Attacks on the Industrial Internet of Things – Development of a multi-layer Taxonomy
Introduction
The use of digital technologies is now widespread in the industrial sector. These technologies – for example, cloud computing – create increasing connections between the physical and the digital world, leading to the emergence of an Industrial Internet of Things (IIoT) (Sisinni et al., 2018). In highly flexible, self-organizing, and self-optimizing smart factories, the IIoT enables real-time monitoring and control of production (Brettel et al., 2014; Lasi et al., 2014; Radziwon et al., 2014). This enables manufacturing companies to remain competitive in turbulent markets characterized by ever-changing demands for customer-specific products, shorter research and development cycles, and resource and energy efficiency throughout the entire product life-cycle (Kagermann et al., 2013; Lasi et al., 2014).
Yet, in addition to these manifold opportunities, the development of the IIoT leads to additional IT security risks. In particular, increasing levels of cross-linking and decentralization make IIoT systems more complex. This not only increases the probability of unintentional or negligent disruptions and errors but also creates new targets for IT attacks (Broy et al., 2012); targets that are now vulnerable to both conventional IT attacks and emergent IIoT-specific threats (Alaba et al., 2017). For example, the fact that sensors and network nodes in the IIoT are limited in terms of energy, memory, and processing power (Lu et al., 2014) means that they can provide new entry points for attackers. Meanwhile, the continuing trend toward more sophisticated, multi-stage attacks (Ervural and Ervural, 2018), together with high levels of cross-linking, facilitates the spread of attacks within and across systems (Berger et al., 2019; Moustafa et al., 2018). In addition to the malfunctioning of IT components, compromised systems may entail physical damage or may even be life-threatening (Bhamare et al., 2020).
Attempts have already been made to classify IT attacks and so provide structure in this dynamic and opaque field. In the academic literature, one-dimensional category lists classify IT attacks related to individual characteristics (e.g., Lin et al., 2017; Zhao and Ge, 2013), while taxonomies conceptualize attacks based on multiple characteristics in various contexts (e.g., Elhabashy et al., 2019; Pan et al., 2017; Yampolskiy et al., 2013). However, these works show no uniform structure, only focus on selected attributes with differing levels of granularity, and do not fully account for the context of the IIoT (see Section 2.3). The professional literature authored by management consulting or IT institutions (e.g., CISCO, 2019; Kaspersky, 2019), meanwhile, is primarily focused on individual attacks.
Despite expressing their intentions to bring structure to the field, the majority of industrial organizations still struggle to identify, collect and use the information on IT threats (Iannacone et al., 2015). The comparison and exchange of information are further hampered by the fact that individuals and organizations often use different languages (Hansmann and Hunt, 2005; Howard and Longstaff, 1998). Hence, organizations still lack both an overview and an understanding of potential attacks and how they might be dealt with (Kaspersky, 2017). However, a common understanding and the use of common language (across organizations) are not only necessary to identify and analyze attacks but also to develop mitigation measures (Shirazi et al., 2014; Spreitzer et al., 2018). The variety, heterogeneity, and complexity of security threats underline the need to order and classify attacks (Shirazi et al., 2014). Hence, we address the research question: How can attacks on the IIoT be classified?
To answer this research question, we set out to identify similarities and differences between attacks on the IIoT. To do so, we followed the iterative development method of Nickerson et al. (2013) and created a multi-layer taxonomy for classifying attacks. Our taxonomy, which comprises 8 dimensions and 19 characteristics, spanning 3 layers, was initially based on a structured literature review. The taxonomy was refined in the course of four iterations using a sample of 53 attacks. We confirmed the validity and reliability of the taxonomy by calculating object- and dimension-specific hit ratios. An illustrative example involving a real-world scenario is used to demonstrate the usefulness of the taxonomy.
