G. TSOCHEV, R. YOSHINOV, N. ZHUKOVA SOME SECURITY ISSUES WITH THE INDUSTRIAL INTERNET OF THINGS AND COMPARISON TO SCADA SYSTEMS

Tsochev G., Yoshinov R., Zhukova N. Some Security Issues with the Industrial Internet of Things and Comparison to SCADA Systems. Abstract. The paper considers a security issue of the Internet of Things that does not belong to the traditional problem of cybersecurity, since it concerns the local or distributed monitoring and/or control of the state of physical systems connected via the Internet. The architecture of Supervisory Control and Data Acquisition (SCADA) systems was considered in the authors' previous studies: starting from how SCADA systems are implemented, their vulnerabilities and various options for cyberattacks on them were analyzed; as an example, a tree-based case study was considered and the results obtained were summarized and visualized. The purpose of this paper is to compare the new industrial Internet of Things technology (Industrial Internet of Things) with the previously studied traditional SCADA systems. The Industrial Internet of Things is a network of devices connected through communication technologies. Some of the most common security issues of the Industrial Internet of Things are presented. A brief overview of the structure of the Industrial Internet of Things is given, and the basic principles of security and the main problems that can arise with Internet of Things devices are described. Based on research and analysis of the risk of threats in the field of the Industrial Internet of Things, a specific case of destructive impact is considered using attack tree analysis as the main approach. The creation of the values of the attack tree leaf nodes is described and the results are analyzed. The scenario of changing an electronic record to increase the infusion rate of an overflow pump is analyzed using a complexity index. The consequences are compared with the previous study of SCADA systems, and the respective conclusions are drawn.


Introduction.
In modern society, information and communication technologies have penetrated deeply and have become the basis of all activities in the economy, administration, society and privacy. Digital infrastructures are turning from a supportive environment into a major and critical factor for the management and proper functioning of all resources and systems [1].
The so-called digital transformation of the industry has emerged in the overall development of the digital society [2] in recent years, which is the result of the increasing penetration of the Internet of Things (IoT), robotics, 3D printing, cloud solutions, and artificial intelligence-based cognitive technologies. All these technologies form the so-called Industry 4.0, driven not only by design and production, but also by its relationship with the market and consumers.
Industrial technologies are among the top 5 priority areas in the EU's 2020 development strategy.
According to the Concept for Digital Transformation of Bulgarian Industry [3], Industry 4.0 is a collection of related digital technological solutions that support the development of automation, integration and real-time data exchange in production processes. In essence, this reflects an industrial and technological transformation process that naturally follows the development of scientific and production practices. The fourth industrial transformation is a natural extension of the digitization and automation of production and includes Internet connectivity and interaction of cyber-physical systems without human involvement, processing and analysis of large information arrays, decision making by artificial intelligence, digital modeling and simulation of production processes through virtual reality, smart automation, mass production of individualized products, the emergence of new technologies, and the creation of new businesses.
The future of industrial automation is evolving in such a way that robots replace humans. In the course of Industry 4.0 revolution, a new term for technological automation of processes, the Industrial Internet of Things, was introduced.
A previous study looked at the nature of the supervisory control and data acquisition (SCADA) system [4]. Starting from how SCADA systems are implemented, their vulnerabilities and various options for attacking them were analyzed. A tree-based case study was considered as an example, and the results were summarized and visualized. The effects were analyzed and a conclusion was reached.
This article is intended to make a comparison with the new Industrial Internet of Things technology and to compare the results obtained with a previous study on traditional SCADA systems.
2. IoT: Definition, protocols, architecture and standards.
IoT is a set of technologies and applications that make devices capable of generating any kind of information, connecting these devices for instant data analysis and, ideally, for "smart" action (Fig. 1) [5]. Conceptually, IoT means that physical entities can use protocols to send information about their status, position, or other data.
The whole end-to-end communication of the IoT consists of three main components: embedded devices, gateways and end applications. Embedded devices connect to their local gateway through protocols such as 6LoWPAN, ZigBee, Z-Wave, Thread, Bluetooth and Bluetooth LE, Wi-Fi, WirelessHART, etc. There are also a number of long-range IoT protocols such as LoRaWAN, NB-IoT, etc. In the home automation sector, the Home Network Automation Protocol (HNAP) is adopted by many vendors as the preferred protocol for device management; the protocol was originally patented by Pure Networks but is now owned and developed by Cisco. At the low-power end of the application layer, the Constrained Application Protocol (CoAP) is an IETF protocol designed for RESTful applications; it uses HTTP semantics (and can be proxied to HTTP on the wider network) but with a much smaller footprint and a binary rather than textual encoding. CoAP is intended for use over UDP. MQTT, the Message Queue Telemetry Transport, is an alternative to CoAP and is deployed as a message publishing protocol for wireless sensor networks.
Fig. 1. Internet of Things illustration [6]
Multicast DNS (mDNS) is often used by IoT devices to resolve hostnames to IP addresses within small networks that do not include a local name server. The development of the interoperability standard known as Hypercat is encouraged. This standard is intended to improve data discoverability and interoperability and to enable catalogs of devices and their capabilities to be published as web-accessible metadata about connected devices. This is currently one of the preferred interoperability options. As with any new technology, there are many protocols and standards being tested and offered for inclusion in the IoT; they will form part of the detailed IoT reference architecture and will probably be supported in due course by case-specific implementation profiles. The IoT security architecture is part of the broader IoT reference architecture.
It starts with business outcomes and derives from them the security and control requirements that must be met to achieve those outcomes. Given the widespread adoption of IoT, specific arguments for an on-demand security architecture will be developed using standard building blocks. The nature of IoT technology (Fig. 2) places unusual requirements on the architecture, such as low-power algorithms, cryptographic algorithms and low-latency communications [7]. Identity and access management is another challenge that requires quite different solutions from traditional corporate approaches. Secure interoperability will lead to the need for standardization of security and of accounts.

IoT Security and privacy.
A key part of the response to growing interconnectivity is to ensure that the systems provided are available on request and can be trusted to protect the user's privacy. Given the commodity nature of many IoT devices and the implications for security and privacy, a stable framework of trust is required that is incorporated into product design [2]. The approach should be based on an open and integrated business model, an IT-oriented architecture, and a user-oriented trust model. Data needs to be more open and interconnected, but privacy and security must be at the heart of how it is stored and used. In particular, data centralization and reconciliation can be met with suspicion on the part of users and must be managed with care. There is a set of devices that require an identity; these have an entirely different trust model [8]. Identity is a complex and deeply personal concept: individuals have multiple overlapping identities, each with different rights and permissions. Some identities must be kept separate and some must be consolidated. Therefore, whether identities are kept separate or combined must be considered on a case-by-case basis, subject to the requirements set out in the Personal Data Protection Act and all other applicable laws. New ways of introducing identity protection mechanisms (passwords, PINs, digital signatures) have in practice become barriers to the deployment of digital services. Traditional IT systems implement security based on 25 years of security control standards that are difficult to relate to current cyber security requirements; they are quite inadequate as a basis for security and trust in IoT. Enterprise security controls do not function well in the industrial control systems sector, where the requirement for continuous operation is incompatible with routine updating and restarting.
In the same way, it is unlikely that a home light bulb will constantly check for updates, apply them, and monitor for cyber-attacks [9]. The evolution of IoT requires an approach to security and privacy that is flexible and supports unforeseen changes across a wide range of completely different technologies and applications. It requires an approach that recognizes the global ecosystem, made up of different sectors using common solutions developed independently in accordance with a common set of principles, but with a sector-specific interpretation of security. A common basis for this could be applying security at the data layer. An end-to-end security model between a device and an application that performs trusted data analysis can be considered part of the solution. Identity management needs to be developed as carefully as security.
4. IoT Resilience.
As all sectors of government, industry and society reap the benefits that can be realized through IoT, their dependency on real-time connectivity grows. This means that networks must not only become resilient [10] but must also strive for security that allows continued operation in the event of a cyber-attack. Internet-connected communications bring some new challenges with the use of ultra-low-power protocols and algorithms. While some research has been done to ensure security, resilience is an embryonic discipline that urgently needs a lot of attention.

Cybersecurity vs. IoT and cyber-physical security.
Internet of Things security is not traditional cybersecurity but a merger of cybersecurity with other engineering disciplines. It addresses much more than just data, servers, network infrastructures and information security [8]. Rather, it involves the direct or distributed monitoring and/or control of the condition of physical systems connected via the Internet. In other words, what distinguishes IoT from cybersecurity is what are called "cyber-physical systems" [11]. Cybersecurity does not usually address the physical security aspects of a hardware device or the interactions it may have with the physical world. Networked digital control of physical processes is what makes IoT security distinctive: it is not limited to the principles of protecting information in terms of confidentiality, integrity, etc., but extends to the physical resources and machines that originate and receive information in the physical world. In other words, IoT has many real analog and physical elements.
IoT devices are physical systems, many of which are safety-related. Therefore, the compromise of such devices can lead to physical damage to persons and property, and even death. Consequently, the object of IoT security is not to apply a single, static set of meta-security rules, as is done for network devices and hosts; it requires a specific treatment for each system and system of systems in which Internet devices are involved. IoT devices come in many different forms, but collectively an IoT device has both of the following features:
- it manipulates or monitors something physical (in the device itself or in its surroundings), either directly or through a direct connection to something;
- it is able to communicate directly or indirectly via the Internet.
Given these two properties, any physical system can be an IoT device, because everything physical can be connected to the Internet with appropriate electronic interfaces. IoT device security (Fig. 3) is a function of the device's use, the physical process or state affected by or controlled by the device, and the sensitivity of the systems to which the device connects.

IoT Security Principles.
Security has traditionally been considered in terms of confidentiality, availability and integrity. There is no single best IoT security design. There are many different IoT devices, and security needs to be considered in the context of how the device will be used. The device itself will not provide complete security; it must be supported by a good end-to-end architecture. While the business requirements are best defined for each use case, the IoT Security Foundation has identified a number of IoT security principles ("Establishing Principles for Internet of Things Security") [12]:
- Does the data need to be trusted?
- Is the safe and/or timely arrival of data important?
- Is it necessary to restrict access to or control of the device?
- Is it necessary to update the software on the device?
- Will ownership of the device need to be managed or transferred in a secure manner?
- Does the data need to be audited?
They are grouped into three areas (Fig. 4).

Application layer.
CoAP uses Datagram Transport Layer Security (DTLS), a TLS variant that can cope with the unreliable nature of UDP communications, to secure its messages. It has a small number of mandatory configurations identified as suitable for constrained environments. This provides support for confidentiality, authentication, integrity, non-repudiation and protection against replay attacks. CoAP has four security modes for key management: NoSec, PreSharedKey, RawPublicKey and Certificates.
The DTLS handshake for authentication and key agreement has a significant impact on the resources of constrained devices, especially the requirement for elliptic-curve cryptography. Research into DTLS optimization for the Internet of Things continues, including moving elliptic-curve cryptography into hardware.
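As an added illustration of the two points above (the compact binary CoAP header and the four key-management modes), here is a small Python parser for the CoAP fixed header and token, together with a hypothetical gateway ingress policy that admits only DTLS-protected CoAP in the PreSharedKey, RawPublicKey or Certificates modes. This is example code written for this text, not code from the paper or from any CoAP implementation; the `admit` function, its `dtls_mode` argument and the sample datagram are constructed for the example, while the header layout, the reserved token lengths and the ports 5683/5684 follow RFC 7252.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

COAP_PORT = 5683    # plain CoAP over UDP, i.e. the NoSec mode
COAPS_PORT = 5684   # CoAP over DTLS

# RFC 7252 request codes (class 0) and message types
METHODS = {1: "GET", 2: "POST", 3: "PUT", 4: "DELETE"}
TYPES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}

# Key-management modes named in the text; only the DTLS-backed ones are admitted
ALLOWED_MODES = {"PreSharedKey", "RawPublicKey", "Certificates"}


class FormatError(ValueError):
    """Raised for datagrams that RFC 7252 says must be treated as format errors."""


@dataclass
class CoapHeader:
    version: int
    msg_type: str
    code: str               # "class.detail", e.g. "0.01" (GET) or "2.05" (Content)
    method: Optional[str]   # GET/POST/PUT/DELETE for requests, None otherwise
    message_id: int
    token: bytes


def parse_coap_header(datagram: bytes) -> CoapHeader:
    """Parse the 4-byte fixed header and the token of a CoAP datagram.

    Options and payload (everything after the token) are not parsed here.
    """
    if len(datagram) < 4:
        raise FormatError("shorter than the 4-byte fixed header")
    first, code, message_id = struct.unpack("!BBH", datagram[:4])
    version = first >> 6            # 2 bits, must be 1
    msg_type = (first >> 4) & 0x3   # 2 bits: CON/NON/ACK/RST
    tkl = first & 0xF               # 4-bit token length
    if version != 1:
        raise FormatError(f"unsupported version {version}")
    if tkl > 8:
        # Lengths 9..15 are reserved and must be processed as a format error
        raise FormatError(f"reserved token length {tkl}")
    if len(datagram) < 4 + tkl:
        raise FormatError("token truncated")
    token = datagram[4:4 + tkl]
    cls, detail = code >> 5, code & 0x1F
    method = METHODS.get(code) if cls == 0 else None
    return CoapHeader(version, TYPES[msg_type], f"{cls}.{detail:02d}",
                      method, message_id, token)


def admit(dst_port: int, dtls_mode: str, datagram: bytes) -> Tuple[bool, str]:
    """Hypothetical gateway ingress policy: accept only DTLS-protected CoAP in
    one of the allowed key modes, and only datagrams with a well-formed header."""
    if dst_port != COAPS_PORT or dtls_mode not in ALLOWED_MODES:
        return False, "rejected: unprotected CoAP (NoSec) is not accepted"
    try:
        hdr = parse_coap_header(datagram)
    except FormatError as exc:
        return False, f"rejected: {exc}"
    return True, f"accepted: {hdr.msg_type} {hdr.method or hdr.code} mid={hdr.message_id}"


if __name__ == "__main__":
    # Constructed datagram: CON GET, message ID 0x1234, 4-byte token
    sample = b"\x44\x01\x12\x34\xde\xad\xbe\xef"
    print(admit(COAPS_PORT, "PreSharedKey", sample))
    print(admit(COAP_PORT, "NoSec", sample))
```

The policy deliberately makes the transport decision before parsing: a datagram that did not arrive through an authenticated DTLS session is dropped without touching its contents, and malformed headers (including the reserved token lengths) are rejected rather than passed on to a constrained device.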

IoT communication.
In most cases, an IoT device communicates with a gateway, which in turn communicates with a controller or web service (Fig. 5).

Gateways like this are sometimes called edge gateways. Others may be located more centrally in data centers to support any number of specialized or proprietary IoT protocols, such as MQTT or Representational State Transfer (REST). The web service may be provided by a device manufacturer or by an enterprise or public cloud service that collects information from the devices it manages. In many situations, the end-to-end connection between the field device and the web service is provided by a series of field and cloud gateways, each of which aggregates large amounts of data. Dell, Intel and other companies have recently introduced IoT gateways to the market. Companies like Systech offer multi-protocol gateways that allow connecting different types of devices to the IoT using multiple antennas and receivers. There are also user-focused gateways, also called commercially available hubs, that support smart home communication.
One of the main aspects of IoT is how small, low-power devices self-organize and exchange information (routing information and data) with each other. Although these sensor devices are energy-limited, they must store and process data, dynamically connect to the network, and interact with other devices. Some devices may act as internal or border routers. There are five key issues to consider: secure route creation, automatic recovery and stabilization, detection of malicious nodes, hardware-based computation, and node location confidentiality.

Message protocols.
At the top of the IoT communication stack are protocols that support the exchange of formatted messages between two endpoints, usually client-server or client-client. Protocols such as MQTT, CoAP, the Data Distribution Service (DDS), the Advanced Message Queuing Protocol (AMQP) and the Extensible Messaging and Presence Protocol (XMPP) work on top of the lower-layer communications and enable clients and servers to share data effectively. Such communications can be very efficient and are used in many Internet systems. Today, communications based on REST and MQTT appear to be leading the way. MQTT (Fig. 6) is a publish/subscribe model in which clients subscribe to topics and maintain a TCP connection to a broker server. Messages sent to the broker carry the topic of the message, which allows the broker to determine which clients receive the message. Messages are delivered to clients through a continuously open connection.
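Because the broker decides which clients receive each message, it is also the natural place to decide who may publish or subscribe to a topic at all. The following added Python example (written for this text, not taken from the paper or from any broker product) implements MQTT 3.1.1 topic-filter matching with the `+` and `#` wildcards and puts a small per-client authorization list on top of it. The client identifiers, topic names and ACL contents are constructed for the example.

```python
from typing import Dict, List


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 topic-filter matching.

    '+' matches exactly one level; '#' matches any number of trailing levels and
    must be the last level of the filter. A filter that begins with a wildcard
    never matches '$'-prefixed system topics ($SYS/...).
    """
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1   # '#' anywhere else is an invalid filter
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(t_levels) == len(f_levels)


def filter_covers(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.

    Needed for subscriptions, where the client hands the broker a filter (which
    may itself contain wildcards) rather than a concrete topic name.
    """
    a_levels = allowed.split("/")
    r_levels = requested.split("/")
    for i, level in enumerate(a_levels):
        if level == "#":
            return True                     # allowed filter covers everything below
        if i >= len(r_levels):
            return False
        if r_levels[i] == "#":
            return False                    # requested wants unbounded depth, allowed is bounded
        if level != "+" and level != r_levels[i]:
            return False                    # a literal level covers only the same literal
    return len(a_levels) == len(r_levels)


# Constructed broker ACL: client id -> allowed publish topics and subscribe filters.
ACL: Dict[str, Dict[str, List[str]]] = {
    "pump-0042": {
        "publish": ["ward3/pump-0042/telemetry"],
        "subscribe": ["ward3/pump-0042/cmd"],
    },
    "ehr-ingest": {
        "publish": [],
        "subscribe": ["ward3/+/telemetry"],
    },
    "nurse-station": {
        "publish": ["ward3/+/cmd"],
        "subscribe": ["ward3/#"],
    },
}


def authorize(client_id: str, action: str, topic_or_filter: str) -> bool:
    """Broker-side check: may `client_id` perform `action` ('publish' or
    'subscribe') on `topic_or_filter`? Unknown clients and actions are denied."""
    rules = ACL.get(client_id)
    if rules is None or action not in ("publish", "subscribe"):
        return False
    if action == "publish":
        if "+" in topic_or_filter or "#" in topic_or_filter:
            return False                    # wildcards are not legal in a publish topic name
        return any(topic_matches(f, topic_or_filter) for f in rules["publish"])
    return any(filter_covers(f, topic_or_filter) for f in rules["subscribe"])


if __name__ == "__main__":
    print(authorize("pump-0042", "publish", "ward3/pump-0042/telemetry"))   # True
    print(authorize("pump-0042", "publish", "ward3/pump-0099/telemetry"))   # False
    print(authorize("ehr-ingest", "subscribe", "ward3/#"))                   # False
```

The design point is that a device may speak only for itself (its own telemetry topic), the record-ingest service may read telemetry but never publish, and an over-broad subscription such as `ward3/#` from the ingest service is refused even though it would "contain" the topics it is entitled to.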

XMPP. XMPP (Extensible Messaging and Presence Protocol) is XML-based (Extensible Markup Language) and is an open-source real-time communication technology. It developed out of the Jabber Instant Messaging (IM) protocol. XMPP supports the transmission of XML messages over TCP transport, which allows IoT developers to effectively detect and troubleshoot defects.
CoAP. CoAP (Fig. 7) is another UDP-based IoT message protocol designed to be used on resource-limited Internet devices, such as WSN nodes. It consists of a set of messages that map easily to HTTP: GET, POST, PUT and DELETE.
DDS. DDS (Fig. 8) is an information bus used to integrate intelligent machines. Like MQTT, it uses a publish/subscribe model in which readers subscribe to topics of interest.
Fig. 8. Architecture of DDS
6. Risk Analysis Method.
Data security issues are becoming increasingly important as civilization moves toward a global information age. The information revolution has changed the way of communication all over the world and has also drawn unprecedented attention to network security issues [13].
The Internet of Things is developing very rapidly and turbulently. Detecting possible attacks or failures is the subject of Threat Risk Analysis (TRA). Part of TRA is tree-based analysis. Attack Tree Analysis is a modeling technique for understanding risk in complex situations. Based on the previous study, the tree-based method [4] of risk analysis of a security breach was selected.
7. IoT Attack Scenario.
This section describes how the values of each leaf node of an attack tree are generated [14], as well as an analysis of these data and results (Tables 1 and 2) [15,16]. All nodes of the attack tree are shown in full in Figures 9 and 10.
Backdoor installation: backdoors are installed so that attackers can repeatedly access systems and intranet sites whenever they wish, bypassing normal security controls [17,18]. During this time, the attacker finds other loopholes in the system that can be used to achieve the desired goal.
- Email threat transmission: an attacker can send an infected file as an attachment in an email to a person or group of people in the hospital. Once the file is opened on a computer on the hospital network, a backdoor can be created that allows the attacker to connect to that computer from a remote location. This method is highly accessible because emails are sent over the Internet and there are no restrictions.
- USB threat transmission: an attacker can transmit malware to the target EHR server via a USB device. Substituting USB devices belonging to hospital staff, or tricking a doctor into sharing a file from a computer system, are alternatives. Low technical ability is required to perform this attack.
- Port scanning: upon successful access to the hospital network, the attacker scans for open network ports that can be used as a starting point. Very low technical skill is required, as numerous online tutorials explain how this is done [19].
Identifying working exploits: once an attacker has established a foothold in the system, the next objective is to detect vulnerabilities in the system.
- SQL injection: the attacker's purpose is to query the database in a way that changes the electronic records stored in it.
- Spillover management: upon entering the hospital network, the attacker may decide to execute arbitrary operating system commands through a vulnerable application.
Login with a valid username and password: an attacker who can access the server may try different combinations of usernames and passwords to gain access to the system.
Extracting traffic: in order to compromise a network, an attacker must capture the traffic as it passes between the client and the server [20].
- Accessing data through a host or network: an attacker may attempt to retrieve data destined for the hospital network.
- Access to data destined for a particular host or network: the attacker may attempt to retrieve data coming from the hospital network.
Replay attack: the attacker may decide to forward already captured data so that the EHR server receives it as authentic real-time data. If successful, this results in an incorrect record being transferred, since the original data are not the same as the replayed data.
- Real-time data manipulation: an attacker must capture and modify incoming packets during real-time transmission, which requires capturing the SSL stream.
- Data transmission: forwarding data is the least that an attacker can do. An attacker may attempt to apply additional techniques to ensure that the attack is critical enough when transmitting modified data.
- Overcoming SSL/TLS: this attack node has a very high technical score, as a high level of understanding of the basic principles of encryption is required to launch the attack. The attacker must have access to real-time data to capture the SSL stream.
8. Comparative analysis.
The SecurITree software provides a tool for identifying threat profiles [1].
Attack scenarios that fall under threat level 1 have the highest level of attack complexity [21]. The complexity of attacks decreases from threat level 1 to threat level 5. While attacks at threat level 1 are the most complex, threat level 5 may lead to an attack against the infrastructure with less complexity and a good result for the attacker. In the SCADA attack scenario, it can be seen that only attackers at threat levels 1 and 3 can carry out the attack.
Comparing both results (Table 3), it can be seen that threat levels 4 and 5 may lead to an attack on the IoT infrastructure, but not on the industrial SCADA system. This means that the skills required to attack an IoT application, such as a drug overflow pump, are less than those required for an industrial SCADA system.
Analysis of the electronic record change scenario to increase the infusion rate of an overflow pump using a complexity index (CI).
An attacker can modify electronic records by attacking the EHR server, the EHR client, or the network. In order to attack the server, it is assumed that the attacker exploits existing vulnerabilities. To carry out the attack, the attacker must combine elements of social engineering, insubordination, remote administration and APT. This gives this attack scenario a CI value of 4. In the network attack scenario, it is assumed that if an attacker wants to compromise a server that correctly implements SSL/TLS data encryption, a zero-day vulnerability must be used. This increases the complexity of the attack to 5; otherwise the CI score for an attack on the network layer is considered to be 4. The lowest-complexity attack against an EHR is an attack against a client machine. The scenario here involves an attacker who gains remote access to the client machine after using social engineering techniques to obtain vital access information. The CI score for such an attack is 2.
10. Results of an IIoT attack.
Using indicators related to the complexity of attacks to analyze the capabilities at each threat level, it is observed that threat level 5 is the lowest threat level that can attack the infrastructure. The attack can have a physical impact, such as endangering a patient's life. Two attacks can be achieved at threat level 5. The purpose of both is to successfully replay the data transmitted between the patient's device and the EHR server. A replay would result in incorrect data being recorded as normal data; if the physician starts treating a patient based on these data, the result could be catastrophic.
The result of the analysis also shows that threat level 1 is the highest threat level for the IoT infrastructure. Threat level 1 aims to change the encoded data during transmission. This may include changing patients' names, changing a patient's blood type, modifying the data used to determine the patient's rate of transfusion, etc.
Some of the attack nodes include network traffic capture, real-time data manipulation and SSL/TLS encryption processing before the final forwarding of the data.
For the system attack tree, five scenarios can be performed at threat level 2. These consist of an attack designed to trick the physician into entering medical records into a false domain, a spear-phishing attack that is the precursor to obtaining a valid username and password to remotely access the EHR, and finding a vulnerability in the server for remote server exploitation. The same attack scenarios can be performed from threat level 3 and threat level 4. These attacks include the man-in-the-middle attack on the overflow pump itself, the controller attack, and the exploitation of the EHR server. These attacks cannot be carried out by a level 2 threat because of its reduced technical ability. At the end of the analysis it can be seen that none of the attacks can be carried out with a threat level of 1, 2 and 3.
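To make the tree-based method of Sections 6 to 10 concrete, the following added Python example (written for this text, not taken from the paper or from SecurITree) evaluates a small attack tree: the cheapest path through AND/OR gates, a complexity-index-style count of the capability families that path combines, and the threat levels able to execute it. The tree, its leaf values, the capability labels and the threat-level skill ceilings are all constructed; the example assumes the simple monotone reading in which level 1 is the most capable attacker and anything a less capable level can do, a more capable one can do too.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    name: str
    skill: int       # technical ability the step demands, 1 (trivial) .. 5 (expert); constructed
    category: str    # capability family the step belongs to; constructed labels


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str        # "AND": every child is needed; "OR": any one child suffices
    children: Tuple["Node", ...]


Node = Union[Leaf, Gate]

# Threat-level profiles: level 1 is the most capable attacker, level 5 the least.
# The skill ceilings are constructed for this example.
THREAT_LEVELS = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}


def cheapest_path(node: Node) -> Tuple[int, FrozenSet[str]]:
    """Easiest way to reach `node`: (skill required, capability categories used).

    OR picks the least demanding child; AND needs all children, so the skill is
    that of the hardest step and the categories accumulate."""
    if isinstance(node, Leaf):
        return node.skill, frozenset([node.category])
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: (r[0], len(r[1])))
    if node.kind == "AND":
        skill = max(r[0] for r in results)
        categories = frozenset().union(*(r[1] for r in results))
        return skill, categories
    raise ValueError(f"unknown gate kind {node.kind!r}")


def complexity_index(node: Node) -> int:
    """CI-style indicator: number of distinct capability families the cheapest path combines."""
    return len(cheapest_path(node)[1])


def feasible_levels(node: Node) -> List[int]:
    """Threat levels whose skill ceiling meets the cheapest path's requirement."""
    required = cheapest_path(node)[0]
    return [lvl for lvl, ceiling in THREAT_LEVELS.items() if ceiling >= required]


# Constructed tree for the goal "modify an electronic record", with three branches
# standing in for the client, server and network scenarios discussed in the text.
# Leaf skills and categories are invented for the example.
CLIENT = Gate("compromise EHR client", "AND", (
    Leaf("phish a clinician for credentials", 2, "social engineering"),
    Leaf("remote access to client workstation", 2, "remote administration"),
))
SERVER = Gate("compromise EHR server", "AND", (
    Leaf("phish hospital staff", 2, "social engineering"),
    Leaf("plant a backdoor", 3, "malware"),
    Leaf("scan for exposed services", 1, "reconnaissance"),
    Leaf("exploit a server vulnerability", 4, "exploitation"),
))
NETWORK = Gate("tamper with traffic in transit", "AND", (
    Leaf("capture client-server traffic", 3, "network interception"),
    Leaf("defeat correctly deployed TLS", 5, "cryptanalysis / zero-day"),
))
ROOT = Gate("modify electronic record", "OR", (CLIENT, SERVER, NETWORK))


def summarize(root: Gate) -> List[Tuple[str, int, int, List[int]]]:
    """Per branch of the root: (name, required skill, complexity index, feasible threat levels)."""
    return [(c.name, cheapest_path(c)[0], complexity_index(c), feasible_levels(c))
            for c in root.children]


if __name__ == "__main__":
    for name, skill, ci, levels in summarize(ROOT):
        print(f"{name:32s} skill={skill} CI={ci} feasible levels={levels}")
    print("goal overall: skill", cheapest_path(ROOT)[0], "feasible levels", feasible_levels(ROOT))
```

Read defensively, the output answers the question the comparison in Section 8 asks: the branch with the lowest required skill determines which threat profiles can reach the goal at all, and the complexity index shows how many distinct capabilities a defender would have to deny to push that branch out of reach of the lower threat levels.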

Conclusion.
For the IIoT infrastructure, each node is described in detail, while for SCADA the infrastructure relies on data provided by different reports.
After the data correlation, the corresponding value of each leaf attack was entered into the SecurITree system and a table was created to categorize the threat levels. Amenaza's methodology is also used to generate a complexity index for all attacks. This makes it possible to compare the level of complexity of attacks on SCADA and IoT infrastructures. Such attacks can be carried out against an IoT application with lower complexity requirements and still produce a physical result.
The safe and secure deployment of IoT is a major challenge, given the unique characteristics of these systems, their ability to impact events in the physical world, and the diversity of IoT applications.