Change search
Link to record
Permanent link

Direct link
BETA
Publications (10 of 145) Show all publications
Iqbal, A., Mahmood, F. & Ekstedt, M. (2019). Digital Forensic Analysis of Industrial Control Systems Using Sandboxing: A Case of WAMPAC Applications in the Power Systems. Energies, 12(13), Article ID 2598.
Open this publication in new window or tab >>Digital Forensic Analysis of Industrial Control Systems Using Sandboxing: A Case of WAMPAC Applications in the Power Systems
2019 (English)In: Energies, ISSN 1996-1073, E-ISSN 1996-1073, Vol. 12, no 13, article id 2598Article in journal (Refereed) Published
Abstract [en]

In today's connected world, there is a tendency of connectivity even in the sectors which conventionally have been not so connected in the past, such as power systems substations. Substations have seen considerable digitalization of the grid hence, providing much more available insights than before. This has all been possible due to connectivity, digitalization and automation of the power grids. Interestingly, this also means that anybody can access such critical infrastructures from a remote location and gone are the days of physical barriers. The power of connectivity and control makes it a much more challenging task to protect critical industrial control systems. This capability comes at a price, in this case, increasing the risk of potential cyber threats to substations. With all such potential risks, it is important that they can be traced back and attributed to any potential threats to their roots. It is extremely important for a forensic investigation to get credible evidence of any cyber-attack as required by the Daubert standard. Hence, to be able to identify and capture digital artifacts as a result of different attacks, in this paper, the authors have implemented and improvised a forensic testbed by implementing a sandboxing technique in the context of real time-hardware-in-the-loop setup. Newer experiments have been added by emulating the cyber-attacks on WAMPAC applications, and collecting and analyzing captured artifacts. Further, using sandboxing for the first time in such a setup has proven helpful.

Place, publisher, year, edition, pages
MDPI, 2019
Keywords
forensic investigations; forensic evidence substation; wide area monitoring protection and control; phasor measurement units (PMUs); industrial control systems; sandboxing
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Electrical Engineering; Industrial Information and Control Systems
Identifiers
urn:nbn:se:kth:diva-254917 (URN)10.3390/en12132598 (DOI)000477034700136 ()2-s2.0-85068759897 (Scopus ID)
Funder
Swedish Civil Contingencies Agency
Note

QC 20190710

Available from: 2019-07-09 Created: 2019-07-09 Last updated: 2019-08-12Bibliographically approved
Johnson, P., Lagerström, R., Ekstedt, M. & Franke, U. (2018). Can the Common Vulnerability Scoring System be Trusted?: A Bayesian Analysis. IEEE Transactions on Dependable and Secure Computing, 15(6), 1002-1015, Article ID 7797152.
Open this publication in new window or tab >>Can the Common Vulnerability Scoring System be Trusted?: A Bayesian Analysis
2018 (English)In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 15, no 6, p. 1002-1015, article id 7797152Article in journal (Refereed) Published
Abstract [en]

The Common Vulnerability Scoring System (CVSS) is the state-of-the art system for assessing software vulnerabilities. However, it has been criticized for lack of validity and practitioner relevance. In this paper, the credibility of the CVSS scoring data found in five leading databases – NVD, X-Force, OSVDB, CERT-VN, and Cisco – is assessed. A Bayesian method is used to infer the most probable true values underlying the imperfect assessments of the databases, thus circumventing the problem that ground truth is not known. It is concluded that with the exception of a few dimensions, the CVSS is quite trustworthy. The databases are relatively consistent, but some are better than others. The expected accuracy of each database for a given dimension can be found by marginalizing confusion matrices. By this measure, NVD is the best and OSVDB is the worst of the assessed databases.

