Protecting industrial control systems against cyberattacks is crucial to counter escalating threats to critical infrastructure. To this end, Industrial Intrusion Detection Systems (IIDSs) provide an easily retrofittable approach to uncover attacks quickly and before they can cause significant damage. Current research focuses either on maximizing automation, usually through heavy use of machine learning, or on expert systems that rely on detailed knowledge of the monitored systems. While the former hinders the interpretability of alarms, the latter is impractical in real deployments due to excessive manual work for each individual deployment. To bridge the gap between maximizing automation and leveraging expert knowledge, we introduce GeCo, a novel IIDS based on automatically derived comprehensible models of benign system behavior. GeCo leverages state-space models mined from historical process data to minimize manual effort for operators while maintaining high detection performance and generalizability across diverse industrial domains. Our evaluation against state-of-the-art IIDSs and datasets demonstrates GeCo’s superior performance while remaining comprehensible and performing on par with expert-derived rules. GeCo represents a critical step towards empowering operators with control over their cybersecurity toolset, thereby enhancing the protection of valuable physical processes in industrial control systems and critical infrastructures.
@inproceedings{wolsing2025geco,author={Wolsing, Konrad and Wagner, Eric and Lux, Luisa and Wehrle, Klaus and Henze, Martin},title={{GeCos Replacing Experts: Generalizable and Comprehensible Industrial Intrusion Detection}},booktitle={Proceedings of the 34th USENIX Security Symposium (USENIX Sec)},year={2025},}
EuroS&P
CAIBA: Multicast Source Authentication for CAN Through Reactive Bit Flipping
Eric Wagner, Frederik Basels, Jan Bauer, Till Zimmermann, Klaus Wehrle, and Martin Henze
In Proceedings of the 2025 IEEE 10th European Symposium on Security and Privacy (EuroS&P), Jun 2025
Controller Area Networks (CANs) are the backbone for reliable intra-vehicular communication. Recent cyberattacks have, however, exposed the weaknesses of CAN, which was designed without any security considerations in the 1980s. Current efforts to retrofit security via intrusion detection or message authentication codes are insufficient to fully secure CAN as they cannot adequately protect against masquerading attacks, where a compromised communication device, a so-called electronic control units, imitates another device. To remedy this situation, multicast source authentication is required to reliably identify the senders of messages. In this paper, we present CAIBA, a novel multicast source authentication scheme specifically designed for communication buses like CAN. CAIBA relies on an authenticator overwriting authentication tags on-the-fly, such that a receiver only reads a valid tag if not only the integrity of a message but also its source can be verified. To integrate CAIBA into CAN, we devise a special message authentication scheme and a reactive bit overwriting mechanism. We achieve interoperability with legacy CAN devices, while protecting receivers implementing the AUTOSAR SecOC standard against masquerading attacks without communication overhead or verification delays.
@inproceedings{wagner2025caiba,author={Wagner, Eric and Basels, Frederik and Bauer, Jan and Zimmermann, Till and Wehrle, Klaus and Henze, Martin},title={{CAIBA: Multicast Source Authentication for CAN Through Reactive Bit Flipping}},booktitle={Proceedings of the 2025 IEEE 10th European Symposium on Security and Privacy (EuroS\&P)},year={2025}}
WiSec
Assessing the Latency of Network Layer Security in 5G Networks
In contrast to its predecessors, 5G supports a wide range of commercial, industrial, and critical infrastructure scenarios. One key feature of 5G, ultra-reliable low latency communication, is particularly appealing to such scenarios for its real-time capabilities. However, 5G’s enhanced security, mostly realized through optional security controls, imposes additional overhead on the network performance, potentially hindering its real-time capabilities. To better assess this impact and guide operators in choosing between different options, we measure the latency overhead of IPsec when applied over the N3 and the service-based interfaces to protect user and control plane data, respectively. Furthermore, we evaluate whether WireGuard constitutes an alternative to reduce this overhead. Our findings show that IPsec, if configured correctly, has minimal latency impact and thus is a prime candidate to secure real-time critical scenarios.
@inproceedings{michaelides2025latency,author={Michaelides, Sotiris and Mucke, Jonathan and Henze, Martin},title={{Assessing the Latency of Network Layer Security in 5G Networks}},booktitle={Proceedings of the 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)},doi={10.1145/3734477.3734722},year={2025}}
FGCS
Secure Integration of 5G in Industrial Networks: State of the Art, Challenges and Opportunities
The industrial landscape is undergoing a significant transformation, moving away from traditional wired fieldbus networks to cutting-edge 5G mobile networks. This transition, extending from local applications to company-wide use and spanning multiple factories, is driven by the promise of low-latency communication and seamless connectivity for various devices in industrial settings. However, besides these tremendous benefits, the integration of 5G as the communication infrastructure in industrial networks introduces a new set of risks and threats to the security of industrial systems. The inherent complexity of 5G systems poses unique challenges for ensuring a secure integration, surpassing those encountered with any technology previously utilized in industrial networks. Most importantly, the distinct characteristics of industrial networks, such as real-time operation, required safety guarantees, and high availability requirements, further complicate this task. As the industrial transition from wired to wireless networks is a relatively new concept, a lack of guidance and recommendations on securely integrating 5G renders many industrial systems vulnerable and exposed to threats associated with 5G. To address this situation, in this paper, we summarize the state-of-the-art and derive a set of recommendations for the secure integration of 5G into industrial networks based on a thorough analysis of the research landscape. Furthermore, we identify opportunities to utilize 5G to enhance security and indicate remaining challenges, identifying future academic directions.
@article{michaelides2025industry5G,author={Michaelides, Sotiris and Lenz, Stefan and Vogt, Thomas and Henze, Martin},title={{Secure Integration of 5G in Industrial Networks: State of the Art, Challenges and Opportunities}},journal={Future Generation Computer Systems},doi={10.1016/j.future.2024.107645},volume={166},year={2025},}
IJCIP
Simulation of Multi-Stage Attack and Defense Mechanisms in Smart Grids
Ömer Sen, Bozhidar Ivanov, Christian Kloos, Christoph Zöll, Philipp Lutat, Martin Henze, Andreas Ulbig, and Michael Andres
International Journal of Critical Infrastructure Protection, Mar 2025
The power grid is a vital infrastructure in modern society, essential for ensuring public safety and welfare. As it increasingly relies on digital technologies for its operation, it becomes more vulnerable to sophisticated cyber threats. These threats, if successful, could disrupt the grid’s functionality, leading to severe consequences. To mitigate these risks, it is crucial to develop effective protective measures, such as intrusion detection systems and decision support systems, that can detect and respond to cyber attacks. Machine learning methods have shown great promise in this area, but their effectiveness is often limited by the scarcity of high-quality data, primarily due to confidentiality and access issues. In response to this challenge, our work introduces an advanced simulation environment that replicates the power grid’s infrastructure and communication behavior. This environment enables the simulation of complex, multi-stage cyber attacks and defensive mechanisms, using attack trees to map the attacker’s steps and a game-theoretic approach to model the defender’s response strategies. The primary goal of this simulation framework is to generate a diverse range of realistic attack data that can be used to train machine learning algorithms for detecting and mitigating cyber attacks. Additionally, the environment supports the evaluation of new security technologies, including advanced decision support systems, by providing a controlled and flexible testing platform. Our simulation environment is designed to be modular and scalable, supporting the integration of new use cases and attack scenarios without relying heavily on external components. It enables the entire process of scenario generation, data modeling, data point mapping, and power flow simulation, along with the depiction of communication traffic, in a coherent process chain. This ensures that all relevant data needed for cyber security investigations, including the interactions between attacker and defender, are captured under consistent conditions and constraints. The simulation environment also includes a detailed modeling of communication protocols and grid operation management, providing insights into how attacks propagate through the network. The generated data are validated through laboratory tests, ensuring that the simulation reflects real-world conditions. These datasets are used to train machine learning models for intrusion detection and evaluate their performance, specifically focusing on how well they can detect complex attack patterns in power grid operations.
