• Title/Summary/Keyword: stuxnet

Search Result 28, Processing Time 0.028 seconds

MITRE ATT&CK 프레임워크 기반 에너지분야 기반시설 보안 모니터링 방안

  • Choi, Seungoh;Kim, HyoungChun
    • Review of KIISC
    • /
    • v.30 no.5
    • /
    • pp.13-23
    • /
    • 2020
  • 주요 국가기반시설에 도입되어 운영 중인 산업제어시스템은 4차 산업혁명에 따른 디지털 전환으로 지능화됨에 따라 IT환경의 보안위협이 OT환경으로 상속되면서 제어시스템 보안위협 및 공격 양상도 복잡해지고 있다. 실제로 에너지분야 기반시설을 대상으로 한 Stuxnet, Conficker, BlackEnergy3 등 제어시스템 사이버 위협 및 사고 사례가 지속적으로 보고되고 있으나, 제어시스템을 대상으로 하는 사이버공격 대응을 위한 보안가시성 확보는 제대로 이루어지지 않고 있으며, 이를 위해서는 기존 IT 환경과는 다른 제어시스템의 특성이 반영된 보안 모니터링이 요구된다. 본 논문에서는 제어시스템 보안위협 지식 데이터베이스인 MITRE ATT&CK 프레임워크를 기반으로 제어시스템에 적합한 보안 모니터링을 수행하기 위한 요소들을 식별하고 방안을 제시한다.

A Study on Establishment of Simulation Test Facility for Analysing Relativity of NPP Accidents (원전 사고연계 시스템의 사이버보안성 분석환경 개발방안에 관한 연구)

  • Byun, Ye-Eun;Kim, Hyun-Doo;Kim, Si-Won
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2016.10a
    • /
    • pp.243-245
    • /
    • 2016
  • 2008년 미국 Hatch 발전소에서 제어시스템 소프트웨어 업데이트로 인한 비상정지, 2010년 이란 원자력시설에서 악성코드 스턱스넷(Stuxnet) 감염을 통한 원심분리기 1,000여개 파괴 등 원자력시설에 대한 사이버공격이 점차 증가하고 있는 상황에서 우리나라도 이와 같은 사고를 예방하기 위한 방안을 강구하여야 한다. 이미 우리나라 원자력시설에서 사용되는 시스템들이 아날로그 방식에서 디지털로 교체되고 있는 등 사이버공격에 용이하게 변화되고 있다. 이에 원전 사고연계 시스템들의 보안성을 평가할 수 있는 환경을 구축함으로써 사이버공격에 대한 보안대책 마련 및 근본적인 방어 체계를 수립하고자 한다.

Trend and verification measures of certification evaluation in control system (제어시스템 인증평가 동향 및 검증방안)

  • Ueda, Osamu
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2016.04a
    • /
    • pp.259-262
    • /
    • 2016
  • 최근 중요 인프라 업계에서 주로 다뤄지는 제어시스템을 표적으로 한 사이버 공격으로 Stuxnet에 이어 Havex RAT, BlackEnergy2 라고 하는 멀웨어(Malware)를 이용한 사건이 많이 증가하고 있다. 제어시스템의 새로운 공격 방법에 대한 대책으로 시스템 입구와 내부조직에 대한 대책을 강화하기 위한 필요성이 요구되어 왔지만 그러한 대책은 한정되어 있다. 본 논문에서는 보안대책에 필요한 인증 취득에 있어서 기준이 되는 국제 표준인 ISASecure(R)EDSA 인증제도에 착목했다. 인증평가는 요구요건이 중복되는 불필요한 인증평가 작업을 최소화 하는 것으로 인증 취득 시 발생되는 코스트를 절감할 수 있으며 기존의 정보 보안 관리체계(lSMS)의 인증을 취득하고 있는 기업이나 조직이면 제어시스템의 인증 기준으로 추가된 차분 요건만으로 취득이 가능 할 수 있을 것으로 상정된다. 이러한 제어시스템의 보안을 구현하기 위해 IACS(Industrial Automation and Control System)에서 표준화로 제정한 IEC62443 시리즈를 참조하여 세계각국에서 사용되는 제어시스템을 대상으로 인증(EDSA) 요구사항의 차분을 도출하는 수법을 제안하고자 한다.

