SafeCI: Avoiding process anomalies in critical infrastructure
Introduction
A Cyber Physical System (CPS) is a combination of cyber and physical subsystems. Most Critical Infrastructure (CI), including power systems and water systems, are examples of CPS. The cyber subsystem in a CI, often referred to as an Industrial Control System (ICS), is responsible for controlling the process inherent in the physical subsystem. In a CI, the cyber and physical subsystems are often complex and distributed. For example, in a water plant the cyber subsystem includes a Supervisory Control and Data Acquisition (SCADA) system and multiple Programmable Logic Controllers (PLCs). These cyber components communicate over a communication network. The physical subsystem includes, among others, components such as water tanks, pumps, and valves. Sensors collect the state of the physical subsystem and transmit it to the cyber subsystem, and actuators receive control signals from it. This interface enables a PLC to obtain the process state and apply control signals to the actuators to move the process to its next natural state. The design of systems that fall in the CI category often follows the Purdue layered architecture [1] across sensors, actuators, PLCs and SCADA, as shown in Fig. 1.
Vulnerabilities in the cyber subsystem are exploited by malicious actors with the intent to move the CI to an anomalous state. A CI that remains in such a state for sufficiently long duration may experience component damage or loss of service [2], [3]. Malicious insiders could also exploit their access to a plant and launch cyber attacks [4]. Attempts to disrupt or damage CI appear to be on the rise [5]. In addition to exploiting vulnerabilities in software and communications infrastructure, attackers also use social engineering to extract credentials of plant operators and managers to enter the cyber subsystem of a plant from where they could launch commands to disrupt normal operation [2], [6]. More targeted attacks are also possible in ICS [7], [8], [9]. However, prevention and detection of targeted attacks against ICS is challenging given the numerous system characteristics that need to be accounted for including a multitude of devices, protocols, and operational process parameters, that could be manipulated by an attacker.
The discussion above highlights the importance of designing a secure CI that contains mechanisms for attack prevention and timely detection. A plethora of such mechanisms exist and are often deployed in CI. These include firewalls configured to allow only traffic that matches specific source and destination addresses and timing requirements; several proposals also exist for more intelligent firewalls [10]. Intrusion detection systems [11] monitor network traffic and alert the operator when the traffic pattern does not conform to a specification or matches a known signature. Intrusion prevention systems can detect an intrusive activity and also attempt to stop it, ideally before it reaches its target. Detection systems are more common in CI than prevention systems, because an incorrectly configured prevention system may itself affect the safety of the plant. Intrusion detection is useful when a firewall has been breached. Such approaches are often based on detecting network traffic anomalies that likely result from the actions of a malicious intruder [11]. Another class of approaches detects cyber intrusions by detecting process anomalies [12], [13], [14]; supervised machine learning has also been used to characterize the physical invariants of a CPS for this purpose [15]. Methods that detect network and process anomalies generate an alert only after an attacker has entered the plant. Thus, depending on how early an alert is generated and the corresponding response initiated, the attacker may already have realised the intended effect, for example opening a circuit breaker or causing input power oscillations in an electric pump. An anomaly may also occur due to the failure of one or more plant components such as a motor or a valve; the focus of this work is on anomalies that occur due to the actions of an attacker.
It is imperative that methods that focus not only on detecting but also preventing process anomalies, be developed and investigated. SafeCI is one such method proposed in this paper.
SafeCI includes a strategically placed command validation subsystem for distributed ICS. The focus of SafeCI is on preventing a plant from entering an anomalous state. To do so, SafeCI validates commands targeted at actuators such as a pump, a generator, or a circuit breaker. The command itself may have originated at a PLC, a SCADA workstation, or a malicious computer connected directly to the plant network. By monitoring the system state through a secure subsystem named Argus [16], and evaluating the actuator functions described later, SafeCI validates a command prior to its arrival at the target and generates an alert when the command is found invalid. Argus ensures that SafeCI has access to the actual plant state, which, for some of the sources of malicious commands (see Section 3.1), may differ from the state as seen by a PLC or a SCADA workstation. The placement of SafeCI also makes it challenging for an attacker to disable it.
Contribution: SafeCI, a command validation method for distributed ICS, is presented. The method (a) is independent of the PLCs and SCADA systems used in an ICS, (b) allows the use of information from an anomaly detector, if one exists, in identifying bad commands sent to actuators, and (c) was evaluated experimentally in an operational water treatment plant [17].
Novelty: Several intrusion detection and prevention systems exist [18]. Prevention systems include intelligent firewalls [10] that focus on keeping an attacker out of the network. However, vulnerabilities in such firewalls and in their configuration could lead to a breach [5]. Once inside the plant network, an attacker may be able to manipulate plant data and inject malicious commands to different actuators. While network and process anomaly detectors may detect the attack and generate an alert, it may be too late and the targeted plant may already have moved into an undesirable state. SafeCI goes beyond intrusion detection and prevention and aims at avoiding plant anomalies by identifying and acting on a malicious command before it arrives at a PLC, i.e., after an active prevention system has been breached and whether or not a detection system has detected an anomaly.
Organization: Related work is discussed in Section 2. The sources of malicious commands and the threat model, which explain how and why malicious commands can arrive at an actuator, are in Section 3. The architecture and implementation of SafeCI are presented in Section 4. The plant model is presented in Section 5. Details of an experimental evaluation of SafeCI on SWaT are in Section 6. Section 7 summarizes this work and presents conclusions.
Related work
There exists a significant body of work that relates to the protection of ICS. This includes survey papers as well as papers pointing to the opportunities and challenges in ICS protection [14], [19], [20], [21], [22], [23], [24], [25]. A detailed survey of detection and prevention of attacks is available in [18]. Detection raises an alert when traffic patterns do not conform to a specification or match a signature. However, such systems do not focus on avoiding anomalies in the physical process of
Malicious commands and threat model
This section presents the sources of malicious commands and the threat-models considered in this paper. The need for SafeCI arises due to the possibility of malicious commands arriving at actuators in a CI. Below we enumerate the various sources of such commands and a threat model.
Design
Consider an ICS that consists of distributed, interacting PLCs. Each PLC communicates with sensors, actuators, and the SCADA workstation. Such interactions can be categorized into multiple levels as exemplified in Fig. 1. At level 0 (L0 in the figure) each PLC interacts with its respective sensors and actuators. At level 1 (L1 in the figure) PLCs interact with each other.
SafeCI obtains plant state from sensors using a secure mechanism. Argus [16] is one such mechanism used in this work. As
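The validation step described in the Introduction and in this section, as an added example that is not the paper's or SWaT's code: a small Python command validator that judges each actuator command against a trusted plant state rather than against the state the issuing PLC believes it has. The single-tank model, the tag names (LIT, MV, P), the alarm bands, the actuator functions, and the policy applied while an anomaly-detector alert is active are all assumptions made for illustration; the paper's own actuator functions and placement are as described in the text.

```python
"""Illustrative command validator in the spirit of SafeCI.

Added example, not the paper's code. Tag names, alarm bands, actuator
functions and the alert-time policy are assumptions for illustration.

Model: one tank stage with a level sensor LIT (mm), an inlet motorised valve
MV (OPEN/CLOSED) and an outlet pump P (ON/OFF). The validator sits between
the command sources (PLC, SCADA workstation, or an unknown host on the plant
network) and the actuator, and judges each command against the trusted plant
state supplied by a secure state source (the role Argus plays in the paper),
not against the state the issuing PLC believes it has.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed alarm bands in mm: low-low, low, high, high-high.
LL, L, H, HH = 250.0, 500.0, 800.0, 1000.0


@dataclass(frozen=True)
class PlantState:
    lit: float  # tank level in mm
    mv: str     # "OPEN" or "CLOSED"
    p: str      # "ON" or "OFF"


@dataclass(frozen=True)
class Command:
    actuator: str  # "MV" or "P"
    value: str     # requested setting
    source: str    # sender identity, kept for the decision record


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Actuator functions (assumed): given the trusted state and the requested
# value, return why the command is unsafe, or None if it is consistent.
def mv_function(state: PlantState, value: str) -> Optional[str]:
    if value == "OPEN" and state.lit >= HH:
        return "opening inlet at/above HH would overflow the tank"
    if value == "CLOSED" and state.lit <= LL and state.p == "ON":
        return "closing inlet at/below LL with pump running would run it dry"
    return None


def p_function(state: PlantState, value: str) -> Optional[str]:
    if value == "ON" and state.lit <= LL:
        return "starting pump at/below LL would run it dry"
    if value == "OFF" and state.lit >= HH and state.mv == "OPEN":
        return "stopping pump at/above HH with inlet open would overflow the tank"
    return None


ACTUATOR_FUNCTIONS: Dict[str, Callable[[PlantState, str], Optional[str]]] = {
    "MV": mv_function,
    "P": p_function,
}


def moves_toward_safe_band(cmd: Command, state: PlantState) -> bool:
    """Assumed policy applied only while an anomaly-detector alert is active:
    accept a command only if it pushes the level back toward [L, H]."""
    if cmd.actuator == "MV":
        return (cmd.value == "CLOSED" and state.lit >= H) or (
            cmd.value == "OPEN" and state.lit <= L)
    if cmd.actuator == "P":
        return (cmd.value == "ON" and state.lit >= H) or (
            cmd.value == "OFF" and state.lit <= L)
    return False


def validate(cmd: Command, trusted: PlantState,
             detector_alert: bool = False) -> Decision:
    """Decide, before the command reaches the actuator, whether to forward it."""
    fn = ACTUATOR_FUNCTIONS.get(cmd.actuator)
    if fn is None:
        return Decision(False, f"unknown actuator {cmd.actuator!r} from {cmd.source}")
    reason = fn(trusted, cmd.value)
    if reason is not None:
        return Decision(False, f"{reason} (from {cmd.source})")
    if detector_alert and not moves_toward_safe_band(cmd, trusted):
        return Decision(False, f"alert active and command does not move level "
                               f"toward safe band (from {cmd.source})")
    return Decision(True, "consistent with trusted plant state")


def spoofed_sensor_scenario() -> Tuple[Decision, Decision]:
    """Constructed scenario: an attacker forges a low level reading at the PLC,
    whose logic then opens the inlet. Judged against the PLC's view the
    command looks fine; judged against the trusted level it is rejected."""
    plc_view = PlantState(lit=240.0, mv="CLOSED", p="OFF")   # forged reading
    trusted = PlantState(lit=1005.0, mv="CLOSED", p="OFF")   # secure source
    cmd = Command("MV", "OPEN", source="plc1")
    return validate(cmd, plc_view), validate(cmd, trusted)


if __name__ == "__main__":
    for d in spoofed_sensor_scenario():
        print(d)
```

Running the file prints the two decisions of the constructed spoofed-sensor scenario: the same OPEN command passes when judged against the forged level the PLC sees and is rejected when judged against the trusted level. That gap is why the text insists that SafeCI obtain plant state through a secure mechanism such as Argus rather than from the PLC whose commands it is checking; the `detector_alert` flag shows how an existing anomaly detector's alert can tighten the check, as contribution (b) describes.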
Plant model
The context in which SafeCI was evaluated and the model of the plant are described next.
Context: SafeCI was implemented and experimentally evaluated in a water treatment plant named SWaT [17]. SWaT is distributed across six stages shown in Figs. 4 and 5. It produces 5 gallons/min of purified water. Several published articles in ICS security have made use of data collected from SWaT [54], [55], [56], [57], [58], [59].
Components and states: A plant is represented as a triple where
Evaluation of SafeCI
The effectiveness of SafeCI was evaluated on SWaT, an operational water treatment plant [17]. The metrics used in the evaluation, the attack design, and the results are described next.
Summary and conclusions
SafeCI is an approach to avoiding process anomalies in critical infrastructure, in contrast to detecting network traffic anomalies, which is the focus of several IDSs. While detection of anomalies is important, one could raise the security level of a plant by adding mechanisms for avoiding anomalies. SafeCI offers an approach complementary to anomaly detection. SafeCI uses a design-centric approach. Experiments reported here are indicative of the high reliability of SafeCI in flagging commands as
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (63)
- et al., Design and assessment of an orthogonal defense mechanism for a water treatment facility, Robot. Auton. Syst. (2018)
- et al., Accurate modeling of modbus/TCP for intrusion detection in SCADA systems, Int. J. Crit. Infrastruct. Prot. (2013)
- et al., On using physical based intrusion detection in SCADA systems, Proc. Comput. Sci. (2020)
- et al., Firmware modification attacks on programmable logic controllers, Int. J. Crit. Infrastruct. Prot. (2013)
- et al., ICS-BlockOpS: blockchain for operational data security in industrial control system, Pervasive Mob. Comput. (2019)
- et al., Anomaly detection in industrial control systems using logical analysis of data, Comput. Secur. (2020)
- The Purdue enterprise reference architecture, Proceedings of the JSPE/IFIP TC5/WG5.3 Workshop on the Design of Information Infrastructure Systems for Manufacturing (1993)
- R. Lipovsky, New wave of cyber attacks against Ukrainian power industry, 2016, ...
- et al., Stuxnet Under the Microscope (2010)
- et al., Malicious Control System Cyber Security Attack Case Study: Maroochy Water Services, Australia (2008)
- The impact of social engineering on industrial control system security, Proceedings of the CPS-SPC
- Attacks against process control systems: risk assessment, detection, and response, Proceedings of the 6th ASIACCS
- Cyber security risks assessment with Bayesian defense graphs and architectural models, Proceedings of the 42nd Hawaii International Conference on System Sciences
- Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit, Proceedings of the NDSS
- Distributed specification-based firewalls for power grid substations, Proceedings of the IEEE PES ISGT-Europe
- Specification-based anomaly detection: a new approach for detecting network intrusions, Proceedings of the 9th ASIACCS
- False data injection attacks against state estimation in electric power grids, Proceedings of the 16th ACM CCS
- A modal model of Stuxnet attacks on cyber-physical systems: a matter of trust, Proceedings of the Eighth International Conference on Software Security and Reliability (SERE)
- A survey of intrusion detection techniques for cyber-physical systems, ACM CSUR
- Learning from mutants: using code mutation to learn and monitor invariants of a cyber-physical system, Proceedings of the IEEE S&P
- SWaT: a water treatment testbed for research and training on ICS security, Proceedings of the International Workshop on CySWater
- Secure control: towards survivable cyber-physical systems, Proceedings of the 28th ICDCS
- Cyber-physical systems: design challenges, Technical Report, http://www.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-8.html
- Cloud-assisted IoT-based SCADA systems security: a review of the state of the art and future challenges, IEEE Access
- Cyber-physical systems security: a survey, IEEE Internet Things J.
- A taxonomy of supervised learning for IDSs in SCADA environments, ACM Comput. Surv. (CSUR)
- Challenges and opportunities in the detection of safety-critical cyberphysical attacks, Computer
- Intrusion detection in cyber-physical systems: techniques and challenges, IEEE Syst. J.
- Enforcing information flow security properties in cyber-physical systems: a generalized framework based on compensation, Proceedings of the IEEE 34th Annual Computer Software and Applications Conference Workshops (COMPSACW)