Software-Defined Networking (SDN) offers a global view of the network and the ability to centrally and dynamically manage network flows, making it ideal for building security threat detection and mitigation solutions. Industrial networks possess specific characteristics that make them well suited to such solutions, which has led to extensive research in this area. However, due to the high economic cost and the potential risks of interacting with real equipment, most studies rely on testbeds for demonstration purposes. It is therefore crucial to understand the limitations and safe operating ranges of testbed environments, so that experiments are scientifically rigorous and results are measured accurately. This study analyzes MiniCPS-based testbeds in terms of network performance, experiment replicability, and the effects of different attacker implementation modes. The findings show that running MiniCPS on real hardware makes it possible to build highly replicable, high-performance testbeds, as long as they operate within the predefined safe operating ranges. Additionally, this work provides an in-depth analysis of several attacker implementation techniques and their impact on the network.
2023
Eng. Rep.
An experience in the implementation of the flipped classroom instructional model in the computer science degree
Iñigo Aldalur, Urtzi Markiegi, Mikel Iturbe, Ibai Roman, and Miren Illarramendi
Abstract In recent years, education has undergone a profound transformation, going from relying only on the traditional lecture to making full use of digital formats. This gradual process, accelerated by the COVID-19 pandemic in recent years, has triggered innovative changes in the educational process. Within this context, many lecturers have adopted the flipped classroom instructional model, aiming to improve the motivation and involvement of students. In this model, students must acquire certain theoretical knowledge at home, and the classes, with the help of the lecturer, are used for the more practical part. This article presents the results obtained when the flipped classroom model was implemented in the computer science degree. Specifically, during the 2020–2021 and 2021–2022 courses, this instructional model was assessed in 15 subjects. Results show that the flipped classroom instructional model has improved the students’ perception of the learning experience, their dedication and engagement, and their perception of their understanding of the subject. The faculty considers that the teaching experience has improved and is in favor of continuing with the experience in future courses.
IJCIP
Software-Defined Networking approaches for intrusion response in Industrial Control Systems: A survey
Industrial Control Systems (ICSs) are a key technology for life-sustainability, social development and economic progress, used in a wide range of industrial solutions, including Critical Infrastructures (CIs), and have become the primary target of multiple security attacks. With the increase of personalized and sophisticated attacks, the need for new tailored ICS cybersecurity mechanisms that comply with specific ICS requirements, which Information Technology (IT) security systems fail to meet, has increased exponentially. In this survey, a comprehensive study of ICS intrusion response is conducted, focusing on the use of Software-Defined Networking (SDN) for the development of intrusion response strategies in ICS. With its centralized control plane, increased programmability and global view of the entire network, SDN enables the development of intrusion response solutions that provide a coordinated response to mitigate attacks. Through the survey, an analysis of ICS security requirements and the applicability of SDN is conducted, identifying the advantages and disadvantages compared to traditional networking and protocols. Furthermore, a taxonomy of intrusion response strategies is presented, where different proposals are discussed and categorized according to intrusion response strategy and deployment environment characteristics. Finally, future research directions and challenges are identified.
WINET
Low delay network attributes randomization to proactively mitigate reconnaissance attacks in industrial control systems
Industrial Control Systems are used in a wide variety of industrial facilities, including critical infrastructures, making them the main target of multiple security attacks. A malicious and successful attack against these infrastructures could cause serious economic and environmental consequences, including the loss of human lives. Static network configurations and topologies, which characterize Industrial Control Systems, represent an advantage for attackers, allowing them to scan for vulnerable devices or services before carrying out the attack. Identifying active devices and services is often the first step of many attacks. This paper presents a proactive network reconnaissance defense mechanism based on the temporal randomization of network IP addresses, MAC addresses and port numbers. The resulting information distortion minimizes the knowledge acquired by attackers, hindering any attack that relies on network addressing. The temporal randomization of network attributes is performed adaptively, minimizing the overhead introduced in the network and avoiding any error and latency in communications. The implementation as well as the tests have been carried out in a laboratory with real industrial equipment, demonstrating the effectiveness of the presented solution.