@article{sen2025simulation,author={Sen, {\"O}mer and Ivanov, Bozhidar and Kloos, Christian and Z{\"o}ll, Christoph and Lutat, Philipp and Henze, Martin and Ulbig, Andreas and Andres, Michael},title={{Simulation of Multi-Stage Attack and Defense Mechanisms in Smart Grids}},journal={International Journal of Critical Infrastructure Protection},doi={10.1016/j.ijcip.2024.100727},volume={48},year={2025},}
2024
CSNet Poster
Adaptive Optimization of TLS Overhead for Wireless Communication in Critical Infrastructure
With critical infrastructure increasingly relying on wireless communication, using end-to-end security such as TLS becomes imperative. However, TLS introduces significant overhead for resource-constrained devices and networks prevalent in critical infrastructure. In this paper, we propose to leverage the degrees of freedom in configuring TLS to dynamically adapt algorithms, parameters, and other settings to best meet the currently occurring resource and security constraints in a wireless communication scenario. Consequently, we can make the best use of scarce resources to provide tightened security for wireless networks in critical infrastructure.
@inproceedings{bodenhausen2024adaptive,author={Bodenhausen, J{\"o}rn and Grote, Laurenz and Rademacher, Michael and Henze, Martin},title={{Adaptive Optimization of TLS Overhead for Wireless Communication in Critical Infrastructure}},booktitle={Proceedings of the 2024 8th Cyber Security in Networking Conference (CSNet) - Poster Session},doi={10.1109/CSNet64211.2024.10851719},year={2024}}
CSET
Introducing a Comprehensive, Continuous, and Collaborative Survey of Intrusion Detection Datasets
Philipp Bönninghausen, Rafael Uetz, and Martin Henze
In Proceedings of the 17th Cyber Security Experimentation and Test Workshop (CSET), Aug 2024
Researchers in the highly active field of intrusion detection largely rely on public datasets for their experimental evaluations. However, the large number of existing datasets, the discovery of previously unknown flaws therein, and the frequent publication of new datasets make it hard to select suitable options and sufficiently understand their respective limitations. Hence, there is a great risk of drawing invalid conclusions from experimental results with respect to detection performance of novel methods in the real world. While there exist various surveys on intrusion detection datasets, they have deficiencies in providing researchers with a profound decision basis since they lack comprehensiveness, actionable details, and up-to-dateness. In this paper, we present Comidds, an ongoing effort to comprehensively survey intrusion detection datasets with an unprecedented level of detail, implemented as a website backed by a public GitHub repository. Comidds allows researchers to quickly identify suitable datasets depending on their requirements and provides structured and critical information on each dataset, including actual data samples and links to relevant publications. Comidds is freely accessible, regularly updated, and open to contributions.
@inproceedings{boenninghausen2024commids,author={B{\"o}nninghausen, Philipp and Uetz, Rafael and Henze, Martin},title={{Introducing a Comprehensive, Continuous, and Collaborative Survey of Intrusion Detection Datasets}},booktitle={Proceedings of the 17th Cyber Security Experimentation and Test Workshop (CSET)},doi={10.1145/3675741.3675754},year={2024},}
USENIX Sec
You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks
Rafael Uetz, Marco Herzog, Louis Hackländer, Simon Schwarz, and Martin Henze
In Proceedings of the 33rd USENIX Security Symposium (USENIX Sec), Aug 2024
Cyberattacks have grown into a major risk for organizations, with common consequences being data theft, sabotage, and extortion. Since preventive measures do not suffice to repel attacks, timely detection of successful intruders is crucial to stop them from reaching their final goals. For this purpose, many organizations utilize Security Information and Event Management (SIEM) systems to centrally collect security-related events and scan them for attack indicators using expert-written detection rules. However, as we show by analyzing a set of widespread SIEM detection rules, adversaries can evade almost half of them easily, allowing them to perform common malicious actions within an enterprise network without being detected. To remedy these critical detection blind spots, we propose the idea of adaptive misuse detection, which utilizes machine learning to compare incoming events to SIEM rules on the one hand and known-benign events on the other hand to discover successful evasions. Based on this idea, we present AMIDES, an open-source proof-of-concept adaptive misuse detection system. Using four weeks of SIEM events from a large enterprise network and more than 500 hand-crafted evasions, we show that AMIDES successfully detects a majority of these evasions without any false alerts. In addition, AMIDES eases alert analysis by assessing which rules were evaded. Its computational efficiency qualifies AMIDES for real-world operation and hence enables organizations to significantly reduce detection blind spots with moderate effort.
@inproceedings{uetz2024amides,author={Uetz, Rafael and Herzog, Marco and Hackl{\"a}nder, Louis and Schwarz, Simon and Henze, Martin},title={{You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks}},booktitle={Proceedings of the 33rd USENIX Security Symposium (USENIX Sec)},year={2024},}
ASIA CCS
Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication
Eric Wagner, David Heye, Martin Serror, Ike Kunze, Klaus Wehrle, and Martin Henze
In Proceedings of the 19th ACM ASIA Conference on Computer and Communications Security (ASIA CCS), Jul 2024
Industrial control systems increasingly rely on middlebox functionality such as intrusion detection or in-network processing. However, traditional end-to-end security protocols interfere with the necessary access to in-flight data. While recent work on middlebox-aware end-to-end security protocols for the traditional Internet promises to address the dilemma between end-to-end security guarantees and middleboxes, the current state-of-the-art lacks critical features for industrial communication. Most importantly, industrial settings require fine-grained access control for middleboxes to truly operate in a least-privilege mode. Likewise, advanced applications even require that middleboxes can inject specific messages (e.g., emergency shutdowns). Meanwhile, industrial scenarios often expose tight latency and bandwidth constraints not found in the traditional Internet. As the current state-of-the-art misses critical features, we propose Middlebox-aware DTLS (Madtls), a middlebox-aware end-to-end security protocol specifically tailored to the needs of industrial networks. Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.
@inproceedings{wagner2024madtls,author={Wagner, Eric and Heye, David and Serror, Martin and Kunze, Ike and Wehrle, Klaus and Henze, Martin},title={{Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication}},booktitle={Proceedings of the 19th ACM ASIA Conference on Computer and Communications Security (ASIA CCS)},doi={10.1145/3634737.3637640},year={2024}}
NOMS
Unconsidered Installations: Discovering IoT Deployments in the IPv6 Internet
Markus Dahlmanns, Felix Heidenreich, Johannes Lohmöller, Jan Pennekamp, Klaus Wehrle, and Martin Henze
In Proceedings of the 2024 IEEE/IFIP Network Operations and Management Symposium (NOMS), May 2024
Internet-wide studies provide extremely valuable insight into how operators manage their Internet of Things (IoT) deployments in reality and often reveal grievances, e.g., significant security issues. However, while IoT devices often use IPv6, past studies resorted to comprehensively scan the IPv4 address space. To fully understand how the IoT and all its services and devices is operated, including IPv6-reachable deployments is inevitable – although scanning the entire IPv6 address space is infeasible. In this paper, we close this gap and examine how to discover IPv6-reachable IoT deployments. Using three sources of active IPv6 addresses and eleven address generators, we discovered 6658 IoT deployments. We derive that the available address sources are a good starting point for finding IoT deployments. Additionally, we show that using two address generators is sufficient to cover most found deployments. Assessing the security of the deployments, we surprisingly find similar issues as in the IPv4 Internet, although IPv6 deployments might be newer and generally more up-to-date: Only 39 % of deployments have access control in place and only 6.2 % make use of TLS inviting attackers, e.g., to eavesdrop sensitive data.
