See discussions, stats, and author profiles for this publication at: [604109]
See discussions, stats, and author profiles for this publication at:
https://www.researchgate.net/publication/299442479
Feasibility of applying Moving Target Defensive
Techniques in a SCADA System
Conference Paper
· March 2016
DOI: 10.13140/RG.2.1.5189.5441
READS
15
2 authors
, including:
Cordell Clay Davidson
University of South Alabama
4
PUBLICATIONS
6
CITATIONS
SEE PROFILE
All in-text references
underlined in blue
are linked to publications on ResearchGate,
letting you access and read them immediately.
Available from: Cordell Clay Davidson
Retrieved on: 18 May 2016
Feasibility of applying Moving Target Defensive Techniques in a SCADA System
Cordell C. Davidson , Todd R. Andel
University of South Alabama, Mobile, USA
[anonimizat]
[anonimizat]
Abstract: Supervisory Control and Data Acquisition (SCADA) systems monitor and control industrial systems of
national importance, including but not limited to the electric power grid, oi l and gas refineries, water supply
and sewage systems, and gas pipelines. They are an integral part of a nation’s critical infrastructure. As such,
the reliability and availability of these systems are extremely important. Once SCADA systems are running
reliably, changes to the hardware or software are typically avoided. As a result, many of these systems rely
upon hardware and software systems that are years or even decades in age. Over time and for the purpose of
cost optimization, SCADA systems have beco me increasingly reliant upon commercial -off-the-shelf (COTS)
products. Many of these products have known vulnerabilities that are expected to be patched or replaced
quite often to mitigate potential attacks. However, frequent patches and updates are often unfeasible in a
SCADA system. The requirements of reliability and availability may outweigh the potential benefits. An
additional security issue is that in order to enable remote system management, SCADA systems are becoming
increasingly connected directly to corporate networks as well as the Internet thus making it easier for an
adversary to connect to a system in order to exploit known vulnerabilities. Moving Target Defense (MTD) is a
security approach used in many common computer systems to help make the m less easily compromised. A
MTD seeks to provide additional protection to all protected programs even if those programs have known
vulnerabilities. It does not seek to fix any particular software vulnerability but, instead, seeks to make any such
vulnera bility more difficult to exploit. Other security solutions elaborated for our common computer systems
and networks , such as frequent software patching, might not be applicable for SCADA systems due to their
specific requirements and constraints. However, t here has not been much academic discussion of applying
Moving Target Defenses to SCADA systems. We analyse d several different MTD techniques for their suitability
as defense of variou s components of SCADA systems . Our determination is that there are several MTD
approaches that are feasible for use in SCADA systems .
Keywords: Moving Target Defense, SCADA, Security, Network Security, Software Vulnerability Mitigation ,
Diversity Defense
1. Introduction
The electric power grid, oil and gas refineries, wat er supply and sewage systems, pipelines and other large
industrial or public infrastructure systems rely upon automated real -time control systems designed to monitor
and control various mechanical components such as motors, pumps, valves, fans and numerous other devices.
Supervisory Control and Data Acquisition (SCADA) systems monitor and control such installations. The local
control systems report to the SCADA system which in turn can send out alarms, change local control
parameters, update and display inf ormation for human interaction, store recorded data, and many other tasks
that may be required for keeping the monitored system running safely and efficiently (Krutz, 2005) (Stouffer,
et al., 2 011) . Many of these SCADA controlled systems are of great local or national importance. We expect an
electric current when we flip a light switch, water when we turn on our tap and fuel when we fill up at the gas
station. If any of these systems fail, there can be massive consequences on many different levels from
individual annoyance to a national scale disaster.
SCADA systems , a type of Industrial Control System (ICS) , have been reportedly attacked since mid ‘90s (Byres
& Lowe, 2004) . The well -known attacks in 2000 at the Maroochy Water Services in Australia (Slay, 2008) and
the 2005 Stuxnet attack on an Iranian nuclear enrichment program (Karnouskos, 2011 ) (Kushner, 2013) along
with the more recent attack upon a German steel mill in 2014 (Lee, et al., 2014) makes it clear that SCADA
attacks will continue into the foreseeable future .
