2025
- GeCos Replacing Experts: Generalizable and Comprehensible Industrial Intrusion Detection
  Konrad Wolsing, Eric Wagner, Luisa Lux, Klaus Wehrle, and Martin Henze
  In Proceedings of the 34th USENIX Security Symposium (USENIX Sec’25), 2025
Protecting industrial control systems against cyberattacks is crucial to counter escalating threats to critical infrastructure. To this end, Industrial Intrusion Detection Systems (IIDSs) provide an easily retrofittable approach to uncover attacks quickly and before they can cause significant damage. Current research focuses either on maximizing automation, usually through heavy use of machine learning, or on expert systems that rely on detailed knowledge of the monitored systems. While the former hinders the interpretability of alarms, the latter is impractical in real deployments due to excessive manual work for each individual deployment. To bridge the gap between maximizing automation and leveraging expert knowledge, we introduce GeCo, a novel IIDS based on automatically derived comprehensible models of benign system behavior. GeCo leverages state-space models mined from historical process data to minimize manual effort for operators while maintaining high detection performance and generalizability across diverse industrial domains. Our evaluation against state-of-the-art IIDSs and datasets demonstrates GeCo’s superior performance while remaining comprehensible and performing on par with expert-derived rules. GeCo represents a critical step towards empowering operators with control over their cybersecurity toolset, thereby enhancing the protection of valuable physical processes in industrial control systems and critical infrastructures.
@inproceedings{wolsing2025geco,
  title = {{GeCos Replacing Experts: Generalizable and Comprehensible Industrial Intrusion Detection}},
  author = {Wolsing, Konrad and Wagner, Eric and Lux, Luisa and Wehrle, Klaus and Henze, Martin},
  year = {2025},
  booktitle = {Proceedings of the 34th USENIX Security Symposium (USENIX~Sec'25)}
}
- CAIBA: Multicast Source Authentication for CAN Through Reactive Bit Flipping
  Eric Wagner, Frederik Basels, Jan Bauer, Till Zimmermann, Klaus Wehrle, and Martin Henze
  In Proceedings of the 2025 IEEE 10th European Symposium on Security and Privacy (EuroS&P’25), 2025
Controller Area Networks (CANs) are the backbone for reliable intra-vehicular communication. Recent cyberattacks have, however, exposed the weaknesses of CAN, which was designed without any security considerations in the 1980s. Current efforts to retrofit security via intrusion detection or message authentication codes are insufficient to fully secure CAN as they cannot adequately protect against masquerading attacks, where a compromised communication device, a so-called electronic control unit, imitates another device. To remedy this situation, multicast source authentication is required to reliably identify the senders of messages. In this paper, we present CAIBA, a novel multicast source authentication scheme specifically designed for communication buses like CAN. CAIBA relies on an authenticator overwriting authentication tags on-the-fly, such that a receiver only reads a valid tag if not only the integrity of a message but also its source can be verified. To integrate CAIBA into CAN, we devise a special message authentication scheme and a reactive bit overwriting mechanism. We achieve interoperability with legacy CAN devices, while protecting receivers implementing the AUTOSAR SecOC standard against masquerading attacks without communication overhead or verification delays.
@inproceedings{wagner2025caiba,
  title = {{CAIBA: Multicast Source Authentication for CAN Through Reactive Bit Flipping}},
  author = {Wagner, Eric and Basels, Frederik and Bauer, Jan and Zimmermann, Till and Wehrle, Klaus and Henze, Martin},
  year = {2025},
  booktitle = {Proceedings of the 2025 IEEE 10th European Symposium on Security and Privacy~(EuroS\&P'25)},
  doi = {10.1109/EuroSP63326.2025.00045}
}
- Sherlock: A Dataset for Process-aware Intrusion Detection Research on Power Grid Networks
  Eric Wagner, Lennart Bader, Konrad Wolsing, and Martin Serror
  In Proceedings of the 15th ACM Conference on Data and Application Security and Privacy (CODASPY’25), 2025
Physically distributed components and legacy protocols make the protection of power grids against increasing cyberattack threats challenging. Infamously, the 2015 and 2016 blackouts in Ukraine were caused by cyberattacks, and the German Federal Office for Information Security (BSI) recorded over 200 cyber incidents against the German energy sector between 2023 and 2024. Intrusion detection promises to quickly detect such attacks and mitigate the worst consequences. However, public datasets of realistic scenarios are vital to evaluate these systems. This paper introduces Sherlock, a dataset generated with the co-simulator Wattson. In total, Sherlock covers three scenarios with various attacks manipulating the process state by injecting malicious commands or manipulating measurement values. We additionally test five recently-published intrusion detection systems on Sherlock, highlighting specific challenges for intrusion detection in power grids. Dataset and documentation are available at https://sherlock.wattson.it/.