A Study on Prevention against Malware Infection defending the Threat of Cyberwarfare in Defense Network (국방정보통신망에서 사이버공격에 대비한 악성코드 감염 예방에 관한 연구)

  • Kim, Sung-Hwan;Park, Min-Woo;Eom, Jung-Ho;Chung, Tai-Myoung
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2012.04a
    • /
    • pp.635-638
    • /
    • 2012
  • 2011년 Stuxnet의 출현을 기점으로 사이버공격이 보다 정밀화 구체화 되고 있으며 사이버전의 주요 무기라 할 수 있는 악성코드들의 특정 국가산업 기관시스템에 대한 직접적이고 지속적인 공격 시도가 예상된다. 본 논문에서는 사이버전의 개념, 악성코드 관련 동향과 공격행위별 감염대상 등을 살펴보고, 국방정보통신망에서 사이버공격에 대비한 악성코드 감염 예방방안을 제안한다.

A Study on the Possibility for Incident Investigation Using PLC Logs (PLC 로그의 사고조사 활용 가능성에 관한 연구)

  • Chang, Yeop;Kim, Taeyeon;Kim, Woo-Nyon
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.30 no.4
    • /
    • pp.745-756
    • /
    • 2020
  • An ICS(industrial control system) is a complex system that safely and efficiently monitors and controls industrial processes such as electric power, water treatment, transportation, automation plants and chemical plants. Because successful cyber attacks targeting ICS can lead to casualties or serious economic losses, it becomes a prime target of hacker groups sponsored by national state. Cyber campaigns such as Stuxnet, Industroyer and TRITON are real examples of successful ICS attacks, and were developed based on the deep knowledge of the target ICS. Therefore, for incident investigation of ICSs, inspectors also need knowledge of control processes and accident investigation techniques specialized for ICSs. Because there is no applicable technology, it is especially necessary to develop techniques and tools for embedded controllers located at cyber and physical boundaries. As the first step in this research, we reviewed logging capability of 4 PLC(Programmable Logic Controller)s widely used in an ICS area, and checked whether selected PLCs generate logs that can be used for digital investigation in the proposed cyber attack scenario.

A Study on Cyber Operational Elements Classification and COA Evaluation Method for Cyber Command & Control Decision Making Support (사이버 지휘통제 의사결정 지원을 위한 사이버 작전요소 분류 및 방책 평가 방안 연구)

  • Lee, Dong-hwan;Yoon, Suk-joon;Kim, Kook-jin;Oh, Haeng-rok;Han, In-sung;Shin, Dong-kyoo
    • Journal of Internet Computing and Services
    • /
    • v.22 no.6
    • /
    • pp.99-113
    • /
    • 2021
  • In these days, as cyberspace has been recognized as the fifth battlefield area following the land, sea, air, and space, attention has been focused on activities that view cyberspace as an operational and mission domain in earnest. Also, in the 21st century, cyber operations based on cyberspace are being developed as a 4th generation warfare method. In such an environment, the success of the operation is determined by the commander's decision. Therefore, in order to increase the rationality and objectivity of such decision-making, it is necessary to systematically establish and select a course of action (COA). In this study, COA is established by using the method of classifying operational elements necessary for cyber operation, and it is intended to suggest a direction for quantitative evaluation of COA. To this end, we propose a method of composing the COES (Cyber Operational Elements Set), which becomes the COA of operation, and classifying the cyber operational elements identified in the target development process based on the 5W1H Method. In addition, by applying the proposed classification method to the cyber operation elements used in the STUXNET attack case, the COES is formed to establish the attack COAs. Finally, after prioritizing the established COA, quantitative evaluation of the policy was performed to select the optimal COA.

Detecting Cyber Threats Domains Based on DNS Traffic (DNS 트래픽 기반의 사이버 위협 도메인 탐지)

  • Lim, Sun-Hee;Kim, Jong-Hyun;Lee, Byung-Gil
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.37B no.11
    • /
    • pp.1082-1089
    • /
    • 2012
  • Recent malicious attempts in Cyber space are intended to emerge national threats such as Suxnet as well as to get financial benefits through a large pool of comprised botnets. The evolved botnets use the Domain Name System(DNS) to communicate with the C&C server and zombies. DNS is one of the core and most important components of the Internet and DNS traffic are continually increased by the popular wireless Internet service. On the other hand, domain names are popular for malicious use. This paper studies on DNS-based cyber threats domain detection by data classification based on supervised learning. Furthermore, the developed cyber threats domain detection system using DNS traffic analysis provides collection, analysis, and normal/abnormal domain classification of huge amounts of DNS data.

