and network protocols. Easy integration. Proactive testing. Integrated online docu- mentation Mu-8000 [250] Mu Studio Security, built on a pow- consists of four types of tests, Protocol Mutation Tests including DNP3, erful automation platform that pro- IEC 61850, MMS, and MODBUS/TCP industrial protocols, generates vides extensive automation, monitors test cases packets containing protocol mutations secure targets handles hardware/software-based restarters, and them successfully, non-secure targets might respond abnormally reports capabilities Peach [251] Smart Fuzzing tool that performs gen- requires the creation of PeachPit files to define the structure and type eration and mutation based fuzzing of information in the to be fuzzed data, allows the configuration of a fuzzing run including data transport and interface logging Sully [252] is a fuzzer development and fuzz testing It consists of multiple extensible components, it also supports ICCP, framework modbus and DNP3 fuzzing modules SPIKE [253] designed to focus on finding exploitable It is a fuzzer creation kit, it provides an API to allow users to create bugs their own fuzzer for network based protocols, allows the use of the C programming language

TABLE V: CPS Security Certifications CPS Security Certifications Certification Name Levels Description WST Achilles Certification [246] 1 includes basic testing Layer 2-4 Industrial Protocols 2 includes in-depth testing Layer 2-4 Industrial Protocols Exida Certification [254] N/A includes three main types which are functional safety, functional integrity, and cyber security ISASecure EDSA Certification [255] N/A consists of Functional security assessment (FSA), Software development security assessment (SDSA), MuDynamics MUSIC Certification [250] Foundation includes various protocols such as ARP, IPv4, TCP, UDP, and IEEE 802.lp/Q Advanced includes various protocols such as DNP3, FTP, HTTP, MODBUS/TCP, and Telnet

goals [243]. This is due to the negative impact of cyber- of Carshark software tools that control a car in [133], security risks, where vulnerabilities can be compromised along with the successful design of a virus in 2010 and exploited by a hacker, or due to CPS failure. Hence, which attacked Siemens plant-control systems [261], safety is of a high concern for IoT, CPS and (Internet along with how hackers broke into the United States of Cyber-Physical Things) IoCPT users alike. While Federal Aviation Administration (US FAA) air traffic reliability is based on the ability to adapt to changing control system in 2009 [262]. Resiliency is achieved by conditions to overcome and recover from any possible each CPS component in a Base Architecture (BA) pre- disruption either based on cyber or/and physical attacks sented in [263], where each communication and physical led by adversaries, in addition to natural disasters [243]. connection path between elements is granted access by Physical systems rely on timing and proper functionality. the BA’s connectors. This requires the BA system to know However, in case of any possible mismatch, unreliability and identify every possible path, while overcoming any and uncertainty can cause problems and disruptions for connection disruption. Moreover, in case the elements CPS services. Therefore, maintaining a high reliability were inconsistent, a multi-view editor will be deployed requires reducing the uncertainty levels. In fact, it is also to make corrections. recommended to implement error-correction algorithms • Interaction and Coordination: are essential to maintain to sort electronic components imperfect reliability [260]. an all-time operational CPS security. In [58], Hu et al. As a result, Rajamaki et al. in [260] stated that CPS stated that CPS interaction and coordination between behaviour can be predictable through the implementation cyber and physical system elements are a key aspect. In and use of artificial intelligence or/and even Machine fact, the main physical world characteristics are based on Learning (ML) schemes. This allows the prediction of the constant system change over time. However, the cyber the so called “next-time system state”. world characteristics are based on sequence series with • Resiliency: CPS must be resilient to overcome accidents no temporal semantics. Moreover, two basic approaches and malicious attacks. Therefore, CPS logical and phys- are presented to study and analyse this problem. These ical systems are prone to cyber security vulnerabilities approaches are based on the “cyberizing” the physical from a security aspect. This included the demonstration (CtP) aspect through the introduction of cyber-properties ฀฀฀฀฀฀฀฀฀

18

and interfaces into physical systems, and “physicalizing” an overall system integrity [270]. Therefore, it is essential the cyber (PtC) where cyber-software components are to to set the right privileges (task-based, role-based, rule- be represented in real-time [264]. based, etc..) and strong password complexity policies in • Operational Security (OpSec): Operational Security order to enhance the security level. Moreover, this also (OpSec) was introduced in 1988 to ensure physical se- includes getting rid of old unused accounts and open yet curity, information security, and personnel security [265] unused ports to reduce the exposure to remote wireless through careful planning, risk assessment and risk man- attacks. As a result, CPS nature must be considered before agement [266]. Its primary task is to ensure operational achieving any design. In [136], Mo et al. presented a effectiveness by denying any adversary access to pub- Cyber-Physical security by combining systems-theoretic lic/private information; hence controlling information and with Cyber-Physical security controls. observable actions about a given cyber-physical system, especially in hostile environments/areas [265]. One of its key benefits is providing means to develop cost-effective B. CPS Security Challenges security measures to overcome a given threat. To achieve this task, OPSEC involves five main steps: The adoption of security measures has many benefits when it comes to protecting CPS components, layers and domains. – Critical Information Identification: includes iden- However, despite these advantages, CPS systems are impacted tifying which information, if targeted, can effectively by the application of these security measures, which can be degrade a CPS’s operational effectiveness or place its summarized as follows: potential organizational success at risk, and develop an initial plan to protect it. • Reduced Performance: security measures can partially – Threat Analysis: includes determining an adver- or fully affect the performance of a given CPS, in the sary’s potential and capabilities to gather, process, absence of careful consideration for a balanced security- analyze, and use the needed information. performance trade-off. This can affect normal operations – Vulnerability Analysis: includes studying the weak- and requires more human interventions to manually as- nesses of a given cyber-physical system and the sign services and domains. strengths of an adversary. Thus, building a possible • Higher Power Consumption: is a serious issue, espe- view over how a potential adversary might exploit cially for resource-constrained and battery-limited CPS this security gap to perform a security breach. end devices. A higher power consumption means a – Risk Assessment: risks are assessed based on the shorter lifespan and a higher cost to maintain their threat and vulnerability levels combined, depending availability. on how high or how low these levels are. Risk • Transmission Delays: transmitted/received data is prone assessment levels include evaluating the cost of im- to delays due to the additional encryption process that is plementing the right security measures by ensuring being added to thwart passive/active eavesdropping and a trade-off between the effective cost and benefit sniffing attacks. Despite the protective advantage that is balance. offers, this is unacceptable in a real-time CPS systems. – Appropriate Application Countermeasures: once • Higher Cost: higher security levels are associated with the trade-off is achieved in the earlier phase, the ap- higher computational costs, which are not limited to the propriate countermeasures are then developed to of- initial capital spending phase, but also include training, fer the best protection of CPS against these ongoing update, and operational phases. threats in terms of feasibility, cost, and effectiveness. • Compatibility Issues: some CPS systems are not com- patible with the employed security measures and vice • System Hardening: System hardening can be used to versa. This can be due to the software in-use, firmware, defend a wider range of threats. Therefore, it is highly Operating System, etc. recommended to isolate critical applications that lack • Operational Security Delays: upon the deployment the proper security measures, from any OS that is not of any security service, there is a training phase that trusted in order to boost the IoCPT and CPT secu- precedes the full operational security mode, and during rity. In [267], Shepherd et al. analysed different trust- which the service is temporarily ineffective or basic and computing technologies along with their applications thus, prone to attacks. in the CPS domain. According to [268], such analysis included a Trusted Platform Module (TPM), Trusted Execution Environments (TEE), Secure Elements (SE), C. CPS Security Solutions and Encrypted Execution Environment (E3), to increase the OS’s integrity. Moreover, the authors’ work in [269] Maintaining a secure CPS environment is not an easy task has successfully achieved a higher security level in the due to the constant increase of challenges, integration issues presence of untrustworthy components. This allowed the and limitation of the existing solutions including the lack improvement of CPS by enhancing system’s integrity. of security, privacy and accuracy. Nonetheless, this can be However, if the Graph-based optimization was combined mitigated through different means including cryptographic and with parameters, it can provide a reasoning basis to ensure non-cryptographic solutions as seen in Fig. 7. ฀฀฀฀฀฀฀฀฀

19

Fig. 7: Protecting CPS Layers, Components & Personnel

1) CPS Criticality: CPS systems can be divided into four IoCPT due to power and size constraints. As a result, the main types based on the aspect of their criticality: main focus should be limited to data security alone, instead it should maintain and ensure the efficiency of the overall system • Safety Critical: in such a CPS type, an attack can process along. Therefore, various solutions were presented. lead to loss of life or to chronic deadly diseases, with In [23] Kocabas et al. conducted their own survey which was significant damage to the environment such as fire, floods, dedicated to conventional and emerging encryption schemes radioactivity (e.g. Chernobyl in 1986 and Fukushima in which could be employed to offer secure data storage and 2011) incidents [271], [272]. sharing. In [24], Lai et al. reviewed and discussed prominent • Mission Critical: for this type of CPS, an attack can cryptographic authentication and encryption methods [275] to result into a fatal/non-fatal, total/partial failure of a CPS secure Distributed Energy Resources (DER) systems, while to achieve its objectives [273]. providing recommendations on applying cryptography to DER • Business Critical: in such a CPS type, an attack can systems. In [276], Ding et al. presented an overview of result into huge financial and economic losses, damaged recent advances on security control and attack detection of reputation and loss of CPS contractors and clients. industrial CPS, especially against denial-of-service, replay, and • Security Critical: for this type of CPS, an attack can deception attacks. In [15], Sklavos et al. presented a tutorial result into a security breach of the cyber-physical system that discusses the implementation efficiency of communica- (security gap, exploitable vulnerability, rootkits, back- tions confidentiality, user authentication, data integrity and doors, etc.). services availability, along attacks and modern threats with 2) Cryptographic-based Solutions: Cryptographic mea- their countermeasures. sures are mainly employed to secure the communication chan- Many solutions were presented to maintain a secure CPS nel from active/passive attacks, along any unauthorized access environment by fulfilling its main security goals. In [277], and interception, especially in SCADA systems [274]. In fact, Adam et. al. presented a novel framework to understand traditional cryptography approaches based on utilizing ciphers cyber-attacks and CPS risks. Their framework offers a novel and hash function are not easily applied to CPS including approach to ensure a comprehensive study of CPS attack ฀฀฀฀฀฀฀฀฀

20

elements, including the attacker and his objectives, cyber Attribute Based Encryption Scheme (LABE) for mobile exploitation, control-theoretic and physical system proper- cloud-assisted CPS. Security analysis revealed that LABE ties. In [232], Stouffer et al. provided a comprehensive ICS is secure with fine grained access control and users security guideline that is related to technical controls in- revocation capability, with low overhead. In [292], Zhao cluding Intrusion Detection Systems (IDS), Access Controls et al. presented a new architecture called Secure Pub- (AC), firewalls, and operational controls including training, Sub (SPS) that is based on blockchain. Hybrid encryption awareness and personnel security. In [97], security experts was used to ensure data confidentiality. Therefore, ensur- were able to gain the employees’ credentials due to their ing data confidentiality and reliability, while achieving lack of awareness and training, using phishing and social anonymity of subscribers and payment fairness between engineering techniques through a simulated attack. In [34], subscribers and publishers. In [293], Sepulveda et al. Sommestad et al. conducted a keyword mining comparison, presented a feasible post-quantum enhanced Datagram and concluded that the main focus was either on operational Transport Layer security (DTLS) by using Public Key controls, or technical controls only. In [278], Sharma et al. Cryptography (PKC) based on traditional Elliptic-Curves presented a novel multi-level Network Security Evaluation (ECC) to secure communication channels between differ- Scheme (NSES) that represent five different levels of security. ent parties. Therefore, providing a holistic view over whether NSES is • Integrity: maintaining the integrity of CPS devices re- suitable for Wireless Sensor Networks (WSN) security for quire preventing any physical or logical modification IoT/CPS/IoCPT applications. NSES offers recommendation of incoming/outgoing real-time data. Hence, different for network administrators on early design phases to achieve solutions are presented. In [294], Omkar et. al. addressed the right security needs. As a result, this paper classifies these the problems of software reconfiguration and network solutions in terms of them fulfilling one of the following attacks on ICS through the description of their pre- security goals: sented approach called Trustworthy Autonomic Interface Guardian Architecture (TAIGA). TAIGA offers protection • Confidentiality: securing CPS communication lines is against the attacks that originate from both supervisory essential. As a result, various cryptographic solutions and plant control nodes, whilst integrating a trusted were presented. In [279], the authors presented a solu- safety-preserving backup controller. In [295], Tiago et al. tion based on the use of compression techniques before introduced the Shadow Security Unit “SSU” as a low-cost being encrypted. Their solution reduces the overhead and device used in parallel with a PLC or Remote Terminal mitigates the problem. Since, lightweight cryptography Unit (RTU) to secure SCADA systems [296]. became the centre of attention with various lightweight SSU is complementary to the existing SIEM architec- block ciphers being presented by different authors, in- tures, and it can transparently intercept its communi- cluding an ultra-lightweight block cipher by Bogdanov cation control channels along with its physical process et al. [280] and a low-latency block cipher for pervasive Input/Output lines to constantly assess both security and computing applications [281]. This was due to their low- operational status of PLC or RTU. Another approach was cost and low-latency with the ability to provide cryp- also presented in [297], by Asem et. al to overcome tographic blocks for any resource constrained, normal, MITM, replay and command modification attacks by industrial, or even medical devices. In [282], Shahzad, providing an encryption level for the transferred packets, et al. suggested the installation of encryption-decryption along with the use of hardware cipher models. In [298], modules at both ends of non-secure Modbus commu- Cao et al. presented a layered approach with the aim of nication to protect its connection from confidentiality protecting sensitive data. Their techniques relied on hash attacks. Thus, requiring an additional overhead to convert chains that provide a layered protection for both high plaintexts into ciphertexts and vice versa. In [283], The and low security levels zones along with a lightweight American Gas Association (AGA) presented its AGA- key management mechanism. Thus, preventing attackers 12 standard to provide “bump-in-the-wire” encryption from intercepting data from a higher security level zone. services for CPS, but at the expense of large latency Therefore, ICS applications vendors should work on re- overheard [284]. In [285], Vegh et al. described a hi- leasing compatible versions of their applications to ensure erarchical cryptosystem method obtained through the that the ICS operators will not resort to older versions of ElGamal algorithm that protects CPS communications. To vulnerable OS [22]. fix decryption issues, WSO2 Complex Event Processor • Availability: maintaining the availability of CPS devices (WSO2-CEP) was presented in [286], [287] and used in is a must. Hence, different solutions are presented to miti- to sort different challenges. Results ensure the ability to gate and overcome availability issues. For this reason, the ensure confidentiality, privacy and availability in a secure Tennessee-Eastman Process Control System (TE-PCS) and reliable CPS environment. model is used to test integrity and DoS attacks [299]. In [288], Zhou et al. presented a novel lightweight Upon testing, this model reveals how DoS attacks are encryption scheme for real-time requirement in CPS ineffective against sensor networks. Thus, requesting to including Vehicular ad hoc networks (VANETs) [289], prioritize security defences against integrity attacks due [290]. Results revealed that this scheme is secure, reliable to their effectiveness to overcome DoS attacks only [300]. and efficient. In [291], He et al. presented a Lightweight In [39], Gao et al. designed and presented the network ฀฀฀฀฀฀฀฀฀

21

ICS testbed based on Emulation, Physical, and Simulation technique on big power CPS data. Results revealed (EPS-ICS testbed) as a control process for corporate and that ICA is more secure without breaching confi- SCADA network emulations through the use of PLCs, dential data and offers a better privacy preserva- RTUs, and DCS controllers to interact with the process. tion and data utility. In [312], J. Feng et al. pre- In [301], Thiago et. al. combined an open source PLC sented a lightweight privacy-preserving high-order with a machine learning-based IPS design to secure the Bi-Lanczos scheme in integrated edge-fog-cloud ar- OpenPLC version and render it immune against a wide chitectural paradigm for big data processing. User’s range of attacks. Their presented approach revealed the privacy is achieved using an homomorphic cryp- ineffectiveness of interception, injection and denial of tosystem, while computation overheads are offloaded service attacks, along with the ability of their OpenPLC using privacy-preserving tensor protocols. In [313], project to overcome man-in-the-middle attacks through Ye et al. presented a secure and efficient outsourc- data encryption, without interfering with its own real-time ing Differential Privacy (DP) scheme to solve data characteristics. providers issues related to being vulnerable to pri- • Authentication: authentication is the first line of defense vacy attacks. In [314], Zhang et al. presented a that should be well-built, designed and maintained [302], practical lightweight identity-based proxy-oriented [303], [259], [304]. As a result, in [130], Halperin et al. outsourcing with public auditing scheme in cloud- presented a public key-exchange authentication mecha- based MCPS, by using elliptic curve cryptography nism to prevent unauthorized parties from gaining ac- to achieve storage correctness guarantee and proxy- cess. Their mechanism relies on external radio frequency oriented privacy-preserving property. rather than batteries as an energy source. In fact, out-of- – Homomorphic Encryption: for a better data confi- band authentication were deployed in certain wearable dentiality and privacy protection, homomorphic en- devices, where the authentication mechanism uses addi- cryption techniques were adopted. In [315], Zhang et tional channels including audio and visual channels [73]. al. presented a Secure Estimation based on Kalman On the other hand, Medical CPS (MCPS) biometrics, Filtering (SEKF) using a multiplicative homomor- including mainly heart rates and blood pressure [305], can phic encryption scheme with a modified decryp- possibly be used to generate a key to encrypt and secure tion algorithm to reduce network overhead and en- the body sensor network communication [73]. In [306], hance the confidentiality of the communicated data. Ankarali et al. presented a physical layer authentication In [316], Kim et al. a fully homomorphic encryption technique which relies on pre-equalization. In [307], (FHE) as an advanced cryptographic scheme to di- Ibrokhimov et al. presented a five high-level features rectly enable arithmetic operations on the encrypted categories of user authentication in the gadget-free world, variables without decryption. Moreover, a tree-based including security, privacy, and usability aspects. computation of sequential matrix multiplication is In [308], Chen et al. presented an authentication scheme introduced to slow down the decrease of the lifespan. that applies Authenticated Identity-Based Cryptography In [317], Min et al. presented a parallel fully homo- Without Key-Escrow (AIBCwKE) mechanism to pro- morphic encryption algorithm that supports floating- tect user’s privacy and property from illegal attacks on point numbers to achieve an efficient ciphertext op- Machine-to-Machine (M2M) communications. Making it eration without decryption. Results revealed that the secure and suitable for safe sessions between mobile de- ability to limited application problems while meeting vices with an acceptable overhead. In [309], Haroon et. al. the efficient homomorphic encryption requirements detailed how recent versions of PLCs (2016) are prone to in cloud computing environment. various vulnerabilities, especially password-based mech- 3) Non-Cryptographic-based Solutions: Many non- anisms. The authors revealed that passwords stored in cryptographic solutions were also presented to mitigate and a PLC memory can be intercepted and cracked. Thus, eliminate any possible cyber-attack or malicious event. This allowing them to carry out advanced attacks including was done by implementing Intrusion Detection Systems replay attacks and memory corruption attacks. In [310], (IDS), firewalls and honeypots. As a result, various solutions Choi et al. presented an ICS-specific key management presented by various authors are mentioned and discussed. solution with no delays. • Privacy Preserving Preserving the privacy of users’ big • Intrusion Detection Systems data is not an easy task. As a result, various privacy Various IDS methodology types are available due to preserving techniques were presented to solve this issue the availability of different network configurations [318]. including differential privacy and homomorphic encryp- Each IDS methodology is characterised by its own ad- tion. vantages and drawbacks when it comes to detection, configuration, cost, and their placement in the network. – Differential Privacy: limits the disclosure of pri- In [268], Almohri et al. stated that various research activ- vate real-time big-data and information during its ities were implemented to detect attacks against the CPS. transmission. in [311], Keshk et al. studied the fea- These attacks are split into two main models. Physics- ture reduction role along privacy protection levels Based model, which defines normal CPS operations in using Independent Component Analysis (ICA) as a CPS through anomaly detection. Cyber-Based model ฀฀฀฀฀฀฀฀฀