@inproceedings{wagner2025sherlock,
  title = {{Sherlock: A Dataset for Process-aware Intrusion Detection Research on Power Grid Networks}},
  author = {Wagner, Eric and Bader, Lennart and Wolsing, Konrad and Serror, Martin},
  year = {2025},
  booktitle = {{Proceedings of the 15th ACM Conference on Data and Application Security and Privacy (CODASPY'25)}},
  doi = {10.1145/3714393.3726006}
}
- Integrating MAC Aggregation over Lossy Channels in DTLS 1.3
  Eric Wagner, David Heye, Jan Bauer, Klaus Wehrle, and Martin Serror
  In Proceedings of the 33rd IEEE International Conference on Network Protocols (ICNP’25), 2025
Aggregating Message Authentication Codes (MACs) promises to save valuable bandwidth in resource-constrained environments. The idea is simple: Instead of appending an authentication tag to each message in a communication stream, the integrity protection of multiple messages is aggregated into a single tag. Recent studies postulate, e.g., based on simulations, that these benefits also spread to wireless, and thus lossy, scenarios despite each lost packet typically resulting in the loss of integrity protection information for multiple messages. In this paper, we investigate these claims in a real deployment. Therefore, we first design a MAC aggregation extension for the Datagram Transport Layer Security (DTLS) 1.3 protocol. Afterward, we extensively evaluate the performance of MAC aggregation on a complete communication protocol stack on embedded hardware. We find that MAC aggregation can indeed increase goodput by up to 50 % and save up to 17 % of energy expenditure for the transmission of short messages, even in lossy channels.
@inproceedings{wagner2025dtls,
  title = {{Integrating MAC Aggregation over Lossy Channels in DTLS 1.3}},
  author = {Wagner, Eric and Heye, David and Bauer, Jan and Wehrle, Klaus and Serror, Martin},
  year = {2025},
  booktitle = {Proceedings of the 33rd IEEE International Conference on Network Protocols~(ICNP'25)},
  doi = {10.1109/ICNP65844.2025.11192339}
}
- CERERE-An Emulation Environment to Evaluate the Resilience of Complex Systems against Cyber Electro-Magnetic Activities
  Matteo Attenni, Sara Belluccini, Giordano Colò, Andrea Pompili, Pietro Tedeschi, Lennart Bader, and 5 more authors
  In Proceedings of the 2025 International Conference on Military Communication and Information Systems (ICMCIS’25), 2025
Current penetration testing or red-teaming activities to evaluate the cyber resilience of a system mostly rely on subsets of known vulnerabilities or procedures. Despite the use of these techniques, it is hard to assess the process and risks falling into repetitive patterns, which do not effectively validate the resilience of the system against potential zero-day attacks. Countermeasures in the system-under-test are often left out of the cyber resilience evaluation phase. We propose CERERE, an automated framework designed to measure and test the cyber resilience of complex IT systems, such as critical national infrastructure and military networks. CERERE simulates the effects of attacks on the system regardless of exploitation methods. The framework consists of war gaming exercises where attacker and defender modules interact in a simulated test environment to allow a dynamic evaluation of resilience. The attacker module uses heuristic algorithms to generate kill chains, while the defender module leverages AI-based algorithms to simulate defense strategies. CERERE has been validated by evaluating the resilience of a given scenario and identifying the optimal configuration of responses and countermeasures.
@inproceedings{attenni2025cerere,
  title = {{CERERE-An Emulation Environment to Evaluate the Resilience of Complex Systems against Cyber Electro-Magnetic Activities}},
  author = {Attenni, Matteo and Belluccini, Sara and Col{\`o}, Giordano and Pompili, Andrea and Tedeschi, Pietro and Bader, Lennart and Serror, Martin and Wagner, Eric and Aurisch, Thorsten and Prahl-Kamps, Maximilian and Zißner, Philipp},
  year = {2025},
  booktitle = {Proceedings of the 2025 International Conference on Military Communication and Information Systems (ICMCIS'25)},
  doi = {10.1109/ICMCIS64378.2025.11047556}
}
2024
- An Interdisciplinary Survey on Information Flows in Supply Chains
  Jan Pennekamp, Roman Matzutt, Christopher Klinkmüller, Lennart Bader, Martin Serror, Eric Wagner, and 9 more authors
  ACM Computing Surveys, 2024
Supply chains form the backbone of modern economies and therefore require reliable information flows. In practice, however, supply chains face severe technical challenges, especially regarding security and privacy. In this work, we consolidate studies from supply chain management, information systems, and computer science from 2010–2021 in an interdisciplinary meta-survey to make this topic holistically accessible to interdisciplinary research. In particular, we identify a significant potential for computer scientists to remedy technical challenges and improve the robustness of information flows. We subsequently present a concise information flow-focused taxonomy for supply chains before discussing future research directions to provide possible entry points.
@article{pennekamp2024supply_chain,
  title = {{An Interdisciplinary Survey on Information Flows in Supply Chains}},
  author = {Pennekamp, Jan and Matzutt, Roman and Klinkmüller, Christopher and Bader, Lennart and Serror, Martin and Wagner, Eric and Malik, Sidra and Spiß, Maria and Rahn, Jessica and Gürpinar, Tan and Vlad, Eduard and Leemans, Sander J. J. and Kanhere, Salil S. and Stich, Volker and Wehrle, Klaus},
  year = {2024},
  journal = {{ACM Computing Surveys}},
  volume = {56},
  number = {2},
  doi = {10.1145/3606693}
}
- Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication
  Eric Wagner, David Heye, Martin Serror, Ike Kunze, Klaus Wehrle, and Martin Henze
  In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (AsiaCCS’24), 2024
Industrial control systems increasingly rely on middlebox functionality such as intrusion detection or in-network processing. However, traditional end-to-end security protocols interfere with the necessary access to in-flight data. While recent work on middlebox-aware end-to-end security protocols for the traditional Internet promises to address the dilemma between end-to-end security guarantees and middleboxes, the current state-of-the-art lacks critical features for industrial communication. Most importantly, industrial settings require fine-grained access control for middleboxes to truly operate in a least-privilege mode. Likewise, advanced applications even require that middleboxes can inject specific messages (e.g., emergency shutdowns). Meanwhile, industrial scenarios often expose tight latency and bandwidth constraints not found in the traditional Internet. As the current state-of-the-art misses critical features, we propose Middlebox-aware DTLS (Madtls), a middlebox-aware end-to-end security protocol specifically tailored to the needs of industrial networks. Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.