Place, publisher, year, edition, pages
IEEE Press, 2018
Keywords
cyber security, software vulnerability, CVSS, information security
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-200695 (URN)10.1109/TDSC.2016.2644614 (DOI)000449980000008 ()2-s2.0-85056520813 (Scopus ID)
Funder
EU, FP7, Seventh Framework Programme, 607109Swedish Civil Contingencies Agency, 2015-6986StandUp
Note

QC 20170202

Available from: 2017-02-01 Created: 2017-02-01 Last updated: 2019-03-12Bibliographically approved
Ekstedt, M., Lapalme, J., Franke, U. & Schulte, S. (2018). Message from the EDOC 2018 Workshop and Demo Chairs. Paper presented at 16 October 2018 through 19 October 2018. 22nd IEEE International Enterprise Distributed Object Computing Conference Workshops, EDOCW 2018, 2018-October, Article ID 8536091.
Open this publication in new window or tab >>Message from the EDOC 2018 Workshop and Demo Chairs
2018 (English)In: 22nd IEEE International Enterprise Distributed Object Computing Conference Workshops, EDOCW 2018, ISSN 1541-7719, Vol. 2018-October, article id 8536091Article in journal (Refereed) Published
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers Inc., 2018
National Category
Computer Engineering
Identifiers
urn:nbn:se:kth:diva-247053 (URN)10.1109/EDOCW.2018.00005 (DOI)2-s2.0-85058951280 (Scopus ID)
Conference
16 October 2018 through 19 October 2018
Note

QC 20190625

Available from: 2019-06-25 Created: 2019-06-25 Last updated: 2019-06-25Bibliographically approved
Korman, M., Välja, M., Björkman, G., Ekstedt, M., Vernotte, A. & Lagerström, R. (2017). Analyzing the effectiveness of attack countermeasures in a SCADA system. In: Proceedings - 2017 2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids, CPSR-SG 2017 (part of CPS Week): . Paper presented at 2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids, CPSR-SG 2017, 21 April 2017 (pp. 73-78). Association for Computing Machinery, Inc
Open this publication in new window or tab >>Analyzing the effectiveness of attack countermeasures in a SCADA system
Show others...
2017 (English)In: Proceedings - 2017 2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids, CPSR-SG 2017 (part of CPS Week), Association for Computing Machinery, Inc , 2017, p. 73-78Conference paper (Refereed)
Abstract [en]

The SCADA infrastructure is a key component for power grid operations. Securing the SCADA infrastructure against cyber intrusions is thus vital for a well-functioning power grid. However, the task remains a particular challenge, not the least since not all available security mechanisms are easily deployable in these reliability-critical and complex, multi-vendor environments that host modern systems alongside legacy ones, to support a range of sensitive power grid operations. This paper examines how effective a few countermeasures are likely to be in SCADA environments, including those that are commonly considered out of bounds. The results show that granular network segmentation is a particularly effective countermeasure, followed by frequent patching of systems (which is unfortunately still difficult to date). The results also show that the enforcement of a password policy and restrictive network configuration including whitelisting of devices contributes to increased security, though best in combination with granular network segmentation.

Place, publisher, year, edition, pages
Association for Computing Machinery, Inc, 2017
Keywords
Cyber security, SCADA system, Security controls, Threat modeling, Vulnerability assessment, Electric power system security, Electric power transmission networks, Legacy systems, SCADA systems, Smart power grids, Multi-vendor environment, Network configuration, Network segmentation, Power grid operations, Vulnerability assessments, Network security
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-216532 (URN)10.1145/3055386.3055393 (DOI)2-s2.0-85019036296 (Scopus ID)9781450349789 (ISBN)
Conference
2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids, CPSR-SG 2017, 21 April 2017
Note

QC 20171128

Available from: 2017-11-28 Created: 2017-11-28 Last updated: 2017-11-28Bibliographically approved
Lagerström, R., Johnson, P. & Ekstedt, M. (2017). Automatic Design of Secure Enterprise Architecture. In: Halle, S Dijkman, R Lapalme, J (Ed.), Proceedings of the 2017 IEEE 21st International Enterprise Distributed Object Computing Conference Workshops and Demonstrations (EDOCW 2017): . Paper presented at 21st IEEE International Enterprise Distributed Object Computing Conference (EDOC), OCT 10-13, 2017, Quebec City, CANADA (pp. 65-70). Institute of Electrical and Electronics Engineers (IEEE)
Open this publication in new window or tab >>Automatic Design of Secure Enterprise Architecture
2017 (English)In: Proceedings of the 2017 IEEE 21st International Enterprise Distributed Object Computing Conference Workshops and Demonstrations (EDOCW 2017) / [ed] Halle, S Dijkman, R Lapalme, J, Institute of Electrical and Electronics Engineers (IEEE), 2017, p. 65-70Conference paper, Published paper (Refereed)
Abstract [en]