22

which is used in order to recognize potential attacks Wireless Personal Area Networks (6LoWPAN) for as listed in [319], [320]. In fact, existing approaches IoT" (INTI), which combines their concepts of were mainly designed to detect specific attacks against trust and reputation with the watchdogs nodes to specific applications, including Unmanned Aerial Vehi- mainly detect and mitigate sinkhole attacks. This cles (UAV) [321], Industrial Control Processes [322], included the node’s role possibly changing every and smart grids [323]. In [324], Zimmer et al. exploited time a network is reconfigured or an attack event the possibility of a worst case execution time, through has occurred. obtaining information using a static application analysis ∗ Centralized IDS: C-IDS is mainly deployed in in order to detect malicious code injection attacks in centralized components. This allows all data to CPS. In [325], Mitchell et al. analysed a behaviour-rule be gathered and transmitted by the LLN to the specification-based technique to employ IDS mainly in Internet across the border. Therefore, Centralised Medical CPS. The authors also presented the transfor- IDS can analyse all of the exchanged traffic be- mation of behaviour rules in a state machine, which can tween the LLN and the Internet. In fact, it is detect any suspicious deviation initiated from any medical not enough to only detect attacks involving nodes device behaviour specification. within the LLN, since it is difficult to monitor each – Intrusion Detection System Placement: IDS can node during an occurring attack [330]. In [331], be placed at the border router of any given IoT Cho et al. presented their solution which is based network, in one or many given hosts, or in every on analysing all the packets that pass through physical object to ensure the required detection of the border router between physical and network attacks. Simultaneously, IDS may be able to generate domains. However, the main task is based on a communication overhead between the LLN (Low how to overcome a botnet attack. In [332], [333], Power Lossy Networks) nodes and the border router Kasinathan et al. deployed a centralized placement due to the IDS ability to frequently query the network that allows them to take into consideration the state. In fact in [326], Zarpel at al. described three possibility of overcoming DoS attacks, where in main IDS placement strategies (see Fig. 8): case of a DoS attack, the IDS data transmission would not be affected. In [334], Wallgren et al. employed their centralized approach which is placed in the border router to detect the attacks that target the physical domain. ∗ Hybrid IDS: H-IDS utilizes both concepts of cen- tralized and distributed placements, by combining their advantages and overcoming their drawbacks. The initial approach allows the network to be organised into clusters with the main node of each cluster being able to host an IDS instance before taking the responsibility for monitoring other neighbouring nodes. Therefore, Hybrid IDS placements can be designed in order to consume more resources than a distributed IDS placement. In [335], Le et al. followed the same approach, Fig. 8: IDS Structure through the use of a hybrid placement using a relatively small number of “watchdogs” nodes ∗ Distributed IDS: D-IDSs are being employed covering the network. This offered them the ability in every physical LLN object, whilst being opti- to sniff the communication of its surrounding mized in each resource-constrained node. There- neighbours in order to indicate whether a node fore, a lightweight distributed IDS was presented. was compromised or not. Therefore, reducing the In [327], Oh et al. identified a lightweight al- communication overhead. In [336], Le et al. also gorithm matching the attack signatures, and the managed to organize the network into smaller packet payloads, while suggesting other tech- clusters with a cluster head for each, using the niques that require less matching numbers to same number of nodes. This allowed an IDS in- detect any possible attack. In [328], Lee et al. sug- stance to be placed in each cluster head, with each gested their own lightweight method that allows cluster member reporting its own related infor- them to monitor a node’s energy consumption mation and other neighbours related information by assigning nodes to monitor their neighbours to the cluster head. In the second approach, IDS in the distributed placement. These nodes are modules were placed in, both the border router defined as “watchdogs”. In [329], Cervantes et and other network nodes with the presence of a al., presented a solution called "Intrusion detection central component. In [337], Raza et al. presented of Sinkhole attacks on IPv6 over Low -Power their own IDS named as SVELTE, where the ฀฀฀฀฀฀฀฀฀

23

border router hosts are given the task of processing the main objective of reducing the false alarm rate. intensive IDS modules that are responsible for In [333], Kasinathan et al. presented a signature- detecting any intrusion attempt by analysing the based approach as an extension of their presented Routing Protocol Low-power and Lossy device’s approach in [332]. (RPL) network data. Based on Pongle et al.’s ∗ Behaviour Based: Behaviour Based can be clas- work [338], network nodes were responsible for sified as a set of rules and thresholds implemented any detectable changes in their neighbourhood. to define the expected behaviour of the network’s Moreover, network nodes were also responsible components including both nodes and protocols. for sending information about their surrounding This approach is capable of detecting any intru- neighbours to their centralized module which is sion as soon as the network behaviour deviates deployed in the border router having the main from its original behaviour. Behaviour-based acts assigned responsibility of storing and analysing in the same way as the Anomaly-based detection data. Thus, making it easier to detect and intrusion with a slight difference from specification-based while identifying attacks in their early stages. systems where a human expert is needed to manu- In [339], Thanigaivelan et al. presented an IDS, ally define each specification rule. Thus, providing which allocates different responsibilities to the a lower false-positive rate than the anomaly based network nodes and also to the router’s border. detection [343], [344]. Therefore, there will be no Thus, ensuring a cooperative combined work need for any training phase, since they are imple- amongst them, with the IDS module monitoring mented to operate instantly. However, such an ap- neighbouring nodes, detecting any intrusion at- proach is not fit for all scenarios, and may become tempt, and sending notifications to the IDS mod- time consuming and error prone. In [345], Misra ules. et al. presented their new approach to protect the IoT middleware from DDoS attacks, by triggering – Intrusion Detection Methods: The four main an alert whenever the request number exceeds IDS methods are signature-based, anomaly-based, the threshold line. In [335], Le et al. presented behaviour-based and hybrid based. In fact in [326], a different specification-based approach, aimed these methods were presented, while testing methods at detecting RPL attacks [346], by specifying and techniques were classified into five main cate- the RPL behaviour through network monitoring gories, depending on their detection mechanism . operation and malicious action detection. ∗ Signature Based: Such a detection technique is In [336], Le et al.’s work was extended. Their very fast and easy to configure. However, it is experimentation resulted in a high true-positive only effective for detecting known threats. Thus, rate, where false positive rates were low through- showing a high weakness against unknown threats out their experimentation, whilst also causing an mainly polymorphic malwares and crypting ser- energy overhead compared to a typical RPL net- vices. Despite its limited capability, Signature work as stated in [326]. In [347], Amaral et al. Based IDS is very accurate, and also very effective presented a specification-based IDS that grants the at detecting known threats, with an easy way to network administrator the ability to create and understand mechanism. However, this approach is maintain rules in order to detect any potential ineffective against the detection of both new and attack. Whenever the rule is violated, the IDS variants of known attacks, due to their matching would right away send an alert to the Event signature remaining unknown, and constantly up- Management System (EMS) that correlates these dating its signature patches [340], [341]. In [327], alerts for different available nodes in a given Oh et al.’s aimed to reduce the computational cost network. The success of Misra et al. [345] and by comparing attack signatures and packet pay- Amaral et al. [347] approaches highly relied on loads. In [342], Liu et al. presented a signature- the expertise of the network administrator, as well based IDS that employs an “Artificial Immune as his experience and skills combined. Therefore, System” (AIS) mechanism with detectors being in case of any wrong specifications, it will cause modelled as immune cells with an ability to clas- an excessively high false-positive rate and/or a sify any datagram as malicious or non-malicious high false-negative rate, leading to a possibly according to the matching signature. Such ap- serious risk that threatens the network’s security. proach can evolve into the adaptation ability new ∗ Anomaly Based: This type compares system’s conditions in new environments that are being activities instantly with the ability to generate an monitored. In [332], Kasinathan et al. integrated a alert whenever a deviation from normal behaviour signature-based IDS into the network framework, is detected. However, such a detection method with the objective of being able to detect DoS suffers from a high false positive rate [343], Attacks against 6LoWPAN-based networks. This [348], [349]. In [331], Cho et al. presented a IDS was implemented through the adaptation of botnet detection scheme using the anomaly-based “Suricata4” used for 6LoWPAN networks, with method, by computing an average for each three ฀฀฀฀฀฀฀฀฀

24

metrics composing the normal behaviour profile. ∗ Radio-Frequency Based: In [353], Stone et al. This was achieved before the system monitors the presented a Radio-frequency based anomaly de- network’s traffic and raises the alert whenever a tection method for programmable logic controllers metric violates the already defined computed av- in the critical infrastructure [354]. Their exper- erages. In [350], Gupta et al. presented their own imental results have demonstrated that the use architecture for a wireless IDS, by applying the of a single collected waveform response provides necessary Computational Intelligence algorithms sufficient separability to enable the differentiation which are used in order to a construct normal between anomalous and normal operational con- profile behaviour. Moreover, a distinct normal ditions. However, in case of using multi-time do- behaviour profile will be implemented for each main waveform response, their performance sig- different IP address being assigned. In [328], Lee nificantly degrades. To solve this problem, the au- et al. suggested that energy consumption should thors presented anomaly detection method based be classified as parameter in order to be used in on RF fingerprint feature retrieved from the wave- analyzing each node’s behaviour. Thus, defining form amplitude, phase, and frequency response a regular energy consumption model for each to ensure a qualitative differentiation between an mesh-under routing scheme and route-over routing anomalous and normal operating conditions. scheme, where each node will monitor its own In [355], Stone et al. also presented an RF-based energy consumption. In case the node deviates, the methodology to detect anomalous programmable IDS classifies the node as malicious and removes logic controller behaviours with a superior time- it. domain RF emissions performance. The Cincin- In [351], Summerville et al. successfully man- nati Bell Any Distance (CBAD) approach reached aged to develop a deep-packet anomaly detection a Threat Agent Detection and Response (TADR) approach aimed at reducing the run on resource detection rate higher than 90% benchmark realised constrained IoT devices, by using a bit-pattern at an Signal Power Ratio (SNR) higher or equal matching technique which performs a feature se- to 0 dB. Despite these results, this approach is lection. In their experimental evaluation, they used prone to RF noise, signal degradation and cod- internet enabled devices against four main attack ing loops. In [356], Stephen et al. presented a types (including SQLi, worms, etc..), and results timing-based side channel analysis technique to have shown low false-positive rates. In [339], help control system operators in detecting any Thanigaivelan et al. successfully introduced an firmware and ladder logic programs modification IoT distributed internal anomaly detection system, to the programmable logic controllers. This ap- that monitors the node’s data rate and packet size. proach allows a field device to be fingerprinted Moreover , in [338] Pongle and Chavan presented upon deployment to create an supplicate base- an IDS that is designed specifically in order to line fingerprint. Various fingerprints of the device detect wormhole attacks in IoT devices, in addi- are taken and compared to the baseline in order tion to presenting three main algorithms to detect to detect and alert operators of both intentional network anomalies. As a result, their experiment and unintentional modifications in programmable revealed that the system has achieved a true pos- logic controllers. itive rate of 94% when tested against wormhole ∗ Hybrid Based: It is based on using a detection, whilst scoring an 87% when it came specification-based techniques of signature-based, to detecting both, the attack, and the attacker and anomaly-based detection in order to maximize launching it. In [352], K. Demertzis et al. pre- their advantage whilst minimizing their draw- sented an advanced Spiking One-Class Anomaly backs. In [337], Raza et al. presented a hybrid Detection Framework (SOCCADF) based on the IDS known as SVELTE which offers the right evolving Spiking Neural Network algorithm. This trade-off between storage cost of signature-based algorithm implements a One-class classification methods, and computational cost of anomaly- methodology in an innovative applicable way, due based methods. In [357], Krimmling et al. tested to it being exclusively trained with data to char- their anomaly and signature-based IDS using the acterise normal ICS operations. Moreover, this IDS evaluation framework that they presented. algorithm can detect any divergence in behaviours Their results revealed the failure of each approach and abnormalities that are associated with APT at- in detecting certain attacks alone. As a result, tacks. The authors stated that SOCCADF is highly the authors combined these approaches to cover suitable for difficult problems, and applications and detect a wider attack range. In [329], Cer- with a huge amount of data. According to their vantes et al. presented the Intrusion Detection results, the authors stated that SOCCADF has a of SiNkhole attacks on 6LoWPAN for Internet better performance at a very fast learning speed, of Things (INTI), to detect and isolate sinkhole with higher accuracy, reliability, and efficiency, attacks by combining the anomaly-based approach and it outperforms the other approaches. which ensures a packet exchange between these ฀฀฀฀฀฀฀฀฀

25

nodes. This was done by using the specification- pot specifically designed for networked robotic systems. based method in order to extract the evaluation Simulations reveal that HoneyBot can fool attackers into node based on both trust and reputation. However, believing that their exploits are successful. when comparing SVELTE [337] to INTI IDS, In [367], Fraunholz et al. set up a medium interaction Cervantes et al. simulated a scenario where INTI honeypot offering telnet and Secure Shell (SSH) services IDS achieved a sinkhole detection with a rate up to to capture data from attack sessions. This data was 92%. In case of a fixed scenario, the rate has only analysed to allow the classification of attacker types and reached 75%. Either ways, it has shown a low rate sessions, respectively. In [368], Tian et al. presented of false-positives and false-negatives compared to a honeypot game model with both low/high-interaction SVELTE. modes to mainly improve CPS security. Simulation re- sults revealed that optimal human analysis cost alloca- • Firewalls Firewalls saw rare use of employment in CPS tion and defensive strategy are obtained. Making their domain due to the advancement of IDS and Artificial method suitable for CPS data protection. In [369], Duan Intelligence technologies. Therefore, a handful number of et al. presented a framework called "CONCEAL" as a firewall-based solutions were presented. In [358], Jiang new deception as a service paradigm that is effective et al. mentioned the use of paired Firewalls between and scalable. This was done by combining m-mutation enterprise and manufacturing zones to enhance the cyber for address anonymization, k-anonymity for fingerprint security of servers. Their choice of paired firewalls is due anonymization, and l-diversity for configuration diver- to the stringent security and clear management separation. sification. CONCEAL’s proxies save can reach as high In [359], Nivethan et al. presented a novel methodology as 90%. In [370], Bernieri et al. presented a modular that uses iptables as an effective powerful open-source framework called Deep Detection Architecture (DDA) to network-level firewall for SCADA systems that inspects provide cyber-physical security for industrial control sys- and filters SCADA protocol messages. In [360], Adepu et tems. A cyber-physical simulation methodology was also al. presented Argus as a framework for defending a public presented and exploited to analyse the security modules utility against cyber-physical attacks. Its implementation under several different attack scenarios. Moreover, DDA tests revealed its effectiveness in detecting single and will be extensively used for the next ICS generation and complex multi-component deception attacks. In [361], implemented into the Industry v4.0 paradigm. In [371], Ghosh et al. presented their approach towards predict- Sayin et al. introduced a deceptive signalling framework ing real-time failures of network devices including load as a new defence measure against advanced adversaries balancers and firewalls using event data. Their focus was in CPS. This framework relies on information that is on raw device event data. Results revealed that a low strategically accessible to adversaries to indirectly control failure rate of devices, while achieving a precision rate their actions. of 77% and recall network device failure prediction of 67%. In [362], Javed et al. presented a novel security architecture that localizes the cyber-attack in a timely D. CPS Forensics manner, and simultaneously recovers the affected cyber- It is not enough to encrypt, detect and protect against passive physical system functionality. Results revealed its effec- and active attacks. In fact, aside from identifying the source tiveness against system availability attacks only. of the attack, it is also important to know how the attack was • Honeypots & Deception Techniques Deception is a key performed despite of the challenges [372]. Hence, there an defensive security measure that CPS rely on as a decoy urgent need for the forensics domain to enhance the forensics to hide and protect their system. This can be mainly tools and techniques to retrieve and analyze logs of events that done using honeypots. However, other deceptive solutions took place before, during and after the incident. In fact, CPS also exist. In [363], Cohen presented how honeypot forensic analysis is still in its early stages of development, deception can be made more effective upon employment, due to the ICS specialized nature along with its proprietary while discussing different ranges of deception tactics. and poorly documented protocols [373]. In [374], Awad et In [364], Antonioli et al. presented the design of a virtual, al. surveyed the digital forensics applied to SCADA systems high-interaction, server-based ICS honeypot to ensure a and covered the challenges that surround them. Therefore, realistic, cost-effective, and maintainable ICS honeypot presenting the current state-of-the-art device and network- that captures the attackers activities. Such implementation specific tools. In [375], Grispos et al. presented a forensic- aims to target Ethernet/IP based ICS honeypots. In [365], by-design framework that ensure the integration of forensics Litchfield et al. presented HoneyPhy, a physics-aware principles and concepts in MCPS. In [376], H. Al-Khateeb framework for complex CPS honeypots that monitor et al. shed a light on a new approach where a Blockchain- the originating behaviour from the CPS process and based Chain-of-Custody may be simultaneously established the device that controls the CPS itself. Results reveal to the generated preidentified data (data of interest) by an that HoneyPhy can be employed to simulate these be- IoT device. In [377], Chan et al. described a novel security haviours in a real-time manner. In [366], Irvene et al. block method for detecting memory variable changes that leverage HoneyPhy framework to create the HoneyBot. may affect the integrity of programmable logic controllers and HoneyBot is the first software hybrid interaction honey- efficiently and effectively enhancing security and forensics. ฀฀฀฀฀฀฀฀฀

