Hide and Seek: An Architecture for Improving Attack-Visibility in Industrial Control Systems

In recent years an emerging field of research has focused on using the "physics" of a Cyber-Physical System to detect attacks. In its basic form, a security monitor is deployed somewhere in the industrial control network, observes a time-series of the operation of the system, and identifies anomalies in those measurements in order to detect potentially manipulated control commands or manipulated sensor readings. While there is a growing literature on detection mechanisms in that research direction, the problem of where to monitor the physical behavior of the system has received less attention.
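The basic form of physics-based monitoring described above, as an added illustration that is not from the paper and does not reproduce its architecture: a constructed single-tank control loop in which the monitor predicts the next level from a physics model and the pump command, then runs a CUSUM on the residual against the reported level. The plant constants, the controller, the noise pattern and the frozen-sensor scenario are all assumptions made for this example.

```python
"""Constructed physics-based monitor for a tank level loop (not from the paper)."""
from typing import List, Tuple

# Assumed plant/control constants, chosen so all arithmetic is exact in floats.
INFLOW, OUTFLOW = 2.0, 1.0   # level change per step: pump adds 2, drain removes 1
SETPOINT = 12.0              # controller turns the pump off at or above this level
NOISE = [0.125, -0.125]      # small deterministic sensor noise, alternating sign

def predict(level: float, pump_on: bool) -> float:
    """Physics model: expected next level given the last level and pump command."""
    return level + (INFLOW if pump_on else 0.0) - OUTFLOW

def run_loop(steps: int, attack_start: int = -1, level0: float = 10.0
             ) -> Tuple[List[float], List[bool], List[float]]:
    """Simulate controller plus plant. From attack_start on, the reported
    sensor value is frozen at its last honest value (constructed scenario).
    Returns (reported levels, pump commands, true levels)."""
    true_level, frozen = level0, None
    reported, cmds, truth = [], [], []
    for t in range(steps):
        sensor = true_level + NOISE[t % 2]
        if 0 <= attack_start <= t:
            frozen = sensor if frozen is None else frozen
            sensor = frozen
        pump_on = sensor < SETPOINT          # controller trusts the reported value
        reported.append(sensor)
        cmds.append(pump_on)
        truth.append(true_level)
        true_level = predict(true_level, pump_on)   # the real physics continue
    return reported, cmds, truth

def cusum_monitor(reported: List[float], cmds: List[bool],
                  threshold: float = 3.0, bias: float = 0.5) -> int:
    """Residual = reported level minus the model's prediction from the previous
    reported level and command. A one-sided CUSUM on |residual| - bias absorbs
    the small noise; a frozen reading while the pump runs accumulates 0.5/step.
    Returns the first step at which the statistic exceeds threshold, or -1."""
    s = 0.0
    for t in range(1, len(reported)):
        residual = reported[t] - predict(reported[t - 1], cmds[t - 1])
        s = max(0.0, s + abs(residual) - bias)
        if s > threshold:
            return t
    return -1
```

In the honest run the level oscillates around the setpoint and the monitor stays silent; with the reading frozen from step 5 the pump never stops, the true level climbs well past the setpoint, and the residual CUSUM raises an alarm at step 12.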
