11.07.2015 Views

syssec_red_book


retroactively lead to unexpected conditions in the ICS software, which could ultimately lead to failure loops with devastating consequences.

These premises allow us to draw a global picture of what could happen in the future if the current menaces continue their evolution. The word “cyberwar” [119] appears frequently in the majority of recent threat reports and news subsections. This word should be used with care, because, as of March 2013, there is no strong evidence as to whether the aforementioned threats have translated into concrete, planned attacks, as opposed to “testing” performed by the attackers (or governments). On the other hand, the future scenario is frightening as it includes disasters caused by viruses like Stuxnet that infect critical control systems, causing such events as traffic accidents, train or plane collisions, nuclear power plant meltdowns or explosions. Needless to say, such attacks may end up with a massive loss of life and exacerbate the global financial crisis. Ultimately, the economy is also a critical system, with strong impact on the physical world, which is highly dependent on computers. Once attackers have gained control of a CI, they can operate it at their will.

6.5 State of the Art

Recent EU-funded research projects concerning the security of CIs are CRISALIS (http://www.crisalis-project.eu/), which focuses on practical aspects of detection of vulnerabilities and attacks, and SESAME (https://www.sesameproject.eu/), with the same focus, although more oriented toward observing the CIs from the physical side (mainly on smart grids). We also refer the reader to recent work on attack assessment [381], analysis [376] (on espionage attack triage), survey and challenges of smart grid security [392] and critique [314]. Recent reference books worth mentioning are [146, 328].

With system security of CIs being a young research field, a few notable publications—reviewed in the remainder of this section—appeared in the last two years at leading conferences. Most of the literature about detection or protection methods focuses on SCADA protocols or on smart grids.

6.5.1 Anomaly Detection of SCADA Events and Protocols

[203, 204] address the detection of process-related threats in ICS used in CIs. These threats take place when an attacker impersonates a user to perform actions that appear legitimate although they are intended to disrupt the industrial process. They tested their approach on 101,025 log entries to detect anomalous patterns of user actions. This preliminary case study suggests that the approach is effective. One year later the same authors extended their work beyond log analysis and are concentrating on binary protocols, including those adopted by SCADA implementations (e.g., MODBUS). The motivation behind [68] is that several complex and high-impact attacks specifically targeting binary protocols
