Advertisement

Legal Issues of Deception Systems in the Industrial Control Systems

  • Pavol SokolEmail author
  • Radoslav Benko
  • Laura Rózenfeldová
Chapter
  • 269 Downloads
Part of the Studies in Systems, Decision and Control book series (SSDC, volume 255)

Abstract

Deception systems, and within them deception industrial control systems, present a newly emerging type of defence in cybersecurity, providing for the detection, analysis and defence against cyber-attacks. The deception technology focuses on the attackers, their point of view and methodology used to exploit and navigate networks to identify and exfiltrate data. The chapter discusses the nature of the deception Industrial Control Systems and the legal issues encompassed with their use. It provides the legal framework of the fundamental right to privacy and the fundamental right to personal data protection, as well as the legal framework of the liability, predominantly in the area of tort law, applicable to the use of the deception Industrial Control Systems, the provider of these systems must be aware of.

Keywords

Deception system Honeypot ICS EU law Privacy Liability 

Notes

Acknowledgements

We thank our colleagues from the Czech chapter of The Honeynet Project for their valuable inputs and comments. This paper is funded by the Slovak APVV projects under contract No. APVV-14-0598 and No. APVV- APVV-17-0561.

References

  1. 1.
    Fraunholz, D., Lipps, C., Zimmermann, M., Duque Antón, S., Mueller, J.K.M., Schotten, H.D.: Deception in information security: Legal considerations in the context of German and European law. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). pp. 259–274 (2018)Google Scholar
  2. 2.
    Rowe, N.C., Rrushi, J.: Introduction to cyberdeception. Springer International Publishing, Berlin (2016)CrossRefGoogle Scholar
  3. 3.
    Qassrawi, M.T., Hongli, Z.: Deception methodology in virtual honeypots. In: NSWCTC 2010—The 2nd International Conference on Networks Security, Wireless Communications and Trusted Computing (2010)Google Scholar
  4. 4.
    Yuill, J., Zappe, M., Denning, D., Feer, F.: Honeyfiles: deceptive files for intrusion detection. In: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop. pp. 116–122. IEEE (2004)Google Scholar
  5. 5.
    Martin Lazarov and Jeremiah Onaolapo and Gianluca Stringhini: Honey sheets: What happens to leaked google spreadsheets? In: 9th Workshop on Cyber Security Experimentation and Test (CSET) 2016. USENIX Association, Austin, TX (2016)Google Scholar
  6. 6.
    Graves, R., Stingley, M.: Honeytokens and honeypots for web ID and IH. (2015)Google Scholar
  7. 7.
    Spitzner, L.: Honeypots: Catching the insider threat. In: The 19th Annual Conference on Computer Security Application (ACSAC). pp. 304–313 (2003)Google Scholar
  8. 8.
    Krishnaveni, S., Prabakaran, S., Sivamohan, S.: A survey on honeypot and honeynet systems for intrusion detection in cloud environment. J. Comput. Theor. Nanosci. 15, 2949–2953 (2018)CrossRefGoogle Scholar
  9. 9.
    Spitzner, L.: Honeypots: tracking hackers. Reading: Addison-Wesley, Boston (2003)Google Scholar
  10. 10.
    Abbasi, F.H., Harris, R.J.: Experiences with a generation III virtual honeynet. In: 2009 Australasian Telecommunication Networks and Applications Conference, ATNAC 2009—Proceedings (2009)Google Scholar
  11. 11.
    Bercovitch, M., Renford, M., Hasson, L., Shabtai, A., Rokach, L., Elovici, Y.: HoneyGen: An automated honeytokens generator. In: Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics, ISI 2011 (2011)Google Scholar
  12. 12.
    Conpot—ICS/SCADA Honeypot, http://conpot.org/
  13. 13.
    Gridpot: Open source tools for realistic-behaving electric grid honeynets, https://github.com/sk4ld/gridpot
  14. 14.
  15. 15.
    Litchfield, S.: HoneyPhy: A physics-aware CPS honeypot framework, https://smartech.gatech.edu/handle/1853/58329, (2017)
  16. 16.
    Lau, S., Klick, J., Arndt, S., Roth, V.: POSTER: Towards Highly Interactive Honeypots for Industrial Control Systems. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. (2016).  https://doi.org/10.1145/2976749.2989063
  17. 17.
    Buza, D.I., Juhàsz, F., Miru, G., Fèlegyhàzi, M., Holczer, T.: CryPLH: Protecting smart energy systems from targeted attacks with a PLC honeypot. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (2014)Google Scholar
  18. 18.
    Pothamsetty, V., Franz, M.: SCADA HoneyNet Project: Building Honeypots for Industrial Networks, http://scadahoneynet.sourceforge.net/
  19. 19.
    Peterson, D.G.: Siemens S7 Honeynet? | Digital Bond. http://www.digitalbond.com/blog/2011/07/27/siemens-s7-honeynet/
  20. 20.
    Cao, J., Li, W., Li, J., Li, B.: DiPot: A distributed industrial honeypot system. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (2018)Google Scholar
  21. 21.
    Brent Huston: HoneyPoint Security Server ICS/SCADA Deployment Example—MSI :: State of SecurityMSI :: State of Security. https://stateofsecurity.com/honeypoint-security-server-icsscada-deployment-example/
  22. 22.
    Fraunholz, D., Anton, S.D., Lipps, C., Reti, D., Krohmer, D., Pohl, F., Tammen, M., Schotten, H.D.: Demystifying Deception Technology: A Survey. arxiv.org. (2018)Google Scholar
  23. 23.
    Warren, M.J., Hutchinson, W.: Australian hackers and ethics. Australas. J. Inf. Syst. (2015).  https://doi.org/10.3127/ajis.v10i2.163CrossRefGoogle Scholar
  24. 24.
    Spitzner, L.: The honeynet project: Trapping the hackers, (2003)Google Scholar
  25. 25.
    Mokube, I., Adams, M.: Honeypots: Concepts, Approaches, and Challenges. In: ACM-SE 45 Proceedings of the 45th annual southeast regional conference (2007)Google Scholar
  26. 26.
    Scottberg, B., Yurcik, W., Doss, D.: Internet honeypots: protection or entrapment? Presented at the (2003)Google Scholar
  27. 27.
    Dornseif, M., Gärtner, F.C., Holz, T.: Vulnerability Assessment using Honeypots. PIK—Prax. der Informationsverarbeitung und Kommun. 27, 195–201 (2007).  https://doi.org/10.1515/piko.2004.195
  28. 28.
    Sokol, P., Host, J.: Evolution of legal issues of honeynets. Studies in Systems. Decision and Control, pp. 179–200. Springer, Cham (2016)Google Scholar
  29. 29.
    Sokol, P., Míšek, J., Husák, M.: Honeypots and honeynets: issues of privacy. Eurasip J. Inf. Secur. (2017).  https://doi.org/10.1186/s13635-017-0057-4
  30. 30.
    Sokol, P., Andrejko, M.: Deploying honeypots and honeynets: Issues of liability. In: Communications in Computer and Information Science. pp. 92–101 (2015)Google Scholar
  31. 31.
    Convention n. 108 of 18. January 1981 of the Council of Europe for the protection of individuals with regard to automatic processing of personal data. (1981)Google Scholar
  32. 32.
    Additional Protocol to Convention 108 of 8. November 2001 regarding supervisory authorities and transborder data flows, ETS 181. (2001)Google Scholar
  33. 33.
    Charter of Fundamental Rights of the European Union. OJ C 202, 7.6.2016. (2016)Google Scholar
  34. 34.
    Peers, S., Hervey, T., Kenner, J., Ward, A.: The EU Charter of fundamental rights: a commentary. (2014)Google Scholar
  35. 35.
    Westin, A.F.: Privacy and freedom. Wash. Lee Law Rev. 25, 166 (1968)Google Scholar
  36. 36.
    Albers, M.: Informationelle Selbstbestimmung, Baden-Baden, 2005, zugl. Habil. (2005)Google Scholar
  37. 37.
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Da. (2016)Google Scholar
  38. 38.
    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement. (2018)Google Scholar
  39. 39.
    Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). OJ L. (2002)Google Scholar
  40. 40.
    Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive). (2002)Google Scholar
  41. 41.
    Judgment of the Court of Justice, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), C 70/10, EU:C:2011:771. (2011)Google Scholar
  42. 42.
    Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. OJ L 194, 19.7.2016, pp. 1–30Google Scholar
  43. 43.
    Glas, L.R.: European convention on human rights. Netherlands Q. Hum. Rights. 31, 505–510 (2014).  https://doi.org/10.5771/9783845258942CrossRefGoogle Scholar
  44. 44.
    Black, H.C.: A dictionary of law. Yale Law J. 1, 88 (2006).  https://doi.org/10.2307/783720CrossRefGoogle Scholar
  45. 45.
    Garner, B.A.: Black’s Law Dictionary: Shield law. (2014)Google Scholar
  46. 46.
    Koch, B.A.: The European group on tort law and its principles of European tort law. Am. J. Comp. Law. 53, 189–205 (2005)CrossRefGoogle Scholar
  47. 47.
    Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products OJ L 210, 7.8.1985, pp. 29–33. (1985)Google Scholar
  48. 48.
    Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) OJ L 178, 17.7.2000. (2000)Google Scholar
  49. 49.
    CZ.NIC—Honeypot as a Service. https://haas.nic.cz/
  50. 50.
  51. 51.
    Report with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL)). http://www.europarl.europa.eu/doceo/ document/A-8-2017-0005_EN.html
  52. 52.
    Communication from the Commission to the European parliament, the European Council, the Council, the European economic and social committee and the Committee of the regions- Artificial Intelligence for Europe (Com/2018/237 final). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2018%3A237%3AFIN
  53. 53.
    European Group on Tort Law.: http://www.egtl.org/
  54. 54.
    Spier, J., Busnelli, F.: Unification of tort law: Causation. Kluwer Law International (2000)Google Scholar
  55. 55.
    Koch, B.A.: The principles of European tort law. ERA Forum. 8, 107–124 (2007).  https://doi.org/10.1007/s12027-007-0003-xCrossRefGoogle Scholar
  56. 56.
    Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services (Text with EEA relevance) OJ L 337, 18.12.2009, pp. 37–69Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Pavol Sokol
    • 1
    Email author
  • Radoslav Benko
    • 2
  • Laura Rózenfeldová
    • 3
  1. 1.Faculty of Science Institute of Computer SciencePavol Jozef Šafárik University in KošiceKošiceSlovakia
  2. 2.Faculty of Law Institute of International Law and European LawPavol Jozef Šafárik University in KošiceKošiceSlovakia
  3. 3.Faculty of Law, Department of Commercial Law and Business LawPavol Jozef Šafárik University in KošiceKošiceSlovakia

Personalised recommendations