26

This is done by by adding monitoring and logging mechanisms Authors also stated that their proof-of-concept tool, "Cutter", to PLCs. Therefore, ensuring faster anomaly detection with which is capable of parsing the content of PCCC messages, higher accuracy, less overhead and adjustable impact. extracts and presents digital artifacts in a human-readable form In [378], Ahmadi et al. presented a federated Blockchain such as Simple Mail Transfer Protocol (SMTP) configuration. (BC) model that achieves forensic-readiness by establishing Moreover, the SMTP configuration can be retrieved from the a digital Chain-of-Custody (CoC) and a CPS collaborative network log and can be parsed, too. environment to qualify as Digital Witnesses (DW) to support In [377], Chan et. al. presented a novel security block post-incident investigations. In [379], Parry et al. presented method that enhances ICS security and forensics by adding a high speed hardware-software network forensics tool that monitoring and logging mechanisms to PLCs, and ICS’s key was specifically designed for capturing and replaying data components. Their results demonstrated that their approach traffic in SCADA systems. Experimental results guaranteed increased the anomaly detection range, speed and accuracy preserving the original packet ordering with improvement in with a slight performance impact and a reduced network data capture and replay capabilities. In [380], Cebe et al. overhead. Thus, ensuring a more enhanced, efficient and presented a blockchain infrastructure by integrating a Vehicu- effective forensic investigation procedure. In [388], Yua et lar Public Key Infrastructure (VPKI) to achieve membership al. described the design and implementation of a novel PLC establishment and privacy along a fragmented ledger related logging system. To overcome the inadequacy of information to detailed vehicular data. Moreover, identities pseudonyms in forensics investigations, their logging system is used to were used to preserve users’ privacy. In [381], P. Taveras extract data from Siemens S7 communications protocol traffic. presented a high level software application that detects critical This logging system also helps in recording the evidence situations like abnormal changes of sensor reads and traffic based on the exchanged data between the PLC and other over the communication channel, mainly. Therefore, helping network devices. Thus, providing key information about the by improving critical infrastructure protection and providing attack source, actions and timelines. The choice of Simatic appropriate SCADA forensics tools for incident response and S7 PLC is due to their widespread use [389] and successful forensics analysis. In [382], Ahmed et. al. presented a testbed exploitation by insidious Stuxnet malware. In [390], Chan et of three IPPs (Industrial Physical Processes) using real-world al. focused on the logging mechanism of a Siemens PLC, industrial equipment including PLC. The authors stated that including the Siemens Total Integrated Automation Portal V13 their presented testbed is useful in cyber-security, education program (Siemens TIA Portal, known as Siemens Step-7). (SCADA systems) and forensics research including PLC anal- The author’s methodology performs an effective and practical ysis and programming. Moreover, their testbed includes fully forensics analysis of the PLC. Moreover, it focuses on Siemens functional physical processes which are deemed very essential PLC along with an installed computer workstation with the for both research and pedagogical efforts. Siemens TIA Portal (previously targeted by Stuxnet). In [383], Yau and Chow presented a novel methodology which logs relevant memory address values, that are being E. Limitations used by programmable logic controller programs, in addition to their timestamps. This methodology can be extremely During the evaluation and analysis of the existing presented valuable in a forensic investigation in case of an ICS incident. security solutions, several limitations can be deduced, pre- This is realized by applying machine learning techniques to the sented and discussed as follows: logged data in order to identify any anomalous programmable • Asymmetric Cryptography: introduces overhead in logic controller operation. In [384] Saman et. al. combined terms of latency and resources. The asymmetric nature symbolic execution with model checking to analyse any mali- of certain cryptographic work [285], [292] leaves CPS’s cious PLC code bound injection. Their combined approach can real-time communication prone to network latency and also be used for forensic purposes including the identification overhead due to delays in the encryption/decryption pro- of the areas where the code injection took place, along with cess. which part of the code caused its execution. In [385], McMinn • Weak Device/User Authentication Scheme: many of et al. presented a firmware verification tool used for the the presented authentication techniques [130], [73], [306], forensics analysis of trials of the altered firmware codes to [308] are not very suitable for a secure appliance, due to gain unauthorised access over ICS networks. Such verification the lack of multi-factor authentication schemes to protect is achieved either though the analysis of the PLC’s captured CPS systems from unauthorised users and access. data to check whether the PLC’s firmware is modified or • CPS Forensics Field: are still prone to many challenges not. In [386], Kleinmann et al. presented an accurate IDS including the lack of tools, skills and responses against that utilizes a deterministic finite automaton that models the any potential anti-forensics activity [372], [373]. network traffic with a 99.26% accuracy, after analysing and • Inefficient Honeypot & Deception System: despite of observing the highly periodic network traffic of Siemens S7 the recently proposed techniques in [366], [368], [370], PLC. In [387], Saranyan et al. provided a comprehensive [371], there are no appropriate honeypot techniques that forensic analysis of network traffic generated by the PCCC can be specifically adopted to protect CPS systems, (Programmable Controller Communication Commands) proto- especially in the wake of Industry v4.0. col, and also presented prototype tool that extracts updates of • Lack of Firewall Protection: firewall solutions includ- the programmable logic and crucial configuration information. ing [358], [359] are not very applicable and suitable ฀฀฀฀฀฀฀฀฀

27

for employment into the CPS domain, nor they offer an modern digital forensics solutions should define new effective protection. The best solution requires dynamic countermeasures to preserve digital forensics logs. firewalls, as well as application and next generation 4) Enhancing Security Policy: in many cases, CPS at- firewall types. tacks occurred by insiders (by accident or on purpose). • Inefficient Intrusion Detection Systems: despite the Accordingly, all employees must undergo a screening availability of various IDS types such as anomaly- process before recruitment, and have their privileges based [352], behaviour-based [345] and signature- suspended outside working hours and monitored their based [333], these are generally applied within IoT-based actions in the case of advanced tasks. This means that domains and not specifically designed to protect CPS CPS security policy should be contain new rules to limit systems. access and to reduce the potential damage. 5) Smart Cooperation with non-cryptographic solu- VI.LEARNT LESSONS tions: Intrusion detection systems should be hybrid in all terms and should be coordinated in an efficient manner To secure CPS, many lessons were learnt as how to with firewalls and dynamic honeypot systems. maintain and achieve their required security goals. Among 6) Enforcing Compliance: by respecting users’ privacy such lessons: through ensuring data access regulatory compliance that 1) Maintaining Security Services: new lightweight cryp- processes CPS’s big data via clouds, especially when tographic solutions are required to secure CPS and stored by utility providers (Trusted Third Party (TTP)) IoCPT in real-time operations but with minimum com- to prevent any data leakage and users privacy violations. putational complexity. These cryptographic solutions can Therefore, maintaining a suitable trade-off between users help ensure the following security services: privacy and systems’ security and performance, while • Confidentiality: there is a need for a new class also ensuring firmer accountability measures [405], of lightweight block or stream cipher algorithms to [406]. secure CPS resource-constrained real-time commu- 7) Achieving Trade-Off: is essential for maintaining sys- nications. Recently, a new approach was presented, tems’ availability, safety and security [407], [408]. and it is based on the dynamic key-dependent cipher Therefore, such a trade-off must be achieved based structure and it requires two or one iteration with on the combination of these three key requirements few operations [391], [392], [393], [394]. A set while taking into consideration available budget and cost of these solutions can be applied at the physical requirements in terms of risk assessment: layer [395], [393], [394]. • Message/Device Integrity: this includes the pro- • Availability & Safety: both features are linked tection of CPS data and devices’ integrity from any together since issues related to the safety of a CPS physical/logical alteration(s). This can be done by system also affect its operational availability. To ensuring that the Operating System, applications, ensure this trade-off, verified back-ups of compu- and software are securely designed and without tational devices must always be considered in the any flaws to prevent tampering, with strong cryp- planning phase, as a second line of defense to tographic hash functions (SHA256, SHA384 and handle any sudden service/system disruption (power SHA512). In this end, a new lightweight hash cuts, blackouts, pumping stoppage), or maintenance function was presented in [396] and it requires a (updates, renovation, installation, etc.). single round compared to the existing ones. • Availability & Security: since availability is very • Device/Data Availability: requires the need for crucial for all real-time CPS operations, securing computational resources along with verified back- them is a top priority. For this reason, a trade-off is ups, and a self-healing ability of CPS in such a to be established between availability and security way to recover immediately from availability attack (Frequency Hopping/Shifting, Signal-to-Noise Ra- types. Also, maintaining data availability is as nec- tion, Backup devices, Firewalls, IDS, Traffic Mon- essary [397], and this can be done by defining a itoring, etc.) especially against wireless jamming multi-secure connection [398]-[403]. attacks. 2) Strong Device/user Authentication: An efficient de- • Safety & Security: having a secure CPS does vice/user mutual multi-factor authentication scheme is not always mean that it is protected. In fact, a necessary,along with enhancing verification and identifi- trade-off must be achieved to maintain both safety cation phases based on attribute access-control privileges and security features in any CPS domain, where a (least-privilege) to ensure non-repudiation and stronger safety feature is meant to protect the CPS from any accountability. accidental failure/hazard (system failure, miscalcu- 3) Protecting Digital Evidences: this is highly important lations, abnormal activities, etc.), while a security since most of the advanced attacks focus on eliminating feature (IDS, Firewalls, Artificial Intelligence (AI), any source of evidence that traces back to the attack etc.) ensures protection against intentional cyber- source, such as the case of Shamoon, Duqu, Flame and physical attacks. Stuxnet malware types [404], [109], [75]. Furthermore, ฀฀฀฀฀฀฀฀฀

28

VII.SUGGESTIONS &RECOMMENDATIONS the entity authentication scheme since any entity authen- tication attack can lead to confidentiality, integrity and/or Different security measures could be adopted and enhanced availability attack. Recently, the concept of multi-factor to enhance the protection against various threats and attacks. authentication was applied by combining two or more These include: factors: 1) "you are" which includes device fingerprint, • Prioritization & Classification: of critical CPS com- user fingerprint, hand geometry, iris scan, retina scan, etc., ponents and assets before assessing, managing and and 2) "you have" which includes cryptographic keys to analysing risks to ensure the proper budget spending on increase its robustness against authentication attacks such the right choice of security measures (basic, standard or as the ones described in [411], [412]. This mechanism advanced) in accordance to their costs compared to the should be an essential requirement in CPS systems, in likelihood of the occurrence of a given incident and its addition to the use of the geographical location. The impact. advantage of these solutions is their ability to reduce false • Careful Financial Planning & Management: must positives, and to complicate the authentication attacks be conducted in terms of available budget and needed since several factors should be broken instead of one. costs/resources to protect critical/non-critical CPS assets Consequently, this limits the access only to authorised and components. entities and personnel (devices/users). • Lightweight Dynamic Key Dependent Cryptographic • Strong Password & dynamic Hashing Process: Pass- Algorithms: These solutions can be used to to ensure words are considered as the "you know" authentication several security services such as message confidentiality, factor. However, several attacks such as rainbow and hash integrity and authentication, which are mandatory during table attacks can be applied. In order to prevent them any secure CPS communications. This can be done by from occurring, after a periodic interval, passwords must using new generation of cryptographic algorithms, which be re-hashed with a new dynamic Nonce for each user. were presented in [392], [409], [410]. The advantage of Moreover, a secure cryptographic hash function should these solutions that it can reach a good balance between be used such as SHA-3 and SHA-2 (variant 512). This security and performance level. The robustness against avoids birthday attacks and reduces rainbow/hash table attacks were proved since a dynamic key is used per attacks. message (or a set of messages; depend of application • Secure and Protected Audit: can be done by using an constraints and requirements). Moreover, this dynamic Audit manager system that collects and stores logs in a key is used to produce a set of cryptographic primitives distributed system. A possible solution that can be applied and update cryptographic primitives. This means different in this context was presented recently in [413]. This limits ciphertext can be obtained for the same plaintext since any insider attempt against a cyber-physical system and different cryptographic primitives are used. While, the it preserves the digital evidence of internal and external effectiveness is validates since these algorithms require attacks to trace them back. only one round iteration and uses simple operations in • Enhanced Non-Cryptographic Solutions: require the addition to avoid diffusion operation. The new generation need for hybrid IDS/IPS systems or AI-based IDS/IPS of these cryptographic algorithms reduce the required (using Machine Learning algorithms), along with ad- latency, resources and computation overhead, which help vanced firewalls (i.e Application and Next Generation CPS devices to preserve better their main functionalities. Firewalls) [414], and dynamic honeypots [415] to prevent • Defining Privileges: This should be considered as any future security breach based on a vulnerability ex- the most suitable access control policy, which as- ploit. This can be done by employing lightweight IDS/IPS signs permissions and rights depending on the users’ and especially the anomaly-based ones. In fact, one roles/tasks/attributes when it comes to accessing CPS, and should select the anomaly detection algorithm according removing these access rights upon completing the task or to the CPS device constraints, which can be statistical upon the employee’s leave. This also includes the use for limited ones or based on machine algorithm, such as of the least privilege policy. Therefore, the definition of random forest, for powerful CPS devices. On the other privilege should be done based on Attribute Based Access hand, signature-based techniques can be applied at the Control (ABAC), where policies combined with attributes Gateway (GW) where all network traffic can be analyzed. specify access authorizations. Note that ABAC makes • Secure & Verified Backups: this is essential to maintain access control decisions based on Boolean conditions of the CPS data availability and to avoid data destruction attribute values. It provides a high level of granularity, or alteration by ensuring robustness against DoS/DDoS which is necessary to make CPS control access scheme and Ransowmare attacks, especially that such attacks may more secure. result in total blackouts as in the case of the US. This • Strong Entity Multi-Factor Authentication: Unfortu- can be done by using lightweight data protection solutions nately, entity authentication schemes that are based on such as the ones presented in [399]. a single factor of authentication (you have, you know, • Forensic Efforts: are essential to retrieve the traces of you do or you are) are not resistant enough against any occurring attack. Also, new solutions against anti- authentication attacks, which are increasingly becoming forensic techniques should be introduced to preserve any more dangerous. The first line of defense in any system is digital evidence [413]. This is realized by recovering logs ฀฀฀฀฀฀฀฀฀

29

and monitoring network and system behaviour, which can • Up-to-Date Systems: cyber-physical systems must be successfully limit various reconnaissance attempts. How- kept up-to-date in terms of software, firmware and hard- ever, the newly introduced forensics tools must be com- ware through constant verified patches and updates [422]. patible with different CPS devices’ software/hardware, Moreover, such systems must be secured at different especially resource constrained devices, and must also levels of their implementations (layered protection), with be resistant against anti-forensics attempts. the ability to mitigate and tackle a given attack to reduce • Enhanced Incident Response: includes the ability to its impact and prevent further escalation and damage. identify, alert and respond to a given incident. More- Furthermore, USB ports must be physically and log- over, incident recovery and incident investigation plans ically removed to prevent any payload injection, and should be put in place to mitigate attacks. This provides PLC systems behaviour and activities must be constantly protection against non-intentional technical and opera- monitored for any suspicious/abnormal behaviour [422]. tional failures (power shortage, blackout) through back- • AI Security Solutions: Artificial Intelligence is used up plans, and from intentional failures (cyber-attacks), in IDS/IPS anomaly detection schemes or in "you are" through CERT (Computer Emergency Response) [416], or "you do" entity authentication schemes. In fact, AI CSIRT (Computer Security Incident Response) [417], is now being considered as a game-changing solution and IRCF (Incident Response And Computer Forensics) against a variety of cyber-physical attacks targeting CPS teams [418], [419]. As such, CPS scientists and engineers systems, devices and communication points. Despite the must undergo further education and training to ensure an time consuming process of training an AI system, the enhanced and efficient cyber, physical and computational accuracy of detection and prevention are much higher environment with secure computing and communications. than any human intervention. Recent advancements in • Real time Monitoring: running real-time systems using machine learning, and especially in deep learning, can specialised forensics or non-forensics tools and methods make CPS systems more secure, robust and resistant is essential to prevent any cyber-physical system acci- against cyber-physical attacks. dental or non-accidental failure. This enables constant • Defense In-Depth: most of the existing solutions offer checking and monitoring of CPS devices’ behaviour and protection against a single attack aspect or a security hence, the detection of any cyber-attack attempt in its requirement. Instead, there is need for a multi-purpose se- early stages. curity solution that ensures the best protection at each op- • Security Check: and employee screening must be done erational layer (perception, transmission and application) for each employee before and during the job to elimi- of CPS. For example, the two most known international nate and contain any possible insider/whistle-blower at- standards for functional safety in the automotive industry, tempt. Therefore, signing agreements [420] such as Non- the ISO 26262 [423] and IEC 61508/Edition2 [424], Disclosure Agreement (NDA), Confidentiality Agreement [425] should be respected and applied. This ensures (CA), Confidential Disclosure Agreement (CDA), Propri- a safe CPS implementation based on the Functional etary Information Agreement (PIA) or Secrecy Agree- safety, which includes the Safety Integrity Level (SIL) ment (SA) is highly recommended. Such security checks basics [426] which in turn, rely on the Probability of are essential especially in critical areas such as nuclear Failure on Demand (PoFoD) and the Risk Reduction Fac- power plants [421]. tor (RRF) to ensure a much more accurate and efficient • Periodic Employee Training: includes periodic aware- Hazard and Risk Analysis (HRA) [426], [424], mainly in ness training of ICS and PLC employees on the best the Electronic Control Units (ECU) [427], [428]). cyber-security practices based on their level and knowl- • CPS Security & Privacy Life-cycle: finally, to sum up edge, with the ability to detect any suspicious behaviour this work, our paper presents a combined Operational or activity. Moreover, employees must be trained over and Functional Safety/Security (OFSS) life-cycle that various security threats and wrong practices such as ensures a successful and safe CPS employment as seen avoiding the installation of any software update, how to in Fig. 9). This framework is derived from ISO 26262 counter social-engineering and phishing attempts, while and IEC 61508/Edition2 protocols and their approach also maintaining accountability in case of wrong doings. towards ensuring the CPS Functional safety/security. The • Periodic Pen Testing & Vulnerability Assessment: framework consists of six main phases: must be maintained in a periodic manner to enforce sys- tem auditing, detecting threats, and mitigating them in a – Phase 1: Devising a plan to design a CPS system by real-time manner before they are discovered and exploited following a well-defined time-table and schedule in by an attacker under the zero-day exploit conditions. accordance to the needed budget and corresponding • Periodic Risk Assessment: must also be enforced to costs. This also requires the assistance of humans study the likelihood and impact of a given risk against (businessmen, engineers, workers, etc.) and non- a critical/non-critical cyber-physical system based on human assets (vehicles, machines, etc.). a qualitative or/and quantitative risk assessment and a – Phase 2: requires a careful risk and hazard analysis, Cost–Benefit Analysis (CBA), to classify the risk based which consists of a proper risk management and on acceptable/non-acceptable level and to mitigate it as asset classification, as well as the mutual connection early as possible. between the two to ensure an accurate decision- ฀฀฀฀฀฀฀฀฀