Until recently, very few of these systems were exposed to external systems such as corporate or government
networks and the Internet. They were physically isolated from other networks and required physical access.
This negated many of the attack vectors th at could be used by malicious entities to cause harm to the systems.
Vulnerabilities were still present but they were not easy to exploit by an external adversary.
Recently, however, this has begun to change. SCADA systems have become increasingly connect ed to the
Internet in order to enable remote management, thus improving incident response time. This, in turn, has
opened up the previously non -existent attack vectors and increased the susceptibility for a malicious adversary
to attack such a system. With the widespread push to both link SCADA systems with outside networks and
incorporate off -the-shelf protocols and components into their design, the most significant new threat category
for SCADA designers to address is the remote, external attack (East et al., 2009).
As defensive techniques for cyber security develop, a current trend has emerged in defending normal
corporate and governmental systems known as a Moving Target Defense (MTD) (CyberSecurity Division, 2013) .
The goal of a MTD is to periodically change the attack surface of protected systems in order to make it more
difficult for an adversary to make a successful attack. These techniques do not resolve any particular
vulnerability but, instead, seek to make the v ulnerability less probable of being successfully exploited . These
techniques have been applied to general computer systems. It remains to be seen how applicable they will be
for SCADA environments.
This research investigates the feasibility of applying va rious MTD strateg ies in defense of a SCADA system to
determine to what extent, if any, these techniques can be used to address the unique problems and
requirement constraints inherent in the defense of such systems .
2. SCADA Systems
SCADA systems are a type o f Industrial Control System (ICS) that are typically used for monitoring networked
devices that span great geographic distance s. Communications may be slow and with only intermittent
network connections to the remotely controlled sites. These remote sites contain components used by various
industrial applications such as water distribution systems, oil and natural gas pipelines, power grids, and
transportation systems (Stouffer , et al., 2011) . These systems are, in general, arranged into three tiers: the
sensors and actuators, the control units, and the central control location which usually includes a Human –
Machine -Interface (HMI) from which control engineers can make adju stments as needed .
At the lowest level are the electromechanical devices located at each remote site along with the sensors that
monitor them and actuators that manipulate them . The middle layer consists of remote terminal units (RTU)
and programmable log ic controllers (PLC) that receive sensor input into programs stored within their memory
to determine what action, if any, a controlled device should perform . In addition, they may also periodically
communicate with the top level to forward various status u pdates or receive additional instructions. The top
tier of a SCADA system is at a central control center. A Master Terminal Unit (MTU) located at the control
center receives data from the many dispersed remote controls and evaluates which data are of signi ficant
concern. If the MTU concludes that an issue is significant, it relays that information to a Human Machine
Interface (HMI). The HMI is used to display real -time information to the operators responsible for the system,
and can be used to send updates and overrides to other devices throughout the system. In addition to the
MTU and HMI, control centers often include a data historian that is responsible for storing the incoming data
and various other workstations and servers (Krutz, 2005) (Knapp, 2011) (Stouffer, et al., 2008) . In order for the
low level devices to communicate effectively, the SCADA systems require communication protocols to govern
their interaction which became known as a fieldbus . Originally, most of these fieldbus protocols were
developed as needed by various industry groups and manufa cturers and were proprietary to each system.
Over time, there has been a consolidation in protocols though there are still dozens in use (Krutz, 2005) .
2.1 SCADA Security Issues
SCADA systems control physical devices that may be part of a national infrastructure that is critical to a
nation’s safety, economy, or defense. Shutting down a country’s electric grid, or even a significant portion of it,
is not something to be taken ligh tly. If a section is brought offline for a planned upgrade, for example, the
primary emphasis will normally be to get it back up and running as quickly as possible. If the system is brought
down due to an attack, service restoration may be complicated by a continued successful attack.
As previously noted, SCADA systems were seldom designed with software security in mind. However, even
their existence was unknown to many people and the combination of inscrutable protocols connecting
unfamiliar and propriet ary hardware and software systems in a network that was completely separated from
any other networks , in some odd way , provided a degree of security through obscurity. Particular systems may
have had vulnerabilities but it required very specialized knowled ge along with some means of access for any
exploitation to occur. The Mar oochy Water Breech incident (Slay, 2008) that occurred in Queensland, Australia
in 2000 was just such an attack. A disgruntled ex -contractor with specia lized knowledge and radio access to
the system was able to cause extensive damage.