@inproceedings{wagner2024madtls,
  title = {{Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication}},
  author = {Wagner, Eric and Heye, David and Serror, Martin and Kunze, Ike and Wehrle, Klaus and Henze, Martin},
  year = {2024},
  booktitle = {Proceedings of the 19th ACM Asia Conference on Computer and Communications Security~(AsiaCCS'24)},
  doi = {10.1145/3634737.3637640}
}
- When and How to Aggregate Message Authentication Codes on Lossy Channels?
  Eric Wagner, Martin Serror, Klaus Wehrle, and Martin Henze
  In Proceedings of the International Conference on Applied Cryptography and Network Security (ACNS’24), 2024
Aggregation of message authentication codes (MACs) is a proven and efficient method to preserve valuable bandwidth in resource-constrained environments: Instead of appending a long authentication tag to each message, the integrity protection of multiple messages is aggregated into a single tag. However, while such aggregation saves bandwidth, a single lost message typically means that authentication information for multiple messages cannot be verified anymore. With the significant increase of bandwidth-constrained lossy communication, as applications shift towards wireless channels, it thus becomes paramount to study the impact of packet loss on the diverse MAC aggregation schemes proposed over the past 15 years to assess when and how to aggregate message authentication. Therefore, we empirically study all relevant MAC aggregation schemes in the context of lossy channels, investigating achievable goodput improvements, the resulting verification delays, processing overhead, and resilience to denial-of-service attacks. Our analysis shows the importance of carefully choosing and configuring MAC aggregation, as selecting and correctly parameterizing the right scheme can, e.g., improve goodput by 39 % to 444 %, depending on the scenario. However, since no aggregation scheme performs best in all scenarios, we provide guidelines for network operators to select optimal schemes and parameterizations suiting specific network settings.
@inproceedings{wagner2024mac_aggregation,
  title = {{When and How to Aggregate Message Authentication Codes on Lossy Channels?}},
  author = {Wagner, Eric and Serror, Martin and Wehrle, Klaus and Henze, Martin},
  year = {2024},
  booktitle = {Proceedings of the International Conference on Applied Cryptography and Network Security~(ACNS'24)},
  doi = {10.1007/978-3-031-54773-7_10}
}
- Deployment Challenges of Industrial Intrusion Detection Systems
  Konrad Wolsing, Eric Wagner, Frederik Basels, Patrick Wagner, and Klaus Wehrle
  In Proceedings of the 10th Workshop on the Security of Industrial Control Systems & of Cyber-Physical Systems (ICPS’24), 2024
With the escalating threats posed by cyberattacks on Industrial Control Systems (ICSs), the development of customized Industrial Intrusion Detection Systems (IIDSs) received significant attention in research. While the existing literature proposes effective IIDS solutions evaluated in controlled environments, their deployment in real-world industrial settings poses several challenges. Adding to known obstructions, this paper highlights two critical aspects that significantly impact IIDSs’ practical deployment, i.e., the need for sufficient amounts of data to train the IIDS models and the challenges associated with finding suitable hyperparameters, especially for IIDSs training only on normal ICS data. Through empirical experiments conducted on multiple state-of-the-art IIDSs and diverse datasets, we establish the criticality of these issues in deploying IIDSs in ICS environments. Our findings show the necessity of extensive malicious training data for supervised IIDSs, which can be impractical considering the complexity of recording and labeling attacks in actual ICSs. Furthermore, while other IIDSs circumvent the previous issue by requiring only benign training data, these can suffer from the difficulty of setting appropriate hyperparameters, which likewise can diminish their performance. By shedding light on these challenges, we aim to enhance the current understanding of limitations and considerations necessary for deploying effective cybersecurity solutions in ICSs, which might be one reason why IIDSs see few deployments.
@inproceedings{wolsing2024challenges,
  title = {{Deployment Challenges of Industrial Intrusion Detection Systems}},
  author = {Wolsing, Konrad and Wagner, Eric and Basels, Frederik and Wagner, Patrick and Wehrle, Klaus},
  year = {2024},
  booktitle = {{Proceedings of the 10th Workshop on the Security of Industrial Control Systems \& of Cyber-Physical Systems (ICPS'24)}},
  doi = {10.1007/978-3-031-82349-7_29}
}
- Blockchain Technology Accelerating Industry 4.0
  Jan Pennekamp, Lennart Bader, Eric Wagner, Jens Hiller, Roman Matzutt, and Klaus Wehrle
  In Blockchains – A Handbook on Fundamentals, 2024
Competitive industrial environments impose significant requirements on data sharing as well as the accountability and verifiability of related processes. Here, blockchain technology emerges as a possible driver that satisfies demands even in settings with mutually distrustful stakeholders. We identify significant benefits achieved by blockchain technology for Industry 4.0 but also point out challenges and corresponding design options when applying blockchain technology in the industrial domain. Furthermore, we survey diverse industrial sectors to shed light on the current intersection between blockchain technology and industry, which provides the foundation for ongoing as well as upcoming research. As industrial blockchain applications are still in their infancy, we expect that new designs and concepts will develop gradually, creating both supporting tools and groundbreaking innovations.