@inproceedings{dahlmanns2024ipv6,author={Dahlmanns, Markus and Heidenreich, Felix and Lohm{\"o}ller, Johannes and Pennekamp, Jan and Wehrle, Klaus and Henze, Martin},title={{Unconsidered Installations: Discovering IoT Deployments in the IPv6 Internet}},booktitle={Proceedings of the 2024 IEEE/IFIP Network Operations and Management Symposium (NOMS)},year={2024},doi={10.1109/NOMS59830.2024.10574963},}
ACNS
When and How to Aggregate Message Authentication Codes on Lossy Channels?
Eric Wagner, Martin Serror, Klaus Wehrle, and Martin Henze
In Proceedings of the 22nd Conference on Applied Cryptography and Network Security (ACNS), Mar 2024
Aggregation of message authentication codes (MACs) is a proven and efficient method to preserve valuable bandwidth in resource-constrained environments: Instead of appending a long authentication tag to each message, the integrity protection of multiple messages is aggregated into a single tag. However, while such aggregation saves bandwidth, a single lost message typically means that authentication information for multiple messages cannot be verified anymore. With the significant increase of bandwidth-constrained lossy communication, as applications shift towards wireless channels, it thus becomes paramount to study the impact of packet loss on the diverse MAC aggregation schemes proposed over the past 15 years to assess when and how to aggregate message authentication. Therefore, we empirically study all relevant MAC aggregation schemes in the context of lossy channels, investigating achievable goodput improvements, the resulting verification delays, processing overhead, and resilience to denial-of-service attacks. Our analysis shows the importance of carefully choosing and configuring MAC aggregation, as selecting and correctly parameterizing the right scheme can, e.g., improve goodput by 39 % to 444 %, depending on the scenario. However, since no aggregation scheme performs best in all scenarios, we provide guidelines for network operators to select optimal schemes and parameterizations suiting specific network settings.
@inproceedings{wagner2024aggregate,author={Wagner, Eric and Serror, Martin and Wehrle, Klaus and Henze, Martin},title={{When and How to Aggregate Message Authentication Codes on Lossy Channels?}},booktitle={Proceedings of the 22nd Conference on Applied Cryptography and Network Security (ACNS)},doi={10.1007/978-3-031-54773-7_10},year={2024},}
Illicit Blockchain Content: Its Different Shapes, Consequences, and Remedies
Roman Matzutt, Martin Henze, Dirk Müllmann, and Klaus Wehrle
In Blockchains – A Handbook on Fundamentals, Platforms and Applications, Mar 2024
Augmenting public blockchains with arbitrary, nonfinancial content fuels novel applications that facilitate the interactions between mutually distrusting parties. However, new risks emerge at the same time when illegal content is added. This chapter thus provides a holistic overview of the risks of content insertion as well as proposed countermeasures. We first establish a simple framework for how content is added to the blockchain and subsequently distributed across the blockchain’s underlying peer-to-peer network. We then discuss technical as well as legal implications of this form of content distribution and give a systematic overview of basic methods and high-level services for inserting arbitrary blockchain content. Afterward, we assess to which extent these methods and services have been used in the past on the blockchains of Bitcoin Core, Bitcoin Cash, and Bitcoin SV, respectively. Based on this assessment of the current state of (unwanted) blockchain content, we discuss (a) countermeasures to mitigate its insertion, (b) how pruning blockchains relates to this issue, and (c) how strategically weakening the otherwise desired immutability of a blockchain allows for redacting objectionable content. We conclude this chapter by identifying future research directions in the domain of blockchain content insertion.
@incollection{matzutt2024blockchaincontent,author={Matzutt, Roman and Henze, Martin and M{\"u}llmann, Dirk and Wehrle, Klaus},title={{Illicit Blockchain Content: Its Different Shapes, Consequences, and Remedies}},booktitle={Blockchains -- A Handbook on Fundamentals, Platforms and Applications},publisher={Springer},year={2024},doi={10.1007/978-3-031-32146-7_10}}
ACNS Poster
Towards Secure 5G Infrastructures for Production Systems
Martin Henze, Maximilian Ortmann, Thomas Vogt, Osman Ugus, Kai Hermann, Svenja Nohr, Zeren Lu, Sotiris Michaelides, Angela Massonet, and Robert H. Schmitt
In Proceedings of the 22nd Conference on Applied Cryptography and Network Security (ACNS) – Poster Session, Mar 2024
To meet the requirements of modern production, industrial communication increasingly shifts from wired fieldbus to wireless 5G communication. Besides tremendous benefits, this shift introduces severe novel risks, ranging from limited reliability over new security vulnerabilities to a lack of accountability. To address these risks, we present approaches to (i) prevent attacks through authentication and redundant communication, (ii) detect anomalies and jamming, and (iii) respond to detected attacks through device exclusion and accountability measures.
@inproceedings{henze2024sierra,author={Henze, Martin and Ortmann, Maximilian and Vogt, Thomas and Ugus, Osman and Hermann, Kai and Nohr, Svenja and Lu, Zeren and Michaelides, Sotiris and Massonet, Angela and Schmitt, Robert H.},title={{Towards Secure 5G Infrastructures for Production Systems}},booktitle={Proceedings of the 22nd Conference on Applied Cryptography and Network Security (ACNS) – Poster Session},doi={10.1007/978-3-031-61489-7_14},year={2024}}
2023
MobiQuitous
Securing Wireless Communication in Critical Infrastructure: Challenges and Opportunities
Jörn Bodenhausen, Christian Sorgatz, Thomas Vogt, Kolja Grafflage, Sebastian Rötzel, Michael Rademacher, and Martin Henze
In Proceedings of the 20th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (MobiQuitous), Nov 2023
Critical infrastructure constitutes the foundation of every society. While traditionally solely relying on dedicated cable-based communication, this infrastructure rapidly transforms to highly digitized and interconnected systems which increasingly rely on wireless communication. Besides providing tremendous benefits, especially affording the easy, cheap, and flexible interconnection of a large number of assets spread over larger geographic areas, wireless communication in critical infrastructure also raises unique security challenges. Most importantly, the shift from dedicated private wired networks to heterogeneous wireless communication over public and shared networks requires significantly more involved security measures. In this paper, we identify the most relevant challenges resulting from the use of wireless communication in critical infrastructure and use those to identify a comprehensive set of promising opportunities to preserve the high security standards of critical infrastructure even when switching from wired to wireless communication.
