
The Rise of ICS Malware: A Comparative Analysis

  • Conference paper
  • Computer Security. ESORICS 2021 International Workshops (ESORICS 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13106)

Abstract

Cyber attacks against Industrial Control Systems (ICS) are one of the major concerns for manufacturing companies worldwide. With the growth of emerging technologies, protecting large-scale Critical Infrastructures has become a considerable research topic over the past decade. Nowadays, software used to monitor Industrial Control Systems might itself be malicious and cause harm not only to physical processes but also to the people working in industrial environments. To that end, integrating safety and security in Industrial Control Systems requires a well-developed understanding of malware-based cyber attacks.

In this paper, we present a comparative analysis framework for ICS malware in a bi-layered approach: a cyber threat intelligence layer based on the ICS cyber kill chain, and a hybrid analysis layer based on static and dynamic analysis of ICS malware. We evaluated our proposed method by experimenting with five well-known ICS malware families: Stuxnet, Havex, BlackEnergy2, CrashOverride, and TRISIS. Our comparative analysis results show the differing and shared strategies used by each ICS malware family to disrupt the ICS environment.



Author information

Corresponding author: Yassine Mekdad


Copyright information

© 2022 Springer Nature Switzerland AG


Cite this paper

Mekdad, Y., Bernieri, G., Conti, M., El Fergougui, A. (2022). The Rise of ICS Malware: A Comparative Analysis. In: Katsikas, S., et al. (eds.) Computer Security. ESORICS 2021 International Workshops. ESORICS 2021. Lecture Notes in Computer Science, vol 13106. Springer, Cham. https://doi.org/10.1007/978-3-030-95484-0_29

  • DOI: https://doi.org/10.1007/978-3-030-95484-0_29

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95483-3

  • Online ISBN: 978-3-030-95484-0

  • eBook Packages: Computer Science; Computer Science (R0)