International Conference on Cyber Warfare and Security

Editorial, Biographies and Review Committee

Richard Wilson — Thu, 02 Mar 2023 00:00:00 +0000

Editorial, Biographies and Review Committee

Secure Cloud Migration Strategy (SCMS): A Safe Journey to the Cloud

Dalal Alharthi — Tue, 28 Feb 2023 00:00:00 +0000

The state of cloud security is evolving. Many organizations are migrating their on-premises data centers to cloud networks at a rapid pace due to the benefits like cost-effectiveness, scalability, reliability, and flexibility. Yet, cloud environments also raise certain security concerns that may hinder their adoption. Cloud security threats may include data breaches/leaks, data loss, access management, insecure APIs, and misconfigured cloud storage. The security challenges associated with cloud computing have been widely studied in previous literature and different research groups. This paper conducted a systematic literature review and examined the research studies published between 2010 and 2023 within popular digital libraries. The paper then proposes a comprehensive Secure Cloud Migration Strategy (SCMS) that organizations can adopt to secure their cloud environment. The proposed SCMS consists of three main repeatable phases/processes, which are preparation; readiness and adoption; and testing. Among these phases, the author addresses tasks/projects from the different perspectives of the three cybersecurity teams, which are the blue team (defenders), the red team (attackers), and the yellow team (developers). This can be used by the Cloud Center of Excellence (CCoE) as a checklist that covers defending the cloud; attacking and abusing the cloud; and applying the security shift left concepts. In addition to that, the paper addresses the necessary cloud security documents/runbooks that should be developed and automated such as incident response runbook, disaster recovery planning, risk assessment methodology, and cloud security controls. Future research venues and open cloud security problems/issues were addressed throughout the paper. The ultimate goal is to support the development of a proper security system to an efficient cloud computing system to help harden organizations’ cloud infrastructures and increase the cloud security awareness level, which is significant to national security. Furthermore, practitioners and researchers can use the proposed solutions to replicate and/or extend the proposed work.

Cyber-Physical Attack Using High Power RF in Havana, Cuba

Allyffazzkkamn Argudo, Ghislaine Nasibu — Tue, 28 Feb 2023 00:00:00 +0000

Abstract: Global communications have relied heavily on fiber-optic cables. Satellite communications have become the norm for areas that are not highly populated or easily reached by conventional wires. The availability and use of satellite communications systems have had a limited market; with this limitation, the need for open development of each vendor's software never gained traction. This led to weaknesses not being discovered until a flaw was made public in a systems breach that affected the end users. Wireless communications that rely on microwaves lead to the use of malware to provide an override to normal operations of the equipment. As the issue of Stuxnet would allow for the override of the safety settings of satellite terminals, the malware could even be deployed remotely through a system update. The weaponization of such systems is now a point of concern. Previous studies have shown that naval satellite communications systems can be a weapon by removing the software power limitations McKay, R. W 2021 [15]. As satellite systems on ships can be larger due to being fixed, transmission power generation may be more significant. This study considers the land-based mobile systems deployed against any target and quickly dismantled and removed. Can land-based mobile satellite communication systems affected by Stuxnet or manually altered yield the same power output, and at what range will it affect human tissue? This is believed to be the case with the ongoing investigation. The survey results showed that mobile equipment could be dangerous to human tissue at distances easily achieved by mobile terminals, especially if the target is a fixed location like a building with large glass windows that R.F. power can penetrate easily

Cybersecurity in Digital Transformation applications: Analysis of Past Research and Future Directions

Zakariya Belkhamza — Tue, 28 Feb 2023 00:00:00 +0000

The term digital is often used to indicate the changes occurring in today’s world, generally referred to as a cyber-physical system, driven by the rapid adoption of digital technologies, where the cyber and the physical worlds are partly overlapping. Digital transformation refers to the integration of the digital technology of the cyber world into all physical domains. These cyber-physical systems must be secure against the threat of cyberattacks. However, one of the most challenging aspects of cybersecurity is the evolving nature of cyberattack risks, which is highly integrated with digital transformation. Despite a number of published articles, there is little investigation of past literature analysis that presents digital transformation applications and cybersecurity trends. The objective of this paper is to provide an intensive examination of digital transformation applications and cybersecurity research between 2019 and 2022, to detect the most profound research areas, emphasize existing challenges and identify patterns, tendencies or regularities existing in the literature in terms of technological applications. This aims to support scholars with a comprehensive understanding of the past, present and future directions of this research trend. To achieve these objectives, a systematic literature review is utilized. The findings introduce several implications for the present state of the literature, apparent study gaps and several research questions, which can be explored in future research.

An Automated Post-Exploitation Model for Cyber Red Teaming

Ryan Benito, Alan Shaffer, Gurminder Singh — Tue, 28 Feb 2023 00:00:00 +0000

Red teaming is a well-established methodology for ensuring and augmenting cyber system security; however, the training, expertise, and knowledge of appropriate tools and techniques required to perform effective red teaming come with a significant cost in time and resources. Large organizations such as the Department of Defense (DOD) use vulnerability assessment to identify software patches and other remediations for cyber systems to mitigate cyberspace exploitation. If a patch cannot be applied in a timely manner, for instance to minimize network downtime, measuring and identifying the impact of such unpatched vulnerabilities is left to scarce red teaming services. These services typically concentrate on initial access exploitation, which stops short of exploring the larger security impacts of cyber threats performing post-exploitation actions. This gap in post-exploitation red team analysis results in increased susceptibility to adversary offensive cyberspace operations (OCO) against DOD systems. This research extends the Cyber Automated Red Team Tool (CARTT), developed at the Naval Postgraduate School, by implementing automated red team post-exploitation analysis. The intent of this extended capability is to reduce the workload on limited DOD red teams and penetration testers by providing system administrators with the ability to perform deeper system analysis for the impacts of exploited vulnerabilities.

Review of End-to-End Encryption for Social Media

Vijay Bhuse — Tue, 28 Feb 2023 00:00:00 +0000

People have valid concerns about their privacy and the use of their personal information by corporations. People do not necessarily trust social media companies to protect their right to privacy. Social media companies are under pressure to provide greater levels of security and privacy to their users. The current gold standard of security protocols for messaging system is the Signal Protocol. The Signal protocol is an open-source end-to-end encryption model. It uses AES-256, HMAC-SHA256 and Curve25519 as its cryptographic primitives. This protocol is currently considered cryptographically sound and provides excellent information security. However, many social media companies are still using less secure protocols often underpinned by less secure primitives. This paper discusses in detail the various cryptographic primitives used in social media apps like WhatsApp, Twitter, Facebook, Snapchat and Instagram.

An Analysis of Crypto Scams during the Covid-19 Pandemic: 2020-2022

Johannes George Botha, Danielle Botha, Louise Leenen — Tue, 28 Feb 2023 00:00:00 +0000

Blockchain and cryptocurrency adoption has increased significantly since the start of the Covid-19 pandemic. This adoption rate has overtaken the Internet adoption rate in the 90s and early 2000s, but as a result, the instances of crypto scams have also increased. The types of crypto scams reported are typically giveaway scams, rug pulls, phishing scams, impersonation scams, Ponzi schemes as well as pump and dumps. The US Federal Trade Commission (FTC) reported that in May 2021 the number of crypto scams were twelve times higher than in 2020, and the total loss increased by almost 1000%. The FTC also reported that Americans have lost more than $80 million due to cryptocurrency investment scams from October 2019 to October 2020, with victims between the ages of 20 and 39 represented 44% of the reported cases. Social Media has become the go-to place for scammers where attackers hack pre-existing profiles and ask targets’ contacts for payments in cryptocurrency. In 2020, both Joe Biden and Bill Gates’ Twitter accounts were hacked where the hacker posted tweets promising that for all payments sent to a specified address, double the amount will be returned, and this case of fraud was responsible for $100,000 in losses. A similar scheme using Elon Musk’s Twitter account resulted in losses of nearly $2 million. This paper analyses the most significant blockchain and cryptocurrency scams since the start of the Covid-19 pandemic, with the aim of raising awareness and contributing to protection against attacks. Even though the blockchain is a revolutionary technology with numerous benefits, it also poses an international crisis that cannot be ignored.

Case Study: Conducting a Risk Assessment for an Electrical Utility

Edwin Covert — Tue, 28 Feb 2023 00:00:00 +0000

Risk management is an important part of effective cybersecurity. This paper presents a hypothetical risk assessment as a case study for one of the largest electricity providers in the southern California region using the approach outlined in the National Institute of Standards and Technology Special Publication 800 series on cybersecurity.

On the Use and Strategic Implications of Cyber Ranges in Military Contexts: A Dual Typology

Andrew Dwyer, Kathrin Moog, Jantje Silomon, Mischa Hansel — Tue, 28 Feb 2023 00:00:00 +0000

The use of simulated environments in cybersecurity – cyber ranges (CRs) – has become a popular method and tool to support training and education, assess system vulnerabilities, as well as to test and probe computer networks. Yet, CRs can be adopted to improve and enhance adversarial skill sets, tools, and operations that are attractive for military applications. This paper develops a strategic typology on how CRs have been used and adopted in military contexts (CRiMCs), where states have turned to CRs as one method to build cyber capacity, address proportionality and responsibility of cyber operations, as well as offer training and education.

We identify CRiMCs that offer two strategic purposes: 1) reserved for sovereign use and capability development and 2) those intended to support cyber capacity building through domestic resilience and collaborative inter-state exercises. We thus ask, why do states establish sovereign cyber ranges ‘on top’ of being involved in collaborative ones? Why and how do they differ? To answer such questions, this paper delves into both the crucial technical components that support each CRiMC type and their implications by offering exemplars from five states (Lithuania, Norway, Slovenia, the Netherlands, and the USA). The paper concludes with some preliminary thoughts on future research avenues on CRiMCs and their implications for the use and governance of state cyber capabilities.

Evaluation of Quantum Key Distribution for Secure Satellite-integrated IoT Networks

Andrew Edwards, Yee Wei Law, Ronald Mulinde, Jill Slay — Tue, 28 Feb 2023 00:00:00 +0000

There has been a dramatic increase in the number of Internet of Things (IoT) devices and their applications. Furthermore, there is a growing impetus to integrate IoT networks on a global scale, using satellites to expand the range of IoT connectivity into geographically remote areas. Ensuring the security of satellite backhaul for IoT networks is thus of paramount importance. The steady advance of quantum computing in recent years threatens to nullify classical cryptographic approaches based on assumptions of computational hardness, motivating the need for post-quantum cryptography. Quantum computing algorithms have been developed that, once a quantum computer of sufficient scale is realised, will be able to break classical cryptosystems efficiently (at polynomial-time complexity). A promising method of securing information against this threat at the physical layer has emerged in the form of quantum key distribution (QKD). QKD exploits the fundamental physical properties of light to guarantee information-theoretic security. Research into the application and standardisation of QKD to secure satellite backhaul, however, is still in its infancy. This paper presents a brief overview of the theoretical basis for QKD, whilst also providing a survey of contemporary QKD protocols. It evaluates the ability of these protocols to secure satellite backhaul in the context of a typical satellite-IoT network architecture. Furthermore, it highlights the vulnerabilities, as well as the technical challenges associated with this endeavour. Finally, it proposes directions for future research and development into protocols and standardisation for the satellite-integrated IoT domain. Several challenges must be overcome before QKD can evolve into a global-scale solution for securing satellite-IoT. Secret key generation rate remains very low in practical demonstrations of trusted-relay QKD satellite architectures. Further research is needed to overcome or mitigate the fundamental rate-distance trade-off before satellite QKD can be considered practicable in an IoT application. Alternatives that do not rely on trusted nodes are contingent on nascent technologies such as quantum repeaters and quantum memory. Whilst in theory QKD provides perfect information-theoretic security, it remains vulnerable to attacks that exploit imperfections in real-world equipment. Further effort is needed to develop QKD protocols that can safeguard against the aforementioned challenges.

Commentary on Healthcare and Disruptive Innovation

Hilary Finch, Abasi-Amefon Affia, Woosub Jung, Lucas Potter, Xavier-Lewis Palmer — Tue, 28 Feb 2023 00:00:00 +0000

Exploits of technology have been an issue in healthcare for many years. Many hospital systems have a problem
with “disruptive innovation” when introducing new technology. Disruptive innovation is “an innovation that
creates a new market by applying a different set of values, which ultimately overtakes an existing market”
(Sensmeier, 2012). Modern healthcare systems are historically slow to accept new technological advancements .
This may be because patient-based, provider-based, or industry-wide decisions are tough to implement, giving way
to dire consequences. One potential consequence is that healthcare providers may not be able to provide the best
possible care to patients. For example, if a healthcare provider does not adopt new technologies or approaches to
medical treatment, they may not be able to offer the same level of care as a provider who has embraced those
innovations. This leads to lower quality of care and poorer patient outcomes.
Another consequence is that healthcare providers who do not adapt to disruptive innovations may lose market
share to competitors who are more forward-thinking and willing to embrace new technologies and approaches.
This can harm the provider's financial performance and sustainability.Not adapting to disruptive innovations in
healthcare can result in missed opportunities to improve the efficiency and effectiveness of medical treatment. If a
healthcare provider does not adopt electronic medical records, they may miss out on the benefits of faster and
more accurate information sharing, improving patient care.
Once the decision to implement technology in a specific healthcare industry is made, concerns about patient
safety, an aversion to change, and hospital-wide compliance with regulations begin to arise (WynHouse, nd.). The
healthcare technology industry also boomed with the COVID-19 outbreak. The COVID-19 outbreak has led to
significant advancements and innovations in medical technology. In order to diagnose, treat, and prevent the
spread of the virus, healthcare providers and researchers have had to develop and deploy new technologies and
approaches. The COVID-19 outbreak has highlighted the importance of the medical industry and the essential role
it plays in society. This has led to increased funding, support for medical research and development, as well as a
greater appreciation for the work of healthcare providers. This has created opportunities for growth and
innovation in the medical industry. It also placed enormous strain on global health systems, disrupting healthcare
by increasing the risk of fraud and deception; the risk of hospital operations and assets being compromised,
disrupted, or altered; and the increased use of telehealth resulting in a breakdown between providers and
consumers (Kuehn,2021). This article will cover the effects/impact of disruptive innovations/technologies
introduced into healthcare industries over the short term through a light review of disruptions and responses,
followed by commentary and policy recommendations.

Securing Commercial Satellites for Military Operations: A Cybersecurity Supply Chain Framework

Courtney Fleming, Mark Reith, Wayne Henry — Tue, 28 Feb 2023 00:00:00 +0000

The increased reliance on commercial satellites for military operations has made it essential for the Department of Defense (DoD) to adopt a supply chain framework to address cybersecurity threats in space. This paper presents a satellite supply chain framework, the Cybersecurity Supply Chain (CSSC) Framework, for the DoD in the evaluation and selection of commercial satellite contracts. The proposed strategy is informed by research on cybersecurity threats to commercial satellites, national security concerns, current DoD policy, and previous cybersecurity frameworks. This paper aims to provide a comprehensive approach for safeguarding commercial satellites used by the DoD and ensuring the security of their supporting components. Inspired by the National Institute of Standards and Technology (NIST) 800-171 requirements and the DoD’s future Cybersecurity Maturity Model Certification (CMMC) process, the two-part framework significantly streamlines the NIST requirements to accommodate small businesses. It also extends key NIST requirements to commercial-off-the-shelf (COTS) suppliers. The CSSC Framework complements the CMMC certification process by addressing the need for cybersecurity requirements for all subcontractors supporting a commercial space asset. The framework incorporates a scoring process similar to CMMC scoring, granting points to a subcontractor for meeting the cybersecurity requirements outlined by the framework. In addition, the framework creates a space architecture overview that details the overall bid score and establishes a matrix based on individual requirements. This model and matrix allow DoD acquisition personnel to closely analyze each contract bid, comparing the subcontractor's strengths and weaknesses to other bidders. The CSSC Framework will allow the DoD to apply NIST standards to subcontractors who do not meet the requirements for CMMC certification.

Predictors of Human Efficiency in Radar Detection Tasks

Elizabeth Fox, Arielle Stephenson, Christopher Stevens, Gregory Bowers — Tue, 28 Feb 2023 00:00:00 +0000

Aegis operators simultaneously locate and monitor the activity of several hostile targets, intervening and alerting their team when appropriate. Utilizing the Aegis Combat System, operators find, track, and respond to dynamic targets on a radar screen. The demand that operators undergo is often high, inevitably causing strain on cognitive functions and detriments to performance. We applied model-based measures, Cost and Multitasking Throughput, to quantify the influence of external factors on processing efficiency in radar task(s). We captured the influence of three experimental manipulations, each of three levels, on human efficiency to track the location of hostiles and/or detect brief radar interference. We collected participants’ performance to complete a multiple object tracking (MOT) task and an electronic attack detection task (EA) using a radar display. A factorial manipulation of conditions comprised changes to task(s) (EA, MOT, or both), the number of targets to track (2, 4, or 6) and the presence or absence of distractors, deemed 'friendlies' (between 500-1000 total tracks). Our novel individual- and model-based approach provided quantitative estimates of human efficiency. We compared the observed variation in efficiency among predictors including target quantity, visual load, and the presence of one or two interrelated tasks. Through quantifying the relationship of these variables to radar detection tasks, we discuss implications of our findings and provide a framework to examine how system designers may develop tools to alleviate observed cognitive demands and/or counter potential threats of electronic attacks in radar detection and tracking tasks.

Nuclear Cyber Attacks: A Study of Sabotage and Regulation of Critical Infrastructure

Virginia Greiman — Tue, 28 Feb 2023 00:00:00 +0000

As of 2021, the World Nuclear Association reports 440 Nuclear reactors are in operation worldwide in 30 countries generating capacity of 390 (GW) which is equivalent to about 10% of the world’s electricity. After Hydroelectric power, nuclear is the world's second largest source of low-carbon power. Important new nuclear technologies including the Small Modular Reactors (SMRs) are being developed globally creating more efficient and safer reactors that can be reproduced off site.

While governments redoubled their commitments to reducing greenhouse gas emissions at the UN Climate Change Conference (COP26) in Glasgow, the recovery of economies following the harsh impacts of COVID-19 led to a surge in energy demand that surpassed the growth in production from clean sources including nuclear. The safety and security of nuclear power has received renewed attention since the Russian invasion of Ukraine presenting growing concern about the potential threat of increased malevolent cyber activity against Ukraine’s critical infrastructure. Moreover, there have been more than 20 known cyber incidents worldwide at nuclear facilities since 1990.

To address these concerns this paper focuses on the progress of cyber security and cyber resilience in the nuclear industry globally. The 2015 cyber-attack on the Ukrainian Kyivoblenergo, a regional electricity distribution company was analyzed by multiple sources including private companies, investigators in Ukraine, and the U.S. government. The analysis revealed many opportunities to stop or prevent this attack, however, the nuclear industry continues to face serious challenges in protecting against cyber threats. This research will investigate through a comparative analysis the recent government regulations, rules and standards, for nuclear cyber security safety in the United States and internationally to determine whether these laws adequately protect energy infrastructure from cyberattacks and hold responsible parties accountable. Recent initiatives by government and the private sector to enhance the opportunities for improving cyber security in the nuclear sector will be reviewed to determine best practices for improving nuclear safety and cyber resilience.

Social-Engineering, Bio-economies, and Nation-State Ontological Security: A Commentary

Brandon Griffin, Keitavius Alexander, Xavier-Lewis Palmer, Lucas Potter — Tue, 28 Feb 2023 00:00:00 +0000

Biocybersecurity is an evolving discipline that aims to identify the gaps and risks associated with the convergence of Biology (the science of life and living organisms) and cybersecurity (the science, study, and theory of cyberspace and cybernetics) to protect the bioeconomy. The biological industries’ increased reliance on digitization, automation, and computing power has resulted in benefits for the scientific community, it has simultaneously multiplied the risk factors associated with industrial espionage and the protection of data both commercial and proprietary. The sensitive and potentially destructive power of this data and its access inherently poses a risk to the national and ontological security of a nation. Ontological security refers to the extent to which an individual or group feels secure in their understanding of the world and their place in it. It is a psychological concept that pertains to the way in which people construct their sense of self and their place in the world, and how this sense of self and place is shaped by their interactions with others and the broader social, cultural, and political context in which they live. Nation-states provide stability and wider social cohesion, but these capacities can be disrupted when the nation state is sufficiently threatened (Bolton, 2021). Leading to an interest in maintaining a national identity; which can have profound effects on the behavior of a nation. Targeted social engineering is aimed at exploiting the changing and damaged mental health of workers in life science enterprises who have not been trained in a sufficient manner to deal with these attacks. Failure to identify the existing vulnerabilities associated with social engineering would expose the bioeconomy to unnecessary risk. Numerous scholars have pointed towards growing risks of nation-state stability being increasingly threatened vs inadequate actions taken to match threats for defense; when reflecting on energy, food, construction materials and more from the multi-trillion US bioeconomy we see that the ground to cover is huge (George 2019, Jordan, 2020, Murch, 2018; Mueller 2021). This paper seeks to discuss some of the existing vulnerabilities associated with social engineering attacks and the effects those attacks would have on the population's ontological security and spark conversations about ways in which ontological security of nation states are modified.

Search and CompAre Reverse (SCAR): A Bioinformatics–Inspired Methodology for Detecting File Remnants in Digital Forensics

George Grispos, William Mahoney, Sayonnha Mandal — Tue, 28 Feb 2023 00:00:00 +0000

A storage device may contain data that an individual is legally or morally not allowed to possess. Or, a disgruntled company employee may intentionally destroy corporate files, assuming once deleted the information is lost forever. The data could take the form of a database owned by a competitor, illegal images, or videos, or trade secrets or confidential business information. Fragments of the data may very well still be present on the disk drive, for example, and forensic tools may be capable of recovering some of the confidential information. This paper introduces Search and CompAre Reverse (SCAR), inspired from tools used in the bioinformatics community. The contribution is an initial empirical investigation into the use of this bioinformatics-inspired approach to deduce the partial existence of patterns in cases where traditional digital forensics tools cannot detect the type of the file due to overwriting the file signature portion of the file.

Development and Analysis of a Reconnaissance-Technique Knowledge Graph

Thomas Heverin, Elsa Deitz, Eve Cohen, Jordana Wilkes — Tue, 28 Feb 2023 00:00:00 +0000

Penetration testing involves the use of many tools and techniques. The first stage of penetration testing involves conducting reconnaissance on a target organization. In the reconnaissance phase, adversaries use tools to find network data, people data, company/organization data, and attack data to generate a risk assessment about a target to determine where initial weaknesses may be. Although a small number of tools can be used to conduct many of reconnaissance tasks, including Shodan, Nmap, Recon-ng, Maltego, Metasploit, Google and more, each tool holds an abundance of specific techniques that can be used. Furthermore, each technique uses unique syntax. For example, Nmap holds over 600 scripts that make up its Nmap Scripting Engine. Depending on the type of device targeted, Nmap scripts can scan for ports, operating systems, IP addresses, hostnames and more. As another example, Maltego operates over 150 transforms or modules that collect data on organizations, files and people.

Understanding which reconnaissance tool, techniques within those tools, and the syntax for each technique represents a highly complex task. MITRE ATT&CK, a widely accepted framework, models tactics and techniques within the tactics to help users make sense of adversarial behaviours. The tactic of reconnaissance is modelled in ATT&CK as well as its techniques. However, the explicit links between reconnaissance techniques are not modelled. Our research focused on the development of an ontology called Recontology to model the domain of reconnaissance. Recontology was then used to form Reconnaissance-Technique Graph (RT-Graph) to model 102 reconnaissance techniques and the directional links between the techniques. We used exploratory data analysis (EDA) methods including a graph spatial-layout algorithm and several graph-statistical algorithms to examine RT-Graph. We also used EDA to find critical techniques within the graph. Patterns across the results are discussed as well as implications for real-world uses of RT-Graph.

