DOI: 10.1145/2976749.2978388

Limiting the Impact of Stealthy Attacks on Industrial Control Systems

Published: 24 October 2016

ABSTRACT

While attacks on information systems have, for most practical purposes, binary outcomes (information was manipulated/eavesdropped, or not), attacks that manipulate the sensor or control signals of Industrial Control Systems (ICS) can be tuned by the attacker to cause a continuous spectrum of damage. Attackers that want to remain undetected can attempt to hide their manipulation of the system by closely following its expected behavior, while injecting just enough false information at each time step to achieve their goals. In this work, we study whether attack detection can limit the impact of such stealthy attacks. We start with a comprehensive review of related work on attack detection schemes in the security and control systems communities. We then show that many of those works use detection schemes that do not limit the impact of stealthy attacks. We propose a new metric that measures the impact of stealthy attacks and relates it to the chosen upper bound on false alarms. We finally show that the impact of such attacks can be mitigated in several cases by the proper combination and configuration of detection schemes. We demonstrate the effectiveness of our algorithms through simulations and experiments using real ICS testbeds and real ICS systems.
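As an added illustration, not code from the paper or its ICS testbeds: a constructed toy plant is monitored by a stateless residual detector and by a stateful cumulative-sum (CUSUM) detector, both calibrated to the same false-alarm budget, and the largest deviation of the true state that an attacker following the abstract's model (just-under-threshold false data at every step) can cause without raising an alarm is measured under each. The plant, controller gain, noise levels and the CUSUM drift value are assumptions.

```python
import random

# Constructed toy plant (an assumption, not the paper's testbed): a first-order
# process x[k+1] = x[k] + u[k] + w[k] held at SETPOINT by a proportional
# controller that acts on the reported sensor value y[k] = x[k] + v[k].
SETPOINT, GAIN = 10.0, 0.5
SIGMA_W, SIGMA_V = 0.1, 0.1   # process and sensor noise (standard deviation)
CUSUM_DRIFT = 0.2             # assumed drift parameter, about one residual std

def residual(y, y_prev, u_prev):
    """Physics-based residual: reported value minus the model's prediction."""
    return y - (y_prev + u_prev)

def stateless_stat(_state, r):
    """Stateless detector: the statistic is just the current residual size."""
    return abs(r)

def cusum_stat(state, r):
    """Stateful (CUSUM) detector: accumulate residual size above the drift."""
    return max(0.0, state + abs(r) - CUSUM_DRIFT)

def calibrate(stat_fn, false_alarm_rate=0.01, steps=5000, seed=1):
    """Threshold = (1 - false_alarm_rate) empirical quantile of the statistic
    during attack-free operation, i.e. the same false-alarm budget for both."""
    rng = random.Random(seed)
    x = y_prev = SETPOINT
    u_prev, state, stats = 0.0, 0.0, []
    for _ in range(steps):
        x += u_prev + rng.gauss(0, SIGMA_W)
        y = x + rng.gauss(0, SIGMA_V)             # honest sensor reading
        state = stat_fn(state, residual(y, y_prev, u_prev))
        stats.append(state)
        u_prev, y_prev = GAIN * (SETPOINT - y), y
    stats.sort()
    return stats[int((1 - false_alarm_rate) * steps)]

def stealthy_attack(stat_fn, threshold, per_step_bias, steps=50, seed=2):
    """Readings are replaced so that every residual equals per_step_bias, just
    under what the detector tolerates per step. Returns (alarms raised, largest
    deviation of the TRUE state from the setpoint); the latter is the impact."""
    rng = random.Random(seed)
    x = y_prev = SETPOINT
    u_prev, state, alarms, impact = 0.0, 0.0, 0, 0.0
    for _ in range(steps):
        x += u_prev + rng.gauss(0, SIGMA_W)
        y = y_prev + u_prev + per_step_bias       # spoofed reading
        state = stat_fn(state, residual(y, y_prev, u_prev))
        alarms += int(state > threshold)
        impact = max(impact, abs(x - SETPOINT))
        u_prev, y_prev = GAIN * (SETPOINT - y), y   # controller trusts y
    return alarms, impact

def compare(margin=0.01):
    """Impact of a stealthy attack under each detector at equal false-alarm budget."""
    tau, tau_c = calibrate(stateless_stat), calibrate(cusum_stat)
    return {"stateless": stealthy_attack(stateless_stat, tau, tau - margin),
            "cusum": stealthy_attack(cusum_stat, tau_c, CUSUM_DRIFT - margin)}
```

With these assumed parameters the stateless threshold tolerates more than twice the per-step bias of the CUSUM drift, so the same false-alarm budget buys much less impact limitation; re-run calibrate() on the residual statistics of a real loop before drawing conclusions about it.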


Published in: CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, 1924 pages. ISBN: 9781450341394. DOI: 10.1145/2976749

Copyright © 2016 ACM. Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CCS '16 paper acceptance rate 137 of 831 submissions (16%); overall acceptance rate 1,261 of 6,999 submissions (18%).