Architecture models mainly have three functions; 1) document, 2) analyze, and 3) improve the system under consideration. All three functions have suffered from being time-consuming and expensive, mainly due to being manual processes in need of hard to find expertise. Recent work has however automated both the data collection and the analysis. In order for enterprise architecture modeling to finally become free of manual labor the design function also needs to be automated. In this position paper we propose the Automatic Designer. A solution that employs machine learning techniques to realize the design of (near) optimal architecture solutions. This particular implementation is focused on security analysis, but could easily be extended to other topics.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2017
Series
IEEE International Enterprise Distributed Object Computing Conference Workshops-EDOCW, ISSN 2325-6583
National Category
Other Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-220665 (URN)10.1109/EDOCW.2017.19 (DOI)000417417800011 ()2-s2.0-85043595735 (Scopus ID)978-1-5386-1568-3 (ISBN)
Conference
21st IEEE International Enterprise Distributed Object Computing Conference (EDOC), OCT 10-13, 2017, Quebec City, CANADA
Note

QC 20191009

Available from: 2017-12-29 Created: 2017-12-29 Last updated: 2019-10-09Bibliographically approved
Vernotte, A., Johnson, P., Ekstedt, M. & Lagerström, R. (2017). In-Depth Modeling of the UNIX Operating System for Architectural Cyber Security Analysis. In: Halle, S Dijkman, R Lapalme, J (Ed.), PROCEEDINGS OF THE 2017 IEEE 21ST INTERNATIONAL ENTERPRISE DISTRIBUTED OBJECT COMPUTING CONFERENCE WORKSHOPS AND DEMONSTRATIONS (EDOCW 2017): . Paper presented at 21st IEEE International Enterprise Distributed Object Computing Conference (EDOC), OCT 10-13, 2017, Quebec City, CANADA (pp. 127-136). Institute of Electrical and Electronics Engineers (IEEE)
Open this publication in new window or tab >>In-Depth Modeling of the UNIX Operating System for Architectural Cyber Security Analysis
2017 (English)In: PROCEEDINGS OF THE 2017 IEEE 21ST INTERNATIONAL ENTERPRISE DISTRIBUTED OBJECT COMPUTING CONFERENCE WORKSHOPS AND DEMONSTRATIONS (EDOCW 2017) / [ed] Halle, S Dijkman, R Lapalme, J, Institute of Electrical and Electronics Engineers (IEEE), 2017, p. 127-136Conference paper, Published paper (Refereed)
Abstract [en]

ICT systems have become an integral part of business and life. At the same time, these systems have become extremely complex. In such systems exist numerous vulnerabilities waiting to be exploited by potential threat actors. pwnPr3d is a novel modelling approach that performs automated architectural analysis with the objective of measuring the cyber security of the modeled architecture. Its integrated modelling language allows users to model software and hardware components with great level of details. To illustrate this capability, we present in this paper the metamodel of UNIX, operating systems being the core of every software and every IT system. After describing the main UNIX constituents and how they have been modelled, we illustrate how the modelled OS integrates within pwnPr3d's rationale by modelling the spreading of a self-replicating malware inspired by WannaCry.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2017
Series
IEEE International Enterprise Distributed Object Computing Conference Workshops-EDOCW, ISSN 2325-6583
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-220666 (URN)10.1109/EDOCW.2017.26 (DOI)000417417800020 ()2-s2.0-85043606711 (Scopus ID)978-1-5386-1568-3 (ISBN)
Conference
21st IEEE International Enterprise Distributed Object Computing Conference (EDOC), OCT 10-13, 2017, Quebec City, CANADA
Funder
EU, FP7, Seventh Framework Programme, 607109Swedish Civil Contingencies Agency
Note

