Security and Privacy Issues in

CPSs
 Introduction
• Cyber-physical systems (CPSs) are broadly used across
technology and industrial domains to enable process
optimization and previously unachievable functionality.
• However, CPSs have been key targets in some of the most
highly publicized security breaches over the last decade.
• Neither cyber- nor physical-security concepts alone can
protect CPSs because the complex interdependencies and
crossover effects can introduce unexpected vulnerabilities.
• Physical attacks may damage or compromise the information
system on the device, and cyber-attacks can cause physical
malfunctions.
 Introduction
• Because of the many critical applications where CPSs are
employed, either kind of attack can result in dire real-world
consequences.
• As a result, security and privacy must be key concerns for CPS
design, development, and operation.
 What is Security?
• Security is a set of measures to ensure that a
system will be able to accomplish its goal as
intended, while mitigating unintended
negative consequences.
• When features are added to a system, security
is applied to ensure that the additions neither
compromise intended functionality nor
introduce new attack vectors.
 What is Privacy?
• Assurance that the confidentiality of, and access to,
certain information about an entity is protected.
• “Entity,” in this case, can be a corporation or facility as
well as an individual person. “Certain information” may
refer to any sensitive information such as personally
identifiable information (PII).
• Confidentiality usually means that information is not
released to unauthorized parties, but privacy has a
more dynamic dimension of allowing owners to control
the dissemination of their information themselves.
Core principles of Information Security (CIA
Triad)
• Confidentiality – Only authorized parties can
access computer-related assets.
• Integrity – Assets can be modified only by
authorized parties or only in authorized ways.
• Availability – Assets are accessible to
authorized parties at appropriate times.
An example of the CIA triad in practice
• Think of logging into an e-commerce site to check your orders
and make an additional purchase. The e-commerce site uses
the three principles of the CIA triad in the following ways:
– Confidentiality: When you log in, you’re asked for a password. If it’s
been a while since your last log-in, you may be asked to input a code
that’s been sent to you or some other form of two-factor
authentication.
– Integrity: Data integrity is provided by making sure your purchases are
reflected in your account and allowing you to contact a representative
if there’s a discrepancy.
– Availability: You can log into your account whenever you want, and
you may even be able to contact customer support at any time of the
day or night.
 Two additional elements
• The CIA Triad is the heart of information security but
is widely thought to be incomplete.
• Two additional elements that are most germane to
the physical side of our discussion of CPSs.
– Authentication – Verifies the identity, often as a
prerequisite to access (Committee on National Security
Systems, 2010).
– Nonrepudiation – Protects against an individual’s false
denial of having performed a particular action and
captures whether a user performed particular actions (i.e.,
sending or receiving a message)
 Physical Security and Privacy
• Physical protection aims to defend an area in space according
to the following principles adapted from the U.S. Department
of Defense (2016) and U.S. Department of Energy (2005).
– Deterrence – A credible threat of countermeasures that prevents actions
against the system by making the perceived cost of an attack outweigh the
perceived benefits.
– Detection – The positive assessment that a specific object caused the alarm
and/or the announcement of a potential malevolent act through alarms.
– Delay – Impediments that slow or prevent an adversary from accessing a
protected asset or from completing a malevolent act.
– Response – Actions taken with appropriate force and at locations and times
designed to stop the advancement of the adversary.
– Neutralization – Rendering enemy forces incapable of interfering with a
particular operation.
 Physical Security and Privacy
• Deterrence can be as innocuous as a sign indicating the presence of physical-
security components or a guard posted in a visible location to warn the potential
adversary of the consequences of an attack.
• Detection is usually accomplished with surveillance technologies, human
watchers, or operational processes. Alarms may be coupled with detection to
alert those protecting the asset (the trusted agents) or to scare off the attacker.
• Barriers such as protective forces, walls, deployed obstacles, storage containers,
locks, and tamper-resistant devices take time for an adversary to penetrate,
providing delay (and some deterrence if the measures are visible).
• The response to intrusion events must be immediate and effective and may
include summoning authorities with sufficient force to halt the attack.
• The responders neutralize all the attackers by arresting them or in some other
way making it impossible for them to attack the system in that way again.

If these physical-security elements are not properly utilized, even the most
impenetrable defenses will eventually be defeated.
 Security and Privacy in CPSs
• The interconnectedness of CPSs leads to
interdependencies and system interactions that are
not obvious to even careful inspection.
• The very nature of CPSs affords both cyber and
physical attack pathways, greatly increasing the
adversary’s options.
• Separate sets of vulnerabilities on the cyber and
physical sides do not simply add up; they multiply.
• Having physical access to a cyber system makes
possible certain attacks that would not be otherwise.
 Security and Privacy in CPSs
• Adding a networked cyber dimension to a physical system
increases the complexity of the system, the scope of what may
be attacked, and the distance from where the attack may be
conducted.
• The separate attack pathways may be fully protected in only
one domain or the other, but only parts of the system where
both domains are simultaneously protected are truly protected.
• Security and privacy attack points in CPSs may be at the
interfaces between devices, on the devices themselves, in the
infrastructure that supports them, from the Internet, and even
from malicious users.
Security and Privacy in CPSs