30

making over the adoption of the right security REFERENCES measures/counter-measures. – Phase 3: defines the right functional safety, security [1] Jay Lee, Behrad Bagheri, and Hung-An Kao. A cyber-physical systems architecture for industry 4.0-based manufacturing systems. and dependability requirements along their key com- Manufacturing letters, 3:18–23, 2015. ponents/mechanisms that are essential to mitigate a [2] Yang Lu. Industry 4.0: A survey on technologies, applications and risk/hazard and to reduce their likelihood and impact open research issues. Journal of Industrial Information Integration, in case of their occurrence. 6:1–10, 2017. [3] Jay Lee, Edzel Lapira, Shanhu Yang, and Ann Kao. Predictive – Phase 4: consists of evaluating the performance manufacturing system-trends of next-generation production systems. of CPS in terms of the recently introduced func- IFAC Proceedings Volumes, 46(7):150–156, 2013. tional safety, security and dependability measures in [4] Stefan Heng. Industry 4.0: Huge potential for value creation waiting to be tapped. Deutsche Bank Research, pages 8–10, 2014. an operational manner where a performance man- [5] Stefan Gries, Marc Hesenius, and Volker Gruhn. Cascading data agement and analysis will be conducted to en- corruption: About dependencies in cyber-physical systems: Poster. In sure a proper/mutual security-performance, safety- Proceedings of the 11th ACM International Conference on Distributed and Event-based Systems, pages 345–346. ACM, 2017. performance and dependability-performance trade- [6] A Di Ferdinando, P Ezhilchelvan, M Dales, and J Crowcroft. Ninth ieee offs. international symposium on object and component-oriented real-time – Phase 5: once the performance is evaluated, the distributed computing. cyber-physical system is tested and validated to de- [7] Ingeol Chun, Jeongmin Park, Wontae Kim, Woochun Kang, Haeyoung Lee, and Seungmin Park. Autonomic computing technologies for tect any remaining software/hardware bug, security cyber-physical systems. In 2010 The 12th International Conference gap, or performance issue to apply the required mod- on Advanced Communication Technology (ICACT), volume 2, pages ifications before being commissioned. If the testing is 1009–1014. IEEE, 2010. [8] Ciprian-Radu Rad, Olimpiu Hancu, Ioana-Alexandra Takacs, and Ghe- unsuccessful, the process restarts again to find where orghe Olteanu. Smart monitoring of potato crop: a cyber-physical sys- the issue took place. If successful, the CPS will tem architecture model in the field of precision agriculture. Agriculture head towards further commissioning before being and Agricultural Science Procedia, 6:73–79, 2015. [9] Tamás Haidegger, Gurvinder S Virk, Carol Herman, Roger Bostelman, officially deployed. Péter Galambos, György Györök, and Imre J Rudas. Industrial – Phase 6: upon successful testing, the deployed CPS and medical cyber-physical systems: Tackling user requirements and system will undergo a trial phase to evaluate its challenges in robotics. In Recent Advances in Intelligent Engineering, pages 253–277. Springer, 2020. operational status, while monitoring its behaviour [10] B Siddappaji and KB Akhilesh. Role of cyber security in drone and performance before becoming fully operational. technology. In Smart Technologies, pages 169–178. Springer, 2020. [11] Jean-Paul A Yaacoub, Mohamad Noura, Hassan N Noura, Ola Salman, Elias Yaacoub, Raphaël Couturier, and Ali Chehab. Securing internet VIII.CONCLUSION of medical things systems: Limitations, issues and recommendations. Future Generation Computer Systems, 105:581–606, 2020. CPS systems are key components of Industry v4.0, and they [12] Thomas M Chen. Survey of cyber security issues in smart grids. In Cyber Security, Situation Management, and Impact Assessment II; and are already transforming how humans interact with the phys- Visual Analytics for Homeland Defense and Security II, volume 7709, ical environment by integrating it with the cyber world. The page 77090D. International Society for Optics and Photonics, 2010. aim of implementing CPS systems, either within or outside [13] Charlie Miller and Chris Valasek. A survey of remote automotive attack IoT (IoCPT), is to enhance the products’ quality and systems’ surfaces. black hat USA, 2014:94, 2014. [14] Elias Bou-Harb. A brief survey of security approaches for cyber- availability and reliability. However, CPS systems suffer from physical systems. In 2016 8th IFIP International Conference on New various security and privacy issues that can degrade their Technologies, Mobility and Security (NTMS), pages 1–5. IEEE, 2016. reliability, safety, efficiency, and possibly hindering their wide [15] Nicolas Sklavos and Ioannis D Zaharakis. Cryptography and security in internet of things (iots): Models, schemes, and implementations. In deployment. In this paper, we first overview all components 2016 8th IFIP International Conference on New Technologies, Mobility within CPS systems and their interconnections including IoT and Security (NTMS), pages 1–2. IEEE, 2016. systems, and we focus on the main CPS security threats, [16] Abdulmalik Humayed, Jingqiang Lin, Fengjun Li, and Bo Luo. Cyber- physical systems security—a survey. IEEE Internet of Things Journal, vulnerabilities and attacks, as related to the components and 4(6):1802–1831, 2017. communication protocols being used. Then, we discuss and [17] Hyunguk Yoo and Taeshik Shon. Challenges and research directions for analyze the recently available CPS security solutions, which heterogeneous cyber–physical system based on iec 61850: Vulnerabili- ties, security requirements, and security architecture. Future generation can be categorized as cryptographic and non-cryptographic computer systems, 61:128–136, 2016. solutions. Next, we highlight the important lessons learnt [18] Rasim Alguliyev, Yadigar Imamverdiyev, and Lyudmila Sukhostat. throughout, and accordingly, we present suggestions and rec- Cyber-physical systems and their security issues. Computers in ommendations with respect to the various security aspects, Industry, 100:212–223, 2018. [19] Haina Ye, Xinzhou Cheng, Mingqiang Yuan, Lexi Xu, Jie Gao, and services, and best practices that must be put in place to Chen Cheng. A survey of security and privacy in big data. In ensure resilient and secure CPS systems, while maintaining Communications and Information Technologies (ISCIT), 2016 16th the required performance and quality of service. International Symposium on, pages 268–272. IEEE, 2016. [20] Haina Ye, Xinzhou Cheng, Mingqiang Yuan, Lexi Xu, Jie Gao, and Chen Cheng. A survey of security and privacy in big data. ACKNOWLEDGEMENT [21] J Sathish Kumar and Dhiren R Patel. A survey on internet of things: Security and privacy issues. International Journal of Computer This paper is supported with funds from the Maroun Semaan Applications, 90(11), 2014. [22] Robert E Johnson. Survey of scada security challenges and potential Faculty of Engineering and Architecture at the American attack vectors. In Internet Technology and Secured Transactions University of Beirut. (ICITST), 2010 International Conference for, pages 1–5. IEEE, 2010. ฀฀฀฀฀฀฀฀฀

31

Fig. 9: CPS-OFSS Life-cycle Framework

[23] Ovunc Kocabas, Tolga Soyata, and Mehmet K Aktas. Emerging [31] Qi Jing, Athanasios V Vasilakos, Jiafu Wan, Jingwei Lu, and Dechao security mechanisms for medical cyber physical systems. IEEE/ACM Qiu. Security of the internet of things: perspectives and challenges. transactions on computational biology and bioinformatics, 13(3):401– Wireless Networks, 20(8):2481–2501, 2014. 416, 2016. [32] Anthony D Wood and John A Stankovic. Security of distributed, [24] Christine Lai, Patricia Cordeiro, Adarsh Hasandka, Nicholas Jacobs, ubiquitous, and embedded computing platforms. Wiley Handbook of Shamina Hossain-McKenzie, Deepu Jose, Danish Saleem, and Maurice Science and Technology for Homeland Security, pages 1–1, 2008. Martin. Cryptography considerations for distributed energy resource [33] Miao Wu, Ting-Jie Lu, Fei-Yang Ling, Jing Sun, and Hui-Ying Du. systems. In 2019 IEEE Power and Energy Conference at Illinois Research on the architecture of internet of things. In 2010 3rd Inter- (PECI), pages 1–7. IEEE, 2019. national Conference on Advanced Computer Theory and Engineering [25] Yosef Ashibani and Qusay H Mahmoud. Cyber physical systems (ICACTE), volume 5, pages V5–484. IEEE, 2010. security: Analysis, challenges and solutions. Computers & Security, [34] Teodor Sommestad, Göran N Ericsson, and Jakob Nordlander. Scada 68:81–97, 2017. system cyber security—a comparison of standards. In Power and [26] Rwan Mahmoud, Tasneem Yousuf, Fadi Aloul, and Imran Zualkernan. Energy Society General Meeting, 2010 IEEE, pages 1–8. IEEE, 2010. Internet of things (iot) security: Current status, challenges and prospec- [35] Bonnie Zhu and Shankar Sastry. Scada-specific intrusion detec- tive measures. In 2015 10th International Conference for Internet tion/prevention systems: a survey and taxonomy. In Proceedings of Technology and Secured Transactions (ICITST), pages 336–341. IEEE, the 1st workshop on secure control systems (SCS), volume 11, page 7, 2015. 2010. [27] Nishanth Gaddam, G Sudha Anil Kumar, and Arun K Somani. Securing [36] Venkatraman Sridharan. Cyber security in power systems. PhD thesis, physical processes against cyber attacks in cyber-physical systems. Georgia Institute of Technology, 2012. In Proc. Nat. Workshop Res. High-Confidence Transp. Cyber-Phys. [37] Joseph Weiss. Protecting industrial control systems from electronic Systems, Autom., Aviation Rail, pages 1–3, 2008. threats. Momentum Press, 2010. [28] Kai Zhao and Lina Ge. A survey on the internet of things security. [38] Wei Hu, Jason Oberg, Janet Barrientos, Dejun Mu, and Ryan Kastner. In 2013 Ninth international conference on computational intelligence Expanding gate level information flow tracking for multilevel security. and security, pages 663–667. IEEE, 2013. IEEE Embedded Systems Letters, 5(2):25–28, 2013. [29] Rafiullah Khan, Sarmad Ullah Khan, Rifaqat Zaheer, and Shahid Khan. [39] Haihui Gao, Yong Peng, Kebin Jia, Zhonghua Dai, and Ting Wang. Future internet: the internet of things architecture, possible applications The design of ics testbed based on emulation, physical, and simulation and key challenges. In 2012 10th international conference on frontiers (eps-ics testbed). In 2013 Ninth International Conference on Intelligent of information technology, pages 257–260. IEEE, 2012. Information Hiding and Multimedia Signal Processing, pages 420–423. [30] YANG Geng, Chun-ming Rong, Christian Veigner, Jiang-Tao Wang, IEEE, 2013. and Hong-Bing Cheng. Identity-based key agreement and encryption [40] A Saqib, RAJA WASEEM Anwar, OMAR KHADEER Hussain, Mu- for wireless sensor networks. The Journal of China Universities of dassar Ahmad, Md Asri Ngadi, Mohd Murtadha Mohamad, ZOHAIR Posts and Telecommunications, 13(4):54–60, 2006. Malki, C Noraini, BOKOLO ANTHONY Jnr, RNH Nor, et al. Cyber ฀฀฀฀฀฀฀฀฀

32

security for cyber physcial systems: A trust-based approach. J Theor [62] Yang Yalei and Zhou Xingshe. Cyber-physical systems modeling Appl Inf Technol, 71(2):144–152, 2015. based on extended hybrid automata. In 2013 International Conference [41] Bing Zhang, Xin-Xin Ma, and Zhi-Guang Qin. Security architecture on Computational and Information Sciences, pages 1871–1874. IEEE, on the trusting internet of things. Journal of Electronic Science and 2013. Technology, 9(4):364–367, 2011. [63] Albert Benveniste, Timothy Bourke, Benoıt Caillaud, and Marc [42] James Clause and Alessandro Orso. Camouflage: automated Pouzet. Hybrid systems modeling challenges caused by cyber- anonymization of field data. In 2011 33rd International Conference physical systems. Cyber-Physical Systems (CPS) Foundations and on Software Engineering (ICSE), pages 21–30. IEEE, 2011. Challenges. Available on-line: http://people. rennes. inria. fr/Albert. [43] Steven Patrick Pomroy, Robert Raymond Lake, and Trevor Anthony Benveniste/pub/NIST2012. pdf, 2013. Dunn. Data masking system and method, July 5 2011. US Patent [64] Pratyush Kumar, Dip Goswami, Samarjit Chakraborty, Anuradha An- 7,974,942. naswamy, Kai Lampka, and Lothar Thiele. A hybrid approach to cyber- [44] Charalambos Konstantinou, Michail Maniatakos, Fareena Saqib, physical systems verification. In DAC Design Automation Conference Shiyan Hu, Jim Plusquellic, and Yier Jin. Cyber-physical systems: 2012, pages 688–696. IEEE, 2012. A security perspective. In 2015 20th IEEE European Test Symposium [65] Terry Tidwell, Xiuyu Gao, Huang-Ming Huang, Chenyang Lu, Shirley (ETS), pages 1–8. IEEE, 2015. Dyke, and Christopher Gill. Towards configurable real-time hybrid [45] Shahid Raza. Lightweight security solutions for the internet of things. structural testing: a cyber-physical system approach. In 2009 IEEE PhD thesis, Mälardalen University, Västerås, Sweden, 2013. International Symposium on Object/Component/Service-Oriented Real- [46] Jayavardhana Gubbi, Rajkumar Buyya, Slaven Marusic, and Time Distributed Computing, pages 37–44. IEEE, 2009. Marimuthu Palaniswami. Internet of things (iot): A vision, architectural [66] Mao Jianhui. Event driven monitoring of cyber-physical systems elements, and future directions. Future generation computer systems, based on hybrid automata. National University of Defense Technology 29(7):1645–1660, 2013. Changsha, 2011. [47] David C Mazur, Ryan D Quint, and Virgilio A Centeno. Time [67] Chee-Wooi Ten, Chen-Ching Liu, and Govindarasu Manimaran. Vul- synchronization of automation controllers for power applications. In nerability assessment of cybersecurity for scada systems. IEEE Trans- 2012 IEEE Industry Applications Society Annual Meeting, pages 1–8. actions on Power Systems, 23(4):1836–1846, 2008. IEEE, 2012. [68] Roberto Godreau. SCADA systems and their vulnerabilities within the [48] Umberto Morelli, Lorenzo Nicolodi, and Silvio Ranise. An open and Smart Grid: Can they be defended from a cyber attack. PhD thesis, flexible cybersecurity training laboratory in it/ot infrastructures. In Utica College, 2013. Computer Security, pages 140–155. Springer, 2019. [69] Kyle Coffey, Richard Smith, Leandros Maglaras, and Helge Janicke. [49] Stephen R Vogel and Steven Jeffrey Zack. Method and apparatus Vulnerability analysis of network scanning on scada systems. Security providing remote reprogramming of programmable logic devices using and Communication Networks, 2018, 2018. embedded jtag physical layer and protocol, December 26 2006. US [70] Frances M Cleveland. Cyber security issues for advanced metering Patent 7,155,711. infrasttructure (ami). In Power and Energy Society General Meeting- [50] Aitor Ardanza, Aitor Moreno, Álvaro Segura, Mikel de la Cruz, Conversion and Delivery of Electrical Energy in the 21st Century, 2008 and Daniel Aguinaga. Sustainable and flexible industrial human IEEE, pages 1–5. IEEE, 2008. machine interfaces to support adaptable applications in the industry 4.0 [71] Anthony R Metke and Randy L Ekl. Smart grid security technology. paradigm. International Journal of Production Research, 57(12):4045– In Innovative Smart Grid Technologies (ISGT), 2010, pages 1–7. IEEE, 4059, 2019. 2010. [51] James R Saunders. Automated remote telemetry paging system, [72] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Ander- August 8 1989. US Patent 4,856,047. son, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, [52] Keith Stouffer and Joe Falco. Guide to supervisory control and data Franziska Roesner, Tadayoshi Kohno, et al. Comprehensive experi- acquisition (SCADA) and industrial control systems security. National mental analyses of automotive attack surfaces. In USENIX Security institute of standards and technology, 2006. Symposium, pages 77–92. San Francisco, 2011. [53] Richard E Zapolin. Remote terminal industrial control communication [73] Michael Rushanan, Aviel D Rubin, Denis Foo Kune, and Colleen M system, June 16 1992. US Patent 5,122,948. Swanson. Sok: Security and privacy in implantable medical devices [54] Marc Geilen, Stavros Tripakis, and Maarten Wiggers. The earlier the and body area networks. In 2014 IEEE Symposium on Security and better: a theory of timed actor interfaces. In Proceedings of the 14th Privacy (SP), pages 524–539. IEEE, 2014. international conference on Hybrid systems: computation and control, [74] Robson de Oliveira Albuquerque, Luis Javier García Villalba, Ana pages 23–32. ACM, 2011. Lucila Sandoval Orozco, Rafael Timóteo de Sousa Júnior, and Tai- [55] Pascal A Vicaire, Enamul Hoque, Zhiheng Xie, and John A Stankovic. Hoon Kim. Leveraging information security and computational trust Bundle: A group-based programming abstraction for cyber-physical for cybersecurity. The Journal of Supercomputing, 72(10):3729–3763, systems. IEEE Transactions on Industrial Informatics, 8(2):379–392, 2016. 2012. [75] Kate Munro. Deconstructing flame: the limitations of traditional [56] Arquimedes Canedo, Eric Schwarzenbach, and Mohammad Abdullah defences. Computer Fraud & Security, 2012(10):8–11, 2012. Al Faruque. Context-sensitive synthesis of executable functional [76] Bill Miller and Dale Rowe. A survey scada of and critical infrastructure models of cyber-physical systems. In Proceedings of the ACM/IEEE incidents. In Proceedings of the 1st Annual conference on Research in 4th International Conference on Cyber-Physical Systems, pages 99– information technology, pages 51–56. ACM, 2012. 108. ACM, 2013. [77] Patrick McDaniel and Stephen McLaughlin. Security and privacy [57] Zhenkai Zhang, Joseph Porter, Emeka Eyisi, Gabor Karsai, Xenofon challenges in the smart grid. IEEE Security & Privacy, (3):75–77, Koutsoukos, and Janos Sztipanovits. Co-simulation framework for 2009. design of time-triggered cyber physical systems. In Proceedings of the [78] Jan Vávra and Martin Hromada. An evaluation of cyber threats to ACM/IEEE 4th International Conference on Cyber-Physical Systems, industrial control systems. In International Conference on Military pages 119–128. ACM, 2013. Technologies (ICMT) 2015, pages 1–5. IEEE, 2015. [58] Fei Hu, Yu Lu, Athanasios V Vasilakos, Qi Hao, Rui Ma, Yogendra [79] Daniel Halperin, Thomas S Heydt-Benjamin, Kevin Fu, Tadayoshi Patil, Ting Zhang, Jiang Lu, Xin Li, and Neal N Xiong. Robust Kohno, and William H Maisel. Security and privacy for implantable cyber–physical systems: concept, models, and implementation. Future medical devices. IEEE pervasive computing, (1):30–39, 2008. generation computer systems, 56:449–475, 2016. [80] Insup Lee, Oleg Sokolsky, Sanjian Chen, John Hatcliff, Eunkyoung [59] Ying Tan, Mehmet C Vuran, Steve Goddard, Yue Yu, Miao Song, and Jee, BaekGyu Kim, Andrew King, Margaret Mullen-Fortino, Soojin Shangping Ren. A concept lattice-based event model for cyber-physical Park, Alexander Roederer, et al. Challenges and research directions in systems. In Proceedings of the 1st ACM/IEEE International Conference medical cyber–physical systems. Proceedings of the IEEE, 100(1):75– on Cyber-physical Systems, pages 50–60. ACM, 2010. 90, 2012. [60] Rajeev Alur, Costas Courcoubetis, Nicolas Halbwachs, Thomas A [81] RR Brooks, S Sander, J Deng, and J Taiber. Automotive system secu- Henzinger, Pei-Hsin Ho, Xavier Nicollin, Alfredo Olivero, Joseph rity: challenges and state-of-the-art. In Proceedings of the 4th annual Sifakis, and Sergio Yovine. The algorithmic analysis of hybrid systems. workshop on Cyber security and information intelligence research: Theoretical computer science, 138(1):3–34, 1995. developing strategies to meet the cyber security and information [61] Panos J Antsaklis, James A Stiver, and Michael Lemmon. Hybrid intelligence challenges ahead, page 26. ACM, 2008. system modeling and autonomous control systems. In Hybrid systems, [82] Hossein Zeynal, Mostafa Eidiani, and Dariush Yazdanpanah. Intelligent pages 366–392. Springer, 1992. substation automation systems for robust operation of smart grids. In ฀฀฀฀฀฀฀฀฀