Zero Trust is Not Enough: Mitigating Data Repository Breaches

JS Hurley Hurley — Tue, 28 Feb 2023 00:00:00 +0000

Successful mission operations depend on the ability of an organization to collect, manage, analyze, and secure its data. Traditional network frameworks have become less appealing because they rely on a “trust but verify” paradigm that does not stand up well against the advanced tools and techniques of modern cyber attackers. The Zero Trust Framework has emerged as a logical replacement but unfortunately does not adequately address the trustworthiness of data in data repositories. This broader view is important because data repositories have become arguably, the most prominent means for data sharing across many sectors around the globe. Unfortunately, data repositories are also undergoing widespread malware attacks and, in some cases, data critical to national security can be impacted. In this study, we propose a potential framework that relies more on data lineage, end-to-end metadata, and the use of machine learning tools and techniques to reduce and possibly mitigate the problems with data repositories that Zero Trust Frameworks fail to address.

Managing Large-Scale Heterogeneous Deployments for Cybersecurity

JS Hurley Hurley — Tue, 28 Feb 2023 00:00:00 +0000

In cyber defense, we must contend with the massive amounts of data being generated in a variety of different formats and speeds. Unfortunately, traditional tools and methods are not meeting the requirements for scale and speed and rely too heavily on heuristics. Advancements in mobile technologies and the Internet of Things (IoTs) will continue to contribute to the additional growth in data volumes anticipated for the foreseeable future. As data continues to grow in complexity and scale, cyber professionals must rely upon models that are more elaborate and sophisticated to predict future behavior. More complex models can give additional inference capabilities; however, they are also difficult to scale and deploy in real-time environments. Managing large-scale, heterogeneous deployments for cybersecurity is challenging. Hardware capabilities and software tools both motivate and limit computational and inferential objectives. Hence, the interplay between data science (especially machine learning) and computation become more significant than ever to explore to gain more insight into heterogeneous deployments and how they can be more effectively managed. In this study, we identify ways in which data science tools and techniques can be used in improving the management of large-scale heterogeneous deployments for cybersecurity.

Digital Geopolitics: A Review of the Current State

Gazmend Huskaj — Tue, 28 Feb 2023 00:00:00 +0000

The purpose of this research product is to present the current state of digital geopolitics. Digital Geopolitics is attracting much attention. It features in national digital strategies (for those countries that have those), and there is some research on the topic. However, until now, no systematic and up-to-date review of the scientific literature on digital geopolitics exists. This article reviews the scientific literature using the computational literature review method. 124 articles were identified in a scientific database. After removing articles without author and abstract, 120 articles remained to read, cluster and present in this research product. The findings present that research output increases from 2015 and onwards, 53 topics are covered in the data set, and top cited articles and top publication venues are presented. The answer to the research question is that based on the results and the manual clustering of topics, it is indicative that the Technology, Informational, Geography are Security areas have a high focus, with less focus on, for example, political and health areas.

Managing Variable Cyber Environments with Organizational Foresight and Resilience Thinking

Eveliina Hytönen, Jyri Rajamäki, Harri Ruoslahti — Tue, 28 Feb 2023 00:00:00 +0000

Combining business continuity management (BCM) and systematic cyber threat intelligence (CTI) can improve cyber situational awareness to support decision-making through the phases of the resilience cycle (plan, absorb, recover, adapt) to ensure the continuity of organizational operations when encountered by cyber disruptions. End-user needs, human factors, high ethical standards, and social impacts can best be adapted when professionals from different fields work together with end-users to refine and co-develop selected tools into a platform. A resilience assessment that combines BCM and CTI enables 1) quick or detailed assessment of the investigated industry and its critical processes, 2) measurement of performance goals based on information received from end users, where artificial intelligence-based self-learning approaches can be used for functional descriptions, 3) information on the sensitivity of the investigated industry and vulnerability and 4) resilience and BCM throughout the entire resilience cycle. A new Horizon Europe project DYNAMO (Dynamic Resilience Assessment Method including a combined Business Continuity Management and Cyber Threat Intelligence solution for Critical Sectors) works towards combining BCM and CTI to generate a situational picture for decision support. Having this in mind, certain cybersecurity and BCM tools will be developed, refined, and integrated into the DYNAMO platform to provide decision support and awareness to chief information security officers, cybersecurity practitioners, and other stakeholders. This paper reports a case study that explores how combining CTI and BCM can help in the case of a cyber-attack. The research material consists of the news articles by the largest newspaper in Finland, Helsingin Sanomat (HS) of how the cyber attack against the therapy center Vastaamo progressed during the first week after the attack. The results show that cyber threat intelligence when flexibly integrated into the BCM approach could create better conditions for improved organizational foresight to react to unpredictable cyber threats to ensure business continuity.

Fingerprinting Network Sessions for the Discovery of Cyber Threats

Christiaan Klopper, Jan — Tue, 28 Feb 2023 00:00:00 +0000

rtificial intelligence (AI) assisted cyber-attacks, within the network cybersecurity domain, have evolved to be more successful at every phase of the cyber threat lifecycle. This involves, amongst other tasks, reconnaissance, weaponisation, delivery, exploitation, installation, command & control, and actions. The result has been AI-enhanced attacks, such as DeepLocker, self-learning malware and MalGan, which are highly targeted and undetectable, and automatically exploit vulnerabilities in existing cyber defence systems

. Countermeasures would require significant improvements in the efficacy of existing cyber defence systems to enable the discovery and detection of AI-enhanced attacks in networks in general. The challenge is that rule-and-anomaly-based intrusion detection approaches would need to be evolved into a dynamic self-learning approach before being able to discover “undetectable” network threats. The problem is that, when considering current state-of-the-art network cybersecurity countermeasures, this has not yet been achieved. One of the key challenges in achieving this is the inability to extract meaningful information from network packets. The novel solution proposed in this paper is to fingerprint network sessions. Each fingerprint is represented by a two-dimensional matrix that can be visualised, comprising a unique session key, the protocol discourse and the transmitted data. This is achieved by extracting information, summarising network session key events, encoding the received data, and merging it with existing fingerprints. The unique key and transmitted data are encoded using a Hilbert curve, while the protocol discourse is encoded into a tornado diagram. The resulting visualised network session fingerprints reveal hidden patterns that are ideal for subsequent pattern recognition, reinforcement learning (RL) or support vector machines (SVM) training to discover AI-enhanced cyber threats as they evolve.

S-400s, Disinformation, and Anti-American Sentiment in Turkey

Tue, 28 Feb 2023 00:00:00 +0000

As social and political discourse in most countries becomes more polarized, anti-Americanism has
risen not only in the Middle East and Latin America but also among the U.S. allies in Europe. Social media is
one platform used to disseminate anti-American views in NATO countries, and its effectiveness can be
magnified when mass media, public officials, and popular figures adopt these views. Disinformation, in
particular, has gained recognition as a cybersecurity issue from 2016 onward, but disinformation can be
manufactured domestically in addition to being part of a foreign influence campaign. In this paper, we analyze
Turkish tweets using sentiment analysis techniques and compare the model's results to the manual
investigation based on qualitative research. We investigate institutional conditions, social and mass media
control, and the state of political discourse in Turkey and focus on narratives pertaining to the purchase of S-
400 missiles from Russia by Turkey, as well as the actors spreading these narratives, analyzing for popularity,
narrative type, and bot-like behavior. Our findings suggest that although anti-American sentiment has held
relatively steady in Turkey since 2003, the tightening of control over mass media networks in Turkey and the
adoption of conspiratorial rhetoric by President Erdogan and his allies in the AKP from 2014 onward amplified
anti-American sentiment and exacerbated negative sentiment on social media by pitting users against one
another. This study and its findings are important because they highlight the importance of social and
psychological components of cybersecurity. The ease by which disinformation efforts, influence operations,
and other “softer” forms of cyber- and information warfare can be carried out means that they will only grow
more common.

Detecting and tracking hypersonic glide vehicles: A cybersecurity-engineering analysis of academic literature

Tue, 28 Feb 2023 00:00:00 +0000

Hypersonic vehicles are vehicles travelling faster than Mach 5 (five times the speed of sound). Hypersonic technologies have existed since the end of the 1950s, but recent developments of defence applications have led to their resurgence. Hypersonic weapons can be hypersonic (powered) cruise missiles or hypersonic glide vehicles (HGVs). The near-space trajectories of HGV, combined with their superior manoeuvrability, enable HGVs to evade existing space and terrestrial sensors used to track ballistic missiles, posing an immediate threat to today’s radar networks and making HGVs well-suited for intercontinental (> 5500 km) targets. Securing HGV detection and tracking systems is of great interest to at-risk nations and cybersecurity researchers alike.

However, like hypersonic flight technologies, HGV defence technologies are heavily guarded secrets. The shortage of public-domain information did not stop academia from proposing various detection and tracking schemes, but a reasonable question is: “How credible and useful is current public-domain information, including academic publications, on HGV detection and tracking for academic researchers to base their cybersecurity research on?” To answer this question, we scanned and critically reviewed public-domain literature on HGV detection and tracking. We then identified ambiguities and knowledge gaps in the literature. In this paper, we provide a concise version of our multivocal literature review and an analysis of the identified ambiguities and knowledge gaps in our attempt to answer our earlier question.

Cyber security training in Finnish basic and general upper secondary education

Martti Lehto, Pekka Neittaanmäki — Tue, 28 Feb 2023 00:00:00 +0000

Cyber security in Finland is part of other areas of comprehensive security, as digital solutions multiply in society and technologies advance. Cyber security is one of the primary national security and national defense concerns. Cyber security has quickly evolved from a technical discipline to a strategic concept. Cyber security capacity building can be measured based on the existence and number of research and developments, education and training programs, and certified professionals and public sector agencies.

Cybersecurity awareness and the related civic skills play an increasingly important role as our societies become more digitalized. Improving citizens' cyber skills through education is an important goal that would strengthen Finland as a country of higher education and expertise and lay the foundation for the society of the future.

Pursuant to the Finland’s Cyber Security Strategy (2019) “National cyber security competence will be ensured by identifying requirements and strengthening education and research.” Finland’s Cyber Security Development Programme (2021) necessitates that in basic education ensures young people have sufficient skills to operate in a digital operating environment and that they understand cyber security threats and know how to protect themselves from them. So, cybersecurity is an important subject for everyone, not just industry or public organizations. It’s also vital for our children to understand how to stay safe online, and the need to be aware of any dangers that might come their way. Cybersecurity awareness training is important because it teaches pupils how they can protect themselves from cyber-attacks (MTC, 2021).

The study of cybersecurity education in Finland was made in autumn 2021 and spring 2022 for the National Cyber Security Director. According to the study, measures are needed so that cyber security becomes an important aspect when planning education and teaching. There are different models to choose from to make training more effective. This paper presents the results of the research focusing basic and general upper secondary education.

Russian Influence Operations during the Invasion of Ukraine

Joseph Littell, Nicolas Starck — Tue, 28 Feb 2023 00:00:00 +0000

Prior to their invasion of Ukraine, the Russian Federation was seen as having a vastly superior ability to conduct operations in the information environment, particularly their ability to influence foreign audiences, when compared to their western counterparts (Cunningham, 2020). However, the efforts of Ukraine, NATO allies, and other aligned nations to conduct operations in the information environment with intelligence pre-bunking, traditional diplomacy, and sanctions, blunted many of Russia’s best efforts. Further tactical and operational failures from the Armed Forces of the Russian Federation also undercut the salience of Russian messaging campaigns. This does not mean that Russia’s efforts in the informational environment fully failed or did not adapt to these actions in the lead-up and continuation of the war. Through the use of the Natural Language Processing (NLP) technique transformer-based topic modeling (Grootendorst, 2022) and the causal inference technique Bayesian Structural Time Series analysis (Brodersen, 2015) this paper looks to both qualitatively and quantitatively examine how Russian state media on Twitter reacted, changed narratives, and focused efforts regionally from January 1^st through September 1^st, 2022. Through this analysis we argue that Russian efforts in Europe may have been of limited success. We further argue that by shifting focus, Russia gained influence in South America, and Middle East and North Africa, where their influence operations faced minimal obstructions, such as sanctions, and a latent anti-western sentiment.

