1 Introduction

The landscape of cyber threats continues to evolve, characterized by increasingly complex and sophisticated attacks, and the nature of cyber warfare has transformed it [15]. The continual increase in the diversity of these threats on one hand, and the interconnectedness of critical systems on the other, amplify risks each year. As a result, cyber defenders face new challenges. This challenge is particularly exacerbated in the case of APT attacks, which are stealthily maintained within a defender’s network and are difficult to detect, as they often operate within resources trusted by the defender [7, 21]. APT campaigns have become more complex, deploying novel strategies to target critical systems, especially the OT components of Cyber-Physical Systems (CPSs) within critical infrastructures [6]. This shift necessitates a proactive approach to cybersecurity, one that anticipates potential unknowns and novel attack vectors rather than merely reacting to known threats.

The escalating complexity of cyber attacks underscores the need to understand and preemptively address these “unknowns” within system defenses. This is especially crucial in the context of CPS, where the integration of IT and OT poses unique challenges. The different priorities and mindsets between IT and OT operators often lead to delayed recognition of cyber attacks within OT environments, as system errors or anomalies are not immediately perceived as security threats [1]. Such gaps in perception and response can inadvertently create vulnerabilities ripe for exploitation by malicious actors.

In the digital realm, deception is a commonly employed tactic by malicious actors, used to manipulate and exploit legitimate users for personal gain [9]. Techniques like phishing and social engineering are often leveraged to direct users’ attention and induce specific actions [15]. While cyber defense research has explored the use of deception for developing early-warning systems and sophisticated security monitoring tools, such as honeypots, recent years have seen a marked increase in the complexity of cyber attacks.

This paper proposes a shift in perspective by considering the application of social engineering principles within the system’s operational domain. We introduce “Attention Diversion” as a novel strategy employed by attackers once they have infiltrated a system. This technique involves inducing errors and/or anomalies that mimic routine system glitches, obscuring the true nature of the attack and misleading operators into believing they are facing conventional system failures. By manipulating the focus and response of operational personnel, attackers can allow their real cyber attack to proceed undetected and unmitigated. This approach has been observed in several sophisticated attacks on critical infrastructures, particularly in the energy domain [12].

Our research aims to illuminate this subtle yet effective form of cyber manipulation, exploring its mechanics and implications. We conducted a case study using a hardware-in-the-loop digital substation testbed to investigate the attention diversion technique. Our main contributions are the following:

  • We examine the strategic application of deception techniques in cyber attacks, focusing on how attackers can effectively use these methods within Cyber-Physical Systems.

  • We introduce and define Attention Diversion as a novel tactic used by cyber attackers to mislead and manipulate the actions of system operators.

  • We propose a conceptual framework for the application of Attention Diversion, distinguishing between Atomic Deception Techniques for specific attack stages and a broader Cover Story for the overall attack strategy.

  • We illustrate the application of the proposed method using a realistic hardware-in-the-loop digital substation enclave testbed.

The remainder of the paper is organized as follows: Sect. 2 provides background and reviews related work. Section 3 delves into the concept of deception from the attacker’s perspective, using the cyber kill chain to explain attention diversion. Section 4 presents our case study. We conclude the paper and highlight future research directions in Sect. 5.

2 Background and Related Work

According to the Stanford Encyclopedia of Philosophy [14], a traditional definition of deception is “to intentionally cause to have a false belief that is known or believed to be false”. Following this definition, in psychology, deception is understood as an intentional act to hide, fabricate, or alter both factual and emotional information to foster or uphold beliefs in others that the deceiver knows to be untrue [16]. In the digital world, deception is a recognized method employed by malicious actors to manipulate legitimate users for their own advantage. Typically, attackers utilize cyber deception to mask their reconnaissance activities and stealthily infiltrate systems, all while avoiding detection by watchful defenders [15]. Malicious deception plays a pivotal role in a variety of cyber attacks, including phishing, APTs, man-in-the-middle attacks, and the implementation of Sybil nodes in social networks [17]. Nevertheless, our review of recent academic literature indicates that there is a significant emphasis on defensive deception tactics, while the exploration of how attackers might employ deception techniques in their operations has not been extensively investigated.

Amoroso [4] introduced deception as a means to protect against sophisticated attacks that exceed the capabilities of traditional security methods. This involves strategically embedding a layer of cleverly designed trap functionality or misinformation into both internal and external interfaces of national infrastructure to mislead adversaries.

NIST 800-160 [18] refers to the deception technique as one of the 14 techniques of cyber resiliency and names: (1) obfuscation, (2) disinformation, (3) misdirection, and (4) tainting as the approaches for realizing it.

Seo et al. [20] summarized defensive cyber deception technology into: (1) moving target defense (MTD), (2) Honey-X (honeypots, honeynets, honeytokens, etc.), and (3) Decoy.

Heckman et al. [10] proposed a “deception chain” for the design, preparation, and implementation of cyber disruption and denial (Cyber-D&D) activities and integrated these methods into both an intrusion campaign and a defensive deception campaign. The author in [4] emphasized that deception in security is effective when it accomplishes any or all of the following objectives:

  1. Attention: Diverting an adversary’s focus from real assets to bogus ones.

  2. Energy: Draining an adversary’s valuable time and resources on false targets.

  3. Uncertainty: Generating doubt about the legitimacy of a detected vulnerability.

  4. Analysis: Establishing a foundation for real-time analysis of an adversary’s actions.

Likewise, incorporating any of these elements into an attack strategy can enhance the likelihood of a successful attack, a detail that has been neglected in the portrayal of the cyber kill chain when explaining attack steps.

NIST 800-160 [18] named “deception” as one of the attack vectors that might be used in conducting APT attacks. However, it limits deception to only one of the 14 techniques of cyber resiliency, and defines it as enabling defenders to mislead, confuse, hide critical assets from, or expose covertly tainted assets to the adversaries. It is explained that the deception technique can be realized through four different approaches, namely: Obfuscation, Disinformation, Misdirection, and Tainting. Table 1 summarizes these approaches. NIST 800-160 also noted that the deception technique can cause adversaries to waste effort.

Table 1. Deception technique [18]

Heckman et al. [10] identified three common objectives in all forms of deception: firstly, to alter an adversary’s perceptions and beliefs; secondly, to prompt action or inaction based on these changes; and finally, to benefit the deceiver, in any way, from the adversary’s responses (action or inaction). Note that the critical aspect of deception planning is not merely influencing adversary beliefs, but cleverly affecting and directing the adversary towards a desired action. The authors proposed an eight-step deception chain from the defensive Cyber-D&D operation perspective that includes planning, preparing, and executing phases.

Pawlick et al. [17] highlighted that many modern attacks involve APTs. These attacks are hidden, ongoing operations that use social engineering and deception to enable attackers to gain internal access to networked systems. Nonetheless, it is essential to understand that the use of deception is not limited to just infiltrating a system. It can also be employed as a strategy to continue deceiving operators once attackers have already established a foothold inside the system. A prime illustration of this tactic is the Stuxnet attack, where deception was effectively used to misguide system operators [10].

While the concept of deception has been widely studied for defensive purposes in cybersecurity, there is a noticeable lack of in-depth research into how attackers might leverage deception. Addressing this gap could significantly enhance security training and awareness. The idea of using deception to mislead during cyber attacks, particularly in sophisticated scenarios such as APT attacks on critical infrastructure, and influencing the decisions of system operators, is what we term “Attention Diversion” in this paper, inspired by the definitions available in [4, 18]. The concept of attention diversion, as outlined here, is an essential yet under-explored area of study. Our analysis in this paper highlights that attention diversion, in the context we define, is still a largely undiscovered approach, with few existing research works delving into it.

3 Methodology and Concept

As discussed in Sect. 1, this paper investigates deception as a potential vector for attacks, particularly complex ones. Attackers might employ deception either as a supplementary technique or as the primary method to achieve their objectives. Human perception, fundamentally influenced by sensory information from the environment, plays a critical role in this context. Deception involves manipulating this sensory information to create false beliefs, which can trigger various biases in the deceived, affecting their decision-making, beliefs, and behavior [11, 19]. These biases are categorized as follows [9]:

  • Personal Biases: Originating from individual experiences, education, and traits.

  • Cultural Biases: Stemming from societal beliefs, morals, and practices.

  • Organizational Biases: Influencing perceptions and decisions within structured environments.

  • Cognitive Biases: Inherent in our process of perceiving and processing information.

Principles such as truth, denial, deceit, misdirection, and confusion, particularly misdirection and confusion, are central to deception in cybersecurity and can be used to reinforce organizational biases to serve adversaries’ purposes [3, 5]. Additionally, there are ten distinct hypotheses (maxims) relevant for deception and surprise:

  1. Magruder’s principles.

  2. Limitations of human information processing.

  3. Multiple forms of surprise (cry-wolf syndrome).

  4. Jones’ lemma.

  5. A choice among A-type and M-type deception.

  6. Axelrod’s contribution.

  7. A sequencing rule.

  8. The importance of feedback.

  9. The Monkey’s Paw.

  10. Care in the designed and planned placement of deceptive material.

Despite the complexities of adversarial relationships and engineering systems, deceptive interactions can be simplified into a basic schema, as shown in Fig. 1. Considering the factors previously outlined, alongside the principles of deception and the four elements highlighted in [4], we herein define “Attention Diversion” as a strategic approach to deception from the adversary’s perspective. Attention diversion aims to captivate the attention and exhaust the energy of system operators or defenders, thereby increasing the probability of a successful attack. This strategy aligns with organizational biases and is designed in line with the established maxims for successful deception. By manipulating perceptions and leveraging biases, adversaries can effectively guide the actions and responses of their targets, thereby achieving their deceptive goals.

3.1 Definition of Attention Diversion in Cybersecurity

Attention Diversion from the adversary’s perspective in cybersecurity is a strategic approach where the adversary aims to mislead or distract targets, including system operators, security teams, or users, from the actual cyber threat or malicious activity. The main goals of attention diversion are to prolong the undetected status of the actual attack, particularly in APT attacks, to complicate the defense and investigation processes, and to exhaust the target’s resources, thereby weakening their ability to respond effectively.

Fig. 1. Strategic deceptive flow [9].

3.2 Techniques of Attention Diversion

To apply the concept of attention diversion, adversaries may attempt to create minor security incidents, generate false security alerts, or induce system errors that appear innocuous. The intent is to divert focus from the adversary’s true actions. This can be achieved through dual approaches: (1) Silent manipulation and/or (2) Overt Distraction.

  1. Silent Manipulation involves tactics like the injection of misleading data or the creation of minor anomalies that mimic routine system issues. It is designed to subtly shift the attention of security personnel, allowing the main attack to remain undetected for a longer duration. Here the attackers utilize attention diversion to reach their goal while trying to make as little noise as possible.

  2. Overt Distraction can be used for immediate diversion needs, when more noticeable methods, such as DDoS attacks, are acceptable. These tactics serve to draw attention and resources towards a significant, immediate issue while simultaneously masking the real attack. This approach is particularly effective when rapid action is needed or when an attack risks being exposed.

Depending on the attack scenario and needs, attackers can choose to apply one of these approaches. It should be highlighted that the ultimate goal here is to achieve the main objective of the attack, even if it requires the use of overt distraction, which can be noisy. Based on our study of previous attacks, we have identified some techniques that might be used by adversaries for attention diversion, as follows:

  • Needle in the haystack.

  • Sending messages to interrupt communication. When the communication is reestablished (e.g., TCP connection rebuild or other protocol-level connection rebuild), the attacker can use this time to attack.

  • Sending error messages (pretending device failure) on behalf of the target device, e.g., to conceal other offensive actions.

  • Disabling necessary functions (e.g., PTP time synchronization) that divert the attention of the operator.

We will elaborate more on these techniques in Sect. 4.

3.3 Conceptual Framework

In light of the literature review and our previous hands-on attacks conducted on digital substations [2, 8], we observe that attention diversion can be utilized by attackers in two distinct yet complementary approaches, namely the “Atomic Deception Technique (ADT)” and the “Cover Story”. Figure 2 shows how these two approaches align with the cyber kill chain, a conventional representation of the different steps of a cyber attack [22].

The ADT approach refers to the case where adversaries apply attention diversion techniques at each individual step of an attack, such as reconnaissance or exploitation, tailoring the technique to the specific stage of the cyber kill chain. The Cover Story, by contrast, represents a broader strategy that adversaries follow throughout all steps of an attack, covering the entire cyber kill chain. This cover story serves as a comprehensive roadmap designed by adversaries to mislead defenders throughout the attack life-cycle.

Fig. 2. Integration of Deception Life-cycle with the Cyber Kill Chain.

Considering the specific requirements of the main attack, attackers may leverage either one or both approaches. This decision relies on the purpose of applying attention diversion. To this end, attackers define the primary objective of applying attention diversion and gather information related to the target system. This information includes understanding vulnerabilities, predicting potential reactions of the defenders, and identifying any biases that could be exploited later to plan and develop techniques of attention diversion. Based on the defined purpose and collected information, attackers then select the appropriate attention diversion approach. The attackers can primarily leverage each approach to fulfill their objectives as follows:

I) Applying Atomic Deception Techniques: This option is selected when the objective is to enhance specific stages of the attack with attention diversion. It is particularly useful when deception is needed to enable or augment the impact of certain attack steps.

II) Creating a Cover Story: Attackers consider creating a cover story when a more comprehensive and holistic deception strategy is required to successfully achieve their goal. This approach is appropriate for scenarios where obscuring the entire attack sequence is necessary to achieve the attack objectives.

These approaches illustrate the versatility and strategic depth of deception in cybersecurity. Section 4 details these concepts through a hands-on attack conducted in a hardware-in-the-loop digital substation testbed to observe and evaluate the applicability of the proposed attention diversion.

4 Case Study

In this case study, we leverage the digital substation (DS) Enclave testbed [13], depicted in Fig. 3, to conduct a cyber attack targeting the IEC 61850 and IEC 60870-104 protocols as explained in [2, 8]. The primary objective is to analyze and demonstrate how the integration of attention diversion can potentially enhance the outcomes of these attacks. Note that this section does not delve into the detailed aspects of the attacks, as those are thoroughly covered in our previous works [2, 8]. The emphasis of this study is on examining whether the integration of attention diversion strategies could enhance the effectiveness of these attacks, on showing why the possibility of deception in the lower layers of the OT part of CPSs must be considered, and on increasing awareness amongst operators and system owners.

Fig. 3. Digital substation enclave testbed.

4.1 Digital Station (DS) Enclave Testbed

Figure 3 depicts a digital substation consisting of two primary components: the station bus (yellow block) and the process bus (red block). The station bus connects all bays with the supervisory level, while the process bus links Intelligent Electronic Devices (IEDs) within a bay for real-time measurements. Key elements in the digital substation include digital station equipment, a control center machine, and engineering workstations for operations and configurations. In this testbed, Siemens has provided the digital station equipment, designed for high-voltage substations, with the SICAM A8000 CP-8050 serving as a dual-role gateway. This gateway manages the interface between the substation and the dispatch center, performing protocol conversion from IEC 61850-8-1 (MMS) to IEC 60870-5-104 and acting as a network isolation mechanism.

For precise time synchronization, the substation uses Ruggedcom RSG2488 and Meinberg M1000 time servers with GPS time sources, configured for PTP compliance with the Power Utility Profile. The station and process bus network switches are interconnected for synchronization. IECTest simulates the operation control center (dispatch center), communicating with the SICAM A8000 CP-8050 gateway. The Siemens DS enclave components are updated to the latest versions, and the testbed includes several Industrial Control System (ICS) Intrusion Detection Systems (IDSs) from various vendors.

4.2 Constructing the Cover Story

The cover story is constructed based on the principle that OT personnel in critical infrastructures are more inclined to attribute system irregularities to technical glitches rather than cyber attacks, a concept rooted in organizational biases [9]. This belief forms the foundation of our deception strategy. According to [10] and aligned with Magruder’s principles, the most effective deceptions build upon preexisting beliefs. Thus, the cover story is designed to reinforce the notion that the observed network anomalies are mere system glitches, diverting attention from the actual cyber attack.

4.3 Summary of the Cover Story

The attackers initiate their operation with a phase of reconnaissance, aiming to collect information about the target network. Passive reconnaissance techniques enable them to eavesdrop on network communications, identifying key patterns and configurations such as ASDU and IOA addresses. They then transition to active reconnaissance, pinpointing the locations of gateway devices, the controlling station, and the network gateway through port scanning.

Following reconnaissance, the attackers employ deceptive techniques, deliberately creating disruptions that appear as harmless technical irregularities. This strategy diverts the attention of operators and engineers toward resolving these perceived network issues. Initially, step 4 is designed to subtly imitate common network problems, leading operators to believe they are facing regular technical difficulties.

As the network environment becomes flooded with apparent technical issues, the attackers shift their focus to manipulate the Precision Time Protocol (PTP). They subtly alter PTP settings to disrupt real clock sources, causing IEDs to rely on internal clocks and to flag missing time synchronization. Up to this point, the attackers have followed a silent manipulation approach, using attention diversion to conceal their activities targeting PTP. At Step 7, the attackers achieve their goal, and it is observed that their cover story effectively helps them conceal their manipulation. However, once the PTP attack is executed, operators may begin to understand what has happened. At this stage, the attackers can transition from silent manipulation to overt distraction, prolonging the time needed to detect the PTP attack. To further conceal their activities and divert attention from these alterations, the attackers execute DDoS attacks in Step 8. These attacks exacerbate network chaos, complicating the operators’ ability to identify the source of disruptions.

The DDoS plan serves a dual purpose in this context. Primarily, it adds a layer of chaos and confusion within the network, hindering operators’ ability to pinpoint the root cause of disruptions. Secondarily, the DDoS attacks provide the attackers with the necessary time to precisely manipulate PTP settings, introducing timing inconsistencies among IEDs. This combination of tactics not only delays detection, but also complicates the attribution of network anomalies to malicious origins. It provides a window of opportunity for attackers to move to the second stage in the kill chain and to execute an ICS attack, as described in Step 9 of the attack steps outlined below.

Based on comparisons between the results of this attack, which utilized attention diversion, and our previous work [2], we found that the former could significantly impact operators’ reactions.

4.4 Attack Steps

In the following we summarize the attack steps.

Step 1 - Initial Reconnaissance:

  • Attack Type: Passive Reconnaissance.

  • Attack Aim/Action: Gathering information about the IEC 60870-5-104 network

  • Attack Technique: Promiscuous mode listening and information gathering.

  • Outcome: Successful reconnaissance with no trace.

Step 2 - Identifying Device Types

  • Attack Type: Passive Reconnaissance.

  • Attack Aim/Action: Identifying device types and characteristics (see Fig. 4 showing the result of the reconnaissance, including which switch leg is in use).

  • Attack Technique: Gateway fingerprinting - MAC address grabbing.

  • Outcome: Partially successful reconnaissance, identifying manufacturer information.

Step 3 - Network Discovery

  • Attack Type: Active Reconnaissance.

  • Attack Aim/Action: Finding Gateway devices, controlling station, and the interface to the protected network.

  • Attack Technique: Port scanning the subnet for open TCP port 2404.

  • Outcome: Successful reconnaissance, discovering key network components (see Fig. 5).

Step 4 - Distraction through Operation Failure:

  • Attack Type: Operation failure.

  • Attack Aim/Action: Sending wrong measurement values, attempting to propagate errors, and sending error messages.

  • Attack Technique: Sending wrong data on behalf of the Gateway using packet injection and sending error messages.

  • Outcome: Successful operation failure, leading to communication disruption and diverting attention.

Step 5 - Precision Time Protocol (PTP) Setup:

  • Attack Type: Initial Reconnaissance.

  • Attack Aim/Action: Collecting information regarding clock sources (Meinberg and Siemens).

  • Attack Technique: Passive reconnaissance.

  • Outcome: Attacker obtains information necessary for the later PTP manipulation.

Step 6 - PTP Master Clock Emulation:

Fig. 4. Passive reconnaissance.

  • Attack Type: Attacker takes over as the master clock.

  • Attack Aim/Action: Manipulating the PTP to become the master clock on the network.

  • Attack Technique: Rogue master clock emulation.

  • Outcome: Multiple clocks in the network (more than what is configured in the network).

Step 7 - PTP Manipulation:

  • Attack Type: Attacker maintains status with the master clock emulation.

  • Attacker Aim/Action: Repeating the master clock emulation message every second.

  • Attack Technique: Rogue master clock emulation with broadcast messages.

  • Outcome: Real clock sources stop working, no PTP time synchronization in the network, IEDs start using their internal clock and flagging missing time synchronization on Sample Value Messages (SVMs).
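The outcome of Steps 6 and 7 (more announcing clocks in the network than were configured, and the real sources no longer selected) is exactly what a defender-side PTP audit should be watching for. The Python below is an added example, not code from the paper or from the testbed: it compares decoded PTP Announce records against a configured grandmaster list, reports an identity that was never configured and a domain carrying more clocks than expected, and applies a simplified best-master comparison so the operator can see whether the unknown clock would actually be selected rather than merely be present. The Announce field names, the configured identities and the sample capture are assumptions constructed for this example.

```python
"""Defensive PTP grandmaster audit (added example, not code from the paper or
its testbed).

Input: simplified records of decoded PTP Announce messages, the kind a passive
monitor on the station/process bus could log. Field names, the configured
grandmaster list and every sample value are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Announce:
    t: float            # capture time, seconds since start of the capture
    domain: int         # PTP domain number carried in the message
    clock_id: str       # clockIdentity of the announcing clock (hex, EUI-64 style)
    priority1: int      # lower value wins in the best master clock algorithm
    clock_class: int    # lower value means a better clock (6 = locked to GPS)


# Constructed baseline: clocks the engineer configured as grandmaster-capable,
# per PTP domain. Hypothetical identities, not the testbed's real ones.
CONFIGURED = {0: {"a0b1c2fffe000001", "a0b1c2fffe000002"}}

# Constructed capture: the two configured clocks announce once a second, then
# a third identity with a better (lower) priority1 appears and keeps announcing.
SAMPLE = [
    Announce(0.0, 0, "a0b1c2fffe000001", 128, 6),
    Announce(0.0, 0, "a0b1c2fffe000002", 128, 6),
    Announce(1.0, 0, "a0b1c2fffe000001", 128, 6),
    Announce(1.0, 0, "a0b1c2fffe000002", 128, 6),
    Announce(2.0, 0, "deadbeeffffe0099", 1, 6),
    Announce(2.0, 0, "a0b1c2fffe000001", 128, 6),
    Announce(3.0, 0, "deadbeeffffe0099", 1, 6),
    Announce(4.0, 0, "deadbeeffffe0099", 1, 6),
]


def audit_announces(records, configured=CONFIGURED):
    """Return (time, domain, clock_id, reason) alerts, in capture order.

    Two checks against the configured baseline:
      unknown-clock    an Announce from an identity not configured for the
                       domain (reported once per identity)
      too-many-clocks  more distinct announcing identities in a domain than
                       were configured (reported once per domain)
    """
    alerts = []
    seen = defaultdict(set)
    flagged_unknown, flagged_excess = set(), set()
    for r in sorted(records, key=lambda a: a.t):   # stable sort keeps message order
        allowed = configured.get(r.domain, set())
        seen[r.domain].add(r.clock_id)
        if r.clock_id not in allowed and (r.domain, r.clock_id) not in flagged_unknown:
            flagged_unknown.add((r.domain, r.clock_id))
            alerts.append((r.t, r.domain, r.clock_id,
                           f"unknown-clock priority1={r.priority1}"))
        if len(seen[r.domain]) > len(allowed) and r.domain not in flagged_excess:
            flagged_excess.add(r.domain)
            alerts.append((r.t, r.domain, r.clock_id,
                           f"too-many-clocks {len(seen[r.domain])}>{len(allowed)}"))
    return alerts


def best_clock(records, domain):
    """Identity that a simplified best-master comparison would pick for the
    domain: lowest priority1, then lowest clockClass, then lowest identity as
    tie-break (the full algorithm compares more fields). Uses each clock's most
    recent Announce, so the operator sees whether an unknown clock would win."""
    latest = {}
    for r in sorted(records, key=lambda a: a.t):
        if r.domain == domain:
            latest[r.clock_id] = r
    if not latest:
        return None
    return min(latest.values(),
               key=lambda r: (r.priority1, r.clock_class, r.clock_id)).clock_id


if __name__ == "__main__":
    for alert in audit_announces(SAMPLE):
        print(alert)
    print("selected grandmaster:", best_clock(SAMPLE, 0))
```

The audit deliberately raises both findings on the first message from the new identity, because a time-sync change is worth an immediate operator notice regardless of how the IEDs later flag it on their Sample Value messages; a real deployment would feed the same records from a switch mirror port or an ICS IDS rather than from an inline list.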

Step 8 - DDoS:

Fig. 5. Discovery of the equipment communicating on the network.

  • Attack Type: DDoS.

  • Attacker Aim/Action: Attention diversion by (1) disabling communication between the Gateway and the control center, (2) ARP poisoning, and (3) disabling Gateway accessibility.

  • Attack Technique: ASDU RESET flood with packet injection, control center source IP spoofing, ARP poisoning without packet forwarding, and TCP-level SYN flood of the Gateway.

  • Outcome: TCP connection reset, a large amount of fake ARP replies, and an excessive amount of SYN packets towards the Gateway (see Figs. 6, 7, and 8).

Fig. 6. DoS attack with spoofed reset commands using packet injection to disable communication between the Gateway and the control center.

Fig. 7. DoS attack with ARP poisoning.

Fig. 8. DoS attack with SYN flood to disable the Gateway accessibility.
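The techniques listed in Sect. 3.2 and the cover story of Sects. 4.3 and Steps 4 to 8 share one lesson for defenders: an event that looks like a glitch should not be triaged in isolation when a time-synchronization change lands in the same window. The Python below is an added example, not a tool from the paper or the testbed. It classifies a constructed event timeline into maintenance, review and security findings by correlating glitch-like events (connection resets, bad measurements, device error messages, ARP and SYN bursts) with PTP state changes; the event names, the window, the threshold and all sample records are assumptions of this example.

```python
"""Correlating glitch-like events with time-synchronization changes (added
example, not code from the paper or its testbed).

The cover story relies on a communication drop, an ARP storm or a bad
measurement being filed as a maintenance problem. This detector does the
opposite: a burst of such events becomes a security finding when a PTP state
change lands inside the same time window. Event names, window, threshold and
all sample records are constructed for this example.
"""
from dataclasses import dataclass

# Constructed event vocabulary: what an operator would normally call "noise",
# and what a PTP monitor or the IEDs themselves report about time sync.
NUISANCE = {"iec104_conn_reset", "bad_measurement", "device_error_msg",
            "arp_reply_burst", "tcp_syn_burst"}
TIMESYNC = {"ptp_grandmaster_change", "ied_sync_lost"}


@dataclass(frozen=True)
class Event:
    t: float     # seconds since the start of the constructed capture
    kind: str    # one of NUISANCE or TIMESYNC
    src: str     # reporting device or sensor


# Constructed timeline loosely following the case-study steps.
SAMPLE = [
    Event(10.0, "iec104_conn_reset", "gateway"),          # ordinary day-to-day drop
    Event(600.0, "bad_measurement", "gateway"),           # Step 4: injected values
    Event(605.0, "device_error_msg", "gateway"),          # Step 4: error messages
    Event(612.0, "iec104_conn_reset", "gateway"),         # Step 4: disruption
    Event(640.0, "ptp_grandmaster_change", "ptp-monitor"),  # Steps 6/7
    Event(655.0, "ied_sync_lost", "ied-bay1"),            # Step 7 outcome
    Event(660.0, "arp_reply_burst", "switch"),            # Step 8: overt distraction
    Event(662.0, "tcp_syn_burst", "gateway"),             # Step 8: overt distraction
]


def _group_by_gap(evs, gap):
    """Split time-sorted events into groups separated by more than `gap` seconds."""
    groups = []
    for e in evs:
        if groups and e.t - groups[-1][-1].t <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return [(sorted({e.kind for e in g}), g[0].t, g[-1].t) for g in groups]


def correlate(events, window=60.0, min_nuisance=3):
    """Return findings sorted by start time, each a dict with keys
    severity, start, end, timesync, nuisance.

    For every time-sync event, collect nuisance events within +/- window.
    With at least min_nuisance of them the result is a 'security' finding that
    names both sides; otherwise the time-sync event alone is a 'review'
    finding. Nuisance events not near any time-sync event are grouped by gaps
    larger than window into 'maintenance' findings.
    """
    evs = sorted(events, key=lambda e: e.t)
    findings, claimed = [], set()
    for ts in (e for e in evs if e.kind in TIMESYNC):
        near = [e for e in evs if e.kind in NUISANCE and abs(e.t - ts.t) <= window]
        span = near + [ts]
        severity = "security" if len(near) >= min_nuisance else "review"
        if severity == "security":
            claimed.update(near)
        findings.append({
            "severity": severity,
            "start": min(e.t for e in span),
            "end": max(e.t for e in span),
            "timesync": ts.kind,
            "nuisance": sorted({e.kind for e in near}),
        })
    leftovers = [e for e in evs if e.kind in NUISANCE and e not in claimed]
    for kinds, start, end in _group_by_gap(leftovers, window):
        findings.append({"severity": "maintenance", "start": start, "end": end,
                         "timesync": None, "nuisance": kinds})
    return sorted(findings, key=lambda f: f["start"])


if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["severity"], f["start"], f["end"], f["timesync"], f["nuisance"])
```

The same five nuisance events without the two time-sync events collapse into two maintenance groups, which is how the cover story wants them filed; the correlation, not any single event, is what separates the two readings.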

Step 9 - ICS attack:

  • Attack Type: ICS attack.

  • Attacker Aim/Action: Attacker takes advantage of the window of opportunity to execute the actual ICS attack (stage 2 of the ICS kill chain).

  • Attack Technique: Attacker may follow different techniques depending on the attack aim.

  • Outcome: The results will vary and depend on the techniques used by the attacker. Examples of outcomes are as defined by MITRE ATT&CK for ICS: Damage to property, Denial of control, Denial of View, Loss of availability, Loss of control, Loss of productivity and revenue, Loss of protection, Loss of safety, Loss of View, Manipulation of control, Manipulation of view, and Theft of operational information.

Figure 9 illustrates the comprehensive integration of Atomic Deception Techniques and the Cover story across the various attack steps, highlighting the strategic transition from silent manipulation in the initial steps to overt distraction in the final phase. This visual representation provides a clear overview of how deceptive tactics are systematically employed throughout the different stages of the cyber attack in this case study.

Fig. 9. Illustration of Attention Diversion techniques used in the case study.

5 Conclusion and Future Work

This paper highlights a research gap in the study of complex cyber attacks, such as APTs, namely the role of deception techniques from the attacker’s perspective in the realization of these attacks. We explored how deception can influence system operators’ decisions in sophisticated attacks. We introduced the concept of Attention Diversion and discussed its role and the possibility of utilizing attention diversion in the OT part of CPSs to mislead operators. Two techniques of attention diversion, silent manipulation and overt distraction, have been explained and demonstrated in a case study. Additionally, we discussed the utilization of attention diversion in the form of Atomic Deception Techniques and a Cover Story, based on the cyber kill chain steps. We also showed how silent manipulation and overt distraction can prolong attacks and complicate defense strategies, and demonstrated this in the case study executed in a digital substation testbed.

Future work will delve deeper into the impact of deception on system operators, aiming to improve training and awareness. This is key to developing advanced cyber defense strategies and equipping defenders to counter sophisticated threats, as well as demonstrating the need for continued exploration in this crucial area of cybersecurity. This research is a step towards filling a critical research gap, emphasizing the need to understand and prepare for the use of deception in cyber attacks. Our work highlights the importance of investigating this area, which could substantially transform cybersecurity practices and defenses. In future work, we will also consider obfuscation as another deception technique from the attacker perspective, as well as attempt to propose solutions to mitigate such attack techniques.