@incollection{pennekamp2024blockchain_technology,
  title = {{Blockchain Technology Accelerating Industry 4.0}},
  author = {Pennekamp, Jan and Bader, Lennart and Wagner, Eric and Hiller, Jens and Matzutt, Roman and Wehrle, Klaus},
  year = {2024},
  booktitle = {{Blockchains – A Handbook on Fundamentals}},
  doi = {10.1007/978-3-031-32146-7_17}
}
- Towards Improving Accountability in Sensitive-Disclosure Scenarios
  Roman Matzutt and Eric Wagner
  In Proceedings of the 2024 European Interdisciplinary Cybersecurity Conference (EICC’24), 2024
Public transparency has become increasingly important to uphold trust in government agencies and private companies alike, e.g., by establishing police accountability and proving abiding to ethical supply chain practices. Oftentimes, however, this public interest conflicts with the need for confidentiality of ongoing processes. In this paper, we investigate these sensitive-disclosure scenarios and the requirements for technical solutions to support the data dissemination in these scenarios. We identify translucent blockchains as a promising building block to provide transparency in sensitive-disclosure scenarios with fine-granular access control.
@inproceedings{matzutt2024towards,
  title = {{Towards Improving Accountability in Sensitive-Disclosure Scenarios}},
  author = {Matzutt, Roman and Wagner, Eric},
  year = {2024},
  booktitle = {{Proceedings of the 2024 European Interdisciplinary Cybersecurity Conference (EICC'24)}},
  doi = {10.1145/3655693.3655715}
}
2023
- METRICS: A Methodology for Evaluating and Testing the Resilience of Industrial Control Systems to Cyberattacks
  Lennart Bader, Eric Wagner, Martin Henze, and Martin Serror
  In Proceedings of the 8th Workshop on the Security of Industrial Control Systems & of Cyber-Physical Systems (CyberICPS’23), 2023
The increasing digitalization and interconnectivity of industrial control systems (ICSs) create enormous benefits, such as enhanced productivity and flexibility, but also amplify the impact of cyberattacks. Cybersecurity research thus continuously needs to adapt to new threats while proposing comprehensive security mechanisms for the ICS domain. As a prerequisite, researchers need to understand the resilience of ICSs against cyberattacks by systematically testing new security approaches without interfering with productive systems. Therefore, one possibility for such evaluations is using already available ICS testbeds and datasets. However, the heterogeneity of the industrial landscape poses great challenges to obtaining comparable and transferable results. In this paper, we propose to bridge this gap with METRICS, a methodology for systematic resilience evaluation of ICSs. METRICS complements existing ICS testbeds by enabling the configuration of measurement campaigns for comprehensive resilience evaluations. Therefore, the user specifies individual evaluation scenarios consisting of cyberattacks and countermeasures while facilitating manual and automatic interventions. Moreover, METRICS provides domain-agnostic evaluation capabilities to achieve comparable results, which user-defined domain-specific metrics can complement. We apply the methodology in a use case study with the power grid simulator Wattson, demonstrating its effectiveness in providing valuable insights for security practitioners and researchers.
@inproceedings{bader2023metrics,
  title = {{METRICS: A Methodology for Evaluating and Testing the Resilience of Industrial Control Systems to Cyberattacks}},
  author = {Bader, Lennart and Wagner, Eric and Henze, Martin and Serror, Martin},
  year = {2023},
  booktitle = {Proceedings of the 8th Workshop on the Security of Industrial Control Systems \& of Cyber-Physical Systems (CyberICPS'23)},
  doi = {10.1007/978-3-031-54204-6_2}
}
- SoK: Evaluations in Industrial Intrusion Detection Research
  Olav Lamberts, Konrad Wolsing, Eric Wagner, Jan Pennekamp, Jan Bauer, Klaus Wehrle, and 1 more author
  Journal of Systems Research, 2023
Industrial systems are increasingly threatened by cyberattacks with potentially disastrous consequences. To counter such attacks, industrial intrusion detection systems strive to timely uncover even the most sophisticated breaches. Due to its criticality for society, this fast-growing field attracts researchers from diverse backgrounds, resulting in 130 new detection approaches in 2021 alone. This huge momentum facilitates the exploration of diverse promising paths but likewise risks fragmenting the research landscape and burying promising progress. Consequently, it needs sound and comprehensible evaluations to mitigate this risk and catalyze efforts into sustainable scientific progress with real-world applicability. In this paper, we therefore systematically analyze the evaluation methodologies of this field to understand the current state of industrial intrusion detection research. Our analysis of 609 publications shows that the rapid growth of this research field has positive and negative consequences. While we observe an increased use of public datasets, publications still only evaluate 1.3 datasets on average, and frequently used benchmarking metrics are ambiguous. At the same time, the adoption of newly developed benchmarking metrics sees little advancement. Finally, our systematic analysis enables us to provide actionable recommendations for all actors involved and thus bring the entire research field forward.
