Who's in Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems

Industrial control system (ICS) networks used in critical infrastructures such as the power grid present a unique set of security challenges. The distributed networks are difficult to physically secure, legacy equipment can make cryptography and regular patches virtually impossible, and compromises can result in catastrophic physical damage. To address these concerns, this research proposes two device type fingerprinting methods designed to augment existing intrusion detection methods in the ICS environment. The first method measures data response processing times and takes advantage of the static and low-latency nature of dedicated ICS networks to develop accurate fingerprints, while the second method uses the physical operation times to develop a unique signature for each device type. Additionally, the physical fingerprinting method is extended to develop a completely new class of fingerprint generation that requires neither prior access to the network nor an example target device. Fingerprint classification accuracy is evaluated using a combination of a real-world, five-month dataset from a live power substation and controlled lab experiments. Finally, simple forgery attempts are launched against the methods to investigate their strength under attack.
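As an added illustrative example (not the paper's code), the response-time fingerprinting idea from the abstract reduced to a small classifier: a timing baseline per device type is learned from constructed samples, a new batch of timings is matched to the nearest baseline, and a batch that matches no known type is flagged for the IDS. The same logic applies to physical operation times; the device names, timing values and z-score threshold are assumptions.

```python
"""Timing-based device type fingerprinting for an ICS network (illustrative)."""
from math import sqrt
from statistics import mean, stdev

# Constructed training data: response processing times in milliseconds per
# device type, as collected by passively timing request/response pairs on a
# dedicated, low-latency network. Device names are hypothetical.
TRAINING_MS = {
    "relay_A": [3.1, 3.0, 3.2, 3.1, 2.9, 3.0, 3.1, 3.2],
    "rtu_B": [7.8, 8.1, 7.9, 8.0, 8.2, 7.9, 8.0, 8.1],
    "plc_C": [12.4, 12.6, 12.5, 12.3, 12.7, 12.5, 12.4, 12.6],
}


def build_fingerprints(samples_by_type):
    """Fingerprint each device type as (mean, stdev) of its timing samples."""
    return {name: (mean(t), stdev(t)) for name, t in samples_by_type.items()}


def classify(fingerprints, observed, z_max=4.0):
    """Return (best_type, z) for a batch of newly observed timings.

    z is how many standard errors the observed mean lies from a fingerprint's
    mean. If even the closest type is beyond z_max the batch is labelled
    None (unknown device), which is the condition an IDS should act on.
    """
    x_bar, n = mean(observed), len(observed)
    best_name, best_z = None, float("inf")
    for name, (mu, sigma) in fingerprints.items():
        z = abs(x_bar - mu) / (max(sigma, 1e-6) / sqrt(n))  # floor avoids /0
        if z < best_z:
            best_name, best_z = name, z
    return (best_name if best_z <= z_max else None), best_z


def check_claimed_type(fingerprints, claimed_type, observed, z_max=4.0):
    """Alert string if the timings do not match the type a device claims."""
    seen, z = classify(fingerprints, observed, z_max)
    if seen == claimed_type:
        return None
    return f"ALERT: claimed {claimed_type}, timing looks like {seen} (z={z:.1f})"


if __name__ == "__main__":
    fps = build_fingerprints(TRAINING_MS)
    # Genuine relay traffic, then a constructed forgery: a faster host
    # answering under the relay's address without matching its timing.
    print(check_claimed_type(fps, "relay_A", [3.0, 3.1, 3.2, 3.1, 3.0]))
    print(check_claimed_type(fps, "relay_A", [1.2, 1.4, 1.3, 1.1, 1.3]))
```

The standard-error score and the fixed threshold are choices made for this example; a deployed detector would calibrate both against the variance actually seen in the baseline over time.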