Journal of Platform Technology

ICT Platform Society (ICT플랫폼학회)
권호 표지

Study on Method to Develop Case-based Security Threat Scenario for Cybersecurity Training in ICS Environment

ICS 환경에서의 사이버보안 훈련을 위한 사례 기반 보안 위협 시나리오 개발 방법론 연구

  • GyuHyun Jeon ;
  • Kwangsoo Kim ;
  • Jaesik Kang ;
  • Seungwoon Lee ;
  • Jung Taek Seo
  • 전규현 (가천대학교 정보보호학과) ;
  • 김광수 (LIG 넥스원(주) 사이버전자전개발단) ;
  • 강재식 (LIG 넥스원(주) 사이버전자전개발단) ;
  • 이승운 (LIG 넥스원(주) 사이버전자전개발단) ;
  • 서정택 (가천대학교 컴퓨터공학부 컴퓨터공학전공)
  • Received : 2024.01.23
  • Accepted : 2024.02.16
  • Published : 2024.02.28
Download PDF
⟨ Previous Next ⟩

Abstract

As the number of cases of applying IT systems to the existing isolated ICS (Industrial Control System) network environment continues to increase, security threats in the ICS environment have rapidly increased. Security threat scenarios help to design security strategies in cybersecurity training, including analysis, prediction, and response to cyberattacks. For successful cybersecurity training, research is needed to develop valid and reliable security threat scenarios for meaningful training. Therefore, this paper proposes a case-based security threat scenario development methodology for cybersecurity training in the ICS environment. To this end, we develop a methodology consisting of five steps based on analyzing actual cybersecurity incident cases targeting ICS. Threat techniques are standardized in the same form using objective data based on the MITER ATT&CK framework, and then a list of CVEs and CWEs corresponding to the threat technique is identified. Additionally, it analyzes and identifies vulnerable functions in programming used in CWE and ICS assets. Based on the data generated up to the previous stage, develop security threat scenarios for cybersecurity training for new ICS. As a result of verification through a comparative analysis between the proposed methodology and existing research confirmed that the proposed method was more effective than the existing method regarding scenario validity, appropriateness of evidence, and development of various scenarios.

기존 ICS(Industrial Control System)의 격리망 환경에 IT 시스템을 적용하는 사례가 계속 증가함으로써 ICS 환경에서의 보안 위협이 급격히 증가하였다. 보안 위협 시나리오는 사이버공격에 대한 분석, 예측 및 대응 등 사이버보안 훈련에서의 보안 전략 설계에 사용된다. 성공적인 사이버보안 훈련을 위해 유효하고 신뢰할 수 있는 훈련용 보안 위협 시나리오 개발 연구가 필요하다. 이에 본 논문에서는 ICS 환경에서의 사이버보안 훈련을 위한 사례 기반 보안 위협 시나리오 개발 방법론을 제안한다. 이를 위해 ICS 대상 실제 사이버보안 사고 사례를 분석한 내용을 기반으로 총 5단계로 구성된 방법론을 개발한다. 위협 기법은 MITRE ATT&CK 프레임워크를 기반의 객관적인 데이터를 사용하여 동일한 형태로 정형화한 후 위협 기법과 대응되는 CVE 및 CWE 목록을 식별한다. 그리고 CWE와 ICS 자산에서 사용 중인 프로그래밍내 취약한 함수를 분석 및 식별한다. 이전 단계까지 생성된 데이터를 기반으로 신규 ICS 대상 사이버보안 훈련용 보안 위협 시나리오를 개발한다. 제안한 방법론과 기존 연구간 비교 분석을 통한 검증 결과, 제안한 방식이 기존 방식보다 시나리오에 대한 유효성, 근거의 적절성, 그리고 다양한 시나리오 개발에 있어서 더 효과적임을 확인하였다.

Keywords

Acknowledgement

이 논문은 2021년 정부(방위사업청)의 재원으로 국방기술진흥연구소의 지원을 받아 수행된 연구임(KRIT-CT-21-037)