Fuzzing is nowadays one of the most widely used bug hunting techniques. By automatically generating malformed inputs, fuzzing aims to trigger unwanted behavior in its target. While fuzzing research has matured considerably in recent years, the evaluation and comparison of different fuzzing proposals remain challenging, as no standard set of metrics, data, or experimental conditions exists to allow such comparison. This paper aims to fill that gap by proposing a standard set of features to allow such comparison. To that end, it first reviews the existing evaluation methods in the literature and discusses all existing metrics by evaluating seven fuzzers under identical experimental conditions. After examining the obtained results, it recommends a set of practices, particularly on the metrics to be used, to allow proper comparison between different fuzzing proposals.
2022
JENUI 2022
Collective implementation of the flipped classroom in the computer science degree
Iñigo Aldalur, Miren Illarramendi, Mikel Iturbe, Urtzi Markiegi, and Ibai Roman
In Actas de las XXVIII Jornadas sobre la Enseñanza Universitaria de la Informática Jul 2022
Education has undergone a major transformation in recent decades. Today's students are digital natives, and traditional education seems boring to them. For this reason, lecturers try to increase student motivation by turning to new technologies. This digitalization process has been accelerated in recent years by the Covid19 pandemic. Among the different paradigms proposed in response to this situation, the flipped classroom is gaining strength as one of the most studied and relevant transformative alternatives. This work presents the results of a case study on the implementation of the flipped classroom in the computer science degree. In this experience, 11 subjects from different years were involved (6 subjects in the first semester and 5 in the second semester) during the 2020/21 academic year. Our aim is to show the steps followed to implement the flipped classroom in different university degrees. In addition, we present the results of the different questionnaires answered by both students and lecturers about the experience.
Industrial control systems are used in a wide variety of physical processes, including critical infrastructures, making them the main target of multiple security attacks. A malicious and successful attack against these infrastructures could cause serious economic and environmental consequences, including the loss of human lives. The static networks that characterize industrial control systems represent an advantage for attackers, allowing them to scan for vulnerable devices or services before carrying out the attack. Identifying active devices is often the first step of many attacks. This work presents a defense system against network reconnaissance based on the temporal randomization of network addresses. The distortion of the obtained information invalidates the knowledge acquired by attackers, thus hindering any attack that relies on network addressing. The temporal randomization of network addresses is performed adaptively, thereby minimizing the overhead introduced in the network and avoiding any error and latency in communications. The implementation, as well as the tests, have been carried out in a laboratory with real industrial equipment, thus demonstrating the effectiveness of the presented solution.
In recent years, higher education has been immersed in the transformation of the teaching experience with the aim of involving and motivating students more. Nowadays, students are very familiar with new technologies and media, while lecturers have been forced to convert their traditional notes into digital ones. The pace of this transformation has accelerated in the last year due to the COVID19 pandemic. One of the main exponents of this transformation is the adoption of the inverted classroom, a substantially studied teaching methodology in which students work on some key concepts before a lecture takes place and face-to-face lecture time is reserved for added-value activities. This work presents the results of a case study involving the implementation of the inverted classroom in a computer engineering bachelor’s degree. The experiment involves six different subjects in three courses during the 2020/21 academic year. The paper presents the principal motivation for the study, as well as the preparation process and methodology for the out-of-classroom multimedia materials and the training of the faculty. It also covers the methodology used for multimedia content creation. Finally, the evaluation results are presented, gathered from questionnaires directed to students and lecturers.
