Cyber Attack Detection & Prevention on Industrial Control Systems
In computers and computer networks, an attack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to, or make unauthorized use of, an asset. A cyber-attack is any offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices. Depending on context, cyber-attacks can be labeled as a cyber-campaign, cyber-warfare or cyber-terrorism. A cyber-attack can be employed by nation-states, individuals, groups, society or organizations, and it may originate from an anonymous source.
A cyber-attack may steal, alter, or destroy a specified target by hacking into a susceptible system. Cyber-attacks can range from installing spyware on a personal computer to attempting to destroy the infrastructure of entire nations. Legal experts are seeking to limit the use of the term to incidents causing physical damage, distinguishing it from the more routine data breaches and broader hacking activities. Cyber-attacks have become increasingly sophisticated and dangerous.
Cyber-attacks and detection in ICS:
Access to an ICS can be obtained by malicious actors via several means, including the exploitation of vulnerabilities in PLC firmware and network configuration, as well as via social engineering attacks. Once in, such actors can control plant operation, leading to one or more unintended consequences that affect plant safety and integrity. Methods for detecting such attacks have been implemented in a variety of ways. For example, one implementation involves an active device that sits on the network on which the PLCs communicate and watches the traffic. Another implementation modifies the control code in each PLC so that it also checks the observed plant behavior against what the process physics allows, and raises an alarm on anomalous behavior.
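The second implementation, detection logic embedded in the PLC's own control code, is illustrated by the following added example; it is not code from the original article. It checks a short trace of level-sensor readings against invariants derived from the physics of a single tank. The plant constants (inflow and outflow rates, trip level, tolerance), the invariants and the sensor trace are all constructed for the example; the attack shown is a replayed (frozen) level reading while the inlet valve is open.

```python
"""Invariant-based anomaly detection of the kind a PLC's control code can embed.

Added illustration, not code from the original article. The plant constants,
the invariants and the sensor trace are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Reading:
    t: float          # seconds since start
    level: float      # tank level in mm, as reported by the level sensor
    inlet_open: bool  # commanded state of the motorized inlet valve
    pump_on: bool     # commanded state of the outlet pump


# Constructed plant constants (assumed, not from the article).
LEVEL_MAX = 1000.0   # hardware high-level trip point, mm
INFLOW_RATE = 5.0    # mm/s when the inlet valve is open
OUTFLOW_RATE = 3.0   # mm/s when the pump runs
TOLERANCE = 2.0      # mm of sensor noise tolerated per step


def expected_delta(prev: Reading, cur: Reading) -> float:
    """Physics-derived change in level between two readings, given the
    actuator commands that were in force during the interval."""
    dt = cur.t - prev.t
    rate = (INFLOW_RATE if prev.inlet_open else 0.0) - (OUTFLOW_RATE if prev.pump_on else 0.0)
    return rate * dt


def check_invariants(prev: Reading, cur: Reading) -> list[str]:
    """Return the names of violated invariants (an empty list means normal)."""
    violations = []
    # I1: the reported level must follow the commanded actuators. A replayed
    # or frozen sensor value, or an actuator moved behind the PLC's back,
    # breaks this relation.
    delta = cur.level - prev.level
    if abs(delta - expected_delta(prev, cur)) > TOLERANCE:
        violations.append("I1:level_inconsistent_with_actuators")
    # I2: the controller must never leave the inlet open at the trip point.
    if cur.inlet_open and cur.level >= LEVEL_MAX:
        violations.append("I2:inlet_open_at_high_level")
    # I3: a reading outside the physical tank is impossible, whatever the cause.
    if not (0.0 <= cur.level <= LEVEL_MAX * 1.05):
        violations.append("I3:level_out_of_physical_range")
    return violations


def scan_trace(trace: list[Reading]) -> list[tuple[float, list[str]]]:
    """Run the checks over a whole trace; returns (time, violations) per alarm."""
    alarms = []
    for prev, cur in zip(trace, trace[1:]):
        v = check_invariants(prev, cur)
        if v:
            alarms.append((cur.t, v))
    return alarms


# Constructed trace: inlet open, pump off. From t=3 the attacker replays the
# reading 810.0, so the PLC would believe the tank has stopped filling.
NORMAL = [Reading(0, 800.0, True, False), Reading(1, 805.0, True, False), Reading(2, 810.0, True, False)]
REPLAYED = [Reading(3, 810.0, True, False), Reading(4, 810.0, True, False)]

if __name__ == "__main__":
    for t, v in scan_trace(NORMAL + REPLAYED):
        print(f"t={t}: {v}")
```

The check runs in the same scan cycle as the control logic, so it needs no extra device on the network; its cost is that the invariants must be re-derived whenever the process or its tuning changes, and the tolerance must be wide enough to absorb sensor noise but narrow enough that a slow drift attack is still caught.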
Validation of attack detection methods:
An important question is “how to validate a detection method implemented in an operational plant.” One approach is design validation; another is to test the system against appropriately designed tests. Both approaches have their pros and cons, but testing might not be feasible in an operational plant simply because of its high availability requirement. Thus, a design-validation based approach seems a viable option in such situations. The integration of formal methods in both hardware and software development has enhanced the quality of systems significantly. Hence we expect that the adoption of formal methods can also deliver comparable improvements in the security of critical infrastructures.
Formal methods have been shown to be useful in reasoning about systems security. For example, Needham and Schroeder’s work on authentication protocols and a report from Bell and LaPadula on mathematical models of secure operating systems point to the importance of using formal methods in the design of secure systems. In the context of legacy ICS, the use of formal methods becomes an attractive option when it is not possible, or economical, to test the effectiveness of an attack detection method against a variety of cyber-attacks.
Selecting a modeling formalism:
Several formalisms exist to model a system, including transition systems, I/O automata, and process algebras. Critical infrastructure, such as a water treatment plant, exhibits time-dependent behavior, whereas most of these formalisms are limited to modeling the qualitative properties of a system. For example, such formalisms can capture the property that “a motorized valve moves to state OPEN when the water level in a tank is low,” but they are not suitable for modeling “a motorized valve takes approximately three seconds to move from CLOSED to OPEN.” Therefore, we need a modeling formalism that can capture the timing constraints specific to each component in the system, and one that also allows modeling a variety of cyber-attacks. This requirement led us to consider Timed Automata to model process behavior in a critical infrastructure, as well as to model attacks and components.
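The following added example (not code from the original article) shows what the timing constraint above looks like as a timed automaton with one clock, and how a trace of timestamped commands and sensor events is checked against it. The locations, the clock guards, the slack around the three-second travel time and the three traces are constructed for the example. A rejected trace is one the physical valve cannot produce, which is exactly the signal a detector built on the model raises an alarm on: a sensor reporting OPEN far too early (a spoofed or replayed sensor) and a valve that never reaches OPEN in time (a stuck or tampered actuator) are both rejected, for different reasons.

```python
"""Timed-automaton model of a motorized valve and a trace checker.

Added illustration, not code from the original article. States, guards and
the event traces are constructed; the three-second travel time is the figure
quoted in the text.
"""
from dataclasses import dataclass

TRAVEL = 3.0   # nominal CLOSED->OPEN (and OPEN->CLOSED) travel time, seconds
SLACK = 0.5    # "approximately": accept travel times in [TRAVEL-SLACK, TRAVEL+SLACK]


@dataclass(frozen=True)
class Edge:
    src: str
    event: str
    dst: str
    guard_lo: float = 0.0             # guard: clock x >= guard_lo
    guard_hi: float = float("inf")    # guard: clock x <= guard_hi
    reset: bool = False               # reset clock x when the edge is taken


# Timed automaton with one clock x. Location invariants bound how long the
# automaton may remain in a transitional location before it must leave.
EDGES = [
    Edge("CLOSED", "cmd_open", "OPENING", reset=True),
    Edge("OPENING", "sense_open", "OPEN", TRAVEL - SLACK, TRAVEL + SLACK),
    Edge("OPEN", "cmd_close", "CLOSING", reset=True),
    Edge("CLOSING", "sense_closed", "CLOSED", TRAVEL - SLACK, TRAVEL + SLACK),
]
INVARIANT = {"OPENING": TRAVEL + SLACK, "CLOSING": TRAVEL + SLACK}   # x <= bound


def run(trace: list[tuple[float, str]], start: str = "CLOSED") -> tuple[bool, str]:
    """Replay a timestamped (time, event) trace through the automaton.

    Returns (accepted, explanation). Rejection means the observed behaviour
    is not one the physical valve can produce."""
    loc, x, now = start, 0.0, 0.0
    for t, ev in trace:
        if t < now:
            return False, f"non-monotonic timestamp {t} at {ev}"
        x += t - now          # let the clock advance to the event time
        now = t
        # Time may only pass in a location while its invariant holds.
        if loc in INVARIANT and x > INVARIANT[loc]:
            return False, f"stayed in {loc} for {x:.1f}s, exceeds invariant {INVARIANT[loc]:.1f}s"
        edge = next((e for e in EDGES if e.src == loc and e.event == ev), None)
        if edge is None:
            return False, f"event {ev} not enabled in {loc}"
        if not (edge.guard_lo <= x <= edge.guard_hi):
            return False, f"{ev} at x={x:.1f}s violates guard [{edge.guard_lo:.1f}, {edge.guard_hi:.1f}]"
        loc = edge.dst
        if edge.reset:
            x = 0.0
    return True, f"accepted, final location {loc}"


# Constructed traces.
NORMAL = [(0.0, "cmd_open"), (3.1, "sense_open"), (10.0, "cmd_close"), (12.9, "sense_closed")]
SPOOFED = [(0.0, "cmd_open"), (0.4, "sense_open")]   # sensor claims OPEN far too early
STUCK = [(0.0, "cmd_open"), (6.0, "sense_open")]     # valve never reached OPEN in time

if __name__ == "__main__":
    for name, tr in [("normal", NORMAL), ("spoofed", SPOOFED), ("stuck", STUCK)]:
        print(name, run(tr))
```

The same automaton serves both purposes named in the text: as a model of the component for design-time reasoning (a model checker such as UPPAAL works on exactly this kind of object), and as the reference against which a runtime monitor replays observed events. Attack models are added in the same way, as automata whose events interleave with the plant's, and the question "can the detector miss this attack" becomes a reachability query on their product.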
Industrial control systems (ICS):
Industrial control systems (ICS) constitute a class of cyber-physical systems that implement industrial processes. Although they were originally developed and employed in typical industrial environments for industrial control, their use has extended to the control and management of a wide range of processes, from avionics to power grids, and from traffic management and transport systems to water management. Today, industrial control systems are employed for the management and control of most of the critical infrastructure of countries. Although ICS are computing systems, their development, management and operation differ from those of traditional information technology (IT) systems: they have different interfaces, they are owned and managed by different engineers, they have strong requirements for continuous, real-time operation, they employ specialized network protocols, and so on. For this reason they are designated as operational technology (OT) systems.
Security and safety in ICS:
Safety and security are terms that have different meaning to engineers and scientists of different disciplines and backgrounds; often, they are even used interchangeably. Until recently, safety and security were considered independently as different disciplines and with different engineering methods. As a result, it is often unclear what constitutes a safe and/or secure system and what is the relationship between safety and security.
Designing safe and secure ICS:
An industrial control system is a hybrid system consisting of physical resources (also called the plant), which are observed through sensors and controlled through actuators by software applications. Designing such hybrid systems to be safe and secure is challenging mainly because of (i) the hierarchy of heterogeneous sub-systems, i.e., sub-systems with different interfaces/platforms and from different vendors, and (ii) the hybrid nature of ICS components, i.e., continuous physical processes alongside discrete control applications. To address this challenge, the overall ICS design is logically divided into ICS computational system design and ICS network design. The former deals with the security and safety of the control decisions implemented by computational systems and their application software, while the latter deals with the security and safety of the communicated data that carry observations/measurements from the controlled resources as well as the decisions made by the control devices. In the following subsections, we discuss the two design levels, respectively.
Monitoring industrial control systems for security and safety:
Independently of compliance with standards, an ICS that has been designed to be safe and secure is not guaranteed to operate as expected in a real environment; ICS, like other systems, are designed and tested in a safe and controlled environment, while their field operation takes place in larger, uncontrolled environments. Thus, it is necessary to monitor system operation at runtime to ensure that process execution is both secure and safe. This monitoring is typically implemented with security monitors, which compare system execution with a reference model to detect any security or safety breach. There are two facets of monitoring in ICS environments: (i) monitoring the identity and privacy of the ICS components and users, assuring that only legitimate components/users have access to the ICS, and (ii) monitoring the reliability of ICS operations, assuring that ICS components/users are operating as desired. Based on these facets, in the following we present methods to monitor industrial control systems.
ICS environments have well-defined communication patterns, and thus sophisticated attacks can be detected by monitoring the network traffic among system components. Intrusion detection systems (IDS) are an example of such monitors; they aim to detect attacks by understanding system behavior through analysis of network traffic. IDS variants differ in (i) how they characterize behavior (e.g., profile-based or model-based) and (ii) how they compare behaviors (e.g., comparison to known bad behavior or detection of violations of good behavior). Combining the two axes, these monitors can be classified into four classes. Profile-based methods build a profile of system components by observing system parameters.
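The four classes of the taxonomy, each realized as a small detector and run over the same stream of Modbus/TCP-like requests, as an added example that is not code from the original article. The record layout, the allowed-communication model, the learned baseline, the signature and the sample traffic are all constructed for the example; the function codes (3 Read Holding Registers, 16 Write Multiple Registers, 8 Diagnostics with sub-function 4 Force Listen Only Mode) are taken from the Modbus application protocol specification.

```python
"""Four IDS classes (profile/model x bad-behaviour/good-behaviour) over one
constructed stream of Modbus/TCP-like requests.

Added illustration, not code from the original article. Records are
(second, src, dst, function_code, subfunction); all traffic is constructed.
"""
from collections import Counter, defaultdict

# Constructed traffic. Training: the HMI polls plc1 once per second with
# function code 3 and writes (code 16) every ten seconds.
TRAINING = [(s, "hmi", "plc1", 3, None) for s in range(60)] + \
           [(s, "hmi", "plc1", 16, None) for s in range(0, 60, 10)]
# Live: the same polling, plus an engineering laptop writing to the PLC, a
# diagnostics request that silences the PLC, and a burst of 20 extra polls
# per second from the HMI address in seconds 40..44.
LIVE = [(s, "hmi", "plc1", 3, None) for s in range(60)] + \
       [(30, "eng-laptop", "plc1", 16, None)] + \
       [(31, "hmi", "plc1", 8, 4)] + \
       [(s, "hmi", "plc1", 3, None) for s in range(40, 45) for _ in range(20)]


# 1. Model-based, violation of good behaviour: a specification of who may
#    send which function code to whom; anything else is an alarm.
ALLOWED = {("hmi", "plc1", 3), ("hmi", "plc1", 16)}

def model_whitelist(records):
    return [r for r in records if (r[1], r[2], r[3]) not in ALLOWED]


# 2. Model-based, comparison to bad behaviour: signatures of known attack
#    messages (here one: Diagnostics / Force Listen Only Mode).
SIGNATURES = {(8, 4): "force-listen-only (silences the PLC)"}

def model_signature(records):
    return [(r, SIGNATURES[(r[3], r[4])]) for r in records if (r[3], r[4]) in SIGNATURES]


# 3. Profile-based, violation of good behaviour: learn the peak per-second
#    rate of every flow during training and flag a window that exceeds it.
def _rates(records):
    per_sec = defaultdict(Counter)
    for s, src, dst, fc, _ in records:
        per_sec[(src, dst, fc)][s] += 1
    return per_sec

def build_profile(records):
    return {flow: max(c.values()) for flow, c in _rates(records).items()}

def profile_anomaly(records, profile, factor=3):
    alarms = []
    for flow, c in _rates(records).items():
        limit = profile.get(flow, 0) * factor     # unseen flow: any rate is anomalous
        for sec, n in sorted(c.items()):
            if n > limit:
                alarms.append((sec, flow, n))
    return alarms


# 4. Profile-based, comparison to bad behaviour: match the observed rate
#    against a profile of a known attack (a request flood of >= 10 req/s
#    from a single source).
FLOOD_PROFILE = 10

def profile_signature(records):
    per_sec = Counter((s, src) for s, src, *_ in records)
    return sorted((sec, src, n) for (sec, src), n in per_sec.items() if n >= FLOOD_PROFILE)


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print("whitelist  :", model_whitelist(LIVE))
    print("signature  :", model_signature(LIVE))
    print("anomaly    :", profile_anomaly(LIVE, profile))
    print("flood      :", profile_signature(LIVE))
```

Each class misses something the others catch: the whitelist cannot see the flood (the flooding messages are all allowed), the signature sees only the one message it knows, and the learned profile flags the flood and the unknown flows but would happily accept a malicious write that stays within the HMI's normal rate. That is why the text treats the classes as complementary rather than as alternatives.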
Inter-Area Communication Protection Based on SDN:
A dynamic and customizable security technology for inter-area communication based on Software Defined Networking (SDN) is discussed, in which traffic is copied to a bypass path for security analysis so that the original communication is not affected. In detail, a communication architecture among the different zones of the ICS is designed first, using OpenFlow, and the flow table that manages each communication link is defined. Then, a security inspection mechanism based on information entropy is presented for deep analysis of the packet flow, and the flow table is updated according to its results. Finally, the availability and effectiveness of the scheme are verified through a series of experiments.
Security Analysis for Ingress Packets:
When a cyber-attack acts on a network, some basic symptoms typically appear: a) the number of packet flows increases rapidly; b) large-volume point-to-point flows are generated; and c) a large number of unsuccessful responses, such as TCP RST or ICMP error messages, are generated. Network traffic features therefore change markedly during an intrusion, and if the distribution of those features in the network can be obtained, the anomaly caused by the cyber-attack can be detected.
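The following added example (not code from the original article) turns the three symptoms into measurable features of a packet window, uses the Shannon entropy of the source/destination-pair distribution to capture symptom b), and emits the flow-table update that the bypass architecture would push back to the switch. The packet records, the thresholds and the rule representation are constructed for the example; the rule dict is a simplified stand-in for an OpenFlow flow-mod, not the wire format.

```python
"""Entropy-based inspection of an ingress packet window and the flow-table
update it drives.

Added illustration, not code from the original article. Packet records,
thresholds and the rule representation are constructed for the example.
"""
import math
from collections import Counter


# Constructed packet records: (src, dst, proto, flag), where flag marks an
# unsuccessful response ("RST" or "ICMP_UNREACH") and is "" otherwise.
def baseline_window():
    pkts = []
    for i in range(50):
        pkts.append(("10.0.1.%d" % (10 + i % 5), "10.0.2.20", "tcp", ""))   # HMI polls to the PLC
        pkts.append(("10.0.2.20", "10.0.1.%d" % (10 + i % 5), "tcp", ""))   # PLC replies
    return pkts


def attack_window():
    pkts = baseline_window()
    # One host hammers one PLC: high volume, point-to-point, answered by RSTs.
    pkts += [("10.0.1.99", "10.0.2.20", "tcp", "")] * 500
    pkts += [("10.0.2.20", "10.0.1.99", "tcp", "RST")] * 300
    return pkts


def entropy(counter):
    """Shannon entropy in bits of the empirical distribution in `counter`."""
    total = sum(counter.values())
    return -sum(n / total * math.log2(n / total) for n in counter.values())


def features(pkts):
    pairs = Counter((s, d) for s, d, _, _ in pkts)
    top_pair, top_n = pairs.most_common(1)[0]
    return {
        "packets": len(pkts),                      # symptom a)
        "pair_entropy": entropy(pairs),            # symptom b): falls when one pair dominates
        "top_pair": top_pair,
        "top_pair_share": top_n / len(pkts),
        "fail_ratio": sum(1 for *_, f in pkts if f) / len(pkts),   # symptom c)
    }


def inspect(window, baseline, rate_factor=3.0, entropy_drop=1.0, fail_limit=0.2, share_limit=0.5):
    """Compare a window's feature distribution with the baseline's.

    Returns (verdict, reasons, rules); `rules` is the flow-table update."""
    b, w = features(baseline), features(window)
    reasons = []
    if w["packets"] > rate_factor * b["packets"]:
        reasons.append("a) packet rate %.0fx baseline" % (w["packets"] / b["packets"]))
    if b["pair_entropy"] - w["pair_entropy"] > entropy_drop and w["top_pair_share"] > share_limit:
        reasons.append("b) point-to-point concentration, entropy %.2f -> %.2f"
                       % (b["pair_entropy"], w["pair_entropy"]))
    if w["fail_ratio"] > fail_limit:
        reasons.append("c) %.0f%% unsuccessful responses" % (100 * w["fail_ratio"]))
    rules = []
    if reasons:
        src, dst = w["top_pair"]
        # Flow-table update: a higher-priority entry for the offending pair
        # with an empty action list (drop); every other flow keeps its entry,
        # so the original communication is not affected.
        rules.append({"priority": 100, "match": {"nw_src": src, "nw_dst": dst}, "actions": []})
    return ("attack" if reasons else "normal"), reasons, rules


if __name__ == "__main__":
    print(inspect(baseline_window(), baseline_window()))
    print(inspect(attack_window(), baseline_window()))
```

Entropy is what makes symptom b) robust to address changes: a new host flooding a new PLC still collapses the pair distribution onto one bucket, while a scan from one host to many shows the opposite movement (entropy rising above baseline), so a practical inspector watches both directions. The thresholds here are illustrative; in a deployment they are set from the baseline's own variance over many windows.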
Conclusion and Current trends on cyber attack:
Recently, a statistically rigorous method for testing ICS systems has been proposed. The method employs High Throughput Testing (HTT) combinatorial methods, which enables multi-facet testing and analysis of cyber threats by creating a probabilistic model of the system’s response. Furthermore, the method also helps to determine optimum defense configurations for system resilience. However, such methods fail to assure that a given design is free of some classes of attacks, vulnerabilities and threats, such as data integrity attacks, and cannot identify sophisticated threats to ICS systems, e.g. advanced persistent threats, as demonstrated by recent attacks. Since the development of an industrial control system design employs a distributed supply chain process that involves various organizational divisions and vendors, there is a high risk that the process may introduce some vulnerabilities in the designed system.
There are two aspects in the security of this process. The first one is to secure the supply chain itself, protecting it from misuse. The second one is to develop techniques that enable the integration of components in a secure system, although the components originate from different groups (with different tools, design techniques and testing processes) and may have vulnerabilities; i.e. we need techniques that integrate untrusted components.
Software components of ICS employ different techniques to establish system integrity and process isolation and to protect the design process; such techniques include secure system booting and process-level attestation. These methods also help to manage the distributed control of processes, e.g., through memory management and inter-process communication. Overall, the increasing automation of these processes requires more robust software security techniques. Software techniques have several advantages over hardware techniques, e.g., cost, continuous evolution and the ability to change dynamically. Furthermore, combining software techniques with trusted computing modules enables the development of trusted computing platforms for applications and services.