Cyber Stealth Attacks in Critical Information Infrastructures

Lorena Cazorla, Member, IEEE, Cristina Alcaraz, Member, IEEE, and Javier Lopez, Senior Member, IEEE *†

June 23, 2016

Abstract

Current Critical Infrastructures (CIs) are complex interconnected industrial systems that, in recent years, have incorporated information and communications technologies such as connection to the Internet and commercial off-the-shelf components. This makes them easier to operate and maintain, but exposes them to the threats and attacks that inundate conventional networks and systems. This paper contains a comprehensive study on the main stealth attacks that threaten CIs, with a special focus on Critical Information Infrastructures (CIIs). This type of attack is characterized by an adversary who is able to finely tune his actions to avoid detection while pursuing his objectives. To provide a complete analysis of the scope and potential dangers of stealth attacks we determine and analyze their stages and range, and we design a taxonomy to illustrate the threats to CIs, offering an overview of the applicable countermeasures against these attacks. From our analysis we understand that these types of attacks, due to the interdependent nature of CIs, pose a grave danger to critical systems where the threats can easily cascade down to the interconnected systems.

Keywords: Critical Infrastructures, Control Systems, Countermeasures, Detection and Protection, Stealth Attacks.

* This work has been partially supported by the EU FP7 project FACIES (HOME/2011/CIPS/AG/4000002115), by the Spanish Ministry of Economy and Competitiveness through the project PERSIST (TIN2013-41739-R), and by the Andalusian government through the project PISCIS (P10-TIC-06334). The first author has been funded by a FPI fellowship from the Junta de Andalucía through the project FISICCO (P11-TIC-07223). Additionally, the second author has received funding from the Marie Curie COFUND programme “U-Mobility” co-financed by Universidad de Malaga, the EC FP7 under GA No. 246550 and the Spanish Ministry of Economy and Competitiveness (COFUND2013-40259).

† L. Cazorla, C. Alcaraz and J. Lopez are with the Department of Computer Science, University of Malaga, Campus de Teatinos s/n, 29071, Malaga, Spain, e-mails: {lorena,alcaraz,jlm}@lcc.uma.es.

Published as: L. Cazorla, C. Alcaraz, and J. Lopez, “Cyber Stealth Attacks in Critical Information Infrastructures”, IEEE Systems Journal, vol. 12, pp. 1778-1792, 2018. http://doi.org/10.1109/JSYST.2015.2487684 NICS Lab. Publications: https://www.nics.uma.es/publications

1 Introduction

Information and Communication Technologies (ICTs) have now become essential elements in our society since they offer significant improvements in efficiency, cost reduction and enhancing quality of life. Mobile computing technologies, embedded systems, smart devices, wireless communication and the growth of the Internet are becoming the major driving forces. These enable management of information from anywhere, at any time and in any way, allowing an easier implementation and quicker operation of the great majority of today’s competitors’ infrastructures and their services [1]. In fact, most of these physical facilities are highly interconnected to other national (and international) systems through communication systems, and managed through software-based systems, where the atomic data are not only the integral elements of the infrastructure itself but are also needed between infrastructures in order for them to function properly [1].


Critical Infrastructures (CIs) are interconnections of a set of systems and assets, whether physical or virtual [1], which are integral to the social, political, and economic life of a nation and its citizens. Examples of these infrastructures can be water treatment systems, energy generation and distribution systems, finance, transportation, etc. In policy terms, the European Union (EU) considers a CI to be “an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions” [2]. Similarly, the United States (US) government considers critical infrastructures as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (extract from Law 107-56, Section 1016, entitled Critical Infrastructure Protection Act of 2001 [3]).

Any protection put into place to safeguard CIs should focus on preserving not only the physical elements of the infrastructure but also, and most importantly, its virtual (cyber) elements, as a disruption of these assets may trigger the same damage as the disruption of physical components, putting the security and safety of these interconnected systems at risk. In order to guarantee that CIs operate continuously, they are monitored by control systems to ensure the correct performance of processes and operations. In the industry, these systems are known as Supervisory Control and Data Acquisition (SCADA), and they belong to the category of Industrial Control Systems (ICSs). SCADA systems are composed of hybrid integral systems in which a set of control processes is widely distributed over large geographic locations, but any information has to be centralized at a single point, the SCADA center. To this end, remote substations comprise smart collectors (field devices) capable of interpreting ingoing/outgoing traffic, of sending information to the SCADA center or executing control actions in the field. These devices, widely known as PLCs (Programmable Logic Controllers) or RTUs (Remote Terminal Units), are connected to sensors in charge of perceiving measurement values (e.g., pressure) or actuators to carry out an action.

These operational features mean that ICSs are also CIs in themselves [1], and, together with the rest of the cyber elements of CIs, constitute what is called a Critical Information Infrastructure (CII) (given their critical nature, in the remainder of this paper we will refer to them in general as CIs). Any physical or virtual disruption related to communication or control may have devastating consequences for the continuity of services and business. Government and industry entities are already announcing the importance of addressing aspects of cyber-defense in their respective critical sectors, where CIIs are in the sights of potential attackers [4, 5, 6].

1.1 Identified Cyber-Attacks to CIs

One of the most dangerous threats that CIs face are cyber-attacks, where adversaries can remotely perform malicious acts that may have a disastrous impact on the infrastructures. This, together with an increasing number of threats, faults and errors registered, has alerted institutions worldwide. There are annual reports published by the different governments through specific organizations such as the European Union Network and Information Security Agency (ENISA) [7] and the Industrial Control System Cyber Emergency Response Team (ICS-CERT) [8, 9, 10], reflecting the current situation and the severity of potential threats. The number of specific incidents apparently continues to grow, requiring a major effort to establish security and protection measures immediately.

ENISA’s work on managing incidents [7] in conjunction with the National Regulatory Authorities (NRAs) of the 28 EU member states was established in 2012 thanks to Article 13a of the framework Directive (2009/140/EC) [11]. According to the two latest reports, the number of incidents caused by natural disasters, human error, malicious actions, system faults and third party faults, and registered in the different sectors, has already reached significant numbers. The majority of them targeted communication networks (51 in 2011 and 79 in 2012) based on fixed telephony (e.g., VoIP over DSL, cable, etc.), fixed Internet (e.g., dial up, DSL, cable, etc.), mobile telephony (e.g., UMTS, GSM) and mobile Internet (e.g., UMTS, GSM). With very similar goals, ICS-CERT, via the Critical Infrastructure Information Act (the CII Act) of 2002, manages incidents from owner organizations of CIs.

According to ICS-CERT, the number of incidents became more noticeable in 2010, the year in which information technologies started to be well-known, in which active remote accesses (e.g., Internet connections, connection to sub-networks, use of wireless technologies) also started to be exploited. The power grid industry is leader in the number of detected incidents (18 in total), followed by nuclear, chemical and water management, which received between 8 and 15% of the threats. The majority of the incidents reported were related to SSH (Secure Shell), brute-force attacks, scanning and spear-phishing (2 out of 3 attacks) in the power grid, with the aim being to acquire credentials or personal information. As we can appreciate, one of the most dangerous threats that CIs face are cyber-attacks, where adversaries can remotely perform malicious acts that may have a disastrous impact on the infrastructures [12]. This is especially true when these cyber attacks target CIs and the adversaries’ objective is to remain unnoticed while pursuing their goals, and so we face stealth attacks, a sophisticated and potentially very dangerous type of cyber attack. Usually these attacks are launched by powerful adversaries with the objective of extracting sensitive or reconnaissance information without being noticed, to sometimes, afterwards, use this information to launch malicious attacks to cause disruptions to CIs. Some examples of these attacks, perpetrated in 2010, are:

• CIKR Mariposa [13]. Mariposa was a botnet, performing operations of denial of service attacks, e-mailing spam, personal information theft, modifications in the web-browser’s searches, and other similar cyber-attacks.

• Stuxnet worm [14]. The first malware code designed specifically for engineering controllers (i.e., PLCs/RTUs). The worm, with the ability to infect numerous network devices without leaving evidence of the attack, was primarily focused on reaching and manipulating critical sections of a particular PLC of Siemens. The origin of the infection was traced back to the unsuitable use of personal media devices (USB drives).

In 2011, 197 reports of incidents were received, with the water sector topping the list with 81 incidents. Many of the reported incidents were related to spear-phishing for illicitly obtaining security credentials or unauthorized access to restricted systems, as well as other relevant attacks such as:

• Night Dragon attack [15]. Attack reported by McAfee, which was based on a combination of a set of potential threats (e.g., social engineering) and malware (e.g., Trojans) to breach the security of corporate networks in charge of managing control systems.

• Nitro Attacks [16]. Sophisticated attack that involved several companies in the chemical sector, primarily private companies involved in research, development, and manufacture of chemicals and advanced materials. The attack aimed to collect confidential data, and infected machines in the order of 27% in the USA, 20% in Bangladesh, 14% in the United Kingdom, 6% in Argentina, 4% in Singapore, 4% in China, Taiwan, Germany and the Czech Republic; 2% in Hong Kong, India, the Netherlands and Finland; 1% in South Korea, France, Russia, Japan, Sweden, Norway, and Canada.

• Duqu [17]. Virus considered to be a mutation of Stuxnet but without the ability to self-replicate. Despite this feature, Duqu is able to reveal private information, configurations and accesses and has a similar behavior to Flame, described below.

The number of incidents remained equally high in 2012 with 198 registered [9]. 41% of the threats targeted the energy sector and its control systems, and the water sector witnessed the second highest number of incidents with 15% of the threats. The report of 2012 also noted two important aspects. On the one hand, systems connected to the Internet and protected through weak or default credentials were those that received the most common attacks on the Internet; and on the other hand, more and more the water sector was becoming a specific target for attackers. This report presented some specific examples, such as the case of the water utility located in Springfield (Curran-Gardner public water district), which was attacked from an IP address located in Russia without leaving any evidence of this intrusion in the SCADA system. Another example of a cyber-attack is:

• Flame [18]. Worm originally designed to open back doors, infect and modify functions, in addition to stealing confidential data, destroying information or recording conversations.

In 2013, ICS-CERT received roughly 200 incidents [10]. The highest percentage of incidents was found to be in the energy sector (53%) followed by critical manufacturing (17%). The majority of these incidents were related to cyber-attacks such as watering hole attacks (with the intention of attacking those strategic points (e.g., servers, websites) that are frequently visited by targets), SQL (Structured Query Language) injection, and spear-phishing attacks. In the first quarter of 2014, ICS-CERT reported attacks mainly on the energy and water sectors, followed by the transportation sector, where the main vulnerabilities targeted were weaknesses and flaws in the design of the systems [19].

Through this review of recent attacks, we can readily identify the real danger behind stealthy adversaries, and the need to understand them better in order to prevent attacks and counteract them, especially in critical contexts. The concept of stealth attacks was introduced for conventional networks by M. Jakobsson et al. in 2003 [20]. They were described in the literature as those attacks in which the cost and visibility of the attacker have to be minimized. Cyber stealth attacks “allow a skilled but not very powerful attacker to target communication networks in a way that makes it unlikely that he gets traced and caught” [20]. This type of adversary has proliferated in recent years targeting critical systems, since the first known high-scale stealthy attacks on CIs (Mariposa, Stuxnet).

These incidents showed the characteristics and sophisticated capabilities of these types of attacks, and proved that it is possible to adapt stealthy techniques used for conventional networks to threaten critical scenarios. However, besides these highly complex attacks, we understand that it is also possible to take this same knowledge on stealth attacks from general-purpose networks to implement stealthy cyber attacks on CIs in a less complex manner, but with potentially equally harmful results. CIs, especially ICSs, have, over the years, added ICTs to their infrastructures, but they have not incorporated sufficient security mechanisms to protect them [1], so they have inherited many threats and weaknesses from traditional networks. This lack of strong security mechanisms opens the door to multiple types of cyber attacks against CIs, one of the most powerful being stealthy attacks. Our work is, to the best of our knowledge, the first attempt to undertake the analysis of this kind of stealth attack in CIs.

The remainder of this paper studies all aspects of these attacks in relation to CIs. Section 2 presents the stages of a stealth attack. Section 3 describes the AICAn taxonomy. Section 4 provides a review and classification of the different types of cyber stealth attacks that can be launched against CIs. Section 5 reviews the countermeasures and prevention techniques available against stealth attacks. In Section 6 we discuss the effects of stealth attacks on the AICAn. Finally, in Section 7, conclusions and future work are outlined.

2 Stages of a Stealth Attack

Stealth attacks, as in any kind of (cyber) attack, are composed of three main stages or phases that have to be fulfilled so as to achieve the adversary’s objectives, namely: (i) stealthiness of the communication, (ii) stealthiness of the execution, (iii) stealthiness of the propagation. Figure 1 illustrates these stages, where each phase is based on the preceding one. Every single attack is different in nature, and can comprise one or more of the three stages mentioned, always following the established order: first the communication phase, then the execution of the attack and lastly its propagation.

Figure 1: Stages of a stealth attack (Attacker → Communication → Execution → Propagation)

In the specific case of stealthy attacks, they follow these three phases, but the adversary remains undetected while pursuing his objective. However, it is important to note that the success of a stealth attack depends on the intention of the adversary, since his objective might be to achieve only one or two of the stages; e.g., the attacker aims to scan the ports of a system unnoticed, to determine which ones are open, and he does not care about being detected afterwards. In this case, therefore, by succeeding in the first stage of development of the stealth attack, the adversary fulfills his tasks.

Figure 1 represents an external cyber attacker that transmits the attack to the CI, mainly targeting the communication networks and the system’s critical nodes. This first phase of the attack is the least intrusive stage of the attack, since sometimes the only aim of the adversary is to achieve this phase undetected. In a second step, the adversary achieves the execution of the attack within the CI itself; this execution could result in vast damage or compromised information, since the adversary remains unnoticed while extracting information or damaging the equipment. The last stage of the attack represented in the figure is the propagation of the attack to other nodes or to other connected infrastructures. The successful achievement of this step reveals a highly sophisticated attack, launched by skilled adversaries, with good knowledge of the victim system.

However, the criticality of the attack depends on the intention of the adversary, i.e., it is not the same to subtract information as to cause irreparable damage to the CIs. Additionally, as we have mentioned, each attack achieves one or several of the aforementioned stages according to the objectives of the adversary, i.e., in the case of industrial spies, they may only want to extract information without being discovered, and without causing any harm to the CIs. In Section 4, we provide a review of the stealth attacks against CIs, indicating the scope of each attack and the intentions of the adversaries.

3 AICAn Taxonomy

In the current literature, there is a wide variety of attack taxonomies and studies on cyber-security for both conventional and critical systems [21, 22, 23, 24]. However, it is important to stress that the majority of these studies do not consider new ways to address recent security problems. For example, Lipson showed in [25] a chronological study of threats carried out since 1980, and most of these threats are still present in modern information systems. This means that the area of security remains open, where more attention needs to be paid by the scientific community, and more specifically, when ICTs are being adopted in critical contexts.

To complement these studies on stealth attacks in critical scenarios, we extend the taxonomy proposed in [21], based on the security properties Availability (A), Integrity (I) and Confidentiality (C), AIC. To this end, we consider the attack taxonomies given by ENISA in [26], F. Skopik et al. in [27] and the security framework for ROLL (Routing Over Low Power and Lossy Networks) specified by the IETF (Internet Engineering Task Force) in [28].

The motivation behind the extension of the taxonomy based on AIC is the fact that, besides being attacked, there are multiple types of anomalies appearing all the time within a critical infrastructure; therefore it is necessary to include certain indicators of anomalies to study the effect they have alone, and when (stealth) attacks are present. In the critical infrastructures field, it is, for example, necessary to discern between infrastructural anomalies and control anomalies:

• Infrastructural Anomalies (InfAn), related to physical events (e.g., pressure, flow, radiation) relative to the critical infrastructure itself and its components.

• Control Anomalies (CAn), corresponding to any unexpected alteration in the control of critical systems caused by Hardware (HW) and Software (SW) faults, errors or intrusion.

• Intrusion Anomalies (IntrAn), associated with those malicious actions within the physical infrastructure or its control systems that cause unforeseen incidents.

• Combinations of the above. For example, an IntrAn can trigger a CAn, or vice-versa; or an IntrAn can produce abnormal changes in the readings’ values causing an InfAn (e.g., a stealth attack).

Given the importance of taking into account the anomalies when detecting intrusion or security gaps, we therefore propose to include a new class within the taxonomy given in [21], denoted here as AICAn and depicted in Figure 2. This new taxonomy comprises the following threat classes:

Most of the stealthy attacks base their strategies on conventional threats against the availability (A), integrity (I) and confidentiality (C) of critical data, its hardware/software resources and users’ information (credentials and roles) [21]. However, as mentioned above, adversaries can also take advantage of existing vulnerabilities or anomalies to attack the critical system’s AIC. For this reason, we propose for this paper a new taxonomy based on AIC plus anomalies, denominated here as AICAn, where, for each category, we identify a subset of threats according to their nature and type:

• Availability: these threats aim to reduce, as much as possible, the accessibility and disposition of resources and information of the system, infringing upon some of the aforementioned SCADA security requirements. These threats can be carried out through a set of actions related to denial of service/distributed denial of service (DoS/DDoS), or physical attacks. Depending on the intentions of the attacker (exhaustion of assets, operational disruption or reduction of functionalities), we identify two sub-categories within the availability property: Resource Availability (RA) and Information Availability (IA).

• Integrity: corresponds to those vulnerabilities exploited to distort critical sections of a node/object or its messages, such as an overflow or implementation attack. Availability attacks may also have a repercussion on the integrity of a node and its assets, thereby violating one of the essential security requirements of a SCADA system. We consider two sub-types of integrity threats: Resource Integrity (RI), and Information Integrity (II). Additionally, if an adversary is capable of manipulating security credentials and roles so as to impersonate the identities of the users or the administrator of the system, a threat to the User Integrity (UI) and Host-User Integrity (HUI) can arise.

• Confidentiality: concerns the adversary’s ability to eavesdrop or deliberately expose sensitive information belonging to configurations or critical data, i.e., information on operational control (commands, alarms or measurements) or information associated with connectivity, routing tables, nodes’ location, existing vulnerabilities, etc. This allows the adversary to carry out subsequent attacks [29], and thus we have to differentiate between Resource Confidentiality (RC) and Information Confidentiality (IC) in our analysis.

• Anomalies: an anomaly is defined as something that deviates from the standard or common. If the system presents a specific set of rules/patterns of behavior, an anomaly would therefore be the introduction of new unknown patterns, or the breach of such rules/patterns. As we have stated, it is possible to identify three anomaly categories: Infrastructural Anomaly (InfAn), Control Anomaly (CAn), Intrusion Anomaly (IntrAn), and any combination of them.

Figure 2: AICAn taxonomy. Availability: Resource Availability (RA), Information Availability (IA). Integrity: Resource Integrity (RI), Information Integrity (II), User Integrity (UI), Host User Integrity (HUI). Confidentiality: Resource Confidentiality (RC), Information Confidentiality (IC). Anomalies: Infrastructural Anomalies (InfAn), Control Anomalies (CAn), Intrusion Anomalies (IntAn), Combination.

All of these threats, especially those related to availability, integrity, confidentiality and intrusion anomalies, can be the origin of the distortion or corruption of assets, destruction of assets, denial of service, information disclosure and eavesdropping [22]. To form the AICAn taxonomy, however, we have to consider the possibility that unforeseen events (anomalies) can also become potential threats, which may open up new security gaps that can be exploited through stealth attacks; or that these events may stem from these attacks as well.

Stealth attacks, as described above, happen in a scenario where the objective of the adversary is not only to successfully perform the attack, but also to do so with a minimal effort, and in a way that hides his existence and activities to the largest possible extent. It is therefore important to identify the methods or weapons employed by the adversaries, which are closely related to the AICAn taxonomy [20]. Firstly, impersonation, which attacks the integrity (I) of the system, and consists in introducing packets with stated originators different from the real originators, which can be performed by spoofing IP addresses or by using communication frequencies that have been assigned to others. This is always supposing that the originator of the impersonation is an honest party.

Secondly, the lies weapon threatens the integrity (I) of the system, where the attacker propagates incorrect information, such as incorrect routing tables. Lastly, overloading, which threatens the availability (A) of the system, is a technique that has been proposed as a possible technique to mount DoS attacks, where the attacker injects invalid messages (messages with violated integrity, replayed messages or junk messages). Technically, overloading is difficult to implement as a stealth attack; nevertheless, it can be quite effective in controlling operations such as route discovery or routing table update.
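As an added illustration, not code from the paper, the following receiver-side filter separates the three invalid message kinds named above (violated integrity, replayed, junk) and counts rejections per claimed source, so that a burst of them can be surfaced as an overloading indicator. The message format (JSON record plus HMAC tag), the shared key, the replay window and the alert threshold are assumptions made for the example.

```python
import hashlib
import hmac
import json
from collections import Counter

# Assumption: receiver and honest senders share this key (constructed example value).
SHARED_KEY = b"constructed-example-key"
# Assumption: how many accepted sequence numbers per source are remembered.
REPLAY_WINDOW = 64


def tag_for(payload: bytes) -> bytes:
    """HMAC-SHA256 tag over the serialized payload (hex digest, as bytes)."""
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest().encode()


def make_message(src: str, seq: int, body: str) -> bytes:
    """Sender side: serialize {src, seq, body} and append its tag after a '|'."""
    payload = json.dumps({"src": src, "seq": seq, "body": body}, sort_keys=True).encode()
    return payload + b"|" + tag_for(payload)


class OverloadFilter:
    """Receiver side: reject the three invalid message kinds and count them per source."""

    def __init__(self):
        self.seen = {}             # src -> set of recently accepted seq numbers
        self.rejected = Counter()  # (src, reason) -> number of rejected messages

    def classify(self, raw: bytes):
        """Return (verdict, src); verdict is 'accepted', 'junk', 'integrity' or 'replay'."""
        # Junk: no tag separator, or a payload that is not the expected JSON record.
        parts = raw.rsplit(b"|", 1)
        if len(parts) != 2:
            return "junk", None
        payload, tag = parts
        try:
            msg = json.loads(payload)
            src, seq = str(msg["src"]), int(msg["seq"])
        except (ValueError, KeyError, TypeError):
            return "junk", None
        # Violated integrity: the tag does not verify, so content was altered or forged.
        if not hmac.compare_digest(tag, tag_for(payload)):
            return "integrity", src
        # Replayed: a sequence number this source already had accepted.
        window = self.seen.setdefault(src, set())
        if seq in window:
            return "replay", src
        window.add(seq)
        if len(window) > REPLAY_WINDOW:   # bounded memory: forget the oldest seq
            window.discard(min(window))
        return "accepted", src

    def process(self, raw: bytes) -> str:
        verdict, src = self.classify(raw)
        if verdict != "accepted":
            self.rejected[(src or "unknown", verdict)] += 1
        return verdict

    def suspicious_sources(self, threshold: int):
        """Claimed sources whose total rejected-message count reaches the threshold."""
        totals = Counter()
        for (src, _reason), n in self.rejected.items():
            totals[src] += n
        return sorted(src for src, n in totals.items() if n >= threshold)


def run_demo():
    """Constructed traffic: one honest reading, then a replay, a tampered copy and junk."""
    f = OverloadFilter()
    honest = make_message("rtu-7", 1, "pressure=4.2")
    tampered = honest.replace(b"4.2", b"9.9")   # payload changed, old tag kept
    stream = [honest, honest, tampered, b"\x00\xffnoise", b"not json|deadbeef"]
    verdicts = [f.process(m) for m in stream]
    return verdicts, f.suspicious_sources(2)


if __name__ == "__main__":
    print(run_demo())
```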

4 Classification of Cyber Stealth Attacks

Stealth attacks can be categorized according to several parameters. In our review of the literature, we find there are five types of stealth attacks depending on the objective of the adversary: (i) disconnection and goodput reduction [20], (ii) active eavesdropping [20], (iii) scanning and probing [30], (iv) covert and side channel exploitation [31, 32, 33], and (v) code injection [34, 33].

4.1 Disconnection and Goodput Reduction

In this first type of attack, the adversary wishes to disconnect the network (partition the network or isolate particular nodes) or degrade its operation (its goodput). Here, the adversary does not need to control the nodes, but only needs to make them inadvertently get involved in the attack by tricking them into modifying their behavior (e.g., modifying their routing tables incorrectly) to cause disruption. This attack implies a threat to the availability and sometimes the integrity of the victim system, constituting a risk to the IA, RA and RI according to the AICAn taxonomy; also, these threats indicate possible anomalies in the infrastructure regarding confidentiality (CAn) and due to the intrusion itself (IntrAn).

An attacker may disconnect a victim in several ways, e.g., M. Jakobsson et al. [20] provide different variations of the disconnection attack in wireless mobile networks, where the power consumption of the devices is critical to their operation:

• Disconnection due to the unreachability of the nodes: the adversary disconnects the victim nodes, making the other nodes believe they are unreachable (attack against the IA, RA). This attack has several variations, implementing different degrees of stealthiness by using these methods:

– The adversary routes considerable amounts of traffic through the victim until it runs out of power. This attack is based on the cost that sending messages has in terms of the battery power consumed.

– The adversary attacks all the known neighbors of the victim node, making their batteries run out of energy. This causes disconnection as well, but it can be overcome by moving into another neighborhood.

– The adversary routes traffic to the victim node and its neighbors, causing a portion of the messages to be dropped due to insufficient bandwidth. This version of the attack takes into account the response of a router trying to reach a node several times, and then concluding that the node is disconnected.

• Removal of an entry in the routing table: here, the adversary disconnects a node by removing its entry in the routing tables of the network, making the victim node “disappear” (attack against the IA, RA, RI). It is also possible that the attacker forges the route discovery messages to convince the source node and other legitimate nodes that no route to the victim can be found.

• Goodput reduction: the disconnection of one or more nodes usually implies a reduction of the goodput of a network. The adversary can disconnect a large number of nodes, corrupt a large enough number of routing tables to increase the de facto traffic through each node, or degrade the power supplies of a large enough portion of the routers, virtually disabling them. This constitutes attacks against the IA, RA and RI of the AICAn taxonomy.

Stealthy implementation of these procedures allows a low exposure of the adversary during the attack. What we have previously discussed are stealth versions of the common DDoS attack [20]. Regarding stealth DoS, there are several ways of performing this type of attack; for example, M. Jakobsson et al. provided an overview of how it can be carried out against different types of wireless networks in [20, 35].

4.2 Active Eavesdropping

This second type of stealth attack comprises the modification of the routing information to hijack traffic from and to selected victim nodes [20]. Here the attacker can perform traffic analysis and selective filtering of packets without the knowledge of the victim, to actively eavesdrop on him and modify his behavior, e.g., making nodes of the network “disappear” and detouring the network traffic through compromised nodes. This attack usually threatens the confidentiality of the system (IC, RC), thus we usually see the activation of the indicator CAn in the presence of eavesdropping attacks. Sometimes it also introduces risks to the availability or integrity (IA, RI).

The simplest way to achieve this attack is to corrupt the routing tables of nodes on the path between a victim and the sender/receiver. The attacker can remove correct routing table entries and add incorrect ones in order to force rerouting [20]:

• For incoming traffic, i.e., packets going into the victim, the attacker forces all incoming traffic to be sent through a node he has previously corrupted. To receive traffic only from certain sources, the attacker can selectively tamper with the routing tables, allowing only those entries that are useful to the attacker to remain correct.

• For outgoing traffic, i.e., packets sent from the victim to another node in the network, the attacker modifies the routing tables of the victim and/or the routing tables of the nodes close to the victim, forcing traffic to be rerouted through a corrupted node.

To corrupt the routing tables of the network, the adversary can use the very tools of the routing protocols. The attacker can propagate routing tables where the entries are modified; another option is to make use of the route discovery process of the network to include new routes or report route errors, in order to tamper with the routing tables.

4.3 Scanning and Probing

Scanning is a method for discovering exploitable communication channels. It implies a previous reconnaissance of the network or a particular host [30]. The objective of port scanning is to determine which ports of the system are open, and through them obtain valuable information; e.g., which services are running on the system that are available to the attacker, what services of the operating system are being used, parameters such as IP and MAC addresses, topological information, etc. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful to your particular need [36].

These types of attacks are the least dangerous in terms of threats to the AICAn of the system, and hence to its correct operation, but they present a threat to the confidentiality of the resources (RC) and they can serve as a precursor to more powerful and disruptive attacks, thus they need to be always considered and monitored. C. Yin et al. [37] state that the port scan is at the beginning of the process of intrusion, and there are varied techniques to scan the system, e.g., stealth scan, fragmentation scan, changes of scan order, slow scan, randomizing inter-probe timing, scan with forged address or distributed scan. G. Lyon states in [36] that several techniques have been developed over time for surveying the protocols and ports on which a target machine is listening.

During a normal TCP connection, the source initiates the connection by sending a SYN (synchronize) packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK (synchronize/acknowledgment) packet. The client initiating the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST (reset) packet. Most system logs do not log completed connections until the final ACK packet is received from the source [38].

To scan the system, this standard behavior is modified in different ways. Here, we describe some of these variations, in order of degree of stealthiness:

• TCP connect() scanning: the most basic form of TCP scanning, where the connect() system call of the operating system is used to open a connection to every interesting port on a machine. If the port is listening, the connect() call will succeed; otherwise the port is unreachable. This technique is fast and does not need any superuser permissions; however, it is easily detectable and filterable, since the target node will log the connection and error messages when the adversary initiates the connection to the port service and immediately shuts it down.

• TCP SYN scanning: sometimes referred to as half-open scanning, since the TCP connection is not fully opened. The attacker sends a SYN packet, as would happen to open a real connection, and waits for a response. The response can be a SYN/ACK packet if the port is listening, or a RST packet if the port is not listening. When the adversary receives a SYN/ACK packet, he sends a RST packet to tear down the connection. This attack needs superuser permissions to build the SYN packets. The advantage of this attack is that systems do not usually log these kinds of attempts at communication; however, it is easily detectable if the firewalls are configured to detect SYN packets targeting restricted ports.

• TCP FIN scanning: increasing the level of stealthiness, the FIN (finalize) scanning technique [39] is based on the idea that closed ports respond to FIN packets with RST packets, while open ports ignore them. The FIN scan’s stealth packets are unusual because they are sent to a device without first going through the normal TCP handshaking. Nevertheless, there are some systems that are not vulnerable to this type of scan, because they respond to a FIN packet with an RST packet regardless of the current state of the port.

• Christmas scan: this type of scanning technique sends a TCP packet to a remote device with the SYN, FIN, ACK flags set. This is colloquially called a Christmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), like the lights of a Christmas tree. Similar to the FIN scan, a closed port responds to this packet with an RST packet, and an open port ignores it.

• Null scan: the adversary creates a TCP packet with all the TCP flags off. This is a type of packet that never occurs in the real world. As in the previous two situations, an open port receiving this kind of packet ignores it, and a closed port responds with an RST packet.

These last three attacks are denominated stealth scan attacks [38], because they do not usually generate a log entry on the scanned host, and they allow an attacker to determine which ports are open on a target node without being detected by the host operating system. Many attacks in the literature use stealth scans and probes as a first stage in reconnaissance to gain insight into the characteristics of the system, to later trigger a more sophisticated and informed attack.
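Since the scanned host itself logs none of these probes, detection has to happen on the wire. The following Python detector is an added example, not code from the paper: it tracks the three-way handshake per (client, server, port) so that a SYN answered by RST, a SYN/ACK torn down with RST instead of the final ACK, or a FIN, Christmas or Null packet arriving outside any established connection is counted as a probe, and it raises one alert per source once a threshold of distinct ports has been probed. The addresses, ports and packet trace are constructed; the flag byte 00101001 quoted in the text is applied bit by bit (FIN, PSH, URG) as the Christmas pattern.

```python
"""Detect half-open (SYN) and stealth (FIN, Xmas, Null) TCP scans in a packet trace."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the flags byte (bit 0 = FIN ... bit 5 = URG).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0x29 == 0b00101001, the flag byte quoted in the text


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    sport: int   # source port
    dport: int   # destination port
    flags: int   # TCP flags byte


def classify_flags(flags):
    """Probe type implied by a packet arriving outside any connection, or None."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == XMAS:
        return "xmas"
    return None


class StealthScanDetector:
    """Counts distinct ports probed per source; alerts when a threshold is reached."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.pending = {}            # (client, server, port) -> handshake state
        self.established = set()     # (client, server, port) after the final ACK
        self.probed = defaultdict(lambda: defaultdict(set))  # src -> kind -> ports
        self.alerts = []             # (src, kind, sorted ports), once per (src, kind)

    def _count(self, src, kind, port):
        ports = self.probed[src][kind]
        ports.add(port)
        if len(ports) == self.threshold:
            self.alerts.append((src, kind, sorted(ports)))

    def feed(self, p):
        key = (p.src, p.dst, p.dport)    # the flow as seen from the connecting client
        rkey = (p.dst, p.src, p.sport)   # the same flow when the server is replying
        if p.flags == SYN:               # connection attempt, real or half-open
            self.pending[key] = "syn_sent"
        elif p.flags == SYN | ACK and self.pending.get(rkey) == "syn_sent":
            self.pending[rkey] = "syn_acked"
        elif p.flags == RST and self.pending.get(rkey) == "syn_sent":
            del self.pending[rkey]       # closed port answered the SYN: still a probe
            self._count(p.dst, "syn", p.sport)
        elif self.pending.get(key) == "syn_acked":
            del self.pending[key]
            if p.flags == ACK:           # genuine three-way handshake completed
                self.established.add(key)
            elif p.flags == RST:         # half-open scan: RST instead of the final ACK
                self._count(p.src, "syn", p.dport)
        else:                            # FIN / Xmas / Null with no handshake at all
            kind = classify_flags(p.flags)
            if kind and key not in self.established and rkey not in self.established:
                self._count(p.src, kind, p.dport)


def scan_trace(packets, threshold=3):
    """Run the detector over a packet list and return the alerts raised."""
    det = StealthScanDetector(threshold)
    for p in packets:
        det.feed(p)
    return det.alerts


# Constructed trace; addresses are from documentation/private ranges, not real hosts.
SERVER, CLIENT, SCANNER_A, SCANNER_B = "192.0.2.10", "10.0.0.5", "10.0.0.66", "10.0.0.77"
TRACE = [
    # legitimate client: full handshake on port 80, later an orderly FIN/ACK
    Packet(CLIENT, SERVER, 40000, 80, SYN),
    Packet(SERVER, CLIENT, 80, 40000, SYN | ACK),
    Packet(CLIENT, SERVER, 40000, 80, ACK),
    Packet(CLIENT, SERVER, 40000, 80, FIN | ACK),
    # half-open scan: SYN/ACK torn down with RST on 22 and 80; closed 502 answers RST
    Packet(SCANNER_A, SERVER, 50001, 22, SYN),
    Packet(SERVER, SCANNER_A, 22, 50001, SYN | ACK),
    Packet(SCANNER_A, SERVER, 50001, 22, RST),
    Packet(SCANNER_A, SERVER, 50002, 80, SYN),
    Packet(SERVER, SCANNER_A, 80, 50002, SYN | ACK),
    Packet(SCANNER_A, SERVER, 50002, 80, RST),
    Packet(SCANNER_A, SERVER, 50003, 502, SYN),
    Packet(SERVER, SCANNER_A, 502, 50003, RST),
    # FIN scan with no handshake, plus a single Null probe below the threshold
    Packet(SCANNER_B, SERVER, 60001, 21, FIN),
    Packet(SCANNER_B, SERVER, 60002, 23, FIN),
    Packet(SCANNER_B, SERVER, 60003, 25, FIN),
    Packet(SCANNER_B, SERVER, 60004, 102, 0),
]
```

Running scan_trace(TRACE) flags the half-open scanner and the FIN scanner while the legitimate client, whose FIN follows a completed handshake, raises nothing; slow or distributed scans spread the probes across time or sources and need a longer window or per-destination counting than this sketch keeps.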

I. Dainotti et al. [40] provide a study on stealth scans carried out by botnets, in a coordinated and distributed infrastructure, targeting critical voice communications infrastructures. This scan attack is called sipscan and probes each target IP address with two packets: (1) a UDP packet sent to port 5060 carrying a Session Initiation Protocol (SIP) header, and (2) a TCP SYN packet that attempts to open a connection on port 80. This attack is usually the first step in a more sophisticated attack, where the attacker sends malware that infects the nodes of the network to make them act to profit the adversary.

4.4 Covert and Side Channel Exploitation

A side channel attack is very powerful in practice [41]. Here the adversary measures side channel information and is able to recover very sensitive information about the functional behavior of a system, without utilizing its dedicated interface [31]. Side channel attacks exploit the external manifestations of the system, like processing time, power consumption and electromagnetic emission, to identify the internal computations [32]. This type of attack represents a threat to the confidentiality of the resource (RC) and, in the particular case of side channel attacks that induce faults in the system, the anomaly indicators that are activated are InfAn, CAn and IntrAn.

The aim of side channel attacks is usually to identify a “leakage” or source of secret data (side-channel analysis), where the attacker can use the results of this information to identify weaknesses in the system. The different types of side channel attacks are: timing attacks, power analysis attacks, electromagnetic analysis attacks, fault induction attacks, optical side channel attacks, and traffic analysis [31]:

• Timing attack: the adversary analyzes the running time of the system in order to extract knowledge about the type of computations and the parameters used. The main targets of timing attacks are cryptographic systems.

• Power analysis attack: here, the adversary measures the power consumption of the system to extract knowledge about it. There are several types of power analysis attacks, mainly targeting cryptosystems, which employ different methodologies and levels of sophistication to obtain the information; e.g., simple power analysis, differential power analysis or correlation power analysis.

• Electromagnetic analysis attack: this kind of attack implies the analysis of the electromagnetic variations of a system by the adversary. There are several types of electromagnetic attack which target very different kinds of systems; however, this kind of attack is most often designed for constrained cryptosystems.

• Fault induction attacks: the induction of faults in the system can result in erroneous operations that can shed some potentially valuable information about its operation.

• Optical side channel attacks: here the adversary is capable of retrieving information via the light emission from the monitors and LEDs (light-emitting diodes) of a system. There are different kinds of displays and LEDs, and the information that can be extracted from them is varied.

• Traffic analysis attacks: this kind of attack provides the adversary with information about the topology of the network, through the analysis of the traffic flows.

A variation of a side channel attack is the use of covert channels [33], where there is a hidden connection between the transmitter and the receiver, thus there is a chance to extract or send valuable information through the channel without the system noticing. There are two types of covert channels: (i) communicating extra information to a host, and (ii) hiding the fact that the communication to a host exists [34]. Covert channels usually take advantage of places where random data is naturally transmitted, thus the encrypted information can be transmitted replacing this data. This technique is sometimes referred to as piggybacking [42], where the messages are hidden within the regular messages of the network. There are many varied ways of implementing covert channels, and the targets are multiple. However, the commonality behind this type of attack is its dangerousness and its potential to induce multiple threats within the victim systems, targeting most AICAn variables. According to N. Tomar et al. in [33], the following vulnerabilities can favor covert channels:

• Virus and malware: software such as viruses and Trojan horses can be introduced inside the victim’s system, to perform activities such as capturing packets and injecting scripts into the victim’s programs.

• Important resources: resources such as system files, disks, RAM, etc. are valuable to attackers, and vulnerable due to their criticality in the normal operation of the system.

• Data sensitivity: within the system coexist data with different degrees of sensitivity. The most sensitive data is the most interesting information to attackers, and thus the target of covert channel exploitation.

• Vulnerable protocols: several protocols implemented by CIs are not properly secured, or do not implement security mechanisms such as authentication (e.g., Modbus [43]). To protect the systems against covert channel attacks, it is important to strengthen their security.

• Design robustness: covert channels take advantage of principally two vulnerabilities of the system: design oversight, and weaknesses due to the system’s design. Design oversight-derived vulnerabilities are unintentional and unforeseen; however, weaknesses inherent in the system’s characteristics are strong obstacles to the security of the system and provide a way of access for covert channels.

• Packet headers: as seen in [34], covert channels can be embedded in TCP and IP header fields, with very different objectives and functionalities.

• Super user permissions: an attacker can take advantage of an unintentional, careless or default assignment of super user permissions to processes, to create a covert channel.

• Handshake trials: communication protocols usually have handshake procedures to start the transmission of information. Some attackers use handshake trials to transfer information in an unnoticed way.

• Public resources: resources that are shared in the network, such as printers or hard drive disks, are vulnerable to attacks if they are not protected by security mechanisms.

• Authentication: as we have previously seen, some protocols and systems lack adequate authentication mechanisms, such as Modbus, DNP3 or ICCP [43]. This adds multiple vulnerabilities to the unprotected systems, among them, the use of covert channels by an attacker.

Most of these attacks introduce, as we have described, a wide range of AICAn threats, e.g., the attacks that exploit flaws or use malware are capable of threatening the availability (IA, RA) and the integrity of the system (II, RI), as well as compromising the integrity of the user and the host (UI, HUI); the confidentiality of the system can also be compromised (IC, RC), activating the CAn and sometimes the IntrAn indicators.

4.5 Code Injection

A code injection-based attack consists in introducing or “injecting” tainted or illegitimate code within a computer program, in order to alter its outputs or change its course of execution [44], and cause different effects, e.g., compromise sensitive data, execute malware, etc. These attacks pose a threat to multiple variables of the AICAn taxonomy, allowing the adversary to interfere with the AIC of the system, and insert CAn and IntrAn anomalies.

Depending on the targeted system’s characteristics and the degree of stealthiness intended in the attack, it can be performed using two main channels: system vulnerabilities, and malware infection (i.e., infecting the system with malware, viruses or Trojan horses). Injections exploiting design vulnerabilities appear when system designers and developers make incorrect assumptions about the use of the system’s services, e.g., (i) the input characters of a field will always be the regular and required ones (e.g., no colons, numbers or quotation marks are expected); (ii) the input of a field will never exceed a pre-determined size; (iii) the numeric values introduced as inputs in a system will always stay between the upper and lower bounds expected; (iv) the client-supplied values cannot be modified by the adversary (e.g., cookie poisoning attack [45]); (v) it is safe to take pointers or array indexes from the requested input; (vi) the input will never provide false information or fake values (e.g., the size of a file); etc. [46].

On the other hand, malware can also pose successful and potentially harmful threats when implementing injection attacks (e.g., Stuxnet [14], Duqu [17], etc.). There are multiple types of code injections, and several ways of classifying them. We have decided to categorize them according to the target they are designed to inject, thus these attacks can be roughly summarized into the following four categories:

• Database injection: the injections performed by the adversary to corrupt the databases of the system, or retrieve valuable information from them, without having the proper credentials to access the system. Database injections compromise the AIC of the system (IA, RA, II, RI, IC and RC) and activate the CAn and IntrAn anomaly indicators. The most well-known attacks in this category are the SQL injection attacks [35].

• Command injection: also known as shell injection attacks [47], can occur when the system allows software to execute a command line. Therefore the attacker can make the system execute commands or functions to carry out unwanted tasks. This type of attack allows the attacker to threaten the AIC of the system (IA, RA, II, RI, IC and RC) and of the user (UI, HUI), in addition to introducing the CAn and IntrAn anomalies.

• Website injection: the set of attacks that take advantage of flaws existing within websites, browsers or web applications that allow the adversary to introduce code and execute unwanted actions in an otherwise trusted environment (threatens AICAn like the previous attack). The most well-known attack within this category is cross-site scripting (XSS), which occurs when the adversary exploits a flaw detected on a web server to inject some code in the server, for his own use [48, 49]. Related attacks are Cross-Site Request Forgery (CSRF) [50], where the adversary forces the victim to execute unwanted actions on a web application in which he is currently authenticated; or Server-Side Includes (SSI) Injection [51], where the attacker introduces scripts in HTML pages or executes arbitrary code remotely.

• OS injection: comprises those attacks that target the stack, heap, pointers or internal variables determining the behavior of the system. Code injection at this level can make the operating system (OS) execute unwanted routines and procedures, inserted in the OS’s running processes through the modification of the system variables to point to external code introduced by the attacker [52]. They threaten the AICAn as does the previous attack.

In a critical context, these attacks can target different parts of the infrastructure, namely the corporate networks, the SCADA center and the remote substations. The first are based on local area networks connected to the SCADA to gain access to critical data streams on SCADA servers, and are vulnerable to injections designed for conventional networks. The SCADA center is in charge of constantly monitoring the infrastructures through distributed substations. The remote substations are control sub-networks based on field devices (sensors, actuators) and communication interfaces (PLCs, gateways, etc.) in charge of sending sensorial measurements to the SCADA center. The SCADA center and the remote substations are vulnerable to injections specifically designed to target industrial devices and protocols.

Code injection attacks usually tend to implement some degree of stealthiness, since the adversary usually aims to retrieve valuable information from the system, or to force a desired (malicious) behavior without the end user being alerted. The actual level of stealthiness depends on the objective of the attacker, and also on the way the injection is tailored to the targeted system. According to Figure 1, it is possible to evaluate the degree of stealthiness of a given attack (in the communication, execution and transmission phases) and assess the potential threats and risks it poses.

4.6 Assessment of Stealthiness

We can differentiate two main kinds of behaviors in cyber stealth attacks: the reconnaissance-based attacks and the attacks with disruptive or tampering objectives. These two main groups differ in the threats they pose to the correct operation of the CIs in terms of the AICAn taxonomy. Attacks with reconnaissance objectives, e.g., scanning and probing, or side channel attacks, are characterized by an adversary who tries to gather as much information as possible from the victim system, without being discovered in the communication phase (see Figure 1). In the case of this type of adversary behavior, the properties of the AICAn that are affected are usually related to the confidentiality, specifically the confidentiality of the resources (RC). In some of the cases, the attack is capable of retrieving certain information from the system, thus the IC property of the AICAn is compromised.

Some of the reconnaissance attacks might cause disruptions in the victim system, when the attacker intentionally induces faults to obtain information; in this case, the availability of the system can be affected, i.e., the IA and RA properties of the AICAn taxonomy, and the anomaly indicators InfAn, CAn and IntrAn could be activated. Let us take a simple example, the TCP connect() scanning attack, where the attacker probes the ports of the system in search of useful open ports. This attack does not cause any disruption to the victim system; however, the adversary is able to extract information about it, using just the communication phase of the attack to his own benefit. The information discovered in the reconnaissance attacks can be used by the adversary to launch more sophisticated attacks in a later step, using the knowledge acquired in the reconnaissance. The level of stealthiness achieved by this first group of attacks is determined by the stealthiness of its communication phase; i.e., whenever the adversary implements the attack in such a way that the victim system’s warning mechanisms are not triggered by the reconnaissance actions, the attack can be categorized as stealthy.

Our second category of attacks, those with disruptive or tampering objectives, are characterized by an adversary who tries to achieve all the phases of the attack, i.e., communication, execution and sometimes propagation, stealthily. These attacks are much more complex, requiring highly skilled and informed attackers, capable of communicating with the system and executing the attack and, if desired, propagating it to infect other components or target systems. Due to the possibilities they offer to the attacker, they are very dangerous to the victim system in terms of AICAn, because they can potentially disrupt all the AIC properties of the system and trigger all the different types of anomalies. The most representative attacks in this category are covert channel attacks and code injections.

To evaluate the level of stealthiness of a given attack it is necessary to evaluate each phase of the attack in order to determine if all of them are stealthy, and if the defensive mechanisms (e.g., Intrusion Detection System (IDS)) of the victim are not alerted by the attacker’s actions. As an example, we consider a code injection attack where the adversary’s objective is to stealthily achieve the three phases of the attack. Firstly, in the communication phase of the attack, the adversary can exploit vulnerabilities detected in the target system, or can make use of malware (viruses, Trojan horses, etc.).

Both methods open the door to performing code injection stealthily if the attacker specifically designs the attack to avoid triggering the defense mechanisms of the victim system. Therefore the injection attack is considered stealthy at the communication stage if the vulnerability exploitation or the malware communication is stealthy. An example of this first phase is the exploitation of the industrial communication protocols used in the CIs, e.g., the Modbus TCP protocol, commonly used in SCADA and DCS (Distributed Control System) networks for process control, which does not provide authentication of the source of a request. This provides an adversary with a chance to attempt to gather information on the system being controlled and about the PLC [53].

In the second phase, the execution of the injected code (see Figure 1), the level of stealthiness achieved depends on the implementation of the attack and on the defense mechanisms available in the targeted system. If the attack is designed to perform its tasks in a way that avoids triggering any alarm, and the security mechanisms implemented are not finely tuned to detect this kind of attack, the injection can be considered stealthy in its execution stage. To illustrate this assessment in the context of critical infrastructure protection (CIP), we analyze the Modicon M340 PLCs from Schneider Electric, which have a disclosed vulnerability to CSRF attacks [54]. These devices incorporate a web server interface that processes requests from clients about the underlying infrastructure. However, the web server does not implement security mechanisms to verify their authenticity, thus an adversary could trick a client into sending an unintentional request to the web server, which would be considered authentic [55].

The injected commands could be sent to the PLC through a specially crafted HTTP request, for example, sending the victim a request embedded in an image <img src="http://plc-web-server.com/?query string"/>, where the query string would request the server to perform some malicious action that would be considered legitimate. The adversary could exploit this vulnerability to remotely reset or alter the PLC’s configuration. Lastly, we can assess the stealthiness of the propagation stage of a code injection. Through the exploitation of vulnerabilities, the attack could in some cases be successfully disseminated. However, through the use of malware it is possible to stealthily communicate the injection attack to other victims, as we have seen in the Stuxnet worm [14], or its variation Duqu [17], which were specifically designed to attack a particular PLC manufactured by Siemens, and infect numerous network devices without leaving evidence of the attack.
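The forged image request succeeds only because the PLC's web server treats any request carrying the browser's ambient credentials as authentic. As an added example (not the vendor's code nor code from the paper), the following Python sketch shows the server-side checks that close that gap: a state-changing action is refused over GET, must arrive from the PLC's own origin, and must carry a token bound to the authenticated session. The host name plc-web-server.com comes from the text; the action names, the Request and Session types and the authorize() function are assumptions made for the example.

```python
"""Server-side checks a PLC web interface can apply to reject forged (CSRF) requests."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

PLC_HOST = "plc-web-server.com"                        # host name from the text's example
STATE_CHANGING = frozenset({"reset", "write_config"})  # constructed action names


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)   # body parameters of a POST


class Session:
    """Authenticated browser session holding the secret the CSRF token is derived from."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)

    def csrf_token(self):
        # Bound to this session; a page served from another origin cannot read it.
        return hmac.new(self.secret, b"csrf-token", hashlib.sha256).hexdigest()

    def token_matches(self, presented):
        return presented is not None and hmac.compare_digest(self.csrf_token(), presented)


def requested_action(req):
    """Action named in the query string (GET) or the form body (POST), if any."""
    query = parse_qs(urlparse(req.url).query)
    return query.get("action", [None])[0] or req.form.get("action")


def authorize(req, session):
    """Return (allowed, reason) for a request reaching the PLC's web server."""
    if requested_action(req) not in STATE_CHANGING:
        return True, "read-only request"
    # 1. A browser loading <img src=...> always issues GET, so refusing to act on GET
    #    defeats the image-embedded request by itself.
    if req.method != "POST":
        return False, "state-changing action requested over GET"
    # 2. The Origin header (Referer as fallback) must name the PLC itself.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None or urlparse(origin).hostname != PLC_HOST:
        return False, "cross-origin request"
    # 3. The form must carry the token the PLC issued to this very session.
    if not session.token_matches(req.form.get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "same-origin request with a valid CSRF token"


def demo():
    """Constructed requests: the forged image request from the text and a proper one."""
    session = Session()
    forged = Request("GET", f"http://{PLC_HOST}/?action=reset",
                     headers={"Referer": "http://third-party.example/"})
    proper = Request("POST", f"http://{PLC_HOST}/", headers={"Origin": f"http://{PLC_HOST}"},
                     form={"action": "reset", "csrf_token": session.csrf_token()})
    return authorize(forged, session), authorize(proper, session)
```

The three checks are independent, so a deployment that cannot change the firmware's URL scheme still gains from enforcing the origin and token checks in a gateway in front of the PLC.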

Therefore, we conclude that cyber attacks with disruptive or tampering objectives can be stealthily carried out through the three phases illustrated in Figure 1. We also stress that these types of attacks should be classified as very dangerous to ICSs, since the adversary could launch a potentially harmful attack that executes malicious actions and propagates its effects without being noticed, threatening not only a CI, but spreading the threat to other dependent or interconnected targets.


Table 1: Cyber stealth attacks and their relation with AICAn

Category Stealth Attacks Stealthiness IA RA II RI UI HUI IC RC InfAn CAn IntrAn

Disconnection and Goodput Reduction

Unreachability of the nodes ◦ 4 4 4

Removal of entries in routing tables ◦ m 4 4 4 4

Goodput reduction ◦ m L L 4 4

Active Eavesdropping

Traffic hijacking ◦ m U U 4 U 4

Modification of the routing tables ◦ m U U 4 U 4

Scanning and Probing

TCP connect() scanning ◦ 4

TCP SYN scanning ◦ 4

TCP FIN scanning ◦ 4

Christmas scan ◦ 4

Null scan ◦ 4

Side-Channel Exploita-tion

Timing attack ◦ 4

Power analysis attack ◦ 4

Electromagnetic analysis attack ◦ 4

Fault induction attack ◦ 4 4 L 4

Optical side channel attack ◦ 4

Traffic analysis attack ◦ 4

Covert Channel Ex-ploitation

Due to virus and malware ◦ m l U U U L L 4 4 L UTargeting important resources ◦ m L U L U 4 4 L LTargeting sensitive data ◦ m L L 4 4 UUsing vulnerable protocols ◦ m l U L 4 4 4 4 4

Using design flaws ◦ m l U U 4 4 L L 4 4 4

Using packet headers ◦ m 4 4

Using super user permissions ◦ m l L U U 4 4 4 4

Using handshake trials ◦ m 4 4

Using public resources ◦ m 4 4 4 L 4 4 4

Using lack of authentication ◦ m U U L L 4 4 4 4 4 L

Code Injection

Database injection ◦ m 4 4 4 4 4 4 4 4

Command injection ◦ m l 4 4 4 4 4 4 4 4 4 4

Website injection ◦ m l 4 4 4 4 4 4 4 4 4 4

OS injection ◦ m l 4 4 4 4 4 4 4 4 4 4

◦: stealthy communication of the attack. m : stealthy execution of the attack. l : stealthy propagation of the attack.4: the threat violates a security property ofAICAn.

L: the threat is likely to break a securityproperty of AICAn.

U: the threat is unlikely to break a sec. prop-erty of AICAn.

Table 1 summarizes the contents that have been reviewed in this section, providing a tentative analysis of the threats that stealth attacks pose to CIs in relation to the AICAn taxonomy. In this table, divided into targeted areas and threat categories, it is possible to observe that attacks are closely related to one another, since attackers, irrespective of their modus operandi, generally base their goals on the execution of a set of combined threats to the AIC of the system, as discussed previously. The AICAn analysis is based on the discussion, by a group of experts, of the impact on AICAn by different implementations of each stealthy attack listed. It is important to note that the assignment of likelihood in this table is determined by the different implementations of each of the selected stealth attacks, and may vary if other examples are taken into account. However, we believe this study shows an interesting overview on the impact of stealth attacks on CIs from the point of view of AICAn. From Table 1 we can conclude that most of the stealth cyber attacks focus on altering the integrity of the information of the system, possibly inducing threats to the availability of resources and information, and consequently causing control anomalies.

Additionally, some of the more sophisticated attacks expand their scope to also exploit the system's vulnerabilities in order to alter the integrity and confidentiality of the resources and information, and introduce the possibility of impersonation (UI and HUI compromising), producing CAn and IntrAn anomalies. From this table, we conclude that most of these attacks focus on the exploitation of the vulnerabilities associated with control and also those vulnerabilities intentionally produced by intruders. We also note that threats classified as covert channel exploitation and code injection can become potentially harmful threats to CIs, since they can compromise or degrade a wider range of security properties necessary for the good operation of critical systems, endangering the availability, integrity and confidentiality of these systems.


5 Countermeasures and Prevention Mechanisms Against Stealth Attacks

Given the restrictive nature of stealth attacks, where the adversary wants to carry out his actions unnoticed, they must be very precise and tailored to the target system. Therefore, the defense mechanisms and the countermeasures applied must always take into account the environment of the system that is being protected. In this section we discuss measures that counteract stealth attacks equivalent to those discussed in Section 4 in general-purpose networks, which are applicable to critical settings with the adequate adaptations to fit the constrained environment of CIs, e.g., protocol reinforcements, introduction of additional equipment within the network, physical measures, etc. An extensive review of the literature provides two main lines of action for the protection of CIs: avoidance mechanisms (passive protection) and detection and recovery mechanisms (active protection). We devote this section to providing some ideas about how to protect the systems or minimize the effects of these stealthy attacks.

Avoidance mechanisms are put into place to prevent threats and reduce risks, while detection and recovery provide early detection and warning against attacks, and help restore the system to its original working state, palliating the effect of anomalies or attacks. These protection mechanisms are applied to counteract the weapons used to perform the attacks. The most threatening of the weapons under consideration, i.e., the one with the least visibility and cost, is the use of impersonation. The use of lies is a weapon with a lower degree of stealthiness than impersonation; however, it is also threatening if the attacker uses it to propagate incorrect information to corrupt the targeted system. Overloading has the lowest degree of stealthiness; nevertheless, a skilled adversary could make use of it to collapse a subsystem of a CI without drawing the attention of the system administrators.

In general terms, it is possible to employ different methods to counteract these weapons; the main avoidance mechanisms that can be used are: cryptography, standardization and reputation mechanisms. Apart from these, when addressing each different attack, it is possible to apply specific countermeasures, either active or passive protection. The use of cryptographic authentication methods improves resistance against stealth attacks, since cryptographic authentication is harder to forge than IP addresses, etc. It is also important to note that in the field of CIP, the most-used protocols (e.g., Modbus [53]) still lack authentication mechanisms, something that is advantageous to the attacker [35]. Additionally, the naturally scarce resources such as bandwidth, storage, computation capabilities or power provide the adversaries with targets to easily bring down the operation of the network.

Nevertheless, the implementation of cryptography in constrained systems is challenging, thus it is necessary to consider the use of lightweight cryptographic primitives for authentication, e.g., symmetric cryptography or elliptic curve cryptography [41]. However, to rely only on authentication is insufficient to thwart stealth attacks, since the corruption of legitimate nodes' behaviors perverts the correct authentication processes [35]. Thus it is necessary to strengthen the authentication process by applying recommended and standard procedures. The IEC-62351-8 standard [56] focuses on the security of remote control substations, and underlines the need to implement access control mechanisms using the technique of Role-Based Access Control (RBAC) together with the restrictive principle of minimum privilege. This principle states that the sole entities able to gain access to logical devices and modify their objects will be those (virtual and physical) entities with the suitable permissions to operate in the field.
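What RBAC with minimum privilege looks like when reduced to code is shown by the following added example; it is not the authors' code and does not reproduce the role set defined by IEC 62351-8. Subjects are assigned roles, roles carry rights, and each assignment is scoped to a logical device, so that an operator entitled to control one feeder gets nothing on another and any operation without a mapped right is denied. The role, right, subject, operation and device names are all assumed for the example.

```python
"""Added example (not the authors' code, and not IEC 62351-8's own role
model): a subject-to-role / role-to-right authorization check scoped per
logical device and denying by default. Role names, rights, subjects,
operations and device names are assumed."""
from typing import Dict, FrozenSet, List, Tuple

# Roles and the rights they carry (assumed names; the standard defines its own).
ROLE_RIGHTS: Dict[str, FrozenSet[str]] = {
    "viewer":   frozenset({"read"}),
    "operator": frozenset({"read", "control"}),
    "engineer": frozenset({"read", "control", "config"}),
}

# Subjects -> (role, logical device) assignments; "*" means every device.
# Constructed sample assignments.
SUBJECT_ROLES: Dict[str, List[Tuple[str, str]]] = {
    "hmi-operator-1":  [("operator", "LD_Feeder1")],
    "field-tech-7":    [("viewer", "*")],
    "maintenance-svc": [("engineer", "LD_Feeder1"), ("viewer", "*")],
}

# Right each operation on a logical device's objects requires (assumed).
OPERATION_RIGHT: Dict[str, str] = {
    "read_measurement": "read",
    "open_breaker":     "control",
    "write_setting":    "config",
}


def rights_on(subject: str, logical_device: str) -> FrozenSet[str]:
    """Union of rights from every role the subject holds on this device.
    Unknown subjects, roles or devices contribute nothing."""
    granted = set()
    for role, scope in SUBJECT_ROLES.get(subject, []):
        if scope in ("*", logical_device):
            granted |= ROLE_RIGHTS.get(role, frozenset())
    return frozenset(granted)


def authorize(subject: str, operation: str, logical_device: str) -> bool:
    """Minimum privilege: allow only when the operation's required right is
    among the subject's role-derived rights on that device; an operation
    with no mapped right is denied rather than allowed."""
    needed = OPERATION_RIGHT.get(operation)
    return needed is not None and needed in rights_on(subject, logical_device)


def decision_line(subject: str, operation: str, logical_device: str) -> str:
    """One log line per decision; denials are recorded too, since a run of
    denied control attempts is itself a signal worth correlating."""
    verdict = "ALLOW" if authorize(subject, operation, logical_device) else "DENY"
    return f"{verdict} subject={subject} op={operation} device={logical_device}"
```

Two design points carry the principle: the rights a subject has are derived only from its roles, never assigned directly, and the default for anything not explicitly mapped (unknown subject, unknown operation, device outside the assignment's scope) is denial.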

To address this, authentication must be based on the assignation of subjects-to-roles and roles-to-rights, restricting the accesses to particular objects developed in substations (e.g., IEC-61850 objects). This difficulty is increased due to the knowledge uncertainty about the honesty of the different hosts. However, several of the aforementioned problems can be palliated (even solved) when deploying reputation mechanisms to protect the networks, so that even if the nodes are compromised by adversaries, the reliability of the system can still be assured. The use of reputation has various advantages, such as the use of collaborative methods, which provides robustness to the design of the network and eliminates the connectivity dependencies between nodes [35].

Table 2: Cyber stealth attacks summary table

Weapons: Impersonation; Lies; Overloading

Category: Disconnection and Goodput Reduction
  Stealth attacks (stealthiness): Unreachability of the nodes (◦); Removal of entries in routing tables (◦ ❍); Goodput reduction (◦ ❍)
  Countermeasures: Cryptography; Reputation mechanisms

Category: Active Eavesdropping
  Stealth attacks (stealthiness): Traffic hijacking (◦ ❍); Modification of the routing tables (◦ ❍)
  Countermeasures: Cryptography; Reputation mechanisms

Category: Scanning and Probing
  Stealth attacks (stealthiness): TCP connect() scanning (◦); TCP SYN scanning (◦); TCP FIN scanning (◦); Christmas scan (◦); Null scan (◦)
  Countermeasures: Stealth probes; Honeypots

Category: Side Channel Exploitation
  Stealth attacks (stealthiness): Timing attack (◦); Power analysis attack (◦); Electromagnetic analysis attack (◦); Fault induction attack (◦); Optical side channel attack (◦); Traffic analysis attack (◦)
  Countermeasures: Hiding timing variations; Blinding techniques; Masking techniques; Protective casing; IDS and validation of computations; Disabling and masking of light signals; Encryption and masking of the channel

Category: Covert Channel Exploitation
  Stealth attacks (stealthiness): Due to virus and malware (◦ ❍ ●); Targeting important resources (◦ ❍); Targeting sensitive data (◦ ❍); Using vulnerable protocols (◦ ❍ ●); Using design flaws (◦ ❍ ●); Using packet headers (◦ ❍); Using super user permissions (◦ ❍ ●); Using handshake trials (◦ ❍); Using public resources (◦ ❍); Using lack of authentication (◦ ❍)
  Countermeasures: Anti-malware; Resource monitoring; Special security mechanisms applied to sensitive data; Secure protocols; Design assessment and correction; Use of IDS; Proper policies to assign permissions; Handshake restrictions; Restricted access to public resources; Authentication mechanisms

Category: Code Injection
  Stealth attacks (stealthiness): Based on design flaws (◦ ❍ ●); Based on malware propagation (◦ ❍ ●)
  Countermeasures: Monitoring tools; Prevention and validation mechanisms

◦: stealthy communication of the attack. ❍: stealthy execution of the attack. ●: stealthy propagation of the attack.

Cryptography and reputation measures are especially beneficial for goodput reduction attacks. Although these two main countermeasures try to minimize and palliate all kinds of stealth attacks against the networks, they are particularly useful in the case of the disconnection attacks or the active eavesdropping, where, once detected, the traffic going through the corrupted nodes can be averted or reduced [20].

Scanning and probing attacks are one of the most critical types of stealth attacks, since they open the door to other more sophisticated and more informed attacks. Some countermeasures against these attacks are provided by V. Marinova-Boncheva in the paper [30]. The author proposes the use of stealth probes to detect any attacker that prolongs his procedures for a long period of time, for example, checking for system vulnerabilities and open ports for a period of two months. To this end, the stealth probes collect information from the system, checking for methodical attacks that last an extended period of time; they sample a wide area and discover correlating attacks. Basically, this technique implies the use of mixed signature-based and anomaly-based IDSs.
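The detection problem behind the stealth probes above is that a scan spread over two months never trips a per-minute or per-day rate rule. The following added example (not the authors' code and not the mechanism of [30]) shows the long-horizon correlation such a probe needs: per source and destination it keeps the distinct ports touched within a window of weeks, and flags the source once that set grows past a threshold, while a per-day count of the same records stays at one. The record format, the window, the threshold and the sample records are constructed for the example.

```python
"""Added example (not the authors' or [30]'s code): a long-horizon probe
correlator in the spirit of the stealth probes described above. Log
format, window, threshold and the sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW_DAYS = 60                   # assumed correlation horizon
DISTINCT_PORT_THRESHOLD = 8        # assumed: distinct ports per (src, dst)

# Constructed sample records: "timestamp src dst dport". 10.0.5.7 touches one
# new port every few days for seven weeks; 10.0.3.4 is a normal Modbus client.
SAMPLE_LOG = """
2015-03-01T08:12:00 10.0.5.7 10.0.1.20 502
2015-03-04T22:40:10 10.0.5.7 10.0.1.20 102
2015-03-09T03:15:33 10.0.5.7 10.0.1.20 20000
2015-03-15T11:02:45 10.0.5.7 10.0.1.20 44818
2015-03-21T17:48:02 10.0.5.7 10.0.1.20 4840
2015-03-28T06:30:19 10.0.5.7 10.0.1.20 2404
2015-04-05T13:05:58 10.0.5.7 10.0.1.20 161
2015-04-12T19:57:41 10.0.5.7 10.0.1.20 23
2015-04-19T02:20:14 10.0.5.7 10.0.1.20 80
2015-03-02T09:00:00 10.0.3.4 10.0.1.20 502
2015-03-02T09:00:05 10.0.3.4 10.0.1.20 502
2015-04-01T09:00:00 10.0.3.4 10.0.1.20 502
"""

Record = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed record format into (ts, src, dst, dport),
    sorted by time so the correlator sees events in order."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(records)


def slow_scan_sources(records: List[Record], window_days: int = WINDOW_DAYS,
                      threshold: int = DISTINCT_PORT_THRESHOLD) -> Dict[str, List[int]]:
    """Return {src: sorted distinct ports} for every source that touched at
    least `threshold` distinct ports on one destination inside any span of
    `window_days`. Events older than the window are dropped as time moves."""
    window = timedelta(days=window_days)
    history = defaultdict(list)          # (src, dst) -> [(ts, port)] in window
    flagged: Dict[str, List[int]] = {}
    for ts, src, dst, port in records:
        events = history[(src, dst)]
        events.append((ts, port))
        while events and ts - events[0][0] > window:
            events.pop(0)
        ports = {p for _, p in events}
        if len(ports) >= threshold:
            flagged[src] = sorted(ports)
    return flagged


def peak_daily_events(records: List[Record], src: str) -> int:
    """Most records from `src` in any one calendar day: the figure a
    short-window rate rule would judge, and why it misses the slow scan."""
    per_day = defaultdict(int)
    for ts, s, _, _ in records:
        if s == src:
            per_day[ts.date()] += 1
    return max(per_day.values(), default=0)
```

Shortening the window to two weeks makes the same scan disappear, which is the point of the two-month horizon in the text: the window is what separates a stealth probe from an ordinary rate detector, and it has to be long enough to cover the attacker's patience.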

Another way to confront stealth scanning and probing is proposed by C. Yin et al. in [37], where they suggest the use of honeypots to detect the attacks and alert the system's administrators. A honeypot is "an information system resource whose value lies in unauthorized or illicit use of that resource"; it reacts like a normal machine, based on the type of operating system it simulates, while it is recording and transferring packets to scan detection mechanisms to learn the tactics and tools used by the attackers and alert the administrators of illegal accesses to the network it is protecting.

The countermeasures for side channel attacks are highly tailored to the type of exploitation and the actual implementation of the attack. G. Joy Persial et al. provide certain guidelines to counteract side channel attacks in their work in [31]:

• Timing attacks: this kind of attack can be prevented by hiding time variations or using blinding techniques [57]. A simple form of hiding variations is to make the computations in constant time. Another possibility is to always add certain computations to the execution of the algorithms to mask the timings. Other variations include hiding the internal state of the systems, so that the attacker is no longer able to simulate internal computations.

• Power analysis attack: the power consumption is reduced using masking and elimination techniques. Masking "randomizes the signal values at the internal circuit nodes while still producing the correct cipher text" [31]. It can be done at software level, adding random masks to data subsequently encrypted, or at hardware level, where the system adds random mask bits to balance the degree of randomness of the resulting message.

• Electromagnetic analysis attack: this kind of attack can be prevented by covering the system with a protective casing that hides or attenuates the electromagnetic radiations. This case also prevents the attacker from accessing the individual physical components of the system.

• Fault induction attack: can be prevented by checking the computations [57] or verifying the signature of the sent messages to identify the failures. There are IDSs specifically designed to identify core failures and hijacks and the correct operation of the systems [58, 59].

• Optical side channel attack: to prevent the adversary from retrieving information from display monitors and LEDs, once the device is ready to be deployed the lighting signals used for debugging should be disabled or masked.

• Traffic analysis attack: counteracting this type of attack is very difficult [31], since it is necessary to encrypt the messages transmitted and mask the channel, to prevent the adversary from analyzing the traffic. In their work in [60], J. Deng et al. provide different countermeasures to prevent this attack, based on modifications of the routing schemes used by the nodes of the network.
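The "constant time" form of hiding timing variations from the first guideline above is shown concretely by the following added example, which is not code from the paper or from [31] or [57]. It compares an authentication tag two ways: the usual early-exit loop, whose work depends on how many leading bytes of a guess are right, and a constant-time loop that examines every byte and folds all differences into one accumulator. Both return the number of bytes they examined, so the leak is visible without a timer; the sample tags are constructed.

```python
"""Added example (not from the paper or [31]/[57]): constant-time
comparison of an authentication tag beside the leaky early-exit form.
Sample tags and keys are constructed."""
import hashlib
import hmac
from typing import Callable, List, Tuple


def early_exit_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Leaky: returns at the first mismatch, so the work done (and hence
    the time) reveals how many leading bytes of the guess were right."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Touches every byte regardless of where the first mismatch is and
    ORs all differences into one accumulator; only the length is
    observable, which is public for a fixed-size tag."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    diff = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def work_profile(compare: Callable[[bytes, bytes], Tuple[bool, int]],
                 expected: bytes, guesses: List[bytes]) -> List[int]:
    """Bytes examined for each guess: rises with each correct leading byte
    for the leaky version, flat for the constant-time one."""
    return [compare(expected, g)[1] for g in guesses]


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over a message (constructed key for the example)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """What production code should do: recompute the tag and compare with
    the standard library's constant-time primitive."""
    return hmac.compare_digest(make_tag(key, message), tag)
```

The hand-written loop is there to make the difference legible; in real code the comparison belongs to a primitive such as hmac.compare_digest, since a compiler or interpreter is free to undo a constant-time loop it does not recognise as such.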

Existing countermeasures for covert channels are varied, and comprise the use of commercial solutions such as antivirus and anti-malware SW, and restricting and strengthening the implementation of the network's protocols and policies. Examples are [33]:

• Anti-malware: as we have previously seen, software such as viruses, worms and Trojan horses can be introduced inside the victim's system, to capture packets and inject scripts into the victim's programs. Updated anti-virus and anti-malware SW can generally detect these behaviors.

• Resource monitoring: resources such as system files, disks, RAM, sockets, etc. are valuable to attackers, and thus adversaries frequently target them. Monitoring these resources with HIDS can provide insight into the system's status and help detect the presence of covert channels.

• Data sensitivity: information can be classified according to its level of sensitivity, thus special security mechanisms can be put into place to differing degrees to protect the data according to its sensitivity.

• Secure protocols: to protect the systems against covert channel attacks, it is important to strengthen the security of the network; thus implementing secure protocols, e.g., HTTPS instead of HTTP, helps prevent such attacks and protects the transmission of sensitive information.

• Design robustness: covert channels take advantage of design oversight vulnerabilities, and weaknesses due to the system's design. In the first case, these unintentional failures can be corrected once discovered, removing the covert channel. In the second case, they cannot be removed until the system is re-designed to eliminate the vulnerabilities. However, the use of good practices, such as secure programming or process desegmentation, can make the system more resilient against covert channels.

• Network Intrusion Detection Systems (NIDS): such as Snort [61], monitor packet header fields such as ACK, SYN, to detect patterns that can indicate (unmask) the presence of covert channels.

• Super user permissions: super user permissions may be needed to execute software, but it is necessary to carefully evaluate the processes granted with these permissions, to avoid harmful routines that are able to damage the system.

• Handshake restrictions: handshake trials between systems can be a way used by a malicious actor to fool traffic monitoring systems, thus a limitation on these trials should be put into place.

• Public resources: the access to public resources such as printers or shared disks should be restricted and limited to the known users of the network, and reinforced with authentication methods for preventing covert channels. For example, the use of RBAC, Attribute-Based Access Control (ABAC), Kerberos or simple Public Key Infrastructure (PKI) could help.

• Authentication: methods like passwords, captchas [62] or biometric mechanisms can help protect the system against covert channels, as well as RBAC/ABAC, Kerberos or PKI. Additionally, the IEC/TS 62351-8 [56] standard for security in substations recommends the use of authentication mechanisms, and more particularly RBAC, to reduce complexities in the entire SCADA network.

Prevention methods for covert channels are not restricted to just these points. Since the covert channels implemented for a system are highly tailored to its individual characteristics, each of the targeted environments will provide new challenges to the adversary. Thus, new behaviors will appear, and consequently, the targeted systems can be protected in different ways according to each specific situation.

Regarding the countermeasures that can be put into place to prevent and fight code injection attacks, in addition to the general measures that can be used (i.e., cryptography, standardization and reputation), it is possible to take two different approaches: prevention and validation mechanisms, and monitoring tools (e.g., IDSs, antivirus, anti-malware SW).

To prevent code injection, it is important to secure the input and output handling, by introducing validation mechanisms, selective inclusion and exclusion procedures, standardized input and text formatting and encoding, parametric variables, dissociation and modularization of the procedures from the kernel of the system, good handling of super user credentials, isolation of some critical procedures, hash validation of executable images, and similar mechanisms [44, 63].
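Two of the preventions just listed, parametric variables with input validation and hash validation of executable images, are shown in the following added example; it is not the authors' code and the setpoint table, the tag-naming rule and the firmware image bytes are constructed for it. The vulnerable lookup is kept beside the hardened one so the effect of binding the value rather than splicing it into the SQL text is visible on the same input.

```python
"""Added example (not the authors' code): parametric variables with
allow-list input validation for a database lookup, and hash validation of
an executable image. Table, tag-naming rule and image bytes are
constructed."""
import hashlib
import re
import sqlite3
from typing import List, Tuple

TAG_RE = re.compile(r"[A-Z][A-Z0-9_]{0,31}")    # assumed tag naming rule


def make_db() -> sqlite3.Connection:
    """In-memory setpoint table standing in for a historian/HMI store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE setpoints (tag TEXT PRIMARY KEY, value REAL)")
    conn.executemany("INSERT INTO setpoints VALUES (?, ?)",
                     [("PUMP1_SPEED", 1450.0), ("TANK2_LEVEL_MAX", 85.5)])
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, tag: str) -> List[Tuple[str, float]]:
    """Vulnerable pattern kept for contrast: the tag is spliced into the
    SQL text, so quote characters in it change the query's meaning."""
    sql = f"SELECT tag, value FROM setpoints WHERE tag = '{tag}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, tag: str) -> List[Tuple[str, float]]:
    """The tag is bound as a parameter: the driver never parses it as SQL,
    so an injection string simply matches no row."""
    return conn.execute(
        "SELECT tag, value FROM setpoints WHERE tag = ?", (tag,)).fetchall()


def is_valid_tag(tag: str) -> bool:
    """Allow-list validation of the input format (assumed naming rule)."""
    return TAG_RE.fullmatch(tag) is not None


def lookup_safe(conn: sqlite3.Connection, tag: str) -> List[Tuple[str, float]]:
    """Defence in depth: reject malformed input before it reaches the
    query, then use the parameterised form."""
    if not is_valid_tag(tag):
        raise ValueError(f"invalid tag name: {tag!r}")
    return lookup_parameterised(conn, tag)


# Hash validation of executable images: only images whose digest is on the
# allow-list may be loaded. Constructed sample image.
TRUSTED_IMAGE = b"constructed firmware image v1\x00"
TRUSTED_IMAGE_HASHES = {hashlib.sha256(TRUSTED_IMAGE).hexdigest()}


def image_is_trusted(image: bytes) -> bool:
    """True only when the image's SHA-256 matches an allow-listed digest;
    a single changed byte produces an unrelated digest and is refused."""
    return hashlib.sha256(image).hexdigest() in TRUSTED_IMAGE_HASHES
```

Validation and parameterisation are independent layers: the parameterised query alone already neutralises the quote-based input, and the allow-list alone already rejects it, so a mistake in either still leaves the other standing.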

In order to detect the most sophisticated and stealthy injection attacks, it is important to deploy intelligent and finely tuned IDSs, capable of adapting to new dynamics and learning new attacks [64], beyond just relying on attack signatures and known events. These automatic and adaptive capabilities provide the detection systems with tools to detect and prevent highly targeted and complex stealth attacks [65, 66, 67].

Most of the countermeasures and preventive mechanisms discussed in this section can be categorized as avoidance mechanisms (passive protection); however, as cyber attacks against control systems are becoming increasingly aggressive and sophisticated, it is necessary to put into place active protection mechanisms, to address the continuous threats to the CIs [8, 68]. Thus, as discussed and as a complementary measure to avoidance mechanisms, detection and recovery mechanisms are the techniques put in place for early detection, prevention of and counteraction to risks in order to restore the system to its original working state, and palliate the effect of the attacks or anomalies happening within the system.

Given this definition, we classify the active protection mechanisms into two main categories: the methods that require the intervention of an operator, and the automatic methods. Within the first class, we find the early warning systems, the IDS, and all the situational awareness [21] mechanisms deployed to detect and alert the human operators of any attack or anomaly happening within the system under surveillance. To the contrary, the automatic methods are those tools deployed to provide an automatic response to the problems that arise, with little to no supervision from the human operators.

Currently there is little literature on the automatic or semi-automatic response mechanisms, since their application to CIs is complex and potentially dangerous, due to the criticality of the environment. However, it is absolutely essential to start to deploy such techniques within CIs, since faster counteractions would help prevent the effect of attacks or anomalies from cascading to other interconnected and interdependent CIs [68]. Solutions that can provide these automatic functionalities are the Intrusion Prevention Systems (IPSs), SW that "has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents" [69].

The IPS is often integrated as an extension of the IDS, but it usually receives less attention than IDS research due to the intrinsic complexity of developing the mechanisms that offer an automated and correct response against certain events. However, the increased complexity and speed of cyber-attacks in recent years shows the acute necessity for complex intelligent dynamic response mechanisms [64]. These systems can perform a wide variety of actions, from operations on files and re-routing, to automatic revocation of privileges for certain profiles of the infrastructure. Thus, using this module, it is not necessary to alert the system's human operator/administrator to launch countermeasure actions; the system itself could select and execute them in a semi-supervised or unsupervised way.

In Table 2, we summarize the analysis of the stealth attacks from the point of view of countermeasures and protection, also reviewing the level of stealthiness of the attacks corresponding to Figure 1. This evaluation takes into account their associated AICAn risks (see Table 1), always considering the worst scenario possible; i.e., the maximum level of stealthiness that an adversary can achieve using these techniques and approaches. Moreover, we provide an overview of the most suitable countermeasures applicable to prevent or react against the stealth attacks, outlined in the last column of this table. This set of tentative measures is a selection of procedures that come from the context of general-purpose networks (trying to palliate or avoid stealth attacks in these non-critical settings) and which can be applied to CIs with a few adaptations to fit the specific needs of critical environments (industrial protocols, additional equipment, etc.).

6 Discussion on Cyber Stealth Attacks

According to M. Jakobsson et al. [20], stealth attacks are better (i.e., more profitable) than regular attacks, which require a higher amount of energy and leave the attacker more exposed to detection. In the previous sections, we have identified five different types (main categories) of stealth attacks, namely: (i) disconnection and goodput reduction, (ii) active eavesdropping, (iii) scanning and probing, (iv) covert and side-channel exploitation, and (v) code injection attacks. We have described their objectives and scope and, using the AICAn taxonomy, we have determined their potential threats to CIs.

This study therefore shows the danger inherent in attacks where the adversary tries to go unnoticed, since the system can be threatened for long periods of time without being protected; the actions against the infrastructure are varied and range from simple probing of the system to extraction of sensitive information, or disruption to the correct operation of the CIs affected. Additionally, the adversaries are able to propagate their threats to other nodes or interdependent CIs, thus creating cascading effects through the interconnected infrastructures.

Besides the vulnerabilities introduced in the scenario associated to the interest of the infrastructure to adversaries (sensitive data, potential of social disruption, etc.), the high complexity of the environment and their interconnected nature increase exposure to potential attackers and unintentional errors. According to NIST [70], a high number of interconnections present increased opportunities for DoS attacks, introduction of malicious code or compromised HW. Moreover, when dealing with a vast amount of nodes in the network, as happens in CIs, the number of entry points and paths exploitable by an adversary increases.

Nevertheless, there are several methods that help prevent and counteract the attacks studied. The main actions we find that are currently indicated to help in the case of stealth attacks are the preventive mechanisms, such as reputation or cryptography. We find therefore that it is essential to incorporate protection tools for control elements, governance, validation and testing of SW and HW components, to prevent any perturbation to the system's security properties. Moreover, protection of communication channels (using for example cryptography, virtual private networks, bump-in-the-wire, etc.) is also needed, since most of the cyber threats rely on attacks against the confidentiality (information or configurations of resources), in order to learn about the environment, conditions and elements of the victim system.

However, in the event of truly sophisticated stealth attacks, it is necessary to include a layer of protection that provides reactive recovery mechanisms capable of launching automatic reactions against an attack that is underway, to restore the normal operation of the system under attack as soon as possible. Within this category we find the IDS and IPS modules, capable of advanced detection mechanisms, and in some cases, of launching some prevention actions and alerts to the security profiles responsible for the nodes under attack. Currently, there is little research on automatic and semi-automatic reaction systems, due to the inherent complexity of the modules, which is vastly increased in the case of CIs, where any disturbance of their operation is of critical relevance.

7 Conclusions

In this paper we have provided an overview of the different types of stealth attacks that can potentially target the CIs. We have discussed these attacks in their different stages through the AICAn taxonomy, and evaluated the potential risks these attacks can pose to the critical environments in terms of availability, integrity, confidentiality and the anomalies that can occur in the infrastructure. We conclude that stealth attacks are potentially very dangerous to CIs, and it is extremely difficult to fully secure networks against them; nevertheless, we have reviewed several methods that help to prevent and to counteract some of these attacks, focusing on the conjunction of active and preventive security mechanisms. The establishment of the AICAn taxonomy and the study of criticality at each stage of the stealth attacks presented in this paper summarize the main risks deriving from stealthy attacks that can target the CIs in the world today. An extended analysis of this work could help determine and boost the capabilities of the security measures currently in place to detect stealth attacks, and it could help ascertain and identify the best countermeasures to prevent the damages derived from these attacks. The use of simulations would be very valuable to assess the risks and consequences of stealthy attacks in highly complex interdependent scenarios, thus we intend to develop a prototype of such a system, providing an AICAn-based model of the infrastructure where different kinds of stealth attacks can be launched in different areas of the system. Simulations in this area would help us understand the cascading effects across CIs and integrate machine learning algorithms to help predict the complex dynamics found in these types of scenarios.

References

[1] C. Alcaraz, G. Fernandez, and F. Carvajal, “Se-curity Aspects of SCADA and DCS Environ-ments,” Critical Infrastructure Protection, vol.7130, pp. 120–149, 2012.

[2] C. Directive, “114/EC of 08 December 2008 onthe Identification and Designation of EuropeanCritical Infrastructures and the Assessment ofthe Need to Improve their Protection,” OfficialJournal of the European Union, vol. 345, 2008.

[3] Congress of the United States of America,“Public Law 107 - 56 - Uniting and Strength-ening America by Providing Appropriate ToolsRequired to Intercept and Obstruct Terrorism(USA Patriot Act) Act of 2001,” USA PA-TRIOT ACT, October 2001, washington D.C.[Online]. Available: http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/content-detail.html

[4] Homeland Security News Wire, “Black HatEvent Highlights Vulnerability of U.S. CriticalInfrastructure,” Online News, July 2013, lastAccessed May 2014.

[5] Computer News, “Chinese Hacking TeamCaught Taking Over Decoy Water Plant,”Online News, August 2013, last AccessedMay 2014. [Online]. Available: http://www.technologyreview.com/news/517786/chinese-hacking-team-caught-taking-over-decoy-water-plant/

[6] J. Lopez, R. Setola, and S. Wolthusen, Criti-cal Infrastructure Protection: Advances in Crit-ical Infrastructure Protection: Information In-frastructure Models, Analysis, and Defenses.Springer, 2012, vol. 7130.

[7] ENISA, “Analysis of Annual Incident Reports2012,” Annual Incident Reports, vol. 13, pp. 1–30, 2012.

[8] US DHS ICS-CERT, “Incident Response Sum-mary Report,” September 2011, last ac-cess July 2013. [Online]. Available: http://www.uscert.gov

[9] ——, “ICS-Monitor Malware Infections in theControl Environment,” US CERT, December2012, last accessed, April 2014. [Online].Available: http://www.uscert.gov

[10] ——, “ICS-Monitor Brute Force Attacks onInternet-Facing Control Systems,” June 2013,last accessed, April 2014. [Online]. Available:http://www.uscert.gov

[11] European Comission, “Directive 2009/140/ECof the European Parliament and of the Council,”L337/37, November 2009, last Accessed May2014. [Online]. Available: https://resilience.enisa.europa.eu/article-13

[12] B. Genge, I. Kiss, and P. Haller, “A SystemDynamics Approach for Assessing the Impactof Cyber Attacks on Critical Infrastructures,”International Journal of Critical InfrastructureProtection, 2015.

22

Page 23: Cyber Stealth Attacks in Critical Information InfrastructuresCyber Stealth Attacks in Critical Information Infrastructures Lorena Cazorla, Member, IEEE, Cristina Alcaraz, Member, IEEE,

[13] M. Thompson, “Mariposa Botnet Analysis,” Defence Intelligence, Tech. Rep., 2009.

[14] A. Matrosov, E. Rodionov, D. Harley, and J. Malcho, “Stuxnet Under the Microscope,” ESET LLC, September 2010.

[15] McAfee, “Global Energy Cyberattacks: Night Dragon,” Version 1.4, McAfee Foundstone Professional Services and McAfee Labs, Tech. Rep., February 2011.

[16] E. Chien and G. O’Gorman, “The Nitro Attacks, Stealing Secrets from the Chemical Industry,” Symantec Security Response, 2011.

[17] Kaspersky Lab Expert, “Duqu: Steal Everything,” 2011, last accessed April 2014. [Online]. Available: http://www.kaspersky.com/about/press/major_malware_outbreaks/duqu

[18] K. Munro, “Deconstructing Flame: the Limitations of Traditional Defences,” Computer Fraud & Security, vol. 2012, no. 10, pp. 8–11, 2012.

[19] US DHS ICS-CERT, “ICS-Monitor Incident Response Activity,” National Cybersecurity and Communications Integration Center, April 2014, last accessed May 2014. [Online]. Available: https://ics-cert.us-cert.gov

[20] M. Jakobsson, S. Wetzel, and B. Yener, “Stealth Attacks on Ad-hoc Wireless Networks,” in IEEE 58th Vehicular Technology Conference (VTC 2003-Fall), vol. 3. IEEE, 2003, pp. 2103–2111.

[21] C. Alcaraz and J. Lopez, “Wide-Area Situational Awareness for Critical Infrastructure Protection,” IEEE Computer, vol. 46, no. 4, pp. 30–37, 2013.

[22] B. Miller and D. Rowe, “A Survey of SCADA and Critical Infrastructure Incidents,” in Proceedings of the 1st Annual Conference on Research in Information Technology. ACM, 2012, pp. 51–56.

[23] B. Zhu, A. Joseph, and S. Sastry, “A Taxonomy of Cyber Attacks on SCADA Systems,” in 2011 International Conference on Internet of Things (iThings/CPSCom) and 4th International Conference on Cyber, Physical and Social Computing. IEEE, 2011, pp. 380–388.

[24] C. Myers, S. Powers, and D. Faissol, “Taxonomies of Cyber Adversaries and Attacks: a Survey of Incidents and Approaches,” Lawrence Livermore National Laboratory, vol. 7, pp. 1–22, April 2009.

[25] H. F. Lipson, “Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues,” DTIC Document, Tech. Rep., 2002.

[26] ENISA, “Existing Taxonomies,” 2005–2013, last accessed August 2013. [Online]. Available: http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies

[27] F. Skopik and Z. Ma, “Attack Vectors to Metering Data in Smart Grids under Security Constraints,” in 2012 IEEE 36th Annual Computer Software and Applications Conference Workshops (COMPSACW). IEEE, 2012, pp. 134–139.

[28] T. Tsao, R. Alexander, M. Dohler, V. Daza, and A. Lozano, “Routing Over Low Power and Lossy Networks,” pp. 1–50, January 2012, last accessed August 2013. [Online]. Available: https://datatracker.ietf.org/doc/charter-ietf-roll/

[29] E. Rescorla and B. Korver, “Guidelines for Writing RFC Text on Security Considerations,” IETF, RFC 3552, vol. 1, pp. 1–44, 2003. [Online]. Available: https://tools.ietf.org/html/rfc3552

[30] V. Marinova-Boncheva, “A Short Survey of Intrusion Detection Systems,” Problems of Engineering Cybernetics and Robotics, vol. 58, pp. 23–30, 2007.


[31] G. Joy Persial, M. Prabhu, and R. Shanmugalakshmi, “Side Channel Attack-Survey,” Int J Adva Sci Res Rev, vol. 1, no. 4, pp. 54–57, 2011.

[32] J. Kong, O. Aciicmez, J.-P. Seifert, and H. Zhou, “Hardware-software Integrated Approaches to Defend Against Software Cache-based Side Channel Attacks,” in 15th International Symposium on High Performance Computer Architecture. IEEE, 2009, pp. 393–404.

[33] N. Tomar and M. S. Gaur, “Information Theft Through Covert Channel by Exploiting HTTP Post Method,” in Tenth International Conference on Wireless and Optical Communications Networks (WOCN). IEEE, 2013, pp. 1–5.

[34] A. Hintz, “Covert Channels in TCP and IP Headers,” presentation at DEF CON Security Conference, Las Vegas, NV, USA, 2002.

[35] M. Jakobsson, X. Wang, and S. Wetzel, “Stealth Attacks in Vehicular Technologies,” in IEEE 60th Vehicular Technology Conference, vol. 2. IEEE, 2004, pp. 1218–1222.

[36] G. F. Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure, 2009.

[37] C. Yin, M. Li, J. Ma, and J. Sun, “Honeypot and Scan Detection in Intrusion Detection System,” in Canadian Conference on Electrical and Computer Engineering, vol. 2. IEEE, 2004, pp. 1107–1110.

[38] IBM, “IBM X-Force Trend and Risk Report,” November 2013. [Online]. Available: http://xforce.iss.net/xforce/xfdb/405

[39] U. Maimon, A. Kantor, and O. Dov, “Scan Detection,” US Patent App. 11/025,983, Jan. 3, 2005.

[40] A. Dainotti, A. King, K. Claffy, O. Papale, and A. Pescape, “Analysis of a /0 Stealth Scan from a Botnet,” in Proceedings of the 2012 ACM Conference on Internet Measurement. ACM, 2012, pp. 1–14.

[41] J. Fan, X. Guo, E. De Mulder, P. Schaumont, B. Preneel, and I. Verbauwhede, “State-of-the-Art of Secure ECC Implementations: A Survey on Known Side-Channel Attacks and Countermeasures,” in IEEE International Symposium on Hardware-Oriented Security and Trust, 2010, pp. 76–87.

[42] M. M. Islam, R. Pose, and C. Kopp, “Suburban Ad-hoc Networks in Information Warfare,” in Proc. 6th Australian InfoWar Conference, Geelong, Australia, 2005.

[43] Modbus-IDA, “Modbus Application Protocol Specification,” 2006. [Online]. Available: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf

[44] J. A. Ambrose, R. G. Ragel, and S. Parameswaran, “RIJID: Random Code Injection to Mask Power Analysis Based Side Channel Attacks,” in Proceedings of the 44th Annual Design Automation Conference. ACM, 2007, pp. 489–492.

[45] D. Gollmann, “Securing Web Applications,” Information Security Technical Report, vol. 13, no. 1, pp. 1–9, 2008.

[46] A. Grasso and P. H. Cole, “Definition of Terms Used by the Auto-ID Labs in the Anti-Counterfeiting White Paper Series,” Auto-ID Labs, University of Adelaide, White Paper, 2006.

[47] Z. Su and G. Wassermann, “The Essence of Command Injection Attacks in Web Applications,” in ACM SIGPLAN Notices, vol. 41, no. 1. ACM, 2006, pp. 372–382.

[48] L. K. Shar and H. K. Tan, “Defending Against Cross-Site Scripting Attacks,” Computer, vol. 45, no. 3, pp. 55–62, 2012.

[49] M. Van Gundy and H. Chen, “Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks,” in NDSS, 2009.


[50] A. Barth, C. Jackson, and J. Mitchell, “Robust Defenses for Cross-Site Request Forgery,” in Proceedings of the 15th ACM Conference on Computer and Communications Security. ACM, 2008, pp. 75–88.

[51] T. Jim, N. Swamy, and M. Hicks, “Defeating Script Injection Attacks with Browser-enforced Embedded Policies,” in Proceedings of the 16th International Conference on World Wide Web. ACM, 2007, pp. 601–610.

[52] OWASP, “The Ten Most Critical Web Application Security Risks,” October 2010.

[53] Symantec, “TCP MODBUS - Unauthorized Read Request,” last accessed April 2014. [Online]. Available: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20674

[54] National Vulnerability Database, “Vulnerability Summary for CVE-2013-0663,” NIST, April 2013. [Online]. Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0663

[55] US DHS ICS-CERT, “ICSA-13-077-01A Schneider Electric PLCs Vulnerabilities,” June 2013, last accessed April 2014. [Online]. Available: http://ics-cert.us-cert.gov/node/642

[56] IEC/TS 62351-8, Power Systems Management and Associated Information Exchange - Data and Communications Security - Part 8: Role-Based Access Control, IEC/TS Std., September 2011.

[57] J.-J. Quisquater and F. Koene, “Side Channel Attacks: State of the Art,” project CRYPTREC, 2002.

[58] J. Reeves, A. Ramaswamy, M. Locasto, S. Bratus, and S. Smith, “Intrusion Detection for Resource-constrained Embedded Control Systems in the Power Grid,” International Journal of Critical Infrastructure Protection, vol. 5, no. 2, pp. 74–83, 2012.

[59] R. Berthier and W. H. Sanders, “Specification-based Intrusion Detection for Advanced Metering Infrastructures,” in 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing (PRDC). IEEE, 2011, pp. 184–193.

[60] J. Deng, R. Han, and S. Mishra, “Countermeasures Against Traffic Analysis Attacks in Wireless Sensor Networks,” in First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005). IEEE, 2005, pp. 113–126.

[61] M. Roesch, “Snort - Lightweight Intrusion Detection for Networks,” in Proceedings of the 13th USENIX Conference on System Administration, Seattle, Washington, 1999, pp. 229–238.

[62] M. Blum, L. Von Ahn, J. Langford, and N. Hopper, “The CAPTCHA Project (Completely Automatic Public Turing Test to tell Computers and Humans Apart),” School of Computer Science, Carnegie Mellon University, 2000. [Online]. Available: http://www.captcha.net

[63] P. Ratanaworabhan, V. Livshits, and B. Zorn, “NOZZLE: A Defense Against Heap-spraying Code Injection Attacks,” in USENIX Security Symposium, 2009, pp. 169–186.

[64] S. Bologna and R. Setola, “The Need to Improve Local Self-Awareness in CIP/CIIP,” in First IEEE International Workshop on Critical Infrastructure Protection. IEEE Computer Society, 2005, pp. 84–89.

[65] S. Avallone, C. Mazzariello, F. Oliviero, and S. P. Romano, “Protecting Critical Infrastructures from Stealth Attacks: A Closed-Loop Approach Involving Detection and Remediation,” in Critical Information Infrastructure Security. Springer, 2013, pp. 209–212.

[66] S. D’Antonio, F. Oliviero, and R. Setola, “High-Speed Intrusion Detection in Support of Critical Infrastructure Protection,” Critical Information Infrastructures Security, pp. 222–234, 2006.


[67] F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack Detection and Identification in Cyber-Physical Systems,” IEEE Transactions on Automatic Control, vol. 58, no. 11, pp. 2715–2729, 2013.

[68] European Commission, COM(2011) 163 - Achievements and Next Steps: Towards Global Cyber-Security, ser. COM(2011) 163. Publications Office, March 2011.

[69] K. Scarfone and P. Mell, “Guide to Intrusion Detection and Prevention Systems (IDPS),” NIST Special Publication 800-94, 2007.

[70] Smart Grid Interoperability Panel Cyber Security Working Group and others, “NISTIR 7628 - Guidelines for Smart Grid Cyber Security, vol. 1–3,” 2010.