In more recent years, however, there has been a trend towards the use of commercial -off-the-shelf (COTS)
software and hardware within these systems (Krutz, 2005) . Often a windows based PC is the host for
centralized control center computers such as the HMI, MCU, engineering workstations, and data historians.
There are many known exploits that target known and unpatched vulnerabilities in such systems. This trend,
combined with the move to interconnect the SCADA system with corporate and external networks increases
the likelihood for attacks . Communications between the control center and the remote sites or between the
PLC and the controlled device are often not secure. Many fieldbus protocols lack even basic security features
such as authentication and ve ry few support encryption. A man -in-the-middle attack could insert function
codes, for example, that were never intende d (East, et al., 2009) .
In effect, th is means that these systems have significant vulnerabilities . A safe means of defending them is
required.
3. Moving Target Defense
The Federal Cybersecurity Research and Development Program defines a Moving Target Defense (MTD) as
those strategies “that aim to substantially increase the cost of attacks by deploying and operating networks
and systems in a manner that makes them less deterministic, less homogeneous, and less static'' (Executiv e
Office of the President NSTC, 2011).
A MTD makes the assumption that perfect security is an illusion and thus focuses effort on having systems that
provides resiliency in an insecure environment. They seek to provide systems that are defensible instead of
perfectly secure. An exploit may still be possible but the probability of a successful attack may be markedly
reduced. A moving target defense attempts to turn the table on an attacker by constantly changing the attack
surface the adversary can identify . The assumption that an attacker has plenty of time to discover and exploit
vulnerabilities loses validity in a MTD system. An adversary may lose gained privileges any time during an
intrusion attempt since the moving target defense proactively changes th e environments attack surface over a
designated time interval. When attacking a MTD, the attacker must remain active to even remain in the system
(Zhuang, et al., 2014) . A MTD is useful even when an ongoing attack is undet ected such as could happen wit h a
zero -day attack. Since a moving target defense proactively changes its characteristics even in the absence of a
threat, it can help protect against those undetected assaults as well. When something randomly changes in the
system under attack it increases the probability that the current attack will fail. Previous intelligence gathered
about the system must be re -evaluated, plans must change, and a new attack formulated and deployed.
Moving target defenses can be implemented through varying mechanisms such as Address Space Layout
Randomization (ASLR) (Shacham, et al., 2004) (Giuffrida, et al., 2012) , Instr uction Set Randomization (ISR)
(Barrantes, et al., 2003) (Kc, et al., 2003) , IP Hopping (Groat, et al., 2012) (Dunlop, et al., 2011) , Data Space
Randomization (Cadar, et al., 2008) (Bhatkar & Sekar, 2008) , emulators and virtualization systems (Barrantes,
et al., 2003) , intel ligent application controllers (John, et al., 2014) ,hardware (Gelbart, et al., 2005) ,
configuration randomization (John, et al., 2014) (Zhu & Basar, 2013) , and various combinations of these
techniques among others (Carvalho & Ford, 2014) .
A MTD can be designed to probabilistically protect a host, a network, or a particular program. Host based MTD
techniques seek to prot ect the system from attack by providing security at the host operating system level. A
program based defense would focus on protecting a particular program running upon the host operating
system whereas a network based moving target defense seeks to protec t the system by varying the attack
surface of the network itself. In a SCADA system the host operating system might be a windows machine, a
program might be a HMI program running on top of windows and the network would be the communications
stream to the r emote sites. Note that each MTD defense is additive to any other active or passive defenses
that may be available.
3.1 Host Based
Address Space Layout Randomization (ASLR) is the concept of randomly arranging the memory layout of a
processes address space to make it harder for an adversary to take advantage of known absolute and relative
addresses. This technique periodically rearrang es the positions of key data areas in a process's address space
including, in most approaches, the base of the executable and position of libraries, heap, and stack (Shacham,
et al., 2004) (Giuffrida, et al., 2012) (Bhatkar, et al., 2005) thus providing a moving target defense .
