ABSTRACT
Recent incidents have shown that Industrial Control Systems (ICS) are becoming increasingly susceptible to sophisticated and targeted attacks initiated by adversaries with high motivation, domain knowledge, and resources. Although traditional security mechanisms can be implemented at the IT-infrastructure level of such cyber-physical systems, the community has acknowledged that it is imperative to also monitor the process-level activity, as attacks on ICS may very well influence the physical process. In this paper, we present PASAD, a novel stealthy-attack detection mechanism that monitors time series of sensor measurements in real time for structural changes in the process behavior. We demonstrate the effectiveness of our approach through simulations and experiments on data from real systems. Experimental results show that PASAD is capable of detecting not only significant deviations in the process behavior, but also subtle attack-indicating changes, significantly raising the bar for strategic adversaries who may attempt to maintain their malicious manipulation within the noise level.
Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems