Stealthy Rootkits in Smart Grid Controllers

This paper presents a stealthy and persistent attack on a Cyber-Physical System (CPS), namely the smart grid, and a multi-layer approach to detect such an attack. The attack on the CPS controller uses a rootkit-based malware. When activated, the rootkit overwrites operator commands to the smart grid relays while evading detection by the operator control station. The rootkit sends valid replies to the operator while corrupting the controller operation through a dynamically loaded library, which the rootkit hides. The attack persists even when the controller stops and restarts, since a background daemon, which the rootkit hides from user-space tools, automatically restarts the process with the malicious library. Using a high-fidelity simulation of the smart grid CPS, we show that the attack drastically impacts the CPS, especially when the adversary strategically chooses the target relays. We design an ensemble of detectors to detect the attack and uncover its persistence and insertion mechanisms. The detectors use measures such as hardware performance counters (HPCs), change detection in binary signatures, change detection in system calls, and detection of hidden processes and file system entries.
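Two of the detector measures named above, hidden-process detection and binary signature change detection, can be sketched as a cross-view check: a rootkit that filters directory listings hides from user-space tools, but a direct probe of each candidate name still succeeds. The following is an added example and not code from the paper; the Linux `/proc` layout is assumed, and the watch list, PID range and hashes are constructed sample values.

```python
"""Added example: cross-view checks for hidden PIDs and binary/library changes."""
import hashlib
import os


def cross_view_hidden(listed, probed):
    """Entries that answer a direct probe but are missing from the listing.
    A rootkit that filters readdir() results hides from ps/ls, yet the object
    still exists, so a direct stat() on the name still succeeds."""
    return sorted(set(probed) - set(listed))


def live_hidden_pids(max_pid=65536):
    """Linux only: compare the /proc listing against a per-PID stat() probe.
    max_pid is a constructed default; read /proc/sys/kernel/pid_max in practice."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"/proc/{pid}")        # bypasses a filtered readdir()
            probed.add(pid)
        except OSError:
            pass
    # Re-list to discard processes that merely started during the probe loop.
    relisted = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    return [p for p in cross_view_hidden(listed, probed) if p not in relisted]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_drift(baseline, current):
    """baseline/current map path -> sha256 hex. Returns (modified, removed, added).
    A replaced controller binary shows up as modified; a dropped library as added."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    removed = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    return modified, removed, added


def snapshot(paths):
    """Hash every watched path that exists; a missing one is later reported as removed."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


if __name__ == "__main__":
    print("hidden PIDs:", live_hidden_pids())
    watch = ["/bin/sh"]                      # constructed watch list
    base = snapshot(watch)                   # in practice: stored baseline
    print("drift since baseline:", binary_drift(base, snapshot(watch)))
```

The listing-versus-probe comparison applies equally to file system entries: list a directory, then stat() each name from a stored manifest and report names that exist but were not listed.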
