Hide and Seek: An Architecture for Improving Attack-Visibility in Industrial Control Systems

Conference paper
Applied Cryptography and Network Security (ACNS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11464)

Abstract

In recent years an emerging field of research has focused on using the “physics” of a Cyber-Physical System to detect attacks. In its basic form, a security monitor is deployed somewhere in the industrial control network, observes a time series of the operation of the system, and identifies anomalies in those measurements in order to detect potentially manipulated control commands or manipulated sensor readings. While there is a growing literature on detection mechanisms in that research direction, the problem of where to monitor the physical behavior of the system has received less attention.

In this paper, we analyze the problem of where we should monitor these systems, and which attacks can and cannot be detected depending on the location of this network monitor. The location of the monitor is particularly important, because an attacker can bypass attack detection by lying on some network interfaces while reporting that everything is normal on the others. Our paper is the first detailed study of what can and cannot be detected based on the devices an attacker has compromised and where we monitor our network. We show that there are locations that maximize our visibility against such attacks. Based on our analysis, we design a low-level security monitor that is able to directly observe the field communication between sensors, actuators, and Programmable Logic Controllers (PLCs). We implement that security monitor in a realistic testbed, and demonstrate that it can detect attacks that would otherwise go undetected at the supervisory network.
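As an added illustration of the placement argument above (this is not the paper's code or testbed), a constructed toy model of a single tank controlled by a PLC: a supervisory-level monitor and a field-level monitor apply the same level/command consistency check, and a PLC that reports a benign picture upstream while commanding the inlet open on the field bus is caught only by the field-level monitor. The process constants, the threshold and the check itself are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed single-tank process: the PLC reads a level sensor and drives an inlet
# valve on the field network, and reports (level, command) to the supervisory network.
HIGH = 800.0                   # control threshold: close the inlet above this level
STEPS = 20                     # simulated control cycles
INFLOW, OUTFLOW = 50.0, 30.0   # level change per cycle with inlet open / closed

@dataclass
class FieldFrame:              # what a monitor on the field network observes
    level: float
    valve_cmd: int             # 1 = inlet open, 0 = inlet closed

@dataclass
class SupervisoryReport:       # what a monitor on the supervisory network observes
    level: float
    valve_cmd: int

def control_logic(level):
    """Intended PLC logic: close the inlet above HIGH, otherwise keep it open."""
    return 0 if level > HIGH else 1

def benign_plc(level):
    cmd = control_logic(level)
    return FieldFrame(level, cmd), SupervisoryReport(level, cmd)

def compromised_plc(level):
    """Threat model from the abstract: the PLC lies on one interface and looks
    normal on the other. It reports a level below the threshold plus the command
    its logic would issue for that level, while keeping the inlet open downstream."""
    reported = min(level, HIGH - 50.0)
    return FieldFrame(level, 1), SupervisoryReport(reported, control_logic(reported))

def consistent(level, cmd):
    """Physics/logic check used by both monitors: does the command match the level?"""
    return cmd == control_logic(level)

def simulate(plc):
    """Run the process with the given PLC; return (supervisory alerts, field alerts, final level)."""
    level, sup_alerts, field_alerts = 500.0, 0, 0
    for _ in range(STEPS):
        frame, report = plc(level)
        sup_alerts += 0 if consistent(report.level, report.valve_cmd) else 1
        field_alerts += 0 if consistent(frame.level, frame.valve_cmd) else 1
        # The tank responds to the command actually delivered on the field bus.
        level += INFLOW if frame.valve_cmd else -OUTFLOW
    return sup_alerts, field_alerts, level

if __name__ == "__main__":
    for name, plc in (("benign", benign_plc), ("compromised", compromised_plc)):
        print(name, simulate(plc))
```

With the compromised PLC the supervisory feed stays self-consistent and raises nothing, while the field monitor alerts on every cycle in which the real level is above the threshold and the inlet is still commanded open.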

Acknowledgements

We would like to thank SUTD for giving us access to their SWaT testbed to conduct our experiments. This material is based on research sponsored by the National Science Foundation with award number CNS-1718848, by the National Institute of Standards and Technology with award number 70NANB17H282, and by the Air Force Research Laboratory under agreement number FA8750-19-2-0010. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of Air Force Research Laboratory or the U.S. Government.

Corresponding author

Correspondence to Alvaro A. Cardenas .

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Giraldo, J., Urbina, D., Cardenas, A.A., Tippenhauer, N.O. (2019). Hide and Seek: An Architecture for Improving Attack-Visibility in Industrial Control Systems. In: Deng, R., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2019. Lecture Notes in Computer Science, vol 11464. Springer, Cham. https://doi.org/10.1007/978-3-030-21568-2_9

  • DOI: https://doi.org/10.1007/978-3-030-21568-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21567-5

  • Online ISBN: 978-3-030-21568-2

  • eBook Packages: Computer Science (R0)