@inproceedings{bodenhausen2023challenges,author={Bodenhausen, J{\"o}rn and Sorgatz, Christian and Vogt, Thomas and Grafflage, Kolja and R{\"o}tzel, Sebastian and Rademacher, Michael and Henze, Martin},title={{Securing Wireless Communication in Critical Infrastructure: Challenges and Opportunities}},booktitle={Proceedings of the 20th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (MobiQuitous)},doi={10.1007/978-3-031-63989-0_17},year={2023}}
LCN
Retrofitting Integrity Protection into Unused Header Fields of Legacy Industrial Protocols
Eric Wagner, Nils Rothaug, Konrad Wolsing, Lennart Bader, Klaus Wehrle, and Martin Henze
In Proceedings of the 48th IEEE Conference on Local Computer Networks (LCN), Oct 2023
Industrial networks become increasingly interconnected, which opens the floodgates for cyberattacks on legacy networks designed without security in mind. Consequently, the vast landscape of legacy industrial communication protocols urgently demands a universal solution to integrate security features retroactively. However, current proposals are hardly adaptable to new scenarios and protocols, even though most industrial protocols share a common theme: Due to their progressive development, previously important legacy features became irrelevant and resulting unused protocol fields now offer a unique opportunity for retrofitting security. Our analysis of three prominent protocols shows that headers offer between 36 and 63 bits of unused space. To take advantage of this space, we designed the REtrofittable ProtEction Library (RePeL), which supports embedding authentication tags into arbitrary combinations of unused header fields. We show that RePeL incurs negligible overhead beyond the cryptographic processing, which can be adapted to hit performance targets or fulfill legal requirements.
@inproceedings{wagner2023repel,author={Wagner, Eric and Rothaug, Nils and Wolsing, Konrad and Bader, Lennart and Wehrle, Klaus and Henze, Martin},title={{Retrofitting Integrity Protection into Unused Header Fields of Legacy Industrial Protocols}},booktitle={Proceedings of the 48th IEEE Conference on Local Computer Networks (LCN)},doi={10.1109/LCN58197.2023.10223384},year={2023}}
JSys
SoK: Evaluations in Industrial Intrusion Detection Research
Olav Lamberts, Konrad Wolsing, Eric Wagner, Jan Pennekamp, Jan Bauer, Klaus Wehrle, and Martin Henze
Industrial systems are increasingly threatened by cyberattacks with potentially disastrous consequences. To counter such attacks, industrial intrusion detection systems strive to timely uncover even the most sophisticated breaches. Due to its criticality for society, this fast-growing field attracts researchers from diverse backgrounds, resulting in 130 new detection approaches in 2021 alone. This huge momentum facilitates the exploration of diverse promising paths but likewise risks fragmenting the research landscape and burying promising progress. Consequently, it needs sound and comprehensible evaluations to mitigate this risk and catalyze efforts into sustainable scientific progress with real-world applicability. In this paper, we therefore systematically analyze the evaluation methodologies of this field to understand the current state of industrial intrusion detection research. Our analysis of 609 publications shows that the rapid growth of this research field has positive and negative consequences. While we observe an increased use of public datasets, publications still only evaluate 1.3 datasets on average, and frequently used benchmarking metrics are ambiguous. At the same time, the adoption of newly developed benchmarking metrics sees little advancement. Finally, our systematic analysis enables us to provide actionable recommendations for all actors involved and thus bring the entire research field forward.
@article{lamberts2023evaluations,author={Lamberts, Olav and Wolsing, Konrad and Wagner, Eric and Pennekamp, Jan and Bauer, Jan and Wehrle, Klaus and Henze, Martin},title={{SoK: Evaluations in Industrial Intrusion Detection Research}},journal={Journal of Systems Research},volume={3},number={1},doi={10.5070/SR33162445},year={2023},}
ISGT-Europe
Benchmark Evaluation of Anomaly-Based Intrusion Detection Systems in the Context of Smart Grids
Ömer Sen, Simon Glomb, Martin Henze, and Andreas Ulbig
In Proceedings of the 2023 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), Oct 2023
The increasing digitization of smart grids has made addressing cybersecurity issues crucial in order to secure the power supply. Anomaly detection has emerged as a key technology for cybersecurity in smart grids, enabling the detection of unknown threats. Many research efforts have proposed various machine-learning-based approaches for anomaly detection in grid operations. However, there is a need for a reproducible and comprehensive evaluation environment to investigate and compare different approaches to anomaly detection. The assessment process is highly dependent on the specific application and requires an evaluation that considers representative datasets from the use case as well as the specific characteristics of the use case. In this work, we present an evaluation environment for anomaly detection methods in smart grids that facilitates reproducible and comprehensive evaluation of different anomaly detection methods.
@inproceedings{sen2023benchmark,author={Sen, {\"O}mer and Glomb, Simon and Henze, Martin and Ulbig, Andreas},title={{Benchmark Evaluation of Anomaly-Based Intrusion Detection Systems in the Context of Smart Grids}},booktitle={Proceedings of the 2023 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe)},doi={10.1109/ISGTEUROPE56780.2023.10407262},year={2023},}
CyberICPS
METRICS: A Methodology for Evaluating and Testing the Resilience of Industrial Control Systems to Cyberattacks
Lennart Bader, Eric Wagner, Martin Henze, and Martin Serror
In Proceedings of the 8th Workshop on the Security of Industrial Control Systems & of Cyber-Physical Systems (CyberICPS), Sep 2023
The increasing digitalization and interconnectivity of industrial control systems (ICSs) create enormous benefits, such as enhanced productivity and flexibility, but also amplify the impact of cyberattacks. Cybersecurity research thus continuously needs to adapt to new threats while proposing comprehensive security mechanisms for the ICS domain. As a prerequisite, researchers need to understand the resilience of ICSs against cyberattacks by systematically testing new security approaches without interfering with productive systems. Therefore, one possibility for such evaluations is using already available ICS testbeds and datasets. However, the heterogeneity of the industrial landscape poses great challenges to obtaining comparable and transferable results. In this paper, we propose to bridge this gap with METRICS, a methodology for systematic resilience evaluation of ICSs. METRICS complements existing ICS testbeds by enabling the configuration of measurement campaigns for comprehensive resilience evaluations. Therefore, the user specifies individual evaluation scenarios consisting of cyberattacks and countermeasures while facilitating manual and automatic interventions. Moreover, METRICS provides domain-agnostic evaluation capabilities to achieve comparable results, which user-defined domain-specific metrics can complement. We apply the methodology in a use case study with the power grid simulator Wattson, demonstrating its effectiveness in providing valuable insights for security practitioners and researchers.
@inproceedings{bader2023metrics,author={Bader, Lennart and Wagner, Eric and Henze, Martin and Serror, Martin},title={{METRICS: A Methodology for Evaluating and Testing the Resilience of Industrial Control Systems to Cyberattacks}},booktitle={Proceedings of the 8th Workshop on the Security of Industrial Control Systems \& of Cyber-Physical Systems (CyberICPS)},doi={10.1007/978-3-031-54204-6_2},year={2023}}
ESORICS
One IDS is not Enough! Exploring Ensemble Learning for Industrial Intrusion Detection
Konrad Wolsing, Dominik Kus, Eric Wagner, Jan Pennekamp, Klaus Wehrle, and Martin Henze
In Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS), Sep 2023
Industrial Intrusion Detection Systems (IIDSs) play a critical role in safeguarding Industrial Control Systems (ICSs) against targeted cyberattacks. Unsupervised anomaly detectors, capable of learning the expected behavior of physical processes, have proven effective in detecting even novel cyberattacks. While offering decent attack detection, these systems, however, still suffer from too many False-Positive Alarms (FPAs) that operators need to investigate, eventually leading to alarm fatigue. To address this issue, in this paper, we challenge the notion of relying on a single IIDS and explore the benefits of combining multiple IIDSs. To this end, we examine the concept of ensemble learning, where a collection of classifiers (IIDSs in our case) are combined to optimize attack detection and reduce FPAs. While training ensembles for supervised classifiers is relatively straightforward, retaining the unsupervised nature of IIDSs proves challenging. In that regard, novel time-aware ensemble methods that incorporate temporal correlations between alerts and transfer-learning to best utilize the scarce training data constitute viable solutions. By combining diverse IIDSs, the detection performance can be improved beyond the individual approaches with close to no FPAs, resulting in a promising path for strengthening ICS cybersecurity.