@article{lamberts2023sok,
  title = {{SoK: Evaluations in Industrial Intrusion Detection Research}},
  author = {Lamberts, Olav and Wolsing, Konrad and Wagner, Eric and Pennekamp, Jan and Bauer, Jan and Wehrle, Klaus and Henze, Martin},
  year = {2023},
  journal = {Journal of Systems Research},
  volume = {3},
  number = {1},
  doi = {10.5070/SR33162445}
}
- Retrofitting Integrity Protection into Unused Header Fields of Legacy Industrial Protocols
  Eric Wagner, Nils Rothaug, Konrad Wolsing, Lennart Bader, Klaus Wehrle, and Martin Henze
  In Proceedings of the IEEE 48th Conference on Local Computer Networks (LCN’23), 2023
Industrial networks become increasingly interconnected, which opens the floodgates for cyberattacks on legacy networks designed without security in mind. Consequently, the vast landscape of legacy industrial communication protocols urgently demands a universal solution to integrate security features retroactively. However, current proposals are hardly adaptable to new scenarios and protocols, even though most industrial protocols share a common theme: Due to their progressive development, previously important legacy features became irrelevant and resulting unused protocol fields now offer a unique opportunity for retrofitting security. Our analysis of three prominent protocols shows that headers offer between 36 and 63 bits of unused space. To take advantage of this space, we designed the REtrofittable ProtEction Library (RePeL), which supports embedding authentication tags into arbitrary combinations of unused header fields. We show that RePeL incurs negligible overhead beyond the cryptographic processing, which can be adapted to hit performance targets or fulfill legal requirements.
@inproceedings{wagner2023repel,
  title = {{Retrofitting Integrity Protection into Unused Header Fields of Legacy Industrial Protocols}},
  author = {Wagner, Eric and Rothaug, Nils and Wolsing, Konrad and Bader, Lennart and Wehrle, Klaus and Henze, Martin},
  year = {2023},
  booktitle = {Proceedings of the IEEE 48th Conference on Local Computer Networks~(LCN'23)},
  doi = {10.1109/LCN58197.2023.10223384}
}
- One IDS is not Enough! Exploring Ensemble Learning for Industrial Intrusion Detection
  Konrad Wolsing, Dominik Kus, Eric Wagner, Jan Pennekamp, Klaus Wehrle, and Martin Henze
  In Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS’23), 2023
Industrial Intrusion Detection Systems (IIDSs) play a critical role in safeguarding Industrial Control Systems (ICSs) against targeted cyberattacks. Unsupervised anomaly detectors, capable of learning the expected behavior of physical processes, have proven effective in detecting even novel cyberattacks. While offering decent attack detection, these systems, however, still suffer from too many False-Positive Alarms (FPAs) that operators need to investigate, eventually leading to alarm fatigue. To address this issue, in this paper, we challenge the notion of relying on a single IIDS and explore the benefits of combining multiple IIDSs. To this end, we examine the concept of ensemble learning, where a collection of classifiers (IIDSs in our case) are combined to optimize attack detection and reduce FPAs. While training ensembles for supervised classifiers is relatively straightforward, retaining the unsupervised nature of IIDSs proves challenging. In that regard, novel time-aware ensemble methods that incorporate temporal correlations between alerts and transfer-learning to best utilize the scarce training data constitute viable solutions. By combining diverse IIDSs, the detection performance can be improved beyond the individual approaches with close to no FPAs, resulting in a promising path for strengthening ICS cybersecurity.
@inproceedings{wolsing2023ensemble,
  title = {{One IDS is not Enough! Exploring Ensemble Learning for Industrial Intrusion Detection}},
  author = {Wolsing, Konrad and Kus, Dominik and Wagner, Eric and Pennekamp, Jan and Wehrle, Klaus and Henze, Martin},
  year = {2023},
  booktitle = {Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS'23)},
  doi = {10.1007/978-3-031-51476-0_6}
}
2022
- BP-MAC: Fast Authentication for Short Messages
  Eric Wagner, Martin Serror, Klaus Wehrle, and Martin Henze
  In Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec’22), 2022
Resource-constrained devices increasingly rely on wireless communication for the reliable and low-latency transmission of short messages. However, especially the implementation of adequate integrity protection of time-critical messages places a significant burden on these devices. We address this issue by proposing BP-MAC, a fast and memory-efficient approach for computing message authentication codes based on the well-established Carter-Wegman construction. Our key idea is to offload resource-intensive computations to idle phases and thus save valuable time in latency-critical phases, i.e., when new data awaits processing. Therefore, BP-MAC leverages a universal hash function designed for the bitwise preprocessing of integrity protection to later only require a few XOR operations during the latency-critical phase. Our evaluation on embedded hardware shows that BP-MAC outperforms the state-of-the-art in terms of latency and memory overhead, notably for small messages, as required to adequately protect resource-constrained devices with stringent security and latency requirements.
@inproceedings{wagner2022bpmac,
  title = {{BP-MAC: Fast Authentication for Short Messages}},
  author = {Wagner, Eric and Serror, Martin and Wehrle, Klaus and Henze, Martin},
  year = {2022},
  booktitle = {{Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks~(WiSec'22)}},
  doi = {10.1145/3507657.3528554}
}
- Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes
  Eric Wagner, Jan Bauer, and Martin Henze
  In Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec’22), 2022
Message authentication guarantees the integrity of messages exchanged over untrusted channels. However, to achieve this goal, message authentication considerably expands packet sizes, which is especially problematic in constrained wireless environments. To address this issue, progressive message authentication provides initially reduced integrity protection that is often sufficient to process messages upon reception. This reduced security is then successively improved with subsequent messages to uphold the strong guarantees of traditional integrity protection. However, contrary to previous claims, we show in this paper that existing progressive message authentication schemes are highly susceptible to packet loss induced by poor channel conditions or jamming attacks. Thus, we consider it imperative to rethink how authentication tags depend on the successful reception of surrounding packets. To this end, we propose R2-D2, which uses randomized dependencies with parameterized security guarantees to increase the resilience of progressive authentication against packet loss. To deploy our approach to resource-constrained devices, we introduce SP-MAC, which implements R2-D2 using efficient XOR operations. Our evaluation shows that SP-MAC is resilient to sophisticated network-level attacks and operates as resource-conscious and fast as existing, yet insecure, progressive message authentication schemes.