33

2014 IEEE Innovative Smart Grid Technologies-Asia (ISGT ASIA), Apt28, red october, and regin. In Critical Infrastructure Security and pages 786–790. IEEE, 2014. Resilience, pages 221–244. Springer, 2019. [83] Thomas M Chen, Juan Carlos Sanchez-Aarnoutse, and John Buford. [109] Sami Zhioua. The middle east under malware attack dissecting cyber Petri net modeling of cyber-physical attacks on smart grid. IEEE weapons. In 2013 IEEE 33rd International Conference on Distributed Transactions on Smart Grid, 2(4):741–749, 2011. Computing Systems Workshops, pages 11–16. IEEE, 2013. [84] S Massoud Amin. Securing the electricity grid. The Bridge, 40(1):19– [110] Zakariya Dehlawi and Norah Abokhodair. Saudi arabia’s response 20, 2010. to cyber conflict: A case study of the shamoon malware incident. [85] Task Force. Final report on the august 14, 2003 blackout in the united In 2013 IEEE International Conference on Intelligence and Security states and canada: Causes and recommendations, us-canada power Informatics, pages 73–75. IEEE, 2013. system outage task force, 2004. [111] Afnan Alabdulatif. Cybercrime and Analysis of Laws in Kingdom of [86] Yong-Soo Eun and Judith Sita Aßmann. Cyberwar: Taking stock Saudi Arabia. PhD thesis, 2018. of security and warfare in the digital age. International Studies [112] Kenneth Geers, Darien Kindlund, Ned Moran, and Rob Rachwald. Perspectives, 17(3):343–360, 2016. World war c: Understanding nation-state motives behind today’s ad- [87] Charles M Davidson and Michael J Santorelli. Realizing the smart grid vanced cyber attacks. FireEye, Milpitas, CA, USA, Tech. Rep., Sep, imperative. 2011. 2014. [88] John Moteff. Risk management and critical infrastructure protection: [113] Gaute Wangen. The role of malware in reported cyber espionage: a Assessing, integrating, and managing threats, vulnerabilities and conse- review of the impact and mechanism. Information, 6(2):183–211, 2015. quences. Library of Congress Washington DC Congressional Research [114] Michele Gaietta. The Trajectory of Iran’s Nuclear Program. Springer, Service, 2005. 2016. [89] Bonnie Zhu, Anthony Joseph, and Shankar Sastry. A taxonomy of [115] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart cyber attacks on scada systems. In 2011 International conference on Staniford, and Nicholas Weaver. Inside the slammer worm. IEEE internet of things and 4th international conference on cyber, physical Security & Privacy, (4):33–39, 2003. and social computing, pages 380–388. IEEE, 2011. [116] Andrew Simmonds, Peter Sandilands, and Louis Van Ekert. An [90] Troy Nash. Backdoors and holes in network perimeters. Online]: ontology for network security attacks. In Asian Applied Computing http://ics-cert. us-cert. gov/controlsystems, 2005. Conference, pages 317–323. Springer, 2004. [91] Saurabh Amin, Xavier Litrico, Shankar Sastry, and Alexandre M [117] G Francia III, D Thornton, and T Brookshire. Cyberattacks on scada Bayen. Cyber security of water scada systems—part i: Analysis and systems. In Proc. 16th Colloquium Inf. Syst. Security Educ, pages 9–14, experimentation of stealthy deception attacks. IEEE Transactions on 2012. Control Systems Technology, 21(5):1963–1970, 2012. [118] Patrick S Ryan. War, peace, or stalemate: Wargames, wardialing, [92] Eric Byres and Justin Lowe. The myths and facts behind cyber wardriving, and the emerging market for hacker ethics. Va. JL & Tech., security risks for industrial control systems. In Proceedings of the 9:1, 2004. VDE Kongress, volume 116, pages 213–218, 2004. [119] Hüseyin Demirci and Ali Aydın Selçuk. A meet-in-the-middle attack on [93] Saurabh Amin, Galina A Schwartz, and Alefiya Hussain. In quest of 8-round aes. In International Workshop on Fast Software Encryption, benchmarking security risks to cyber-physical systems. IEEE Network, pages 116–126. Springer, 2008. 27(1):19–24, 2013. [120] Anita D’Amico, Christina Verderosa, Christopher Horn, and Timothy [94] Emilio Iasiello. Cyber attack: A dull tool to shape foreign policy. In Imhof. Integrating physical and cyber security resources to detect 2013 5th International Conference on Cyber Conflict (CYCON 2013), wireless threats to critical infrastructure. In Technologies for Homeland pages 1–18. IEEE, 2013. Security (HST), 2011 IEEE International Conference on, pages 494– [95] Vehbi C Gungor, Dilan Sahin, Taskin Kocak, Salih Ergut, Concettina 500. IEEE, 2011. Buccella, Carlo Cecati, and Gerhard P Hancke. Smart grid technolo- gies: Communication technologies and standards. IEEE transactions [121] Guillermo Francia III, David Thornton, and Thomas Brookshire. Wire- on Industrial informatics, 7(4):529–539, 2011. less vulnerability of scada systems. In Proceedings of the 50th Annual [96] Jacob W Jorgensen. Transmission control protocol/internet protocol Southeast Regional Conference, pages 331–332. ACM, 2012. (tcp/ip) packet-centric wireless point to multi-point (ptmp) transmission [122] T Paukatong. Scada security: A new concerning issue of an in- system architecture, March 1 2005. US Patent 6,862,622. house egat-scada. In Transmission and Distribution Conference and [97] Andrew Nicholson, Stuart Webber, Shaun Dyer, Tanuja Patel, and Exhibition: Asia and Pacific, 2005 IEEE/PES, pages 1–5. IEEE, 2005. Helge Janicke. Scada security in the light of cyber-warfare. Computers [123] Igor Nai Fovino, Andrea Carcano, Marcelo Masera, and Alberto & Security, 31(4):418–436, 2012. Trombetta. An experimental investigation of malware attacks on scada [98] Raj Srinivasan. Rpc: Remote procedure call protocol specification systems. International Journal of Critical Infrastructure Protection, version 2. 1995. 2(4):139–145, 2009. [99] Maxwell Dondo, Jonathan Risto, and Reginald Sawilla. Reliability [124] Rose Tsang. Cyberthreats, vulnerabilities and attacks on scada net- of exploits and consequences for decision support. Technical Report, works. University of California, Berkeley, Working Paper, http://gspp. pages 1–16, 2015. berkeley. edu/iths/Tsang_SCADA% 20Attacks. pdf (as of Dec. 28, [100] Stamatis Karnouskos. Stuxnet worm impact on industrial cyber- 2011), 2010. physical system security. In IECON 2011-37th Annual Conference [125] Peter Huitsing, Rodrigo Chandia, Mauricio Papa, and Sujeet Shenoi. of the IEEE Industrial Electronics Society, pages 4490–4494. IEEE, Attack taxonomies for the modbus protocols. International Journal of 2011. Critical Infrastructure Protection, 1:37–44, 2008. [101] Thomas M Chen and Saeed Abu-Nimeh. Lessons from stuxnet. [126] Daisuke Mashima and Alvaro A Cárdenas. Evaluating electricity theft Computer, 44(4):91–93, 2011. detectors in smart grid networks. In International Workshop on Recent [102] Boldizsár Bencsáth, Gábor Pék, Levente Buttyán, and Mark Felegyhazi. Advances in Intrusion Detection, pages 210–229. Springer, 2012. The cousins of stuxnet: Duqu, flame, and gauss. Future Internet, [127] Wenye Wang and Zhuo Lu. Cyber security in the smart grid: Survey 4(4):971–1003, 2012. and challenges. Computer Networks, 57(5):1344–1371, 2013. [103] Boldizsár Bencsáth, Gábor Ács-Kurucz, Gábor Molnár, Gábor Vaspöri, [128] Ruben Santamarta. Here be backdoors: A journey into the secrets of Levente Buttyán, and Roland Kamarás. Duqu 2.0: A comparison to industrial firmware. Black Hat USA, 2012. duqu. Budapest. Retrieved February, 27:2016, 2015. [129] Shyamnath Gollakota, Haitham Hassanieh, Benjamin Ransford, Dina [104] Boldizsár Bencsáth, Gábor Pék, Levente Buttyán, and Márk Félegyházi. Katabi, and Kevin Fu. They can hear your heartbeats: non-invasive se- Duqu: A stuxnet-like malware found in the wild. CrySyS Lab Technical curity for implantable medical devices. In ACM SIGCOMM Computer Report, 14:1–60, 2011. Communication Review, volume 41, pages 2–13. ACM, 2011. [105] Darlene Storm. Gauss malware: Nation-state cyber-espionage banking [130] Daniel Halperin, Thomas S Heydt-Benjamin, Benjamin Ransford, trojan related to flame, stuxnet. Computerworld, 9, 2012. Shane S Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi [106] Andrew Leedom. Stuxnet-risk & uncertainty in the first salvo of global Kohno, and William H Maisel. Pacemakers and implantable cardiac cyber warfare. The SAIS Europe Journal of Global Affairs, 2016. defibrillators: Software radio attacks and zero-power defenses. In [107] Raymond Chavez, William Kranich, and Alex Casella. Red october Security and Privacy, 2008. SP 2008. IEEE Symposium on, pages 129– and its reincarnation. Bost. Univ.| CS558 Netw. Secur, 2015. 142. IEEE, 2008. [108] Henry Mwiki, Tooska Dargahi, Ali Dehghantanha, and Kim- [131] Jerome Radcliffe. Hacking medical devices for fun and insulin: Break- Kwang Raymond Choo. Analysis and triage of advanced hack- ing the human scada system. In Black Hat Conference presentation ing groups targeting western countries critical national infrastructure: slides, volume 2011, 2011. ฀฀฀฀฀฀฀฀฀

34

[132] Ulf E Larson and Dennis K Nilsson. Securing vehicles against cyber Electronique et Automatique, Laval, France 5-6 July 2012 Edited by, attacks. In Proceedings of the 4th annual workshop on Cyber security page 18, 2012. and information intelligence research: developing strategies to meet the [154] Merike Kaeo. Cyber attacks on estonia: Short synopsis. Double cyber security and information intelligence challenges ahead, page 30. Shot Security. www. doubleshotsecurity. com/pdf/NANOG_eesti. pdf ACM, 2008. (accessed 18 July 2009), 2007. [133] Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, [155] George T Donovan Jr. Russian operational art in the russo-georgian Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, war of 2008. Technical report, ARMY WAR COLL CARLISLE Danny Anderson, Hovav Shacham, et al. Experimental security analysis BARRACKS PA, 2009. of a modern automobile. In Security and Privacy (SP), 2010 IEEE [156] Madihah Mohd Saudi, Sazali Sukardi, Noor Azwa Azreen Abd Aziz, Symposium on, pages 447–462. IEEE, 2010. Azuan Ahmad, and Muhammad‘Afif Husainiamer. Malware classifica- [134] Rob Millerb Ishtiaq Roufa, Hossen Mustafaa, Sangho Ohb Travis Tay- tion for cyber physical system (cps) based on phylogenetics. lora, Wenyuan Xua, Marco Gruteserb, Wade Trappeb, and Ivan Seskarb. [157] Abel Yeboah-Ofori, Jamal-Deen Abdulai, and Ferdinand Katsriku. Security and privacy vulnerabilities of in-car wireless networks: A Cybercrime and risks for cyber physical systems 2019. International tire pressure monitoring system case study. In 19th USENIX Security Journal of Cyber-Security and Digital Forensics, 8(1):43–58, 2019. Symposium, Washington DC, pages 11–13, 2010. [158] Kristofas Barakat. Does Lebanon possess the capabilities to defend [135] Doug MacDonald, Samuel L Clements, Scott W Patrick, Casey Perkins, itself from cyber-theats? Learning from Estonia’s experience.(c2019). George Muller, Mary J Lancaster, and Will Hutton. Cyber/physical PhD thesis, Lebanese American University, 2019. security vulnerability assessment integration. In Innovative Smart Grid [159] Ale J Hejase, Hussin J Hejase, and Jose A Hejase. Cyber warfare Technologies (ISGT), 2013 IEEE PES, pages 1–6. IEEE, 2013. awareness in lebanon: Exploratory research. International Journal of [136] Yilin Mo, Tiffany Hyun-Jin Kim, Kenneth Brancik, Dona Dickinson, Cyber-Security and Digital Forensics (IJCSDF), 4(4):482–497, 2015. Heejo Lee, Adrian Perrig, and Bruno Sinopoli. Cyber–physical security [160] Tigist Abera, N Asokan, Lucas Davi, Jan-Erik Ekberg, Thomas Nyman, of a smart grid infrastructure. Proceedings of the IEEE, 100(1):195– Andrew Paverd, Ahmad-Reza Sadeghi, and Gene Tsudik. C-flat: 209, 2012. control-flow attestation for embedded systems software. In Proceedings [137] Haibo He and Jun Yan. Cyber-physical attacks and defences in of the 2016 ACM SIGSAC Conference on Computer and Communica- the smart grid: a survey. IET Cyber-Physical Systems: Theory & tions Security, pages 743–754. ACM, 2016. Applications, 1(1):13–27, 2016. [161] Daming D Chen, Maverick Woo, David Brumley, and Manuel [138] Hamza Fawzi, Paulo Tabuada, and Suhas Diggavi. Secure estimation Egele. Towards automated dynamic analysis for linux-based embedded and control for cyber-physical systems under adversarial attacks. IEEE firmware. In NDSS, 2016. Transactions on Automatic control, 59(6):1454–1467, 2014. [162] Aurélien Francillon and Claude Castelluccia. Code injection attacks [139] Mohammed Nasser Al-Mhiqani, Rabiah Ahmad, Warusia Yassin, on harvard-architecture devices. In Proceedings of the 15th ACM Aslinda Hassan, Zaheera Zainal Abidin, Nabeel Salih Ali, and Kar- conference on Computer and communications security, pages 15–26. rar Hameed Abdulkareem. Cyber-security incidents: a review cases in ACM, 2008. cyber-physical systems. International Journal of Advanced Computer [163] Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage. Science and Applications, 9(1):499–508, 2018. Return-oriented programming: Systems, languages, and applications. [140] David Albright, Paul Brannan, and Christina Walrond. Stuxnet malware ACM Transactions on Information and System Security (TISSEC), and natanz: Update of isis december 22, 2010 report. Institute for 15(1):2, 2012. Science and International Security, 15:739883–3, 2011. [164] Homa Alemzadeh, Daniel Chen, Xiao Li, Thenkurussi Kesavadas, [141] Jill Slay and Michael Miller. Lessons learned from the maroochy Zbigniew T Kalbarczyk, and Ravishankar K Iyer. Targeted attacks water breach. In International conference on critical infrastructure on teleoperated surgical robots: Dynamic model-based detection and protection, pages 73–82. Springer, 2007. mitigation. In Dependable Systems and Networks (DSN), 2016 46th Annual IEEE/IFIP International Conference on, pages 395–406. IEEE, [142] Lionel Fillatre, Igor Nikiforov, Peter Willett, et al. Security of scada 2016. systems against cyber–physical attacks. IEEE Aerospace and Electronic [165] Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Systems Magazine, 32(5):28–45, 2017. Prateek Saxena, and Zhenkai Liang. Data-oriented programming: On [143] Mary Jane Credeur. Fbi probes georgia water plant break-in on terror the expressiveness of non-control data attacks. In Security and Privacy concern, 2013. (SP), 2016 IEEE Symposium on, pages 969–986. IEEE, 2016. [144] Fahmida Y Rashid. Telvent hit by sophisticated cyber-attack, scada [166] Venkat N Gudivada, Srini Ramaswamy, and Seshadri Srinivasan. Data admin tool compromised. Retrieved from SecurityWeek website: management issues in cyber-physical systems. In Transportation http://www. securityweek. com/telvent-hit-sophisticated-cyber-attack- Cyber-Physical Systems, pages 173–200. Elsevier, 2018. scada-admin-tool-compromised, 2012. [167] George Loukas. Cyber-physical attacks: A growing invisible threat. [145] Brian Krebs. Cyber incident blamed for nuclear power plant shutdown. Butterworth-Heinemann, 2015. Washington Post, June, 5:2008, 2008. [168] Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, and Marcel [146] Tony Flick and Justin Morehouse. Securing the smart grid: next Winandy. Privilege escalation attacks on android. In international generation power grid security. Elsevier, 2010. conference on Information security, pages 346–360. Springer, 2010. [147] Lydia Ray. Cyber-physical systems: An overview of design process, [169] Jim Owens and Jeanna Matthews. A study of passwords and methods applications, and security. In Cyber Warfare and Terrorism: Concepts, used in brute-force ssh attacks. In USENIX Workshop on Large-Scale Methodologies, Tools, and Applications, pages 128–150. IGI Global, Exploits and Emergent Threats (LEET), 2008. 2020. [170] Arvind Narayanan and Vitaly Shmatikov. Fast dictionary attacks on [148] Michał Choras,´ Rafał Kozik, Adam Flizikowski, Witold Hołubowicz, passwords using time-space tradeoff. In Proceedings of the 12th ACM and Rafał Renk. Cyber threats impacting critical infrastructures. In conference on Computer and communications security, pages 364–372. Managing the Complexity of Critical Infrastructures, pages 139–161. ACM, 2005. Springer, Cham, 2016. [171] David P Jablon. Extended password key exchange protocols immune to [149] Timo Kiravuo, Mikko Särelä, and Jukka Manner. Weapons against dictionary attack. In Proceedings of IEEE 6th Workshop on Enabling cyber-physical targets. In 2013 IEEE 33rd International Conference Technologies: Infrastructure for Collaborative Enterprises, pages 248– on Distributed Computing Systems Workshops, pages 321–326. IEEE, 255. IEEE, 1997. 2013. [172] Panagiotis Papantonakis, Dionisios Pnevmatikatos, Ioannis Papaefs- [150] Yacov Y Haimes. Risk of terrorism to cyber-physical and tathiou, and Charalampos Manifavas. Fast, fpga-based rainbow table organizational-societal infrastructures. Public Works Management & creation for attacking encrypted mobile communications. In 2013 Policy, 6(4):231–240, 2002. 23rd International Conference on Field programmable Logic and [151] Abhishek Gupta, Mohit Kumar, Siddhartha Hansel, and Aswini Kumar Applications, pages 1–6. IEEE, 2013. Saini. Future of all technologies-the cloud and cyber physical systems. [173] Mihir Bellare and Tadayoshi Kohno. Hash function balance and Future, 2(2), 2013. its impact on birthday attacks. In International Conference on the [152] Abel Yeboah-ofori, Jamal-Deen Abdulai, and Ferdinand Katsriku. Theory and Applications of Cryptographic Techniques, pages 401–418. Cybercrime and risks for cyber physical systems: A review. 2018. Springer, 2004. [153] Kari Alenius and M Warren. An exceptional war that ended in victory [174] Patrick Gage Kelley, Saranga Komanduri, Michelle L Mazurek, Richard for estonia or an ordinary e-disturbance? estonian narratives of the Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith cyber-attacks in 2007. The Institute Ecole Supérieure en Informatique Cranor, and Julio Lopez. Guess again (and again and again): Measuring ฀฀฀฀฀฀฀฀฀