JENUI 2021
Collective experience of applying the flipped classroom in the computer science degree
Iñigo Aldalur, Miren Illarramendi, Mikel Iturbe, Urtzi Markiegi, and Ibai Roman
In Actas de las XXVII Jornadas sobre la Enseñanza Universitaria de la Informática Jul 2021
With the change in information consumption habits, higher education faces the challenge of transforming the teaching experience in order to maximize student involvement and motivation. This transformation, based on multimedia content and on continuous monitoring of the students' acquisition of knowledge, has been accelerated by the forced digitalization caused by the Covid19 pandemic. Among the different paradigms, the flipped classroom is gaining strength as one of the most studied and relevant transformative alternatives. This work presents the preliminary results of a case study of a large-scale implementation of the flipped classroom, in twelve subjects from different years, in a computer engineering degree during the 2020/21 academic year. It describes the main motivation behind the transformation, the provision of resources and training of the teaching staff, the teaching methodology applied (centered on multimedia content and on checking the concepts acquired), and the evaluation of the results obtained. For the evaluation, surveys specifically designed for the lecturers and students involved were carried out.
With a growing number of embedded devices that create, transform and send data autonomously at its core, the Internet-of-Things (IoT) is a reality in different sectors such as manufacturing, healthcare or transportation. With this expansion, the IoT is becoming more present in critical environments, where security is paramount. Infamous attacks such as Mirai have shown the insecurity of the devices that power the IoT, as well as the potential of such large-scale attacks. Therefore, it is important to secure the embedded systems that form the backbone of the IoT. However, the particular nature of these devices and their resource constraints mean that the most cost-effective manner of securing them is to secure them before they are deployed, by minimizing the number of vulnerabilities they ship with. To this end, fuzzing has proved itself a valuable technique for automated vulnerability finding, where specially crafted inputs are fed to programs in order to trigger vulnerabilities and crash the system. In this survey, we link the world of embedded IoT devices and fuzzing. To this end, we list the particularities of the embedded world as far as security is concerned, we perform a literature review of fuzzing techniques and proposals, studying their applicability to embedded IoT devices and, finally, we present future research directions by pointing out the gaps identified in the review.
2020
IGPL
Deep packet inspection for intelligent intrusion detection in software-defined industrial networks: A proof of concept
Markel Sainz, Iñaki Garitano, Mikel Iturbe, and Urko Zurutuza
Specifically tailored industrial control systems (ICSs) attacks are becoming increasingly sophisticated, accentuating the need for ICS cyber security. The nature of these systems makes traditional IT security measures unsuitable, requiring expressly developed security countermeasures. Over the past decades, research has focused on network-based intrusion detection systems. With the appearance of software-defined networks (SDNs), new opportunities and challenges have emerged in the research community. This paper describes the potential benefits of using SDNs in industrial networks for security purposes and presents the set-up and results of a pilot experiment carried out in a scaled physical implementation. The experimental set-up consists of the detection of ICMP flood and packet payload alteration based on signature comparison. Results point to the potential viability of the technology for intrusion detection and the need for research into architectural scalability.
2019
Book Ch.
Who’s There? Evaluating Data Source Integrity and Veracity in IIoT Using Multivariate Statistical Process Control
Iñaki Garitano, Mikel Iturbe, Enaitz Ezpeleta, and Urko Zurutuza
The security landscape in industrial settings has completely changed in the last decades. From the initial primitive setups, industrial networks have evolved into massively interconnected environments, thus developing the Industrial Internet of Things (IIoT) paradigm. In IIoT, multiple, heterogeneous devices collaborate by collecting, sending and processing data. These data-driven environments have made it possible to develop added-value services based on data that improve industrial process operation. However, it is necessary to audit incoming data to determine that decisions are made based on correct data. In this chapter, we present an IIoT Anomaly Detection System (ADS) that audits the integrity and veracity of the data received from incoming connections. To this end, the ADS includes field data (physical quantities based on data) and connection metadata (interval between incoming connections and packet size) in the same anomaly detection model. The approach is based on Multivariate Statistical Process Control and has been validated using data from a real water distribution plant.