@inproceedings{wolsing2023ensemble,author={Wolsing, Konrad and Kus, Dominik and Wagner, Eric and Pennekamp, Jan and Wehrle, Klaus and Henze, Martin},title={{One IDS is not Enough! Exploring Ensemble Learning for Industrial Intrusion Detection}},booktitle={Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS)},doi={10.1007/978-3-031-51476-0_6},year={2023},}
SEST
Investigation of Multi-stage Attack and Defense Simulation for Data Synthesis
Ömer Sen, Bozhidar Ivanov, Martin Henze, and Andreas Ulbig
In Proceedings of the 6th International Conference on Smart Energy Systems and Technologies (SEST), Sep 2023
The power grid is a critical infrastructure that plays a vital role in modern society. Its availability is of utmost importance, as a loss can endanger human lives. However, with the increasing digitalization of the power grid, it also becomes vulnerable to new cyberattacks that can compromise its availability. To counter these threats, intrusion detection systems are developed and deployed to detect cyberattacks targeting the power grid. Among intrusion detection systems, anomaly detection models based on machine learning have shown potential in detecting unknown attack vectors. However, the scarcity of data for training these models remains a challenge due to confidentiality concerns. To overcome this challenge, this study proposes a model for generating synthetic data of multi-stage cyber attacks in the power grid, using attack trees to model the attacker’s sequence of steps and a game-theoretic approach to incorporate the defender’s actions. This model aims to create diverse attack data on which machine learning algorithms can be trained.
@inproceedings{sen2023investigation,author={Sen, {\"O}mer and Ivanov, Bozhidar and Henze, Martin and Ulbig, Andreas},title={{Investigation of Multi-stage Attack and Defense Simulation for Data Synthesis}},booktitle={Proceedings of the 6th International Conference on Smart Energy Systems and Technologies (SEST)},year={2023},doi={10.1109/SEST57387.2023.10257329}}
EuroS&P
Comprehensively Analyzing the Impact of Cyberattacks on Power Grids
Lennart Bader, Martin Serror, Olav Lamberts, Ömer Sen, Dennis van der Velde, Immanuel Hacker, Julian Filter, Elmar Padilla, and Martin Henze
In Proceedings of the 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), Jul 2023
The increasing digitalization of power grids and especially the shift towards IP-based communication drastically increase the susceptibility to cyberattacks, potentially leading to blackouts and physical damage. Understanding the involved risks, the interplay of communication and physical assets, and the effects of cyberattacks are paramount for the uninterrupted operation of this critical infrastructure. However, as the impact of cyberattacks cannot be researched in real-world power grids, current efforts tend to focus on analyzing isolated aspects at small scales, often covering only either physical or communication assets. To fill this gap, we present WATTSON, a comprehensive research environment that facilitates reproducing, implementing, and analyzing cyberattacks against power grids and, in particular, their impact on both communication and physical processes. We validate WATTSON’s accuracy against a physical testbed and show its scalability to realistic power grid sizes. We then perform authentic cyberattacks, such as Industroyer, within the environment and study their impact on the power grid’s energy and communication side. Besides known vulnerabilities, our results reveal the ripple effects of susceptible communication on complex cyber-physical processes and thus lay the foundation for effective countermeasures.
@inproceedings{bader2023wattson,author={Bader, Lennart and Serror, Martin and Lamberts, Olav and Sen, {\"O}mer and van der Velde, Dennis and Hacker, Immanuel and Filter, Julian and Padilla, Elmar and Henze, Martin},title={{Comprehensively Analyzing the Impact of Cyberattacks on Power Grids}},booktitle={Proceedings of the 2023 IEEE 8th European Symposium on Security and Privacy (EuroS\&P)},year={2023},doi={10.1109/EuroSP57164.2023.00066}}
CAiSE
Designing Secure and Privacy-Preserving Information Systems for Industry Benchmarking
Jan Pennekamp, Johannes Lohmöller, Eduard Vlad, Joscha Loos, Niklas Rodemann, Patrick Sapel, Ina Berenice Fink, Seth Schmitz, Christian Hopmann, Matthias Jarke, Günther Schuh, Klaus Wehrle, and Martin Henze
In Proceedings of the 35th International Conference on Advanced Information Systems Engineering (CAiSE), Jun 2023
Benchmarking is an essential tool for industrial organizations to identify potentials that allows them to improve their competitive position through operational and strategic means. However, the handling of sensitive information, in terms of (i) internal company data and (ii) the underlying algorithm to compute the benchmark, demands strict (technical) confidentiality guarantees—an aspect that existing approaches fail to address adequately. Still, advances in private computing provide us with building blocks to reliably secure even complex computations and their inputs, as present in industry benchmarks. In this paper, we thus compare two promising and fundamentally different concepts (hardware- and software-based) to realize privacy-preserving benchmarks. Thereby, we provide detailed insights into the concept-specific benefits. Our evaluation of two real-world use cases from different industries underlines that realizing and deploying secure information systems for industry benchmarking is possible with today’s building blocks from private computing.
@inproceedings{pennekamp2023benchmarking,author={Pennekamp, Jan and Lohm{\"o}ller, Johannes and Vlad, Eduard and Loos, Joscha and Rodemann, Niklas and Sapel, Patrick and Fink, Ina Berenice and Schmitz, Seth and Hopmann, Christian and Jarke, Matthias and Schuh, G{\"u}nther and Wehrle, Klaus and Henze, Martin},title={{Designing Secure and Privacy-Preserving Information Systems for Industry Benchmarking}},booktitle={Proceedings of the 35th International Conference on Advanced Information Systems Engineering (CAiSE)},doi={10.1007/978-3-031-34560-9_29},year={2023},}
PowerTech
An Approach To Abstract Multi-Stage Cyberattack Data Generation For ML-based IDS In Smart Grids
Ömer Sen, Philipp Malskorn, Simon Glomb, Immanuel Hacker, Martin Henze, and Andreas Ulbig
In Proceedings of 2023 IEEE Belgrade PowerTech, Jun 2023
Power grids are becoming more digitized resulting in new opportunities for the grid operation but also new challenges, such as new threats from the cyber-domain. To address these challenges, cybersecurity solutions are being considered in the form of preventive, detective, and reactive measures. Machine learning-based intrusion detection systems are used as part of detection efforts to detect and defend against cyberattacks. However, training and testing data are often not available or suitable for use in machine learning models for detecting multistage cyberattacks in smart grids. In this paper, we propose a method to generate synthetic data in the form using a graphbased approach for training machine learning models in smart grids. We use an abstract form of multi-stage cyberattacks defined via graph formulations and simulate the propagation behavior of attacks in the network. The results showed that machine learning models trained on synthetic data can accurately
@inproceedings{sen2023generation,author={Sen, {\"O}mer and Malskorn, Philipp and Glomb, Simon and Hacker, Immanuel and Henze, Martin and Ulbig, Andreas},title={{An Approach To Abstract Multi-Stage Cyberattack Data Generation For ML-based IDS In Smart Grids}},booktitle={Proceedings of 2023 IEEE Belgrade PowerTech},year={2023},doi={10.1109/PowerTech55446.2023.10202747}}
CIRED
A Cyber-Physical Digital Twin Approach to Replicating Realistic Multi-Stage Cyberattacks on Smart Grids
Ömer Sen, Nathalie Bleser, Martin Henze, and Andreas Ulbig
In Proceedings of the 2023 International Conference on Electricity Distribution (CIRED), Jun 2023
The integration of information and communication technology in distribution grids presents opportunities for active grid operation management, but also increases the need for security against power outages and cyberattacks. This paper examines the impact of cyberattacks on smart grids by replicating the power grid in a secure laboratory environment as a cyber-physical digital twin. A simulation is used to study communication infrastructures for secure operation of smart grids. The cyber-physical digital twin approach combines communication network emulation and power grid simulation in a common modular environment, and is demonstrated through laboratory tests and attack replications.
