Nowadays, many companies still use old and insecure protocols in Industrial Control Systems (ICSs). An example of such protocols is Modbus, one of the most employed industrial protocols. Also, companies are moving to Modbus/TCP when there are TCP devices involved in the facility. While remaining insecure, this migration also disrupts the assumption of air-gapped industrial networks, opening more attack surface to previously isolated systems. Due to legacy and efficiency constraint, the replacement of Modbus/TCP with secure protocols is not possible, generating big security issues. In this paper, we present TAMBUS (Transmitter Authentication and packet integrity in Modbus/TCP). This method is the first that at the same time: is not implemented in a secure by obscurity design and keeps the Modbus/TCP protocol compatible with legacy devices. TAMBUS allows detecting attacks with high statistical confidence, by leveraging two covert channels as a mean of providing security: 1) Storage-based, that hides authentication messages into the Modbus/TCP protocol fields; 2) Timing-based, that considers the inter-arrival time of packets. We demonstrate the feasibility and effectiveness of our method through a prototype implementation and testing in an industrial testbed environment. Our experiments confirm that TAMBUS introduces only a small overhead, negligible in most application, and it preserves the regular functioning of industrial systems. In particular, considering the storage-based covert channel, TAMBUS introduces an error into transmitted values of only 1.19×10⁻⁵%, without traffic overhead. On the other hand, TAMBUS can transmit correct security information through the timing-based covert channel with an accuracy of more than 99.99%.

@en

Cybercriminals have been exploiting cryptocurrencies to commit various unique financial frauds. Covert cryptomining - which is defined as an unauthorized harnessing of victims’ computational resources to mine cryptocurrencies - is one of the prevalent ways nowadays used by cybercriminals to earn financial benefits. Such exploitation of resources causes financial losses to the victims. In this paper, we present our efficient approach to detect covert crypto- mining on users’ machine. Our solution is a generic solution that, unlike currently available solutions to detect covert cryptomining, is not tailored to a specific cryptocurrency or a particular form of cryptomining. In particular, we focus on the core mining algorithms and utilize Hardware Performance Counters (HPC) to create clean signatures that grasp the execution pattern of these algorithms on a processor. We built a complete implementation of our solution employing advanced machine learning techniques. We evaluated our methodology on two different processors through an exhaustive set of experiments. In our experiments, we considered all the cryptocurrencies mined by the top-10 mining pools, which collectively represent the largest share of the cryptomining market. Our results show that our classifier can achieve a near-perfect classification with samples of length as low as five seconds. Due to its robust and practical design, our solution can even adapt to zero-day cryptocurrencies. Finally, we believe our solution is scalable and can be deployed to tackle the uprising problem of covert cryptomining.@en