35

password strength by simulating password-cracking algorithms. In Levchenko. To catch a ratter: Monitoring the behavior of amateur 2012 IEEE symposium on security and privacy, pages 523–537. IEEE, darkcomet rat operators in the wild. In 2017 IEEE Symposium on 2012. Security and Privacy (SP), pages 770–787. Ieee, 2017. [175] Niels Provos, Markus Friedl, and Peter Honeyman. Preventing privilege [197] Stephen Hilt and Lord Alfred Remorin. How cybercriminals can abuse escalation. In USENIX Security Symposium, 2003. chat platform apis as c&c infrastructures. [176] Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, [198] Alexander Gostev, Roman Unuchek, Maria Garnaeva, Denis and Ahmad-Reza Sadeghi. Xmandroid: A new android evolution to Makrushin, and Anton Ivanov. It threat evolution in q1 2016. mitigate privilege escalation attacks. Technische Universität Darmstadt, Kapersky 2015 Report, Kapersky L, 2016. Technical Report TR-2011-04, 2011. [199] James Cowie, A Ogielski, BJ Premore, and Yougu Yuan. Global routing [177] Mohammad Al-Shurman, Seong-Moo Yoo, and Seungjin Park. Black instabilities triggered by code red ii and nimda worm attacks. Technical hole attack in mobile ad hoc networks. In Proceedings of the 42nd report, Tech. Rep., Renesys Corporation, 2001. annual Southeast regional conference, pages 96–97, 2004. [200] A Machie, Jenssen Roculan, Ryan Russell, and MV Velzen. Nimda [178] Prajakta Solankar, Subhash Pingale, and Ranjeetsingh Parihar. Denial worm analysis. Technical report, Tech. Rep., Incident Analysis, of service attack and classification techniques for attack detection. SecurityFocus, 2001. (IJCSIT) International Journal of Computer Science and Information [201] AC Alessandro Di Pinto, Younes Dragoni, and Andrea Carcano. Triton: Technologies, 6(2):1096–1099, 2015. The first ics cyber attack on safety instrument systems. In Proc. Black [179] Fekadu Yihunie, Eman Abdelfattah, and Ammar Odeh. Analysis of Hat USA, pages 1–26, 2018. ping of death dos and ddos attacks. In 2018 IEEE Long Island Systems, [202] Ramjee Prasad and Vandana Rohokale. Malware. In Cyber Security: Applications and Technology Conference (LISAT), pages 1–4. IEEE, The Lifeline of Information and Communication Technology, pages 67– 2018. 81. Springer, 2020. [180] Sanjeev Kumar. Smurf-based distributed denial of service (ddos) [203] Deepen Desai and Thoufique Haq. Blackhole exploit kit: Rise & attack amplification in internet. In Second International Conference evolution. Malware Research Team Technical Paper, 2012. on Internet Monitoring and Protection (ICIMP 2007), pages 25–25. [204] NPH Adams, RJ Chisnall, C Pickering, and S Schauer. How port IEEE, 2007. security has to evolve to address the cyber-physical security threat: [181] Rafiullah Khan, Peter Maynard, Kieran McLaughlin, David Laverty, Lessons from the sauron project. International Journal of Transport and Sakir Sezer. Threat analysis of blackenergy malware for syn- Development and Integration, 4(1):29–41, 2020. chrophasor based real-time control and monitoring in smart grid. In 4th [205] James Twist. Cyber threat report 16 jan-31 jan 2018. 2018. International Symposium for ICS & SCADA Cyber Security Research [206] Morgan Marquis-Boire, Marion Marschalek, and Claudio Guarnieri. 2016 4, pages 53–63, 2016. Big game hunting: The peculiarities in nation-state malware research. [182] Anton Cherepanov and Robert Lipovsky. Blackenergy–what we really Black Hat, Las Vegas, NV, USA, 2015. know about the notorious cyber attacks. Virus Bulletin October, 2016. [207] Morgan Marquis-Boire, Bill Marzcak, and Claudio Guarnieri. The [183] E Kovacs. Blackenergy malware used in ukraine power grid attacks, smartphone who loved me: Finfisher goes mobile. 2012. 2016. [208] Julia E Sullivan and Dmitriy Kamensky. How cyber-attacks in ukraine [184] Jonathan Lemon et al. Resisting syn flood dos attacks with a syn cache. show the vulnerability of the us power grid. The Electricity Journal, In BSDCon, volume 2002, pages 89–97, 2002. 30(3):30–35, 2017. [185] Daniele Antonioli, Giuseppe Bernieri, and Nils Ole Tippenhauer. Tak- [209] Dermot Byrne and Christina Thorpe. Jigsaw: An investigation and ing control: Design and implementation of botnets for cyber-physical countermeasure for ransomware attacks. In European Conference on attacks with cpsbot. arXiv preprint arXiv:1802.00152, 2018. Cyber Warfare and Security, pages 656–665. Academic Conferences [186] Kallisthenis I Sgouras, Avraam N Kyriakidis, and Dimitris P Labridis. International Limited, 2017. Short-term risk assessment of botnet attacks on advanced metering [210] Segun I Popoola, Samuel O Ojewande, Faith O Sweetwilliams, infrastructure. IET Cyber-Physical Systems: Theory & Applications, SN John, AA Atayero, et al. Ransomware: Current trend, challenges, 2(3):143–151, 2017. and research directions. 2017. [187] Fadi Shrouf, Joaquin Ordieres, and Giovanni Miragliotta. Smart [211] Marcelo Ayres Branquinho. Ransomware in industrial control systems. factories in industry 4.0: A review of the concept and of energy what comes after wannacry and petya global attacks? WIT Transactions management approached in production based on the internet of things on The Built Environment, 174:329–334, 2018. paradigm. In Industrial Engineering and Engineering Management [212] Jagmeet Singh Aidan, Harsh Kumar Verma, and Lalit Kumar Awasthi. (IEEM), 2014 IEEE International Conference on, pages 697–701. Comprehensive survey on petya ransomware attack. In 2017 Inter- IEEE, 2014. national Conference on Next Generation Computing and Information [188] Lorenzo De Carli, Ruben Torres, Gaspar Modelo-Howard, Alok Ton- Systems (ICNGCIS), pages 122–125. IEEE, 2017. gaonkar, and Somesh Jha. Botnet protocol inference in the presence [213] Alexey S Petrenko, Sergei A Petrenko, Krystina A Makoveichuk, and of encrypted traffic. In IEEE INFOCOM 2017-IEEE Conference on Petr V Chetyrbok. Protection model of pcs of subway from attacks type Computer Communications, pages 1–9. IEEE, 2017. «wanna cry»,«petya» and «bad rabbit» iot. In 2018 IEEE Conference [189] Constantinos Kolias, Georgios Kambourakis, Angelos Stavrou, and of Russian Young Researchers in Electrical and Electronic Engineering Jeffrey Voas. Ddos in the iot: Mirai and other botnets. Computer, (EIConRus), pages 945–949. IEEE, 2018. 50(7):80–84, 2017. [214] Ross Brewer. Ransomware attacks: detection, prevention and cure. [190] Joseph Seering, Juan Pablo Flores, Saiph Savage, and Jessica Hammer. Network Security, 2016(9):5–9, 2016. The social roles of bots: evaluating impact of bots on discussions in [215] Kevin Poulsen. Slammer worm crashed ohio nuke plant network. online communities. Proceedings of the ACM on Human-Computer http://www. securityfocus. com/news/6767, 2003. Interaction, 2(CSCW):1–29, 2018. [216] J David Rogers and Conor M Watkins. Overview of the taum sauk [191] Paul Rascagneres and Eddy Willems. Regin, an old but sophisticated pumped storage power plant upper reservoir failure, reynolds county, cyber espionage toolkit platform. 2016. mo. 2008. [192] Katerina Zdravkova. Reconsidering human dignity in the new era. New [217] Siobhan Gorman. Electricity grid in us penetrated by spies. The wall Ideas in Psychology, 54:112–117, 2019. street journal, 8, 2009. [193] Vamshika Boinapally, George Hsieh, and Kevin S Nauer. Building a [218] Martin Brunner, Hans Hofinger, Christoph Krauß, Christopher Roblee, gh0st malware experimentation environment. In Proceedings of the P Schoo, and S Todt. Infiltrating critical infrastructures with next- International Conference on Security and Management (SAM), pages generation attacks. Fraunhofer Institute for Secure Information Tech- 89–95. The Steering Committee of The World Congress in Computer nology (SIT), Munich, 2010. Science, Computer . . . , 2017. [219] Thomas FoxBrewster. Ukraine claims hackers caused christmas power [194] Stuart Murdoch and Nick Leaver. Anonymity vs. trust in cyber- outage. Forbes Security, 2016. security collaboration. In Proceedings of the 2nd ACM Workshop on [220] P Katerynchuk. Challenges and threats of ukraine’s national cyber Information Sharing and Collaborative Security, pages 27–29. ACM, security in hybrid war. .:. , (21):166–173, 2018. 2015. [221] Victor Zhoghov. The ransomware “Petya” as a challenge to the [195] Luky Hendraningrat, Shidong Li, and Ole Torsæter. A coreflood cybersecurity of Ukraine, main factors of spreading this virus in investigation of nanofluid enhanced oil recovery. Journal of Petroleum the focus of Ukraine, the steps taken by the authorities to combat Science and Engineering, 111:128–138, 2013. this phenomenon and suggest ways to improve such activities using [196] Brown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh Dhar- experience of other countries. PhD thesis, Victor Zhoghov The mdasani, Haikuo Yin, Stevens Le Blond, Damon McCoy, and Kirill ransomware “Petya” as a challenge to the cybersecurity of . . . , 2017. ฀฀฀฀฀฀฀฀฀

36

[222] Algirdas Avizienis, J-C Laprie, Brian Randell, and Carl Landwehr. [245] Wei Zhao, Feng Xie, Yong Peng, Yang Gao, Xuefeng Han, Haihui Gao, Basic concepts and taxonomy of dependable and secure computing. and Dejin Wang. Security testing methods and techniques of industrial IEEE transactions on dependable and secure computing, 1(1):11–33, control devices. In 2013 Ninth International Conference on Intelligent 2004. Information Hiding and Multimedia Signal Processing, pages 433–436. [223] Taylor Johnson. Fault-tolerant distributed cyber-physical systems: Two IEEE, 2013. case studies. 2010. [246] David Rhoades. Achilles – the world’s first man-in-the-middle web [224] Alvaro Cardenas, Saurabh Amin, Bruno Sinopoli, Annarita Giani, security tool. https://www.mavensecurity.com/about/achilles. Adrian Perrig, Shankar Sastry, et al. Challenges for securing cyber [247] Dark Reading. Breakingpoint unveils firestorm cy- physical systems. In Workshop on future directions in cyber-physical ber tomography ... https://www.darkreading.com/risk/ systems security, volume 5, 2009. breakingpoint-unveils-firestorm-cyber-tomography-machine/d/d-id/ [225] G Dondossola. Risk assessment of information and communication 1135182, October 2011. systems—analysis of some practices and methods in the electric power [248] Ryosuke Nishimura, Ryo Kurachi, Kazumasa Ito, Takashi Miyasaka, industry. CIGRÉ Electra, 2008. Masaki Yamamoto, and Miwako Mishima. Implementation of the can- [226] C Mani Krishna and Israel Koren. Adaptive fault-tolerance fault- fd protocol in the fuzzing tool bestorm. In 2016 IEEE International tolerance for cyber-physical systems. In Computing, Networking and Conference on Vehicular Electronics and Safety (ICVES), pages 1–6. Communications (ICNC), 2013 International Conference on, pages IEEE, 2016. 310–314. IEEE, 2013. [249] Anne MacFarland. Codenomicon defensics finds risks that lurk in your protocols, august 16, 2007. The Clipper Group Navigator, Report# [227] Janusz Zalewski, Steven Drager, William McKeever, and Andrew J TCG2007081, pages 1–3. Kornecki. Threat modeling for security assessment in cyberphysical [250] Mu studio performance suite. https://www.slideshare.net/aquaphlex/ systems. In Proceedings of the Eighth Annual Cyber Security and mu-studio-performance-suite. Information Intelligence Research Workshop, page 10. ACM, 2013. [251] Michael Eddington. Peach fuzzing platform. Peach Fuzzer, 34, 2011. [228] Tianbo Lu, Bing Xu, Xiaobo Guo, Lingling Zhao, and Feng Xie. A [252] Ganesh Devarajan. Unraveling scada protocols: Using sulley fuzzer. new multilevel framework for cyber-physical system security. In First In Defon 15 Hacking Conf, 2007. international workshop on the swarm at the edge of the cloud, 2013. [253] Dave Aitel. An introduction to spike, the fuzzer creation kit. presen- [229] Tianbo Lu, Jiaxi Lin, Lingling Zhao, Yang Li, and Yong Peng. An tation slides), Aug, 1, 2002. analysis of cyber physical system security theories. In 2014 7th [254] exida certification - iec 61508, iec 61511, iec 62443, iso 26262, cfse. International Conference on Security Technology, pages 19–21. IEEE, https://www.exida.com/Certification, November 2015. 2014. [255] Isasecure - iec 62443-4-2 - edsa certification. https://www. [230] Yong Peng, Tianbo Lu, Jingli Liu, Yang Gao, Xiaobo Guo, and Feng isasecure.org/en-US/Certification/IEC-62443-EDSA-Certification, Oc- Xie. Cyber-physical system risk assessment. In 2013 Ninth Interna- tober 2018. tional Conference on Intelligent Information Hiding and Multimedia [256] Sana Belguith, Nesrine Kaaniche, and Giovanni Russello. Pu-abe: Signal Processing, pages 442–447. IEEE, 2013. lightweight attribute-based encryption supporting access policy update [231] Attlee M Gamundani. An impact review on internet of things attacks. for cloud assisted iot. In 2018 IEEE 11th International Conference on In 2015 International Conference on Emerging Trends in Networks and Cloud Computing (CLOUD), pages 924–927. IEEE, 2018. Computer Communications (ETNCC), pages 114–118. IEEE, 2015. [257] Sana Belguith, Nesrine Kaaniche, Mohamed Mohamed, and Giovanni [232] Keith Stouffer, Joe Falco, and Karen Scarfone. Guide to industrial Russello. C-absc: cooperative attribute based signcryption scheme for control systems (ics) security. NIST special publication, 800(82):16– internet of things applications. In 2018 IEEE International Conference 16, 2011. on Services Computing (SCC), pages 245–248. IEEE, 2018. [233] Nikos Virvilis and Dimitris Gritzalis. The big four-what we did wrong [258] Anthony O Moyegun. Information Security and Innovation; Guide to in advanced persistent threat detection? In Availability, Reliability and Secure Technology Innovation Initiatives. PhD thesis, 2016. Security (ARES), 2013 Eighth International Conference on, pages 248– [259] Nesrine Kaaniche and Maryline Laurent. Data security and privacy 254. IEEE, 2013. preservation in cloud storage environments based on cryptographic [234] Mouna Jouini, Latifa Ben Arfa Rabai, and Anis Ben Aissa. Classifi- mechanisms. Computer Communications, 111:120–141, 2017. cation of security threats in information systems. Procedia Computer [260] Jyri Rajamäki, Paresh Rathod, Anu Ahlgren, Johanna Aho, Mari Takari, Science, 32:489–496, 2014. and Sami Ahlgren. Resilience of cyber-physical system: A case study [235] Ateeq Ahmad. Type of security threats and it’s prevention. Int. J. of safe school environment. In Intelligence and Security Informatics Computer Technology & Applications, 3(2):750–752, 2012. Conference (EISIC), 2012 European, pages 285–285. IEEE, 2012. [236] SJ Ruffle, F Caccioli, AW Coburn, S Kelly, B Leslie, and D Ralph. [261] Vanessa Fuhrmans. Virus attacks siemens plant-control systems. The Stress test scenario: Sybil logic bomb cyber catastrophe. Cambridge Wall Street Journal, 2010. Risk Framework series, Centre for Risk Studies, University of Cam- [262] Elinor Mills. Hackers broke into faa air traffic control system. The bridge. Cambridge Centre for Risk Studies, University of Cambridge Wall Street Journal, page A, 6:2009, 2009. Judge Business School, pages 1–45, 2014. [263] Akshay Rajhans, Shang-Wen Cheng, Bradley Schmerl, David Garlan, [237] Ragunathan Rajkumar, Insup Lee, Lui Sha, and John Stankovic. Cyber- Bruce H Krogh, Clarence Agbi, and Ajinkya Bhave. An architectural physical systems: the next computing revolution. In Design Automation approach to the design and analysis of cyber-physical systems. Elec- Conference (DAC), 2010 47th ACM/IEEE, pages 731–736. IEEE, 2010. tronic Communications of the EASST, 21, 2009. [264] Siddharth Deshmukh, Balasubramaniam Natarajan, and Anil Pahwa. [238] Dr ANIL NIDHI KANDHIL. A study on secure shell (ssh) protocol. State estimation in spatially distributed cyber-physical systems: Bounds [239] Kaiyuan Yang, David Blaauw, and Dennis Sylvester. Hardware designs on critical measurement drop rates. In Distributed Computing in Sensor for security in ultra-low-power iot systems: an overview and survey. Systems (DCOSS), 2013 IEEE International Conference on, pages 157– IEEE Micro, 37(6):72–89, 2017. 164. IEEE, 2013. [240] Antonio Scarfo. New security perspectives around byod. In 2012 [265] Koenraad Van Brabant et al. Operational security management in Seventh International Conference on Broadband, Wireless Computing, violent environments. Overseas Development Institute London, 2000. Communication and Applications, pages 446–451. IEEE, 2012. [266] Terje Aven. Risk assessment and risk management: Review of recent [241] XL Keystone and Cardno ENTRIX. Comments of the sierra club, et advances on their foundation. European Journal of Operational al., to the department of state on the supplemental draft environmental Research, 253(1):1–13, 2016. impact statement for the transcanada keystone xl pipeline. [267] Carlton Shepherd, Ghada Arfaoui, Iakovos Gurulian, Robert P Lee, [242] S Girgin and E Krausmann. Historical analysis of us onshore hazardous Konstantinos Markantonakis, Raja Naeem Akram, Damien Sauveron, liquid pipeline accidents triggered by natural hazards. Journal of Loss and Emmanuel Conchon. Secure and trusted execution: Past, present, Prevention in the Process Industries, 40:578–590, 2016. and future-a critical review in the context of the internet of things [243] László Monostori, Botond Kádár, T Bauernhansl, S Kondoh, S Kumara, and cyber-physical systems. In Trustcom/BigDataSE/ISPA, 2016 IEEE, G Reinhart, O Sauer, G Schuh, W Sihn, and K Ueda. Cyber-physical pages 168–177. IEEE, 2016. systems in manufacturing. CIRP Annals, 65(2):621–641, 2016. [268] Hussain Almohri, Long Cheng, Danfeng Yao, and Homa Alemzadeh. [244] Zakarya Drias, Ahmed Serhrouchni, and Olivier Vogel. Analysis of On threat modeling and mitigation of medical cyber-physical systems. cyber security for industrial control systems. In 2015 International In Connected Health: Applications, Systems and Engineering Technolo- Conference on Cyber Security of Smart Cities, Industrial Control gies (CHASE), 2017 IEEE/ACM International Conference on, pages System and Communications (SSIC), pages 1–8. IEEE, 2015. 114–119. IEEE, 2017. ฀฀฀฀฀฀฀฀฀