@inproceedings{wagner2022spmac,
  title = {{Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes}},
  author = {Wagner, Eric and Bauer, Jan and Henze, Martin},
  year = {2022},
  booktitle = {Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks~(WiSec'22)},
  doi = {10.1145/3507657.3528539}
}
- A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection
  Dominik Kus, Eric Wagner, Jan Pennekamp, Konrad Wolsing, Ina Berenice Fink, Markus Dahlmanns, and 2 more authors
  In Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS’22), 2022
Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 %. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 % and 14.7 % for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks.
@inproceedings{kus2022generalizability, title = {{A False Sense of Security? Revisiting the State of Machine Learning-Based Industrial Intrusion Detection}}, author = {Kus, Dominik and Wagner, Eric and Pennekamp, Jan and Wolsing, Konrad and Fink, Ina Berenice and Dahlmanns, Markus and Wehrle, Klaus and Henze, Martin}, year = {2022}, booktitle = {Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS'22)}, doi = {10.1145/3494107.3522773} }
- Scalable and Privacy-Focused Company-Centric Supply Chain Management
  Eric Wagner, Roman Matzutt, Jan Pennekamp, Lennart Bader, Irakli Bajelidze, Klaus Wehrle, and 1 more author
  In Proceedings of the 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC’22), 2022
Blockchain technology promises to overcome trust and privacy concerns inherent to centralized information sharing. However, current decentralized supply chain management systems either do not meet privacy and scalability requirements or require a trustworthy consortium, which is challenging for increasingly dynamic supply chains with constantly changing participants. In this paper, we propose CCChain, a scalable and privacy-aware supply chain management system that stores all information locally to give companies complete sovereignty over who accesses their data. Still, tamper protection of all data through a permissionless blockchain enables on-demand tracking and tracing of products as well as reliable information sharing while affording the detection of data inconsistencies. Our evaluation confirms that CCChain offers superior scalability in comparison to alternatives while also enabling near real-time tracking and tracing for many less complex products.
@inproceedings{wagner2022ccchain, title = {{Scalable and Privacy-Focused Company-Centric Supply Chain Management}}, author = {Wagner, Eric and Matzutt, Roman and Pennekamp, Jan and Bader, Lennart and Bajelidze, Irakli and Wehrle, Klaus and Henze, Martin}, year = {2022}, booktitle = {Proceedings of the 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC'22)}, doi = {10.1109/ICBC54727.2022.9805503} }
- Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset
  Konrad Wolsing, Antoine Saillard, Jan Bauer, Eric Wagner, Christian van Sloun, Ina Berenice Fink, and 3 more authors
  In Proceedings of the 47th IEEE Conference on Local Computer Networks (LCN’22), 2022
Shipboard marine radar systems are essential for safe navigation, helping seafarers perceive their surroundings as they provide bearing and range estimations, object detection, and tracking. Since onboard systems have become increasingly digitized, interconnecting distributed electronics, radars have been integrated into modern bridge systems. But digitization increases the risk of cyberattacks, especially as vessels cannot be considered air-gapped. Consequently, in-depth security is crucial. However, radar systems in particular are not sufficiently protected against harmful network-level adversaries. Therefore, we ask: Can seafarers believe their eyes? In this paper, we identify possible attacks on radar communication and discuss how these threaten safe vessel operation in an attack taxonomy. Furthermore, we develop a holistic simulation environment with radar, complementary nautical sensors, and prototypically implemented cyberattacks from our taxonomy. Finally, leveraging this environment, we create a comprehensive dataset (RadarPWN) with radar network attacks that provides a foundation for future security research to secure marine radar communication.
@inproceedings{wolsing2022radar, title = {{Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset}}, author = {Wolsing, Konrad and Saillard, Antoine and Bauer, Jan and Wagner, Eric and van Sloun, Christian and Fink, Ina Berenice and Schmidt, Mari and Wehrle, Klaus and Henze, Martin}, year = {2022}, booktitle = {Proceedings of the 47th IEEE Conference on Local Computer Networks (LCN'22)}, doi = {10.1109/LCN53696.2022.9843801} }
- Can Industrial Intrusion Detection Be SIMPLE?
  Konrad Wolsing, Lea Thiemt, Christian van Sloun, Eric Wagner, Klaus Wehrle, and Martin Henze
  In Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS’22), 2022
Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems oppose this threat by continuously monitoring industrial processes and alerting on any deviations from learned normal behavior. To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequently, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex.
@inproceedings{wolsing2022simple, title = {{Can Industrial Intrusion Detection Be SIMPLE?}}, author = {Wolsing, Konrad and Thiemt, Lea and van Sloun, Christian and Wagner, Eric and Wehrle, Klaus and Henze, Martin}, year = {2022}, booktitle = {Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS'22)}, doi = {10.1007/978-3-031-17143-7_28} }
- IPAL: Breaking Up Silos of Protocol-Dependent and Domain-Specific Industrial Intrusion Detection Systems
  Konrad Wolsing, Eric Wagner, Antoine Saillard, and Martin Henze
  In Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID’22), 2022
The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial protocols. After proving IPAL’s correctness in a reproducibility study of related work, we showcase its unique benefits by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols and can perform outside their restricted silos.