DYNA
Analysis of technological architectures for the new Industry 4.0 paradigm
Felix Larrinaga, Iñigo Aldalur, Miren Illarramendi, Mikel Iturbe, Txema Perez, Gorka Unamuno, and Inaxio Lazkanoiturburu
This work defines an interoperable and scalable architecture that will enable the servitization of the machine tool sector. ICTs and the Internet of Things concept make it possible to interconnect different devices and controllers, offering added-value services. One of the problems to be solved is interoperability between the different IoT devices. There are platforms that enable interoperability between devices. Our work has focused on using one of them: Arrowhead. In addition, with the aim of offering solutions in an agile and flexible way, we have opted to use containers (Docker technology). Thus, this interoperability platform is managed inside these containers, making configuration and operation more agile and flexible. In the specific use case, we show how a Danobat machine tool can offer added-value maintenance and efficiency services. To do so, data are acquired from the machine itself, but data from other third-party devices (an ULMA device) are also consumed. The interconnection of all these data is transparent to the user and is done through the Arrowhead interoperability platform. All this work has been carried out within the framework of the Productive 4.0 project.
2018
CCS 2018
Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems
Wissam Aoudi, Mikel Iturbe, and Magnus Almgren
In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security May 2018
Recent incidents have shown that Industrial Control Systems (ICS) are becoming increasingly susceptible to sophisticated and targeted attacks initiated by adversaries with high motivation, domain knowledge, and resources. Although traditional security mechanisms can be implemented at the IT-infrastructure level of such cyber-physical systems, the community has acknowledged that it is imperative to also monitor the process-level activity, as attacks on ICS may very well influence the physical process. In this paper, we present PASAD, a novel stealthy-attack detection mechanism that monitors time series of sensor measurements in real time for structural changes in the process behavior. We demonstrate the effectiveness of our approach through simulations and experiments on data from real systems. Experimental results show that PASAD is capable of detecting not only significant deviations in the process behavior, but also subtle attack-indicating changes, significantly raising the bar for strategic adversaries who may attempt to maintain their malicious manipulation within the noise level.
HAIS 2018
A Mood Analysis on Youtube Comments and a Method for Improved Social Spam Detection
Enaitz Ezpeleta, Mikel Iturbe, Iñaki Garitano, Iñaki Velez de Mendizabal, and Urko Zurutuza
As Online Social Networks (OSN) usage increases, non-legitimate campaigns over these types of web services are growing as well. This is the reason why a significant number of users are affected by social spam every day and, therefore, their privacy is threatened. To deal with this issue, in this study we focus on mood analysis among all content-based analysis techniques. We demonstrate that using this technique improves social spam filtering results. First, the best spam filtering classifiers are identified using a labeled dataset consisting of Youtube comments, including spam. Then, a new dataset is created by adding the mood feature to each comment, and the best classifiers are applied to it. A comparison between the results obtained with and without mood information shows that this feature can help to improve social spam filtering results: the best accuracy is improved in two different datasets, and the number of false positives is reduced by 13.76% and 11.41% on average. Moreover, the results are validated by carrying out the same experiment using a different dataset.
JNIC 2018 Best PhD award
First prize for the best student paper: Data-driven anomaly detection in industrial networks
Mikel Iturbe
In Proceedings of IV Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2018) May 2018
This article summarizes the work carried out in a doctoral thesis in the field of industrial cybersecurity. More specifically, the work has focused on data-driven anomaly detection in industrial networks. Industrial networks, interconnected environments made up of systems dedicated to automating, monitoring and controlling physical processes, have evolved enormously, whereas the applicable security mechanisms have not evolved at the same pace, either because they do not scale properly or because they have not taken into account the particularities of this type of network. This doctoral thesis focuses on developing anomaly detection systems (ADSs) that use the data intrinsically created in this type of network (field measurements, network traffic, logs...) to detect security events.
GIoTS 2018
Null is Not Always Empty: Monitoring the Null Space for Field-Level Anomaly Detection in Industrial IoT Environments
Ekhi Zugasti, Mikel Iturbe, Iñaki Garitano, and Urko Zurutuza
In 2018 IEEE Global Internet of Things Summit (GIoTS) Proceedings May 2018
Industrial environments have vastly changed since the conception of the initial primitive and isolated networks. The current full interconnection paradigm, where connectivity between different devices and the Internet has become a business necessity, has driven device interconnectivity towards building the Industrial Internet of Things (IIoT), enabling added-value services such as supply chain optimization or improved process control. However, whereas interconnectivity has increased, IIoT security practices have not evolved at the same pace, due partly to security practices inherited from when industrial networks were not connected and to the existence of basic hardware with no security functionalities. In this work, we present an Anomaly Detection System for industrial environments that monitors physical quantities to detect intrusions. It is based on null space detection, which in turn is based on Stochastic Subspace Identification (SSI). The approach is validated using the Tennessee-Eastman chemical process.