Modelling the Influential Factors Embedded in the Proportionality Assessment in Military Operations

Clara Maathuis, Sabarathinam Chockalingam — Tue, 28 Feb 2023 00:00:00 +0000

The ongoing decade was believed to be a peaceful one. However, contemporary conflicts, and in particular, ongoing wars prove the opposite as they show the increase in context complexity when defining their goals as well as execution strategies for building means and methods for achieving them by gaining advantage against their adversaries through the engagement of well-established targets. At the core of the engagement decision relies the principle of proportionality which brings in a direct relation the expected unintended effects on civilian side with the anticipated intended effects on military side. While the clusters of effects involved in the proportionality assessment are clear, the process itself is subjective, governed by different dimensions of uncertainty, and represents the responsibility of military Commanders. Thus, a complex socio-technical process where different clusters of influential factors (e.g., military, technical, socio-ethical) play a role in the decisions made. Having said that, the objective of this research is to capture and cluster these factors, and further to model their influence in the proportionality decision-making process. This decision support system produces military targeting awareness to the agents involved in the processes of building, executing, and assessing military operations. To accomplish the aim of this research, a Design Science Research methodological approach is taken for capturing and modelling the influential factors as a socio-technical artefact in the form of a Bayesian Belief Network (BBN) model. The model proposed is further evaluated through demonstration on three different cases in respect to real military operations incidents and scenarios existing in the scientific literature in this research field. Hence, through this demonstration, it is illustrated and interpreted how the factors identified influence proportionality decisions when assessing target engagement as being proportional or disproportional. In these cases, corresponding measures for strengthening proportionality and reducing disproportionality in military operations are considered.

Social Media Manipulation Awareness through Deep Learning based Disinformation Generation

Clara Maathuis, Iddo Kerkhof — Tue, 28 Feb 2023 00:00:00 +0000

As a digital environment introduced for establishing and enhancing human communication through different social networks and channels, social media continued to develop and spread at an incredible rate making it difficult to find or imagine a concept, technology, or business that does not have or plan to have its social media representation and space. Concurrently, social media became a playground and even a battlefield where different ideas carrying out diverse validity degrees are spread for reaching their target audiences generated by clear and trustable well-known, uncertain, or even evil aimed entities. In the stride carried out for preventing, containing, and limiting the effects of social manipulation of the last two types of entities, proper/effective security awareness is critical and mandatory in the first place. On this behalf, several strategies, policies, methods, and technologies were proposed by research and practitioner communities, but such initiatives take mostly a defender perspective, and this is not enough in cyberspace where the offender is in advantage in attack. Therefore, this research aims to produce social media manipulation security awareness taking the offender stance by generating and analysing disinformation tweets using deep learning. To reach this goal, a Design Science Research methodology is followed in a Data Science approach, and the results obtained are analysed and positioned in the ongoing discourses showing the effectiveness of such approach and its role in building future social media manipulation detection solutions. This research also intends to contribute to the design of further transparent and responsible modelling and gaming solutions for building/enhancing social manipulation awareness and the definition of realistic cyber/information operations scenarios dedicated/engaging large multi-domain (non)expert audiences.

Social Media Manipulation Deep Learning based Disinformation Detection

Clara Maathuis, Rik Godschalk — Tue, 28 Feb 2023 00:00:00 +0000

The rapid grow and use of different social platforms enhanced communication between different entities and their audiences plus the transformation through digitalization of existing, e.g., ideas and businesses, or the creation of new ones fully existing or depending on this digital environment. Nevertheless, next to these promising aspects, social media is a vulnerable digital environment where a diverse plethora of cyber incidents are planned and executed engaging a diverse range of targets. Among these, social media manipulation through threats like disinformation and misinformation produce a broad span of effects that cross digital borders into the human realm by influencing and altering human believes, behaviour, and attitudes towards specific ideas, institutions, or people. To tackle these issues, existing academic, social platforms, dedicated organizations, and institutions efforts exist for building specific advanced and intelligent solutions for detecting and preventing them. Regardless, these efforts embed defender’s perspective and are focused locally, at target level, without being designed to fit a broader agenda of producing and/or strengthening social media security awareness. On this behalf, this research proposes a deep learning-based disinformation detection solution for facilitating and/or enhancing social media security awareness in respect to offender’s perspective. To achieve this objective, a Data Science approach is taken based on the Design Science Research methodology, and the results obtained are discussed with a keen on further field developments regarding intelligent, transparent, and responsible solutions countering social manipulation through realistic participation and contribution of different stakeholders from different disciplines.

Improvements on Hiding x86-64 Instructions by Interleaving

William Mahoney, Todd McDonald, George Grispos, Sayonnha Mandal — Tue, 28 Feb 2023 00:00:00 +0000

This paper presents the results of a new method for interleaving CPU instructions in x86-64 machine code, such that one can hide executable code within other valid instructions. The aim is to make it more difficult to reverse-engineer software at a machine code level – to obfuscate instructions. A result is a hidden execution path within a visible main instruction path. While previous methods for this instruction obfuscation exist, we present a new method which builds upon past work, and which allows a greater flexibility in the selection of main instruction path instructions. The result of this new approach is to provide a methodology for instruction concealment which is free of restrictions present in prior work.

Developing Privacy Incident Responses to Combat Information Warfare

Sean McElroy, Lisa McKee — Tue, 28 Feb 2023 00:00:00 +0000

Violations of privacy harm real people, and as nation-state actors grow their information warfare capabilities, civilians suffer these harms as part of coordinated and targeted actions on objectives. When privacy harms manifest, they allow threat actors to injure data subjects by weaponizing their information to harm individuals, communities, and societies. These attacks injure civilians as the confidence of legitimate authorities, institutions, and defences is eroded, and consequences may impact national security. Distinct from cybersecurity, privacy depends upon confidentiality, integrity, and availability but encompasses a unique set of concerns. Whereas security incident response has an established practice and research history, approaches to privacy incident response, such as unauthorized disclosure, are not well researched or documented in academic literature in the unique context of privacy. By mapping privacy harm to techniques and tactics, a cohesive framework emerges to distinguish tailored mitigation strategies for each. This paper proposes a conceptual model and classification framework for privacy-related harms, tactics, techniques, and mitigation strategies to address sophisticated privacy threat actors. Using this model and framework, contingency planners can develop privacy incident response strategies to defend against the privacy harms of information warfare.

Use of Intrusion Detection Systems in Vehicular Controller Area Networks to Preclude Remote Attacks

Anthony Monge, Todd Andel — Tue, 28 Feb 2023 00:00:00 +0000

Security is always at the forefront of our thoughts whether we know it or not. Mindlessly, people go about their daily lives with security a part of everything performed. Is the house door locked? Is the phone off and upside down on the table so no one can see it? Is the computer at home/work logged out and secure? However, when thinking about our vehicles, the normal person stops at locking the door. Problem is that our vehicles’ electronic systems are unprotected. Vehicles today are essentially personal computers with wheels. It is arguable that vehicles are incredibly safe, but that safety is an illusion. The computers that control our cars have essentially zero security in place to protect them. It is a chilling notion to have the knowledge your brakes could be rendered useless while moving at a high rate of speed. On top of that, this could be done and leave essentially no trace it had been performed. The main crux of this insecurity is the Controller Area Network (CAN) utilized by the vehicles’ electronics. This paper outlines the current vulnerabilities that vex this network system and why those issues have remained unsolved. It also outlines a plausible solution to get the security community moving in the right direction. While this solution is a mere small step toward a robust network, it does alert the operator to a potential network attack. With this knowledge, the driver of the vehicle may get it to a safe location prior to more damage being inflected on themselves or others.

Digital Insanity: Exploring the Flexibility of NIST Digital Identity Assurance Levels

Kenneth Myers — Tue, 28 Feb 2023 00:00:00 +0000

NIST Special Publication 800-63-3 presents a new risk management concept on digital identity. It includes various harm categories to determine an appropriate assurance level for identity proofing, authentication, and federation. These three distinct approaches are highlighted to give flexibility in protecting systems. This paper explores if this is a realized flexibility by developing a tool to test assurance level and component flexibility. It also identifies appropriate MFA levels given different levels of risks and makes three recommendations to help improve the adoption of the NIST digital identity guidelines.

Risk likelihood of planned and unplanned cyber-attacks in small business sectors: A cybersecurity concern

Tabisa Ncubukezi — Tue, 28 Feb 2023 00:00:00 +0000

Human factors such as planned and unplanned cyber-attacks are a serious threat to any institution. The presence of planned and unplanned actions exposes the state of cybersecurity within the small business sector – leaving them vulnerable to a range of cyber-risks. This study used the AgenaRisk package with Bayesian Network (BN) tools to illustrate the likelihood of risk in planned and unplanned attacks. Adopting the package demonstrates the dependent and independent variables of the human factors, which are planned and unplanned, with their relationships resulting in the ultimate data breach. The work also combined qualitative research with quantitative risk analysis techniques to determine the risk likelihood of planned activities and unplanned employee actions and their behaviors influencing data breaches.

The work used the judgemental sampling method to select twenty-five (25) research participants who are business owners and Information Technology (IT) managers. An online survey was used to collect data from the selected research participants. Results were analysed using content analysis and interpreted using the package with BN tools, and risk analysis techniques. The results were further discussed, and the study concluded with remarks and future developments.

Ret-gadgets in RISC-V-based Binaries Resulting in Traps for Hijackers

Toyosi Oyinloye, Lee Speakman, Thaddeus Eze — Tue, 28 Feb 2023 00:00:00 +0000

The presence of instructions within executable programs is what makes the binaries executable. However, attackers leverage on the same to achieve some form of Control Flow Hijacking (CFH). Such code re-use attacks have also been found to lead to Denial of Service (DoS). An example of code re-use attack is Return Oriented Programming (ROP) which is caused by passing input crafted as chained sequences of instructions that are already existing as subroutines in the target program. The instructions are called gadgets and they would normally end with ret. The ret instructions enable the flow of hijacked execution from one set of instruction to another within the attacker’s control. There could however be exceptions depending on the structure of the chained gadgets where the chained gadget fails to run its course due to inability of specific gadgets to replace the value in the return address (ra) register. The dangers of chained gadgets are not a new idea but the possibility for an attacker’s gadget chain to fall into a trap during a ROP attack is not commonly addressed. In addition to this, recent studies have revealed that understanding the behaviours of gadgets would be useful for building information base in training machine learning (ML) models to combat ROP. This study explains the behaviour of certain ROP gadgets showing the possibility of occurrence of a loop in execution during exploitation. A sample program which accesses gadgets from the GNU C library (glibc) is used to demonstrate the findings. Gadgets identified with this possibility are poor for chaining as they do not contain instructions to load or move new values to the ra register and would produce unreliable exploits. This would result in a trap for the chained gadgets instead of arbitrary code execution, and DoS on the path of the user. This implies that the impact that a ROP chain could have on a targeted process does not only rely on the underlying system architecture but also on relies on the structure of the chained gadget. In this paper, the RISC-V architecture is the focus, new gadget finders (scripts are available) are presented, and sample of chained gadgets are analysed on a RISC-V -based binary.