Combining the fields of IT security, IIoT, and risk management, our interdisciplinary approach provides both researchers and practitioners with a common understanding of attacks on the IIoT. Based on various dimensions and characteristics of comparable granularity, our taxonomy enables the comparison of conventional and emerging IIoT-specific attacks. From an academic perspective, our taxonomy contributes to the descriptive knowledge, providing a means to identify similarities and differences between attacks on the IIoT. This understanding is key to the advancement of research in this fast-moving field. From a practical point of view, managers, IT security experts, system designers, and network administrators can use our taxonomy to collect and analyze attack information in a structured and comprehensive manner. This information will, in turn, support the development of mitigation measures for counteracting existing and future threats.
The remainder of this paper is structured as follows: In Section 2, we introduce key terms related to the IIoT and IT security and discuss related work. In Section 3, we present our research method. Next, we present the dimensions and characteristics of our taxonomy as the core of our work in Section 4. In Section 5, we present the evaluation results. After discussing theoretical and managerial implications in Section 6, we conclude by summarizing our results, limitations, and suggestions for future research in Section 7.
Section snippets
Theoretical background
In this section, we first provide key definitions related to the IIoT. We then introduce IT security terms and elaborate on differences between IIoT and conventional IT systems related to IT security. We conclude this section with a discussion of prior works on the classification of attacks.
Research method
Taxonomy development has been used successfully in multiple different contexts (e.g., Addas and Pinsonneault, 2015; Posey et al., 2013; Williams et al., 2008). Also called a ‘typology’ or ‘framework’, a taxonomy is a scheme that classifies (real-world) objects of interest on the basis of shared characteristics (Nickerson et al., 2013). Research and management both benefit from the systematic organization of knowledge “because the classification of objects helps researchers and practitioners
A Multi-layer Taxonomy of Attacks on the IIoT
In the following, we present our taxonomy, which consists of 3 layers, 8 dimensions, and 19 characteristics (Fig. 3). Apart from the characteristics within the vulnerability, IoT level, and consequence dimensions, all characteristics are mutually exclusive.
In accordance with recently published taxonomies (e.g., Gimpel et al. (2018)), we have enhanced the clarity of our taxonomy by introducing layers. For this, we examined existing frameworks that describe attacks using a high level of
Application and evaluation of the taxonomy
Once we had completed the development process, we evaluated the taxonomy: First, we conducted a feature comparison discussing our taxonomy's specification. Second, we classified our entire sample of 53 attacks and calculated object- and dimension-specific hit ratios in order to assess our taxonomy's reliability and validity. Third, we demonstrated our taxonomy's usefulness and practical relevance by applying it to the real-world use-case of an incident in a German steel factory.
For the feature
Theoretical implications
From an academic perspective, our results expand the descriptive knowledge of IIoT security, in general, and attacks on the IIoT, in particular, as they enable researchers to better understand the nature of attacks on the IIoT. Based on a common set of dimensions and characteristics, the primary value of the taxonomy is that it allows users to compare and distinguish attacks on the IIoT and examine complex incidents. We offer researchers and practitioners a comprehensive overview and common
Conclusion
The number of attacks on the IIoT – and so the threat to production – continues to increase, exacerbated by the high level of cross-linking and nodes with limited resources. Yet, attacks on the IIoT remain inadequately described and poorly understood. This hampers the current research in, and practice of, IT security. In response to this problem, we set out to capture the similarities and differences between attacks on the IIoT by applying a systematic, interdisciplinary approach and creating a
CRediT authorship contribution statement
Stephan Berger: Conceptualization, Methodology, Investigation, Validation, Writing - original draft, Writing - review & editing. Olga Bürger: Writing - review & editing, Validation, Writing - original draft. Maximilian Röglinger: Writing - review & editing, Supervision, Project administration.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgement
The presented research work is partially financed by the European Regional Development Fund (ERDF) and the Oberfrankenstiftung as supporters of the project Oberfranken 4.0 (20-3066-02-16). The co-authors are responsible for the contents of this publication.
