SafeCI: Avoiding process anomalies in critical infrastructure

https://doi.org/10.1016/j.ijcip.2021.100435

Abstract

A cyber attack on a water or power system may lead to a process anomaly. Several methods have been proposed to detect such anomalies. An obvious and implicit assumption that underlies anomaly detection is that the detection occurs after the process moves into an anomalous state. While such detection is necessary during plant operation, it may not be sufficient to avoid plant damage and service disruption. This work explores a method, referred to as SafeCI, to assess the validity of a command issued by a plant controller, or directly by a malicious agent, prior to its reception at the target actuator. Modelling using SafeCI is illustrated using an example from a critical infrastructure, namely a water treatment plant named SWaT. An experimental evaluation was conducted on SWaT to assess the effectiveness of SafeCI in preventing the plant from entering an anomalous state. Results from the experiments are summarized and potential enhancements to SafeCI proposed.

Introduction

A Cyber Physical System (CPS) is a combination of cyber and physical subsystems. Most Critical Infrastructure (CI), including power systems and water systems, are examples of CPS. The cyber subsystem in a CI, often referred to as an Industrial Control System (ICS), is responsible for controlling the process inherent in the physical subsystem. In a CI, the cyber and physical subsystems are often complex and distributed. For example, in a water plant the cyber subsystem includes a Supervisory Control and Data Acquisition (SCADA) system and multiple Programmable Logic Controllers (PLCs). These cyber components communicate over a communication network. The physical subsystem includes, among others, components such as water tanks, pumps, and valves. Sensors collect the state of the physical subsystem and transmit it to the cyber subsystem, and actuators receive control signals from it. This interface enables a PLC to obtain the process state and apply control signals to the actuators to move the process to its next natural state. The design of systems that fall in the CI category often follows the Purdue layered architecture [1] across sensors, actuators, PLCs and SCADA, as shown in Fig. 1.

Vulnerabilities in the cyber subsystem are exploited by malicious actors with the intent to move the CI to an anomalous state. A CI that remains in such a state for sufficiently long duration may experience component damage or loss of service [2], [3]. Malicious insiders could also exploit their access to a plant and launch cyber attacks [4]. Attempts to disrupt or damage CI appear to be on the rise [5]. In addition to exploiting vulnerabilities in software and communications infrastructure, attackers also use social engineering to extract credentials of plant operators and managers to enter the cyber subsystem of a plant from where they could launch commands to disrupt normal operation [2], [6]. More targeted attacks are also possible in ICS [7], [8], [9]. However, prevention and detection of targeted attacks against ICS is challenging given the numerous system characteristics that need to be accounted for including a multitude of devices, protocols, and operational process parameters, that could be manipulated by an attacker.

The discussion above highlights the importance of designing a secure CI that contains mechanisms for attack prevention and timely detection. A plethora of such mechanisms exist and are often deployed in CI. Some of them include firewalls configured to allow only traffic that meets certain source and destination addresses with specific timing requirements; we note that several proposals exist for more intelligent firewalls [10]. Intrusion detection systems [11] monitor network traffic and alert the user when the traffic pattern does not conform to the specification or to a known signature. Prevention systems can detect an intrusive activity and also attempt to stop the activity, ideally before it reaches its target. Detection systems are more common in CI than prevention systems, since an incorrectly configured prevention system may itself impact the safety of the plant. Intrusion detection approaches are useful when a firewall is breached. Often such approaches are based on detecting network traffic anomalies likely resulting from the actions of a malicious intruder [11]. Another class of approaches that detect cyber intrusions is based on detecting process anomalies [12], [13], [14]; for example, supervised machine learning has been used to characterize the physical invariants of a CPS [15]. Methods that detect network and process anomalies generate an alert only after an attacker has entered the plant. Thus, depending on how early an alert is generated and the corresponding response initiated, the attacker may already have succeeded in realising their intentions, such as opening a circuit breaker or causing input power oscillations in an electric pump. An anomaly may also occur due to a failure of one or more components in the plant, such as a motor or a valve; the focus in this work is on anomalies that occur due to the actions of an attacker. It is imperative that methods that focus not only on detecting but also on preventing process anomalies be developed and investigated. SafeCI is one such method, proposed in this paper.

SafeCI includes a strategically placed command validation subsystem for distributed ICS. The focus of SafeCI is on preventing a plant from entering an anomalous state. To do so, SafeCI validates commands targeted at actuators, such as a pump, a generator, or a circuit breaker. The command itself may have originated at a device such as a PLC, a SCADA workstation, or a malicious computer connected directly to the plant network. By monitoring the system state using a secure subsystem named Argus [16], and evaluating the actuator functions described later, SafeCI validates a command prior to its arrival at the target and generates an alert when the command is found invalid. Argus ensures that SafeCI has access to the actual plant state, which, for some of the sources of malicious commands (refer to Section 3.1), may differ from the state as seen by a PLC or a SCADA workstation. The placement of SafeCI also makes it challenging for attackers to disable its operation.
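To make the validation step concrete, the following is an added example, not code from the paper or from the SafeCI implementation: a toy command validator for a single water tank with an inlet valve and an outlet pump. The actuator functions, tag names (TANK_LEVEL, INLET_VALVE, OUTLET_PUMP, OUTLET_VALVE), level thresholds and the sample commands are all constructed for illustration and are not SWaT's. The point it demonstrates is the one the paragraph makes: the decision is taken on the trusted plant state (the role Argus plays in the paper), not on the state the command's source believes in, so a PLC fed a spoofed low tank level still cannot get an overflow-inducing command through.

```python
"""Toy SafeCI-style command validator (added example; hypothetical plant and rules)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Trusted plant state as a secure state monitor would supply it. Values are constructed.
PlantState = Dict[str, float]


@dataclass(frozen=True)
class Command:
    source: str    # "PLC1", "SCADA", or any other host on the plant network
    actuator: str  # hypothetical tag, e.g. "INLET_VALVE" or "OUTLET_PUMP"
    value: str     # "OPEN"/"CLOSE" for valves, "ON"/"OFF" for pumps


# Hypothetical level thresholds for the tank, in mm.
LEVEL_HH = 1000.0  # high-high: opening the inlet risks overflow
LEVEL_LL = 250.0   # low-low: running the outlet pump risks dry-run damage


# Actuator functions: (command value, trusted state) -> (ok, reason).
# These stand in for the per-actuator rules the paper evaluates; they are not the paper's.
def inlet_valve_rule(value: str, state: PlantState) -> Tuple[bool, str]:
    if value == "OPEN" and state["TANK_LEVEL"] >= LEVEL_HH:
        return False, "inlet OPEN while tank at high-high level (overflow)"
    return True, "ok"


def outlet_pump_rule(value: str, state: PlantState) -> Tuple[bool, str]:
    if value == "ON" and state["TANK_LEVEL"] <= LEVEL_LL:
        return False, "pump ON while tank at low-low level (dry run)"
    if value == "ON" and state["OUTLET_VALVE"] == 0.0:
        return False, "pump ON against a closed outlet valve (dead-head)"
    return True, "ok"


ACTUATOR_RULES: Dict[str, Callable[[str, PlantState], Tuple[bool, str]]] = {
    "INLET_VALVE": inlet_valve_rule,
    "OUTLET_PUMP": outlet_pump_rule,
}


def validate(cmd: Command, trusted_state: PlantState) -> Tuple[bool, str]:
    """Decide whether cmd may be forwarded to its actuator.

    Only trusted_state is consulted, never a state claimed by the command's source,
    so a spoofed sensor value at the PLC does not change the outcome.
    Actuators without a rule are rejected (fail closed).
    """
    rule = ACTUATOR_RULES.get(cmd.actuator)
    if rule is None:
        return False, f"no actuator function for {cmd.actuator}"
    return rule(cmd.value, trusted_state)


def filter_commands(cmds: List[Command], trusted_state: PlantState) -> Tuple[List[Command], List[str]]:
    """Forward valid commands; emit one alert line per invalid command."""
    forwarded, alerts = [], []
    for cmd in cmds:
        ok, reason = validate(cmd, trusted_state)
        if ok:
            forwarded.append(cmd)
        else:
            alerts.append(f"ALERT source={cmd.source} actuator={cmd.actuator} value={cmd.value}: {reason}")
    return forwarded, alerts


# Constructed scenario: the tank is nearly full, but the PLC has been fed a spoofed low level.
TRUSTED_STATE: PlantState = {"TANK_LEVEL": 1020.0, "OUTLET_VALVE": 1.0}
SPOOFED_STATE_AT_PLC: PlantState = {"TANK_LEVEL": 300.0, "OUTLET_VALVE": 1.0}

SAMPLE_COMMANDS = [
    Command("PLC1", "INLET_VALVE", "OPEN"),      # PLC believes the tank is low; it is at high-high
    Command("SCADA", "OUTLET_PUMP", "ON"),       # legitimate: drain the full tank
    Command("10.0.0.99", "OUTLET_PUMP", "OFF"),  # unexpected host, but the command itself is harmless
    Command("10.0.0.99", "DOSING_PUMP", "ON"),   # no actuator function defined: rejected
]

if __name__ == "__main__":
    fwd, alerts = filter_commands(SAMPLE_COMMANDS, TRUSTED_STATE)
    print("forwarded:", [(c.actuator, c.value) for c in fwd])
    print("\n".join(alerts))
    # The same command judged against the PLC's spoofed view would be let through:
    print("using PLC view:", validate(SAMPLE_COMMANDS[0], SPOOFED_STATE_AT_PLC))
```

Two design choices are worth noting. The validator fails closed on an actuator it has no rule for, which is the safe default for a subsystem sitting in front of physical equipment. And the harmless OFF command from the unexpected host is forwarded: the check is on what the command would do to the plant, not on who sent it, which is what makes the method independent of the PLCs and SCADA in use; flagging the unexpected source is the job of the network intrusion detection the paper treats as complementary.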

Contribution: SafeCI, a command validation method for distributed ICS, is presented. The method (a) is independent of the PLCs and SCADA systems used in an ICS, (b) allows the use of information from an anomaly detector, if one exists, in identifying bad commands sent to actuators, and (c) was evaluated experimentally in an operational water treatment plant [17].

Novelty: Several intrusion detection and prevention systems exist [18]. Prevention systems include intelligent firewalls [10] that focus on preventing an attacker from entering the network. However, vulnerabilities in such firewalls and their configuration could lead to a breach [5]. Upon entry into the plant network an attacker may be able to manipulate plant data and inject malicious commands to different actuators. While network and process anomaly detectors may detect and generate an alert, it may be too late and the targeted plant may move into an undesirable state. SafeCI goes beyond intrusion detection and prevention and aims at avoiding plant anomalies by identifying and acting prior to a malicious command arriving at a PLC, i.e., when an active prevention system has been breached and a detection system may or may not have detected an anomaly.

Organization: Related work is discussed in Section 2. The sources of malicious commands, and a threat model that explains how and why malicious commands can arrive at an actuator, are in Section 3. The architecture and implementation of SafeCI are presented in Section 4. The plant model is presented in Section 5. Details of an experimental evaluation of SafeCI on SWaT are in Section 6. Section 7 summarizes this work and presents conclusions.

Related work

There exists a significant body of work that relates to the protection of ICS. This includes survey papers as well as papers pointing to the opportunities and challenges in ICS protection [14], [19], [20], [21], [22], [23], [24], [25]. A detailed survey of detection and prevention of attacks is available in [18]. Detection raises an alert when traffic patterns do not conform to the specification or a signature. However, such systems do not focus on avoiding anomalies in the physical process of

Malicious commands and threat model

This section presents the sources of malicious commands and the threat-models considered in this paper. The need for SafeCI arises due to the possibility of malicious commands arriving at actuators in a CI. Below we enumerate the various sources of such commands and a threat model.

Design

Consider an ICS that consists of distributed, interacting PLCs. Here, each PLC communicates with sensors, actuators, and the SCADA workstation. Such interactions can be categorized into multiple levels, as exemplified in Fig. 1. At level 0 (L0 in the figure) each PLC interacts with its respective sensors and actuators. At level 1 (L1 in the figure) PLCs interact with each other.

SafeCI obtains plant state from sensors using a secure mechanism. Argus [16] is one such mechanism used in this work. As

Plant model

The context in which SafeCI was evaluated and the model of the plant are described next.

Context: SafeCI was implemented and experimentally evaluated in a water treatment plant named SWaT [17]. SWaT is distributed across six stages shown in Figs. 4 and 5. It produces 5 gallons/min of purified water. Several published articles in ICS security have made use of data collected from SWaT [54], [55], [56], [57], [58], [59].

Components and states: A plant P is represented as a triple (PLC, C, V), where PLC = {

Evaluation of SafeCI

Effectiveness of SafeCI was evaluated on SWaT, an operational water treatment plant [17]. The metrics used in the evaluation, the attack design, and the results are described next.

Summary and conclusions

SafeCI is an approach to avoid process anomalies in critical infrastructure, in contrast to detecting network traffic anomalies, the focus of several IDS. While detection of anomalies is important, one could raise the security level of a plant by adding mechanisms for avoiding anomalies. SafeCI offers an approach complementary to anomaly detection and follows a design-centric approach. Experiments reported here are indicative of the high reliability of SafeCI in flagging commands as

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (63)

  • Department of Homeland Security, ICS-CERT Advisories, https://ics-cert.us-cert.gov/advisories, ...
  • B. Green et al., The impact of social engineering on industrial control system security, Proceedings of the CPS-SPC (2015)
  • A.A. Cárdenas, Attacks against process control systems: risk assessment, detection, and response, Proceedings of the 6th ASIACCS (2011)
  • T. Sommestad et al., Cyber security risks assessment with Bayesian defense graphs and architectural models, Proceedings of the 42nd Hawaii International Conference on System Sciences (2009)
  • L. Garcia et al., Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit, Proceedings of the NDSS (2017)
  • S.-S. Wu et al., Distributed specification-based firewalls for power grid substations, Proceedings of the IEEE PES ISGT-Europe (2014)
  • R. Sekar et al., Specification-based anomaly detection: a new approach for detecting network intrusions, Proceedings of the 9th ACM CCS (2002)
  • Y. Liu et al., False data injection attacks against state estimation in electric power grids, Proceedings of the 16th ACM CCS (2009)
  • G. Howser et al., A modal model of Stuxnet attacks on cyber-physical systems: a matter of trust, Proceedings of the Eighth International Conference on Software Security and Reliability (SERE) (2014)
  • R. Mitchell et al., A survey of intrusion detection techniques for cyber-physical systems, ACM CSUR (2014)
  • Y. Chen et al., Learning from mutants: using code mutation to learn and monitor invariants of a cyber-physical system, Proceedings of the IEEE S&P (2018)
  • A.P. Mathur et al., SWaT: a water treatment testbed for research and training on ICS security, Proceedings of the International Workshop on CySWater (2016)
  • D. Robb, Top intrusion detection and prevention systems: guide to IDPS, 2019, ...
  • A.A. Cardenas et al., Secure control: towards survivable cyber-physical systems, Proceedings of the 28th ICDCS (2008)
  • E.A. Lee, Cyber-physical systems: design challenges, Technical Report, http://www.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-8.html (2008)
  • A. Sajid et al., Cloud-assisted IoT-based SCADA systems security: a review of the state of the art and future challenges, IEEE Access (2016)
  • A. Humayed et al., Cyber-physical systems security – a survey, IEEE Internet Things J. (2017)
  • J. Suaboot et al., A taxonomy of supervised learning for IDSs in SCADA environments, ACM Comput. Surv. (CSUR) (2020)
  • H. Lin et al., Challenges and opportunities in the detection of safety-critical cyberphysical attacks, Computer (2020)
  • S. Han et al., Intrusion detection in cyber-physical systems: techniques and challenges, IEEE Syst. J. (2014)
  • T.T. Gamage et al., Enforcing information flow security properties in cyber-physical systems: a generalized framework based on compensation, Proceedings of the Computer Software and Applications Conference Workshops (COMPSACW), IEEE 34th Annual (2010)