Basic Elements of Cyber Security for a Smart Terminal Process

Jouni Pöyhönen, Jussi Simola, Martti Lehto — Tue, 28 Feb 2023 00:00:00 +0000

Global maritime transportation and logistics systems are essential parts of critical infrastructures in every society, and a crucial part of maritime logistics processes are seaports. Digitalization helps improve the efficiency of terminal systems in the processes of these ports. In Finland this development is going on and it is called SMARTER research program. In the best cases, digitalization can also promote the reduction of emissions by optimizing port operations and enhancing cargo and people flows while improving the experience for all stakeholders. The improvement of port processes relies on the development of Information and Communication Technology (ICT) and as well as on Industrial Control Systems (ICS) or Operation Technologies (OT). At the same time, the cyber security aspects of maritime logistics also need to be addressed. In Finland, the SMARTER research program has been established to create port services by using, among other tools, Industry 4.0 solutions. As critical systems become more complicated in terms of users, processes and technology, the entire port infrastructure becomes a complex system of systems environment characterized by a conglomeration of interconnected networks and dependencies. ICT systems are significant parts of the operations and core processes, and are related to the administration and management of information in the network. The components of process levels include ICS/OT systems as well.This paper presents findings related to the SMARTER research goal on cyber security, which is a comprehensive cyber security architecture for port services at the system level. The paper emphasizes the importance of system description and recognizing basic system elements and their description in the first phase of the research process. The descriptions of these elements are needed to answer the following question at the beginning of the research: “What are the basic elements of cyber security for a smart terminal process?” The main elements identified in this paper are activities, the recognition of every stakeholder and the relationships between them, security dimensions, security capabilities, and system views of organizational criteria for cyber security in the SMARTER system. The solution can be called the Smart Port Cyber Security Management System (PortCSMS).

Key words: maritime logistics, smart port, cyber security management, SMARTER

Anti-American Stance in Turkey: A Twitter Case Study

Gowri Prathap, Hamdi Kavak, Ekrem Kaya, Luke Palmieri, Saltuk Karahan, Alex Korb — Tue, 28 Feb 2023 00:00:00 +0000

The availability of social media and biased actors exacerbated Anti-American and Anti-Western views to extremes. In this paper, we report our efforts in analyzing anti-American views on Twitter. We have collected over three years of Turkish tweets related to the US, translated them into English, and analyzed these tweets using various computational social science tools. We found that Turkish tweets related to the US are significantly negative, and emotions reflect disgust and anger. Furthermore, we found that the source of the negative views stems from political actors like Trump or Biden rather than general hatred. Our results shed light on potential policy plans and interventions.

Gaps in Asset Management Systems to Integrate Railway Companies’ Resilience

Jyri Rajamäki, Jari Savolainen, Rauno Pirinen, Eduardo Villamor Medina — Tue, 28 Feb 2023 00:00:00 +0000

Railways and metros are safe, efficient, reliable, and environmentally friendly mass carriers. They are critical cyber-physical systems (CPS) that are attractive targets for cyber and/or physical attacks. SAFETY4RAILS project delivers methods and systems to increase the safety and resilience of track-based inter-city railway and intra-city metro transportation. Asset management plays a fundamental role in resilience management. This study analyses the gaps in asset management systems of rail infrastructure. The objective of the study is to understand the weaknesses and vulnerabilities in an asset management system that impacts resilience. The form of triangulation fashion was used for the analysis of consequences for each threat event. The research conducted included: a systematic literature review; a multiple case study review; and an analysis. The strength of asset inventory, condition inspection methods and decision-making scenarios were analysed, and as an expanded part of this analysis, mitigation actions linked to the vulnerabilities were identified. The study implies that asset management systems are most important in resilience management’s response and recovery phases where the largest sudden economic implications can take place. The results of the gap analysis could be used to provide policy recommendations and standardisation efforts.

LoRaWAN & The Helium Blockchain: A Study on Military IoT Deployment

Michael A. Reyneke, Barry E. Mullins , Mark G. Reith — Tue, 28 Feb 2023 00:00:00 +0000

Technology is evolving at a rapid pace, and the demand for a reliable, far-reaching Internet of Things (IoT) network has never been higher. Low Power Wide Area Network (LPWAN) offers an energy-efficient, low-cost, long-range wireless communication protocol catered to IoT devices. A subset of LPWAN, Long Range Wireless Access Network (LoRaWAN), is being rapidly adopted due to its effortless integration into existing system architectures and real-world success. The Helium Network cryptocurrency blockchain’s financial incentives have been used to speed up the LoRaWAN adoption and deployment in urban and rural areas by financially incentivizing gateway owners to establish a redundant network based out of their homes and businesses. In addition to ease of deployment, the Helium Network allows for enhanced security by utilizing a public blockchain ledger to verify the identities of both sender and recipient to combat packet replay and man-in-the-middle attacks. This research argues for the effectiveness of LoRaWAN and Helium Network technology fusion based on real-world examples of a robust and dependable worldwide network. Further, this research advocates for adoption and modification of this technology by the Department of Defense (DoD), to enhance environmental sensing, establish real-time tactical networks, and critical infrastructure and logistics monitoring. If the DoD chooses to integrate these two technologies with its existing IoT infrastructure; it can reliably, securely, and anonymously use LoRaWAN nodes and routers as both a long-range and backup encrypted communication network capable of supporting end-to-end encryption up to AES-128 (DoD SECRET-classification standard). The DoD could capitalize on these successes to advance information dominance in both domestic and international environments. The demonstrated performance and low adoption cost of LoRaWAN and Helium Network technologies could greatly enhance the DoD’s mission of maintaining its lethality and dominance in information warfare.

Blockchain Forensics: A Modern Approach to Investigating Cybercrime in the Age of Decentralisation

Saminu Salisu, Velitchko Filipov — Tue, 28 Feb 2023 00:00:00 +0000

Blockchain forensics (the use of scientific methods to manipulate data to create useful and informative descriptions of the manipulated data) takes data from the blockchain to interpret the flow of digital assets. Investigators use sophisticated data manipulation and visualization tools to identify the travel history of stolen assets. With these capabilities, chain hopping, round-tripping, and all attempts to blur transfer trails by cyber criminals become smoke screens with no effect. This paper establishes a framework for investigating financial crimes on the blockchain, starting with a brief explanation of blockchain forensics, types of financial crimes committed by criminals using the blockchain, and how they can be mitigated using OSINT’s (OSINT, 2022) investigation process of data collection, data preservation, data processing, and data presentation. This paper also presents a community-based approach to financial crime investigations on the blockchain that involves the public and victims themselves contributing valuable intelligence that can be used to trace and track criminals by authorities and security agencies in the global fight against cybercrime.

Biocybersecurity and Deterrence: Hypothetical Rwandan Considerations

Issah Samori, Gbadebo Odularu, Lucas Potter, Xavier-Lewis Palmer — Tue, 28 Feb 2023 00:00:00 +0000

Digitalization and sustainability are popular words within modern disciplines as practitioners each look toward the future of their respective fields. Specifically for the African continent, which is making great strides in developmental targets, those two terms are central to core aspects of policy initiatives that may foster cooperation across its varied lands and nations. One of the underlying challenges that confront Africa is a lack of strong regional integration across socioeconomic and political programs; there is value in African regions having more regional connectedness. We assess the rate of regional integration and development in Africa and discuss how to alleviate development crises that could be accelerated by deploying a sustainable cybersecurity strategy, which increasingly includes the bioeconomy and its components. This can be done through the application of Fourth Industrial Revolution (4IR) technologies such as Artificial Intelligence (AI) and modern biotechnology. This work suggests that political and socio-economic activities associated with regional integration must be seen as an all-encompassing task that transcends beyond national boundaries towards a cyber biodefense fortification and increases in 4IR technological integration. This has the aim of thereby encompassing efforts to persuade leaders to fast-track policies that seek to promote geospatial cyberinfrastructure, integrative cybersecurity considerations, cross-border digitalization programs, and increased need for cybersecurity research and education, with mindfulness towards education and further integration of mindful automation. In conclusion, a model of integrative security is proposed for Africa.

Lesson Plan: An Interdisciplinary Approach to Teaching Cyber Warfare Concepts

Donna Schaeffer, Patrick Olson — Tue, 28 Feb 2023 00:00:00 +0000

Interdisciplinary topics and fields need special attention to ensure that the breadth of the knowledge they represent are completely expressed. This is especially important and difficult to achieve in curriculum areas that tend to add new ideas on a constant basis and are sometimes interdisciplinary themselves. The topic/field cyber warfare is area this paper considers. This paper recommends and describes a lesson plan that provides the means of achieving a fully expressed examination of cyber warfare. The outcome is an articulation of the concept that will diffuse knowledge about cyber warfare. The lesson plan will be useful to any institution (particularly universities and government agencies) that need to diffuse knowledge about cyber warfare.

The Impact of Edge Computing on the Industrial Internet of Things

Nkata Sekonya, Siphesihle Sithungu — Tue, 28 Feb 2023 00:00:00 +0000

The emergence of the Industrial Internet of Things (IIoT) has improved the management of industrial operations and processes. IIoT involves collecting and processing data from a vast array of sensors deployed across industrial complexes. This enables the measurement of the efficiency of industrial processes, monitoring the health of machinery, optimisation of operations, and response to real-time events. In its application, IIoT underpins the operation of critical infrastructure in sectors including manufacturing and utilities. Maintaining the availability and resilience of critical infrastructure against internal and external threats is essential to minimise disruptions that could have a debilitating effect on a nation’s economy. Although internal threats can lead to a critical infrastructure’s downtime, external threats through cyberattacks also pose a significant threat. Historical events have demonstrated that the successful disruption of critical infrastructure can lead to the loss of human life, the interruption of necessary economic activities and national security concerns. Therefore, the availability of resilient critical infrastructures is vital to the well-being of a country. In this context, the paper compares the deployment of traditional IIoT to that of edge computing for the storage and processing of data. Traditional IIoT relies on a centralised server for data storage and processing, which is insufficient as IIoT environments cannot tolerate delays in responding to real-time events. Conversely, edge computing allows for data processing at the edge, closer to the data source, which plays a crucial role in enabling IIoT devices to respond to real-time events by reducing decision-making latency. Moreover, the decentralised nature of edge computing reduces the reliance on a centralised server by only sending required data to the cloud for further processing. Although edge computing enhances IIoT deployments, a notable concern is a resultant increase in the attack surface of IIoT environments, which consequently restricts its implementation. Exploratory research is conducted to explore the integration of edge computing into IIoT environments with a focus on improving the management and operation of critical infrastructures. A review of the current literature is performed to identify and discuss security concerns prevalent in edge computing-enabled IIoT environments and proposed mitigation strategies.

Cyber Threat Analysis in Smart Terminal Systems

Jussi Simola, Jouni Pöyhönen, Lehto Martti — Tue, 28 Feb 2023 00:00:00 +0000

Cyber threats create significant factors that challenge traditional threat prevention mechanisms in harbor areas and port terminals. It has been recognized that understanding security functionalities in the harbor area is based on a more traditional experience of what it requires. It is not enough that the maritime and harbor ecosystem repeats only physical security service routines regarding random checks of passengers and vehicles and customs functions on cargo and passenger transportation. Smart environments and infrastructures are widely expanded in urban areas and create more challenges if old practices are combined with new technologies and functionalities. Traditional threats have changed to a combination of threat types. While developing cyber or physical threats may evolve into hybrid threats, it may prevent everyday harbor activities so that damage can become long-lasting and harm business continuity management. Therefore, it is essential to analyze cyber threat factors in Smart Terminal Systems. The research provides cyber threat and vulnerability analysis and the main attack vectors in the Smart Terminal systems. This research belongs in Finland to the maritime Sea4Value (S4VF) research program that includes Smart Terminals (SMARTER) project for harbor’s digitalization.