@inproceedings{sen2023digitaltwin,author={Sen, {\"O}mer and Bleser, Nathalie and Henze, Martin and Ulbig, Andreas},title={{A Cyber-Physical Digital Twin Approach to Replicating Realistic Multi-Stage Cyberattacks on Smart Grids}},booktitle={Proceedings of the 2023 International Conference on Electricity Distribution (CIRED)},year={2023},doi={10.1049/icp.2023.0614}}
Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead
Jan Pennekamp, Anastasiia Belova, Thomas Bergs, Matthias Bodenbenner, Andreas Bührig-Polaczek, Markus Dahlmanns, Ike Kunze, Moritz Kröger, Sandra Geisler, Martin Henze, Daniel Lütticke, Benjamin Montavon, Philipp Niemietz, Lucia Ortjohann, Maximilian Rudack, Robert H. Schmitt, Uwe Vroomen, Klaus Wehrle, and Michael Zeng
In Internet of Production: Fundamentals, Applications and Proceedings, Feb 2023
The Internet of Production (IoP) leverages concepts such as digital shadows, data lakes, and a World Wide Lab (WWL) to advance today’s production. Consequently, it requires a technical infrastructure that can support the agile deployment of these concepts and corresponding high-level applications, which, e.g., demand the processing of massive data in motion and at rest. As such, key research aspects are the support for low-latency control loops, concepts on scalable data stream processing, deployable information security, and semantically rich and efficient long-term storage. In particular, such an infrastructure cannot continue to be limited to machines and sensors, but additionally needs to encompass networked environments: production cells, edge computing, and location-independent cloud infrastructures. Finally, in light of the envisioned WWL, i.e., the interconnection of production sites, the technical infrastructure must be advanced to support secure and privacy-preserving industrial collaboration. To evolve today’s production sites and lay the infrastructural foundation for the IoP, we identify five broad streams of research: (1) adapting data and stream processing to heterogeneous data from distributed sources, (2) ensuring data interoperability between systems and production sites, (3) exchanging and sharing data with different stakeholders, (4) network security approaches addressing the risks of increasing interconnectivity, and (5) security architectures to enable secure and privacy-preserving industrial collaboration. With our research, we evolve the underlying infrastructure from isolated, sparsely networked production sites toward an architecture that supports high-level applications and sophisticated digital shadows while facilitating the transition toward a WWL.
@incollection{pennekamp2023iop,author={Pennekamp, Jan and Belova, Anastasiia and Bergs, Thomas and Bodenbenner, Matthias and B{\"u}hrig-Polaczek, Andreas and Dahlmanns, Markus and Kunze, Ike and Kr{\"o}ger, Moritz and Geisler, Sandra and Henze, Martin and L{\"u}tticke, Daniel and Montavon, Benjamin and Niemietz, Philipp and Ortjohann, Lucia and Rudack, Maximilian and Schmitt, Robert H. and Vroomen, Uwe and Wehrle, Klaus and Zeng, Michael},title={{Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead}},booktitle={Internet of Production: Fundamentals, Applications and Proceedings},editor={Brecher, Christian and Schuh, G{\"u}nther and van der Aalst, Wil and Jarke, Matthias and Piller, Frank T. and Padberg, Melanie},publisher={Springer},year={2023},doi={10.1007/978-3-030-98062-7_2-1}}
2022
SEGAN
On Using Contextual Correlation to Detect Multi-stage Cyber Attacks in Smart Grids
Ömer Sen, Dennis van der Velde, Katharina A. Wehrmeister, Immanuel Hacker, Martin Henze, and Michael Andres
While the digitization of the distribution grids brings numerous benefits to grid operations, it also increases the risks imposed by serious cyber security threats such as coordinated, timed attacks. Addressing this new threat landscape requires an advanced security approach beyond established preventive IT security measures such as encryption, network segmentation, or access control. Here, detective capabilities and reactive countermeasures as part of incident response strategies promise to complement nicely the security-by-design approach by providing cyber security situational awareness. However, manually evaluating extensive cyber intelligence within a reasonable timeframe requires an unmanageable effort to process a large amount of cross-domain information. An automated procedure is needed to systematically process and correlate the various cyber intelligence to correctly assess the situation to reduce the manuel effort and support security operations. In this paper, we present an approach that leverages cyber intelligence from multiple sources to detect multi-stage cyber attacks that threaten the smart grid. We investigate the detection quality of the presented correlation approach and discuss the results to highlight the challenges in automated methods for contextual assessment and understanding of the cyber security situation.
@article{sen2022contextual,author={Sen, {\"O}mer and van der Velde, Dennis and Wehrmeister, Katharina A. and Hacker, Immanuel and Henze, Martin and Andres, Michael},title={{On Using Contextual Correlation to Detect Multi-stage Cyber Attacks in Smart Grids}},journal={Sustainable Energy, Grids and Networks},volume={32},year={2022},doi={10.1016/j.segan.2022.100821}}
CUMUL & Co: High-Impact Artifacts for Website Fingerprinting Research
Jan Pennekamp, Martin Henze, Andreas Zinnen, Fabian Lanze, Klaus Wehrle, and Andriy Panchenko
Anonymous communication on the Internet is about hiding the relationship between communicating parties. At NDSS ’16, we presented a new website fingerprinting approach, CUMUL, that utilizes novel features and a simple yet powerful algorithm to attack anonymization networks such as Tor. Based on pattern observation of data flows, this attack aims at identifying the content of encrypted and anonymized connections. Apart from the feature generation and the used classifier, we also provided a large dataset to the research community to study the attack at Internet scale. In this paper, we emphasize the impact of our artifacts by analyzing publications referring to our work with respect to the dataset, feature extraction method, and source code of the implementation. Based on this data, we draw conclusions about the impact of our artifacts on the research field and discuss their influence on related cybersecurity topics. Overall, from 393 unique citations, we discover more than 130 academic references that utilize our artifacts, 61 among them are highly influential (according to SemanticScholar), and at least 35 are from top-ranked security venues. This data underlines the significant relevance and impact of our work as well as of our artifacts in the community and beyond.
@misc{pennekamp2022cumul,title={{CUMUL {\&} Co: High-Impact Artifacts for Website Fingerprinting Research}},author={Pennekamp, Jan and Henze, Martin and Zinnen, Andreas and Lanze, Fabian and Wehrle, Klaus and Panchenko, Andriy},howpublished={Cybersecurity Artifacts Competition and Impact Award at the 38th Annual Computer Security Applications Conference (ACSAC)},year={2022},doi={10.18154/RWTH-2022-10811}}
ACSAC Poster
Poster: Ensemble Learning for Industrial Intrusion Detection
Dominik Kus, Konrad Wolsing, Jan Pennekamp, Eric Wagner, Martin Henze, and Klaus Wehrle
Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept’s feasibility with initial results of various methods to combine detectors.