Most modern operating systems such as Microsoft Windows, Linux, Android OS, and others provide built -in
support for ASLR but require that each program to be protected , such as an HMI in a SCADA system, be re-
compiled and linked to take advantage of that support. If finer grained memory layout randomization is
desired, ASLR may also be customized at an individual program level by a highly skilled development team
(Bhatkar, 2007) .
There is little if any performance degradation when implementing ASLR at the host operating system level. A
program based version should also have a negligible effect on p erformance but is ultimately dependent upon
the skill of the particular developers. A drawback for implementation in a SCADA system is that re –
randomization generally requires a reboot of the program or operating system which is likely to be infrequent.
However, even infrequent changes to the attack surface provide some degree of additional security.
Configuration Randomization (CR) is a MTD implemented by modifying, in a seemingly random manner, the
initial and load time configuration parameters that govern changeable aspects of an operating system or
individual program. This is done by manipulating which group of parameters is acti vated along with the values
set for each individual parameter. By periodically changing which these groups of parameter/value pairs are
active the attack surface of the host or program may be altered in such a way as to provide a moving target
defense (John, et al., 2014) (Lucas, et al., 2014) . In some cases parameters may be changed during runtime
while other cases may require a reboot of the system or a switch between different virtual machin es. Virtual
machines are unlikely in a SCADA system and reboots have already been determined to be infrequent, at best.
Still, some additional protection is better than none though much consideration must be given with this
method to ensure that every pote ntial configuration provides the reliability required with a SCADA system.
3.2 Program Based
As already noted, Address Space Layout Randomization (ASLR) and Configuration R andomization (CR) may be
implemented a s either a host or an individual program level defense .
Instruction Set Randomization (IR) is an application based moving target defense that modifies the underlying
instruction set of a protected program so that any injected code is invalid and cannot be executed. This
technique seeks to negate remote attacks that seek to insert executable code via buffer overrun vulnerabilities
(Kc, et al., 2003) (Boyd, et al., 2010) .
One method to implement this defense is to run the program under an emulator or interpreter that encrypts
the program’s instructions in memory and then decrypts them back into the appropriate machine instructions
as they are executed (Barrantes, et al., 2003) . Injected malware code will not be correctly encoded or decoded
and will appear to the underlying architecture as random bit patterns wh ich will almost certainly not execute
as planned.
As noted by (Kc et al., 2003), a specialized hardware register would improve performance significantly but does
not as yet exist thus necessitating the machine emulator approach. A Field Programmable Gate Array (FPGA)
has been suggested in lieu of a hardware register (Gelbart, et al., 2005) (Andel, et al., 2014) . Unless this
technology or some other breakthrough occurs, ISR is likely too comp utationally intensive for use in a
deterministic real -time SCADA system.
Data Space Randomization (DSR) is a technique for scrambling or encrypting the data that is stored or used in
a program. Unlike instruction set randomization, data randomization seeks to encrypt or randomize user data
stored on the heap or the stack but does not randomize the program instructions (Cadar, et al., 2008) (Bhatkar
& Sekar, 2008) (Chen, et al., 2005) .
With DSR, e very reference to each data item must be identified so that appropriate randomization masks can
be applied in order to encrypt data in me mory and convert back to plain text when used. If an attack succeeds
in overwriting a data variable in memory, for example, it will overwrite it with data that has been scrambled
with an inappropriate key mask. When it is then read from memory by the progr am, it will decode improperly
and foil the attacker ’s plan. An additional benefit is that code injected into the data area will also be unusable
to the attacker thus also providing similar benefits as with ISR without the performance overhead .
Implementin g DSR in a SCADA system is possible for any program but requires a customization of the
protected program by highly skilled developers which can be both time consuming and expensive. However, if
the development process is successful and the program tested and vetted for SCADA use, then there should be
little performance impact.
3.3 Network Based
Network based Moving Target Defenses seek to protect the system by varying the attack surface of the
network itself. Even if an adversary is able to identify vulnerabi lity in a particular host operating system or a
particular program, a network based MTD changes the network in such a random and unpredictable manner .