Towards a Scientific Definition of Cyber Resilience

Sidney Smith — Tue, 28 Feb 2023 00:00:00 +0000

Cyber resilience must be improved. Improving cyber resilience requires the quantitatively measuring it. However, before cyber resilience can be measured, it must first be scientifically defined. An effort to discover a consensus among researchers as to the scientific definition of resilience, in general, and cyber resilience, specifically, revealed that no such consensus exists. Experts from several disciplines agree that the word resilience is becoming a meaningless buzz word. This paper reviews the literature to establish the current state of the scientific definition of resilience. It briefly surveys the literature to discover what makes a valid scientific definition. It reviews and analyses the historic scientific use of resilience to discover the path from its original meaning to its current diverse and conflicting meanings. These concepts are decomposed using a genus-differentia analysis untangling the various connotations and separating the related but different concepts. Based upon this analysis, a proposal is made that resilience is part of a family of properties under the umbrella of tenacity. This family includes resistance, resilience, persistence, and perseverance. Finally, an initial operational definition of cyber resilience based upon key performance parameters under stress is proposed.

Implications of Cyberbiosecurity in Advanced Agriculture

Simone Stephen, Keitavius Alexander, Lucas Potter, Xavier-Lewis Palmer — Tue, 28 Feb 2023 00:00:00 +0000

The world is currently undergoing a rapid digital transformation sometimes referred to as the fourth industrial revolution. During this transformation, it is increasingly clear that many scientific fields are not prepared for this change. One specific area is agriculture. As the sector which creates global food supply, this critical infrastructure requires detailed assessment and research via newly developed technologies (Millett et al, 2019; Peccoud et al, 2018) . Despite its fundamental significance to modern civilization, many aspects of industrial agriculture have not yet adapted to the digital world. This is evident in the many vulnerabilities currently present within agricultural systems, as well as the lacking and fragmented nature of policy dictating cybersecurity stances– the field which intersects both cybersecurity and biosecurity to protect several areas within life sciences (Murch et al, 2018; Duncan et al, 2019; U.S. Department of Agriculture, 2022) . These looming oversights create dangers to advanced agricultural systems, which in turn poses risk to businesses, economies, and individuals. While there are various methods to reduce these risk factors, they ultimately depend on the careful consideration of cyberbiosecurity (CBS) by all involved. This includes the system developers, equipment engineers, and especially the end users - all of us. A conscientious team-effort can work to diminish risks and ultimately provide a safer environment for advanced agriculture and all who depend on it. This analysis explores numerous vulnerabilities within the system of advanced agriculture, discusses potential solutions to the escalating risks they present, and considers the achievable future of an advanced agricultural system which further implements the role of CBS.

Organizational Cybersecurity Post The Pandemic: An Exploration of Remote Working Risks and Mitigation Strategies

Tue, 28 Feb 2023 00:00:00 +0000

The Covid-19 pandemic has forced organisations to embrace the largest remote workforce in history, yet this upheaval also brought an increasing number of cyber vulnerabilities to the fore. Organisations must remain committed to not leaving business processes, personal data, or vital infrastructure at risk, which has proved challenging for most. As remote working establishes itself as the new normal, criminals are seeking to capitalize on the widespread cybersecurity uncertainty, and succeeding. Private organisations and cybersecurity professionals must come together to establish robust solutions for home working cybersecurity.

This investigation explores several prevalent cyber risks (private networks, public hotspots, remote desktop protocol, authentication policies, virtual private network configuration and phishing attacks) across three key threat classifications of management, technical and human factors when remote working from the perspective of twenty industry experts. These findings offer key insights to emerging vulnerabilities, while also revealing defined strategies for organisations to help mitigate these challenges.

A Quantitative Risk Assessment Framework for the Cybersecurity of Networked Medical Devices

Maureen Van Devender, Jeffrey Todd McDonald — Tue, 28 Feb 2023 00:00:00 +0000

Medical devices are increasingly the source of cybersecurity exposure in healthcare organizations. Research and media reports demonstrate that the exploitation of cybersecurity vulnerabilities can have significant adverse impacts ranging from the exposure of sensitive and personally identifiable patient information to compromising the integrity and availability of clinical care. The results can include identity theft and negative health consequences, including loss of life. Assessing the risk posed by medical devices can provide healthcare organizations with information to prioritize mitigation efforts. However, producing accurate risk assessments in environments with both sparse historical data and a lack of validation regarding the accuracy of forecasts is particularly challenging.

We present a risk assessment framework for quantifying the risk posed by connected medical devices in trusted healthcare networks. Our framework is built upon prominent existing frameworks and guidance for general risk assessment and cybersecurity risk assessment. We add a method for quantifying risk, which to our knowledge is novel in the context of medical devices on trusted networks. The framework provides a structure for combining publicly available information along with expert elicitation about threats, vulnerabilities, and consequences. The goal is to provide healthcare organizations with actionable information for prioritizing and mitigating risks in medical devices.

Towards the Usefulness of Learning Factories in the Cybersecurity Domain

Namosha Veerasamy, Thuli Mkhwanazi, Zubeida Dawood — Tue, 28 Feb 2023 00:00:00 +0000

The success of an organisation depends on its employees’ skills and the extent to which they are developed. Although organisations often assume employees are fit and ready for a new position or new developments in their functions, employees need adequate training before, during and after effective performance in their respective roles. Amongst other important roles, training is significant in problem-solving, continuously improving skills, and creating consistency or culture in the work environment. Nonetheless, the significance of training is often disregarded or not understood by organisations as there are often inadequacies, inconsistencies, and ignorance from the employer.

Furthermore, organisations are facing cybersecurity skills shortages. Some specialists leave the profession due to a lack of skills or support. The lack of experienced and qualified cyber security specialists increases the risk of IT system systems being targeted with cyber-attacks. Having insufficient cybersecurity staff, companies may struggle to protect their networks from attacks. Organisations are being placed into a troubling position as the threat landscape continues to evolve. With the growth in volume and sophistication of cyber security attacks, the problem of a skilled workforce is exasperated.

In order to support the cybersecurity workforce, this paper proposes the implementation of learning factories. Typically, learning factories have been used in the manufacturing sector. However, the fundamental principles and guiding ideologies can also be applied in the cybersecurity domain. Learning factories provide a mechanism to remove the barriers of entering the field of cybersecurity by cultivating and nurturing a cybersecurity workforce. They enable the broadening of the scope for talent and change our current working practices and tighten the gap between education and experience. The closing of the talent gap is an important imperative for cybersecurity. In this paper, a motivation and description of the functionality of learning factories for cybersecurity is provided. Through this paper the benefits of learning factories will be highlighted in order to show the advantages of active engagements in learning activities, real-world application and information sharing.

Naïve Bayes Supervised Learning based Physical Layer Authentication: Anti-Spoofing techniques for Industrial Radio Systems

Andreas Weinand, Christoph Lipps, Michael Karrenbauer, Hans Dieter Schotten — Tue, 28 Feb 2023 00:00:00 +0000

Physical Layer Security (PLS) based authentication schemes are an alternative to conventional security schemes such as e.g. certificates or Message Authentication Codes (MACs). They can provide a more lightweight solution compared to traditional cryptography in order to meet the requirement of secure data transmission. However, errors in Physical Layer Authentication (PLA) techniques can occur due to adverse influences resulting from PLS schemes such as receiver noise or fading channels. Skillfull methods are therefore required in order to detect anormal system behaviour. One promising solution are supervised classification schemes. The application of Naïve Bayes (NB) classifiers for PLA is therefore proposed and evaluated within this work. Prior to that, we analyse the resource efficiency within typical Ultra Reliable Low Latency Communication (URLLC) applications and conduct a security overhead analysis. We propose strategies in order to overcome the problem of missing training data from either the URLLC user or attacker node. A real world Software Defined Radio (SDR) based testbed using OFDM (Orthogonal Frequency Division Multiplexing) is implemented in order to evaluate the performance of NB based PLA. The measurements are conducted within the german campus network frequency band (LTE band 43). Further, we conduct a hyperparameter optimization (HPO) based on random search. The investigated classifiers show promising results in terms of authentication accuracy and Receiver Operating Characteristic (ROC) curve performance.

How the Russian Influence Operation on Twitter Weaponized Military Narratives

Dana Weinberg, Jessica Dawson, April Edwards — Tue, 28 Feb 2023 00:00:00 +0000

Since 2016, Russia has engaged in a dedicated influence operation against the United States to exacerbate existing cleavages in American society and to undermine US national security. Although distinctly modern in its use of social media platforms, the current methods align with old Soviet doctrine using information warfare to gain a strategic edge over competitors. We examine Russia’s use of military-related content and profiles in their influence operation on Twitter and, in particular, the strategic deployment of military narratives. Using data from Twitter’s comprehensive data archive of state-backed information operations, we find that 12.14% of the 1,408,712 tweets in English from 2009 through February 2021 contain military-related content. In addition, of the 2,370 fake accounts on Twitter tied to the IRA and GRU, 148 were from accounts posing as military or military-adjacent, and these accounts posted 12.7% of the influence operation’s tweets. Together, tweets containing military-related content or coming from fake military and military-adjacent profiles account for 22.6% of the tweets identified as part of the Russian influence operation on Twitter. The Russians used narratives related to veterans, particularly sacrifice narratives and post-Vietnam government betrayal of sacrifice narratives. Patriotic sacrifice narratives were used to gather and engage an audience and to legitimize and amplify the content and accounts. In contrast, betrayal of sacrifice narratives were weaponized to amplify and escalate divisive social issues by tying them to veterans’ sacrifices. We conclude the Russians amplified existing military narratives in American culture and used fake American military profiles to wrap anti-government sentiment in patriotic trappings to exacerbate existing social divisions. Turning Americans against their government achieves Russian strategic goals of removing American influence abroad and allowing Russia to have greater impact on the levers of international power that serve Russian interests.

Nuclear Weapons, Cyber Warfare, and Cyber Security: Ethical and Anticipated Ethical Issues

Richard Wilson, Alexia Fitz — Tue, 28 Feb 2023 00:00:00 +0000

In this paper, we discuss the interrelationship of nuclear weapons, cyber warfare, and cyber security. Some of the most significant cyber threats to nuclear stability are now due to the intersection of technologies related to nuclear weapons and cyber technology. Cyber warfare can now be used to engage in and influence international events through cyber attacks upon nuclear systems and weapons. In the current war between Russia and Ukraine there has been the threat of the use of nuclear weapons. Since cyber warfare has already been employed in the Russia/Ukraine conflict it is possible that cyber attacks could be employed to trigger a nuclear event. To prevent cyber warfare from leading to nuclear warfare there needs to be a focus on cyber security in order to protect nuclear systems and nuclear arsenals but also to mitigate cyber attacks that could lead to the use of nuclear weapons.

One of the main risks to nuclear weapons systems is sabotage. It is easy to imagine cyber attackers placing incorrect information into systems and even taking control of nuclear weapons. Various parts of nuclear weapons systems are capable of being targeted. Command and control systems, alert systems, launch systems, and target-positioning systems could all become targets. Scenarios in which alert systems are hacked and show a nuclear attack by adversaries, may lead to an accidental nuclear conflict. It is also conceivable that hackers could manipulate the coordinates of (pre-programmed) targets of nuclear missiles, or to spoof GPS-like systems that some missiles use to calculate their positions their targets. At the present time there is no evidence that any state or non-state actor is able to successfully perform such manipulations but considering the exponential rate of developments in the cyber arena, in the near future, such attacks might be possible. In the worst-case scenarios, these possibilities could lead to the inadvertent use of nuclear weapons, and/or use against unintended targets. In less dramatic scenarios, the perceived vulnerabilities of the nuclear weapons systems may affect nuclear stability. This could lead to a decrease in the deterrent value of nuclear weapons. This could come about because potential adversaries may think they have options to manipulate these weapons when being used. It is difficult to forecast the effects of decreasing nuclear deterrence.

This analysis will define a stakeholder framework for identifying the ethical and anticipated ethical issues with cyber warfare and nuclear warfare and relate these issues to the importance of cyber security. Ethics should be at the center of the discussion of the use of nuclear weapons, nuclear warfare and cyber warfare. Moral concerns should be at the center of the discussion of nuclear warfare. The need for this moral concern is due to the threat to vulnerable populations by nuclear systems and nuclear weapons, as well as the threat posed to democratic institutions by the use of nuclear weapons.

