ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58
Industrial Control System Security Incidents Taxonomic Framework
with Application to a Comprehensive Incidents Survey
Presenter: M. Mehdi Ahmadian
Department of Computer Engineering and Information Technology,
Amirkabir University of Technology, Tehran, Iran
First Author Introduction
Mohammad Mehdi Ahmadian
mm.Ahmadian@aut.ac.ir
www.mmAhmadian.ir
@mmAhmadian
• Ph.D. candidate in information security, Department of Computer Engineering and
Information Technology, Amirkabir University of Technology, Tehran, Iran
• ICS cyber security researcher and consultant at the Center of Security Technology
Development in Iran Power Industry (Niroo Research Institute)
• Senior ICS cyber security engineer and instructor at MAPNA Group
Declaration
Industrial Control System Security Taxonomic Framework
with Application to a Comprehensive Incidents Survey
International Journal of Critical Infrastructure Protection
M. Mehdi Ahmadian, Dr. Mehdi Shajari, Ali Shafiee
https://doi.org/10.1016/j.ijcip.2020.100356
Received date: 12 August 2018
Revised date: 20 October 2019
Accepted date: 26 February 2020
Please cite this article as: Mohammad Mehdi Ahmadian , Mehdi Shajari , Mohammad Ali Shafiee , Industrial Control
System Security Taxonomic Framework with Application to a Comprehensive Incidents Survey, International Journal
of Critical Infrastructure Protection (2020), doi:https://doi.org/10.1016/j.ijcip.2020.100356 © 2020
[This presentation is based on the preprint version]
Amirkabir University of Technology Information Security & E-Commerce lab. (ISEC)
Audience
• ICS cyber security researchers, lecturers, and students
• ICS cyber security engineers and managers
• Cyber security researchers interested in attack modeling, security incident taxonomies, and threat
intelligence
• etc.
Industrial Control System Security Taxonomic Framework
with Application to a Comprehensive Incidents Survey
International Journal of Critical Infrastructure Protection
M. Mehdi Ahmadian, Mehdi Shajari, Ali Shafiee
https://doi.org/10.1016/j.ijcip.2020.100356
Agenda
1. Abstract
2. Introduction
3. Literature Review
4. Review of Definitions
5. Comparison of Taxonomies
6. Taxonomy Framework
7. ICS Incidents Analysis Example
8. Analysis of Incidents
9. Conclusion
Abstract
• We propose the Hierarchical Taxonomic Framework (HTF), with 16 required characteristics, for
classifying attacks and security incidents in ICSs.
• The framework has the desired characteristics of completeness, unambiguity, repeatability,
usefulness, appropriateness, and applicability.
• We provide semi-formal, standardized definitions of threats, events, incidents, non-incidents, non-
security incidents, non-attack security incidents, and attacks.
• The taxonomy's parameters and sub-parameters form an expandable hierarchical framework that
can be fitted to any organization's requirements.
• The paper presents a minimal set of parameters and sub-parameters for classification; they can be
changed, expanded, and revised for applications that need more customization.
• Using the HTF, we also classified and analyzed 268 security incidents on ICSs. The resulting statistical
study exposes useful patterns and key points for threat intelligence in ICSs and critical infrastructures;
awareness of these cyber-attack trends helps improve the security of ICSs and critical infrastructures.
Introduction: Infrastructures
• Legacy industrial infrastructures (legacy OT)
• Modern information and communication infrastructure (TCP/IP)
Introduction: Infrastructure Convergence
Introduction: Some Attacks & Incidents in ICS (timeline)
• Siberian Pipeline Explosion (1982)
• Maroochy Water & Sewage Attack (2000)
• California System Operator Hacking (2001)
• American Northeast Blackout (2003)
• Davis-Besse Power Plant Infection (2003)
• Browns Ferry Power Plant Shutdown (2006)
• Brazil Steel Plant Worm Attack (2008)
• Hatch Power Plant Shutdown (2008)
• Stuxnet Malware (2010)
• Duqu Malware (2012)
• Flame Malware (2012)
• Wiper Malware (2012)
• Shamoon Malware (2012)
• BlackEnergy Malware (2013)
• Germany Steel Factory Attack (2014)
• Ukraine Power Grid Attack (2015)
• Industroyer Malware (2016)
• Triton Malware (2017)
• Petya Malware (2017)
• ClearEnergy Malware (2017)
• VPNFilter Malware (2018)
• GreyEnergy Malware (2018)
• Venezuela Blackout (2019)
• Kudankulam Power Plant Attack (2019)
• European Power Grid Hacking (2020)
Introduction: The Importance of the Issue
• The importance of classifying cyber security threats, incidents, and attacks.
• An important issue in threat intelligence is having a comprehensive taxonomic framework with the
required characteristics.
Literature Review: Related Work
• Shirey's Threat Classification [5]
• STRIDE Threat Model [7]
• ISO 7498-2 reference model [8]
• Multi-Dimensions Threats Taxonomy [9]
• Howard & Longstaff Taxonomy [10]
• Open & Comprehensive Framework for CPS Incidents [12, 13]
• Taxonomy of Attacks on SCADA Systems [11]
• ISA/IEC-62443 [2]
• Information Security Threats Pyramid [4]
• Basic C3 Model
• Three Orthogonal Dimensional classification model [3]
Literature Review: ISA/IEC-62443 Attack Taxonomy [2]
• Attacks are classified into:
1. "Active attack": attempts to alter system resources or affect their operation.
2. "Passive attack": attempts to learn or make use of information from the system
but does not affect system resources.
3. "Inside attack": initiated by an entity inside the security perimeter.
4. "Outside attack": initiated from outside the perimeter, by an unauthorized or
illegitimate user of the system.
Literature Review: Three Orthogonal Dimensional Classification Model
• Ruf et al. [3]
Literature Review: The STRIDE Threat Model [7]
Literature Review: The Multi-Dimensions Threats Taxonomy
• Jouini et al. [9]
Literature Review: Open & Comprehensive Framework for CPS Incidents
• Miller et al. [12, 13]
Literature Review: Howard & Longstaff Taxonomy
• Howard and Longstaff [10]
• For other related work, refer to the paper.
Review of Definitions: Security Threat
o Problem:
• "Threat" and "attack" overlap.
• Most related work addresses threats and attacks without an exact definition of the two categories
or of their differences.
• The information security literature gives different definitions of "security threat".
o Generally, a security threat is anything with the potential to cause damage to system assets:
 "a threat is a potential cause of an unwanted incident, which may result in harm to a system or
organization" [ISO/IEC 13335-1 (2004) and ISO/IEC 27000 (2016)]
 "potentially damaging action (intended or unintended) or capability (internal or external) to adversely
impact through a vulnerability is called a threat" [ISA/IEC-62443]
 "a threat is a potential violation of security" [Bishop 2005]
Review of Definitions: Security Threat vs. Attack
o Security threat and attack in the HTF:
• "a threat is a potential violation of security" [Bishop 2005]
 The violation need not actually occur for a threat to exist.
 Because the violation might occur, the actions that could cause it must be guarded against
(or prepared for); these actions are called attacks.
Review of Definitions: Taxonomy vs. Classification
o Taxonomy
• "is a classification scheme that partitions a body of knowledge and defines the relationship of
the pieces".
o Classification
• "is the process of using a taxonomy for separating and ordering".
Review of Definitions: Security Incident Taxonomy Characteristics
1. Accepted:
• The taxonomy should be logical and intuitive so that it becomes generally approved.
2. Apprehensible:
• A taxonomy is apprehensible if everyone can understand it, even non-experts in the field of security.
3. Complete / Comprehensive:
• The taxonomy should encompass all possible security incidents on the target system.
4. Deterministic:
• The process of classifying security incidents must be clearly defined.
Review of Definitions: Security Incident Taxonomy Characteristics (continued)
5. Unambiguous:
• Every category should be accompanied by clear and precise classification criteria that make the classification
independent of the person who performs it.
6. Mutually Exclusive:
• Classifying into one category excludes all others, because categories do not overlap.
7. Repeatable:
• Repeated applications give the same classification, regardless of who is classifying.
8. Useful / Appropriate:
• A useful taxonomy appropriately characterizes the security incidents in the target system, that is, any
constraints on the taxonomy or the system are specified and considered before application. With this
property, classification can be used in security projects to gain insight into the field of inquiry.
Review of Definitions: Security Incident Taxonomy Characteristics (continued)
9. Conformity of Terminology:
• To avoid confusion, the terminology of the taxonomy should comply with the terminology of the
established security standards.
10. Well-Defined Terminology:
• The terminology of the taxonomy should be completely defined.
• This characteristic shows how accurate the definitions are and how well their differences are
compared and contrasted.
 e.g., the definitions of threat, event, security incident, non-attack security incident, and
attack.
11. Adaptable / Flexible:
• A taxonomy should be flexible and adapt to new parameters, sub-parameters, and values to accommodate the
requirements of each environment and future changes.
Review of Definitions: Security Incident Taxonomy Characteristics (continued)
12. Formalism:
• This property shows how formal a taxonomy is (○: informal, ◐: semi-formal, ●: formal).
 Formal means the taxonomy is based on a method with a mathematical foundation, such as
process algebras.
 Semi-formal means the taxonomy is not based on a mathematical foundation but is based on precise
definitions and relationships.
 Informal means the taxonomy is based neither on a mathematical foundation nor on precise
definitions and relationships.
13. Sufficient Criteria:
• The number of suitable criteria for producing different classifications of security incidents, giving the user
a brief but complete overview of the incident information.
Review of Definitions: Events and Their Subclasses
To satisfy the requirements of a taxonomy for cyber security incidents,
• we define "event", "incident", "non-incident", "security incident", "non-attack security incident",
and "attack" as the security terms of the HTF.
Review of Definitions: Event
Event:
• "is a discrete change of state or status of a system or device".
 The parameters of an event are:
 the event's "Source", "Action", "Target", and "Impact".
Review of Definitions: Incident
Incident:
• is an event or a group of events that negatively affects the system in a
way that impacts performance, business, reputation, etc.
 e.g., an attacker deliberately, or an employee unintentionally,
disrupts the main services of a system.
Review of Definitions: Non-Incident
Non-incident:
• Any event that cannot be included in the set of incidents.
• Any change during normal operation of a system that moves the system
from one secure state to another secure state.
• No violation of policy happens during this change.
 e.g., a router ACL is updated or a firewall policy is pushed.
Review of Definitions: Security Incident
Security incident:
• The act of violating an explicit or implied security policy.
• An event caused, intentionally or unintentionally and maliciously or
non-maliciously, by at least one agent.
• Its impact violates at least one of the CIA principles.
• The incident can originate from one or more vulnerabilities.
Review of Definitions: Security Incident Example
• A SCADA system suddenly shuts down after an engineer installs infected software in a plant's process
network.
• What is known as an "incident" in the field of information security is always a "security incident".
Review of Definitions: Non-Security Incident
Non-security incident:
• Any incident that is not a security incident.
• These incidents are not related to any security issue.
 e.g., natural incidents, equipment failure, destruction of a
building wall in a factory, explosion in a warehouse due to
negligence, etc.
Review of Definitions: Non-Attack Security Incident
Non-attack security incident:
• These security incidents happen non-maliciously and
unintentionally.
• The agent can be an unaware employee or a careless contractor.
 e.g., an unaware contractor reboots the engineering workstation
after the synchronization program is updated. The ICS
network interprets this benign mistake as a sudden drop in the
reactor's water reservoirs and initiates an automatic shutdown.
NonAttackSecurityIncidents ⊂ SecurityIncidents ⊂ Incidents ⊂ Events
Review of Definitions: Attack
Attack:
• Happens with malicious intention and specific objectives, using
operational techniques.
• Each attack is a security incident, and each security incident is an
event, but the reverse is not true.
Attacks ⊂ SecurityIncidents ⊂ Incidents ⊂ Events
Review of Definitions: Header of the HTF
(Figure: the proposed definitions infrastructure, i.e. the header of the HTF)
 Source, Action, Target, Impact, Violation against CIA, Vulnerability, Agent, Attacker, Operational Technique, and
Objectives are explained in the paper (link).
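To make the chain of definitions concrete, here is an added example (this editor's code, not the paper's or the authors') that encodes each definition as a predicate and classifies a few constructed events modelled on the slides' own examples (firewall policy push, warehouse explosion from negligence, contractor reboot of the engineering workstation, malware replacing PLC logic). The field names `negative_effect`, `policy_violated`, `cia_violated`, `malicious` and `intentional` are this example's assumptions about how the HTF header fields would be recorded; the page prescribes no data format. One boundary the slides leave open, a policy violation that is intentional but not malicious, is filed here as a non-attack security incident and flagged as an assumption in the code.

```python
"""Added example (not the paper's code): the HTF event hierarchy
Attacks ⊂ SecurityIncidents ⊂ Incidents ⊂ Events encoded as predicates,
with a classifier run over constructed sample events."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional

CIA = frozenset({"C", "I", "A"})


class Kind(Enum):
    NON_INCIDENT = "non-incident"
    NON_SECURITY_INCIDENT = "non-security incident"
    NON_ATTACK_SECURITY_INCIDENT = "non-attack security incident"
    ATTACK = "attack"


@dataclass(frozen=True)
class Event:
    # The four event parameters named on the slides.
    source: str
    action: str
    target: str
    impact: str
    # Incident test (assumed boolean encoding of "Impact"): the change
    # negatively affects performance, business, reputation, etc.
    negative_effect: bool = False
    # Security-incident tests: a policy is violated, at least one CIA
    # property is affected, and at least one agent caused the event.
    policy_violated: bool = False
    cia_violated: FrozenSet[str] = frozenset()
    agent: Optional[str] = None
    # Attack tests (HTF header fields Attacker, Objectives, Operational Technique).
    malicious: bool = False
    intentional: bool = False
    objective: Optional[str] = None
    technique: Optional[str] = None

    def __post_init__(self) -> None:
        if not self.cia_violated <= CIA:
            raise ValueError(f"cia_violated must be a subset of {sorted(CIA)}")


def is_incident(e: Event) -> bool:
    return e.negative_effect


def is_security_incident(e: Event) -> bool:
    return (is_incident(e) and e.policy_violated
            and bool(e.cia_violated) and e.agent is not None)


def is_attack(e: Event) -> bool:
    # The slides define an attack by malicious intention with specific
    # objectives and operational techniques. Malice is the gate here;
    # objective/technique are descriptive because reports often omit them.
    return is_security_incident(e) and e.malicious and e.intentional


def classify(e: Event) -> Kind:
    if not is_incident(e):
        return Kind.NON_INCIDENT
    if not is_security_incident(e):
        return Kind.NON_SECURITY_INCIDENT
    if is_attack(e):
        return Kind.ATTACK
    # ASSUMPTION: the slides define non-attack security incidents as
    # unintentional and non-malicious and say nothing about intentional but
    # non-malicious violations (an operator knowingly bypassing a policy to
    # finish a job); this example files those here as well.
    return Kind.NON_ATTACK_SECURITY_INCIDENT


def hierarchy_holds(events: List[Event]) -> bool:
    """Sanity check of the subset chain on a sample: every attack is a
    security incident and every security incident is an incident."""
    for e in events:
        if is_attack(e) and not is_security_incident(e):
            return False
        if is_security_incident(e) and not is_incident(e):
            return False
    return True


# Constructed events (not real incidents), modelled on the slides' examples.
SAMPLE_EVENTS: List[Event] = [
    Event("network administrator", "push firewall policy", "plant firewall",
          "rule set updated, system stays in a secure state"),
    Event("warehouse staff", "negligent handling of stored material", "warehouse",
          "explosion, production downtime", negative_effect=True, agent="staff"),
    Event("contractor", "reboot engineering workstation after synchronization update",
          "engineering workstation", "false low-level reading, automatic shutdown",
          negative_effect=True, policy_violated=True, cia_violated=frozenset({"A"}),
          agent="contractor", intentional=False, malicious=False),
    Event("removable media", "replace PLC control logic", "PLC",
          "process equipment damaged", negative_effect=True, policy_violated=True,
          cia_violated=frozenset({"I", "A"}), agent="malware operator",
          malicious=True, intentional=True, objective="sabotage",
          technique="control logic modification"),
]


def classify_all(events: List[Event]) -> Dict[str, str]:
    """Map each event's action to its HTF kind."""
    return {e.action: classify(e).value for e in events}


if __name__ == "__main__":
    for action, kind in classify_all(SAMPLE_EVENTS).items():
        print(f"{kind:30s} <- {action}")
```

The decision order matters: the incident test is applied before the security test, and the security test before the attack test, so a record can never be an attack without also being a security incident and an incident; `hierarchy_holds` makes that chain checkable on any classified sample.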
Comparison of Taxonomies: Table 1
• The taxonomies were compared using the Analytic Hierarchy Process (AHP).
 Interested readers are referred to the paper (link) for additional details
about this comparison.
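Since the slide only names AHP, here is an added example of the method itself (this editor's code, not the paper's): pairwise judgments on a few of the taxonomy characteristics listed earlier are turned into criterion weights by the principal-eigenvector method, checked with Saaty's consistency ratio, and then used to score taxonomies on the slides' own ○/◐/● scale read as 0/0.5/1. The judgment values, the placeholder names "Taxonomy A/B/C" and their per-criterion scores are hypothetical; the paper's actual matrices and scores are not on this page.

```python
"""Added example (not the paper's code): criterion weights for a taxonomy
comparison via the Analytic Hierarchy Process (AHP) with Saaty's consistency
check. All judgments and scores below are hypothetical placeholders."""
from typing import Dict, List, Tuple

# Saaty's random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

Matrix = List[List[float]]


def reciprocal_matrix(n: int, judgments: Dict[Tuple[int, int], float]) -> Matrix:
    """Pairwise matrix from upper-triangle judgments {(i, j): a_ij}, i < j, on
    Saaty's scale (1 equal, 3 moderate, 5 strong, 7 very strong, 9 extreme);
    a_ji = 1 / a_ij and a_ii = 1."""
    a = [[1.0] * n for _ in range(n)]
    for (i, j), v in judgments.items():
        if not (0 <= i < j < n) or not (1 / 9 <= v <= 9):
            raise ValueError(f"bad judgment ({i}, {j}) = {v}")
        a[i][j] = float(v)
        a[j][i] = 1.0 / v
    return a


def priority_vector(a: Matrix, iterations: int = 200) -> List[float]:
    """Principal right eigenvector by power iteration, normalised to sum 1."""
    n = len(a)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        s = sum(v)
        w = [x / s for x in v]
    return w


def consistency(a: Matrix) -> Tuple[List[float], float, float, float]:
    """Return (weights, lambda_max, CI, CR). CR > 0.1 means the judgments are
    too inconsistent to use and should be revised before ranking anything."""
    n = len(a)
    w = priority_vector(a)
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri > 0 else 0.0
    return w, lam, ci, cr


def rank(weights: List[float], scores: Dict[str, List[float]]) -> List[Tuple[str, float]]:
    """Weighted sum per taxonomy; scores use the slides' ○/◐/● marks as 0/0.5/1."""
    totals = [(name, sum(w * s for w, s in zip(weights, s_list)))
              for name, s_list in scores.items()]
    return sorted(totals, key=lambda t: t[1], reverse=True)


# Hypothetical inputs: four of the characteristics from the slides, pairwise
# judgments on them, and placeholder taxonomies scored per criterion.
CRITERIA = ["Complete", "Unambiguous", "Repeatable", "Adaptable"]
JUDGMENTS = {(0, 1): 2, (0, 2): 2, (0, 3): 5, (1, 2): 1, (1, 3): 3, (2, 3): 2}
SCORES = {
    "Taxonomy A": [1.0, 0.5, 1.0, 0.5],
    "Taxonomy B": [0.5, 1.0, 1.0, 0.0],
    "Taxonomy C": [1.0, 1.0, 0.5, 1.0],
}


def compare() -> Tuple[List[float], float, List[Tuple[str, float]]]:
    """Weights, consistency ratio and ranking for the placeholder inputs."""
    a = reciprocal_matrix(len(CRITERIA), JUDGMENTS)
    w, _, _, cr = consistency(a)
    if cr > 0.1:
        raise ValueError(f"judgments inconsistent (CR = {cr:.2f}); revise them first")
    return w, cr, rank(w, SCORES)


if __name__ == "__main__":
    weights, cr, ranked = compare()
    for name, wt in zip(CRITERIA, weights):
        print(f"{name:12s} weight {wt:.3f}")
    print(f"CR = {cr:.3f}")
    for name, total in ranked:
        print(f"{name}: {total:.3f}")
```

The consistency gate is the part worth keeping when adapting this: a pairwise matrix filled in by hand is easy to make circular (A beats B, B beats C, C beats A), and the ranking it produces is then meaningless even though the arithmetic still runs.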
Agenda
1. Abstract
2. Introduction
3. Literature Review
4. Review of Definitions
5. Comparison of Taxonomies
6.Taxonomy Framework
7. ICS Events Analysis Example
8. Analysis of Incidents
9. Conclusion
Industrial Control System Security Taxonomic Framework
with Application to a Comprehensive Incidents Survey
International Journal of Critical Infrastructure Protection
M. Mehdi Ahmadian, Mehdi Shajari, Ali Shafiee
https://doi.org/10.1016/j.ijcip.2020.100356
40
Taxonomy Framework (HTF)
 Interested readers are referred to the paper (link) for additional details
about the HTF.
Agenda
1. Abstract
2. Introduction
3. Literature Review
4. Review of Definitions
5. Comparison of Taxonomies
6.Taxonomy Framework
7. ICS Incidents Analysis Example
8. Analysis of Incidents
9. Conclusion
Industrial Control System Security Taxonomic Framework
with Application to a Comprehensive Incidents Survey
International Journal of Critical Infrastructure Protection
M. Mehdi Ahmadian, Mehdi Shajari, Ali Shafiee
https://doi.org/10.1016/j.ijcip.2020.100356
42
ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58
ICS Incidents Analysis Example
o We collected the most important publicly available ICS incidents from:
• ICS-CERT, Bitdefender, Symantec, Securelist, SecurityWeek, Computerworld, the Repository of
Industrial Security Incidents (RISI) online database, Idaho National Laboratory, and articles
such as [18] and [19].
o The dataset covers 268 ICS security incidents publicly reported to have affected process control or
industrial automation in SCADA or DCS systems between 1982 and 2018.
o For the analysis we add two further parameters, each on a six-level ordinal scale:
• Credibility of the information:
• (1) cannot be determined, (2) improbable, (3) doubtful, (4) possibly true, (5) probably true, and (6)
confirmed
• Amount of technical information available:
• (1) no specifics, (2) high-level summary only, (3) some details, (4) many details, (5) extensive details, and
(6) comprehensive details with supporting evidence
ICS Incidents Analysis Example: Properties of Related Work in ICS Incident Data Collection
o We added two ICS-specific criteria to the analysis: ICS Target Layer and Target Industry.
ICS Incidents Analysis Example: Stuxnet
(HTF classification table of Stuxnet; visible value: Hybrid)
Analysis of Incidents
o We classified and analyzed 268 security incidents on ICSs.
o Based on the HTF, we carried out a statistical study to expose useful patterns and key
points for threat intelligence in ICSs and critical infrastructures.
(Figure: number of reported incidents per year)
o One challenge in ICS security research is the
difficulty of collecting incident data.
 The RISI online database has not been updated
since 2015, and there is currently no public,
maintained online database that provides this
information.
Analysis of Incidents: Source Type
(Figure: distribution of incidents by type of source)
o 32% of all ICS incidents are non-security incidents, caused by:
• poor equipment installation or utilization
(software or hardware)
• incompatible software installation (causing a
computer glitch or malfunction)
• incorrect network configuration
• inadequate staff or contractor training
• incorrect programming of PLCs or RTUs
• poor maintenance
• IT audit faults
• mistakes while upgrading aged software and
hardware
Analysis of Incidents: Entry Point
o 50% of security incidents have an internal entry point.
(Figure: distribution of incidents by type of entry point)
Analysis of Incidents: Target Layer
o 29% of all ICS incidents targeted the supervisory network.
(Figure: distribution of incidents by ICS target layer)
Analysis of Incidents: Target Industry
(Figure: distribution of incidents by ICS target industry)
Most frequently targeted industries:
1. transportation
2. power
3. water and sewage
4. …
Analysis of Incidents: Number of Reported Security Incidents per Country
• Counting non-internal attacks with a very high level of reconnaissance, the US, Iran, and Japan are the most
frequent:
• US
• Iran
• Japan
Analysis of Incidents: Target Reconnaissance Level
(Figure: distribution of attacks by target reconnaissance level)
o 30% of attacks have a "very high" reconnaissance
level; these attacks are highly targeted and their
security impacts are crippling, e.g.:
• Stuxnet
• Industroyer
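As an added example of the survey tabulation behind the preceding slides (this editor's code, not the paper's dataset or scripts), the block below builds a handful of constructed incident records carrying the HTF kind, entry point, target layer, target industry, reconnaissance level and the two added ordinal parameters, then computes the same kind of percentage distributions, once over all records and once after dropping reports below "possibly true" credibility. The records, industries and percentages are illustrative only; the practitioner's takeaway is that the headline figures move with the evidence threshold, so the threshold belongs next to every percentage quoted from such a survey.

```python
"""Added example (not the paper's data or code): percentage distributions over
an HTF-classified incident set, with the credibility and technical-detail
parameters used as evidence thresholds. RECORDS are constructed."""
from collections import Counter
from typing import Dict, List, Optional

# Six-level ordinal scales from the slides; level = index + 1.
CREDIBILITY = ["cannot be determined", "improbable", "doubtful",
               "possibly true", "probably true", "confirmed"]
TECH_DETAIL = ["no specifics", "high-level summary only", "some details",
               "many details", "extensive details",
               "comprehensive details with supporting evidence"]

ATTACK = "attack"
NON_ATTACK = "non-attack security incident"
NON_SECURITY = "non-security incident"


def level(scale: List[str], label: str) -> int:
    """1-based level of a scale label; raises ValueError on unknown labels."""
    return scale.index(label) + 1


def record(year: int, kind: str, entry_point: Optional[str], layer: str,
           industry: str, credibility: int, detail: int,
           reconnaissance: Optional[str] = None) -> Dict:
    if kind not in (ATTACK, NON_ATTACK, NON_SECURITY):
        raise ValueError(f"unknown kind {kind!r}")
    if not (1 <= credibility <= 6 and 1 <= detail <= 6):
        raise ValueError("credibility and detail are levels 1..6")
    return {"year": year, "kind": kind, "entry_point": entry_point,
            "layer": layer, "industry": industry, "credibility": credibility,
            "detail": detail, "reconnaissance": reconnaissance}


# Constructed records (hypothetical, not real incidents). Entry point and
# reconnaissance level are None where the parameter does not apply.
RECORDS = [
    record(2003, NON_SECURITY, None, "field", "power", 6, 3),
    record(2010, ATTACK, "external", "supervisory", "power", 6, 6, "very high"),
    record(2016, ATTACK, "external", "supervisory", "power", 5, 5, "very high"),
    record(2008, NON_ATTACK, "internal", "control", "water", 5, 3),
    record(2000, ATTACK, "internal", "control", "water", 5, 4, "low"),
    record(2012, NON_SECURITY, None, "field", "transportation", 4, 2),
    record(2014, ATTACK, "external", "enterprise", "transportation", 2, 1, "medium"),
    record(2015, NON_ATTACK, "internal", "supervisory", "oil and gas", 4, 3),
    record(2017, ATTACK, "external", "supervisory", "power", 3, 2, "high"),
    record(2018, NON_SECURITY, None, "control", "water", 5, 2),
]


def filter_credible(records: List[Dict], min_level: int) -> List[Dict]:
    """Keep reports at or above a credibility level (4 = 'possibly true')."""
    return [r for r in records if r["credibility"] >= min_level]


def filter_documented(records: List[Dict], min_level: int) -> List[Dict]:
    """Keep reports with enough technical detail for technique-level analysis."""
    return [r for r in records if r["detail"] >= min_level]


def security_incidents(records: List[Dict]) -> List[Dict]:
    return [r for r in records if r["kind"] in (ATTACK, NON_ATTACK)]


def attacks(records: List[Dict]) -> List[Dict]:
    return [r for r in records if r["kind"] == ATTACK]


def distribution(records: List[Dict], field: str) -> Dict[str, float]:
    """Percentage of records per value of `field`, ignoring records where the
    field does not apply (None); rounded to one decimal like the slides."""
    values = [r[field] for r in records if r[field] is not None]
    total = len(values)
    if not total:
        return {}
    return {v: round(100.0 * c / total, 1) for v, c in Counter(values).items()}


def headline(records: List[Dict], min_credibility: int = 1) -> Dict[str, float]:
    """The three headline figures of the slides at a given evidence threshold."""
    kept = filter_credible(records, min_credibility)
    return {
        "non_security_pct": distribution(kept, "kind").get(NON_SECURITY, 0.0),
        "internal_entry_pct": distribution(security_incidents(kept), "entry_point").get("internal", 0.0),
        "very_high_recon_pct": distribution(attacks(kept), "reconnaissance").get("very high", 0.0),
    }


if __name__ == "__main__":
    for threshold in (1, level(CREDIBILITY, "possibly true")):
        print(f"credibility >= {threshold} ({CREDIBILITY[threshold - 1]}):",
              headline(RECORDS, threshold))
```

With the constructed records the internal-entry share among security incidents rises from 42.9% to 60% once doubtful and improbable reports are dropped, and the "very high" reconnaissance share among attacks from 40% to 66.7%; the direction and size of such shifts on a real dataset are themselves a finding worth reporting.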
Analysis of Incidents: Further Analyses
 Interested readers are referred to the paper (link) for additional details and
the twelve other analyses of the incidents.
Conclusion
• In this paper, we proposed the Hierarchical Taxonomic Framework (HTF), with sixteen required
characteristics, for classifying attacks and security incidents in ICSs.
• We provided semi-formal, standardized definitions of threats, events, incidents, non-incidents, non-
security incidents, non-attack security incidents, and attacks.
• The framework has the desired characteristics of completeness, unambiguity, repeatability, usefulness,
appropriateness, and applicability.
• The taxonomy's parameters and sub-parameters form an expandable hierarchical framework for any
organization's requirements (the paper presents a minimal set of parameters and sub-parameters for
classification).
• The HTF parameters and sub-parameters can be changed, expanded, and revised for applications
that need more customization.
• We also classified and analyzed 268 security incidents on ICSs (147 attacks and 121 non-attack
security incidents).
Contact Us: More Details & Questions
o For more details:
• Please read the final published version, with the other value added to it by the publisher (such as
formatting, technical enhancements, and the like): link (https://doi.org/10.1016/j.ijcip.2020.100356)
Thank You!
mm.Ahmadian@aut.ac.ir
www.mmAhmadian.ir
@mmAhmadian
Contact Us: YouTube Channel
Link
References
1. Geric S, Hutinski Z. Information system security threats classifications. Journal of Information and Organizational Sciences. 2007;31(1):51-61.
2. ISA/IEC 62443-1-1. Industrial communication networks, Network and system security. 2009.
3. Ruf L, Thorn A, Christen T, Gruber B, Portmann R. Threat Modeling in Security Architecture, The Nature of Threats. ISSS Working Group on Security Architectures, 2008.
4. Alhabeeb M, Almuhaideb A, Le P, Srinivasan B. Information Security Threats Classification Pyramid. 24th IEEE International Conference on Advanced Information Networking and Applications Workshops, 2010, pp. 208-213. doi:10.1109/WAINA.2010.39.
5. Shirey R. Security Architecture for Internet Protocols: A Guide for Protocol Designs and Standards. Internet Draft draft-irtf-psrg-secarch-sect1-00.txt, Nov. 1994.
6. Bishop M. Introduction to Computer Security. Boston, MA: Addison-Wesley, 2005.
7. Swiderski F, Snyder W. Threat Modeling. Microsoft Press, 2004.
8. ISO 7498-2. Information processing systems, Open Systems Interconnection, Basic Reference Model, Part 2: Security Architecture. 1989.
9. Jouini M, Ben Arfa Rabai L, Ben Aissa A. Classification of security threats in information systems. Procedia Computer Science. 2014;32:489-496. doi:10.1016/j.procs.2014.05.452.
10. Howard JD, Longstaff TA. A Common Language for Computer Security Incidents. Sandia Report SAND98-8667, Oct. 1998. doi:10.2172/751004. http://prod.sandia.gov/techlib/access-control.cgi/1998/988667.pdf
11. Zhu B, Joseph A, Sastry S. A taxonomy of cyber attacks on SCADA systems. In: 2011 International Conference on Internet of Things (iThings/CPSCom) and 4th International Conference on Cyber, Physical and Social Computing. IEEE, Oct. 2011, pp. 380-388. doi:10.1109/iThings/CPSCom.2011.34.
12. Miller WB, Rowe DC, Helps R, Woodside R. A Comprehensive and Open Framework for Classifying Incidents Involving Cyber-Physical Systems. Proceedings of the 2014 IAJC/ISAM Joint International Conference, 2014.
13. Miller WB. Classifying and Cataloging Cyber-Security Incidents Within Cyber-Physical Systems. Brigham Young University, Provo, 2014.
14. Kjaerland, M. A Taxonomy and Comparison of Computer Security Incidents from the Commercial and Government Sectors.
Computer Security, 25(7), (2006), October, 522-538, doi: 10.1016/j.cose.2006.08.004.
15. Blackwell, C. A Security Ontology for Incident Analysis. Proceedings of the Sixth Annual Workshop on Cyber Security and
Information Intelligence Research, 1, (2006), October, doi: 10.1145/1852666.1852717.
16. Hansman, S., & Hunt, R. A Taxonomy of Network and Computer Attacks. Compuer. Security, 24(1), (2005), 31-43, doi:
10.1016/j.cose.2004.06.011
17. Simmons, C., Dasgupta, S. S., & Wu, Q. AVOIDIT: A Cyber Attack Taxonomy. University of Memphis, Technical Report # CS-
09-003, (2009).
18. Miller B, Rowe D. A survey SCADA of and critical infrastructure incidents. InProceedings of the 1st Annual conference on
Research in information technology, ACM, (2012) Oct 11 (pp. 51-56), doi: 10.1145/2380790.2380805.
19. Ogie RI. Cyber Security Incidents on Critical Infrastructure and Industrial Networks. InProceedings of the 9th International
Conference on Computer and Automation Engineering, (2017) Feb 18 (pp. 254-258). doi: 10.1145/3057039.3057076.
20. John Radatz, Editor, IEEE, The IEEE Standard Dictionary of Electrical and Electronics Terms, Sixth Edition, Institute of Electrical
and Electronics Engineers, Inc., New York, NY, 1996, doi: 10.1109/TMTT.1979.1129614.
21. Amoroso E. Fundamentals of computer security technology.Englewood Cliffs, New Jersey: P T R Prentice Hall; 1994.
22. Howard JD. An analysis of security incidents on the internet 1989 -1995. Doctoral Dissertation, Carnegie Mellon University
Pittsburgh,PA, USA; 1998.
23. Tang J, Wang D, Ming L, Li X. A Scalable Architecture for Classifying Network Security Threats. Science and Technology on
Information system Security Laboratory; 2012Howard JD. An Analysis Of Security Incidents On The Internet 1989 – 1995.
Doctoral Dissertation, Carnegie Mellon University Pittsburgh,PA, USA; 1998.
24. Saaty TL. Decision making with the analytic hierarchy process. International journal of services sciences. (2008) Jan 1;1(1):83-
98, doi:10.1504/IJSSCI.2008.017590.
25. Lindqvist U, Jonsson E. How to systematically classify computer security intrusions. IEEE Security and Privacy (1997), doi:
10.1109/SECPRI.1997.601330.
References (Cont.)
ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58
26. Krsul IV. Software vulnerability analysis. PhD thesis, Purdue University; 1998.
27. Bishop M. Vulnerabilities analysis. InProceedings of the Recent Advances in intrusion Detection. (1999) Sep (pp. 125-136).
28. Computer Virus Infects Three London Hospitals, Other, United Kingdom, 2008,
http://www.risidata.com/Database/Detail/computer_virus_infects_three_london_hospitals (date of access:3/7/2018)
29. Computer Virus Strikes Two Scottish Hospitals, Other, United Kingdom, 2009, ,
http://www.risidata.com/Database/Detail/computer_virus_strikes_two_scottish_hospitals (date of access:11/6/2017)
30. Malware Shuts Down Hospital, Other , United States, 2011,
http://www.risidata.com/Database/Detail/malware_shuts_down_hospital (date of access:11/7/2017)
31. Texas Road Sign Hack, Transportation, United States, 2009, http://www.risidata.com/Database/Detail/texas_road_sign_hack
(date of access:11/12/2017)
32. After ‘Godzilla Attack!’ U.S. warns about traffic-sign hackers, Transportation,United States, 2014,
http://www.risidata.com/Database/Detail/after-godzilla-attack-u.s.-warns-about-traffic-sign-hackers (date of access:11/7/2017)
33. Slay J, Miller M. Lessons learned from the maroochy water breach. InInternational Conference on Critical Infrastructure
Protection, Springer, (2007) Mar 19 (pp. 73-82), Boston, MA, doi: 10.1007/978-0-387-75462-8_6.
34. Mustard S. Security of distributed control systems: The concern increases. Computing & Control Engineering Journal, (2005)
Dec;16(6):19-25, doi: 10.1049/cce:20050605.
35. Virus Infection of Operator Training Simulator,Petroleum,Canada,2002, ,http://www.risidata.com/Database/Detail/virus-infection-
of-operator-training-simulator (date of access:11/10/2017)
36. Moore D, Paxson V, Savage S, Shannon C, Staniford S, Weaver N. Inside the slammer worm. IEEE Security & Privacy. (2003
Jul);99(4):33-9, doi: 10.1109/MSECP.2003.1219056.
37. Geer D. Security of critical control systems sparks concern. Computer. (2006) Jan;39(1):20-3, doi: 10.1109/MC.2006.32.
38. L. Vries,Dam Breaks At Missouri Power Plant ,https://www.cbsnews.com/news/dam-breaks-at-missouri-power-plant (date of
access:2/4/2018)
References (Cont.)
ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58
39. Rogers JD, Watkins CM, Chung JW. The 2005 upper Taum Sauk dam failure: A case history. Environmental & Engineering
Geoscience. (2010) Aug 1;16(3):257-89, doi: https://doi.org/10.2113/gseegeosci.16.3.257.
40. Nicholson A, Webber S, Dyer S, Patel T, Janicke H. SCADA security in the light of Cyber-Warfare. Computers & Security. (2012)
Jun 1;31(4):418-36, doi: 10.1016/j.cose.2012.02.009.
41. Steel Plant infection with Ahack Worm,Metals,Brazil,2008,
,Brazil,http://www.risidata.com/Database/Detail/steel_plant_infection_with_ahack_worm (date of access:4/4/2018)
42. Daniela T. Communication security in SCADA pipeline monitoring systems. IEEE, InRoedunet International Conference
(RoEduNet), (2011) 10th (2011) Jun 23 (pp. 1-5), doi: 10.1109/RoEduNet.2011.5993706.
43. Virvilis, Nikos, Dimitris Gritzalis, and Theodoros Apostolopoulos. "Trusted Computing vs. Advanced Persistent Threats: Can a
defender win this game?." Ubiquitous intelligence and computing, 2013 IEEE 10th international conference on and 10th
international conference on autonomic and trusted computing (uic/atc), (2013), doi: 10.1109/UIC-ATC.2013.80.
44. Advisory (ICSA-11-041-01A), McAfee Night Dragon Report (Update A), 2011, https://ics-cert.us-cert.gov/advisories/ICSA-11-
041-01A (date of access:8/4/2017).
45. Protecting Critical Systems While Promoting Operational Efficiency, Towards the digital oilfield, 2012,
http://www.symantec.com/content/en/uk/enterprise/fact_sheets/b-Oil_and_Gas_Report_lr.pdf (date of access:8/4/2017).
46. W32.Duqu: The Precursor to the Next Stuxnet, 2012,
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_ne
xt_stuxnet.pdf (date of access:8/4/2017).
47. Duqu F.A.Q., R. Naraine, 2011, https://securelist.com/duqu-faq-33/32463/ (date of access:8/4/2017).
48. From Shamoon to Stronedrill, Version 1.05, 2017, https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf
(date of access:8/4/2017).
49. The Shamoon Attacks, Symantec Security Resoponse, 2012, https://www.symantec.com/connect/blogs/shamoon-attacks (date
of access:9/4/2017).
References (Cont.)
ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58
50. The Flame: Questions and Answers, Alexander Gostev, https://securelist.com/the-flame-questions-and-answers-51/34344/ (date
of access:7/11/2017).
51. Destructive Malware – Five Wipers in the Spotlight, Costin Raiu, https://securelist.com/destructive-malware-five-wipers-in-the-
spotlight/58194/ (date of access:6/1/2017).
52. Kaspersky Lab Publishes New Research about Wiper, the Destructive Malware Targeting Computer Systems in April 2012,
https://usa.kaspersky.com/about/press-releases/2012_kaspersky-lab-publishes-new-research-about-wiper-the-destructive-
malware-targeting-computer-systems-in-april-2012 (date of access:8/4/2017).
53. What was that Wiper Thing? GReAT, https://securelist.com/what-was-that-wiper-thing-48/34088/(date of access:8/4/2015).
54. Dragonfly: Western Energy Companies Under Sabotage Threat, Symantec Security Response,
https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat (date of
access:8/4/2017).
55. Alert (ICS-ALERT-14-176-02A) ICS Focused Malware (Update A), https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A(date
of access:6/4/2015).
56. Energetic Bear – Crouching Yeti, Kaspersky Lab Global Research and Analysis Team, https://securelist.com/files/2014/07/EB-
YetiJuly2014-Public.pdf (date of access:6/4/2017).
57. Motives Behind Havex ICS Malware Campaign Remain a Mystery, Michael Mimoso, https://threatpost.com/motives-behind-
havex-ics-malware-campaign-remain-a-mystery/107046/#comment-234144 (date of access:8/14/2017).
58. Stuxnet-like 'Havex' Malware Strikes European SCADA Systems., S. Khandelwal, https://thehackernews.com/2014/06/stuxnet-
like-havex-malware-strikes.html (date of access:7/11/2017).
59. German Steel Mill Cyber Attack, R.M. Lee, M.J. Assante, T. Conway, https://ics.sans.org/media/ICS-CPPE-case-Study-2-
German-Steelworks_Facility.pdf (date of access:8/20/2017).
60. Cyberattack on German Steel Plant Caused Significant Damage: Report, E. Kovacs, http://www.securityweek.com/cyberattack-
german-steel-plant-causes-significant-damage-report (date of access:8/20/2017).
References (Cont.)
ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58
61. A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever, K. Zetter,
https://www.wired.com/2015/01/german-steel-mill-hack-destruction/ (date of access: 8/20/2017).
62. Alert (TA17-163A),CrashOverride Malware, https://www.us-cert.gov/ncas/alerts/TA17-163A (date of access:1/5/2018).
63. A. Cherepanov, Industroyer: biggest threat to industrial control systems since Stuxnet,
https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/ (date of
access:11/4/2017).
64. ClearEnergy Ransomware Targets Critical Infrastructure, SCADA and Industrial Control Systems, by Boyan Angelov,
http://virusguides.com/clearenergy-ransomware-targets-critical-infrastructure-scada-industrial-control-systems/ (date of
access:8/14/2017).
65. ClearEnergy Ransomware aim to Destroy Process Automation Logics in Critical Infrastructure, SCADA and Industrial Control
Systems, by Pierluigi Paganini, http://securityaffairs.co/wordpress/57731/malware/clearenergy-ransomware-scada.html (date of
access:8/14/2017).
66. PLCs From Several Vendors Vulnerable to Replay Attacks, by Edward Kovacs, http://www.securityweek.com/plcs-several-
vendors-vulnerable-replay-attacks (date of access:8/14/2017).
67. B. Johnson, D. Caban, M. Krotofil, D.Scali, Nathan Brubaker, Christopher Glyer, Attackers Deploy New ICS Attack Framework
“TRITON” and Cause Operational Disruption to Critical Infrastructure, https://www.fireeye.com/blog/threat-
research/2017/12/attackers-deploy-new-ics-attack-framework-
triton.html?utm_content=bufferbca54&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer (date of
access:1/11/2018).
68. E. Kovacs, Iran Used "Triton" Malware to Target Saudi Arabia: Researchers, https://www.securityweek.com/iran-used-triton-
malware-target-saudi-arabia-researchers (date of access:11/4/2017).
69. Han C, Dongre R. Q&A. What Motivates Cyber-Attackers?. Technology Innovation Management Review.;4(10).
https://timreview.ca/article/838 (date of access:4/4/2018)
References (Cont.)
ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58
70. Thomas RK, Cardenas AA, Bobba RB. First Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC): Challenges
and Research Directions, InProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
(2015) Oct 12 (pp. 1705-1706), doi: 10.1145/2810103.2812621.
71. Cyber Attack on Texas Electricity Provider,Power and Utilities,United States,2010,
,http://www.risidata.com/Database/Detail/cyber_attack_on_texas_electricity_provider (date of access:11/2/2017)
72. Public utility compromised after brute-force hack attack,Power and Utilities,United States,2014,
http://www.risidata.com/Database/Detail/public-utility-compromised-after-brute-force-hack-attack-says-homeland-secu (date of
access:11/8/2017)
73. Whitehat Takeover of DCS Consoles,Petroleum,Canada,2002, ,http://www.risidata.com/Database/Detail/whitehat-takeover-of-
dcs-consoles (date of access:11/17/2017)
74. Kovacs E. Former Sysadmin Sentenced to Prison for Hacking Industrial Facility ,https://www.securityweek.com/former-sysadmin-
sentenced-prison-hacking-industrial-facility(date of access:4/5/2017)
References (Cont.)

More Related Content

What's hot

Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
A MODEL BASED APPROACH FOR IMPLEMENTING WLAN SECURITY
A MODEL BASED APPROACH FOR IMPLEMENTING WLAN SECURITY A MODEL BASED APPROACH FOR IMPLEMENTING WLAN SECURITY
A MODEL BASED APPROACH FOR IMPLEMENTING WLAN SECURITY AM Publications
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1Eelco Visser
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering frameworkIAEME Publication
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering frameworkiaemedu
 
Cav Taguchi autosec china slides
Cav Taguchi autosec china slidesCav Taguchi autosec china slides
Cav Taguchi autosec china slidesKenji Taguchi
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
Functional Safety and Security process alignment
Functional Safety and Security process alignmentFunctional Safety and Security process alignment
Functional Safety and Security process alignmentAlan Tatourian
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
WESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV TaguchiWESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV TaguchiKenji Taguchi
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systemsAlan Tatourian
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmtmadunix
 
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600Kenji Taguchi
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
Novel Advances in Measuring and Preventing Software Security Weakness: Contin...
Novel Advances in Measuring and Preventing Software Security Weakness: Contin...Novel Advances in Measuring and Preventing Software Security Weakness: Contin...
Novel Advances in Measuring and Preventing Software Security Weakness: Contin...theijes
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 

What's hot (19)

Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
A MODEL BASED APPROACH FOR IMPLEMENTING WLAN SECURITY
A MODEL BASED APPROACH FOR IMPLEMENTING WLAN SECURITY A MODEL BASED APPROACH FOR IMPLEMENTING WLAN SECURITY
A MODEL BASED APPROACH FOR IMPLEMENTING WLAN SECURITY
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering framework
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering framework
 
Cav Taguchi autosec china slides
Cav Taguchi autosec china slidesCav Taguchi autosec china slides
Cav Taguchi autosec china slides
 
Cyber Security Threat Modeling
Cyber Security Threat ModelingCyber Security Threat Modeling
Cyber Security Threat Modeling
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
 
Functional Safety and Security process alignment
Functional Safety and Security process alignmentFunctional Safety and Security process alignment
Functional Safety and Security process alignment
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
WESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV TaguchiWESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV Taguchi
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systems
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
 
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
2020 safecomp-sep18
2020 safecomp-sep182020 safecomp-sep18
2020 safecomp-sep18
 
Novel Advances in Measuring and Preventing Software Security Weakness: Contin...
Novel Advances in Measuring and Preventing Software Security Weakness: Contin...Novel Advances in Measuring and Preventing Software Security Weakness: Contin...
Novel Advances in Measuring and Preventing Software Security Weakness: Contin...
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 

Similar to ICS Security Incidents Taxonomic Framework and Analysis

Medical IoT<E security issues: Risks and Challenges
Medical IoT<E security issues: Risks and ChallengesMedical IoT<E security issues: Risks and Challenges
Medical IoT<E security issues: Risks and ChallengesAmgad Magdy
 
The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationNUS-ISS
 
Img s sumary-paper_for_march19_meeting
Img s sumary-paper_for_march19_meetingImg s sumary-paper_for_march19_meeting
Img s sumary-paper_for_march19_meetingMarco Manso
 
Reports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityReports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityA. V. Rajabahadur
 
Risk Management of Secure Cloud in Higher Educational Institution
Risk Management of Secure Cloud in Higher Educational InstitutionRisk Management of Secure Cloud in Higher Educational Institution
Risk Management of Secure Cloud in Higher Educational Institutionijtsrd
 
Security in The Chemical Industry
Security in The Chemical Industry	Security in The Chemical Industry
Security in The Chemical Industry journal ijrtem
 
Security in The Chemical Industry
Security in The Chemical IndustrySecurity in The Chemical Industry
Security in The Chemical Industryjournal ijrtem
 
Security in The Chemical Industry
Security in The Chemical IndustrySecurity in The Chemical Industry
Security in The Chemical IndustryIJRTEMJOURNAL
 
Information Sharing of Cyber Threat Intelligence with their Issue and Challenges
Information Sharing of Cyber Threat Intelligence with their Issue and ChallengesInformation Sharing of Cyber Threat Intelligence with their Issue and Challenges
Information Sharing of Cyber Threat Intelligence with their Issue and Challengesijtsrd
 
InTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdfInTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdfglan Glandeva
 
Efficient Safety Culture as Sustainable Development in Construction Industry
Efficient Safety Culture as Sustainable Development in Construction IndustryEfficient Safety Culture as Sustainable Development in Construction Industry
Efficient Safety Culture as Sustainable Development in Construction IndustryIJERA Editor
 
New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)Seungjoo Kim
 
Mitigating cybersecurity risks in Generative Artificial Intelligence
Mitigating cybersecurity risks in Generative Artificial IntelligenceMitigating cybersecurity risks in Generative Artificial Intelligence
Mitigating cybersecurity risks in Generative Artificial Intelligencefranciscanshivendrap
 

Similar to ICS Security Incidents Taxonomic Framework and Analysis (20)

Medical IoT<E security issues: Risks and Challenges
Medical IoT<E security issues: Risks and ChallengesMedical IoT<E security issues: Risks and Challenges
Medical IoT<E security issues: Risks and Challenges
 
The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
 
Ijisa
IjisaIjisa
Ijisa
 
Ijisa
IjisaIjisa
Ijisa
 
Ijisa
IjisaIjisa
Ijisa
 
Ijisa
IjisaIjisa
Ijisa
 
Img s sumary-paper_for_march19_meeting
Img s sumary-paper_for_march19_meetingImg s sumary-paper_for_march19_meeting
Img s sumary-paper_for_march19_meeting
 
Reports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityReports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber Security
 
Risk Management of Secure Cloud in Higher Educational Institution
Risk Management of Secure Cloud in Higher Educational InstitutionRisk Management of Secure Cloud in Higher Educational Institution
Risk Management of Secure Cloud in Higher Educational Institution
 
Ijciet 10 02_001
Ijciet 10 02_001Ijciet 10 02_001
Ijciet 10 02_001
 
Ijisa
IjisaIjisa
Ijisa
 
Ijisa
IjisaIjisa
Ijisa
 
Security in The Chemical Industry
Security in The Chemical Industry	Security in The Chemical Industry
Security in The Chemical Industry
 
Security in The Chemical Industry
Security in The Chemical IndustrySecurity in The Chemical Industry
Security in The Chemical Industry
 
Security in The Chemical Industry
Security in The Chemical IndustrySecurity in The Chemical Industry
Security in The Chemical Industry
 
Information Sharing of Cyber Threat Intelligence with their Issue and Challenges
Information Sharing of Cyber Threat Intelligence with their Issue and ChallengesInformation Sharing of Cyber Threat Intelligence with their Issue and Challenges
Information Sharing of Cyber Threat Intelligence with their Issue and Challenges
 
InTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdfInTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdf
 
Efficient Safety Culture as Sustainable Development in Construction Industry
Efficient Safety Culture as Sustainable Development in Construction IndustryEfficient Safety Culture as Sustainable Development in Construction Industry
Efficient Safety Culture as Sustainable Development in Construction Industry
 
New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)
 
Mitigating cybersecurity risks in Generative Artificial Intelligence
Mitigating cybersecurity risks in Generative Artificial IntelligenceMitigating cybersecurity risks in Generative Artificial Intelligence
Mitigating cybersecurity risks in Generative Artificial Intelligence
 

More from M Mehdi Ahmadian

امنیت سیستم ها و شبکه های کنترل صنعتی: امن سازی امنیت سیستم ها و شبکه های کن...
امنیت سیستم ها و شبکه های کنترل صنعتی:  امن سازی امنیت سیستم ها و شبکه های کن...امنیت سیستم ها و شبکه های کنترل صنعتی:  امن سازی امنیت سیستم ها و شبکه های کن...
امنیت سیستم ها و شبکه های کنترل صنعتی: امن سازی امنیت سیستم ها و شبکه های کن...M Mehdi Ahmadian
 
امنیت سایبری سیستم‌ های کنترل صنعتی
  امنیت سایبری سیستم‌ های کنترل صنعتی   امنیت سایبری سیستم‌ های کنترل صنعتی
امنیت سایبری سیستم‌ های کنترل صنعتی M Mehdi Ahmadian
 
امنیت سیستم های کنترل صنعتی : بررسی اجمالی مستند «آفتاب نهان» از زاویه نشت اط...
امنیت سیستم های کنترل صنعتی : بررسی اجمالی مستند «آفتاب نهان» از زاویه نشت اط...امنیت سیستم های کنترل صنعتی : بررسی اجمالی مستند «آفتاب نهان» از زاویه نشت اط...
امنیت سیستم های کنترل صنعتی : بررسی اجمالی مستند «آفتاب نهان» از زاویه نشت اط...M Mehdi Ahmadian
 
امنیت در سیستم های کنترل صنعتیCyber–Physical Systems Security Challenges(Cas...
 امنیت در سیستم های کنترل صنعتیCyber–Physical Systems Security Challenges(Cas... امنیت در سیستم های کنترل صنعتیCyber–Physical Systems Security Challenges(Cas...
امنیت در سیستم های کنترل صنعتیCyber–Physical Systems Security Challenges(Cas...M Mehdi Ahmadian
 
چارچوب تشخیص باجگیرها 2entFOX: A framework for high survivable ransomwares de...
چارچوب تشخیص باجگیرها 2entFOX: A framework for high survivable ransomwares de...چارچوب تشخیص باجگیرها 2entFOX: A framework for high survivable ransomwares de...
چارچوب تشخیص باجگیرها 2entFOX: A framework for high survivable ransomwares de...M Mehdi Ahmadian
 
صحت جریان کنترل در امنیت اطلاعاتControl Flow Integrity
صحت جریان کنترل در امنیت اطلاعاتControl Flow Integrityصحت جریان کنترل در امنیت اطلاعاتControl Flow Integrity
صحت جریان کنترل در امنیت اطلاعاتControl Flow IntegrityM Mehdi Ahmadian
 
امنیت سیستم های کنترل صنعتی
امنیت سیستم های کنترل صنعتیامنیت سیستم های کنترل صنعتی
امنیت سیستم های کنترل صنعتیM Mehdi Ahmadian
 
Cryptovirology Introduction, SecurityThreats, Safeguards and Countermeasures
Cryptovirology Introduction, SecurityThreats, Safeguards and CountermeasuresCryptovirology Introduction, SecurityThreats, Safeguards and Countermeasures
Cryptovirology Introduction, SecurityThreats, Safeguards and CountermeasuresM Mehdi Ahmadian
 
Malware futureology ahmadian
Malware futureology ahmadianMalware futureology ahmadian
Malware futureology ahmadianM Mehdi Ahmadian
 
حفظ حریم خصوصی در خدمات مکان-مبنا
حفظ حریم خصوصی در خدمات مکان-مبناحفظ حریم خصوصی در خدمات مکان-مبنا
حفظ حریم خصوصی در خدمات مکان-مبناM Mehdi Ahmadian
 
بررسی امنیتی بیت کوین Is Bitcoin a secure online digital currency?!
بررسی امنیتی بیت کوین Is Bitcoin a secure online digital currency?!بررسی امنیتی بیت کوین Is Bitcoin a secure online digital currency?!
بررسی امنیتی بیت کوین Is Bitcoin a secure online digital currency?!M Mehdi Ahmadian
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
 هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...M Mehdi Ahmadian
 
قلاب سازی در تحلیل بدافزارهاHooking in Malware Analysis
 قلاب سازی در تحلیل بدافزارهاHooking  in Malware Analysis قلاب سازی در تحلیل بدافزارهاHooking  in Malware Analysis
قلاب سازی در تحلیل بدافزارهاHooking in Malware AnalysisM Mehdi Ahmadian
 

ICS Security Incidents Taxonomic Framework and Analysis

• 1. ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey | M. M. Ahmadian ©2020 IJCIP Elsevier /58
  Industrial Control System Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey
  Department of Computer Engineering and Information Technology, Amirkabir University of Technology, Tehran, Iran
  Presenter: M. Mehdi Ahmadian
• 2. First Author Introduction
  Mohammad Mehdi Ahmadian (mm.Ahmadian@aut.ac.ir, www.mmAhmadian.ir, @mmAhmadian)
  • Ph.D. candidate of information security in the Department of Computer Engineering and Information Technology at Amirkabir University of Technology, Tehran, Iran
  • ICS Cyber security Researcher and Consultant at the Center of Security Technology Development in Iran Power Industry (Niroo Research Institute)
  • Senior ICS Cyber Security Engineer & Instructor at MAPNA Group
• 3. Declaration
  Industrial Control System Security Taxonomic Framework with Application to a Comprehensive Incidents Survey
  International Journal of Critical Infrastructure Protection
  M. Mehdi Ahmadian, Dr. Mehdi Shajari, Ali Shafiee
  https://doi.org/10.1016/j.ijcip.2020.100356
  Received date: 12 August 2018; Revised date: 20 October 2019; Accepted date: 26 February 2020
  Please cite this article as: Mohammad Mehdi Ahmadian, Mehdi Shajari, Mohammad Ali Shafiee, Industrial Control System Security Taxonomic Framework with Application to a Comprehensive Incidents Survey, International Journal of Critical Infrastructure Protection (2020), doi: https://doi.org/10.1016/j.ijcip.2020.100356 © 2020
  [This presentation is based on the preprint version]
  Amirkabir University of Technology, Information Security & E-Commerce lab. (ISEC)
• 4. Audience
  • ICS Cyber Security Researchers, Lecturers, Students
  • ICS Cyber Security Engineers and Managers
  • Cyber Security Researchers who are interested in attack modeling, security incidents' taxonomies and threat intelligence
  • etc.
• 5. Agenda
  Industrial Control System Security Taxonomic Framework with Application to a Comprehensive Incidents Survey, International Journal of Critical Infrastructure Protection, M. Mehdi Ahmadian, Mehdi Shajari, Ali Shafiee, https://doi.org/10.1016/j.ijcip.2020.100356
  1. Abstract
  2. Introduction
  3. Literature Review
  4. Review of Definitions
  5. Comparison of Taxonomies
  6. Taxonomy Framework
  7. ICS Events Analysis Example
  8. Analysis of Incidents
  9. Conclusion
• 6. Abstract
  • We have proposed a Hierarchical Taxonomic Framework (HTF) with 16 required characteristics for classifying attacks and security incidents in ICSs.
  • This framework has proper characteristics such as completeness, unambiguity, repeatability, usefulness, appropriateness, and applicability.
  • We provided semi-formal and standardized definitions of threats, events, incidents, non-incidents, non-security incidents, non-attack security incidents, and attacks.
  • This proposed taxonomy with various parameters and sub-parameters prepares an expandable hierarchical framework for any organization's requirements.
  • In this paper, we present minimal parameters and sub-parameters for classification. Parameters and sub-parameters of the HTF can be changed, expanded, and revised for other applications that need more customization.
  • We also classified and analyzed 268 security incidents on ICSs. Based on the HTF, we proposed a statistical analytical study to show the useful patterns and key points for threat intelligence in ICSs and critical infrastructures. These patterns and key points lead us to improve ICS and critical infrastructure security by being aware of cyber-attack trends.
• 7. Agenda (repeated)
• 8. Introduction: Infrastructures
  • Legacy Industrial Infrastructures (OT, legacy)
  • Modern Information & Communication Infrastructure (TCP/IP)
• 9. Introduction: Infrastructure Convergence (figure)
• 10. Introduction: Some Attacks & Incidents in ICS
  Siberian Pipeline Explosion (1982), Maroochy Water & Sewage Attack (2000), California System Operator Hacking (2001), American Northeast Blackout (2003), Davis Besse Power Plant Infection (2003), Browns Ferry Power Plant Shutdown (2006), Brazil Steel Plant Ahack Worm (2008), Hatch Power Plant Shutdown (2008), Stuxnet Malware (2010), DUQU Malware (2012), Flame Malware (2012), Wiper Malware (2012), Shamoon Malware (2012), Black Energy Malware (2013), Germany steel factory attack (2014), Ukraine Power Grid Attack (2015), Industroyer Malware (2016), Triton Malware (2017), Petya Malware (2017), ClearEnergy Malware (2017), VPNFilter Malware (2018), Grey Energy Malware (2018), Venezuela Blackout (2019), Kudankulam Power Plant Attack (2019), European Power Grid Hacking (2020)
• 11. Introduction: The importance of the issue
  • The importance of classification of cyber security threats/incidents/attacks
  • An important issue in threat intelligence is to have a comprehensive taxonomic framework with the required characteristics.
• 12. Agenda (repeated)
• 13. Literature Review: Related Work
  Shirey's Threat Classification; STRIDE Threat Model; ISO 7498-2 reference model; Multi-Dimensions Threats Taxonomy; Howard & Longstaff Taxonomy; Open & Comprehensive Framework for CPS Incidents; Taxonomy of Attacks on SCADA Systems; ISA/IEC-62443; Information Security Threats Pyramid; Basic C3 Model; Three Orthogonal Dimensional
• 14. Literature Review: ISA/IEC-62443 Attacks Taxonomy
  • Attacks are classified into:
    1. "Active attack" attempts to alter systems' resources or affect their operation.
    2. "Passive attack" attempts to learn or make use of information from the system but does not affect systems' resources.
    3. "Inside attack" is an attack initiated by an entity inside the security perimeter.
    4. "Outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system.
• 15. Literature Review: Three Orthogonal Dimensional Classification Model
  • Ruf et al. [3]
• 16. Literature Review: The STRIDE Threat Model [7]
• 17. Literature Review: The Multi-Dimensions Threats Taxonomy
  • Jouini et al. [9]
• 18. Literature Review: Open & Comprehensive Framework for CPS Incidents
  • Miller et al. [12, 13]
• 19. Literature Review: Open & Comprehensive Framework for CPS Incidents
  • Howard and Longstaff [10]
  • For other related works, refer to the paper.
• 20. Agenda (repeated)
• 21. Review of Definitions: Security Threat
  o Generally, a security threat is anything that has the potential to cause damage to system assets.
     "A threat is a potential cause of an unwanted incident, which may result in harm to a system or organization." [ISO/IEC 13335-1 (2004) and ISO/IEC 27000 (2016)]
     "Potentially damaging action (intended or unintended) or capability (internal or external) to adversely impact through a vulnerability is called a threat." [ISA/IEC-62443]
     "A threat is a potential violation of security." [Bishop 2005]
  o Problem:
    • There is an overlap between "threat" and "attack".
    • Most of the resources in related work addressed threats and attacks regardless of the exact definition of these two categories and their differences.
    • Various information security literature has different definitions of security threat.
• 22. Review of Definitions: Security Threat vs. Attack
  o Security threat and attack in the HTF:
    • "A threat is a potential violation of security." [Bishop 2005]
       The violation need not actually occur for it to be a threat.
       The fact that the violation might occur means that the actions that could cause it to occur must be guarded against (or prepared for); these actions are called attacks.
• 23. Review of Definitions: Taxonomy vs. Classification
  o Taxonomy: "a classification scheme that partitions a body of knowledge and defines the relationship of the pieces".
  o Classification: "the process of using a taxonomy for separating and ordering".
• 24. Review of Definitions: Security Incidents Taxonomies Characteristics
  1. Accepted: A taxonomy should be logical and intuitive to become generally approved.
  2. Apprehensible: A taxonomy is apprehensible if everyone could understand it, even non-experts in the field of security.
  3. Complete / Comprehensive: A taxonomy should encompass all possible security incidents on the target system.
  4. Deterministic: The process of security incident classification must be clearly defined.
• 25. Review of Definitions: Security Incidents Taxonomies Characteristics (cont.)
  5. Unambiguous: Every category should be accompanied by clear and precise classification criteria to make the classification independent of the person who performs it.
  6. Mutually Exclusive: Classifying in one category excludes all others because categories do not overlap.
  7. Repeatable: Repeated applications result in the same classification, regardless of who is classifying.
  8. Useful/Appropriate: A useful taxonomy should appropriately characterize the security incidents in the target system; that is, any constraints on the taxonomy or the system should be specified and considered before application. With this property, classification can be used in security projects to gain insight into the field of inquiry.
• 26. Review of Definitions: Security Incidents Taxonomies Characteristics (cont.)
  9. Conformity of Terminology: To avoid confusion in the taxonomy, the terminology of the taxonomy should comply with the terminology of the established security standards.
  10. Well-Defined Terminology: The terminology of the taxonomy should be completely defined. This characteristic shows how accurate the definitions are and how well their differences are compared and contrasted, e.g., the definitions of threat, event, security incident, non-attack security incident, and attack.
  11. Adaptable/Flexible: A taxonomy should be flexible and adapt to new parameters, sub-parameters, and values to accommodate the requirements of each environment and future changes.
• 27. Review of Definitions: Security Incidents Taxonomies Characteristics (cont.)
  12. Formalism: This property shows how formal a taxonomy is (○: informal, ◐: semi-formal, ●: formal).
     Formal means the taxonomy is based on a method which has a mathematical foundation, such as process algebras.
     Semi-formal means the taxonomy is not based on a mathematical foundation, but it is based on precise definitions and relationships.
     Informal means the taxonomy is based on neither a mathematical foundation nor any precise definitions and relationships.
  13. Sufficient Criteria: The number of suitable criteria for having different classifications of security incidents, which gives the user a brief but complete overview of the incident information.
• 28. Review of Definitions: Events and their subclass definitions
  To satisfy the requirements of a taxonomy for cyber security incidents, we present the definitions of "event", "incident", "non-incident", "security incident", "non-attack security incident", and "attack" as the security terms of the HTF.
• 29. Review of Definitions: Event
  • An event "is a discrete change of state or status of a system or device".
     The parameters of an event include the event's "Source", "Action", "Target", and "Impact".
• 30. Review of Definitions: Incident
  • An incident is an event or a group of events that negatively affects the system in a way that impacts the performance, business, reputation, etc.
     e.g., an attacker deliberately, or an employee unintentionally, disrupts the main services of a system.
• 31. Review of Definitions: Non-Incident
  • Any event that cannot be included in the set of incidents.
  • Any change during normal operation of a system that moves the system from one secure state to another secure state.
  • No violation of policy happens during this change.
     e.g., a router ACL is updated or a firewall policy is pushed.
• 32. Review of Definitions: Security incident
  • The act of violating an explicit or implied security policy.
  • It is an event that happened intentionally or unintentionally and maliciously or non-maliciously by at least one agent.
  • Its impacts can violate at least one of the CIA principles.
  • This incident can originate from one or more vulnerabilities.
• 33. Review of Definitions: Security incident example
  • A SCADA system suddenly shuts down after an engineer applies infected software in a plant's process network.
  • What is known as an "incident" in the field of information security is always a "security incident".
• 34. Review of Definitions: Non-security incident
  • Any incident that is not a security incident.
  • These incidents are not related to any security issues.
     e.g., natural incidents, equipment failure, destruction of a building wall in a factory, explosion in a warehouse due to negligence, etc.
• 35. Review of Definitions: Non-attack security incident
  • These security incidents happen non-maliciously and unintentionally.
  • The agent can be an unaware employee or a careless contractor.
     e.g., an unaware contractor reboots the engineering workstation system after the synchronization program is updated. The ICS network interprets this benign mistake as a sudden drop in the reactor's water reservoirs and initiates an automatic shutdown.
  NonAttackSecurityIncidents ⊂ SecurityIncidents ⊂ Incidents ⊂ Events
• 36. Review of Definitions: Attack
  • An attack happens with malicious intention and specific objectives using operational techniques.
  • Each attack is a security incident, and each security incident is an event, but the reverse is not true.
  Attacks ⊂ SecurityIncidents ⊂ Incidents ⊂ Events
• 37. Review of Definitions: Header of the HTF
  The proposed definitions infrastructure (the header of the HTF) (figure)
   Source, Action, Target, Impact, Violation against CIA, Vulnerability, Agent, Attacker, Operational Technique, and Objectives are explained in the paper (link).
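The definitions on slides 29 to 36 form a decision procedure: an event is tested for negative effect (incident), then for policy and CIA violation (security incident), then for the agent's intent and malice (attack versus non-attack security incident). The following Python is an added example that encodes that procedure and the two subset chains; it is not code from the paper or the presentation. The `Event` field names, the `EventClass` labels and the sample events are assumptions made for this example, each modelled on an example the slides give, plus one constructed edge case (a deliberate but non-malicious policy breach) that the slides' two subclasses do not cover and that the classifier therefore leaves at the security-incident level rather than forcing into a subclass.

```python
"""HTF event classifier (added example; not code from the paper or presentation).

Encodes the subset chains shown on slides 35 and 36,
    Attacks ⊂ SecurityIncidents ⊂ Incidents ⊂ Events
    NonAttackSecurityIncidents ⊂ SecurityIncidents
as a top-down decision procedure. Field names on Event and the sample events
are assumptions made for this example, not part of the HTF.
"""
from dataclasses import dataclass
from enum import Enum


class EventClass(str, Enum):
    NON_INCIDENT = "non-incident"
    NON_SECURITY_INCIDENT = "non-security incident"
    NON_ATTACK_SECURITY_INCIDENT = "non-attack security incident"
    ATTACK = "attack"
    # The slides define only two subclasses of security incident. An event that
    # fits neither (e.g. deliberate but non-malicious) stays at the parent level
    # instead of being forced into a subclass it does not satisfy.
    OTHER_SECURITY_INCIDENT = "security incident (no HTF subclass on the slides)"


@dataclass(frozen=True)
class Event:
    # The four event parameters named on slide 29.
    source: str
    action: str
    target: str
    impact: str
    # Slide 30: does the event negatively affect performance, business, reputation, ...?
    negative_effect: bool = False
    # Slide 32: is an explicit or implied security policy violated, and which
    # CIA principles are affected?
    policy_violation: bool = False
    cia_violated: frozenset = frozenset()
    # Slides 32, 35, 36: the agent's intent and malice.
    intentional: bool = False
    malicious: bool = False


def classify(ev: Event) -> EventClass:
    """Walk the hierarchy from Events down; each test refines the previous class."""
    if not ev.negative_effect:                              # slide 31: non-incident
        return EventClass.NON_INCIDENT
    if not (ev.policy_violation and ev.cia_violated):       # slide 34
        return EventClass.NON_SECURITY_INCIDENT
    if ev.malicious and ev.intentional:                     # slide 36: attack
        return EventClass.ATTACK
    if not ev.malicious and not ev.intentional:             # slide 35
        return EventClass.NON_ATTACK_SECURITY_INCIDENT
    return EventClass.OTHER_SECURITY_INCIDENT


def membership(ev: Event) -> tuple:
    """Sets of the subset chain that contain the event, outermost first."""
    cls = classify(ev)
    chain = ["Events"]
    if cls is not EventClass.NON_INCIDENT:
        chain.append("Incidents")
    if cls not in (EventClass.NON_INCIDENT, EventClass.NON_SECURITY_INCIDENT):
        chain.append("SecurityIncidents")
    if cls is EventClass.ATTACK:
        chain.append("Attacks")
    elif cls is EventClass.NON_ATTACK_SECURITY_INCIDENT:
        chain.append("NonAttackSecurityIncidents")
    return tuple(chain)


# Constructed sample events, each modelled on an example given on the slides.
SAMPLE_EVENTS = {
    # Slide 31: a firewall policy push moves the system between secure states.
    "firewall_policy_push": Event("administrator", "push firewall policy",
                                  "perimeter firewall", "none"),
    # Slide 34: equipment failure with no security issue involved.
    "pump_bearing_failure": Event("feed pump", "mechanical failure", "cooling loop",
                                  "loss of flow", negative_effect=True),
    # Slide 35: a contractor reboots the EWS and triggers an automatic shutdown.
    "contractor_reboot": Event("contractor", "reboot", "engineering workstation",
                               "automatic shutdown", negative_effect=True,
                               policy_violation=True,
                               cia_violated=frozenset({"availability"})),
    # Slide 30: an attacker deliberately disrupts the main services of a system.
    "attacker_disrupts_service": Event("attacker", "deploy malware", "SCADA server",
                                       "service outage", negative_effect=True,
                                       policy_violation=True,
                                       cia_violated=frozenset({"availability", "integrity"}),
                                       intentional=True, malicious=True),
    # Constructed edge case: a deliberate policy breach without malicious intent.
    "operator_shares_password": Event("operator", "share account password", "HMI",
                                      "weakened access control", negative_effect=True,
                                      policy_violation=True,
                                      cia_violated=frozenset({"confidentiality"}),
                                      intentional=True),
}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        chain = " ⊂ ".join(reversed(membership(ev)))
        print(f"{name:28s} {classify(ev).value:48s} {chain}")
```

Running the block prints each sample event with its class and the chain of sets containing it, e.g. the slide 30 attacker case yields `Attacks ⊂ SecurityIncidents ⊂ Incidents ⊂ Events`. The ordering of the tests matters: because the security-incident test is evaluated only after the incident test, the procedure can never place an event in a set without also placing it in every superset, which is exactly the "reverse is not true" property stated on slide 36.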
  • 38. ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58 Agenda 1. Abstract 2. Introduction 3. Literature Review 4. Review of Definitions 5. Comparison of Taxonomies 6.Taxonomy Framework 7. ICS Events Analysis Example 8. Analysis of Incidents 9. Conclusion Industrial Control System Security Taxonomic Framework with Application to a Comprehensive Incidents Survey International Journal of Critical Infrastructure Protection M. Mehdi Ahmadian, Mehdi Shajari, Ali Shafiee https://doi.org/10.1016/j.ijcip.2020.100356 38
  • 39. ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58 Comparison of Taxonomies Table 1 39 • The comparison of these taxonomies has been performed by the Analytical Hierarchical Process (AHP)  Interested audiences are referred to the paper (link) for additional details about this comparison.
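Slide 39 names the Analytic Hierarchy Process as the method used to compare taxonomies against the characteristics of slides 24 to 27, but the pairwise judgements and Table 1 are only in the paper. The Python below is an added example of the AHP computation itself, not the paper's code or its Table 1 values: criteria weights are the principal eigenvector of a reciprocal pairwise comparison matrix, the matrix is checked with Saaty's consistency ratio before it is trusted, and alternatives are ranked by weighted score. The three criteria, the matrix entries, the three hypothetical taxonomies and their scores are all constructed for this example; the formalism scores use the slide's ○/◐/● scale as 0, 0.5 and 1.

```python
"""AHP ranking of candidate taxonomies (added example; not the paper's Table 1).

Criteria weights come from a pairwise comparison matrix (principal eigenvector
by power iteration), the matrix is checked for consistency (CR < 0.1), and each
alternative's weighted score is ranked. All criteria, judgements and scores
below are constructed for this example and are not the paper's values.
"""

# Saaty's random consistency index for n = 1..9 (standard AHP constants).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def priority_vector(matrix, iterations=200):
    """Normalised principal eigenvector and lambda_max of a reciprocal matrix.
    Raises ValueError if the matrix is not reciprocal (a_ji != 1 / a_ij)."""
    n = len(matrix)
    for i in range(n):
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"entry ({i},{j}) is not the reciprocal of ({j},{i})")
    w = [1.0 / n] * n
    for _ in range(iterations):                      # power iteration
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lambda_max


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); defined as 0 for n < 3."""
    n = len(matrix)
    if n < 3:
        return 0.0
    _, lambda_max = priority_vector(matrix)
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


def rank_alternatives(matrix, scores):
    """Weighted sum of each alternative's per-criterion scores, best first.
    Refuses to rank when the judgements are too inconsistent (CR >= 0.1)."""
    cr = consistency_ratio(matrix)
    if cr >= 0.1:
        raise ValueError(f"pairwise judgements inconsistent (CR={cr:.3f}); revise them")
    weights, _ = priority_vector(matrix)
    totals = {name: sum(w * s for w, s in zip(weights, vals)) for name, vals in scores.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed judgements on Saaty's 1-9 scale for three of the slides'
# characteristics: Formalism is judged 4x as important as Completeness, etc.
CRITERIA = ["Complete", "Unambiguous", "Formalism"]
PAIRWISE = [
    [1.0, 1 / 2, 1 / 4],
    [2.0, 1.0, 1 / 2],
    [4.0, 2.0, 1.0],
]

# Constructed per-criterion scores for three hypothetical taxonomies; the
# Formalism column uses the slide's scale (○ = 0, ◐ = 0.5, ● = 1).
SCORES = {
    "Taxonomy A": [1.0, 1.0, 0.0],
    "Taxonomy B": [0.0, 0.5, 1.0],
    "Taxonomy C": [0.5, 0.0, 1.0],
}

# Constructed inconsistent judgements: 1 > 2 and 2 > 3, yet 3 > 1 by a wide margin.
INCONSISTENT = [
    [1.0, 3.0, 1 / 5],
    [1 / 3, 1.0, 3.0],
    [5.0, 1 / 3, 1.0],
]


if __name__ == "__main__":
    weights, lam = priority_vector(PAIRWISE)
    for name, w in zip(CRITERIA, weights):
        print(f"{name:12s} weight {w:.4f}")
    print(f"lambda_max {lam:.4f}  CR {consistency_ratio(PAIRWISE):.4f}")
    for name, total in rank_alternatives(PAIRWISE, SCORES):
        print(f"{name}: {total:.4f}")
    print(f"inconsistent matrix CR {consistency_ratio(INCONSISTENT):.3f}")
```

For the constructed matrix the judgements are perfectly consistent (each entry equals the ratio of the corresponding weights), so the weights come out as 1/7, 2/7 and 4/7 with CR = 0, and the ranking is Taxonomy B, then C, then A. The `INCONSISTENT` matrix shows why the CR gate matters: its circular judgements give a CR well above 0.1, and `rank_alternatives` refuses to produce a ranking from them rather than silently returning one.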
  • 40. ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58 Agenda 1. Abstract 2. Introduction 3. Literature Review 4. Review of Definitions 5. Comparison of Taxonomies 6.Taxonomy Framework 7. ICS Events Analysis Example 8. Analysis of Incidents 9. Conclusion Industrial Control System Security Taxonomic Framework with Application to a Comprehensive Incidents Survey International Journal of Critical Infrastructure Protection M. Mehdi Ahmadian, Mehdi Shajari, Ali Shafiee https://doi.org/10.1016/j.ijcip.2020.100356 40
  • 41. ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58 ‫پژوهشی‬ ‫پیشنهاد‬‫دوم‬ ‫باز‬ ‫مسئله‬ 41  Interested audiences are referred to the paper (link) for additional details about HTF.
  • 42. ICS Security Incidents Taxonomic Framework with Application to a Comprehensive Incidents Survey| M. M. Ahmadian ©2020 IJCIP Elsevier /58 Agenda 1. Abstract 2. Introduction 3. Literature Review 4. Review of Definitions 5. Comparison of Taxonomies 6.Taxonomy Framework 7. ICS Incidents Analysis Example 8. Analysis of Incidents 9. Conclusion Industrial Control System Security Taxonomic Framework with Application to a Comprehensive Incidents Survey International Journal of Critical Infrastructure Protection M. Mehdi Ahmadian, Mehdi Shajari, Ali Shafiee https://doi.org/10.1016/j.ijcip.2020.100356 42
• 43. ICS Incidents Analysis Example
  o We collected the most important publicly available ICS incidents from:
    • ICS-CERT, Bitdefender, Symantec, Securelist, SecurityWeek, Computerworld, the Repository of Industrial Security Incidents (RISI) online database, Idaho National Laboratory, and articles such as [18] and [19].
  o The dataset covers 268 ICS security incidents publicly reported to have affected process control or industrial automation in SCADA or DCS systems between 1982 and 2018.
  o In the analysis we add two further parameters to each record:
    • Credibility of the information: (1) cannot be determined, (2) improbable, (3) doubtful, (4) possibly true, (5) probably true, (6) confirmed
    • Amount of technical information available: (1) no specifics, (2) high-level summary only, (3) some details, (4) many details, (5) extensive details, (6) comprehensive details with supporting evidence
• 44. ICS Incidents Analysis Example: properties of related work in ICS incident data collection
  o We used two ICS-specific criteria for the analysis: ICS Target Layer and Target Industry.
• 45. ICS Incidents Analysis Example: Stuxnet (classified as Hybrid)
• 46. Agenda (section divider; same list as slide 38)
• 47. Analysis of Incidents
  o We classified and analyzed 268 security incidents on ICSs.
  o Based on the HTF, we carried out a statistical study to expose useful patterns and key points for threat intelligence in ICSs and critical infrastructures.
  Number of reported incidents per year (chart)
  o One of the challenges of ICS security research is the difficulty of collecting incident data.
  → The RISI online database has not been updated since 2015, and unfortunately no updated public online database is currently available to provide this information.
• 48. Analysis of Incidents: Source Type
  Distribution of incidents by the type of their sources (chart)
  o 32% of all ICS incidents are non-security incidents, for example:
    • Poor equipment installation or utilization (software or hardware)
    • Incompatible software installation (causing a computer glitch or malfunction)
    • Incorrect network configuration
    • Inadequate training of staff or contractors
    • Incorrect programming of PLCs or RTUs
    • Poor maintenance
    • Faults during IT audits
    • Mistakes during the upgrade of aged software and hardware
• 49. Analysis of Incidents: Entry Point
  Distribution of incidents by the type of entry point (chart)
  o 50% of security incidents have an internal entry point.
• 50. Analysis of Incidents: Target Layer
  Distribution of incidents by ICS target layer (chart)
  o 29% of all ICS incidents targeted the supervisory network.
• 51. Analysis of Incidents: Target Industry
  Distribution of incidents by ICS target industry (chart)
  1. Transportation industries
  2. Power industries
  3. Water and sewage
  4. …
• 52. Analysis of Incidents: Number of reported security incidents per country
  1. The number of non-internal attacks with a very high level of reconnaissance (US, Iran and Japan are the most frequent):
    • US
    • Iran
    • Japan
• 53. Analysis of Incidents: Target Reconnaissance Level
  Distribution of attacks by target reconnaissance level (chart)
  o Attacks with a "very high" reconnaissance level make up 30% of attacks; these attacks are highly targeted and their security impacts are crippling, for example:
    • Stuxnet
    • Industroyer
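The slides on the dataset (slide 43) and on the per-parameter distributions (slides 47 to 53) describe the same procedure: every incident record carries the taxonomy parameters plus two ordinal scales for credibility and amount of technical information, and the statistics are simple shares of each parameter value over the right population (all incidents, security incidents only, or attacks only). The following is an added example, not the paper's or the authors' code, showing that record format with validation of the two scales and the distribution computations. Everything the slides name (the two six-point scales, the three source types, the entry-point and target-layer labels, the "very high" reconnaissance level) is taken from them; the other category labels, the sample records, the credibility and detail thresholds in `reliable`, and the classification values given to Stuxnet and Industroyer are assumptions made for illustration.

```python
"""Added example (not the paper's code): HTF-style incident records, validation
of the two ordinal scales added for the survey, and the per-parameter
distributions the analysis slides report. Labels the slides do not name are assumed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Ordinal scales added to every record (values and labels as given on slide 43).
CREDIBILITY = {1: "cannot be determined", 2: "improbable", 3: "doubtful",
               4: "possibly true", 5: "probably true", 6: "confirmed"}
TECHNICAL_DETAIL = {1: "no specifics", 2: "high-level summary only", 3: "some details",
                    4: "many details", 5: "extensive details",
                    6: "comprehensive details with supporting evidence"}

# Source types from the talk's definitions; the string labels are assumed.
ATTACK = "attack"
NON_ATTACK_SECURITY = "non-attack security incident"
NON_SECURITY = "non-security incident"
SOURCE_TYPES = {ATTACK, NON_ATTACK_SECURITY, NON_SECURITY}
# The slides name only the "very high" reconnaissance level; the others are assumed.
RECON_LEVELS = ("low", "medium", "high", "very high")


@dataclass(frozen=True)
class Incident:
    name: str
    year: int
    source_type: str
    target_layer: str       # e.g. "supervisory network" (slide 50)
    target_industry: str    # e.g. "transportation", "power", "water and sewage" (slide 51)
    credibility: int        # 1..6, see CREDIBILITY
    technical_detail: int   # 1..6, see TECHNICAL_DETAIL
    entry_point: Optional[str] = None  # "internal"/"external"/"hybrid"; None for non-security incidents
    recon_level: Optional[str] = None  # attacks only

    def __post_init__(self) -> None:
        # Reject records that do not fit the taxonomy instead of silently skewing the statistics.
        if self.source_type not in SOURCE_TYPES:
            raise ValueError(f"{self.name}: unknown source type {self.source_type!r}")
        if self.credibility not in CREDIBILITY:
            raise ValueError(f"{self.name}: credibility must be 1..6")
        if self.technical_detail not in TECHNICAL_DETAIL:
            raise ValueError(f"{self.name}: technical detail must be 1..6")
        if self.source_type != NON_SECURITY and self.entry_point is None:
            raise ValueError(f"{self.name}: security incidents need an entry point")
        if self.source_type == ATTACK and self.recon_level not in RECON_LEVELS:
            raise ValueError(f"{self.name}: attacks need a reconnaissance level")


def security_incidents(incidents: Iterable[Incident]) -> list[Incident]:
    """Attacks plus non-attack security incidents: the population behind slide 49."""
    return [i for i in incidents if i.source_type != NON_SECURITY]


def attacks(incidents: Iterable[Incident]) -> list[Incident]:
    """Attacks only: the population behind the reconnaissance-level chart (slide 53)."""
    return [i for i in incidents if i.source_type == ATTACK]


def reliable(incidents: Iterable[Incident], min_credibility: int = 4, min_detail: int = 3) -> list[Incident]:
    """Keep records rated at least 'possibly true' with at least 'some details' (thresholds assumed)."""
    return [i for i in incidents if i.credibility >= min_credibility and i.technical_detail >= min_detail]


def counts(incidents: Iterable[Incident], key: Callable[[Incident], Optional[str]]) -> Counter:
    """Raw counts of one parameter; records where the parameter does not apply are skipped."""
    return Counter(v for v in (key(i) for i in incidents) if v is not None)


def distribution(incidents: Iterable[Incident], key: Callable[[Incident], Optional[str]]) -> dict[str, float]:
    """Percentage share of each value of one parameter, largest first (one decimal)."""
    c = counts(incidents, key)
    total = sum(c.values())
    return {k: round(100.0 * v / total, 1) for k, v in c.most_common()} if total else {}


# Constructed sample: only the two named incidents are real, and even their
# classification values here are illustrative, not the paper's own table.
SAMPLE = [
    Incident("Stuxnet", 2010, ATTACK, "control network", "nuclear", 6, 6, "hybrid", "very high"),
    Incident("Industroyer", 2016, ATTACK, "supervisory network", "power", 6, 5, "external", "very high"),
    Incident("constructed-03", 2013, ATTACK, "corporate network", "transportation", 4, 2, "external", "low"),
    Incident("constructed-04", 2015, ATTACK, "supervisory network", "water and sewage", 5, 3, "internal", "medium"),
    Incident("constructed-05", 2017, ATTACK, "control network", "power", 3, 2, "internal", "high"),
    Incident("constructed-06", 2009, NON_ATTACK_SECURITY, "supervisory network", "transportation", 5, 4, "internal"),
    Incident("constructed-07", 2012, NON_ATTACK_SECURITY, "corporate network", "power", 4, 3, "external"),
    Incident("constructed-08", 2005, NON_SECURITY, "control network", "power", 5, 3),
    Incident("constructed-09", 2011, NON_SECURITY, "supervisory network", "water and sewage", 2, 1),
    Incident("constructed-10", 2016, NON_SECURITY, "field devices", "transportation", 4, 2),
]

if __name__ == "__main__":
    print("source type (all):", distribution(SAMPLE, lambda i: i.source_type))
    print("entry point (security incidents):", distribution(security_incidents(SAMPLE), lambda i: i.entry_point))
    print("target layer (all):", distribution(SAMPLE, lambda i: i.target_layer))
    print("reconnaissance level (attacks):", distribution(attacks(SAMPLE), lambda i: i.recon_level))
    print("records above credibility/detail thresholds:", len(reliable(SAMPLE)))
```

The point of validating in `__post_init__` is that a survey built from press reports of varying quality only stays comparable if every record is forced into the same scales; the `reliable` filter then lets the same distributions be recomputed over confirmed, well-documented incidents only, which is the check a reader would want before drawing threat-intelligence conclusions from a chart.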
• 54. Analysis of Incidents: twelve further analyses
  → Interested readers are referred to the paper (link) for additional details and the other twelve analyses of incidents.
• 55. Conclusion
  • In this paper, we proposed the Hierarchical Taxonomic Framework (HTF) with sixteen required characteristics for classifying attacks and security incidents in ICSs.
  • We provided semi-formal and standardized definitions of threats, events, incidents, non-incidents, non-security incidents, non-attack security incidents, and attacks.
  • The framework has the desirable properties of completeness, unambiguity, repeatability, usefulness, appropriateness, and applicability.
  • The proposed taxonomy, with its parameters and sub-parameters, provides an expandable hierarchical framework that can be fitted to any organization's requirements. (In this paper we present a minimal set of parameters and sub-parameters for classification.)
  • The HTF parameters and sub-parameters can be changed, expanded, and revised for other applications that need more customization.
  • We also classified and analyzed 268 security incidents (147 attacks and 121 non-attack security incidents) on ICSs.
• 57. Contact us: more details and questions
  o For more details, please read the final published version, which carries the value added by the publisher (formatting, technical enhancements, and the like): https://doi.org/10.1016/j.ijcip.2020.100356
  Thank you!
  mm.Ahmadian@aut.ac.ir
  www.mmAhmadian.ir
  @mmAhmadian
• 58. Contact us: YouTube channel (link)
• 59. References
  1. Geric S, Hutinski Z. Information system security threats classifications. Journal of Information and Organizational Sciences. 2007;31(1):51-61.
  2. ISA/IEC 62443-1-1. Industrial communication networks: Network and system security. 2009.
  3. Ruf L, Thorn A, Christen T, Gruber B, Portmann R, Luzer H. Threat Modeling in Security Architecture: The Nature of Threats. ISSS Working Group on Security Architectures; 2008.
  4. Alhabeeb M, Almuhaideb A, Le P, Srinivasan B. Information Security Threats Classification Pyramid. 24th IEEE International Conference on Advanced Information Networking and Applications Workshops; 2010. p. 208-213. doi: 10.1109/WAINA.2010.39.
  5. Shirey R. Security Architecture for Internet Protocols: A Guide for Protocol Designs and Standards. Internet Draft draft-irtf-psrg-secarch-sect1-00.txt; Nov 1994.
  6. Bishop M. Introduction to Computer Security. Boston, MA: Addison-Wesley; 2005.
  7. Swiderski F, Snyder W. Threat Modeling. Microsoft Press; 2004.
  8. ISO 7498-2. Information processing systems, Open Systems Interconnection, Basic Reference Model. 1989.
  9. Jouini M, Ben Arfa Rabai L, Ben Aissa A. Classification of security threats in information systems. Procedia Computer Science. 2014;32:489-496. doi: 10.1016/j.procs.2014.05.452.
  10. Howard JD, Longstaff TA. A Common Language for Computer Security Incidents. Sandia Report SAND98-8667; Oct 1998. http://prod.sandia.gov/techlib/access-control.cgi/1998/988667.pdf. doi: 10.2172/751004.
  11. Zhu B, Joseph A, Sastry S. A taxonomy of cyber attacks on SCADA systems. In: 2011 International Conference on Internet of Things (iThings/CPSCom) and 4th International Conference on Cyber, Physical and Social Computing. IEEE; Oct 2011. p. 380-388. doi: 10.1109/iThings/CPSCom.2011.34.
  12. Miller WB, Rowe DC, Helps R, Woodside R. A Comprehensive and Open Framework for Classifying Incidents Involving Cyber-Physical Systems. Proceedings of the 2014 IAJC/ISAM Joint International Conference; 2014.
  13. Miller WB. Classifying and Cataloging Cyber-Security Incidents Within Cyber-Physical Systems. Brigham Young University, Provo; 2014.
• 60. References (cont.)
  14. Kjaerland M. A Taxonomy and Comparison of Computer Security Incidents from the Commercial and Government Sectors. Computers & Security. Oct 2006;25(7):522-538. doi: 10.1016/j.cose.2006.08.004.
  15. Blackwell C. A Security Ontology for Incident Analysis. Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research; 2006. doi: 10.1145/1852666.1852717.
  16. Hansman S, Hunt R. A Taxonomy of Network and Computer Attacks. Computers & Security. 2005;24(1):31-43. doi: 10.1016/j.cose.2004.06.011.
  17. Simmons C, Dasgupta SS, Wu Q. AVOIDIT: A Cyber Attack Taxonomy. University of Memphis, Technical Report CS-09-003; 2009.
  18. Miller B, Rowe D. A survey of SCADA and critical infrastructure incidents. In: Proceedings of the 1st Annual Conference on Research in Information Technology. ACM; Oct 2012. p. 51-56. doi: 10.1145/2380790.2380805.
  19. Ogie RI. Cyber Security Incidents on Critical Infrastructure and Industrial Networks. In: Proceedings of the 9th International Conference on Computer and Automation Engineering; Feb 2017. p. 254-258. doi: 10.1145/3057039.3057076.
  20. Radatz J, editor. The IEEE Standard Dictionary of Electrical and Electronics Terms, Sixth Edition. New York, NY: Institute of Electrical and Electronics Engineers; 1996. doi: 10.1109/TMTT.1979.1129614.
  21. Amoroso E. Fundamentals of Computer Security Technology. Englewood Cliffs, NJ: PTR Prentice Hall; 1994.
  22. Howard JD. An Analysis of Security Incidents on the Internet 1989-1995. Doctoral Dissertation, Carnegie Mellon University, Pittsburgh, PA, USA; 1998.
  23. Tang J, Wang D, Ming L, Li X. A Scalable Architecture for Classifying Network Security Threats. Science and Technology on Information System Security Laboratory; 2012.
  24. Saaty TL. Decision making with the analytic hierarchy process. International Journal of Services Sciences. 2008;1(1):83-98. doi: 10.1504/IJSSCI.2008.017590.
  25. Lindqvist U, Jonsson E. How to systematically classify computer security intrusions. IEEE Security and Privacy; 1997. doi: 10.1109/SECPRI.1997.601330.
• 61. References (cont.)
  26. Krsul IV. Software vulnerability analysis. PhD thesis, Purdue University; 1998.
  27. Bishop M. Vulnerabilities analysis. In: Proceedings of Recent Advances in Intrusion Detection; Sep 1999. p. 125-136.
  28. Computer Virus Infects Three London Hospitals. Other, United Kingdom, 2008. http://www.risidata.com/Database/Detail/computer_virus_infects_three_london_hospitals (accessed 3/7/2018).
  29. Computer Virus Strikes Two Scottish Hospitals. Other, United Kingdom, 2009. http://www.risidata.com/Database/Detail/computer_virus_strikes_two_scottish_hospitals (accessed 11/6/2017).
  30. Malware Shuts Down Hospital. Other, United States, 2011. http://www.risidata.com/Database/Detail/malware_shuts_down_hospital (accessed 11/7/2017).
  31. Texas Road Sign Hack. Transportation, United States, 2009. http://www.risidata.com/Database/Detail/texas_road_sign_hack (accessed 11/12/2017).
  32. After 'Godzilla Attack!' U.S. warns about traffic-sign hackers. Transportation, United States, 2014. http://www.risidata.com/Database/Detail/after-godzilla-attack-u.s.-warns-about-traffic-sign-hackers (accessed 11/7/2017).
  33. Slay J, Miller M. Lessons learned from the Maroochy water breach. In: International Conference on Critical Infrastructure Protection. Boston, MA: Springer; Mar 2007. p. 73-82. doi: 10.1007/978-0-387-75462-8_6.
  34. Mustard S. Security of distributed control systems: The concern increases. Computing & Control Engineering Journal. Dec 2005;16(6):19-25. doi: 10.1049/cce:20050605.
  35. Virus Infection of Operator Training Simulator. Petroleum, Canada, 2002. http://www.risidata.com/Database/Detail/virus-infection-of-operator-training-simulator (accessed 11/10/2017).
  36. Moore D, Paxson V, Savage S, Shannon C, Staniford S, Weaver N. Inside the Slammer worm. IEEE Security & Privacy. Jul 2003;99(4):33-39. doi: 10.1109/MSECP.2003.1219056.
  37. Geer D. Security of critical control systems sparks concern. Computer. Jan 2006;39(1):20-23. doi: 10.1109/MC.2006.32.
  38. Vries L. Dam Breaks At Missouri Power Plant. https://www.cbsnews.com/news/dam-breaks-at-missouri-power-plant (accessed 2/4/2018).
• 62. References (cont.)
  39. Rogers JD, Watkins CM, Chung JW. The 2005 upper Taum Sauk dam failure: A case history. Environmental & Engineering Geoscience. Aug 2010;16(3):257-289. doi: 10.2113/gseegeosci.16.3.257.
  40. Nicholson A, Webber S, Dyer S, Patel T, Janicke H. SCADA security in the light of Cyber-Warfare. Computers & Security. Jun 2012;31(4):418-436. doi: 10.1016/j.cose.2012.02.009.
  41. Steel Plant Infection with Ahack Worm. Metals, Brazil, 2008. http://www.risidata.com/Database/Detail/steel_plant_infection_with_ahack_worm (accessed 4/4/2018).
  42. Daniela T. Communication security in SCADA pipeline monitoring systems. In: 10th Roedunet International Conference (RoEduNet). IEEE; Jun 2011. p. 1-5. doi: 10.1109/RoEduNet.2011.5993706.
  43. Virvilis N, Gritzalis D, Apostolopoulos T. Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game? In: 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC); 2013. doi: 10.1109/UIC-ATC.2013.80.
  44. Advisory (ICSA-11-041-01A): McAfee Night Dragon Report (Update A). 2011. https://ics-cert.us-cert.gov/advisories/ICSA-11-041-01A (accessed 8/4/2017).
  45. Protecting Critical Systems While Promoting Operational Efficiency: Towards the digital oilfield. 2012. http://www.symantec.com/content/en/uk/enterprise/fact_sheets/b-Oil_and_Gas_Report_lr.pdf (accessed 8/4/2017).
  46. W32.Duqu: The Precursor to the Next Stuxnet. 2012. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf (accessed 8/4/2017).
  47. Naraine R. Duqu F.A.Q. 2011. https://securelist.com/duqu-faq-33/32463/ (accessed 8/4/2017).
  48. From Shamoon to StoneDrill, Version 1.05. 2017. https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf (accessed 8/4/2017).
  49. The Shamoon Attacks. Symantec Security Response; 2012. https://www.symantec.com/connect/blogs/shamoon-attacks (accessed 9/4/2017).
• 63. References (cont.)
  50. Gostev A. The Flame: Questions and Answers. https://securelist.com/the-flame-questions-and-answers-51/34344/ (accessed 7/11/2017).
  51. Raiu C. Destructive Malware: Five Wipers in the Spotlight. https://securelist.com/destructive-malware-five-wipers-in-the-spotlight/58194/ (accessed 6/1/2017).
  52. Kaspersky Lab Publishes New Research about Wiper, the Destructive Malware Targeting Computer Systems in April 2012. https://usa.kaspersky.com/about/press-releases/2012_kaspersky-lab-publishes-new-research-about-wiper-the-destructive-malware-targeting-computer-systems-in-april-2012 (accessed 8/4/2017).
  53. GReAT. What was that Wiper Thing? https://securelist.com/what-was-that-wiper-thing-48/34088/ (accessed 8/4/2015).
  54. Dragonfly: Western Energy Companies Under Sabotage Threat. Symantec Security Response. https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat (accessed 8/4/2017).
  55. Alert (ICS-ALERT-14-176-02A): ICS Focused Malware (Update A). https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A (accessed 6/4/2015).
  56. Kaspersky Lab Global Research and Analysis Team. Energetic Bear: Crouching Yeti. https://securelist.com/files/2014/07/EB-YetiJuly2014-Public.pdf (accessed 6/4/2017).
  57. Mimoso M. Motives Behind Havex ICS Malware Campaign Remain a Mystery. https://threatpost.com/motives-behind-havex-ics-malware-campaign-remain-a-mystery/107046/#comment-234144 (accessed 8/14/2017).
  58. Khandelwal S. Stuxnet-like 'Havex' Malware Strikes European SCADA Systems. https://thehackernews.com/2014/06/stuxnet-like-havex-malware-strikes.html (accessed 7/11/2017).
  59. Lee RM, Assante MJ, Conway T. German Steel Mill Cyber Attack. https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf (accessed 8/20/2017).
  60. Kovacs E. Cyberattack on German Steel Plant Caused Significant Damage: Report. http://www.securityweek.com/cyberattack-german-steel-plant-causes-significant-damage-report (accessed 8/20/2017).
• 64. References (cont.)
  61. Zetter K. A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever. https://www.wired.com/2015/01/german-steel-mill-hack-destruction/ (accessed 8/20/2017).
  62. Alert (TA17-163A): CrashOverride Malware. https://www.us-cert.gov/ncas/alerts/TA17-163A (accessed 1/5/2018).
  63. Cherepanov A. Industroyer: biggest threat to industrial control systems since Stuxnet. https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/ (accessed 11/4/2017).
  64. Angelov B. ClearEnergy Ransomware Targets Critical Infrastructure, SCADA and Industrial Control Systems. http://virusguides.com/clearenergy-ransomware-targets-critical-infrastructure-scada-industrial-control-systems/ (accessed 8/14/2017).
  65. Paganini P. ClearEnergy Ransomware aim to Destroy Process Automation Logics in Critical Infrastructure, SCADA and Industrial Control Systems. http://securityaffairs.co/wordpress/57731/malware/clearenergy-ransomware-scada.html (accessed 8/14/2017).
  66. Kovacs E. PLCs From Several Vendors Vulnerable to Replay Attacks. http://www.securityweek.com/plcs-several-vendors-vulnerable-replay-attacks (accessed 8/14/2017).
  67. Johnson B, Caban D, Krotofil M, Scali D, Brubaker N, Glyer C. Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html (accessed 1/11/2018).
  68. Kovacs E. Iran Used "Triton" Malware to Target Saudi Arabia: Researchers. https://www.securityweek.com/iran-used-triton-malware-target-saudi-arabia-researchers (accessed 11/4/2017).
  69. Han C, Dongre R. Q&A. What Motivates Cyber-Attackers? Technology Innovation Management Review. 4(10). https://timreview.ca/article/838 (accessed 4/4/2018).
• 65. References (cont.)
  70. Thomas RK, Cardenas AA, Bobba RB. First Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC): Challenges and Research Directions. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security; Oct 2015. p. 1705-1706. doi: 10.1145/2810103.2812621.
  71. Cyber Attack on Texas Electricity Provider. Power and Utilities, United States, 2010. http://www.risidata.com/Database/Detail/cyber_attack_on_texas_electricity_provider (accessed 11/2/2017).
  72. Public utility compromised after brute-force hack attack. Power and Utilities, United States, 2014. http://www.risidata.com/Database/Detail/public-utility-compromised-after-brute-force-hack-attack-says-homeland-secu (accessed 11/8/2017).
  73. Whitehat Takeover of DCS Consoles. Petroleum, Canada, 2002. http://www.risidata.com/Database/Detail/whitehat-takeover-of-dcs-consoles (accessed 11/17/2017).
  74. Kovacs E. Former Sysadmin Sentenced to Prison for Hacking Industrial Facility. https://www.securityweek.com/former-sysadmin-sentenced-prison-hacking-industrial-facility (accessed 4/5/2017).