IP Hopping is a network based MTD that periodically and randomly alter s the IP address of a host or gro up of
hosts in order to confuse an adversary and disrupt any attack. Even if an exploitable vulnerability is discovered
and targeted, by the time an attack is planned and executed the vulnerable system ’s IP address may have
changed thus foiling the attack. The degree of randomization allowed within this scheme depends upon the IP
version in use and the available address pool. A scheme using IPv6 effectively allows the address pool to be as
large as desir ed but even the relatively few addresses available with IPv4 can disrupt an attack and cause
generic attacks to fail (Jafarian, et al., 2012) (Groat, et al., 2012) (Dunlop, et al., 2011) .
IP Hopping in a SCADA system should be thoroughly tested to ensure that there are no delays in
communications and that each node can continue to communicate as necessary even when the address is
changed. This may be diffi cult to implement for a deterministic real -time system.
4. Feasibility of MTD to Defend a SCADA System
The moving target defense paradigm has been demonstrated to be a useful model for many traditional
computer systems. However, an area that has not received much attention is the feasibility of applying various
MTD techniques towards the protection of a SCADA system.
Unfortunately, simply migrating current IT solutions that have been designed for use with common corporate
and governmental computers and networ ks do not take into consideration the unique requirements and
constraints that are inherent in SCADA systems (Krutz, 2005) such as:
(i) Loss or even the interruption of data may be intolerable.
(ii) Systems must be extremely resilient and reliable.
(iii) Require deterministic times in control loops.
A failure of the first requirement could lead to extensive damage or even the loss of life. The second
requirement is necessary because these systems often cannot reboot for routine patches and other
maintenance. Though it may be months or years between software patches, it may be much longer before the
hardware is updated. Even under these circumstances, the system must continue to perform its task without
failure.
The third requirement, in many ways, is the core constraint that the other requirements are based upon.
These machines monitor and control real -time systems or are themselves real -time systems that require
deterministic times in their control loops. Delays in receiving or processing data cannot be tolerated beyond a
particular threshold that may vary between systems. This often negates the use of virus software protection,
encryption, and other common tools. Anything that causes a delay could be regarded as unn ecessary or
dangerous and not be allowed. Requirements such as these enact significantly more constraints then normal IT
security practices. In a traditional IT system the first lines of defense are to patch known vulnerabilities on a
regular basis and to run virus software. Encryption of network traffic is common when data security is
important and penetration testing can be performed without impacting safety. These passive defense
measures may not be consistently available on a SCADA system.
Moving targe t defenses, in contrast, seem to have some suitability to this type of environment. Once a MTD
has been designed, tested, and applied to a SCADA system it can continue to provide some measure of
probabilistic protection regardless of how long it goes betwe en changes. Obviously, there is a trade -off
between the frequency of the system reconfiguration and its impact on both the system performance and
security.
Below, we discuss the applicability of existing MTD techniques to various SCADA components . Table 1
summarizes our analytical analysis for each moving target technique and the components of a SCADA system
to which it may apply assigning the codes of Applicable (A) , Conditionally Applicable (CA), or Non -Applicable
(NA) as indicated .
Table 1: SCADA A pplicability of MTD Technique
MTD SCADA Component
PC/HMI MTU RTU/PLC Field
Units
ASLR A A CA CA
CR A A CA CA
DSR A A CA CA
ISR NA NA NA NA
IP
Hopping CA CA CA CA
Address Space Layout Randomizatio n (ASLR) may be a feasible defense of applications running on SCADA PC’s ,
such as an HMI . Host based ASLR on PC’s at the control center should be relatively easy to implement and is
expected to add an extra level of defense while still meeting SCADA requirements. If ASLR can be implemented
on a particular PLC/RTU or any other device , then it would be expected to also meet these requirements.
Data Space Randomization (DSR) requires a great deal of expertise for custom modification of an application.
This could be a sig nificant undertaking. Still, once the program has been completed and tested to ensure that it
is both correct and that it does not negatively impact SCADA requirements, it can provide a good defense for
buffer injection attacks.
Instruction Set Randomiza tion (ISR) is likely to impact performance too greatly to be effective at this point in
time. Though hardware based version using a FPGA as a register might increase speed enough to be used on a
machine in the control center, this is a technique still unde r development and not yet amenable to integration
into any SCADA system component.
