Using timing-based side channels for anomaly detection in industrial control systems

https://doi.org/10.1016/j.ijcip.2016.07.003

Abstract

The critical infrastructure, which includes the electric power grid, railroads and water treatment facilities, is dependent on the proper operation of industrial control systems. However, malware such as Stuxnet has demonstrated the ability to alter industrial control system parameters to create physical effects. Of particular concern is malware that targets embedded devices that monitor and control system functionality, while masking the actions from plant operators and security analysts. Indeed, system security relies on guarantees that the assurance of these devices can be maintained throughout their lifetimes. This paper presents a novel approach that uses timing-based side channel analysis to establish a unique device fingerprint that helps detect unauthorized modifications of the device. The approach is applied to an Allen Bradley ControlLogix programmable logic controller where execution time measurements are collected and analyzed by a custom anomaly detection system to detect abnormal behavior. The anomaly detection system achieves true positive rates of 0.978–1.000 with false positive rates of 0.033–0.044. The test results demonstrate the feasibility of using timing-based side channel analysis to detect anomalous behavior in programmable logic controllers.

Introduction

During a siege in 590 BCE, Solon of Athens poisoned the water supply of the town of Cirrha using hellebore roots [20]. The contaminated water incapacitated the unsuspecting Cirrhaeans with uncontrollable diarrhea and the Athenians quickly overwhelmed the city [20]. In 2000, Vitek Boden leveraged unauthorized wireless access to a sewage treatment plant to release 800,000 L of raw sewage into public water supplies in Australia [22]. In this incident, one malicious actor without direct physical access was able to cause a significant environmental impact. Due to increasing network connectivity, critical infrastructure systems are more susceptible to malicious attacks than ever before.

Modern society relies on industrial control systems (ICSs) to automate the operation of the critical infrastructure. Historically, industrial control systems were considered to be secure due to their isolation from external networks. Recently, however, industrial control systems have become less isolated as they incorporate commodity information technologies to improve efficiency and decrease costs [25]. The trend to interconnect industrial control devices exposes them to external networks and potential threats. Common devices, such as programmable logic controllers (PLCs), often lack security mechanisms such as authentication and encryption [25]. Stuxnet [8] demonstrated that significant damage can occur if a programmable logic controller in an industrial facility is compromised. Stuxnet also demonstrated that network protection mechanisms such as intrusion detection and air gapping, while important and effective, are unable to protect sensitive systems from sophisticated attackers.

A programmable logic controller has three layers: (i) hardware layer; (ii) firmware layer; and (iii) programming layer [4]. Building and maintaining trust in a device requires validating all three layers against a known-good baseline. The hardware is the lowest layer that executes the firmware. The firmware handles functionality such as communications, programming layer execution and error handling. Compromising the firmware of a device enables an attacker to cause negative effects and hide them from operators. The programming layer, also called the application layer, is designed to perform high-level system tasks. The applications in this programmable logic controller layer are often implemented using ladder logic programs. Stuxnet [8] demonstrated that the application layer of a programmable logic controller can be modified to cause significant damage to the controlled physical systems.

Background

This paper describes a novel technique for fingerprinting a programmable logic controller after it has been deployed. The fingerprint is developed by monitoring the execution characteristics of the device while it is in operation. The device is then fingerprinted periodically to verify that it has not been modified intentionally or unintentionally. The timing characteristics of the programmable logic controller are determined by the firmware and ladder logic programs that execute on the device.

Anomaly detection system

This section describes the anomaly detection system that uses side channel analysis to detect unauthorized modifications made to programmable logic controller firmware and ladder logic programs. The approach analyzes the execution time characteristics of programmable logic controllers to detect intentional or unintentional modifications.
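The fingerprint-and-compare workflow described above, as an added example that is not the paper's code: the paper does not state its detection model, so the mean/standard-deviation fingerprint, the z-score threshold on a window of new measurements, and the constructed scan-time samples (a 1.5 ms scan cycle with 30 us jitter, and a modified program that runs 1% slower) are all assumptions made for illustration.

```python
import random
import statistics

# Constructed figures for the demo (not from the paper): a 1.5 ms scan cycle with 30 us jitter.
BASE_MEAN_US = 1500.0
BASE_JITTER_US = 30.0


def build_fingerprint(samples):
    """Baseline fingerprint: mean and population stdev of execution-time samples
    collected while the device is known-good (assumed fingerprint model)."""
    return {"mean": statistics.mean(samples), "stdev": statistics.pstdev(samples)}


def is_anomalous(fingerprint, window, k=3.0):
    """Flag a window of new measurements whose mean drifts more than k standard
    errors from the baseline mean (assumed z-score detection rule)."""
    se = fingerprint["stdev"] / (len(window) ** 0.5)
    drift = abs(statistics.mean(window) - fingerprint["mean"])
    if se == 0.0:  # edge case: a perfectly deterministic baseline tolerates no drift at all
        return drift > 0.0
    return drift / se > k


def evaluate(fingerprint, benign_windows, modified_windows, k=3.0):
    """True and false positive rates over labelled windows, the metrics the paper reports."""
    tp = sum(is_anomalous(fingerprint, w, k) for w in modified_windows)
    fp = sum(is_anomalous(fingerprint, w, k) for w in benign_windows)
    return {"tpr": tp / len(modified_windows), "fpr": fp / len(benign_windows)}


def simulate_scan_times(rng, n, mean_us, jitter_us):
    """Constructed scan-time samples; a real deployment would read them from the PLC."""
    return [rng.gauss(mean_us, jitter_us) for _ in range(n)]


def run_demo(seed=7):
    rng = random.Random(seed)
    fingerprint = build_fingerprint(simulate_scan_times(rng, 2000, BASE_MEAN_US, BASE_JITTER_US))
    benign = [simulate_scan_times(rng, 100, BASE_MEAN_US, BASE_JITTER_US) for _ in range(200)]
    # Modified program: assumed +1% scan time from a few injected ladder-logic rungs.
    modified = [simulate_scan_times(rng, 100, BASE_MEAN_US * 1.01, BASE_JITTER_US) for _ in range(200)]
    return evaluate(fingerprint, benign, modified)


if __name__ == "__main__":
    print(run_demo())
```

With a 100-sample window the standard error is about 3 us, so a 15 us drift sits roughly five standard errors out and is caught almost every time, while benign windows almost never cross the threshold.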

Experimental design

The test equipment for the experiments included an Allen Bradley ControlLogix programmable logic controller with a 1756-L61 CPU module and a Windows XP computer with RSLogix 5000 and Python installed. The two devices were connected via Ethernet to a common switch.

ControlLogix series programmable logic controllers have a feature that allows users to obtain performance data over Ethernet. This feature was important because it enabled remote characterization with minimal intrusiveness. The

Implementation and results

This section provides details of the anomaly detection system implementation and the anomaly detection results.

Conclusions

The timing-based side channel analysis technique presented in this paper enables control system operators to detect modifications to the firmware and ladder logic programs of programmable logic controllers. A field device can be fingerprinted when it is first deployed to create a baseline fingerprint specific to the application. Subsequent fingerprints taken of the device are compared against the baseline to ensure that no modifications have been made. The technique may be used to detect

Acknowledgments

Note that the views expressed in this paper are those of the authors and do not reflect the official policy or position of the U.S. Air Force, U.S. Army, U.S. Department of Defense or U.S. Government.

References

  • O. Aciicmez, W. Schindler and C. Koc, Cache based remote timing attack on the AES, in Topics in Cryptology – CT-RSA...
  • D. Agrawal, B. Archambeault, J. Rao and P. Rohatgi, The EM side-channel(s), Proceedings of the Fourth International...
  • C. Arnold, J. Butts and K. Thirunarayan, Strategies for combating sophisticated attacks, Journal of Information...
  • Z. Basnight, J. Butts, J. Lopez and T. Dube, Analysis of programmable logic controller firmware for threat assessment...
  • D. Brumley and D. Boneh, Remote timing attacks are practical, Proceedings of the Twelfth USENIX Security Symposium,...
  • B. Chevallier-Mames, M. Ciet and M. Joye, Low-cost solutions for preventing simple side-channel analysis: Side-channel...
  • J. Dhem, F. Koeune, P. Leroux, P. Mestre, J. Quisquater and J. Willems, A practical implementation of the timing...
  • N. Falliere, L. O'Murchu and E. Chien, W32.Stuxnet Dossier, Version 1.4, Symantec, Mountain View, California,...
  • N. Japkowicz and M. Shah, Evaluating Learning Algorithms: A Classification Perspective, Cambridge University Press,...
  • J. Kelsey, B. Schneier, D. Wagner and C. Hall, Side channel cryptanalysis of product ciphers, Journal of Computer...
  • B. Kernighan and D. Ritchie, The C Programming Language, Prentice Hall, Englewood Cliffs, New Jersey,...
  • P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems, Proceedings of the...
  • B. Kopf and D. Basin, An information-theoretic model for adaptive side-channel attacks, Proceedings of the Fourteenth...
  • L. McMinn and J. Butts, A firmware verification tool for programmable logic controllers, in Critical Infrastructure...