A Study on North Korea's Cyber Attacks and Countermeasures (북한의 사이버공격과 대응방안에 관한 연구)

  • Chung, Min Kyung;Lim, Jong In;Kwon, Hun Yeong
    • Journal of Information Technology Services
    • /
    • v.15 no.1
    • /
    • pp.67-79
    • /
    • 2016
  • This study aims to present the necessary elements that should be part of South Korea's National Defense Strategy against the recent North Korean cyber-attacks. The elements proposed in this study also reflect the recent trend of cyber-attack incidents that are happening in the Unites States and other countries and have been classified into the three levels of cyber incidents: cyberwarfare, cyberterrorism and cybercrime. As such, the elements proposed are presented in accordance with this classification system. In order to properly take into account the recent trend of cyber-attacks perpetrated by North Korea, this paper analyzed the characteristics of recent North Korean cyber-attacks as well as the countermeasures and responses of South Korea. Moreover, by making use of case studies of cyber-attack incidents by foreign nations that threaten national security, the response measures at a national level can be deduced and applied as in this study. Thus, the authors of this study hope that the newly proposed elements here within will help to strengthen the level of Korea's cyber security against foreign attacks, specifically that of North Korea such as the KHNP hacking incidents and so on. It is hoped that further damage such as leakage of confidential information, invasion of privacy and physical intimidation can be mitigated.

Cyber attack taxonomy for digital environment in nuclear power plants

  • Kim, Seungmin;Heo, Gyunyoung;Zio, Enrico;Shin, Jinsoo;Song, Jae-gu
    • Nuclear Engineering and Technology
    • /
    • v.52 no.5
    • /
    • pp.995-1001
    • /
    • 2020
  • With the development of digital instrumentation and control (I&C) devices, cyber security at nuclear power plants (NPPs) has become a hot issue. The Stuxnet, which destroyed Iran's uranium enrichment facility in 2010, suggests that NPPs could even lead to an accident involving the release of radioactive materials cyber-attacks. However, cyber security research on industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems is relatively inadequate compared to information technology (IT) and further it is difficult to study cyber-attack taxonomy for NPPs considering the characteristics of ICSs. The advanced research of cyber-attack taxonomy does not reflect the architectural and inherent characteristics of NPPs and lacks a systematic countermeasure strategy. Therefore, it is necessary to more systematically check the consistency of operators and regulators related to cyber security, as in regulatory guide 5.71 (RG.5.71) and regulatory standard 015 (RS.015). For this reason, this paper attempts to suggest a template for cyber-attack taxonomy based on the characteristics of NPPs and exemplifies a specific cyber-attack case in the template. In addition, this paper proposes a systematic countermeasure strategy by matching the countermeasure with critical digital assets (CDAs). The cyber-attack cases investigated using the proposed cyber-attack taxonomy can be used as data for evaluation and validation of cyber security conformance for digital devices to be applied, and as effective prevention and mitigation for cyber-attacks of NPPs.

STRIDE-based threat modeling and DREAD evaluation for the distributed control system in the oil refinery

  • Kyoung Ho Kim;Kyounggon Kim;Huy Kang Kim
    • ETRI Journal
    • /
    • v.44 no.6
    • /
    • pp.991-1003
    • /
    • 2022
  • Industrial control systems (ICSs) used to be operated in closed networks, that is, separated physically from the Internet and corporate networks, and independent protocols were used for each manufacturer. Thus, their operation was relatively safe from cyberattacks. However, with advances in recent technologies, such as big data and internet of things, companies have been trying to use data generated from the ICS environment to improve production yield and minimize process downtime. Thus, ICSs are being connected to the internet or corporate networks. These changes have increased the frequency of attacks on ICSs. Despite this increased cybersecurity risk, research on ICS security remains insufficient. In this paper, we analyze threats in detail using STRIDE threat analysis modeling and DREAD evaluation for distributed control systems, a type of ICSs, based on our work experience as cybersecurity specialists at a refinery. Furthermore, we verify the validity of threats identified using STRIDE through case studies of major ICS cybersecurity incidents: Stuxnet, BlackEnergy 3, and Triton. Finally, we present countermeasures and strategies to improve risk assessment of identified threats.