Remotely inferring device manipulation of industrial control systems via network behavior

This paper presents preliminary findings on a novel method to remotely fingerprint a network of Cyber Physical Systems and demonstrates the ability to remotely infer the functionality of an Industrial Control System (ICS) device. A monitoring node measures the target device's response to network requests and statistically analyzes the collected data to build and classify a profile of the device's functionality via machine learning. As ICSs are used to control critical infrastructure processes such as power generation and distribution, it is vital to develop methods to detect tampering. A system employing our measurement technique could discover if an insider has made unauthorized changes to a device's logic. Our architecture also has advantages because the monitoring node is separate from the measured device. Our results indicate the ability to accurately infer, using a tunable threshold value, discrete ranges of task cycle periods (i.e., CPU loads) that could correspond to different functions.
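As an added illustration (not code from the paper), the sketch below shows how a monitoring node could map response-time measurements to a task-cycle range and flag a device whose inferred range no longer matches its expected one. Assumptions: response delays spread across one task cycle plus a fixed network delay, the profile is the mean and standard deviation of the delays, and a nearest-profile rule with a reject threshold stands in for the paper's machine-learning classifier; all names and sample data are constructed.

```python
from math import hypot, inf
from statistics import mean, pstdev

def simulate_latencies(period_ms, n, base_ms=1.0):
    """Constructed data: delays spread evenly over one task cycle plus a fixed network delay."""
    return [base_ms + period_ms * (i + 0.5) / n for i in range(n)]

def features(samples_ms):
    """Profile of a measurement window: (mean, standard deviation) in ms."""
    return (mean(samples_ms), pstdev(samples_ms))

def build_profiles(baselines):
    """baselines: label -> response times collected while the device ran known-good logic."""
    return {label: features(samples) for label, samples in baselines.items()}

def classify(samples_ms, profiles, threshold_ms):
    """Return (label, distance); label is 'unknown' if no profile lies within the threshold."""
    obs = features(samples_ms)
    best_label, best_dist = None, inf
    for label, prof in profiles.items():
        dist = hypot(obs[0] - prof[0], obs[1] - prof[1])
        if dist < best_dist:
            best_label, best_dist = label, dist
    if best_dist > threshold_ms:
        return "unknown", best_dist
    return best_label, best_dist

def logic_changed(expected_label, samples_ms, profiles, threshold_ms=2.0):
    """True when the inferred task-cycle range differs from the one on record."""
    label, _ = classify(samples_ms, profiles, threshold_ms)
    return label != expected_label

# Baseline profiles for three hypothetical task cycle periods.
PROFILES = build_profiles({
    "10ms": simulate_latencies(10, 200),
    "50ms": simulate_latencies(50, 200),
    "100ms": simulate_latencies(100, 200),
})

if __name__ == "__main__":
    for period in (50, 55, 100):
        window = simulate_latencies(period, 40)
        print(period, classify(window, PROFILES, 2.0), logic_changed("50ms", window, PROFILES))
```

Raising the threshold makes the classifier accept windows that drift further from a baseline profile; lowering it pushes more windows into the "unknown" class for review.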