@inproceedings{wolsing2022ipal, title = {{IPAL: Breaking Up Silos of Protocol-Dependent and Domain-Specific Industrial Intrusion Detection Systems}}, author = {Wolsing, Konrad and Wagner, Eric and Saillard, Antoine and Henze, Martin}, year = {2022}, booktitle = {Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses~(RAID'22)}, doi = {10.1145/3545948.3545968} }
- PowerDuck: A GOOSE Data Set of Cyberattacks in Substations
  Sven Zemanek, Immanuel Hacker, Konrad Wolsing, Eric Wagner, Martin Henze, and Martin Serror
  In Proceedings of the 15th Workshop on Cyber Security Experimentation and Test (CSET’22), 2022
Power grids worldwide are increasingly victims of cyberattacks, where attackers can cause immense damage to critical infrastructure. The growing digitalization and networking in power grids combined with insufficient protection against cyberattacks further exacerbate this trend. Hence, security engineers and researchers must counter these new risks by continuously improving security measures. Data sets of real network traffic during cyberattacks play a decisive role in analyzing and understanding such attacks. Therefore, this paper presents PowerDuck, a publicly available security data set containing network traces of GOOSE communication in a physical substation testbed. The data set includes recordings of various scenarios with and without the presence of attacks. Furthermore, all network packets originating from the attacker are clearly labeled to facilitate their identification. We thus envision PowerDuck improving and complementing existing data sets of substations, which are often generated synthetically, thus enhancing the security of power grids.
@inproceedings{zemanek2022powerduck, title = {{PowerDuck: A GOOSE Data Set of Cyberattacks in Substations}}, author = {Zemanek, Sven and Hacker, Immanuel and Wolsing, Konrad and Wagner, Eric and Henze, Martin and Serror, Martin}, year = {2022}, booktitle = {Proceedings of the 15th Workshop on Cyber Security Experimentation and Test (CSET'22)}, doi = {10.1145/3546096.3546102} }
- Poster: Ensemble Learning for Industrial Intrusion Detection
  Dominik Kus, Konrad Wolsing, Jan Pennekamp, Eric Wagner, Martin Henze, and Klaus Wehrle
  Poster Session at the 38th Annual Computer Security Applications Conference (ACSAC), 2022
Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in the literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept’s feasibility with initial results of various methods to combine detectors.
@misc{kus2022ensemble, author = {Kus, Dominik and Wolsing, Konrad and Pennekamp, Jan and Wagner, Eric and Henze, Martin and Wehrle, Klaus}, title = {{Poster: Ensemble Learning for Industrial Intrusion Detection}}, year = {2022}, howpublished = {Poster Session at the 38th Annual Computer Security Applications Conference (ACSAC)}, doi = {10.18154/RWTH-2022-10809} }
2021
- Collaboration is not Evil: A Systematic Look at Security Research for Industrial Use
  Jan Pennekamp, Erik Buchholz, Markus Dahlmanns, Ike Kunze, Stefan Braun, Eric Wagner, and 3 more authors
  In Proceedings of the Workshop on Learning from Authoritative Security Experiment Results (LASER’21), 2021
Following the recent Internet of Things-induced trends on digitization in general, industrial applications will further evolve as well. With a focus on the domains of manufacturing and production, the Internet of Production pursues the vision of a digitized, globally interconnected, yet secure environment by establishing a distributed knowledge base. Background. As part of our collaborative research of advancing the scope of industrial applications through cybersecurity and privacy, we identified a set of common challenges and pitfalls that surface in such applied interdisciplinary collaborations. Aim. Our goal with this paper is to support researchers in the emerging field of cybersecurity in industrial settings by formalizing our experiences as reference for other research efforts, in industry and academia alike. Method. Based on our experience, we derived a process cycle of performing such interdisciplinary research, from the initial idea to the eventual dissemination and paper writing. This presented methodology strives to successfully bootstrap further research and to encourage further work in this emerging area. Results. Apart from our newly proposed process cycle, we report on our experiences and conduct a case study applying this methodology, raising awareness for challenges in cybersecurity research for industrial applications. We further detail the interplay between our process cycle and the data lifecycle in applied research data management. Finally, we augment our discussion with an industrial as well as an academic view on this research area and highlight that both areas still have to overcome significant challenges to sustainably and securely advance industrial applications. Conclusions. With our proposed process cycle for interdisciplinary research in the intersection of cybersecurity and industrial application, we provide a foundation for further research. We look forward to promising research initiatives, projects, and directions that emerge based on our methodological work.
