Forensic Investigation of Industrial Control Systems Using Deterministic Replay

From manufacturing plants to power grids, industrial control systems are increasingly controlled and networked digitally. While networking these systems together improves their efficiency and makes them more convenient to control, it also opens them up to attacks by malicious actors. When these attacks occur, forensic investigators should be able to determine what was compromised and which corrective actions need to be taken. In this paper, we propose a method to investigate attacks on industrial control systems by simulating the logged inputs of the system over time using a model constructed from the control programs. We detect any attacks that will lead to perturbations of the normal operation of the system by comparing the simulated output to the actual output. We also perform dependency tracing between the inputs and outputs of the system, so that attacks can be traced from the anomaly to their sources and vice versa. Our method can greatly aid investigators in recovering the complete attack graph used by the attacker using only the input and output logs from an industrial control system. To evaluate our method, we constructed a hybrid testbed with a simulated version of the Simplified Tennessee Eastman process, using a hardware-in-the-loop Allen-Bradley MicroLogix 1100 PLC. We were able to accurately detect all attack anomalies with a false positive rate of 0.3% or less.
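The replay-and-compare workflow the abstract describes, as an added example that is not the paper's code or testbed: a model of the control program is run over the logged inputs scan by scan, its outputs are diffed against the logged outputs, and each scan records which inputs it read so that an anomaly can be traced back to its candidate input sources and an input can be traced forward to the scans it influenced. The tank-level control program, the tag names (level, high_alarm, drain_inhibit, pump, drain), the I/O log and the planted anomaly are all constructed for this example; the dependency tracing is a coarse scan-level approximation (inputs read in the scan plus the provenance of retained state), not the mechanism the paper uses.

```python
from dataclasses import dataclass


class TrackedInputs:
    """Dict-like view of one scan's logged inputs that records every tag the program reads."""

    def __init__(self, values):
        self._values = values
        self.reads = set()

    def __getitem__(self, tag):
        self.reads.add(tag)
        return self._values[tag]


def control_program(inp, state):
    """Constructed stand-in for a model derived from the PLC program: one scan of a
    tank-level controller with a latched pump output. Returns (outputs, new_state)."""
    pump = state["pump"]                      # retained between scans (latch)
    if inp["level"] < 20.0:
        pump = True                           # start filling below the low setpoint
    elif inp["level"] > 80.0:
        pump = False                          # stop filling above the high setpoint
    # Emergency drain: alarm contact, or overfill unless the operator inhibited it.
    # drain_inhibit is only read when the overfill branch is actually evaluated.
    drain = inp["high_alarm"] or (inp["level"] > 95.0 and not inp["drain_inhibit"])
    return {"pump": pump, "drain": drain}, {"pump": pump}


@dataclass
class ScanResult:
    scan: int
    expected: dict
    actual: dict
    deps: frozenset      # (scan, input_tag) pairs this scan's outputs may derive from
    mismatched: list     # output tags where model and log disagree


def replay(log, program, initial_state):
    """Replay logged inputs through the model and diff each scan against the logged outputs."""
    state = initial_state
    state_deps = frozenset()   # provenance of the retained state (hypothetical, conservative)
    results = []
    for i, rec in enumerate(log):
        tracked = TrackedInputs(rec["inputs"])
        expected, new_state = program(tracked, state)
        reads = frozenset((i, tag) for tag in tracked.reads)
        deps = reads | state_deps            # over-approximate: never drop a possible source
        if new_state != state:
            state_deps = reads               # a state change is a fresh write of the latch
        state = new_state
        mismatched = sorted(t for t in expected if expected[t] != rec["outputs"].get(t))
        results.append(ScanResult(i, expected, rec["outputs"], deps, mismatched))
    return results


def anomalies(results):
    """Scans whose logged outputs diverge from the deterministic replay."""
    return [r.scan for r in results if r.mismatched]


def trace_to_sources(results, scan):
    """Backward trace: which logged inputs could have produced the outputs of `scan`."""
    return set(results[scan].deps)


def trace_forward(results, scan, tag):
    """Forward trace: which scans' outputs depend on input `tag` as logged at `scan`."""
    return [r.scan for r in results if (scan, tag) in r.deps]


def _rec(level, high_alarm, drain_inhibit, pump, drain):
    return {"inputs": {"level": level, "high_alarm": high_alarm, "drain_inhibit": drain_inhibit},
            "outputs": {"pump": pump, "drain": drain}}


# Constructed I/O log, one record per PLC scan. Scan 6 is the planted anomaly: the
# logged pump output is on although the control logic says it must be off.
LOG = [
    _rec(50.0, False, False, False, False),  # 0
    _rec(30.0, False, False, False, False),  # 1
    _rec(15.0, False, False, True,  False),  # 2 low setpoint crossed, pump latches on
    _rec(25.0, False, False, True,  False),  # 3
    _rec(60.0, False, False, True,  False),  # 4
    _rec(85.0, False, False, False, False),  # 5 high setpoint crossed, pump latches off
    _rec(70.0, False, False, True,  False),  # 6 ANOMALY: pump on with no logic path to it
    _rec(97.0, False, False, False, True),   # 7 overfill, drain opens
    _rec(60.0, True,  False, False, True),   # 8 alarm contact, drain opens
    _rec(10.0, False, False, True,  False),  # 9 pump latches on again
    _rec(40.0, False, False, True,  False),  # 10
]

if __name__ == "__main__":
    res = replay(LOG, control_program, {"pump": False})
    for s in anomalies(res):
        r = res[s]
        print(f"scan {s}: expected {r.expected}, logged {r.actual}, diverging tags {r.mismatched}")
        print(f"  candidate input sources: {sorted(trace_to_sources(res, s))}")
    print("scans influenced by level@5:", trace_forward(res, 5, "level"))
```

The backward trace for scan 6 points at the level and alarm inputs of scans 5 and 6, i.e. the inputs that set the latch and the inputs of the anomalous scan itself; because none of them explain a pump-on output, an investigator would treat this as an output-side manipulation rather than an input-side one. The forward trace shows how far an input recorded in one scan propagates through retained state, which is what makes the trace useful in the other direction when the suspect is a manipulated input.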