@misc{kus2022ensemble,author={Kus, Dominik and Wolsing, Konrad and Pennekamp, Jan and Wagner, Eric and Henze, Martin and Wehrle, Klaus},title={{Poster: Ensemble Learning for Industrial Intrusion Detection}},year={2022},howpublished={Poster Session at the 38th Annual Computer Security Applications Conference (ACSAC)},doi={10.18154/RWTH-2022-10809}}
CCS Poster
Poster: INSIDE - Enhancing Network Intrusion Detection in Power Grids with Automated Facility Monitoring
Martin Serror, Lennart Bader, Martin Henze, Arne Schwarze, and Kai Nürnberger
In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS) – Poster Session, Nov 2022
Advances in digitalization and networking of power grids have increased the risks of cyberattacks against such critical infrastructures, where the attacks often originate from within the power grid’s network. Adequate detection must hence consider both physical access violations and network anomalies to identify the attack’s origin. Therefore, we propose INSIDE, combining network intrusion detection with automated facility monitoring to swiftly detect cyberattacks on power grids based on unauthorized access. Besides providing an initial design for INSIDE, we discuss potential use cases illustrating the benefits of such a comprehensive methodology.
@inproceedings{serror2022inside,author={Serror, Martin and Bader, Lennart and Henze, Martin and Schwarze, Arne and N{\"u}rnberger, Kai},title={{Poster: INSIDE - Enhancing Network Intrusion Detection in Power Grids with Automated Facility Monitoring}},booktitle={Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS) – Poster Session},year={2022},doi={10.1145/3548606.3563500}}
RAID
IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems
Konrad Wolsing, Eric Wagner, Antoine Saillard, and Martin Henze
In Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Oct 2022
The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial protocols. After proving IPAL’s correctness in a reproducibility study of related work, we showcase its unique benefits by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols and can perform outside their restricted silos.
@inproceedings{wolsing2022ipal,author={Wolsing, Konrad and Wagner, Eric and Saillard, Antoine and Henze, Martin},title={{IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems}},booktitle={Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)},year={2022},doi={10.1145/3545948.3545968}}
LCN
Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset
Konrad Wolsing, Antoine Saillard, Jan Bauer, Eric Wagner, Christian van Sloun, Ina Berenice Fink, Mari Schmidt, Klaus Wehrle, and Martin Henze
In Proceedings of the 47th IEEE Conference on Local Computer Networks (LCN), Sep 2022
Shipboard marine radar systems are essential for safe navigation, helping seafarers perceive their surroundings as they provide bearing and range estimations, object detection, and tracking. Since onboard systems have become increasingly digitized, interconnecting distributed electronics, radars have been integrated into modern bridge systems. But digitization increases the risk of cyberattacks, especially as vessels cannot be considered air-gapped. Consequently, in-depth security is crucial. However, particularly radar systems are not sufficiently protected against harmful network-level adversaries. Therefore, we ask: Can seafarers believe their eyes? In this paper, we identify possible attacks on radar communication and discuss how these threaten safe vessel operation in an attack taxonomy. Furthermore, we develop a holistic simulation environment with radar, complementary nautical sensors, and prototypically implemented cyberattacks from our taxonomy. Finally, leveraging this environment, we create a comprehensive dataset (RadarPWN) with radar network attacks that provides a foundation for future security research to secure marine radar communication.
@inproceedings{wolsing2022radar,author={Wolsing, Konrad and Saillard, Antoine and Bauer, Jan and Wagner, Eric and van Sloun, Christian and Fink, Ina Berenice and Schmidt, Mari and Wehrle, Klaus and Henze, Martin},title={{Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset}},booktitle={Proceedings of the 47th IEEE Conference on Local Computer Networks (LCN)},year={2022},doi={10.1109/LCN53696.2022.9843801}}
On Specification-based Cyber-Attack Detection in Smart Grids
Ömer Sen, Dennis van der Velde, Maik Lühman, Florian Sprünken, Immanuel Hacker, Andreas Ulbig, Michael Andres, and Martin Henze
In Proceedings of the 11th DACH+ Conference on Energy Informatics, Sep 2022
The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.
@inproceedings{sen2022specificationbased,author={Sen, {\"O}mer and van der Velde, Dennis and L{\"u}hman, Maik and Spr{\"u}nken, Florian and Hacker, Immanuel and Ulbig, Andreas and Andres, Michael and Henze, Martin},title={{On Specification-based Cyber-Attack Detection in Smart Grids}},booktitle={Proceedings of the 11th DACH+ Conference on Energy Informatics},year={2022},doi={10.1186/s42162-022-00206-7}}
ESORICS
Can Industrial Intrusion Detection Be SIMPLE?
Konrad Wolsing, Lea Thiemt, Christian van Sloun, Eric Wagner, Klaus Wehrle, and Martin Henze
In Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS), Sep 2022
Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems oppose this threat by continuously monitoring industrial processes and alerting any deviations from learned normal behavior. To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequentially, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial-in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex.
@inproceedings{wolsing2022simple,author={Wolsing, Konrad and Thiemt, Lea and van Sloun, Christian and Wagner, Eric and Wehrle, Klaus and Henze, Martin},title={{Can Industrial Intrusion Detection Be SIMPLE?}},booktitle={Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS)},year={2022},doi={10.1007/978-3-031-17143-7_28}}
CSET
PowerDuck: A GOOSE Data Set of Cyberattacks in Substations
Sven Zemanek, Immanuel Hacker, Konrad Wolsing, Eric Wagner, Martin Henze, and Martin Serror
In Proceedings of the 15th Workshop on Cyber Security Experimentation and Test (CSET), Aug 2022
Power grids worldwide are increasingly victims of cyberattacks, where attackers can cause immense damage to critical infrastructure. The growing digitalization and networking in power grids combined with insufficient protection against cyberattacks further exacerbate this trend. Hence, security engineers and researchers must counter these new risks by continuously improving security measures. Data sets of real network traffic during cyberattacks play a decisive role in analyzing and understanding such attacks. Therefore, this paper presents PowerDuck, a publicly available security data set containing network traces of GOOSE communication in a physical substation testbed. The data set includes recordings of various scenarios with and without the presence of attacks. Furthermore, all network packets originating from the attacker are clearly labeled to facilitate their identification. We thus envision PowerDuck improving and complementing existing data sets of substations, which are often generated synthetically, thus enhancing the security of power grids.
@inproceedings{zemanek2022powerduck,author={Zemanek, Sven and Hacker, Immanuel and Wolsing, Konrad and Wagner, Eric and Henze, Martin and Serror, Martin},title={{PowerDuck: A GOOSE Data Set of Cyberattacks in Substations}},booktitle={Proceedings of the 15th Workshop on Cyber Security Experimentation and Test (CSET)},year={2022},doi={10.1145/3546096.3546102}}
WiSec
BP-MAC: Fast Authentication for Short Messages
Eric Wagner, Martin Serror, Klaus Wehrle, and Martin Henze
In Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), May 2022
Resource-constrained devices increasingly rely on wireless communication for the reliable and low-latency transmission of short messages. However, especially the implementation of adequate integrity protection of time-critical messages places a significant burden on these devices. We address this issue by proposing BP-MAC, a fast and memory-efficient approach for computing message authentication codes based on the well-established Carter-Wegman construction. Our key idea is to offload resource-intensive computations to idle phases and thus save valuable time in latency-critical phases, i.e., when new data awaits processing. Therefore, BP-MAC leverages a universal hash function designed for the bitwise preprocessing of integrity protection to later only require a few XOR operations during the latency-critical phase. Our evaluation on embedded hardware shows that BP-MAC outperforms the state-of-the-art in terms of latency and memory overhead, notably for small messages, as required to adequately protect resource-constrained devices with stringent security and latency requirements.
