-
Poster: Towards an Automated Security Testing Framework for Industrial UEs
Authors:
Sotiris Michaelides,
Daniel Eguiguren Chavez,
Martin Henze
Abstract:
With the ongoing adoption of 5G for communication in industrial systems and critical infrastructure, the security of industrial UEs such as 5G-enabled industrial robots becomes an increasingly important topic. Most notably, to meet the stringent security requirements of industrial deployments, industrial UEs not only have to fully comply with the 5G specifications but also correctly implement and use secure communication protocols such as TLS. To ensure the security of industrial UEs, operators of industrial 5G networks rely on security testing before deploying new devices to their production networks. However, currently only isolated tests for individual security aspects of industrial UEs exist, severely hindering comprehensive testing. In this paper, we report on our ongoing efforts to alleviate this situation by creating an automated security testing framework for industrial UEs to comprehensively evaluate their security posture before deployment. With this framework, we aim to provide stakeholders with a fully automated method to verify that higher-layer security protocols are correctly implemented, while simultaneously ensuring that the UE's protocol stack adheres to 3GPP specifications.
Submitted 22 May, 2025;
originally announced May 2025.
-
Assessing the Latency of Network Layer Security in 5G Networks
Authors:
Sotiris Michaelides,
Jonathan Mucke,
Martin Henze
Abstract:
In contrast to its predecessors, 5G supports a wide range of commercial, industrial, and critical infrastructure scenarios. One key feature of 5G, ultra-reliable low latency communication, is particularly appealing to such scenarios for its real-time capabilities. However, 5G's enhanced security, mostly realized through optional security controls, imposes additional overhead on the network performance, potentially hindering its real-time capabilities. To better assess this impact and guide operators in choosing between different options, we measure the latency overhead of IPsec when applied over the N3 and the service-based interfaces to protect user and control plane data, respectively. Furthermore, we evaluate whether WireGuard constitutes an alternative to reduce this overhead. Our findings show that IPsec, if configured correctly, has minimal latency impact and thus is a prime candidate to secure real-time critical scenarios.
Submitted 12 May, 2025;
originally announced May 2025.
-
CAIBA: Multicast Source Authentication for CAN Through Reactive Bit Flipping
Authors:
Eric Wagner,
Frederik Basels,
Jan Bauer,
Till Zimmermann,
Klaus Wehrle,
Martin Henze
Abstract:
Controller Area Networks (CANs) are the backbone for reliable intra-vehicular communication. Recent cyberattacks have, however, exposed the weaknesses of CAN, which was designed without any security considerations in the 1980s. Current efforts to retrofit security via intrusion detection or message authentication codes are insufficient to fully secure CAN as they cannot adequately protect against masquerading attacks, where a compromised communication device, a so-called electronic control unit (ECU), imitates another device. To remedy this situation, multicast source authentication is required to reliably identify the senders of messages. In this paper, we present CAIBA, a novel multicast source authentication scheme specifically designed for communication buses like CAN. CAIBA relies on an authenticator overwriting authentication tags on-the-fly, such that a receiver only reads a valid tag if not only the integrity of a message but also its source can be verified. To integrate CAIBA into CAN, we devise a special message authentication scheme and a reactive bit overwriting mechanism. We achieve interoperability with legacy CAN devices, while protecting receivers implementing the AUTOSAR SecOC standard against masquerading attacks without communication overhead or verification delays.
Submitted 23 April, 2025;
originally announced April 2025.
-
Simulation of Multi-Stage Attack and Defense Mechanisms in Smart Grids
Authors:
Omer Sen,
Bozhidar Ivanov,
Christian Kloos,
Christoph Zol_,
Philipp Lutat,
Martin Henze,
Andreas Ulbig
Abstract:
The power grid is a critical infrastructure essential for public safety and welfare. As its reliance on digital technologies grows, so do its vulnerabilities to sophisticated cyber threats, which could severely disrupt operations. Effective protective measures, such as intrusion detection and decision support systems, are essential to mitigate these risks. Machine learning offers significant potential in this field, yet its effectiveness is constrained by the limited availability of high-quality data due to confidentiality and access restrictions.
To address this, we introduce a simulation environment that replicates the power grid's infrastructure and communication dynamics. This environment enables the modeling of complex, multi-stage cyber attacks and defensive responses, using attack trees to outline attacker strategies and game-theoretic approaches to model defender actions. The framework generates diverse, realistic attack data to train machine learning algorithms for detecting and mitigating cyber threats. It also provides a controlled, flexible platform to evaluate emerging security technologies, including advanced decision support systems.
The environment is modular and scalable, facilitating the integration of new scenarios without dependence on external components. It supports scenario generation, data modeling, mapping, power flow simulation, and communication traffic analysis in a cohesive chain, capturing all relevant data for cyber security investigations under consistent conditions. Detailed modeling of communication protocols and grid operations offers insights into attack propagation, while datasets undergo validation in laboratory settings to ensure real-world applicability. These datasets are leveraged to train machine learning models for intrusion detection, focusing on their ability to identify complex attack patterns within power grid operations.
Submitted 9 December, 2024;
originally announced December 2024.
-
A cyber-physical digital twin approach to replicating realistic multi-stage cyberattacks on smart grids
Authors:
Omer Sen,
Nathalie Bleser,
Martin Henze,
Andreas Ulbig
Abstract:
The integration of information and communication technology in distribution grids presents opportunities for active grid operation management, but also increases the need for security against power outages and cyberattacks. This paper examines the impact of cyberattacks on smart grids by replicating the power grid in a secure laboratory environment as a cyber-physical digital twin. A simulation is used to study communication infrastructures for secure operation of smart grids. The cyber-physical digital twin approach combines communication network emulation and power grid simulation in a common modular environment, and is demonstrated through laboratory tests and attack replications.
Submitted 6 December, 2024;
originally announced December 2024.
-
Seldom: An Anonymity Network with Selective Deanonymization
Authors:
Eric Wagner,
Roman Matzutt,
Martin Henze
Abstract:
While anonymity networks such as Tor provide invaluable privacy guarantees to society, they also enable all kinds of criminal activities. Consequently, many blameless citizens shy away from protecting their privacy using such technology for fear of being associated with criminals. To grasp the potential for alternative privacy protection for those users, we design Seldom, an anonymity network with integrated selective deanonymization that disincentivizes criminal activity. Seldom enables law enforcement agencies to selectively access otherwise anonymized identities of misbehaving users, while providing technical guarantees preventing these access rights from being misused. Seldom further ensures translucency, as each access request is approved by a trustworthy consortium of impartial entities and eventually disclosed to the public (without interfering with ongoing investigations). To demonstrate Seldom's feasibility and applicability, we base our implementation on Tor, the most widely used anonymity network. Our evaluation indicates minimal latency, processing, and bandwidth overheads compared to Tor, while Seldom's main costs stem from storing flow records and encrypted identities. With at most 636 TB of storage required in total to retain the encrypted identifiers of a Tor-sized network for two years, Seldom provides a practical and deployable technical solution to the inherent problem of criminal activities in anonymity networks. As such, Seldom sheds new light on the potentials and limitations when integrating selective deanonymization into anonymity networks.
Submitted 1 December, 2024;
originally announced December 2024.
-
Unconsidered Installations: Discovering IoT Deployments in the IPv6 Internet
Authors:
Markus Dahlmanns,
Felix Heidenreich,
Johannes Lohmöller,
Jan Pennekamp,
Klaus Wehrle,
Martin Henze
Abstract:
Internet-wide studies provide extremely valuable insight into how operators manage their Internet of Things (IoT) deployments in reality and often reveal grievances, e.g., significant security issues. However, while IoT devices often use IPv6, past studies resorted to comprehensively scanning the IPv4 address space. To fully understand how the IoT and all its services and devices are operated, including IPv6-reachable deployments is inevitable, although scanning the entire IPv6 address space is infeasible. In this paper, we close this gap and examine how to best discover IPv6-reachable IoT deployments. To this end, we propose a methodology that allows combining various IPv6 scan direction approaches to understand the findability and prevalence of IPv6-reachable IoT deployments. Using three sources of active IPv6 addresses and eleven address generators, we discovered 6658 IoT deployments. We derive that the available address sources are a good starting point for finding IoT deployments. Additionally, we show that using two address generators is sufficient to cover most found deployments and save time as well as resources. Assessing the security of the deployments, we surprisingly find similar issues as in the IPv4 Internet, although IPv6 deployments might be newer and generally more up-to-date: Only 39% of deployments have access control in place and only 6.2% make use of TLS, inviting attackers, e.g., to eavesdrop on sensitive data.
Submitted 20 November, 2024;
originally announced November 2024.
-
Adaptive Optimization of TLS Overhead for Wireless Communication in Critical Infrastructure
Authors:
Jörn Bodenhausen,
Laurenz Grote,
Michael Rademacher,
Martin Henze
Abstract:
With critical infrastructure increasingly relying on wireless communication, using end-to-end security such as TLS becomes imperative. However, TLS introduces significant overhead for resource-constrained devices and networks prevalent in critical infrastructure. In this paper, we propose to leverage the degrees of freedom in configuring TLS to dynamically adapt algorithms, parameters, and other settings to best meet the currently occurring resource and security constraints in a wireless communication scenario. Consequently, we can make the best use of scarce resources to provide tightened security for wireless networks in critical infrastructure.
Submitted 4 November, 2024;
originally announced November 2024.
-
Secure Integration of 5G in Industrial Networks: State of the Art, Challenges and Opportunities
Authors:
Sotiris Michaelides,
Stefan Lenz,
Thomas Vogt,
Martin Henze
Abstract:
The industrial landscape is undergoing a significant transformation, moving away from traditional wired fieldbus networks to cutting-edge 5G mobile networks. This transition, extending from local applications to company-wide use and spanning multiple factories, is driven by the promise of low-latency communication and seamless connectivity for various devices in industrial settings. However, besides these tremendous benefits, the integration of 5G as the communication infrastructure in industrial networks introduces a new set of risks and threats to the security of industrial systems. The inherent complexity of 5G systems poses unique challenges for ensuring a secure integration, surpassing those encountered with any technology previously utilized in industrial networks. Most importantly, the distinct characteristics of industrial networks, such as real-time operation, required safety guarantees, and high availability requirements, further complicate this task. As the industrial transition from wired to wireless networks is a relatively new concept, a lack of guidance and recommendations on securely integrating 5G renders many industrial systems vulnerable and exposed to threats associated with 5G. To address this situation, in this paper, we summarize the state-of-the-art and derive a set of recommendations for the secure integration of 5G into industrial networks based on a thorough analysis of the research landscape. Furthermore, we identify opportunities to utilize 5G to enhance security and indicate remaining challenges, identifying future academic directions.
Submitted 6 December, 2024; v1 submitted 29 August, 2024;
originally announced August 2024.
-
Introducing a Comprehensive, Continuous, and Collaborative Survey of Intrusion Detection Datasets
Authors:
Philipp Bönninghausen,
Rafael Uetz,
Martin Henze
Abstract:
Researchers in the highly active field of intrusion detection largely rely on public datasets for their experimental evaluations. However, the large number of existing datasets, the discovery of previously unknown flaws therein, and the frequent publication of new datasets make it hard to select suitable options and sufficiently understand their respective limitations. Hence, there is a great risk of drawing invalid conclusions from experimental results with respect to detection performance of novel methods in the real world. While there exist various surveys on intrusion detection datasets, they have deficiencies in providing researchers with a profound decision basis since they lack comprehensiveness, actionable details, and up-to-dateness. In this paper, we present COMIDDS, an ongoing effort to comprehensively survey intrusion detection datasets with an unprecedented level of detail, implemented as a website backed by a public GitHub repository. COMIDDS allows researchers to quickly identify suitable datasets depending on their requirements and provides structured and critical information on each dataset, including actual data samples and links to relevant publications. COMIDDS is freely accessible, regularly updated, and open to contributions.
Submitted 5 August, 2024;
originally announced August 2024.
-
Enhancing SCADA Security: Developing a Host-Based Intrusion Detection System to Safeguard Against Cyberattacks
Authors:
Omer Sen,
Tarek Hassan,
Andreas Ulbig,
Martin Henze
Abstract:
With the increasing reliance of smart grids on correctly functioning SCADA systems, and the vulnerability of these systems to cyberattacks that put critical infrastructure at risk, there is a pressing need for effective security measures. As there is a lack of host-based intrusion detection systems specifically designed for the stable nature of SCADA systems, the objective of this work is to propose a host-based intrusion detection system tailored for SCADA systems in smart grids. The proposed system utilizes USB device identification, flagging, and process memory scanning to monitor and detect anomalies in SCADA systems, providing enhanced security measures. Evaluation in three different scenarios demonstrates the tool's effectiveness in detecting and disabling malware. The proposed approach effectively identifies potential threats and enhances the security of SCADA systems in smart grids, providing a promising solution to protect against cyberattacks.
Submitted 22 February, 2024;
originally announced February 2024.
-
POSTER: Towards Secure 5G Infrastructures for Production Systems
Authors:
Martin Henze,
Maximilian Ortmann,
Thomas Vogt,
Osman Ugus,
Kai Hermann,
Svenja Nohr,
Zeren Lu,
Sotiris Michaelides,
Angela Massonet,
Robert H. Schmitt
Abstract:
To meet the requirements of modern production, industrial communication increasingly shifts from wired fieldbus to wireless 5G communication. Besides tremendous benefits, this shift introduces severe novel risks, ranging from limited reliability through new security vulnerabilities to a lack of accountability. To address these risks, we present approaches to (i) prevent attacks through authentication and redundant communication, (ii) detect anomalies and jamming, and (iii) respond to detected attacks through device exclusion and accountability measures.
Submitted 24 January, 2024;
originally announced January 2024.
-
An Approach to Abstract Multi-stage Cyberattack Data Generation for ML-Based IDS in Smart Grids
Authors:
Ömer Sen,
Philipp Malskorn,
Simon Glomb,
Immanuel Hacker,
Martin Henze,
Andreas Ulbig
Abstract:
Power grids are becoming more digitized, resulting in new opportunities for the grid operation but also new challenges, such as new threats from the cyber-domain. To address these challenges, cybersecurity solutions are being considered in the form of preventive, detective, and reactive measures. Machine learning-based intrusion detection systems are used as part of detection efforts to detect and defend against cyberattacks. However, training and testing data for these systems are often not available or suitable for use in machine learning models for detecting multi-stage cyberattacks in smart grids. In this paper, we propose a method to generate synthetic data using a graph-based approach for training machine learning models in smart grids. We use an abstract form of multi-stage cyberattacks defined via graph formulations and simulate the propagation behavior of attacks in the network. Within the selected scenarios, we observed promising results, but a larger number of scenarios need to be studied to draw a more informed conclusion about the suitability of synthesized data.
Submitted 21 December, 2023;
originally announced December 2023.
-
Benchmark Evaluation of Anomaly-Based Intrusion Detection Systems in the Context of Smart Grids
Authors:
Ömer Sen,
Simon Glomb,
Martin Henze,
Andreas Ulbig
Abstract:
The increasing digitization of smart grids has made addressing cybersecurity issues crucial in order to secure the power supply. Anomaly detection has emerged as a key technology for cybersecurity in smart grids, enabling the detection of unknown threats. Many research efforts have proposed various machine-learning-based approaches for anomaly detection in grid operations. However, there is a need for a reproducible and comprehensive evaluation environment to investigate and compare different approaches to anomaly detection. The assessment process is highly dependent on the specific application and requires an evaluation that considers representative datasets from the use case as well as the specific characteristics of the use case. In this work, we present an evaluation environment for anomaly detection methods in smart grids that facilitates reproducible and comprehensive evaluation of different anomaly detection methods.
Submitted 21 December, 2023;
originally announced December 2023.
-
Investigation of Multi-stage Attack and Defense Simulation for Data Synthesis
Authors:
Ömer Sen,
Bozhidar Ivanov,
Martin Henze,
Andreas Ulbig
Abstract:
The power grid is a critical infrastructure that plays a vital role in modern society. Its availability is of utmost importance, as a loss can endanger human lives. However, with the increasing digitalization of the power grid, it also becomes vulnerable to new cyberattacks that can compromise its availability. To counter these threats, intrusion detection systems are developed and deployed to detect cyberattacks targeting the power grid. Among intrusion detection systems, anomaly detection models based on machine learning have shown potential in detecting unknown attack vectors. However, the scarcity of data for training these models remains a challenge due to confidentiality concerns. To overcome this challenge, this study proposes a model for generating synthetic data of multi-stage cyber attacks in the power grid, using attack trees to model the attacker's sequence of steps and a game-theoretic approach to incorporate the defender's actions. This model aims to create diverse attack data on which machine learning algorithms can be trained.
Submitted 21 December, 2023;
originally announced December 2023.
-
When and How to Aggregate Message Authentication Codes on Lossy Channels?
Authors:
Eric Wagner,
Martin Serror,
Klaus Wehrle,
Martin Henze
Abstract:
Aggregation of message authentication codes (MACs) is a proven and efficient method to preserve valuable bandwidth in resource-constrained environments: Instead of appending a long authentication tag to each message, the integrity protection of multiple messages is aggregated into a single tag. However, while such aggregation saves bandwidth, a single lost message typically means that authentication information for multiple messages cannot be verified anymore. With the significant increase of bandwidth-constrained lossy communication, as applications shift towards wireless channels, it thus becomes paramount to study the impact of packet loss on the diverse MAC aggregation schemes proposed over the past 15 years to assess when and how to aggregate message authentication. Therefore, we empirically study all relevant MAC aggregation schemes in the context of lossy channels, investigating achievable goodput improvements, the resulting verification delays, processing overhead, and resilience to denial-of-service attacks. Our analysis shows the importance of carefully choosing and configuring MAC aggregation, as selecting and correctly parameterizing the right scheme can, e.g., improve goodput by 39% to 444%, depending on the scenario. However, since no aggregation scheme performs best in all scenarios, we provide guidelines for network operators to select optimal schemes and parameterizations suiting specific network settings.
Submitted 15 December, 2023;
originally announced December 2023.
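The abstract above states the core trade-off of MAC aggregation: one tag protects several messages, so one lost message leaves the others in that window unverifiable. The following added example (written for this page, not code from the paper or its authors) makes that concrete with the simplest aggregation construction, the XOR of truncated per-message HMAC tags, and a receiver that reports which sequence numbers it could verify. The key, the messages, the 4-byte truncation, the window size and the choice of XOR aggregation are all constructed for illustration; the paper evaluates a range of published schemes, not this toy.

```python
"""Added example: XOR aggregation of truncated HMAC tags on a lossy channel.

Illustrative choices (not taken from the paper): tags are the first
TAG_LEN bytes of HMAC-SHA256 over (sequence number || payload); the sender
appends one aggregate tag, the XOR of the per-message tags, to the last
message of every `window` messages.
"""
import hashlib
import hmac

TAG_LEN = 4  # truncating the tag is what saves bandwidth; shorter means weaker


def tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """Per-message tag, bound to the sequence number to stop reordering."""
    mac = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return mac[:TAG_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aggregate(key: bytes, msgs) -> bytes:
    """msgs: iterable of (seq, payload). Returns the XOR of their tags."""
    agg = bytes(TAG_LEN)
    for seq, payload in msgs:
        agg = xor_bytes(agg, tag(key, seq, payload))
    return agg


def send(key: bytes, msgs, window: int):
    """Frames are (seq, payload, aggregate_tag_or_None)."""
    frames = []
    for i in range(0, len(msgs), window):
        chunk = msgs[i:i + window]
        for j, (seq, payload) in enumerate(chunk):
            agg = aggregate(key, chunk) if j == len(chunk) - 1 else None
            frames.append((seq, payload, agg))
    return frames


def receive(key: bytes, frames, window: int):
    """Returns (verified_seqs, unverifiable_seqs).

    A window verifies only if every message in it arrived; because the
    receiver cannot recompute the tag of a lost message, a single gap makes
    the whole window unverifiable. Messages whose aggregate frame itself was
    lost are reported unverifiable as soon as the next aggregate arrives.
    """
    verified, unverifiable = [], []
    pending = {}  # seq -> payload, awaiting an aggregate tag
    for seq, payload, agg in frames:
        pending[seq] = payload
        if agg is None:
            continue
        start = seq - window + 1
        stale = sorted(s for s in pending if s < start)  # aggregate lost
        unverifiable.extend(stale)
        for s in stale:
            del pending[s]
        expected = list(range(start, seq + 1))
        got = [s for s in expected if s in pending]
        if len(got) == len(expected):
            recomputed = aggregate(key, [(s, pending[s]) for s in expected])
            if hmac.compare_digest(recomputed, agg):
                verified.extend(expected)
            else:
                unverifiable.extend(expected)  # tampered, reordered or wrong key
        else:
            unverifiable.extend(got)  # loss: cannot rebuild the aggregate
        for s in expected:
            pending.pop(s, None)
    unverifiable.extend(sorted(pending))  # tail with no aggregate seen yet
    return verified, unverifiable


KEY = b"constructed-demo-key"  # constructed; a real deployment derives this
MESSAGES = [(i, f"sensor reading {i}".encode()) for i in range(8)]  # constructed


def demo(lost_seqs=(), tamper=None, window=4):
    """Simulate a run with the given lost sequence numbers and in-flight edits."""
    tamper = tamper or {}
    frames = []
    for seq, payload, agg in send(KEY, MESSAGES, window):
        if seq in lost_seqs:
            continue
        frames.append((seq, tamper.get(seq, payload), agg))
    return receive(KEY, frames, window)


if __name__ == "__main__":
    print("lossless:      ", demo())
    print("lost seq 2:    ", demo(lost_seqs=(2,)))
    print("lost agg frame:", demo(lost_seqs=(3,)))
    print("tampered seq 1:", demo(tamper={1: b"evil"}))
```

Losing any one of the four messages costs verification of the whole window, which is the "verification delay and resilience" cost the abstract weighs against the bandwidth saved (here 4 bytes per window instead of 4 bytes per message). Schemes that aggregate over overlapping or interleaved windows trade some of that saving back for loss tolerance; which point on that curve is right depends on the loss rate, which is exactly what the paper measures.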
-
Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication
Authors:
Eric Wagner,
David Heye,
Martin Serror,
Ike Kunze,
Klaus Wehrle,
Martin Henze
Abstract:
Industrial control systems increasingly rely on middlebox functionality such as intrusion detection or in-network processing. However, traditional end-to-end security protocols interfere with the necessary access to in-flight data. While recent work on middlebox-aware end-to-end security protocols for the traditional Internet promises to address the dilemma between end-to-end security guarantees and middleboxes, the current state-of-the-art lacks critical features for industrial communication. Most importantly, industrial settings require fine-grained access control for middleboxes to truly operate in a least-privilege mode. Likewise, advanced applications even require that middleboxes can inject specific messages (e.g., emergency shutdowns). Meanwhile, industrial scenarios often expose tight latency and bandwidth constraints not found in the traditional Internet. As the current state-of-the-art misses critical features, we propose Middlebox-aware DTLS (Madtls), a middlebox-aware end-to-end security protocol specifically tailored to the needs of industrial networks. Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.
Submitted 15 December, 2023;
originally announced December 2023.
-
You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks
Authors:
Rafael Uetz,
Marco Herzog,
Louis Hackländer,
Simon Schwarz,
Martin Henze
Abstract:
Cyberattacks have grown into a major risk for organizations, with common consequences being data theft, sabotage, and extortion. Since preventive measures do not suffice to repel attacks, timely detection of successful intruders is crucial to stop them from reaching their final goals. For this purpose, many organizations utilize Security Information and Event Management (SIEM) systems to centrally collect security-related events and scan them for attack indicators using expert-written detection rules. However, as we show by analyzing a set of widespread SIEM detection rules, adversaries can evade almost half of them easily, allowing them to perform common malicious actions within an enterprise network without being detected. To remedy these critical detection blind spots, we propose the idea of adaptive misuse detection, which utilizes machine learning to compare incoming events to SIEM rules on the one hand and known-benign events on the other hand to discover successful evasions. Based on this idea, we present AMIDES, an open-source proof-of-concept adaptive misuse detection system. Using four weeks of SIEM events from a large enterprise network and more than 500 hand-crafted evasions, we show that AMIDES successfully detects a majority of these evasions without any false alerts. In addition, AMIDES eases alert analysis by assessing which rules were evaded. Its computational efficiency qualifies AMIDES for real-world operation and hence enables organizations to significantly reduce detection blind spots with moderate effort.
△ Less
Submitted 19 December, 2023; v1 submitted 16 November, 2023;
originally announced November 2023.
-
SoK: Evaluations in Industrial Intrusion Detection Research
Authors:
Olav Lamberts,
Konrad Wolsing,
Eric Wagner,
Jan Pennekamp,
Jan Bauer,
Klaus Wehrle,
Martin Henze
Abstract:
Industrial systems are increasingly threatened by cyberattacks with potentially disastrous consequences. To counter such attacks, industrial intrusion detection systems strive to timely uncover even the most sophisticated breaches. Due to its criticality for society, this fast-growing field attracts researchers from diverse backgrounds, resulting in 130 new detection approaches in 2021 alone. This huge momentum facilitates the exploration of diverse promising paths but likewise risks fragmenting the research landscape and burying promising progress. Consequently, it needs sound and comprehensible evaluations to mitigate this risk and catalyze efforts into sustainable scientific progress with real-world applicability. In this paper, we therefore systematically analyze the evaluation methodologies of this field to understand the current state of industrial intrusion detection research. Our analysis of 609 publications shows that the rapid growth of this research field has positive and negative consequences. While we observe an increased use of public datasets, publications still only evaluate 1.3 datasets on average, and frequently used benchmarking metrics are ambiguous. At the same time, the adoption of newly developed benchmarking metrics sees little advancement. Finally, our systematic analysis enables us to provide actionable recommendations for all actors involved and thus bring the entire research field forward.
Submitted 6 November, 2023;
originally announced November 2023.
-
Securing Wireless Communication in Critical Infrastructure: Challenges and Opportunities
Authors:
Jörn Bodenhausen,
Christian Sorgatz,
Thomas Vogt,
Kolja Grafflage,
Sebastian Rötzel,
Michael Rademacher,
Martin Henze
Abstract:
Critical infrastructure constitutes the foundation of every society. While traditionally solely relying on dedicated cable-based communication, this infrastructure rapidly transforms to highly digitized and interconnected systems which increasingly rely on wireless communication. Besides providing tremendous benefits, especially affording the easy, cheap, and flexible interconnection of a large number of assets spread over larger geographic areas, wireless communication in critical infrastructure also raises unique security challenges. Most importantly, the shift from dedicated private wired networks to heterogeneous wireless communication over public and shared networks requires significantly more involved security measures. In this paper, we identify the most relevant challenges resulting from the use of wireless communication in critical infrastructure and use those to identify a comprehensive set of promising opportunities to preserve the high security standards of critical infrastructure even when switching from wired to wireless communication.
Submitted 2 November, 2023;
originally announced November 2023.
-
Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead
Authors:
Jan Pennekamp,
Anastasiia Belova,
Thomas Bergs,
Matthias Bodenbenner,
Andreas Bührig-Polaczek,
Markus Dahlmanns,
Ike Kunze,
Moritz Kröger,
Sandra Geisler,
Martin Henze,
Daniel Lütticke,
Benjamin Montavon,
Philipp Niemietz,
Lucia Ortjohann,
Maximilian Rudack,
Robert H. Schmitt,
Uwe Vroomen,
Klaus Wehrle,
Michael Zeng
Abstract:
The Internet of Production (IoP) leverages concepts such as digital shadows, data lakes, and a World Wide Lab (WWL) to advance today's production. Consequently, it requires a technical infrastructure that can support the agile deployment of these concepts and corresponding high-level applications, which, e.g., demand the processing of massive data in motion and at rest. As such, key research aspects are the support for low-latency control loops, concepts on scalable data stream processing, deployable information security, and semantically rich and efficient long-term storage. In particular, such an infrastructure cannot continue to be limited to machines and sensors, but additionally needs to encompass networked environments: production cells, edge computing, and location-independent cloud infrastructures. Finally, in light of the envisioned WWL, i.e., the interconnection of production sites, the technical infrastructure must be advanced to support secure and privacy-preserving industrial collaboration. To evolve today's production sites and lay the infrastructural foundation for the IoP, we identify five broad streams of research: (1) adapting data and stream processing to heterogeneous data from distributed sources, (2) ensuring data interoperability between systems and production sites, (3) exchanging and sharing data with different stakeholders, (4) network security approaches addressing the risks of increasing interconnectivity, and (5) security architectures to enable secure and privacy-preserving industrial collaboration. With our research, we evolve the underlying infrastructure from isolated, sparsely networked production sites toward an architecture that supports high-level applications and sophisticated digital shadows while facilitating the transition toward a WWL.
Submitted 17 May, 2023;
originally announced May 2023.
-
Comprehensively Analyzing the Impact of Cyberattacks on Power Grids
Authors:
Lennart Bader,
Martin Serror,
Olav Lamberts,
Ömer Sen,
Dennis van der Velde,
Immanuel Hacker,
Julian Filter,
Elmar Padilla,
Martin Henze
Abstract:
The increasing digitalization of power grids and especially the shift towards IP-based communication drastically increase the susceptibility to cyberattacks, potentially leading to blackouts and physical damage. Understanding the involved risks, the interplay of communication and physical assets, and the effects of cyberattacks are paramount for the uninterrupted operation of this critical infrastructure. However, as the impact of cyberattacks cannot be researched in real-world power grids, current efforts tend to focus on analyzing isolated aspects at small scales, often covering only either physical or communication assets. To fill this gap, we present WATTSON, a comprehensive research environment that facilitates reproducing, implementing, and analyzing cyberattacks against power grids and, in particular, their impact on both communication and physical processes. We validate WATTSON's accuracy against a physical testbed and show its scalability to realistic power grid sizes. We then perform authentic cyberattacks, such as Industroyer, within the environment and study their impact on the power grid's energy and communication side. Besides known vulnerabilities, our results reveal the ripple effects of susceptible communication on complex cyber-physical processes and thus lay the foundation for effective countermeasures.
Submitted 16 May, 2023;
originally announced May 2023.
-
On the Observability of Recurrent Nova Super-Remnants
Authors:
M. W. Healy-Kalesh,
M. J. Darnley,
E. J. Harvey,
C. M. Copperwheat,
P. A. James,
T. Andersson,
M. Henze,
T. J. O'Brien
Abstract:
The nova super-remnant (NSR) surrounding M31N 2008-12a (12a), the annually erupting recurrent nova (RN), is the only known example of this phenomenon. As this structure has grown as a result of frequent eruptions from 12a, we might expect to see NSRs around other RNe; this would confirm the RN--NSR association and strengthen the connection between novae and type Ia supernovae (SN Ia) as NSRs centered on SN Ia provide a lasting, unequivocal signpost to the single degenerate progenitor type of that explosion. The only previous NSR simulation used identical eruptions from a static white dwarf (WD). In this Paper, we simulate the growth of NSRs alongside the natural growth/erosion of the central WD, within a range of environments, accretion rates, WD temperatures, and initial WD masses. The subsequent evolving eruptions create dynamic NSRs tens of parsecs in radius comprising a low-density cavity, bordered by a hot ejecta pile-up region, and surrounded by a cool, high-density, thin shell. Higher density environments restrict NSR size, as do higher accretion rates, whereas the WD temperature and initial mass have less impact. NSRs form around growing or eroding WDs, indicating that NSRs also exist around old novae with low-mass WDs. Observables such as X-ray and H$\alpha$ emission from the modelled NSRs are derived to aid searches for more examples; only NSRs around high accretion rate novae will currently be observable. The observed properties of the 12a NSR can be reproduced when considering both the dynamically grown NSR and photoionisation by the nova system.
Submitted 23 February, 2023;
originally announced February 2023.
-
On Specification-based Cyber-Attack Detection in Smart Grids
Authors:
Ömer Sen,
Dennis van der Velde,
Maik Lühman,
Florian Sprünken,
Immanuel Hacker,
Andreas Ulbig,
Michael Andres,
Martin Henze
Abstract:
The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.
Submitted 9 September, 2022;
originally announced September 2022.
-
PowerDuck: A GOOSE Data Set of Cyberattacks in Substations
Authors:
Sven Zemanek,
Immanuel Hacker,
Konrad Wolsing,
Eric Wagner,
Martin Henze,
Martin Serror
Abstract:
Power grids worldwide are increasingly victims of cyberattacks, where attackers can cause immense damage to critical infrastructure. The growing digitalization and networking in power grids combined with insufficient protection against cyberattacks further exacerbate this trend. Hence, security engineers and researchers must counter these new risks by continuously improving security measures. Data sets of real network traffic during cyberattacks play a decisive role in analyzing and understanding such attacks. Therefore, this paper presents PowerDuck, a publicly available security data set containing network traces of GOOSE communication in a physical substation testbed. The data set includes recordings of various scenarios with and without the presence of attacks. Furthermore, all network packets originating from the attacker are clearly labeled to facilitate their identification. We thus envision PowerDuck improving and complementing existing data sets of substations, which are often generated synthetically, thus enhancing the security of power grids.
Submitted 11 July, 2022;
originally announced July 2022.
-
Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things
Authors:
Markus Dahlmanns,
Johannes Lohmöller,
Jan Pennekamp,
Jörn Bodenhausen,
Klaus Wehrle,
Martin Henze
Abstract:
The ongoing trend to move industrial appliances from previously isolated networks to the Internet requires fundamental changes in security to uphold secure and safe operation. Consequently, to ensure end-to-end secure communication and authentication, (i) traditional industrial protocols, e.g., Modbus, are retrofitted with TLS support, and (ii) modern protocols, e.g., MQTT, are directly designed to use TLS. To understand whether these changes indeed lead to secure Industrial Internet of Things deployments, i.e., using TLS-based protocols, which are configured according to security best practices, we perform an Internet-wide security assessment of ten industrial protocols covering the complete IPv4 address space.
Our results show that both retrofitted existing protocols and newly developed secure alternatives are barely noticeable in the wild. While we find that new protocols have a higher TLS adoption rate than traditional protocols (7.2% vs. 0.4%), the overall adoption of TLS is comparably low (6.5% of hosts). Thus, most industrial deployments (934,736 hosts) are insecurely connected to the Internet. Furthermore, we identify that 42% of hosts with TLS support (26,665 hosts) show security deficits, e.g., missing access control. Finally, we show that support in configuring systems securely, e.g., via configuration templates, is promising to strengthen security.
Submitted 1 June, 2022;
originally announced June 2022.
-
Scalable and Privacy-Focused Company-Centric Supply Chain Management
Authors:
Eric Wagner,
Roman Matzutt,
Jan Pennekamp,
Lennart Bader,
Irakli Bajelidze,
Klaus Wehrle,
Martin Henze
Abstract:
Blockchain technology promises to overcome trust and privacy concerns inherent to centralized information sharing. However, current decentralized supply chain management systems either do not meet privacy and scalability requirements or require a trustworthy consortium, which is challenging for increasingly dynamic supply chains with constantly changing participants. In this paper, we propose CCChain, a scalable and privacy-aware supply chain management system that stores all information locally to give companies complete sovereignty over who accesses their data. Still, tamper protection of all data through a permissionless blockchain enables on-demand tracking and tracing of products as well as reliable information sharing while affording the detection of data inconsistencies. Our evaluation confirms that CCChain offers superior scalability in comparison to alternatives while also enabling near real-time tracking and tracing for many, less complex products.
Submitted 22 May, 2022;
originally announced May 2022.
-
BP-MAC: Fast Authentication for Short Messages
Authors:
Eric Wagner,
Martin Serror,
Klaus Wehrle,
Martin Henze
Abstract:
Resource-constrained devices increasingly rely on wireless communication for the reliable and low-latency transmission of short messages. However, especially the implementation of adequate integrity protection of time-critical messages places a significant burden on these devices. We address this issue by proposing BP-MAC, a fast and memory-efficient approach for computing message authentication codes based on the well-established Carter-Wegman construction. Our key idea is to offload resource-intensive computations to idle phases and thus save valuable time in latency-critical phases, i.e., when new data awaits processing. Therefore, BP-MAC leverages a universal hash function designed for the bitwise preprocessing of integrity protection to later only require a few XOR operations during the latency-critical phase. Our evaluation on embedded hardware shows that BP-MAC outperforms the state-of-the-art in terms of latency and memory overhead, notably for small messages, as required to adequately protect resource-constrained devices with stringent security and latency requirements.
Submitted 19 May, 2022;
originally announced May 2022.
-
A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection
Authors:
Dominik Kus,
Eric Wagner,
Jan Pennekamp,
Konrad Wolsing,
Ina Berenice Fink,
Markus Dahlmanns,
Klaus Wehrle,
Martin Henze
Abstract:
Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99%. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2% and 14.7% for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks.
Submitted 18 May, 2022;
originally announced May 2022.
-
Collaboration is not Evil: A Systematic Look at Security Research for Industrial Use
Authors:
Jan Pennekamp,
Erik Buchholz,
Markus Dahlmanns,
Ike Kunze,
Stefan Braun,
Eric Wagner,
Matthias Brockmann,
Klaus Wehrle,
Martin Henze
Abstract:
Following the recent Internet of Things-induced trends on digitization in general, industrial applications will further evolve as well. With a focus on the domains of manufacturing and production, the Internet of Production pursues the vision of a digitized, globally interconnected, yet secure environment by establishing a distributed knowledge base. Background. As part of our collaborative research of advancing the scope of industrial applications through cybersecurity and privacy, we identified a set of common challenges and pitfalls that surface in such applied interdisciplinary collaborations. Aim. Our goal with this paper is to support researchers in the emerging field of cybersecurity in industrial settings by formalizing our experiences as reference for other research efforts, in industry and academia alike. Method. Based on our experience, we derived a process cycle of performing such interdisciplinary research, from the initial idea to the eventual dissemination and paper writing. This presented methodology strives to successfully bootstrap further research and to encourage further work in this emerging area. Results. Apart from our newly proposed process cycle, we report on our experiences and conduct a case study applying this methodology, raising awareness for challenges in cybersecurity research for industrial applications. We further detail the interplay between our process cycle and the data lifecycle in applied research data management. Finally, we augment our discussion with an industrial as well as an academic view on this research area and highlight that both areas still have to overcome significant challenges to sustainably and securely advance industrial applications. Conclusions. With our proposed process cycle for interdisciplinary research in the intersection of cybersecurity and industrial application, we provide a foundation for further research.
Submitted 21 December, 2021;
originally announced December 2021.
-
CoinPrune: Shrinking Bitcoin's Blockchain Retrospectively
Authors:
Roman Matzutt,
Benedikt Kalde,
Jan Pennekamp,
Arthur Drichel,
Martin Henze,
Klaus Wehrle
Abstract:
Popular cryptocurrencies continue to face serious scalability issues due to their ever-growing blockchains. Thus, modern blockchain designs began to prune old blocks and rely on recent snapshots for their bootstrapping processes instead. Unfortunately, established systems are often considered incapable of adopting these improvements. In this work, we present CoinPrune, our block-pruning scheme with full Bitcoin compatibility, to revise this popular belief. CoinPrune bootstraps joining nodes via snapshots that are periodically created from Bitcoin's set of unspent transaction outputs (UTXO set). Our scheme establishes trust in these snapshots by relying on CoinPrune-supporting miners to mutually reaffirm a snapshot's correctness on the blockchain. This way, snapshots remain trustworthy even if adversaries attempt to tamper with them. Our scheme maintains its retrospective deployability by relying on positive feedback only, i.e., blocks containing invalid reaffirmations are not rejected, but invalid reaffirmations are outpaced by the benign ones created by an honest majority among CoinPrune-supporting miners. Already today, CoinPrune reduces the storage requirements for Bitcoin nodes by two orders of magnitude, as joining nodes need to fetch and process only 6 GiB instead of 271 GiB of data in our evaluation, reducing the synchronization time of powerful devices from currently 7 h to 51 min, with even larger potential drops for less powerful devices. CoinPrune is further aware of higher-level application data, i.e., it conserves otherwise pruned application data and allows nodes to obfuscate objectionable and potentially illegal blockchain content from their UTXO set and the snapshots they distribute.
Submitted 26 November, 2021;
originally announced November 2021.
-
Challenges and Opportunities in Securing the Industrial Internet of Things
Authors:
Martin Serror,
Sacha Hack,
Martin Henze,
Marko Schuba,
Klaus Wehrle
Abstract:
Given the tremendous success of the Internet of Things in interconnecting consumer devices, we observe a natural trend to likewise interconnect devices in industrial settings, referred to as Industrial Internet of Things or Industry 4.0. While this coupling of industrial components provides many benefits, it also introduces serious security challenges. Although sharing many similarities with the consumer Internet of Things, securing the Industrial Internet of Things introduces its own challenges but also opportunities, mainly resulting from a longer lifetime of components and a larger scale of networks. In this paper, we identify the unique security goals and challenges of the Industrial Internet of Things, which, unlike consumer deployments, mainly follow from safety and productivity requirements. To address these security goals and challenges, we provide a comprehensive survey of research efforts to secure the Industrial Internet of Things, discuss their applicability, and analyze their security benefits.
Submitted 23 November, 2021;
originally announced November 2021.
-
Reproducible and Adaptable Log Data Generation for Sound Cybersecurity Experiments
Authors:
Rafael Uetz,
Christian Hemminghaus,
Louis Hackländer,
Philipp Schlipper,
Martin Henze
Abstract:
Artifacts such as log data and network traffic are fundamental for cybersecurity research, e.g., in the area of intrusion detection. Yet, most research is based on artifacts that are not available to others or cannot be adapted to own purposes, thus making it difficult to reproduce and build on existing work. In this paper, we identify the challenges of artifact generation with the goal of conducting sound experiments that are valid, controlled, and reproducible. We argue that testbeds for artifact generation have to be designed specifically with reproducibility and adaptability in mind. To achieve this goal, we present SOCBED, our proof-of-concept implementation and the first testbed with a focus on generating realistic log data for cybersecurity experiments in a reproducible and adaptable manner. SOCBED enables researchers to reproduce testbed instances on commodity computers, adapt them according to own requirements, and verify their correct functionality. We evaluate SOCBED with an exemplary, practical experiment on detecting a multi-step intrusion of an enterprise network and show that the resulting experiment is indeed valid, controlled, and reproducible. Both SOCBED and the log dataset underlying our evaluation are freely available.
Submitted 15 November, 2021;
originally announced November 2021.
-
IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems
Authors:
Konrad Wolsing,
Eric Wagner,
Antoine Saillard,
Martin Henze
Abstract:
The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isol…
▽ More
The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial protocols. After proving IPAL's correctness in a reproducibility study of related work, we showcase its unique benefits by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols and can perform outside their restricted silos.
Submitted 11 July, 2022; v1 submitted 5 November, 2021;
originally announced November 2021.
-
Investigating Man-in-the-Middle-based False Data Injection in a Smart Grid Laboratory Environment
Authors:
Ömer Sen,
Dennis van der Velde,
Philipp Linnartz,
Immanuel Hacker,
Martin Henze,
Michael Andres,
Andreas Ulbig
Abstract:
With the increasing use of information and communication technology in electrical power grids, the security of energy supply is increasingly threatened by cyber-attacks. Traditional cyber-security measures, such as firewalls or intrusion detection/prevention systems, can be used as mitigation and prevention measures, but their effective use requires a deep understanding of the potential threat landscape and complex attack processes in energy information systems. Given the complexity and lack of detailed knowledge of coordinated, timed attacks in smart grid applications, we need information and insight into realistic attack scenarios in an appropriate and practical setting. In this paper, we present a man-in-the-middle-based attack scenario that intercepts process communication between control systems and field devices, employs false data injection techniques, and performs data corruption such as sending false commands to field devices. We demonstrate the applicability of the presented attack scenario in a physical smart grid laboratory environment and analyze the generated data under normal and attack conditions to extract domain-specific knowledge for detection mechanisms.
Submitted 18 October, 2021;
originally announced October 2021.
-
An Approach of Replicating Multi-Staged Cyber-Attacks and Countermeasures in a Smart Grid Co-Simulation Environment
Authors:
Ömer Sen,
Dennis van der Velde,
Sebastian N. Peters,
Martin Henze
Abstract:
While the digitization of power distribution grids brings many benefits, it also introduces new vulnerabilities for cyber-attacks. To maintain secure operations in the emerging threat landscape, detecting and implementing countermeasures against cyber-attacks are paramount. However, due to the lack of publicly available attack data against Smart Grids (SGs) for countermeasure development, simulation-based data generation approaches offer the potential to provide the needed data foundation. Therefore, our proposed approach provides flexible and scalable replication of multi-staged cyber-attacks in an SG Co-Simulation Environment (COSE). The COSE consists of an energy grid simulator, simulators for Operation Technology (OT) devices, and a network emulator for realistic IT process networks. Focusing on defensive and offensive use cases in COSE, our simulated attacker can perform network scans, find vulnerabilities, exploit them, gain administrative privileges, and execute malicious commands on OT devices. As an exemplary countermeasure, we present a built-in Intrusion Detection System (IDS) that analyzes generated network traffic using anomaly detection with Machine Learning (ML) approaches. In this work, we provide an overview of the SG COSE, present a multi-stage attack model with the potential to disrupt grid operations, and show exemplary performance evaluations of the IDS in specific scenarios.
Submitted 5 October, 2021;
originally announced October 2021.
-
Path Loss in Urban LoRa Networks: A Large-Scale Measurement Study
Authors:
Michael Rademacher,
Hendrik Linka,
Thorsten Horstmann,
Martin Henze
Abstract:
Urban LoRa networks promise to provide a cost-efficient and scalable communication backbone for smart cities. One core challenge in rolling out and operating these networks is radio network planning, i.e., precise predictions about possible new locations and their impact on network coverage. Path loss models aid in this task, but evaluating and comparing different models requires a sufficiently large set of high-quality received packet power samples. In this paper, we report on a corresponding large-scale measurement study covering an urban area of 200 km² over a period of 230 days using sensors deployed on garbage trucks, resulting in more than 112 thousand high-quality samples for received packet power. Using this data, we compare eleven previously proposed path loss models and additionally provide new coefficients for the Log-distance model. Our results reveal that the Log-distance model and other well-known empirical models such as Okumura or Winner+ provide reasonable estimations in an urban environment, and terrain-based models such as ITM or ITWOM have no advantages. In addition, we derive estimations for the needed sample size in similar measurement campaigns. To stimulate further research in this direction, we make all our data publicly available.
Submitted 16 September, 2021;
originally announced September 2021.
-
Towards an Approach to Contextual Detection of Multi-Stage Cyber Attacks in Smart Grids
Authors:
Ömer Sen,
Dennis van der Velde,
Katharina A. Wehrmeister,
Immanuel Hacker,
Martin Henze,
Michael Andres
Abstract:
Electric power grids are at risk of being compromised by high-impact cyber-security threats such as coordinated, timed attacks. Navigating this new threat landscape requires a deep understanding of the potential risks and complex attack processes in energy information systems, which in turn demands an unmanageable manual effort to timely process a large amount of cross-domain information. To provide an adequate basis to contextually assess and understand the situation of smart grids in case of coordinated cyber-attacks, we need a systematic and coherent approach to identify cyber incidents. In this paper, we present an approach that collects and correlates cross-domain cyber threat information to detect multi-stage cyber-attacks in energy information systems. We investigate the applicability and performance of the presented correlation approach and discuss the results to highlight challenges in domain-specific detection mechanisms.
Submitted 6 September, 2021;
originally announced September 2021.
-
Nova LMC 2009a as observed with XMM-Newton, compared with other novae
Authors:
Marina Orio,
Andrej Dobrotka,
Ciro Pinto,
Martin Henze,
Jan-Uwe Ness,
Nataly Ospina,
Songpeng Pei,
Ehud Behar,
Michael F. Bode,
Sou Her,
Margarita Hernanz,
Gloria Sala
Abstract:
We examine four high resolution reflection grating spectrometers (RGS) spectra of the February 2009 outburst of the luminous recurrent nova LMC 2009a. They were very complex and rich in intricate absorption and emission features. The continuum was consistent with a dominant component originating in the atmosphere of a shell burning white dwarf (WD) with peak effective temperature between 810,000 K and a million K, and mass in the 1.2-1.4 M$_\odot$ range. A moderate blue shift of the absorption features of a few hundred km s$^{-1}$ can be explained with a residual nova wind depleting the WD surface at a rate of about 10$^{-8}$ M$_\odot$ yr$^{-1}$. The emission spectrum seems to be due to both photoionization and shock ionization in the ejecta. The supersoft X-ray flux was irregularly variable on time scales of hours, with decreasing amplitude of the variability. We find that both the period and the amplitude of another, already known 33.3 s modulation, varied within timescales of hours. We compared N LMC 2009a with other Magellanic Clouds novae, including 4 serendipitously discovered as supersoft X-ray sources (SSS) among 13 observed within 16 years after the eruption. The new detected targets were much less luminous than expected: we suggest that they were partially obscured by the accretion disk. Lack of SSS detections in the Magellanic Clouds novae more than 5.5 years after the eruption constrains the average duration of the nuclear burning phase.
Submitted 11 May, 2021;
originally announced May 2021.
-
Cybersecurity in Power Grids: Challenges and Opportunities
Authors:
Tim Krause,
Raphael Ernst,
Benedikt Klaer,
Immanuel Hacker,
Martin Henze
Abstract:
Increasing volatilities within power transmission and distribution force power grid operators to amplify their use of communication infrastructure to monitor and control their grid. The resulting increase in communication creates a larger attack surface for malicious actors. Indeed, cyber attacks on power grids have already succeeded in causing temporary, large-scale blackouts in the recent past. In this paper, we analyze the communication infrastructure of power grids to derive resulting fundamental challenges of power grids with respect to cybersecurity. Based on these challenges, we identify a broad set of resulting attack vectors and attack scenarios that threaten the security of power grids. To address these challenges, we propose to rely on a defense-in-depth strategy, which encompasses measures for (i) device and application security, (ii) network security, (iii) physical security, as well as (iv) policies, procedures, and awareness. For each of these categories, we distill and discuss a comprehensive set of state-of-the-art approaches, and identify further opportunities to strengthen cybersecurity in interconnected power grids.
Submitted 5 October, 2021; v1 submitted 30 April, 2021;
originally announced May 2021.
-
Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes
Authors:
Eric Wagner,
Jan Bauer,
Martin Henze
Abstract:
Message authentication guarantees the integrity of messages exchanged over untrusted channels. However, to achieve this goal, message authentication considerably expands packet sizes, which is especially problematic in constrained wireless environments. To address this issue, progressive message authentication provides initially reduced integrity protection that is often sufficient to process messages upon reception. This reduced security is then successively improved with subsequent messages to uphold the strong guarantees of traditional integrity protection. However, contrary to previous claims, we show in this paper that existing progressive message authentication schemes are highly susceptible to packet loss induced by poor channel conditions or jamming attacks. Thus, we consider it imperative to rethink how authentication tags depend on the successful reception of surrounding packets. To this end, we propose R2-D2, which uses randomized dependencies with parameterized security guarantees to increase the resilience of progressive authentication against packet loss. To deploy our approach to resource-constrained devices, we introduce SP-MAC, which implements R2-D2 using efficient XOR operations. Our evaluation shows that SP-MAC is resilient to sophisticated network-level attacks and operates as resource-conscious and fast as existing, yet insecure, progressive message authentication schemes.
Submitted 19 May, 2022; v1 submitted 15 March, 2021;
originally announced March 2021.
-
Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments
Authors:
Markus Dahlmanns,
Johannes Lohmöller,
Ina Berenice Fink,
Jan Pennekamp,
Klaus Wehrle,
Martin Henze
Abstract:
Due to increasing digitalization, formerly isolated industrial networks, e.g., for factory and process automation, move closer and closer to the Internet, mandating secure communication. However, securely setting up OPC UA, the prime candidate for secure industrial communication, is challenging due to a large variety of insecure options. To study whether Internet-facing OPC UA appliances are configured securely, we actively scan the IPv4 address space for publicly reachable OPC UA systems and assess the security of their configurations. We observe problematic security configurations such as missing access control (on 24% of hosts), disabled security functionality (24%), or use of deprecated cryptographic primitives (25%) on in total 92% of the reachable deployments. Furthermore, we discover several hundred devices in multiple autonomous systems sharing the same security certificate, opening the door for impersonation attacks. Overall, in this paper, we highlight commonly found security misconfigurations and underline the importance of appropriate configuration for security-featuring protocols.
Submitted 26 October, 2020;
originally announced October 2020.
-
A Theory for the Maximum Magnitude versus Rate of Decline (MMRD) Relation of Classical Novae
Authors:
Izumi Hachisu,
Hideyuki Saio,
Mariko Kato,
Martin Henze,
Allen W. Shafter
Abstract:
We propose a theory for the MMRD relation of novae, using free-free emission model light curves built on the optically thick wind theory. We calculated $(t_3,M_{V,\rm max})$ for various sets of $(\dot M_{\rm acc}, M_{\rm WD})$, where $M_{V,\rm max}$ is the peak absolute $V$ magnitude, $t_3$ is the 3-mag decay time from the peak, and $\dot M_{\rm acc}$ is the mass accretion rate on to the white dwarf (WD) of mass $M_{\rm WD}$. The model light curves are uniquely characterized by $x\equiv M_{\rm env}/M_{\rm sc}$, where $M_{\rm env}$ is the hydrogen-rich envelope mass and $M_{\rm sc}$ is the scaling mass at which the wind has a certain wind mass-loss rate. For a given ignition mass $M_{\rm ig}$, we can specify the first point $x_0= M_{\rm ig}/M_{\rm sc}$ on the model light curve, and calculate the corresponding peak brightness and $t_3$ time from this first point. Our $(t_3, M_{V,\rm max})$ points cover well the distribution of existing novae. The lower the mass accretion rate, the brighter the peak. The maximum brightness is limited to $M_{V,\rm max} \gtrsim -10.4$ by the lowest mass-accretion rate of $\dot M_{\rm acc} \gtrsim1 \times 10^{-11}~M_\odot$ yr$^{-1}$. A significant part of the observational MMRD trend corresponds to the $\dot M_{\rm acc}\sim5\times10^{-9}~M_\odot$ yr$^{-1}$ line with different WD masses. A scatter from the trend line indicates a variation in their mass-accretion rates. Thus, the global trend of an MMRD relation does exist, but its scatter is too large for it to be a precision distance indicator of individual novae. We tabulate $(t_3, M_{V,\rm max})$ for many sets of $(\dot M_{\rm acc},M_{\rm WD})$.
Submitted 7 September, 2020;
originally announced September 2020.
-
Graph-based Model of Smart Grid Architectures
Authors:
Benedikt Klaer,
Ömer Sen,
Dennis van der Velde,
Immanuel Hacker,
Michael Andres,
Martin Henze
Abstract:
The rising use of information and communication technology in smart grids likewise increases the risk of failures that endanger the security of power supply, e.g., due to errors in the communication configuration, faulty control algorithms, or cyber-attacks. Co-simulations can be used to investigate such effects, but require precise modeling of the energy, communication, and information domain within an integrated smart grid infrastructure model. Given the complexity and lack of detailed publicly available communication network models for smart grid scenarios, there is a need for an automated and systematic approach to creating such coupled models. In this paper, we present an approach to automatically generate smart grid infrastructure models based on an arbitrary electrical distribution grid model using a generic architectural template. We demonstrate the applicability and unique features of our approach alongside examples concerning network planning, co-simulation setup, and specification of domain-specific intrusion detection systems.
Submitted 1 September, 2020;
originally announced September 2020.
-
How to Securely Prune Bitcoin's Blockchain
Authors:
Roman Matzutt,
Benedikt Kalde,
Jan Pennekamp,
Arthur Drichel,
Martin Henze,
Klaus Wehrle
Abstract:
Bitcoin was the first successful decentralized cryptocurrency and remains the most popular of its kind to this day. Despite the benefits of its blockchain, Bitcoin still faces serious scalability issues, most importantly its ever-increasing blockchain size. While alternative designs introduced schemes to periodically create snapshots and thereafter prune older blocks, already-deployed systems such as Bitcoin are often considered incapable of adopting corresponding approaches. In this work, we revise this popular belief and present CoinPrune, a snapshot-based pruning scheme that is fully compatible with Bitcoin. CoinPrune can be deployed through an opt-in velvet fork, i.e., without impeding the established Bitcoin network. By requiring miners to publicly announce and jointly reaffirm recent snapshots on the blockchain, CoinPrune establishes trust into the snapshots' correctness even in the presence of powerful adversaries. Our evaluation shows that CoinPrune reduces the storage requirements of Bitcoin already by two orders of magnitude today, with further relative savings as the blockchain grows. In our experiments, nodes only have to fetch and process 5 GiB instead of 230 GiB of data when joining the network, reducing the synchronization time on powerful devices from currently 5 h to 46 min, with even more savings for less powerful devices.
Submitted 15 April, 2020;
originally announced April 2020.
-
Assessing the Security of OPC UA Deployments
Authors:
Linus Roepert,
Markus Dahlmanns,
Ina Berenice Fink,
Jan Pennekamp,
Martin Henze
Abstract:
To address the increasing security demands of industrial deployments, OPC UA is one of the first industrial protocols explicitly designed with security in mind. However, deploying it securely requires a thorough configuration of a wide range of options. Thus, assessing the security of OPC UA deployments and their configuration is necessary to ensure secure operation, most importantly confidentiality and integrity of industrial processes. In this work, we present extensions to the popular Metasploit Framework to ease network-based security assessments of OPC UA deployments. To this end, we discuss methods to discover OPC UA servers, test their authentication, obtain their configuration, and check for vulnerabilities. Ultimately, our work enables operators to verify the (security) configuration of their systems and identify potential attack vectors.
Submitted 27 March, 2020;
originally announced March 2020.
-
Methods for Actors in the Electric Power System to Prevent, Detect and React to ICT Attacks and Failures
Authors:
Dennis van der Velde,
Martin Henze,
Philipp Kathmann,
Erik Wassermann,
Michael Andres,
Detert Bracht,
Raphael Ernst,
George Hallak,
Benedikt Klaer,
Philipp Linnartz,
Benjamin Meyer,
Simon Ofner,
Tobias Pletzer,
Richard Sethmann
Abstract:
The fundamental changes in power supply and increasing decentralization require more active grid operation and an increased integration of ICT at all power system actors. This trend raises complexity and increasingly leads to interactions between primary grid operation and ICT as well as different power system actors. For example, virtual power plants control various assets in the distribution grid via ICT to jointly market existing flexibilities. Failures of ICT or targeted attacks can thus have serious effects on security of supply and system stability. This paper presents a holistic approach to providing methods specifically for actors in the power system for prevention, detection, and reaction to ICT attacks and failures. The focus of our measures is on solutions for ICT monitoring, systems for the detection of ICT attacks and intrusions in the process network, and the provision of actionable guidelines as well as a practice environment for the response to potential ICT security incidents.
Submitted 13 March, 2020;
originally announced March 2020.
-
Deep XMM-Newton observations of the northern disk of M31 II: Tracing the hot interstellar medium
Authors:
Patrick J. Kavanagh,
Manami Sasaki,
Dieter Breitschwerdt,
Miguel A. de Avillez,
Miroslav D. Filipovic,
Timothy Galvin,
Frank Haberl,
Despina Hatzidimitriou,
Martin Henze,
Paul P. Plucinsky,
Sara Saeedi,
Kirill V. Sokolovsky,
Benjamin F. Williams
Abstract:
Aims: We use new deep XMM-Newton observations of the northern disk of M 31 to trace the hot interstellar medium (ISM) in unprecedented detail and to characterise the physical properties of the X-ray emitting plasmas. Methods: We used all XMM-Newton data up to and including our new observations to produce the most detailed image yet of the hot ISM plasma in a grand design spiral galaxy such as our own. We compared the X-ray morphology to multi-wavelength studies in the literature to set it in the context of the multi-phase ISM. We performed spectral analyses on the extended emission using our new observations as they offer sufficient depth and count statistics to constrain the plasma properties. Data from the Panchromatic Hubble Andromeda Treasury were used to estimate the energy injected by massive stars and their supernovae. We compared these results to the hot gas properties. Results: The brightest emission regions were found to be correlated with populations of massive stars, notably in the 10 kpc star-forming ring. The plasma temperatures in the ring regions are ~0.2 keV up to ~0.6 keV. We suggest this emission is hot ISM heated in massive stellar clusters and superbubbles. We derived X-ray luminosities, densities, and pressures for the gas in each region. We also found large extended emission filling low density gaps in the dust morphology of the northern disk, notably between the 5 kpc and 10 kpc star-forming rings. We propose that the hot gas was heated and expelled into the gaps by the populations of massive stars in the rings. Conclusions: It is clear that the massive stellar populations are responsible for heating the ISM to X-ray emitting temperatures, filling their surroundings, and possibly driving the hot gas into the low density regions. Overall, the morphology and spectra of the hot gas in the northern disk of M 31 are similar to those of other galaxy disks.
Submitted 31 March, 2020; v1 submitted 28 October, 2019;
originally announced October 2019.
-
On a century of extragalactic novae and the rise of the rapid recurrent novae
Authors:
Matthew J. Darnley,
Martin Henze
Abstract:
Novae are the observable outcome of a transient thermonuclear runaway on the surface of an accreting white dwarf in a close binary system. Their high peak luminosity renders them visible in galaxies out beyond the distance of the Virgo Cluster. Over the past century, surveys of extragalactic novae, particularly within the nearby Andromeda Galaxy, have yielded substantial insights regarding the properties of their populations and sub-populations. The recent decade has seen the first detailed panchromatic studies of individual extragalactic novae and the discovery of two probably related sub-groups: the 'faint-fast' and the 'rapid recurrent' novae. In this review we summarise the past 100 years of extragalactic efforts, introduce the rapid recurrent sub-group, and look in detail at the remarkable faint-fast, and rapid recurrent, nova M31N 2008-12a. We end with a brief look forward, not to the next 100 years, but the next few decades, and the study of novae in the upcoming era of wide-field and multi-messenger time-domain surveys.
Submitted 23 September, 2019;
originally announced September 2019.
-
The January 2016 eruption of recurrent nova LMC 1968
Authors:
N. P. M. Kuin,
K. L. Page,
P. Mróz,
M. J. Darnley,
S. N. Shore,
J. P. Osborne,
F. Walter,
F. Di Mille,
N. Morrell,
U. Munari,
T. Bohlsen,
A. Evans,
R. D. Gehrz,
S. Starrfield,
M. Henze,
S. C. Williams,
G. J. Schwarz,
A. Udalski,
M. K. Szymański,
R. Poleski,
I. Soszyński,
V. A. R. M. Ribeiro,
R. Angeloni,
A. A. Breeveld,
A. P. Beardmore
et al. (1 additional author not shown)
Abstract:
We present a comprehensive review of all observations of the eclipsing recurrent Nova LMC 1968 in the Large Magellanic Cloud, which was previously observed in eruption in 1968, 1990, 2002, 2010, and most recently in 2016. We derive a probable recurrence time of $6.2 \pm 1.2$ years and provide the ephemerides of the eclipse. In the ultraviolet-optical-IR photometry the light curve shows high variability right from the first observation around two days after eruption. Therefore no colour changes can be substantiated. Outburst spectra from 2016 and 1990 are very similar and are dominated by H and He lines longward of 2000 Angstrom. Interstellar reddening is found to be E(B-V) = $0.07\pm0.01$. The supersoft X-ray luminosity is lower than the Eddington luminosity and the X-ray spectra suggest the mass of the WD is larger than 1.3 M$_\odot$. Eclipses in the light curve suggest that the system is at high orbital inclination. On day four after the eruption a recombination wave was observed in Fe II ultraviolet absorption lines. Narrow line components are seen after day 6 and explained as being due to reionisation of ejecta from a previous eruption. The UV spectrum varies with orbital phase, in particular a component of the He II 1640 Angstrom emission line, which leads us to propose that early on the inner WD Roche lobe might be filled with a bound opaque medium prior to the re-formation of an accretion disk. Both this medium and the ejecta can cause the delay in the appearance of the soft X-ray source.
Submitted 20 October, 2019; v1 submitted 7 September, 2019;
originally announced September 2019.