37

[269] Hussain MJ Almohri, Danfeng Daphne Yao, and Dennis Kafura. [288] Tianqi Zhou, Jian Shen, Xiong Li, Chen Wang, and Haowen Tan. Process authentication for high system assurance. IEEE Transactions Logarithmic encryption scheme for cyber–physical systems employing on Dependable and Secure Computing, (1):1, 2013. fibonacci q-matrix. Future Generation Computer Systems, 2018. [270] Hussain MJ Almohri, Layne T Watson, Danfeng Yao, and Xinming Ou. [289] Sherali Zeadally, Ray Hunt, Yuh-Shyan Chen, Angela Irwin, and Aamir Security optimization of dynamic networks with probabilistic graph Hassan. Vehicular ad hoc networks (vanets): status, results, and modeling and linear programming. IEEE Transactions on Dependable challenges. Telecommunication Systems, 50(4):217–241, 2012. and Secure Computing, 13(4):474–487, 2016. [290] Saif Al-Sultan, Moath M Al-Doori, Ali H Al-Bayatti, and Hussien [271] Kathryn A Higley. Environmental consequences of the chernobyl Zedan. A comprehensive survey on vehicular ad hoc network. Journal accident and their remediation: twenty years of experience. report of of network and computer applications, 37:380–392, 2014. the chernobyl forum expert group ‘environment’ sti/pub/1239, 2006, [291] Qian He, Ning Zhang, Yongzhuang Wei, and Yan Zhang. Lightweight international atomic energy agency, vienna, austria isbn: 92-0-114705- attribute based encryption scheme for mobile cloud assisted cyber- 8, 166 pp, 40.00 euros (softbound). Radiation Protection Dosimetry, physical systems. Computer Networks, 140:163–173, 2018. 121(4):476–477, 2006. [292] Yanqi Zhao, Yannan Li, Qilin Mu, Bo Yang, and Yong Yu. Secure [272] Yang-Hyun Koo, Yong-Sik Yang, and Kun-Woo Song. Radioactivity pub-sub: Blockchain-based fair payment with reputation for reliable release from the fukushima accident and its consequences: A review. cyber physical systems. IEEE Access, 6:12295–12303, 2018. Progress in Nuclear Energy, 74:61–70, 2014. [293] Johanna Sepúlveda, Shiyang Liu, and Jose M Bermudo Mera. Post- [273] Ayan Banerjee, Krishna K Venkatasubramanian, Tridib Mukherjee, and quantum enabled cyber physical systems. IEEE Embedded Systems Sandeep Kumar S Gupta. Ensuring safety, security, and sustainability Letters, 2019. of mission-critical cyber–physical systems. Proceedings of the IEEE, [294] Omkar A Harshe, N Teja Chiluvuri, Cameron D Patterson, and 100(1):283–299, 2011. William T Baumann. Design and implementation of a security frame- [274] American Gas Association et al. Cryptographic protection of scada work for industrial control systems. In 2015 International Conference communications part 1: Background, policies and test plan. Technical on Industrial Instrumentation and Control (ICIC), pages 127–132. report, AGA Report, 2005. IEEE, 2015. [275] Michael Kirkpatrick, Elisa Bertino, and Frederick T Sheldon. Re- [295] Tiago Cruz, Jorge Barrigas, Jorge Proença, Antonio Graziano, Stefano stricted authentication and encryption for cyber-physical systems. In Panzieri, Leonid Lev, and Paulo Simões. Improving network security DHS CPS Workshop Restricted Authentication and Encryption for monitoring for industrial control systems. In 2015 IFIP/IEEE Inter- Cyber-physical Systems, 2009. national Symposium on Integrated Network Management (IM), pages [276] Derui Ding, Qing-Long Han, Yang Xiang, Xiaohua Ge, and Xian-Ming 878–881. IEEE, 2015. Zhang. A survey on security control and attack detection for industrial [296] Matthew E Luallen. Sans scada and process control security survey. A cyber-physical systems. Neurocomputing, 275:1674–1683, 2018. SANS Whitepaper, February, 2013. [277] Adam Hahn, Roshan K Thomas, Ivan Lozano, and Alvaro Cardenas. [297] Asem Ghaleb, Sami Zhioua, and Ahmad Almulhem. On plc network A multi-layered and kill-chain based security analysis framework for security. International Journal of Critical Infrastructure Protection, cyber-physical systems. International Journal of Critical Infrastructure 22:62–69, 2018. Protection, 11:39–50, 2015. [298] Huayang Cao, Peidong Zhu, Xicheng Lu, and Andrei Gurtov. A layered [278] Mridula Sharma, Fayez Gebali, Haytham Elmiligi, and Musfiq Rah- encryption mechanism for networked critical infrastructures. IEEE man. Network security evaluation scheme for wsn in cyber-physical Network, 27(1):12–18, 2013. systems. In 2018 IEEE 9th Annual Information Technology, Electronics [299] Saurabh Amin, Galina A Schwartz, and S Shankar Sastry. On and Mobile Communication Conference (IEMCON), pages 1145–1151. the interdependence of reliability and security in networked control IEEE, 2018. systems. In Decision and Control and European Control Conference [279] Meng Zhang, Anand Raghunathan, and Niraj K Jha. Trustworthiness (CDC-ECC), 2011 50th IEEE Conference on, pages 4078–4083. IEEE, of medical devices and body area networks. Proceedings of the IEEE, 2011. 102(8):1174–1188, 2014. [280] Andrey Bogdanov, Lars R Knudsen, Gregor Leander, Christof Paar, [300] Alvaro A Cárdenas, Saurabh Amin, Zong-Syun Lin, Yu-Lun Huang, Axel Poschmann, Matthew JB Robshaw, Yannick Seurin, and Charlotte Chi-Yen Huang, and Shankar Sastry. Attacks against process control Vikkelsoe. Present: An ultra-lightweight block cipher. In International systems: risk assessment, detection, and response. In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems, pages the 6th ACM symposium on information, computer and communications 450–466. Springer, 2007. security, pages 355–366. ACM, 2011. [281] Julia Borghoff, Anne Canteaut, Tim Güneysu, Elif Bilge Kavun, [301] Thiago Alves, Rishabh Das, and Thomas Morris. Embedding Miroslav Knezevic, Lars R Knudsen, Gregor Leander, Ventzislav encryption and machine learning intrusion prevention systems on Nikov, Christof Paar, Christian Rechberger, et al. Prince–a low-latency programmable logic controllers. IEEE Embedded Systems Letters, block cipher for pervasive computing applications. In International 10(3):99–102, 2018. Conference on the Theory and Application of Cryptology and Infor- [302] Sana Belguith, Nesrine Kaaniche, Mohammad Hammoudeh, and mation Security, pages 208–225. Springer, 2012. Tooska Dargahi. Proud: verifiable privacy-preserving outsourced at- [282] Aamir Shahzad, Malrey Lee, Young-Keun Lee, Suntae Kim, Naixue tribute based signcryption supporting access policy update for cloud Xiong, Jae-Young Choi, and Younghwa Cho. Real time modbus assisted iot applications. Future Generation Computer Systems, 2019. transmissions and cryptography security designs and enhancements of [303] Nesrine Kaaniche, Maryline Laurent, Pierre-Olivier Rocher, Christophe protocol sensitive information. Symmetry, 7(3):1176–1210, 2015. Kiennert, and Joaquin Garcia-Alfaro. Pcs, a privacy-preserving certi- [283] MD Hadley, KA Huston, and TW Edgar. Aga-12, part 2 performance fication scheme. In Data Privacy Management, Cryptocurrencies and test results. Pacific Northwest National Laboratories, 2007. Blockchain Technology, pages 239–256. Springer, 2017. [284] José Rubio-Hernán, Luca De Cicco, and Joaquin Garcia-Alfaro. Re- [304] Nesrine Kaaniche. Cloud data storage security based on cryptographic visiting a watermark-based detection scheme to handle cyber-physical mechanisms. PhD thesis, 2014. attacks. In 2016 11th International Conference on Availability, Relia- [305] Robert M Seepers, Jos H Weber, Zekeriya Erkin, Ioannis Sourdis, and bility and Security (ARES), pages 21–28. IEEE, 2016. Christos Strydis. Secure key-exchange protocol for implants using [285] Laura Vegh and Liviu Miclea. Secure and efficient communication heartbeats. In Proceedings of the ACM International Conference on in cyber-physical systems through cryptography and complex event Computing Frontiers, pages 119–126. ACM, 2016. processing. In 2016 International Conference on Communications [306] Z Esat Ankaralı, A Fatih Demir, Marwa Qaraqe, Qammer H Abbasi, (COMM), pages 273–276. IEEE, 2016. Erchin Serpedin, Huseyin Arslan, and Richard D Gitlin. Physical [286] Sachini Jayasekara, Srinath Perera, Miyuru Dayarathna, and Sriskan- layer security for wireless implantable medical devices. In Computer darajah Suhothayan. Continuous analytics on geospatial data streams Aided Modelling and Design of Communication Links and Networks with wso2 complex event processor. In Proceedings of the 9th ACM (CAMAD), 2015 IEEE 20th International Workshop on, pages 144–147. International Conference on Distributed Event-Based Systems, pages IEEE, 2015. 277–284. ACM, 2015. [307] Sanjar Ibrokhimov, Kueh Lee Hui, Ahmed Abdulhakim Al-Absi, Man- [287] Srinath Perera, Suhothayan Sriskandarajah, Mohanadarshan gal Sain, et al. Multi-factor authentication in cyber physical system: A Vivekanandalingam, Paul Fremantle, and Sanjiva Weerawarana. state of art survey. In 2019 21st International Conference on Advanced Solving the grand challenge using an opensource cep engine. In Communication Technology (ICACT), pages 279–284. IEEE, 2019. Proceedings of the 8th ACM International Conference on Distributed [308] Shuo Chen, Maode Ma, and Zhenxing Luo. An authentication scheme Event-Based Systems, pages 288–293. ACM, 2014. with identity-based cryptography for m2m security in cyber-physical ฀฀฀฀฀฀฀฀฀

38

systems. Security and Communication Networks, 9(10):1146–1157, based on energy consumption analysis in 6lowpan. In Advanced Tech- 2016. nologies, Embedded and Multimedia for Human-centric Computing, [309] Haroon Wardak, Sami Zhioua, and Ahmad Almulhem. Plc access pages 1205–1213. Springer, 2014. control: a security analysis. In 2016 World Congress on Industrial [329] Christian Cervantes, Diego Poplade, Michele Nogueira, and Aldri Control Systems Security (WCICSS), pages 1–6. IEEE, 2016. Santos. Detection of sinkhole attacks for supporting secure routing [310] Donghyun Choi, Hakman Kim, Dongho Won, and Seungjoo Kim. Ad- on 6lowpan for internet of things. In IM, pages 606–611, 2015. vanced key-management architecture for secure scada communications. [330] Ashfaq Hussain Farooqi and Farrukh Aslam Khan. Intrusion detection IEEE Transactions on Power Delivery, 24(3):1154–1163, 2009. systems for wireless sensor networks: A survey. In Communication [311] Marwa Keshk, Nour Moustafa, Elena Sitnikova, and Benjamin Turn- and networking, pages 234–241. Springer, 2009. bull. Privacy-preserving big data analytics for cyber-physical systems. [331] Choong Seon Hong, Toshio Tonouchi, Yan Ma, and Chi-Shih Chao. Wireless Networks, pages 1–9, 2018. Management Enabling the Future Internet for Changing Business and [312] Jun Feng, Laurence T Yang, and Ronghao Zhang. Practical privacy- New Computing Services: 12th Asia-Pacific Network Operations and preserving high-order bi-lanczos in integrated edge-fog-cloud architec- Management Symposium, APNOMS 2009 Jeju, South Korea, September ture for cyber-physical-social systems. ACM Transactions on Internet 23-25, 2009 Proceedings, volume 5787. Springer, 2009. Technology (TOIT), 19(2):26, 2019. [332] Prabhakaran Kasinathan, Claudio Pastrone, Maurizio A Spirito, and [313] Heng Ye, Jiqiang Liu, Wei Wang, Ping Li, Tong Li, and Jin Li. Secure Mark Vinkovits. Denial-of-service detection in 6lowpan based internet and efficient outsourcing differential privacy data release scheme in of things. In 2013 IEEE 9th international conference on wireless and cyber–physical system. Future Generation Computer Systems, 2018. mobile computing, networking and communications (WiMob), pages [314] Xiaojun Zhang, Jie Zhao, Liming Mu, Yao Tang, and Chunxiang 600–607. IEEE, 2013. Xu. Identity-based proxy-oriented outsourcing with public auditing [333] Prabhakaran Kasinathan, Gianfranco Costamagna, Hussein Khaleel, in cloud-based medical cyber–physical systems. Pervasive and Mobile Claudio Pastrone, and Maurizio A Spirito. An ids framework for Computing, 56:18–28, 2019. internet of things empowered by 6lowpan. In Proceedings of the 2013 [315] Zhenyong Zhang, Junfeng Wu, David Yau, Peng Cheng, and Jiming ACM SIGSAC conference on Computer & communications security, Chen. Secure kalman filter state estimation by partially homomorphic pages 1337–1340. ACM, 2013. encryption. In 2018 ACM/IEEE 9th International Conference on Cyber- [334] Linus Wallgren, Shahid Raza, and Thiemo Voigt. Routing attacks Physical Systems (ICCPS), pages 345–346. IEEE, 2018. and countermeasures in the rpl-based internet of things. International [316] Junsoo Kim, Chanhwa Lee, Hyungbo Shim, Jung Hee Cheon, Andrey Journal of Distributed Sensor Networks, 9(8):794326, 2013. Kim, Miran Kim, and Yongsoo Song. Encrypting controller using fully [335] Anhtuan Le, Jonathan Loo, Yuan Luo, and Aboubaker Lasebae. homomorphic encryption for security of cyber-physical systems. IFAC- Specification-based ids for securing rpl from topology attacks. In PapersOnLine, 49(22):175–180, 2016. Wireless Days (WD), 2011 IFIP, pages 1–3. IEEE, 2011. [317] Zhaoe Min, Geng Yang, Arun Kumar Sangaiah, Shuangjie Bai, and [336] Anhtuan Le, Jonathan Loo, Kok Keong Chai, and Mahdi Aiash. Guoxiu Liu. A privacy protection-oriented parallel fully homomorphic A specification-based ids for detecting attacks on rpl-based network encryption algorithm in cyber physical systems. EURASIP Journal on topology. Information, 7(2):25, 2016. Wireless Communications and Networking, 2019(1):15, 2019. [337] Shahid Raza, Linus Wallgren, and Thiemo Voigt. Svelte: Real- [318] Nilotpal Chakraborty. Intrusion detection system and intrusion preven- time intrusion detection in the internet of things. Ad hoc networks, tion system: A comparative study. International Journal of Computing 11(8):2661–2674, 2013. and Business Research (IJCBR) ISSN (Online), pages 2229–6166, [338] Pavan Pongle and Gurunath Chavan. Real time intrusion and wormhole 2013. attack detection in internet of things. International Journal of Computer [319] Xiaokui Shu, Danfeng Yao, and Naren Ramakrishnan. Unearthing Applications, 121(9), 2015. stealthy program attacks buried in extremely long execution paths. In [339] Nanda Kumar Thanigaivelan, Ethiopia Nigussie, Rajeev Kumar Kanth, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Seppo Virtanen, and Jouni Isoaho. Distributed internal anomaly Communications Security, pages 401–413. ACM, 2015. detection system for internet-of-things. In Consumer Communications [320] Kui Xu, Ke Tian, Danfeng Yao, and Barbara G Ryder. A sharper & Networking Conference (CCNC), 2016 13th IEEE Annual, pages sense of self: Probabilistic reasoning of program behaviors for anomaly 319–320. IEEE, 2016. detection with context sensitivity. In 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), [340] Hung-Jen Liao, Chun-Hung Richard Lin, Ying-Chih Lin, and Kuang- pages 467–478. IEEE, 2016. Yuan Tung. Intrusion detection system: A comprehensive review. [321] Robert Mitchell and Ray Chen. Adaptive intrusion detection of mali- Journal of Network and Computer Applications, 36(1):16–24, 2013. cious unmanned air vehicles using behavior rule specifications. IEEE [341] John R Vacca. Computer and information security handbook. Newnes, Transactions on Systems, Man, and Cybernetics: Systems, 44(5):593– 2012. 604, 2014. [342] Caiming Liu, Jin Yang, Yan Zhang, Run Chen, and Jinquan Zeng. [322] David I Urbina, Jairo A Giraldo, Alvaro A Cardenas, Nils Ole Tippen- Research on immunity-based intrusion detection technology for the hauer, Junia Valente, Mustafa Faisal, Justin Ruths, Richard Candell, and internet of things. In Natural Computation (ICNC), 2011 Seventh Henrik Sandberg. Limiting the impact of stealthy attacks on industrial International Conference on, volume 1, pages 212–216. IEEE, 2011. control systems. In Proceedings of the 2016 ACM SIGSAC Conference [343] Robert Mitchell and Ing-Ray Chen. A survey of intrusion detection on Computer and Communications Security, pages 1092–1105. ACM, techniques for cyber-physical systems. ACM Computing Surveys 2016. (CSUR), 46(4):55, 2014. [323] Siddharth Sridhar, Adam Hahn, Manimaran Govindarasu, et al. Cyber- [344] Ismail Butun, Salvatore D Morgera, and Ravi Sankar. A survey physical system security for the electric power grid. Proceedings of of intrusion detection systems in wireless sensor networks. IEEE the IEEE, 100(1):210–224, 2012. communications surveys & tutorials, 16(1):266–282, 2014. [324] Christopher Zimmer, Balasubramanya Bhat, Frank Mueller, and Sibin [345] Sudip Misra, P Venkata Krishna, Harshit Agarwal, Antriksh Saxena, Mohan. Time-based intrusion detection in cyber-physical systems. In and Mohammad S Obaidat. A learning automata based solution for Proceedings of the 1st ACM/IEEE International Conference on Cyber- preventing distributed denial of service in internet of things. In Internet Physical Systems, pages 109–118. ACM, 2010. of things (ithings/cpscom), 2011 international conference on and 4th [325] Robert Mitchell and Ray Chen. Behavior rule specification-based international conference on cyber, physical and social computing, intrusion detection for safety critical medical cyber physical systems. pages 114–122. IEEE, 2011. IEEE Transactions on Dependable and Secure Computing, 12(1):16– [346] Ala Al-Fuqaha, Mohsen Guizani, Mehdi Mohammadi, Mohammed 30, 2015. Aledhari, and Moussa Ayyash. Internet of things: A survey on en- [326] Bruno Bogaz Zarpelão, Rodrigo Sanches Miani, Cláudio Toshio abling technologies, protocols, and applications. IEEE communications Kawakani, and Sean Carlisto de Alvarenga. A survey of intrusion surveys & tutorials, 17(4):2347–2376, 2015. detection in internet of things. Journal of Network and Computer [347] João P Amaral, Luís M Oliveira, Joel JPC Rodrigues, Guangjie Han, Applications, 84:25–37, 2017. and Lei Shu. Policy and network-based intrusion detection system [327] Doohwan Oh, Deokho Kim, and Won Woo Ro. A malicious pattern for ipv6-enabled wireless sensor networks. In Communications (ICC), detection engine for embedded security systems in the internet of 2014 IEEE International Conference on, pages 1796–1801. IEEE, things. Sensors, 14(12):24188–24211, 2014. 2014. [328] Tsung-Han Lee, Chih-Hao Wen, Lin-Huang Chang, Hung-Shiou Chi- [348] Herve Debar. An introduction to intrusion-detection systems. Proceed- ang, and Ming-Chun Hsieh. A lightweight intrusion detection scheme ings of Connect, 2002:1–18, 2000. ฀฀฀฀฀฀฀฀฀

