Using timing-based side channels for anomaly detection in industrial control systems

Abstract

The critical infrastructure, which includes the electric power grid, railroads and water treatment facilities, is dependent on the proper operation of industrial control systems. However, malware such as Stuxnet has demonstrated the ability to alter industrial control system parameters to create physical effects. Of particular concern is malware that targets embedded devices that monitor and control system functionality, while masking the actions from plant operators and security analysts. Indeed, system security relies on guarantees that the assurance of these devices can be maintained throughout their lifetimes. This paper presents a novel approach that uses timing-based side channel analysis to establish a unique device fingerprint that helps detect unauthorized modifications of the device. The approach is applied to an Allen Bradley ControlLogix programmable logic controller, where execution time measurements are collected and analyzed by a custom anomaly detection system to detect abnormal behavior. The anomaly detection system achieves true positive rates of 0.978–1.000 with false positive rates of 0.033–0.044. The test results demonstrate the feasibility of using timing-based side channel analysis to detect anomalous behavior in programmable logic controllers.
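The abstract describes the workflow (collect execution-time measurements from a known-good PLC, derive a fingerprint, flag deviations, report true and false positive rates) but not the detector's internals. The following is an added example written for this page, not the paper's anomaly detection system: it assumes a simple statistical fingerprint (mean and standard deviation of scan-cycle execution time) and a standard-error threshold, and all timing samples are constructed rather than measured from any device. It shows how a tampered scan cycle that runs slightly longer is flagged, how benign drift can produce a false positive at a fixed threshold, and how TPR and FPR are computed from labelled windows.

```python
"""Illustrative timing-fingerprint anomaly detector (added example, not the paper's system).

Assumed model: the device fingerprint is the mean and standard deviation of
the PLC's scan-cycle execution time measured while the device is known-good;
a window of fresh measurements is flagged when its mean drifts from the
fingerprint by more than K_SIGMA standard errors. Every timing value below
is constructed for the demonstration.
"""
from statistics import mean, pstdev

SCAN_CYCLE_US = 100   # constructed nominal execution time, microseconds
WINDOW = 10           # measurements per detection window
K_SIGMA = 3.0         # detection threshold in standard-error units


def build_fingerprint(baseline_samples):
    """Summarise known-good execution times as mean/std (the assumed fingerprint)."""
    return {"mean": mean(baseline_samples), "std": pstdev(baseline_samples)}


def is_anomalous(fingerprint, window, k=K_SIGMA):
    """Flag a window whose mean execution time departs from the fingerprint
    by more than k standard errors of the window mean."""
    n = len(window)
    std_err = fingerprint["std"] / n ** 0.5 if fingerprint["std"] > 0 else 1e-9
    z = abs(mean(window) - fingerprint["mean"]) / std_err
    return z > k


def evaluate(fingerprint, labelled_windows, k=K_SIGMA):
    """Return detection counts plus TPR and FPR over (window, is_tampered) pairs."""
    tp = fp = tn = fn = 0
    for window, tampered in labelled_windows:
        flagged = is_anomalous(fingerprint, window, k)
        if tampered and flagged:
            tp += 1
        elif tampered:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn, "tpr": tpr, "fpr": fpr}


def jitter(i):
    """Deterministic +/-2 us pattern standing in for measurement noise (constructed)."""
    return ((i * 7) % 5) - 2


def constructed_baseline(n=200):
    """Known-good training samples: nominal cycle time plus jitter (constructed)."""
    return [SCAN_CYCLE_US + jitter(i) for i in range(n)]


def constructed_windows():
    """Labelled test windows: three benign, two with hypothetical injected logic."""
    normal = [SCAN_CYCLE_US + jitter(i) for i in range(WINDOW)]
    return [
        (normal, False),                     # unchanged logic
        ([t + 1 for t in normal], False),    # small benign drift, stays under threshold
        ([t + 2 for t in normal], False),    # larger benign drift: a false positive at K_SIGMA=3
        ([t + 5 for t in normal], True),     # injected code lengthens every scan cycle
        ([t + (8 if i % 2 else 0) for i, t in enumerate(normal)], True),  # extra work on alternate scans
    ]


def run_demo():
    """Build the fingerprint from the constructed baseline and score the test windows."""
    fingerprint = build_fingerprint(constructed_baseline())
    return evaluate(fingerprint, constructed_windows())


if __name__ == "__main__":
    print(run_demo())
```

With these constructed inputs the detector catches both tampered windows (TPR 1.0) and raises one false positive on the +2 µs drift window (FPR 1/3); raising `K_SIGMA` or lengthening `WINDOW` trades that false positive against sensitivity, which is the same TPR/FPR trade-off the abstract reports for the real system.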