Security attack points in CPSs

 Security and Privacy in CPSs
• Attackers may take advantage of the ambiguities of
vulnerable communication protocols to mount an attack
across an interface.
• They may exploit security flaws in weak implementations of
application programming interfaces to compromise a
component.
• Alternatively, they may take advantage of trust relationships
between peer devices or between the devices and
infrastructures, clients, and users to whom they talk.
• Each of these vulnerability points must be covered by
security protections and considered as potentially
compromised system components from the perspective of
other components.
 Security and Privacy in CPSs
• Wireless Exploitation: It requires knowledge of the system’s
structure and thus, exploiting its wireless capabilities to gain
remote access or control over a system or possibly disrupt the
system’s operations. This causes collision and/or loss of control.
• Jamming: In this case, attackers usually aim at changing the
device’s state and the expected operations to cause damage by
launching waves of de-authentication or wireless jamming signals,
which would result into denial of device and system services.
• Reconnaissance: An example of such a threat is where intelligence
agencies continuously perform operations targeting a nation’s
Computational Intelligence (CI) and Industrial Control System (ICS)
mainly through a malware spread [74]. This results in violating data
confidentiality due to the limitation of traditional defenses.
 Security and Privacy in CPSs
• Remote Access: This is mainly done by trying to gain remote
access to the CPS infrastructure, for example, causing
disturbances, financial losses, blackouts, as well as industrial data
theft and industrial espionage. Moreover, Havex Trojans are among
the most dangerous malware against ICSs, as they can be
weaponized and used as part of cyber-warfare campaign
management against a nation’s CPS.
• Disclosure of Information: Hackers can disclose any
private/personal information through the interception of
communication traffic using wireless hacking tools, violating both
privacy and confidentiality.
• Unauthorized Access: Attackers try to gain an unauthorized access
through either a logical or physical network breach and to retrieve
important data, leading to a privacy breach.
 Security and Privacy in CPSs
• Interception: Hackers can intercept private conversations through
the exploitation of already existing or new vulnerabilities leading
to another type of privacy and confidentiality breach.
• GPS Exploitation: Hackers can track a device or even a car by
exploiting (GPS) navigation systems, resulting in a location privacy
violation.
• Information Gathering: software manufacturers covertly gather
files and audit logs stored on any given device in order to sell this
huge amount of personal information for marketing and
commercial purposes in an illegal manner.
CPS security: common attack
types/subtypes
 DoS Subtypes
• Permanent DoS is a type of attack when intruder tries to
exploit unpatched vulnerabilities in order to install modified
firmware to damage a system.
• Distributed DoS attack is based on a model when several
nodes/systems are sending requests to a victim system trying
to occupy the available resources (i.e. bandwidth, processor
time, etc.), thus rendering the system unable to provide
services.
• Intruder employs the broadcast address of ill-configured
network and sends packet by replacing its own address with
the victim node address in reflected attacks. Thus the victim
node eventually is flooded with fake responses. Smurf attack
(ICMP packets) and Fraggle attack (UDP packets) are some of
the variations of reflected attacks.
DDoS
Low Orbit Ion Cannon (LOIC)
 Spoofing Subtypes
• GPS spoofing is based on broadcasting of incorrect signals of
higher strength than received from satellites in order to
deceive the victim.
• Intruder explores the IP addresses of the victim nodes and
then sends ARP responses to node X and node Y, with IP
address of corresponding node and its own MAC address in
ARP spoofing. Thus all packets between X and Y will then
pass through the intruder node.
• IP spoofing is another subtype of spoofing attack aimed at
using another IP address to pass through security system.
This type of attack can be used on the first stage of complex
intrusion in conjunction with reflected attack.
GPS Spoofing
ARP Spoofing
IP Spoofing
 Code injection subtypes
• SQL injection attack involves insertion of malicious SQL
statement in the queries, thus leading towards failure of the
input data.
• Cross site scripting exploits open scripting vulnerabilities and
adds malicious code into web application leading towards
execution.
• Remote file injection extends itself on the serve side of web
applications where the file with malicious code is
downloaded and is executed on the server.
• Shell injection attack is implemented through inclusion of
malicious shell code into the code string for further
interpretation by the shell.
SQL Injection
Cross-Site Scripting (XSS)
 Eavesdropping subtypes
• Man-in-the-Middle is an active type of attack and occurs
when intruder intervenes between communicating entities
trying to intercept the packets.
• Traffic sniffing is a passive type of eavesdropping aimed at
traffic analysis using special device or program.
• Relay attacks are aimed at interception of authentication
related information.
MITM Attack
 Malware subtypes
• Worm is a type of Malware software with ability of making
copies of itself thus resulting into wastage of network
bandwidth.
• Virus is also able to replicate itself as worm, but
comparatively infects files and programs in the system.
• Trojan horse intrudes in the system under the guise of
legitimate software, whereas Rootkit is a set of software;
such as scripts, executable files, configuration files, etc; with
ability to hide itself and other malicious software.
 Control hijacking subtypes
• Buffer overflow is a phenomenon when a program is writing
data outside of the given buffer, often it is the consequence
of the wrong processing of input data.
• Integer overflow is an error occurred due to inability to
represent the numeric value within given storage space.
• Format string is an intrusion during which the input string is
executed as a command
Buffer Overflow Attack
CPS layers and security