References (141)
- et al. Internet of things security: a survey. J. Netw. Comput. Appl. (2017)
- et al. Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Comput. Secur. (2018)
- et al. The Internet of Things: A survey. Comput. Netw. (2010)
- et al. Cybersecurity for industrial control systems: a survey. Comput. Secur. (2020)
- Information security essentials for information technology managers: Protecting mission-critical systems. Computer and Information Security Handbook (2017)
- et al. Towards identifying and preventing behavioral side channel attack on recording attack resilient unaided authentication services. Comput. Secur. (2019)
- et al. Efficient DDoS flood attack detection using dynamic thresholding on flow-based network traffic. Comput. Secur. (2019)
- et al. Ontology-based knowledge representation for malware individuals and families. Comput. Secur. (2019)
- et al. Security testing: a survey. Advances in Computers (2016)
- et al. Internet of things (IoT): a vision, architectural elements, and future directions. Future Gener. Comput. Syst. (2013)
- TCP/IP security threats and attack methods. Comput. Commun.
- A taxonomy on misbehaving nodes in delay tolerant networks. Comput. Secur.
- Choices for interaction with things on internet and underlying issues. Ad Hoc Networks
- The qualitative interview in IS research: examining the craft. Inf. Org.
- Cyber security and the Internet of Things: Vulnerabilities, threats, intruders and attacks. J. Cyber Secur. Mobil.
- The many faces of information technology interruptions: a taxonomy and preliminary investigation of their performance effects. Inf. Syst. J.
- Internet of things: security vulnerabilities and challenges
- Modelling availability risks of IT threats in smart factory networks: a modular petri net approach
- Internet of things: architecture, security issues and countermeasures. Int. J. Comput. Appl.
- A Taxonomy of (Unix) System and Network Vulnerabilities: Technical Report CSE-951
- A quantitative model for information-security risk management. Eng. Manag. J.
- How virtualization, decentralization and network building change the manufacturing landscape: an Industry 4.0 perspective. Int. J. Mech. Aerosp. Industr. Mechatron. Manuf. Eng.
- Cyber-physical systems: imminent challenges
- On the practicality of motion based keystroke inference attack. Trustworthy Computing. Trust 2012. Lecture Notes in Computer Science
- Man-in-the-middle attack to the HTTPS protocol. IEEE Secur. Priv. Mag.
- Secure control: towards survivable cyber-physical systems
- Denial-of-service attack-detection techniques. IEEE Internet Comput.
- Hardware trojan: Threats and emerging solutions
- Defending against flooding-based distributed denial-of-service attacks: A tutorial. IEEE Commun. Mag.
- Throttling spoofed SYN flooding traffic at the source. Telecommun. Syst.
- Protection and Security on the Information Superhighway
- Synthesizing Research: A Guide for Literature Reviews
- Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks
- Typologies as a unique form of theory building: toward improved understanding and modeling. Acad. Manage. Rev.
- Controlling IP spoofing through interdomain packet filters. IEEE Trans. Dependable Secure Comput.
- A cyber-physical attack taxonomy for production systems: a quality control perspective. J. Intell. Manuf.
- Overview of cyber security in the industry 4.0 era. Industry 4.0: Managing the Digital Transformation
- IT project portfolio management - A structured literature review
- Evaluating critical security issues of the IoT world: Present and future challenges. IEEE Int. Things J.
- A study of password authentication method against observing attacks
- Port scan detection
- Comparative analysis of various ransomware virii. J. Comput. Virol.
- Case Studies and Theory Development in the Social Sciences
- Understanding FinTech start-ups – a taxonomy of consumer-oriented service offerings. Electronic Markets
- The nature of theory in information systems. MIS Q.
- Formal modelling and automatic detection of resource exhaustion attacks
Cited by (31)
Analysis of safety and security challenges and opportunities related to cyber-physical systems
2023, Process Safety and Environmental Protection
Attacking the trust machine: Developing an information systems research agenda for blockchain cybersecurity
2023, International Journal of Information Management
Citation Excerpt: Information security generally aligns along the C-I-A triangle comprising the goals of confidentiality, integrity, and availability (Whitman & Mattord, 2011). Research lately extended these foundational goals of information security to include authenticity, accountability, auditability, trustworthiness, non-repudiation, and privacy (Berger, Bürger, & Röglinger, 2020). Cybersecurity is broadly defined as “[t]he approach and actions associated with security risk management processes followed by organizations and states to protect confidentiality, integrity and availability of data and assets used in cyber space” (Schatz, Bashroush, & Wall, 2017, p. 66).
