Detecting anomalous programmable logic controller behavior using RF-based Hilbert transform features and a correlation-based verification process

Industrial control systems are used to operate critical infrastructure assets in the civilian and military sectors. Current industrial control system architectures are predominantly based on networked digital computers that enable reliable monitoring and control of critical functions via localized and distributed operations. Many industrial control systems, in particular supervisory control and data acquisition (SCADA) systems, implement monitoring and control using programmable logic controllers, which have served as gateways through which cyber attacks have been orchestrated against high-profile industrial control system targets. This paper focuses on securing the programmable logic controller gateway against unauthorized entry and mitigating attack risks by (i) adopting a previously demonstrated capability that provides hardware device discrimination using information extracted from intentional radio frequency (RF) emissions; and (ii) adapting the RF-based verification methodology to exploit information in unintentional programmable logic controller emissions to detect anomalous operations and enhance industrial control system security. Operational status verification (normal operation versus anomalous operation) is demonstrated using emissions from 10 like-model programmable logic controllers. The correlation-based verification approach with Hilbert transform features demonstrates superior performance to that obtained with untransformed time domain features. Experimental results demonstrate that an arbitrary equal error rate (EER) benchmark (EER ≤ 10%) is achieved for all programmable logic controllers at a signal-to-noise ratio (SNR) of 5.0 dB when Hilbert-transformed features are used for complete programmable logic controller program scans, or at SNR = 0.0 dB when each programmable logic controller program operation is compared independently. This benchmark was not achieved for any programmable logic controllers when untransformed time domain features were employed.
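As an added illustration (not code or data from the paper), the following Python sketches the pipeline the abstract describes: a Hilbert-transform envelope feature, a normalised-correlation verification score, and an equal error rate computed from genuine (normal) and impostor (anomalous) scores. The emission profiles, carrier and phase offsets are constructed stand-ins, and using an unknown carrier phase as the condition under which untransformed time-domain features underperform is an assumption of this example, not the paper's analysis; all function names are hypothetical.

```python
import cmath
import math
N = 64  # samples per constructed emission window

def dft(x, inverse=False):
    """Naive O(N^2) DFT; adequate for the short constructed windows used here."""
    n, sign = len(x), (1 if inverse else -1)
    out = [sum(x[t] * cmath.exp(sign * 2j * math.pi * k * t / n) for t in range(n)) for k in range(n)]
    return [v / n for v in out] if inverse else out

def envelope(x):
    """Hilbert-transform feature |x + jH{x}|: keep DC/Nyquist, double positive bins, zero negative bins."""
    n, spec = len(x), dft(x)
    gain = [1.0] + [2.0] * ((n - 1) // 2) + ([1.0] if n % 2 == 0 else []) + [0.0] * ((n - 1) // 2)
    return [abs(z) for z in dft([s * g for s, g in zip(spec, gain)], inverse=True)]

def ncc(a, b):
    """Normalised cross-correlation in [-1, 1], used as the verification score."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    den = math.sqrt(sum((p - ma) ** 2 for p in a) * sum((q - mb) ** 2 for q in b))
    return num / den if den else 0.0

def eer(genuine, impostor):
    """Equal error rate from a threshold sweep: (FAR + FRR) / 2 at the threshold where they are closest."""
    best = (2.0, 1.0)
    for thr in sorted(set(genuine) | set(impostor)):
        far = sum(s >= thr for s in impostor) / len(impostor)  # anomalous scan accepted as normal
        frr = sum(s < thr for s in genuine) / len(genuine)     # normal scan rejected
        best = min(best, (abs(far - frr), (far + frr) / 2))
    return best[1]

def emission(profile, phase, cycles=8):
    """Constructed stand-in for a PLC emission: carrier with amplitude `profile` and an unknown phase (assumed)."""
    return [profile[t] * math.cos(2 * math.pi * cycles * t / N + phase) for t in range(N)]

NORMAL = [1.0 + 0.5 * math.sin(2 * math.pi * t / N) for t in range(N)]         # constructed normal-scan profile
ANOMALOUS = [1.0 + 0.5 * math.sin(2 * math.pi * 3 * t / N) for t in range(N)]  # constructed altered-scan profile

def scores(feature):
    """Genuine (normal vs. normal template) and impostor (anomalous vs. template) scores over ten phases."""
    template = feature(emission(NORMAL, 0.0))
    phases = [0.3 * i for i in range(10)]
    genuine = [ncc(template, feature(emission(NORMAL, p))) for p in phases]
    impostor = [ncc(template, feature(emission(ANOMALOUS, p))) for p in phases]
    return genuine, impostor

def compare_features():
    """Returns (EER with raw time-domain samples, EER with Hilbert envelope features)."""
    return eer(*scores(lambda x: x)), eer(*scores(envelope))
```

With these constructed signals the time-domain features give an EER of 0.5 while the envelope features give 0.0, because the envelope discards the carrier phase that the raw samples still depend on.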
