Malware communication and containment in critical infrastructure networks

Abstract

Critical infrastructures utilize information technology for control functions, which creates additional entry points in vulnerable hard- and software, providing distribution paths for cyber-attacks. In this dissertation we address the issue of cyber-attacks against critical infrastructures in five parts. First, we provide an evaluation of four network architectures suitable for critical infrastructures. Their security by design and their applicability toward real world scenarios are also considered. We summarize the benefits and drawbacks with a focus on the implementation of self-organizing structures within decentralized and centralized network topologies, regarding security. Then, we investigate malware communication in critical infrastructures, proposing a comprehensive generic model for cyber-attack life-cycles and addressing the specific characteristics of the environment. We include the building blocks for many major known malware types as well as different propagation methods, access vectors, scanning techniques, command and control structures, attack methods, triggers, and cleanup mechanisms. Toward this end, we evaluate a variety of malware types as basis for our attack model and introduce three novel superclasses that are particularly suited for attacking critical infrastructures. These synthetic models provide a basis for the detection of malware communication and extrapolates from existing malware technologies in order to predict future developments. Based on these malware models, we conduct discrete-event simulations in the ns3 environment, which are based on our network topologies that use real infrastructure data from our industrial partner. Our investigations show that aggressive malware, although quickly spreading, leaves footprints for defensive mechanisms to effectively counteract them. However, stealthy malware that is less visible and therefore harder to detect, spreads slower but requires more scrutiny on the defenders’ side. We also develop metrics that evaluate the security by design of each network topology and the malware movement inside critical infrastructure networks. We design those metrics to represent malware spreading and consider the importance of critical nodes inside each topology. This allows us to evaluate how different malware types behave from our simulation results and conclude how to defend against them. Finally, we introduce a list of defensive measures, categorized by functionality and attack type.We correlate these categories to the attack stages that occur during a cyber-attack and map them to our generic cyber-attack life-cycle model.