@inproceedings{wagner2022bpmac,author={Wagner, Eric and Serror, Martin and Wehrle, Klaus and Henze, Martin},title={{BP-MAC: Fast Authentication for Short Messages}},booktitle={Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)},year={2022},doi={10.1145/3507657.3528554}}
ASIA CCS
Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things
The ongoing trend to move industrial appliances from previously isolated networks to the Internet requires fundamental changes in security to uphold secure and safe operation. Consequently, to ensure end-to-end secure communication and authentication, (i) traditional industrial protocols, e.g., Modbus, are retrofitted with TLS support, and (ii) modern protocols, e.g., MQTT, are directly designed to use TLS. To understand whether these changes indeed lead to secure Industrial Internet of Things deployments, i.e., using TLS-based protocols, which are configured according to security best practices, we perform an Internet-wide security assessment of ten industrial protocols covering the complete IPv4 address space. Our results show that both, retrofitted existing protocols and newly developed secure alternatives, are barely noticeable in the wild. While we find that new protocols have a higher TLS adoption rate than traditional protocols (7.2 % vs. 0.4 %), the overall adoption of TLS is comparably low (6.5 % of hosts). Thus, most industrial deployments (934,736 hosts) are insecurely connected to the Internet. Furthermore, we identify that 42 % of hosts with TLS support (26,665 hosts) show security deficits, e.g., missing access control. Finally, we show that support in configuring systems securely, e.g., via configuration templates, is promising to strengthen security.
@inproceedings{dahlmanns2022tls,author={Dahlmanns, Markus and Lohm{\"o}ller, Johannes and Pennekamp, Jan and Bodenhausen, J{\"o}rn and Wehrle, Klaus and Henze, Martin},title={{Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things}},booktitle={Proceedings of the 17th ACM ASIA Conference on Computer and Communications Security (ASIA CCS)},year={2022},doi={10.1145/3488932.3497762}}
CPSS
A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection
Dominik Kus, Eric Wagner, Jan Pennekamp, Konrad Wolsing, Ina Berenice Fink, Markus Dahlmanns, Klaus Wehrle, and Martin Henze
In Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS), May 2022
Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 %. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 % and 14.7 % for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks.
@inproceedings{kus2022false,author={Kus, Dominik and Wagner, Eric and Pennekamp, Jan and Wolsing, Konrad and Fink, Ina Berenice and Dahlmanns, Markus and Wehrle, Klaus and Henze, Martin},title={{A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection}},booktitle={Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS)},year={2022},doi={10.1145/3494107.3522773}}
WiSec
Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes
Message authentication guarantees the integrity of messages exchanged over untrusted channels. However, to achieve this goal, message authentication considerably expands packet sizes, which is especially problematic in constrained wireless environments. To address this issue, progressive message authentication provides initially reduced integrity protection that is often sufficient to process messages upon reception. This reduced security is then successively improved with subsequent messages to uphold the strong guarantees of traditional integrity protection. However, contrary to previous claims, we show in this paper that existing progressive message authentication schemes are highly susceptible to packet loss induced by poor channel conditions or jamming attacks. Thus, we consider it imperative to rethink how authentication tags depend on the successful reception of surrounding packets. To this end, we propose R2-D2, which uses randomized dependencies with parameterized security guarantees to increase the resilience of progressive authentication against packet loss. To deploy our approach to resource-constrained devices, we introduce SP-MAC, which implements R2-D2 using efficient XOR operations. Our evaluation shows that SP-MAC is resilient to sophisticated network-level attacks and operates as resources-conscious and fast as existing, yet insecure, progressive message authentication schemes.
@inproceedings{wagner2022promac,author={Wagner, Eric and Bauer, Jan and Henze, Martin},title={{Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes}},booktitle={Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)},year={2022},doi={10.1145/3507657.3528539}}
ICBC
Scalable and Privacy-Focused Company-Centric Supply Chain Management
Eric Wagner, Roman Matzutt, Jan Pennekamp, Lennart Bader, Irakli Bajelidze, Klaus Wehrle, and Martin Henze
In Proceedings of the 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), May 2022
Blockchain technology promises to overcome trust and privacy concerns inherent to centralized information sharing. However, current decentralized supply chain management systems do either not meet privacy and scalability requirements or require a trustworthy consortium, which is challenging for increasingly dynamic supply chains with constantly changing participants. In this paper, we propose CCChain, a scalable and privacy-aware supply chain management system that stores all information locally to give companies complete sovereignty over who accesses their data. Still, tamper protection of all data through a permissionless blockchain enables on-demand tracking and tracing of products as well as reliable information sharing while affording the detection of data inconsistencies. Our evaluation confirms that CCChain offers superior scalability in comparison to alternatives while also enabling near real-time tracking and tracing for many, less complex products.
author = {Wagner, Eric and Matzutt, Roman and Pennekamp, Jan and Bader, Lennart and Bajelidze, Irakli and Wehrle, Klaus and Henze, Martin},title = {{Scalable and Privacy-Focused Company-Centric Supply Chain Management}},booktitle = {Proceedings of the 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC)},year = {2022},doi = {10.1109/ICBC54727.2022.9805503}}
2021
ACSAC
Reproducible and Adaptable Log Data Generation for Sound Cybersecurity Experiments
Rafael Uetz, Christian Hemminghaus, Louis Hackländer, Philipp Schlipper, and Martin Henze
In Proceedings of the 37th Annual Computer Security Applications Conference (ACSAC), Dec 2021
Artifacts such as log data and network traffic are fundamental for cybersecurity research, e.g., in the area of intrusion detection. Yet, most research is based on artifacts that are not available to others or cannot be adapted to own purposes, thus making it difficult to reproduce and build on existing work. In this paper, we identify the challenges of artifact generation with the goal of conducting sound experiments that are valid, controlled, and reproducible. We argue that testbeds for artifact generation have to be designed specifically with reproducibility and adaptability in mind. To achieve this goal, we present SOCBED, our proof-of-concept implementation and the first testbed with a focus on generating realistic log data for cybersecurity experiments in a reproducible and adaptable manner. SOCBED enables researchers to reproduce testbed instances on commodity computers, adapt them according to own requirements, and verify their correct functionality. We evaluate SOCBED with an exemplary, practical experiment on detecting a multi-step intrusion of an enterprise network and show that the resulting experiment is indeed valid, controlled, and reproducible. Both SOCBED and the log dataset underlying our evaluation are freely available.
@inproceedings{uetz2021socbed,author={Uetz, Rafael and Hemminghaus, Christian and Hackl{\"a}nder, Louis and Schlipper, Philipp and Henze, Martin},title={{Reproducible and Adaptable Log Data Generation for Sound Cybersecurity Experiments}},booktitle={Proceedings of the 37th Annual Computer Security Applications Conference (ACSAC)},year={2021},doi={10.1145/3485832.3488020}}