Information Hiding in Cyber Physical Systems: Challenges for Embedding, Retrieval and Detection using Sensor Data of the SWAT Dataset

In this paper, we present an Information Hiding approach suitable for exfiltrating sensitive information from Industrial Control Systems (ICS) by leveraging the long-term storage of process data in historian databases. We show how hidden messages can be embedded in sensor measurements and retrieved asynchronously by accessing the historian. We evaluate this approach using the water-flow and water-level sensors of the Secure Water Treatment (SWAT) dataset from iTrust as an example. To generalise beyond specific cover channels (sensors and their transmitted data), we reflect on the general challenges that arise when such Information Hiding scenarios create network covert channels, and discuss cover channel selection, sender-receiver synchronisation and temporal aspects such as the potential persistence of hidden messages in Cyber Physical Systems (CPS). For an empirical evaluation, we design and implement a covert channel that uses different embedding strategies in an adaptive approach with respect to the noise in the sensor measurements, resulting in dynamic capacity and bandwidth selection that reduces the probability of detection. The results of this evaluation show that, with such methods, the exfiltration of sensitive information in long-term, scaled attacks is indeed possible. Additionally, we present two detection approaches for the introduced covert channel and carry out an extensive evaluation of our detectors with multiple test datasets and different parameters. We achieve a detection accuracy of up to 87.8% on test data at a false positive rate (FPR) of 0%.
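The abstract describes three mechanisms without showing them: embedding message bits in sensor readings with a capacity that adapts to the measurement noise, asynchronous retrieval of those bits by a receiver that later queries the historian, and a detector evaluated at a 0% false positive rate. The following Python is an added example written for this page, not the paper's implementation nor SWAT data. It assumes a level reading quantised to 0.001 units, a sender/receiver synchronisation rule that derives the per-window capacity only from the high-order bits that embedding never touches (so both sides compute the same plan from cover and stego data alike), hypothetical thresholds of 2 and 8 quantisation units for 1- and 2-bit embedding, a 50-sample window, a constructed historian export with the tag name LIT101, and a naive low-order-bit entropy detector calibrated on clean data.

```python
"""Adaptive LSB-style covert channel in quantised sensor readings, asynchronous
retrieval from a historian export, and a 0%-FPR-calibrated entropy detector.
Illustrative code written for this page; not the paper's implementation."""
import math
import random

SCALE = 1000   # readings stored with three decimals -> integer units of 0.001
K_MAX = 4      # low-order bits the channel may ever touch (assumed)
WINDOW = 50    # samples per embedding window (assumed)


def quantize(values):
    return [int(round(v * SCALE)) for v in values]


def high_part(ints):
    """Readings with the K_MAX low-order bits cleared; identical for cover and stego."""
    return [(v >> K_MAX) << K_MAX for v in ints]


def capacity_plan(ints, window=WINDOW):
    """Bits per reading for each window, decided only from the high-order part.
    Because embedding never alters those bits, sender and receiver agree on the
    plan without any side channel (synchronisation rule assumed for this example)."""
    hi = high_part(ints)
    plan = []
    for start in range(0, len(ints), window):
        seg = hi[start:start + window]
        if len(seg) < 2:
            plan.append(0)
            continue
        est = sum(abs(b - a) for a, b in zip(seg, seg[1:])) / (len(seg) - 1)
        plan.append(2 if est >= 8 else 1 if est >= 2 else 0)  # hypothetical thresholds
    return plan


def embed(cover_ints, bits, window=WINDOW):
    """Replace the k low-order bits of each reading in a k-bit window with message bits.
    Returns the stego series and the number of message bits actually embedded."""
    stego = list(cover_ints)
    pos = 0
    for w, k in enumerate(capacity_plan(cover_ints, window)):
        if k == 0:
            continue
        for i in range(w * window, min((w + 1) * window, len(stego))):
            if pos >= len(bits):
                return stego, pos
            take = min(k, len(bits) - pos)
            sym = 0
            for b in bits[pos:pos + take]:
                sym = (sym << 1) | b
            sym <<= k - take                      # right-pad the last symbol with zeros
            stego[i] = ((stego[i] >> k) << k) | sym
            pos += take
    return stego, pos


def extract(stego_ints, nbits, window=WINDOW):
    """Receiver side: recompute the plan from the stego series and read the low bits."""
    bits = []
    for w, k in enumerate(capacity_plan(stego_ints, window)):
        if k == 0:
            continue
        for i in range(w * window, min((w + 1) * window, len(stego_ints))):
            if len(bits) >= nbits:
                return bits[:nbits]
            sym = stego_ints[i] & ((1 << k) - 1)
            bits.extend((sym >> (k - 1 - j)) & 1 for j in range(k))
    return bits[:nbits]


def text_to_bits(s):
    return [(byte >> (7 - j)) & 1 for byte in s.encode() for j in range(8)]


def bits_to_text(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8)).decode(errors="replace")


def historian_rows(ints, start_ts=1600000000):
    """Constructed historian export: (timestamp, tag, value) rows the receiver queries later."""
    return [(start_ts + i, "LIT101", v / SCALE) for i, v in enumerate(ints)]


def retrieve_from_historian(rows, nbits):
    return extract(quantize(v for _, _, v in rows), nbits)


def lowbit_entropy(ints, k=2, window=WINDOW):
    """Detector feature: Shannon entropy (bits) of the k low-order bits per window."""
    scores = []
    for start in range(0, len(ints), window):
        seg = ints[start:start + window]
        counts = {}
        for v in seg:
            counts[v & ((1 << k) - 1)] = counts.get(v & ((1 << k) - 1), 0) + 1
        scores.append(-sum(c / len(seg) * math.log2(c / len(seg)) for c in counts.values()))
    return scores


def calibrate(clean_scores):
    """Threshold at 0% FPR on the calibration data: the largest clean score."""
    return max(clean_scores)


def detect(scores, threshold):
    return [s > threshold for s in scores]


def make_cover(seed=1):
    """Constructed level trace (not SWAT data): a quiet steady tank, then a turbulent one."""
    rng = random.Random(seed)
    quiet = [500000 + rng.randint(-2, 2) for _ in range(300)]
    noisy = [700000 + rng.randint(-30, 30) for _ in range(300)]
    return quiet + noisy


if __name__ == "__main__":
    cover = make_cover()
    bits = text_to_bits("EXFIL")
    stego, n = embed(cover, bits)
    print("capacity plan (bits/reading per window):", capacity_plan(cover))
    print("embedded", n, "of", len(bits), "bits; recovered:",
          bits_to_text(retrieve_from_historian(historian_rows(stego), len(bits))))
    thr = calibrate(lowbit_entropy(cover))
    print("windows flagged by entropy detector:", sum(detect(lowbit_entropy(stego), thr)))
```

The constructed trace keeps the embedding inside the turbulent segment, where the low-order bits of the clean readings are already close to uniform; a detector that only measures low-bit entropy and is calibrated to 0% FPR on clean data is therefore expected to flag few or no windows. That is the evasion the adaptive capacity rule is designed for, and it is why a practical detector needs richer features of the noise and a trained classifier rather than a single entropy threshold.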