2017
SCN
Towards Large-Scale, Heterogeneous, Anomaly Detection Systems in Industrial Networks: A Survey of Current Trends
Mikel Iturbe, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria
Industrial Networks (INs) are widespread environments where heterogeneous devices collaborate to control and monitor physical processes. Some of the controlled processes belong to Critical Infrastructures (CIs), and as such, IN protection is an active research field. Among different types of security solutions, IN Anomaly Detection Systems (ADSs) have received wide attention from the scientific community. While INs have grown in size and complexity, requiring the development of novel Big Data solutions for data processing, IN ADSs have not evolved at the same pace. In parallel, the development of Big Data frameworks such as Hadoop or Spark has led the way for applying Big Data analytics to the field of cyber-security, mainly focusing on the Information Technology (IT) domain. However, due to the particularities of INs, it is not feasible to directly apply IT security mechanisms in INs, as IN ADSs face unique characteristics. In this work we introduce three main contributions. First, we survey the area of Big Data ADSs that could be applicable to INs and compare the surveyed works. Second, we develop a novel taxonomy to classify existing IN-based ADSs. And finally, we present a discussion of open problems in the field of Big Data ADSs for INs that can lead to further development.
CISIS 2017
Software Defined Networking Opportunities for Intelligent Security Enhancement of Industrial Control Systems
Markel Sainz, Mikel Iturbe, Iñaki Garitano, and Urko Zurutuza
In Proceedings of the International Joint Conference SOCO’17-CISIS’17-ICEUTE’17, León, Spain, September 6-8, 2017 May 2017
In recent years, cyber security of Industrial Control Systems (ICSs) has become an important issue due to the discovery of sophisticated malware that, by attacking Critical Infrastructures, could cause catastrophic safety consequences. Researchers have been developing countermeasures to enhance cyber security for pre-Internet era systems, which are extremely vulnerable to threats. This paper presents the potential opportunities that Software Defined Networking (SDN) provides for the security enhancement of Industrial Control Networks. SDN permits a high level of network configurability through the separation of control and data planes. In this work, we describe the affinities between SDN and ICSs and we discuss implementation strategies.
JNIC 2017
Towards a standard set of attacks against control systems for the evaluation of countermeasures
Mikel Iturbe, Iñaki Garitano, Ignacio Arenaza-Nuño, and Urko Zurutuza
In Proceedings of III Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2017) Jun 2017
On the Feasibility of Distinguishing Between Process Disturbances and Intrusions in Process Control Systems Using Multivariate Statistical Process Control
Process Control Systems (PCSs) are the operating core of Critical Infrastructures (CIs). As such, anomaly detection has been an active research field to ensure normal CI operation. Previous approaches have leveraged network-level data for anomaly detection, or have disregarded the existence of process disturbances, thus opening the possibility of mislabelling disturbances as attacks and vice versa. In this paper we present an anomaly detection and diagnostic system based on Multivariate Statistical Process Control (MSPC) that aims to distinguish between attacks and disturbances. To this end, we expand traditional MSPC to monitor process-level and controller-level data. We evaluate our approach using the Tennessee-Eastman process. Results show that our approach can be used to distinguish disturbances from intrusions to a certain extent, and we conclude that the proposed approach can be extended with other sources of data to improve results.
JNIC 2016
Design of a hybrid testbed for security and resilience research in industrial networks
Mikel Iturbe, Unai Izagirre, Iñaki Garitano, Ignacio Arenaza-Nuño, Urko Zurutuza, and Roberto Uribeetxeberria
In Proceedings of II Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2016) Jun 2016