Robots Security Assessment and Analysis Using Open-Source Tools

Benjamin Yankson, Tyler Loucks, Andrea Sampson, Chelsea Lojano — Tue, 28 Feb 2023 00:00:00 +0000

The Internet of things (IoT) has revolutionized many aspects of the world, including industrial systems, automobiles, home automation, and surveillance, to name a few. IoT has offered a multitude of conveniences for our daily lives, such as being able to control our thermostats remotely, view our home surveillance cameras while away, or have a smart television that can surf the web. However, the widespread adoption of IoT devices combined with their vast device vulnerabilities results in significant security risks reinforcing the need for more robust default security controls and public awareness. As such, this paper aims to discover and document security vulnerabilities in the Asus Zenbo Junior IoT robot, along with providing a few best practices when securing smart home devices. This work presents an experiment using several security vulnerability assessment tools such as Nmap and OpenVAS scans to assess cybersecurity vulnerability currently present on Zenbo based on the 4P forensic investigative framework. The result of the experiment shows multiple open ports were discovered, along with miscellaneous information that an attacker could use to their advantage to attack the Zenbo robot. Based on the result, this work presents various security precautions that can help users protect against cyber-attack.

Social Robots Privacy Enhancement Using Colored Petri Net (CPN) for Behavior Modeling: A Case Study of Asus Zenbo Robot

Benjamin Yankson, Farkhund Iqbal, Fadya AlMaeeni — Tue, 28 Feb 2023 00:00:00 +0000

The interactions between a social robot and the user consist of continuous communication and behavior involving different data types that can be subject to cybersecurity attacks and prone to user privacy concerns. In this paper, we use Colored Petri Net (CPN) to develop two graphical models that illustrate different patterned behavior of a robot during such interaction. Using CPN, we model and analyze complicated robot system interactions considering synchronization and concurrency of events that can be subject to privacy violations. We focus on two specific scenarios involving user registration and medication reminder to provide an efficient illustration of the objects and events collaborated to carry out the intended tasks of the robot pertaining to privacy issues. The results show that CPN modeling simulation can capture and represent the robot's behavior, provide a better understanding of the task execution, and highlight users' privacy gaps requiring immediate controls.

A Unified Forensics Analysis Approach to Digital Investigation

Ali Alshumrani, Nathan Clarke, Bogdan Ghita — Tue, 28 Feb 2023 00:00:00 +0000

Digital forensics is now essential in addressing cybercrime and cyber-enabled crime but potentially it can have a role in almost every other type of crime. Given technology's continuous development and prevalence, the widespread adoption of technologies among society and the subsequent digital footprints that exist, the analysis of these technologies can help support investigations. The abundance of interconnected technologies and telecommunication platforms has significantly changed the nature of digital evidence. Subsequently, the nature and characteristics of digital forensic cases involve an enormous volume of data heterogeneity, scattered across multiple evidence sources, technologies, applications, and services. It is indisputable that the outspread and connections between existing technologies have raised the need to integrate, harmonise, unify and correlate evidence across data sources in an automated fashion. Unfortunately, the current state of the art in digital forensics leads to siloed approaches focussed upon specific technologies or support of a particular part of digital investigation. Due to this shortcoming, the digital investigator examines each data source independently, trawls through interconnected data across various sources, and often has to conduct data correlation manually, thus restricting the digital investigator’s ability to answer high-level questions in a timely manner with a low cognitive load. Therefore, this research paper investigates the limitations of the current state of the art in the digital forensics discipline and categorises common investigation crimes with the necessary corresponding digital analyses to define the characteristics of the next-generation approach. Based on these observations, it discusses the future capabilities of the next-generation unified forensics analysis tool (U-FAT), with a workflow example that illustrates data unification, correlation and visualisation processes within the proposed method.

Offensive Cyberspace Operations for Cyber Security

Gazmend Huskaj — Tue, 28 Feb 2023 00:00:00 +0000

This work-in-progress research product covers Offensive Cyberspace Operations for Cyber Security or “Offensive Defense” for Cyber Security. Offensive cyberspace operations are shrouded in secrecy. From an intelligence perspective, this makes sense because of their development since Operation Desert Storm in 1991. The phenomenon, dubbed “Information Warfare,” and to the professionals’ surprise, they could remotely turn off an Iraqi power substation. However, the implication of remotely turning off the power substation was not only to cut off the power source to an Iraqi military headquarters, but it also meant cutting off the power to a nearby hospital, risking the lives of injured Iraqi soldiers protected by the Geneva Conventions. Since the 2000s and onwards, and with the US military recognizing cyberspace as a war-fighting domain, establishing United States Cyber Command (USCYBERCOM) may be a milestone. Thus, researchers have put much thought into cyberspace operations (offensive, defensive), such as doctrine, organizations, training, materials, leadership and education, personnel, facilities, and policy. One phenomenon, dubbed “defending forward,” was coined in the 2018 US Department of Defense Cyber Strategy. The idea is simple: take the fight to the adversary. Other terms include “hunt-forward operations” and “offensive defense.” Therefore, what is “Offensive Defense” for cyber security, and why now?

Categorizing Cyber Activity Through an Information-psychological and Information-technological Perspective, Case Ukraine.

Harry Kantola — Tue, 28 Feb 2023 00:00:00 +0000

Russian approach to warfighting includes an informational facet. Western hemisphere usually treats cyber activity as a tool similar to traditional warfighting tools such as rifles, artillery and tanks, whereas the Russian approach has an informational and narrative stance to the whole conflict. Placing information in the focus, switches the cyber activity to serve either an informational-psychological or an informational-technical approach. Examining the activity from this non-conventional trait and correlating it to other activities during the execution, the study highlights the coordination of kinetic and non-kinetic actions in an altered manner. In this article I am examining cyber activity through the terms of information-psychological and information-technological approach to form an understanding of Russian or Russian supported activities in cyber space before and during the Ukraine crisis. This will recognize types of cyber activity connected to actions in the physical environment. Actions identified are categorized and placed in a matrix created on psychological and/or technical clout. From this matrix groups of activities are scrutinized in correlation to other activities to expose possible narratives or underlying themes. The study relies on a variant of Grounded theory and is selected to elude from examine technical methods and actions. The observed timeframe is for the first study from 2021, well before the current hot phase, until summer 2022. This article is the first part of a two-stage study, where the first part examines cyber activity through the terms of information-psychological and information-technological approach. The second study places the previous findings in correlation to actions, reactions and mitigation activities to find out how defensive measures were relevant or if the outcome were result of something else than deliberate defensive (cyber-)activities. Throughout the larger study, the underlying hypothesis is that there is a larger coordination of cyber activities than acknowledged related to the ongoing crisis.

Using Military Cyber Operations as a Deterrent

Maria Keinonen — Tue, 28 Feb 2023 00:00:00 +0000

The Deterrence theory was formed after the World War II to describe the tensions between nuclear-armed states. Because of its origins, deterrence is mainly researched from the point of view of powerful states. However, deterrence nowadays is essential for any state to include in their strategies. The ever-increasing dependence on technology forces states to protect their sovereignty in cyberspace as well as in other domains. Cyber operations should be considered not just as a means to protect the cyber domain, but as means of deterrence. Cross domain deterrence (CDD) is a theory that includes all the warfighting domains in creating deterrence, including cyberspace. Despite these new perspectives, the use of military cyber operations as a deterrent has been studied mainly in terms of offensive strategies. Incorporating all types of military cyber operations into deterrence strategies is understudied. This study focuses on the possibilities of a small state to use cyber operations to create deterrence. The research question is: “How can a small state use cyber operations as a deterrent?” According to the Finnish understanding, cyber operations can be divided into three types: offensive, defensive and supportive operations. Using Finland as a case study, this paper argues that using military cyber operations is noteworthy for any state dependent on cyberspace, not only for military purposes, but for building CDD. The CDD theory and characteristics of cyber operations are studied in order to form better understanding of the topic and provide ideas for academic discussion. The research methods are content and SWOT analysis. The key observation presented is that each type of cyber operation has a role in forming CDD. For a small state, it´s profitable to use every type of cyber operations and thus expand the tool box for deterrence.

Identifying Commonalities of Cyberattacks Against the Maritime Transportation System

Rebecca Rohan — Tue, 28 Feb 2023 00:00:00 +0000

The purpose of this study is to identify commonalities in cyberattacks against the civilian maritime transportation system (MTS). For this exploratory study, the researcher analysed documents to identify trends about the cyberattacks impacting and responsible adversaries targeting maritime operations. The MTS can use identified trends to make informed decisions about information technology (IT) and operational technology (OT) requiring new or enhanced cybersecurity measures. Current research examining publicly disclosed cyberattacks impacting MTS companies identifies the trend of increasing cyberattacks against the MTS. However, current research fails to examine adversaries and their social-political needs thoroughly. Knowledge of the adversary based on the Diamond Model of Intrusion Analysis can be augmented by identifying which MTS assets (e.g., shipbuilding, ports) and which aspect of the information security triad—Confidentiality, Integrity, or Availability (CIA)—the adversary targeted. At the conclusion of this limited, exploratory document analysis, the researcher determined the most compromised aspect of the information security triad was Availability and then Confidentiality; there were no identified Integrity compromises. The most targeted MTS assets was shipping companies, followed by ports, administration, shipbuilding, and vessels. Concerning the adversary customer behind MTS cyberattacks, China was first, followed by unknown cyber adversaries, then Russia, Iran, and Israel. Last, in terms of adversary’s social-political needs, data exfiltration occurred the most, followed by ransomware, political agenda, and unknown needs.

Evaluating a Non-platform-specific OCR/NLP system to detect Online Grooming

Jake Street, Funminiyi Olajide — Tue, 28 Feb 2023 00:00:00 +0000

Online Grooming is a social engineering attack in which the attacking party uses deceptive practices for sexual gratification. The targets of these attacks can vary in demographics however in most cases the target is children, with most of these attacks occurring on social media platforms. As well as the illegality of these attacks in the UK and US, children who experience these attacks are at a higher risk of self-harm or having suicidal thoughts. Due to the deployment of new social media platforms/features any implementation that is made specific to a certain feature/platform is likely to be outdated/ineffective upon release, due to the volatility of the methods/tactics used. Therefore a non-platform specific implementation has been considered within this investigation. From a preliminary analysis, it was concluded that there was an average true positive detection rate of 71% from using optical recognition and natural language processing across three different social media platforms. It is suggested that implementing this text extraction and processing method alongside a 'category-based' machine learning algorithm, a solution that can identify online grooming can be developed that considers the 'real world complexities' of this attack.

Locality-based electromagnetic leakage assessment using CNN

Ian Heffron, James Dean — Tue, 28 Feb 2023 00:00:00 +0000

Deep learning side-channel analysis (SCA) attacks have recently gained in popularity. The ability of deep learning models to retrieve a key byte while minimizing the need for pre-processing steps in both cases of misaligned traces and when the leakage model is multivariate has contributed to the popularity gain. Near-field electromagnetic (EM) probes have enabled leakage capture with high spatial resolution, and the field of deep learning side-channel research looks to find models which reduce the required number of leakage traces to retrieve a key byte successfully. However, despite the many papers researching techniques to reduce the number of traces required for a successful attack, location-based research for EM SCA remains untouched. Due to the nature of EM probes and the architecture of different boards and chips, the location of the collection probe becomes important when attempting to extract the secret key within a reasonable timeframe and with a level of certainty in the result. Our contribution is a framework to determine the best location to assess localized EM leakage against a given chip platform. We use a raster scan to collect localized leakage results at 25 points in a 5x5 grid pattern on a ChipWhisperer Lite XMEGA board running an open-source implementation of the AES-128 encryption algorithm. We demonstrate the use of our framework to locate the best points for an attacker to execute a profiling attack by identifying the grid point with the most detectable leakage for a chip platform. We further execute a smaller localized 25-point raster scan in a grid over the identified location to further refine our estimate of the optimal collection location. We then demonstrate that this location can be used to execute a side-channel profiling attack against the same chip architecture and will result in a lower number of traces required to retrieve the key byte.