References

  1. Bhamare, D., Zolanvari, M., Erbad, A., Jain, R., Khan, K., & Meskin, N, "Cybersecurity for industrial control systems: A survey", computers & security, Vol. 89, 101677. Feb. 2020.
  2. Ackerman. P, "Industrial Cybersecurity: Efficiently secure critical infrastructure systems", in Packt Publishing, England, 2017, pp. 30-39
  3. "Duqu: A Stuxnet-like malware found in the wild", CRYSYS, [Online]. Available: https://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf
  4. "BlackEnergy & Quedagh: The convergence of crimeware and APT attack", F-Secure Labs, [Online]. Available: https://blog.f-secure.com/wpcontent/uploads/2019/10/BlackEnergy_Quedagh.pdf
  5. "BE2 custom plugins, router abuse, and target profiles", SECURELIST, [Online]. Available: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
  6. "BE2 extraordinary plugins, Siemens targeting, dev fails", SECURELIST, [Online]. Available: https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/
  7. "BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry", weliveserucrity, [Online]. Available: https://www.welivesecurity.com/2016/01/03/blackenergysshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
  8. "UK exposes series of Russian cyber attacks against Olympic and Paralympic Games", UK NCSC, [Online]. Available: https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyberattacks-against-olympic-and-paralympic-games
  9. "Win32/Industroyer: A new threat for industrial controls systems", ESET LLC, [Online]. Available: https://web-assets.esetstatic.com/wls/2017/06/Win32_Industroyer.pdf
  10. "CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations", DRAGOS, [Online]. Available: https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf
  11. "CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection- Focused Attack", DRAGOS, [Online]. Available: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf
  12. "Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign", Varonis, [Online]. Available: https://www.varonis.com/blog/darkside-ransomware
  13. Ekisa, C., Briain, D. O., & Kavanagh, Y, "An open-source testbed to visualise ics cybersecurity weaknesses and remediation strategies-a research agenda proposal", In 2021 32nd Irish Signals and Systems Conference (ISSC), IEEE, pp. 1-6. Jun. 2021.
  14. Koay, A. M., Ko, R. K. L., Hettema, H., & Radke, K, "Machine learning in industrial control system (ICS) security: current landscape, opportunities, and challenges", Journal of Intelligent Information Systems, Vol. 60(2), pp. 377-405. Oct. 2023.
  15. Alwakeel, A. M, "An overview of fog computing and edge computing security and privacy issues", Sensors, Vol.21(24), 8226, Dec. 2021.
  16. "SANS Institute Information Security Reading Room Secure Architecture for Industrial Control Systems", Semantic Scholar, [Online]. Available: https://www.semanticscholar.org/paper/SANSInstitute-Information-Security-Reading-Room-Obregon/cf1193740974922c2fd29733ac204f06a3de7b08
  17. Kim. D. H., Choi. S. H, "A Study on the Active Defense Strategy of Honey System Using MTD", Korea Institute of Information Technology Magazine, Vol. 20(1), 27-32, Dec. 2022
  18. Ahn. M. K., Lee. J. R, "Research on System Architecture and Methodology based on MITRE ATT&CK for Experiment Analysis on Cyber Warfare Simulation", Journal of the Korea Society of Computer and Information, Vol. 25(8), pp. 31-37, Aug. 2020
  19. Liao, Y. C, "Generating Targeted Attack Scenarios against Availability for Critical Infrastructures", In 2021 14th CMI International Conference-Critical ICT Infrastructures and Platforms (CMI), IEEE, pp. 1-7, Nov. 2021.
  20. Hacks, S., Katsikeas, S., Ling, E., Lagerstrom, R., & Ekstedt, M, "powerLang: a probabilistic attack simulation language for the power domain", Energy Informatics, Vol. 3, pp. 1-17, Nov. 2020
  21. "ICS Matrix", MITRE ATT&CK, [Online]. Available: https://attack.mitre.org/matrices/ics/
  22. Georgiadou, A., Mouzakitis, S., & Askounis, D, "Assessing mitre att&ck risk using a cybersecurity culture framework", Sensors, Vol. 21(9), 3267, May. 2021.
  23. "W32.Stuxnet Dossier (Version 1.4)", Symantec, [Online]. Available: https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
  24. "ICS Advisory (ICSA-10-272-01)", CISA, [Online]. Available: https://www.cisa.gov/newsevents/ics-advisories/icsa-10-272-01
  25. "Stuxnet Under the Microscope", ESET LLC, [Online]. Available: http://www.rpac.in/image/ITR%201.pdf
  26. "To Kill a Centrifuge", The Langner Group, [Online]. Available: https://www.langner.com/wpcontent/uploads/2017/03/to-kill-a-centrifuge.pdf
  27. "Global Energy Cyberattacks: "Night Dragon"", McAfee, [Online]. Available: https://www.mcafee.com/blogs/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf
  28. "Attackers deploy new ICS attack framework "TRITON" and cause operational disruption to critical infrastructure", Mandiant, [Online]. Available: https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton
  29. "First-of-a-kind U.S. grid cyberattack hit wind, solar", Energywire, [Online]. Available: https://subscriber.politicopro.com/article/eenews/1061421301
  30. "DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers", Kaspersky, [Online]. Available: https://usa.kaspersky.com/about/press-releases/2019_dtrackpreviously-unknown-spy-tool-hits-financial-institutions-and-research-centers
  31. "Hello! My name is Dtrack", SECURELIST, [Online]. Available: https://securelist.com/myname-is-dtrack/93338/
  32. "Industroyer2: Industroyer reloaded", weliveserucrity, [Online]. Available: https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded
  33. "Vulnerabilities", NIST, [Online]. Available: https://nvd.nist.gov/vuln
  34. Korodi, A., Nicolae, A., & Draghici, I. A, "Proactive decentralized historian-improving legacy system in the water industry 4.0 context", Sustainability, Vol. 15(15), 11487, Jul. 2023.
  35. Michalec, O., Milyaeva, S., & Rashid, A, "When the future meets the past: Can safety and Cybersecurity coexist in modern critical infrastructures?", Big Data & Society, Vol. 9(1), Jun. 2022.
  36. "HMI Works C Programming pt3", ICP DAS USA, [Online]. Available: https://www.icpdasusa.com/HMI-works-CProgramming-pt3.html
  37. "SIMATIC M7 Only Available on a Spare Part Basis as of October 2003", Siemens, [Online]. Available: https://support.industry.siemens.com/cs/document/14044569/simatic-m7-onlyavailable-on-a-spare-part-basis-as-of-october-2003-?dti=0&lc=en-WW
  38. "Touch HMI Devices", ICP DAS, [Online]. Available: https://www.bbrc.ru/upload/iblock/cf1/i8z9k9u6vd9enme563mqkw7jxwc177hx/603adb8b_0fed_11e8_80d8_0cc47a1243ef_58fbaa64_2692_11e8_80d8_0cc47a1243ef.pdf
  39. "Software Security Weakness Diagnostic Guide", KISA, [Online]. Available: https://www.kisa.or.kr/2060204/form?postSeq=9&page=1
  40. "Secure Coding Guide C", MOIS, [Online]. Available: https://www.mois.go.kr/
  41. "SEI CERT C Coding Standard", Carnegie Mellon University SEI, [Online]. Available: https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf