The Resource Usage Viewpoint of Industrial Control System Security: An Inference-Based Intrusion Detection System

Programmable logic controllers (PLCs) belong to a broader category of systems known as industrial control systems (ICS). These systems are primarily used to monitor and control manufacturing and distribution processes through equipment such as switches, pumps, or centrifuges. Because these devices run largely the same tasks throughout their lifetime, their CPU load tends to be stable and predictable over long periods of time. Our work is based on the premise that we can infer CPU load by remotely profiling the network traffic emitted by an ICS device, and then use that inference to detect potentially malicious modifications to the device's behavior. This is in stark contrast to traditional (e.g., signature- and rule-based) and even other non-traditional (e.g., power fingerprinting and backplane traffic monitoring) intrusion detection mechanisms for ICS networks, since our approach requires no signature or rule updates, no special access to ICS backplane devices, and no additional software to be installed on the ICS device. In previous work, we demonstrated that it is feasible to use network traffic and machine learning to remotely infer the typical task cycle periods (i.e., CPU load) of an ABB RTU560 (which contains a built-in PLC), even on a lightly loaded network one hop away. We now extend this capability to inferring the presence of anomalous CPU load by introducing a Stuxnet-type threat model (i.e., a state-sponsored rootkit) to showcase our prototype's detection ability, that is, its ability to discern normal baseline states from those introduced by a threat.
The main benefits of this approach are that: (1) it requires no additional software to be installed on the ICS devices in order to communicate with the monitor node; (2) the tool is low maintenance, since there are no software updates or signatures to be continuously installed on each ICS device; and (3) a single, centralized network-based monitor node exposes a smaller attack surface than host-based software on every ICS device, so the risk of its compromise is lower. Our overall prototype tool implements a graphical user interface (GUI) that can be used to monitor, and alert on, a small to medium-sized ICS network of IP-based RTUs or PLCs similar to the ABB RTU560.
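The abstract states the premise (a controller's CPU load is inferable from the timing of the traffic it emits, and a Stuxnet-type implant changes that load) but not the features or the model. The following is an added example, not code from the paper or its authors, that shows the shape of such an inference-based detector under three stated assumptions: the device emits one periodic message per task cycle, so packet inter-arrival time tracks the cycle period; hidden CPU work stretches that period and raises its jitter; and a per-window mean/standard-deviation baseline with a z-score threshold stands in for the paper's machine-learning model. All timestamps, the 100 ms cycle, the jitter pattern and the `sigma_floor` value are constructed for the example, not captured from an RTU560.

```python
"""Inference of controller CPU load from passively captured traffic timing.

Added example; it is not code from the paper or its authors. Assumptions
(none of these are stated in the abstract):
  * the device emits one periodic message per task cycle, so packet
    inter-arrival time (IAT) tracks the cycle period;
  * extra CPU work from a hidden implant stretches that period and
    increases its jitter;
  * a per-window mean/stdev baseline with a z-score threshold stands in
    for the paper's machine-learning model.
All timestamps below are constructed, not captured from a real RTU.
"""
from statistics import mean, pstdev
from typing import List, Sequence, Tuple

Feature = Tuple[float, float]  # (inferred cycle period, jitter), seconds


def inter_arrival_times(timestamps: Sequence[float]) -> List[float]:
    """Seconds between consecutive packets of the monitored periodic message."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def window_features(iats: Sequence[float], window: int) -> List[Feature]:
    """Per fixed-size window: mean IAT (cycle-period estimate) and stdev (jitter)."""
    return [
        (mean(iats[i:i + window]), pstdev(iats[i:i + window]))
        for i in range(0, len(iats) - window + 1, window)
    ]


class CycleBaseline:
    """Baseline of the inferred cycle period learned from known-good traffic."""

    def __init__(self, features: Sequence[Feature], k: float = 4.0,
                 sigma_floor: float = 1e-4) -> None:
        periods = [p for p, _ in features]
        jitters = [j for _, j in features]
        self.period_mu = mean(periods)
        self.jitter_mu = mean(jitters)
        # Floor the spread so a very regular device does not yield a baseline
        # that alarms on sub-sample timing noise (floor value is an assumption).
        self.period_sigma = max(pstdev(periods), sigma_floor)
        self.jitter_sigma = max(pstdev(jitters), sigma_floor)
        self.k = k

    def score(self, feature: Feature) -> float:
        """Largest z-score of the window's period or jitter against the baseline."""
        period, jitter = feature
        return max(abs(period - self.period_mu) / self.period_sigma,
                   (jitter - self.jitter_mu) / self.jitter_sigma)

    def is_anomalous(self, feature: Feature) -> bool:
        return self.score(feature) > self.k


def detect(timestamps: Sequence[float], baseline: CycleBaseline,
           window: int) -> List[bool]:
    """One flag per window of captured timestamps: True = load looks anomalous."""
    return [baseline.is_anomalous(f)
            for f in window_features(inter_arrival_times(timestamps), window)]


# --- constructed traffic ---------------------------------------------------
JITTER = (0.0, 0.0004, -0.0004, 0.0002, -0.0002)  # deterministic jitter, seconds
WINDOW = 10
CYCLE = 0.100  # 100 ms task cycle of the unmodified controller (constructed)


def synth_timestamps(period: float, n_packets: int, jitter_scale: float = 1.0,
                     phase: int = 0, t0: float = 0.0) -> List[float]:
    """Packet times for a device whose cycle is `period` s plus scaled jitter."""
    times, t = [t0], t0
    for i in range(n_packets - 1):
        t += period + jitter_scale * JITTER[(i + phase) % len(JITTER)]
        times.append(t)
    return times


def run_demo() -> Tuple[List[bool], List[bool], List[bool]]:
    """Train on clean traffic; score clean, implant-like and subtly stretched traffic."""
    train = synth_timestamps(CYCLE, 201)  # 200 IATs -> 20 training windows
    baseline = CycleBaseline(window_features(inter_arrival_times(train), WINDOW))

    clean = detect(synth_timestamps(CYCLE, 101, phase=3, t0=500.0), baseline, WINDOW)
    # Hidden implant steals CPU: from the 61st packet on, the cycle stretches
    # by 8 ms and jitter triples (constructed scenario).
    pre = synth_timestamps(CYCLE, 61, t0=900.0)
    post = synth_timestamps(CYCLE + 0.008, 41, jitter_scale=3.0,
                            t0=pre[-1] + CYCLE + 0.008)
    implant = detect(pre + post, baseline, WINDOW)
    # Subtle case: only a 0.6 ms stretch, jitter unchanged.
    subtle = detect(synth_timestamps(CYCLE + 0.0006, 101, t0=1300.0), baseline, WINDOW)
    return clean, implant, subtle


if __name__ == "__main__":
    for name, flags in zip(("clean", "implant", "subtle"), run_demo()):
        print(f"{name:8s} {''.join('!' if f else '.' for f in flags)}")
```

Because the constructed training traffic has no window-to-window drift, the baseline spread collapses onto `sigma_floor`, so the detection floor in this run is `k * sigma_floor` = 0.4 ms of period drift; that is why even the 0.6 ms "subtle" stretch is flagged. On a real capture the learned spread, not the floor, will dominate, and it has to be learned under the conditions the abstract mentions (network load, distance in hops from the monitor node), or the detector will alarm on the network rather than on the controller.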