QC 20180108

Available from: 2018-01-08 Created: 2018-01-08 Last updated: 2019-09-23
Välja, M., Korman, M., Lagerström, R., Franke, U. & Ekstedt, M. (2016). Automated Architecture Modeling for Enterprise Technology Management Using Principles from Data Fusion: A Security Analysis Case. In: Kocaoglu, DF Anderson, TR Daim, TU Kozanoglu, DC Niwa, K Perman, G (Ed.), PORTLAND INTERNATIONAL CONFERENCE ON MANAGEMENT OF ENGINEERING AND TECHNOLOGY (PICMET 2016): TECHNOLOGY MANAGEMENT FOR SOCIAL INNOVATION. Paper presented at Portland International Conference on Management of Engineering and Technology (PICMET), SEP 04-08, 2016, Honolulu, HI (pp. 14-22). IEEE
Open this publication in new window or tab >>Automated Architecture Modeling for Enterprise Technology Management Using Principles from Data Fusion: A Security Analysis Case
Show others...
2016 (English)In: PORTLAND INTERNATIONAL CONFERENCE ON MANAGEMENT OF ENGINEERING AND TECHNOLOGY (PICMET 2016): TECHNOLOGY MANAGEMENT FOR SOCIAL INNOVATION / [ed] Kocaoglu, DF Anderson, TR Daim, TU Kozanoglu, DC Niwa, K Perman, G, IEEE , 2016, p. 14-22Conference paper, Published paper (Refereed)
Abstract [en]

Architecture models arc used in enterprise management for decision support. These decisions range from designing processes to planning for the appropriate supporting technology. It is unreasonable for an existing enterprise to completely reinvent itself. Incremental changes are in most cases a more resource efficient tactic. Thus, for planning organizational changes, models of the current practices and systems need to be created. For mid-sized to large organizations this can be an enormous task when executed manually. Fortunately, there's a lot of data available from different sources within an enterprise that can be used for populating such models. The data are however almost always heterogeneous and usually only representing fragmented views of certain aspects. In order to merge such data and obtaining a unified view of the enterprise a suitable methodology is needed. In this paper we address this problem of creating enterprise architecture models from heterogeneous data. The paper proposes a novel approach that combines methods from the fields of data fusion and data warehousing. The approach is tested using a modeling language focusing on cyber security analysis in a study of a lab setup mirroring a small power utility's IT environment.

Place, publisher, year, edition, pages
IEEE, 2016
Series
Portland International Conference on Management of Engineering and Technology, ISSN 2159-5100
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:kth:diva-242720 (URN)10.1109/PICMET.2016.7806662 (DOI)000403104500002 ()2-s2.0-85016195766 (Scopus ID)
Conference
Portland International Conference on Management of Engineering and Technology (PICMET), SEP 04-08, 2016, Honolulu, HI
Note

QC 20190220

Available from: 2019-02-20 Created: 2019-02-20 Last updated: 2019-09-19
Kordy, B., Ekstedt, M. & Kim, D. S. (2016). Preface. In: 3rd International Workshop on Graphical Models for Security, GraMSec 2016: . Paper presented at 27 June 2016 through 27 June 2016 (pp. V-VI). Springer
Open this publication in new window or tab >>Preface
2016 (English)In: 3rd International Workshop on Graphical Models for Security, GraMSec 2016, Springer, 2016, p. V-VIConference paper, Published paper (Refereed)
Place, publisher, year, edition, pages
Springer, 2016
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-195505 (URN)2-s2.0-84988497608 (Scopus ID)9783319462622 (ISBN)
Conference
27 June 2016 through 27 June 2016
Note

QC 20161125

Available from: 2016-11-25 Created: 2016-11-03 Last updated: 2016-11-25Bibliographically approved
Johnson, P., Vernotte, A., Ekstedt, M. & Lagerström, R. (2016). pwnPr3d: an Attack Graph Driven Probabilistic Threat Modeling Approach. In: Availability, Reliability and Security (ARES), 2016 11th International Conference on: . Paper presented at International Conference on Availability, Reliability and Security (ARES). IEEE conference proceedings
Open this publication in new window or tab >>pwnPr3d: an Attack Graph Driven Probabilistic Threat Modeling Approach
2016 (English)In: Availability, Reliability and Security (ARES), 2016 11th International Conference on, IEEE conference proceedings, 2016Conference paper, Published paper (Refereed)
Abstract [en]