@inproceedings{pennekamp2021collaboration, title = {{Collaboration is not Evil: A Systematic Look at Security Research for Industrial Use}}, author = {Pennekamp, Jan and Buchholz, Erik and Dahlmanns, Markus and Kunze, Ike and Braun, Stefan and Wagner, Eric and Brockmann, Matthias and Wehrle, Klaus and Henze, Martin}, year = {2021}, booktitle = {{Proceedings of the Workshop on Learning from Authoritative Security Experiment Results (LASER'21)}}, doi = {10.14722/laser-acsac.2020.23088} }
2020
- QWIN: Facilitating QoS in Wireless Industrial Networks Through Cooperation
  Martin Serror, Eric Wagner, René Glebke, and Klaus Wehrle
  In Proceedings of the IFIP/IEEE Networking Conference (NETWORKING’20), 2020
For successfully establishing wireless communication in industrial environments, new approaches supporting the stringent requirements of industrial machine-to-machine communication are needed. Thereby, the main challenge is that different applications with distinct requirements compete against each other on the same wireless communication medium. Then again, an essential property of industrial scenarios is that the participating stations typically collaboratively work toward a common goal. In this paper, we thus investigate QWIN, a novel approach that leverages this cooperative nature by enabling the stations to share the scarce transmission resources. The stations hence offload their priority queues into the network and share them according to the quality-of-service requirements imposed by the overlying industrial applications. We implemented the cooperation mechanisms on prototypical hardware and evaluated them in a real-world testbed and by simulations. The evaluation reveals that our distributed decision approach effectively ensures that higher priority messages are conveyed more reliably within 1ms, without reducing the reliability of lower priority messages.
@inproceedings{serror2020qwin, title = {{QWIN: Facilitating QoS in Wireless Industrial Networks Through Cooperation}}, author = {Serror, Martin and Wagner, Eric and Glebke, René and Wehrle, Klaus}, year = {2020}, booktitle = {Proceedings of the IFIP/IEEE Networking Conference~(NETWORKING'20)} }
- Poster: Facilitating Protocol-independent Industrial Intrusion Detection Systems
  Konrad Wolsing, Eric Wagner, and Martin Henze
  In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS’20), 2020
Cyber-physical systems are increasingly threatened by sophisticated attackers, also attacking the physical aspect of systems. Supplementing protective measures, industrial intrusion detection systems promise to detect such attacks. However, due to industrial protocol diversity and lack of standard interfaces, great efforts are required to adapt these technologies to a large number of different protocols. To address this issue, we identify existing universally applicable intrusion detection approaches and propose a transcription for industrial protocols to realize protocol-independent semantic intrusion detection on top of different industrial protocols.
@inproceedings{wolsing2020facilitating, title = {{Poster: Facilitating Protocol-independent Industrial Intrusion Detection Systems}}, author = {Wolsing, Konrad and Wagner, Eric and Henze, Martin}, year = {2020}, booktitle = {Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security~(CCS'20)}, doi = {10.1145/3372297.3420019} }
2019
- Dispute Resolution for Smart Contract-based Two-Party Protocols
  Eric Wagner, Achim Völker, Frederik Fuhrmann, Roman Matzutt, and Klaus Wehrle
  In Proceedings of the 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC’19), 2019
Blockchain systems promise to mediate interactions of mutually distrusting parties without a trusted third party. However, protocols with full smart contract-based security are either limited in functionality or complex, with high costs for secured interactions. This observation leads to the development of protocol-specific schemes to avoid costly dispute resolution in case all participants remain honest. In this paper, we introduce SmartJudge, an extensible generalization of this trend for smart contract-based two-party protocols. SmartJudge relies on a protocol-independent mediator smart contract that moderates two-party interactions and only consults protocol-specific verifier smart contracts in case of a dispute. This way, SmartJudge avoids verification costs in the absence of disputes and sustains interaction confidentiality among honest parties. We implement verifier smart contracts for cross-blockchain trades and exchanging digital goods and show that SmartJudge can reduce costs by 46-50% and 22% over the current state of the art, respectively.
@inproceedings{wagner2019smartjudge, title = {{Dispute Resolution for Smart Contract-based Two-Party Protocols}}, author = {Wagner, Eric and Völker, Achim and Fuhrmann, Frederik and Matzutt, Roman and Wehrle, Klaus}, year = {2019}, booktitle = {{Proceedings of the 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC'19)}}, doi = {10.1109/BLOC.2019.8751312} }
2018
- Secure Low Latency Communication for Constrained Industrial IoT Scenarios
  Jens Hiller, Martin Henze, Martin Serror, Eric Wagner, Jan Niklas Richter, and Klaus Wehrle
  In Proceedings of the 42nd IEEE Conference on Local Computer Networks (LCN’18), 2018
The emerging Internet of Things (IoT) promises value-added services for private and business applications. However, especially the industrial IoT often faces tough communication latency boundaries, e.g., to react to production errors, realize human-robot interaction, or counter fluctuations in smart grids. Simultaneously, devices must apply security measures such as encryption and integrity protection to guard business secrets and prevent sabotage. As security processing requires significant time, the goals of secure communication and low latency contradict each other. Especially on constrained IoT devices, which are equipped with cheap, low-power processors, the overhead for security processing aggregates to a primary source of latency. We show that antedated encryption and data authentication with templates enable IoT devices to meet both security and low-latency requirements. These mechanisms offload significant security processing to a preprocessing phase and thus decrease latency during actual transmission by up to 75.9 %. At the same time, they work with well-established, security-proven standard ciphers.
@inproceedings{hiller2018secure, title = {{Secure Low Latency Communication for Constrained Industrial IoT Scenarios}}, author = {Hiller, Jens and Henze, Martin and Serror, Martin and Wagner, Eric and Richter, Jan Niklas and Wehrle, Klaus}, year = {2018}, booktitle = {Proceedings of the 42nd IEEE Conference on Local Computer Networks~(LCN'18)}, doi = {10.1109/LCN.2018.8638027} }