Configuration Randomization (CR) could be attempted on any SCADA component that has initial or runtime
configuration parameters that can be modified enough to cause an eff ective change in the attack surface of
the host operating system or an individual program. Since it is likely that the OS or program cannot be
reloaded very often, we would expect little movement based solely upon initialization parameters. If there are
significant runtime parameters that can be safely changed, then movement would be increased.
IP Hopping might be effective but should be thoroughly tested to ensure that there are no delays in
communications and that each node can continue to communicate a s necessary even when the address is
changed. If this can be accomplished, then this scheme could be used in every part of a SCADA network that
passed the tests
Some types of moving target defenses implemented within a SCADA system may be provided more e asily than
others. Though we are still gathering data concerning PLC’s and embedded systems, there is an expectation
that it may be possible to implement several different MTD techniques concurrently. However, a modern
operating system on a workstation or server enables the easiest and most diverse implementations of MTD in
SCADA systems.
5. Summary
Supervisory Control and Data Acquisition (SCADA) systems are the backbones of our national infrastructures
yet lack many of the security features of a common business network. Providing additional security has
become a priority but the particular safety, reliability, and functionality requirements precludes simply adding
these aspects of security. It will be many y ears before the current SCADA generation is updated with the
security features that are already needed today.
In researching other methods of mitigating these security needs, we looked into the feasibility of
implementing a Moving Target Defense (MTD). Th ese types of defenses do not seek to provide perfect
security. The assumption is that no such thing exists. Instead, it seeks to make any known or unknown
vulnerability less likely to be exploited. The key issue to be addressed is whether a particular movi ng target
defense can be implemented without affecting the core safe, reliable, deterministic, and correct operations of
the SCADA system.
Our investigation raised suspicion that the additional processor load normally associated with Instruction Set
Rando mization (ISR) was likely to interfere with determinism requirements of a SCADA system. No further
investigation into this technique with SCADA is planned at this time. Data Space Randomization (DSR),
Configuration Randomization (CR), Address Space Randomi zation (ASLR), and IP Hopping may be feasible as
security implementations for specific programs or network segments. We believe that Address Space Layout
Randomization (ASLR) at the host level appears to be the most promising avenue for initial testing in a SCADA
environment. With built -in support by modern operating systems, providing additional protection may require
only that protected applications be recompiled to take advantage.
Our continuing research is towards implementation of one or more MTD tech niques in a SCADA laboratory
setting.
6. References
Andel, T. R., Whitehurst, L. N. & McDonald, J. T., 2014. Software Security and Randomization through Program
Partioning and Circuit Variation. NY, ACM.
Barrantes, E. G. et al., 2003. Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks. NY,
ACM.
Bhatkar, S., 2007. Defeating Memory Error Exploits Using Automated Software Diversity, s.l.: s.n.
Bhatkar, S. & Sekar, R., 2008. Data Space Randomization. s.l., Springer -Verlag, pp. 1 -22.
Bhatkar, S., Sekar, R. & DuVarney, D. C., 2005. Efficient Techniques for Comprehensive Protection from Memory
Error Exploits. Berkeley, CA, USENIX Association, p. 16.
Boyd, S. W. et al., 2010. On the General Applicability of Instruction -Set Randomization. IEEE Transactions on
Dependable and Secure Computing, July, 7(3), pp. 255 -270.
Byres, E. & Lowe, J., 2004. The Myths and Facts Behind Cyber Security Risks for Industri al Control Systems. NY,
VDE Verlag, pp. 213 -217.
Cadar, C. et al., 2008. Data Randomization, Redmond, WA: Microsoft Research.
Carvalho, M. & Ford, R., 2014. Moving -Target Defenses for Computer Networks. Security Privacy, IEEE, Mar,
12(2), pp. 73 -76.
Chen, S. et al., 2005. Non-Control -Data Attacks Are Realistic Threats. s.l., USENIX.
CyberSecurity Division, D. H. S., 2013. Moving Target Defense. Washington, DC: Department of Homeland
Security.
Dunlop, M. et al., 2011. MT6D: A Moving Target IPv6 Defense. Baltimore, MD, IEEE, pp. 1321 -1326.
East, S., Butts, J., Papa, M. & Shenoi, S., 2009. A Taxonomy of Attacks on the DNP3 Protocol. In: C. Palmer & S.