Software-defined network aided lightweight group key management for resource-constrained Internet of Things devices
2022, Sustainable Computing: Informatics and Systems
Citation Excerpt: A VSF is built to store the group credentials and SDN controller is used to set flow rules so that only group members can communicate. Another SDN centered server for horizontal end to end security management is proposed in [13] which uses an SDN centered key management server to distribute keys for inter and intra-group communication. The proposed scheme also uses an SDN centered Key Management Server (SDNKMS) to distribute keys to the groups formed in IoT applications in order to achieve a globalized control.
Security First, Security by Design, or Security Pragmatism – Strategic Roles of IT Security in Digitalization Projects
2022, Computers and Security
Citation Excerpt: To capitalize on the numerous advantages of digitalization, organizations strive to develop IT capabilities enhancing their digital maturity (Röglinger et al., 2018). Organizations whose core competence was not previously in digital solutions, such as industry or manufacturing, adapt digital technologies (e.g., IIoT) to enhance production flexibility or provide digital service-supported products (Margherita and Braccini, 2020; Berger et al., 2020; Rövekamp et al., 2022). Thereby, digitalization projects play a central role in leveraging digital technologies and enhancing digital maturity (Barthel and Hess, 2019; Gimpel et al., 2018; Barthel and Hess, 2020).
Industry 4.0 implementation: The relevance of sustainability and the potential social impact in a developing country
2022, Journal of Cleaner Production
Citation Excerpt: These results suggest that Industry 4.0 was only partially associated with sustainability in the minds of these experts, pointing out improving sustainability is not associated with an important point for these respondents. The term Industry 4.0 represents an assembly of different advanced and digital technologies (Calabrese et al., 2021; Wagner and Walton, 2016), aiming to improve operational processes to increase productivity and performance with higher level of customization and flexibility (Hermann et al., 2015), and the potential to bring new business models (Berger et al., 2020; Culot et al., 2020) that can impact traditional business. Although some authors affirm that Industry 4.0 could incorporate social and environmental dimensions (Ding et al., 2017; Hermann et al., 2015; Luthra et al., 2020) to promote social benefits (Ghobakhloo, 2020; Müller et al., 2018) and sustainability (Elkington, 1998, 2004), the results of this study indicate that companies are more motivated to implement Industry 4.0 for performance and productivity gains to increase competitiveness and not sustainability, especially with regard to its social dimension.
Stephan Berger is a research assistant at the Research Center Finance & Information Management (FIM) and at the Project Group Business & Information Systems Engineering of the Fraunhofer FIT. Stephan studied information-oriented Business Administration with a major in Finance & Information at the University of Augsburg (Germany). His research interests relate to the application of digital technologies in the context of Industry 4.0 and IT security. He has published articles in the Journal Information Systems Frontiers and the Proceedings of the European Conference on Information Systems.
Olga Bürger was a research assistant at the Research Center Finance & Information Management, University of Augsburg, Germany. Her research interests include open innovation and investments in IT innovations, and IT security in industrial IoT and data-driven value chains. Olga has published articles in journals like Decision Support Systems, R & D Management, and Journal of Decision Systems. In 2019, she finished her doctoral thesis in Business and Information Systems Engineering.
Maximilian Röglinger is a professor of Information Systems at the University of Bayreuth (Germany). He serves as Deputy Academic Director of the Research Center Finance & Information Management (FIM) and works with the Project Group Business & Information Systems Engineering of the Fraunhofer FIT. Most of Maximilian's work centers around business process management, customer relationship management, and digital transformation, including the Internet of Things. He publishes in journals like the Information Systems Journal, Business & Information Systems Engineering, Decision Support Systems, European Journal of Information Systems, Journal of the Association for Information Systems, and Journal of Strategic Information Systems.