Side-channel based intrusion detection for industrial control systems

Industrial Control Systems are under increased scrutiny. Their security is historically sub-par, and although measures are being taken by the manufacturers to remedy this, the large installed base of legacy systems cannot easily be updated with state-of-the-art security measures. We propose a system that uses electromagnetic side-channel measurements to detect behavioural changes of the software running on industrial control systems. To demonstrate the feasibility of this method, we show it is possible to profile and distinguish between even small changes in programs on Siemens S7-317 PLCs, using methods from cryptographic side-channel analysis.
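As an added illustration (not code from the paper), a minimal template-style profiler of the kind the abstract refers to: it builds a per-sample mean/variance template of the known-good program from constructed, already-aligned traces, classifies a fresh trace against the baseline and modified templates, and raises an alarm when the baseline template can no longer explain a trace. The waveforms, the trace length N, the noise level and the alarm margin are all assumptions for the demonstration.

```python
import math
import random

# Constructed stand-in for aligned EM traces: one trace per PLC scan cycle,
# N samples long. Real traces would be captured with a probe over the CPU.
N = 32
# Constructed mean waveforms: "modified" differs from the baseline in six samples only.
BASELINE = [math.sin(i / 3.0) for i in range(N)]
MODIFIED = [v + (0.5 if 12 <= i < 18 else 0.0) for i, v in enumerate(BASELINE)]

def make_traces(waveform, count, sigma=0.1, seed=0):
    """Synthesise noisy measurements of one program (constructed data)."""
    rng = random.Random(seed)
    return [[v + rng.gauss(0.0, sigma) for v in waveform] for _ in range(count)]

def build_template(traces):
    """Profiling phase: per-sample mean and variance of a program's traces."""
    n = len(traces)
    means = [sum(t[i] for t in traces) / n for i in range(N)]
    variances = [max(sum((t[i] - means[i]) ** 2 for t in traces) / max(n - 1, 1), 1e-9)
                 for i in range(N)]
    return means, variances

def log_likelihood(trace, template):
    """How well a template (diagonal Gaussian) explains one trace."""
    means, variances = template
    return -0.5 * sum(math.log(2.0 * math.pi * v) + (x - m) ** 2 / v
                      for x, m, v in zip(trace, means, variances))

def classify(trace, templates):
    """Matching phase: name of the template with the highest likelihood."""
    return max(templates, key=lambda name: log_likelihood(trace, templates[name]))

def alarm_threshold(known_good_traces, template, margin=10.0):
    """Lowest likelihood seen on known-good traces, minus a safety margin."""
    return min(log_likelihood(t, template) for t in known_good_traces) - margin

def is_anomalous(trace, template, threshold):
    """Detection view: flag a trace the known-good template cannot explain."""
    return log_likelihood(trace, template) < threshold

if __name__ == "__main__":
    good = make_traces(BASELINE, 50, seed=1)
    templates = {"baseline": build_template(good),
                 "modified": build_template(make_traces(MODIFIED, 50, seed=2))}
    thr = alarm_threshold(good, templates["baseline"])
    for name, wf in (("baseline", BASELINE), ("modified", MODIFIED)):
        trace = make_traces(wf, 1, seed=3)[0]
        print(name, "->", classify(trace, templates), "| alarm:", is_anomalous(trace, templates["baseline"], thr))
```

In a deployment the threshold would be set from a held-out set of known-good traces, not the profiling set, so that the false-alarm rate can be measured before the detector is trusted.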