Shenoi, eds. Critical Infrastructure Protection III. Berlin: Springer Berlin Heidelberg, pp. 67 -81.
Gelbart, O. et al., 2005. Codesseal: Compiler/fpga approach to secure applications. Berlin, Springer Berlin
Heidelberg, pp. 539 -535.
Giuffrida, C., Kuijsten, A. & Tanenbaum, A. S., 2012. Enhanced Operating System Security Through Efficient and
Fine-grained Address Sp ace Randomization. s.l., USENIX Association.
Groat, S. et al., 2012. Using an IPv6 moving target defense to protect the Smart Grid. NY, IEEE Computer
Society, pp. 1 -7.
Jafarian, J. H., Al -Shaer, E. & Duan, Q., 2012. Openflow Random Host Mutation: Transparent Moving Target
Defense Using Software Defined Networking. New York, NY, USA, ACM, pp. 127 -132.
John, D. J. et al., 2014. Evolutionary Based Moving Target Cyber Defense. New York, NY, USA, ACM, pp. 1261 –
1268.
Karnou skos, S., 2011. Stuxnet worm impact on industrial cyber -physical system security. NY, IEEE, pp. 4490 –
4494.
Kc, G. S., Keromytis, A. D. & Prevelakis, V., 2003. Countering Code -injection Attacks with Instruction -set
Randomization. NY, ACM.
Knapp, E. D., 2011 . Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid,
SCADA, and Other Industrial Control Systems. Bloomberg, IL: Syngress Publishing.
Krutz, R. L., 2005. Securing SCADA Systems. NY: Hungry Minds, Inc..
Kushner, D., 2013. The Real Story of Stuxnet. NY: IEEE Spectrum.
Lee, R., Assante, M. & Conway, T., 2014. ICS CP/PE case study paper – German Steel Mill Cyber Attack. [Online]
Available at: https://ics.sans.org/media/ICS -CPPE -case -Study -2-German -Steelworks_Facility.pdf
[Accessed 4 10 2015].
Lucas, B., Fulp, E. W., John, D. J. & Canas, D., 2014. An Initial Framework for Evolving Computer Configurations
As a Moving Target Defense. New York, NY, USA, ACM, pp. 69 -72.
Shacham, H. et al., 2004. On the Effectiveness of Address -space Randomization. NY, ACM, pp. 298 -307.
Slay, J. a. M. M., 2008. Lessons learned from the Maroochy Water Breech. In: E. Goetz & S. Shenoi, eds. Critical
Infrastrucure Protection. NY: Springer, pp. 73 -82.
Stouffer, K. A., Falco, J. A. & Scarfone, K. A., 201 1. SP 800 -82.Guide to Industrial Control Systems (ICS) Security,
Gaithersburg, MD, United States: National Institute of Standards and Technology.
Stouffer, K., Falco, J. & Scarfone, K., 2008. Guide to Industrial Control Systems (ICS) Security.
Yampolskiy, M. et al., 2013. Taxonomy for description of cross -doman attacks on CPS. NY, Elseiver, pp. 132 –
142.
Yampolskiy, M. et al., 2015. A language for describing attacks on cyber -physical systems. International Journal
of Critical Infrastructure Protection, 8(20 15), pp. 40 -52.
Zhuang, R., DeLoach, S. A. & Ou, X., 2014. A Model for Analyzing the Effect of Moving Target Defenses on
Enterprise Networks. New York, NY, USA, ACM, pp. 73 -76.
Zhu, Q. & Basar, T., 2013. Game -Theoretic Approach to Feedback -Driven Multi -stage Moving Target Defense.
Fort Worth, TX, Springer -Verlag, NY, pp. 246 -263.
Copyright Notice
© Licențiada.org respectă drepturile de proprietate intelectuală și așteaptă ca toți utilizatorii să facă același lucru. Dacă consideri că un conținut de pe site încalcă drepturile tale de autor, te rugăm să trimiți o notificare DMCA.
Acest articol: See discussions, stats, and author profiles for this publication at: [604109] (ID: 604109)
Dacă considerați că acest conținut vă încalcă drepturile de autor, vă rugăm să depuneți o cerere pe pagina noastră Copyright Takedown.