Using Deep Reinforcement Learning for Assessing the Consequences of Cyber Mitigation Techniques on Industrial Control Systems

Terry Merz, Romarie Morales Rosado — Tue, 28 Feb 2023 00:00:00 +0000

This paper discusses an in-progress study involving the use of deep reinforcement learning (DRL) to mitigate the effects of an advanced cyber-attack against industrial control systems (ICS). The research is a qualitative, exploratory study which emerged as a gap during the execution of two rapid prototyping studies. During these studies, cyber defensive procedures, known as “Mitigation, were characterized as actions taken to minimize the impact of ongoing advanced cyber-attacks against an ICS while enabling primary operations to continue. To execute Mitigation procedures, affected ICS components required rapid isolation and quarantining from “healthy” system segments. However today, with most attacks leveraging automation, mitigation also requires rapid decision-making capabilities operating at the speed of automation yet with human-like refinement. The authors settled on the choice of DRL as a viable solution to this problem due to the algorithm’s designs which involves “intelligent” decisions based upon continuous learning achieved through a rewards system. The primary theory of this study posits that processes informed by data sources relative to the execution path of an advanced cyber-attack as well as the consequences of deploying a particular Mitigation procedure evolve the system into an ever-improving defensive capability. This study seeks to produce a defensive DLR based software agent trained by a DRL based offensive software agent that generates policy refinements based upon extrapolations from a corrupted network state as reported by an IDS and baseline data. Results include an estimation rule that would quantify impacts of various mitigation actions while protecting the operational critical path and isolating an in-progress attack. This study is in a conceptual phase and development has not started.

This research questions for this study are:

RQ1: Can this software agent categorize correctly an in-progress cyber-attack and extrapolate the potential ICS assets affected?

RQ2: Can this software agent categorize novel cyber-attacks and extrapolate a probable attack vector while enumerating affected assets?

RQ3: Can this software agent characterize how operations are affected by quarantine actions?

RQ4: Can this software agent generate a set of ranked recommended courses of action by effectiveness, and least negative effects on the operational critical path?

Demonstrating Redundancy Advantages of a Three-Channel Communication Protocol

Scott Culbreth, Scott Graham — Tue, 28 Feb 2023 00:00:00 +0000

Multi-Channel communications have the potential to provide advantages in security and redundancy. One widespread example of additional security is the use of 2 Factor Authentication wherein an authorization code is sent via a separate channel. As another example, spread spectrum technology offers resilience against channel interference. However, no currently deployed communication protocols take advantage of the full spectrum of security and performance gains that can be obtained through transmitting data over multiple channels. Taking inspiration from Redundant Array of Inexpensive Disks (RAID) and their use of data striping and mirroring, a secure multi-channel communication protocol was developed that is able to have greater security than an equivalent single channel system while also having greater resiliency against data corruption, therefore requiring fewer, if any, retransmissions than a single channel system when operating in a low availability environment. This approach admittedly comes with significant overhead, both in the use of additional channels and the need for additional processing. Whether the security and availability gains are worth the costs is an open question, with specific answers highly dependent on the particular applications. A specific multi-channel communication protocol, with three independent channels, and incorporating duplication on the bit level, was built and exercised within the OMNeT++ simulation environment in order to examine specific aspects of performance and security of the protocol. This exercise demonstrates that a secure multi-channel protocol operates with less latency than an equivalent single channel system when experiencing less than 50% channel corruption due to adversarial injection, resulting in reduced data loss and need for re-transmissions.

UAV Payload Identification with Acoustic Emissions and Cell Phones

Hunter Doster, Barry Mullins — Tue, 28 Feb 2023 00:00:00 +0000

The growing presence of Unmanned Aerial Vehicles (UAVs) in all sectors of society poses new security threats to civilian and military sectors. In response, new UAV detection systems have and are being developed. Current systems use techniques such as Radio Detection And Ranging (RADAR), visual recognition, and Radio Frequency (RF). Another promising solution for UAV detection uses acoustic emissions. Past researchers demonstrated the ability to use UAV acoustic signatures to determine whether a UAV carries a payload and the weight of that payload at close range with high-quality microphones. This research expands the field of study by performing acoustic payload detection using cell phones and at farther range by developing the system called HurtzHunter. The system collects audio data and extracts Mel-Frequency Cepstrum Coefficients (MFCCs) to train Support Vector Machines (SVMs). The HurtzHunter system tests acoustic payload detection with one high-quality microphone and six different cell phones at 7 m - 100 m ground distance from the UAV. At each distance, the experiment runs 6 flights each with a unique payload attached to the UAV. The HurtzHunter design achieves an 88.26% - 99.93% payload prediction accuracy depending on the configuration.

Just Warfare: Is a Nuclear Attack an appropriate Response to a Cyber Attack?

Alexia Fitz, Richard Wilson — Tue, 28 Feb 2023 00:00:00 +0000

It is well known that nuclear weapons pose a grave threat to humanity because of their destructive power and to the lives of innocent civilians potentially affected by them. What might be less known are the grave effects that cyberwarfare can potentially have on a state and its nuclear security. Most nuclear weapons systems were designed decades ago, when manipulations of computer networks, or cyber-attacks, were practically a non-existent threat. In the present international political situation, where threats about the use of strategic nuclear weapons, have been discussed, cyber threats are everywhere, and it may be expected that they will have consequences for the stability of nuclear weapons systems as well. Considering the many unknowns of the continually evolving issues related to cyber threats, it is hard to measure how serious the risks are, but the idea cannot be excluded that, over the long term, they may have “game-changing” effects on the perceived value of nuclear weapons. Potential consequences of this phenomenon include cyber operations targeting nuclear weapons development, nuclear weapons systems, and cyber operations replacing nuclear weapons.

It is crucial that nation states, such as for example the United States, work hard to prevent cyber-attacks in a world where we are becoming more reliant on computer systems that if disrupted could destroy the economy, politics, and even military operations. The question, of how far states are willing to go to protect their cyber realm, and the extent to which their nuclear policies might allow for the possibility of a nuclear response to a cyberattack, present significant issues. This analysis will employ distinctions from just war theory, to attempt to address these issues. Just warfare is important to this analysis because developing a sense of right and wrong in a case of unpreventable conflicts could avoid further escalation and even more devastating results. In other words, what occurs when we apply the ethical distinctions of Just War Theory, to Cyber Attacks related to nuclear weapons? Can the distinctions of Just War Theory be employed to create a taboo, so that, the protection of a states cyber security creates an obstacle so that cyber warfare does not lead to a result such as nuclear attack? This analysis also takes into consideration anticipatory research, while developing an argument based on ethical considerations without a nuclear attack having to occur first. Anticipatory research such as this is important as the foundation for developing preventative measures because it can be used to argue for the creation of policies (both domestic and international) that will not allow for a nuclear response to a cyber-attack, therefore eliminating the threat to the international community.

This analysis will employ a basic conceptual analysis that will proceed by defining critical terminology and will attempt to address the ethical and anticipated ethical issues related to answering the question, Is a Nuclear Attack ever an appropriate response to a cyberattack?

A Review and Testing of Fault Tolerance Levels of Anti-Poaching Cybersecurity System

Isabelle Heyl, Julia Stone, Takudzwa Vincent Banda, Vian Smit, Dewald Blaauw — Tue, 28 Feb 2023 00:00:00 +0000

The development of anti-poaching networks and systems has created a new environment for animals in game reserves all over the world. Advanced technologies such as heat sensors, drones, and trip wires help prevent poachers from entering the property and therefore, creating a safer environment for animals to roam freely. Radio frequency identification (RFID) systems are used to track the location of animals. These networks are, however, susceptible to being hacked if not properly protected with cybersecurity tools, resulting in cyber-criminals gaining access into the network. Many attacks or threats can be executed on the RFID network due to some exposed vulnerabilities of elements within the anti-poaching network. The purpose of this paper is to explore the empirical methods of common attacks, used by cyber-criminals, to attack the anti-poaching network, and whether these methods used are effective in identifying weaknesses within the network. This will be executed by creating an experimental structure of the anti-poaching system with a specialised focus on the RFID elements, using quantitative research methods to produce findings. GNS3, an open-source software application that has specifically been chosen to conduct this research, is used to build the network simulation in order to analyse the weaknesses of the network. Cybersecurity protocols are implemented to protect the network and aim to protect the animals. The attacks performed, such as Flood and Scapy attacks, have shown that the anti-poaching network is vulnerable to penetration from cyber-criminals. A hypothesis test was conducted to determine whether the attacks had a significant effect on the network, by using the average ping time from specific nodes to Google. It was found that the average ping time increased by 2.0020 units, therefore stating that the elements of the network were successfully attacked. The fault tolerance test shows that the availability of the anti-poaching network is roughly 90 percent which concludes that the network is configured to deliver quality performance and handle failures, should there be any intervention. This will allow game reserves to implement and have information on a better and safer RFID system for the animals.

DACA: Automated Attack Scenarios and Dataset Generation

Frank Korving, Risto Vaarandi — Tue, 28 Feb 2023 00:00:00 +0000

Computer networks and systems are under an ever-increasing risk of being attacked and abused. High-quality datasets can assist with in-depth analysis of attack scenarios, improve detection rules, and help educate analysts. However, existing solutions for creating such datasets suffer from a number of drawbacks. First, several solutions are not open source with publicly released implementations or are not vendor neutral. Second, some existing solutions neglect the complexity and variance of specific attack techniques when creating datasets or neglect certain attack types. Third, existing solutions are not fully automating the entire data collection pipeline. This paper presents and discusses the Dataset Creation and Acquisition Engine (DACA), a configurable dataset generation testbed, built around commonly used Infrastructure-as-Code (IaC) and DevOps tooling which can be used to create varied, reproducible datasets in a highly automated fashion. DACA acts as a versatile wrapper around existing virtualization technologies and can be used by blue as well as red teamers alike to run attack scenarios and generate datasets. These in turn can be used for tuning detection rules, for educational purposes or pushed into data processing pipelines for further analysis. To show DACA's effectiveness, DACA is used to create two extensive datasets examining covert DNS Tunnelling activity on which a detailed analysis is performed.

Towards a Critical Review of Cybersecurity Risks in Anti-Poaching Systems

Christelle Steyn, Dewald Neville Blaauw — Tue, 28 Feb 2023 00:00:00 +0000

Anti-poaching operations increasingly make use of a wide variety of technology for intelligence and communications. These technologies introduce cybersecurity risk, and they need to be secured to provide greater protection to the information and people involved in anti-poaching operations, ultimately protecting vulnerable animals better. A hypothetical network of anti-poaching technologies was simulated in Graphical Network Simulator 3 (GNS3), consisting of various field devices identified in the literature, and a main control room with relevant hardware devices. A virtual Kali Linux machine was connected to the network and played the role of a digital attacker or intruder. Several cyber-attacks were carried out, to show the risks inherent to such an interoperable and socio-technical network. These attacks included Man in the Middle (MitM) and Denial of Service (DoS) attacks. These attacks were then mitigated via system configurations. Further risks and threat considerations were identified in the literature. Using the STRIDE, DREAD and Attack Tree threat models, the risks to an anti-poaching network were classified and calculated. The most prevalent threats and the attacks performed in the simulation were all calculated to have a high risk level, posing a great threat to an unsecured network. The STRIDE classes of Denial of Service and Elevation of Privilege posed the most risk to the system, both having a calculated average risk score of 9 out of 10. Mitigations to general network threats and those identified in the simulation are mentioned. Additionally, authentication for such a system was investigated, as improper authentication practices were deemed a risk and provides a foothold for further risks in the network. Recommendations made, include the proper configuration of network devices, especially the router and switch, and the use of anti-virus, firewalls, and intrusion detection systems, as well as having an external audit performed annually. Multi-factor authentication, with a password/fingerprint combination, is recommended.