39

[349] Karen Scarfone and Peter Mell. Guide to intrusion detection and cyber-physical systems with analysis cost constraint based on honeypot prevention systems (idps). NIST special publication, 800(2007):94, game model. 2019. 2007. [369] Qi Duan, Ehab Al-Shaer, Mazharul Islam, and Haadi Jafarian. Conceal: [350] Abhishek Gupta, Om Jee Pandey, Mahendra Shukla, Anjali Dadhich, A strategy composition for resilient cyber deception-framework, met- Samar Mathur, and Anup Ingle. Computational intelligence based rics and deployment. In 2018 IEEE Conference on Communications intrusion detection systems for wireless communication and pervasive and Network Security (CNS), pages 1–9. IEEE, 2018. computing networks. In Computational Intelligence and Computing [370] Giuseppe Bernieri, Mauro Conti, and Federica Pascucci. A novel Research (ICCIC), 2013 IEEE International Conference on, pages 1– architecture for cyber-physical security in industrial control networks. 7. IEEE, 2013. In 2018 IEEE 4th International Forum on Research and Technology [351] Douglas H Summerville, Kenneth M Zach, and Yu Chen. Ultra- for Society and Industry (RTSI), pages 1–6. IEEE, 2018. lightweight deep packet anomaly detection for internet of things [371] Muhammed O Sayin and Tamer Basar. Deception-as-defense frame- devices. In Computing and Communications Conference (IPCCC), work for cyber-physical systems. arXiv preprint arXiv:1902.01364, 2015 IEEE 34th International Performance, pages 1–8. IEEE, 2015. 2019. [352] Konstantinos Demertzis, Lazaros Iliadis, and Stefanos Spartalis. A [372] Irfan Ahmed, Sebastian Obermeier, Martin Naedele, and Golden G spiking one-class anomaly detection framework for cyber-security on Richard III. Scada systems: challenges for forensic investigators. industrial control systems. In International Conference on Engineering Computer, 45(12):44–51, 2012. Applications of Neural Networks, pages 122–134. Springer, 2017. [373] Irfan Ahmed, Sebastian Obermeier, Sneha Sudhakaran, and Vassil [353] Samuel Stone and Michael Temple. Radio-frequency-based anomaly Roussev. Programmable logic controller forensics. IEEE Security & detection for programmable logic controllers in the critical infras- Privacy, 15(6):18–24, 2017. tructure. International Journal of Critical Infrastructure Protection, [374] Rima Asmar Awad, Saeed Beztchi, Jared M Smith, Bryan Lyles, and 5(2):66–73, 2012. Stacy Prowell. Tools, techniques, and methodologies: A survey of [354] Andrew Hildick-Smith. Security for critical infrastructure scada sys- digital forensics for scada systems. In Proceedings of the 4th Annual tems. SANS Reading Room, GSEC Practical Assignment, Version, Industrial Control System Security Workshop, pages 1–8. ACM, 2018. 1:498–506, 2005. [375] George Grispos, William Bradley Glisson, and Kim-Kwang Raymond [355] Samuel J Stone, Michael A Temple, and Rusty O Baldwin. Detecting Choo. Medical cyber-physical systems development: A forensics- anomalous programmable logic controller behavior using rf-based driven approach. In Proceedings of the Second IEEE/ACM Interna- hilbert transform features and a correlation-based verification process. tional Conference on Connected Health: Applications, Systems and International Journal of Critical Infrastructure Protection, 9:41–51, Engineering Technologies, pages 108–114. IEEE Press, 2017. 2015. [376] Haider Al-Khateeb, Gregory Epiphaniou, and Herbert Daly. Blockchain [356] Stephen Dunlap, Jonathan Butts, Juan Lopez, Mason Rice, and Barry for modern digital forensics: The chain-of-custody as a distributed Mullins. Using timing-based side channels for anomaly detection in ledger. In Blockchain and Clinical Trial, pages 149–168. Springer, industrial control systems. International Journal of Critical Infrastruc- 2019. ture Protection, 15:12–26, 2016. [377] Chun-Fai Chan, Kam-Pui Chow, Siu-Ming Yiu, and Ken Yau. En- [357] Jana Krimmling and Steffen Peter. Integration and evaluation of intru- hancing the security and forensic capabilities of programmable logic sion detection for coap in smart city applications. In Communications controllers. In IFIP International Conference on Digital Forensics, and Network Security (CNS), 2014 IEEE Conference on, pages 73–78. pages 351–367. Springer, 2018. IEEE, 2014. [378] Gabriela Ahmadi-Assalemi, Haider M Al-Khateeb, Gregory Epiphan- [358] Ning Jiang, Hu Lin, Zhenyu Yin, and Chunyan Xi. Research of iou, Jon Cosson, Hamid Jahankhani, and Prashant Pillai. Federated paired industrial firewalls in defense-in-depth architecture of integrated blockchain-based tracking and liability attribution framework for em- manufacturing or production system. In 2017 IEEE International ployees and cyber-physical objects in a smart workplace. In 2019 Conference on Information and Automation (ICIA), pages 523–526. IEEE 12th International Conference on Global Security, Safety and IEEE, 2017. Sustainability (ICGS3), pages 1–9. IEEE, 2019. [359] Jeyasingam Nivethan and Mauricio Papa. On the use of open-source [379] Jack Parry, Daniel Hunter, Kenneth Radke, and Colin Fidge. A network firewalls in ics/scada systems. Information Security Journal: A Global forensics tool for precise data packet capture and replay in cyber- Perspective, 25(1-3):83–93, 2016. physical systems. In Proceedings of the Australasian Computer Science [360] Sridhar Adepu, Siddhant Shrivastava, and Aditya Mathur. Argus: An Week Multiconference, page 22. ACM, 2016. orthogonal defense framework to protect public infrastructure against [380] Mumin Cebe, Enes Erdin, Kemal Akkaya, Hidayet Aksu, and Sel- cyber-physical attacks. IEEE Internet Computing, 20(5):38–45, 2016. cuk Uluagac. Block4forensic: An integrated lightweight blockchain [361] Tamoghna Ghosh, Dipanjan Sarkar, Tushar Sharma, Ashok Desai, and framework for forensics applications of connected vehicles. IEEE Raghav Bali. Real time failure prediction of load balancers and Communications Magazine, 56(10):50–57, 2018. firewalls. In 2016 IEEE International Conference on Internet of Things [381] Pedro Taveras. Scada live forensics: real time data acquisition process (iThings) and IEEE Green Computing and Communications (Green- to detect, prevent or evaluate critical situations. European Scientific Com) and IEEE Cyber, Physical and Social Computing (CPSCom) and Journal, 9(21), 2013. IEEE Smart Data (SmartData), pages 822–827. IEEE, 2016. [382] Irfan Ahmed, Vassil Roussev, William Johnson, Saranyan Senthivel, [362] Yahya Javed, Muhamad Felemban, Tawfeeq Shawly, Jason Kobes, and and Sneha Sudhakaran. A scada system testbed for cybersecurity and Arif Ghafoor. A partition-driven integrated security architecture for forensic research and pedagogy. In Proceedings of the 2nd Annual cyber-physical systems. arXiv preprint arXiv:1901.03018, 2019. Industrial Control System Security Workshop, pages 1–9. ACM, 2016. [363] Fred Cohen. The use of deception techniques: Honeypots and decoys. [383] Ken Yau and Kam-Pui Chow. Detecting anomalous programmable Handbook of Information Security, 3(1):646–655, 2006. logic controller events using machine learning. In IFIP International [364] Daniele Antonioli, Anand Agrawal, and Nils Ole Tippenhauer. Towards Conference on Digital Forensics, pages 81–94. Springer, 2017. high-interaction virtual ics honeypots-in-a-box. In Proceedings of the [384] Saman Zonouz, Julian Rrushi, and Stephen McLaughlin. Detecting 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy, industrial control malware using automated plc code analytics. IEEE pages 13–22. ACM, 2016. Security & Privacy, 12(6):40–47, 2014. [365] Samuel Litchfield, David Formby, Jonathan Rogers, Sakis Meliopoulos, [385] Lucille McMinn and Jonathan Butts. A firmware verification tool and Raheem Beyah. Rethinking the honeypot for cyber-physical for programmable logic controllers. In International Conference on systems. IEEE Internet Computing, 20(5):9–17, 2016. Critical Infrastructure Protection, pages 59–69. Springer, 2012. [366] Celine Irvene, David Formby, Samuel Litchfield, and Raheem Beyah. [386] Amit Kleinmann and Avishai Wool. Accurate modeling of the siemens Honeybot: A honeypot for robotic systems. Proceedings of the IEEE, s7 scada protocol for intrusion detection and digital forensics. Journal 106(1):61–70, 2017. of Digital Forensics, Security and Law, 9(2):4, 2014. [367] Daniel Fraunholz, Daniel Krohmer, Simon Duque Anton, and Hans Di- [387] Saranyan Senthivel, Irfan Ahmed, and Vassil Roussev. Scada network eter Schotten. Investigation of cyber crime conducted by abusing weak forensics of the pccc protocol. Digital Investigation, 22:S57–S65, 2017. or default passwords with a medium interaction honeypot. In 2017 [388] Ken Yau, Kam-Pui Chow, and Siu-Ming Yiu. A forensic logging system International Conference on Cyber Security And Protection Of Digital for siemens programmable logic controllers. In IFIP International Services (Cyber Security), pages 1–7. IEEE, 2017. Conference on Digital Forensics, pages 331–349. Springer, 2018. [368] Wen Tian, Xiaopeng Ji, Weiwei Liu, Guangjie Liu, Rong Lin, Jiangtao [389] Dillon Beresford. Exploiting siemens simatic s7 plcs. Black Hat USA, Zhai, and Yuewei Dai. Defense strategies against network attacks in 16(2):723–733, 2011. ฀฀฀฀฀฀฀฀฀

40

[390] Raymond Chan and Kam-Pui Chow. Forensic analysis of a siemens In 2019 International Conference on Wireless and Mobile Computing, programmable logic controller. In International Conference on Critical Networking and Communications (WiMob), pages 1–8. IEEE, 2019. Infrastructure Protection, pages 117–130. Springer, 2016. [411] Reem Melki, Hassan N Noura, and Ali Chehab. Lightweight multi- [391] Hassan Noura, Ali Chehab, Mohamad Noura, Raphaël Couturier, and factor mutual authentication protocol for IoT devices. International Mohammad M Mansour. Lightweight, dynamic and efficient image Journal of Information Security, pages 1–16, 2019. encryption scheme. Multimedia Tools and Applications, 78(12):16527– [412] Hassan N Noura, Reem Melki, and Ali Chehab. Secure and lightweight 16561, 2019. mutual multi-factor authentication for IoT communication systems. In [392] Hassan Noura, Ali Chehab, Lama Sleem, Mohamad Noura, Raphaël 2019 IEEE 90th Vehicular Technology Conference (VTC2019-Fall), Couturier, and Mohammad M. Mansour. One round cipher algorithm pages 1–7. IEEE, 2019. for multimedia IoT devices. Multimedia Tools and Applications, Jan [413] Hassan N Noura, Ola Salman, Ali Chehab, and Raphaël Couturier. 2018. Distlog: A distributed logging scheme for iot forensics. Ad Hoc [393] Hassan N Noura, Reem Melki, Ali Chehab, and Mohammad M Networks, 98:102061, 2020. Mansour. A physical encryption scheme for low-power wireless M2M [414] Steven Thomason. Improving network security: next generation fire- devices: a dynamic key approach. Mobile Networks and Applications, walls and advanced packet inspection devices. Global Journal of pages 1–17, 2018. Computer Science and Technology, 2012. [394] Reem Melki, Hassan N Noura, Mohammad M Mansour, and Ali [415] Iyad Kuwatly, Malek Sraj, Zaid Al Masri, and Hassan Artail. A Chehab. An efficient OFDM-based encryption scheme using a dynamic dynamic honeypot design for intrusion detection. In The IEEE/ACS key approach. IEEE Internet of Things Journal, 2018. International Conference onPervasive Services, 2004. ICPS 2004. [395] Reem Melki, Hassan N Noura, Mohammad M Mansour, and Ali Proceedings., pages 95–104. IEEE, 2004. Chehab. A survey on OFDM physical layer security. Physical [416] L Carver and Murray Turoff. The human and computer as a team Communication, 32:1–30, 2019. in emergency management information systems. CACM, 50(3):33–38, [396] Hassan Noura, Soran Hussein, Steven Martin, Lila Boukhatem, and 2007. Khaldoun Al Agha. Erdia: An efficient and robust data integrity algo- [417] Robin Ruefle, Audrey Dorofee, David Mundie, Allen D Householder, rithm for mobile and wireless networks. In Wireless Communications Michael Murray, and Samuel J Perl. Computer security incident and Networking Conference (WCNC), 2015 IEEE, pages 2103–2108. response team development and evolution. IEEE Security & Privacy, IEEE, 2015. 12(5):16–26, 2014. [397] Han Qiu, Gerard Memmi, and Hassan Noura. An efficient secure [418] Karen Kent, Suzanne Chevalier, Tim Grance, and Hung Dang. Guide storage scheme based on information fragmentation. In 2017 IEEE to integrating forensic techniques into incident response. NIST Special 4th International Conference on Cyber Security and Cloud Computing Publication, 10(14):800–86, 2006. (CSCloud), pages 108–113. IEEE, 2017. [419] Chris Prosise, Kevin Mandia, and Matt Pepe. Incident response & [398] Hassan Noura, Steven Martin, Khaldoun Al Agha, and Khaled Chahine. computer forensics. 2003. ERSS-RLNC: efficient and robust secure scheme for random linear [420] Maurice M Klee. The importance of having a non-disclosure agree- network coding. Computer networks, 75:99–112, 2014. ment. IEEE engineering in medicine and biology magazine, 19(3):120, [399] Hassan Noura, Ola Salman, Ali Chehab, and Raphael Couturier. Pre- 2000. serving data security in distributed fog computing. Ad Hoc Networks, [421] Joyce Hogan and Robert Hogan. How to measure employee reliability. 94:101937, 2019. Journal of Applied psychology, 74(2):273, 1989. [400] Katarzyna Kapusta, Gerard Memmi, and Hassan Noura. Secure and [422] Abraham Serhane, Mohamad Raad, Raad Raad, and Willy Susilo. resilient scheme for data protection in unattended wireless sensor Plc code-level vulnerabilities. In 2018 International Conference on networks. In 2017 1st Cyber Security in Networking Conference Computer and Applications (ICCA), pages 348–352. IEEE, 2018. (CSNet), pages 1–8. IEEE, 2017. [423] Yung-Chang Chang, Li-Ren Huang, Hsing-Chuang Liu, Chih-Jen Yang, [401] Katarzyna Kapusta, Gerard Memmi, and Hassan Noura. Additively ho- and Ching-Te Chiu. Assessing automotive functional safety micropro- momorphic encryption and fragmentation scheme for data aggregation cessor with iso 26262 hardware requirements. In Technical papers of inside unattended wireless sensor networks. Annals of Telecommuni- 2014 international symposium on VLSI design, automation and test, cations, 74(3-4):157–165, 2019. pages 1–4. IEEE, 2014. [402] Rida Diba, Elias Yaacoub, Mohammed Al-Husseini, Hassan Noura, [424] Ron Bell. Introduction and revision of iec 61508. In Advances in Khalid Abualsaud, Tamer Khattab, and Mohsen Guizani. A simple Systems Safety, pages 273–291. Springer, 2011. approach for securing iot data transmitted over multi-rats. In 2018 [425] Ron Bell. Introduction to iec 61508. In ACM International Conference 14th International Wireless Communications & Mobile Computing Proceeding Series, volume 162, pages 3–12, 2006. Conference (IWCMC), pages 249–254. IEEE, 2018. [426] Curtis Miller, Justin Kassie, Daniel Poston, et al. Assessing and com- [403] Hassan N Noura, Reem Melki, Mohammad Malli, and Ali Chehab. puting the safety integrity level (sil) for turbo machinery protection. In Design and realization of efficient & secure multi-homed systems based Proceedings of the 46th Turbomachinery Symposium. Turbomachinery on random linear network coding. Computer Networks, 163:106886, Laboratory, Texas A&M Engineering Experiment Station, 2017. 2019. [427] Teiyu Goto. Electronic control unit, October 2 2001. US Patent App. [404] John Demme, Matthew Maycock, Jared Schmitz, Adrian Tang, Adam 29/132,291. Waksman, Simha Sethumadhavan, and Salvatore Stolfo. On the [428] Nikolaus Dellantoni, Bernhard Schinkowitsch, André Schoenekaes, feasibility of online malware detection with performance counters. In Axel Nix, and Niall R Lynam. Scalable integrated electronic control ACM SIGARCH Computer Architecture News, volume 41, pages 559– unit for vehicle, May 19 2015. US Patent 9,036,026. 570. ACM, 2013. [405] Nesrine Kaaniche, Maryline Laurent, and Claire Levallois-Barth. Id- based user-centric data usage auditing scheme for distributed environ- ments. Frontiers in Blockchain, 3:17, 2020. [406] Nesrine Kaaniche, Mohamed Mohamed, Maryline Laurent, and Heiko Ludwig. Security sla based monitoring in clouds. In 2017 IEEE International Conference on Edge Computing (EDGE), pages 90–97. IEEE, 2017. [407] Giedre Sabaliauskaite and Aditya P Mathur. Aligning cyber-physical system safety and security. In Complex Systems Design & Management Asia, pages 41–53. Springer, 2015. [408] Feng Xie, Tianbo Lu, Xiaobo Guo, Jingli Liu, Yong Peng, and Yang Gao. Security analysis on cyber-physical system using attack tree. In 2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, pages 429–432. IEEE, 2013. [409] Hassan N Noura, Ali Chehab, and Raphael Couturier. Efficient & secure cipher scheme with dynamic key-dependent mode of operation. Signal Processing: Image Communication, 78:448–464, 2019. [410] Hassan Noura, Raphaël Couturier, Congduc Pham, and Ali Chehab. Lightweight stream cipher scheme for resource-constrained iot devices.