Information Hiding in Industrial Control Systems: An OPC UA based Supply Chain Attack and its Detection

Hildebrandt, Mario; Lamshöft, Kevin; Dittmann, Jana; Neubert, Tom; Vielhauer, Claus

doi:10.1145/3369412.3395068

Cited by 12 publications

(9 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We point out that a more fine-grained classification scheme has been proposed, especially to uniform discrepancies between different research works dealing with network steganography and covert channels, even not limited to the network-wide case [11], [24]. Unfortunately, information hiding techniques are proliferating in almost every new protocol or network/computing framework [17], [18], IoT environment [19], [25], smart vehicle [26], or industrial control system [27], [28], just to mention the most popular or emerging scenarios. Concerning recent examples, [20] analyzes many opportunities that an attacker can exploit for creating a covert channel within the Network Time Protocol, whereas [13] investigates whether timing channels can be used to implement long-range communications across different continents.…”

Section: A Network Covert Channelsmentioning

confidence: 99%

Analysis of Reversible Network Covert Channels

et al. 2022

View full text Add to dashboard Cite

In the last years, the utilization of information hiding techniques for empowering modern strains of malware has become a serious concern for security experts. Such an approach allows attackers to act in a stealthy manner, for instance, to covertly exfiltrate confidential data or retrieve additional command & control payloads for the operation of malware. Therefore, the deep understanding of data hiding mechanisms is a core requirement, as it allows designing effective countermeasures. Unfortunately, the most recent evolution of information-hiding-capable threats enjoys reversible properties, i.e., the abused network flow is restored to its original form. Hence, detection approaches based on the comparison of different traffic samples may not work anymore. In this paper, we further investigate various methods for performing reversible data hiding for network covert channels. Specifically, we extend our previous research by considering different scenarios focusing on IPv4 traffic and HTTP conversations. The results confirm that reversibility can be used in various network conditions and is not impaired by middleboxes. In addition, engineering countermeasures or mitigation techniques could be difficult, thus requiring to consider reversible mechanisms already in the early design stages of a protocol/deployment.

show abstract

Section: A Network Covert Channelsmentioning

confidence: 99%

Analysis of Reversible Network Covert Channels

et al. 2022

View full text Add to dashboard Cite

show abstract

“…In addition, Hildebrandt et al demonstrated that a command injection attack through a hidden channel could be performed on a packet transmitted from a server to a client (PLC) in an OPC UA protocol-based communication environment, a potential supply chain attack. Attack vectors have also been described [13]. For example, Polge et al identified new threats that can occur using the OPC UA protocol based on IoT security threat modeling [14].…”

Section: Opc Ua Security Analysismentioning

confidence: 99%

“…Moreover, studies have demonstrated denial-of-service (DoS) attacks, packet sniffing, and man-in-the-middle (MiTM) attacks through attack simulations on OPC UA networks [8][9][10][11][12][13][14]. However, they focused on the impact assessment of industrial Internet of Things (IoT) systems and verified possible attack types for known security threats specified in the OPC UA system specifications.…”

Section: Introduction 1background and Motivationmentioning

confidence: 99%

Vulnerabilities of the Open Platform Communication Unified Architecture Protocol in Industrial Internet of Things Operation

Shin

Kim

Euom

2022

Sensors

View full text Add to dashboard Cite

Recently, as new threats from attackers are discovered, the damage and scale of these threats are increasing. Vulnerabilities should be identified early, and countermeasures should be implemented to solve this problem. However, there are limitations to applying the vulnerability discovery framework used in practice. Existing frameworks have limitations in terms of the analysis target. If the analysis target is abstract, it cannot be easily applied to the framework. Therefore, this study proposes a framework for vulnerability discovery and countermeasures that can be applied to any analysis target. The proposed framework includes a structural analysis to discover vulnerabilities from a scenario composition, including analysis targets. In addition, a proof of concept is conducted to derive and verify threats that can actually occur through threat modeling. In this study, the open platform communication integrated architecture used in the industrial control system and industrial Internet of Things environment was selected as an analysis target. We find 30 major threats and four vulnerabilities based on the proposed framework. As a result, the validity of malicious client attacks using certificates and DoS attack scenarios using flooding were validated, and we create countermeasures for these vulnerabilities.

show abstract

“…Most recently, covert channels in the Internet of Things has gained increasing attention, cf. works by Mileva et al [28], Wendzel et al [29] and Hildebrandt et al [30].…”

Section: Related Workmentioning

confidence: 99%

Reversible and Plausibly Deniable Covert Channels in One-Time Passwords Based on Hash Chains

Keller

Wendzel

2021

Applied Sciences

View full text Add to dashboard Cite

Covert channels enable stealthy communications over innocent appearing carriers. They are increasingly applied in the network context. However, little work is available that exploits cryptographic primitives in the networking context to establish such covert communications. We present a covert channel between two devices where one device authenticates itself with Lamport’s one-time passwords based on a cryptographic hash function. Our channel enables plausible deniability jointly with reversibility and is applicable in different contexts, such as traditional TCP/IP networks, CPS/IoT communication, blockchain-driven systems and local inter-process communications that apply hash chains. We also present countermeasures to detect the presence of such a covert channel, which are non-trivial because hash values are random-looking binary strings, so that deviations are not likely to be detected. We report on experimental results with MD5 and SHA-3 hash functions for two covert channel variants running in a localhost setup. In particular, we evaluate the channels’ time performance, conduct statistical tests using the NIST suite and run a test for matching hash values between legitimate and covert environments to determine our channels’ stealthiness.

show abstract

Information Hiding in Industrial Control Systems: An OPC UA based Supply Chain Attack and its Detection

Cited by 12 publications

References 2 publications

Analysis of Reversible Network Covert Channels

Analysis of Reversible Network Covert Channels

Vulnerabilities of the Open Platform Communication Unified Architecture Protocol in Industrial Internet of Things Operation

Reversible and Plausibly Deniable Covert Channels in One-Time Passwords Based on Hash Chains

Contact Info

Product

Resources

About