In this paper we introduce pwnPr3d, a probabilistic threat modeling approach for automatic attack graph generation based on network modeling. The aim is to provide stakeholders in organizations with a holistic approach that both provides high-level overview and technical details. Unlike many other threat modeling and attack graph approaches that rely heavily on manual work and security expertise, our language comes with built-in security analysis capabilities. pwnPr3d generates probability distributions over the time to compromise assets.

Place, publisher, year, edition, pages
IEEE conference proceedings, 2016
Keywords
:Threat Modeling; Network Security; Attack Graphs
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-200698 (URN)10.1109/ARES.2016.77 (DOI)000391214400034 ()2-s2.0-85015304142 (Scopus ID)
Conference
International Conference on Availability, Reliability and Security (ARES)
Note

QC 20170202

Available from: 2017-02-01 Created: 2017-02-01 Last updated: 2019-09-23
Johnson, P., Vernotte, A., Gorton, D., Ekstedt, M. & Lagerström, R. (2016). Quantitative Information Security Risk Estimation using Probabilistic Attack Graphs. In: RISK: International Workshop on Risk Assessment and Risk-driven Testing: 4th International Workshop, RISK 2016, Held in Conjunction with ICTSS 2016, Graz, Austria, October 18, 2016, Revised Selected Papers. Paper presented at 4th International Workshop on Risk Assessment and Risk Driven Quality Assurance, RISK 2016 held in conjunction with 28th International Conference on Testing Software and Systems, ICTSS 2016, Graz, Austria, 18 October 2016 through 18 October 2016 (pp. 37-52). Springer, 10224
Open this publication in new window or tab >>Quantitative Information Security Risk Estimation using Probabilistic Attack Graphs
Show others...
2016 (English)In: RISK: International Workshop on Risk Assessment and Risk-driven Testing: 4th International Workshop, RISK 2016, Held in Conjunction with ICTSS 2016, Graz, Austria, October 18, 2016, Revised Selected Papers, Springer, 2016, Vol. 10224, p. 37-52Conference paper, Published paper (Refereed)
Abstract [en]

This paper proposes an approach, called pwnPr3d, for quantitatively estimating information security risk in ICT systems. Unlike many other risk analysis approaches that rely heavily on manual work and security expertise, this approach comes with built-in security risk analysis capabilities. pwnPr3d combines a network architecture modeling language and a probabilistic inference engine to automatically generate an attack graph, making it possible to identify threats along with the likelihood of these threats exploiting a vulnerability. After defining the value of information assets to their organization with regards to confidentiality, integrity and availability breaches, pwnPr3d allows users to automatically quantify information security risk over time, depending on the possible progression of the attacker. As a result, pwnPr3d provides stakeholders in organizations with a holistic approach that both allows high-level overview and technical details.

Place, publisher, year, edition, pages
Springer, 2016
Series
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), ISSN 0302-9743 ; 10224
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-200700 (URN)10.1007/978-3-319-57858-3_4 (DOI)000426090100004 ()2-s2.0-85018370233 (Scopus ID)9783319578576 (ISBN)
Conference
4th International Workshop on Risk Assessment and Risk Driven Quality Assurance, RISK 2016 held in conjunction with 28th International Conference on Testing Software and Systems, ICTSS 2016, Graz, Austria, 18 October 2016 through 18 October 2016
Funder
Swedish Civil Contingencies AgencyEU, FP7, Seventh Framework Programme, 607109
Note

QC 20171030

Available from: 2017-02-01 Created: 2017-02-01 Last updated: 2019-09-23
Organisations
Identifiers
ORCID iD: ORCID iD iconorcid.org/0000-0003-3922-9606

Search in DiVA

Show all publications