Defending malicious attacks in Cyber Physical Systems

Chen, Chia-Mei; Hsiao, Han-Wei; Yang, Peng-Yu; Ou, Ya-Hui

doi:10.1109/cpsna.2013.6614240

Cited by 11 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Different kinds of anomaly-based IDS models have been suggested for SCADA systems [36], [2], [9], [37], [17], [15], [11]. Model-based anomaly detection for the Modbus/TCP industrial network protocol was first studied by Cheung et al [10].…”

Section: B Related Work 1) Attacksmentioning

confidence: 99%

Temporal Phase Shifts in SCADA Networks

Markman

Wool

Cárdenas

2018

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

View full text Add to dashboard Cite

In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Previous work showed that in many cases, it is possible to create an automatabased model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that overall, the models have difficulty in dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general DFA model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.

show abstract

Section: B Related Work 1) Attacksmentioning

confidence: 99%

Temporal Phase Shifts in SCADA Networks

Markman

Wool

Cárdenas

2018

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

View full text Add to dashboard Cite

show abstract

“…Several recent studies (such as (Atassi, Elhajj, Chehab, & Kayssi, 2014) & (Chen, Hsiao, Yang, & Ou, 2013)) suggest anomaly-based detection for SCADA systems that is based on Markov chains. However, (Ye, Zhang, & Borror, 2004) showed that although the detection accuracy of this technique is high, the number of 'false positive' values is also high, as it is sensitive to noise.…”

Section: Related Workmentioning

confidence: 99%

Accurate Modeling of the Siemens S7 SCADA Protocol for Intrusion Detection and Digital Forensics

Kleinmann¹,

Wool²

2014

JDFSL

View full text Add to dashboard Cite

The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection Systems (IDS) designed for S7 networks. The approach is based on the key observation that S7 traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique Deterministic Finite Automaton (DFA). The resulting DFA-based IDS is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach was evaluated on traffic from two production systems. Despite its high sensitivity, the system had a very low false positive rate -over 99.82% of the traffic was identified as normal.

show abstract

“…Anomaly-based intrusion detection approaches are based on "the belief that an intruder's behavior will be noticeably different from that of a legitimate user" [34]. The main types of anomaly detection approaches that are applied to SCADA systems [3,4,11] are: Network-aware detection in which the anomaly detection models only consider network and OS-level events; Protocol-aware detection in which modeling the normal traffic relies on deep-packet-inspection and considers the SCADA control protocol's meta-data (message sizes, timing, argument addresses, command sequence); and Process-aware approaches which are based on process invariants, mathematical relationships among physical properties of the process controlled by the PLCs.…”

Section: Industrial Control Systems (Ics)mentioning

confidence: 99%

“…Surveys of techniques related to learning and detection of anomalies in critical control systems can be found in [3,4,11]. While most of the current commercial network intrusion detection systems (NIDS) are signature-based, i.e., they recognize an attack when it matches a previously defined signature, anomaly-based NIDS "are based on the belief that an intruder's behavior will be noticeably different from that of a legitimate user" [34].…”

Section: Anomaly Detection In Icsmentioning

confidence: 99%

Stealthy Deception Attacks Against SCADA Systems

et al. 2017

View full text Add to dashboard Cite

SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta-data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system-wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.

show abstract

Defending malicious attacks in Cyber Physical Systems

Cited by 11 publications

References 11 publications

Temporal Phase Shifts in SCADA Networks

Temporal Phase Shifts in SCADA Networks

Accurate Modeling of the Siemens S7 SCADA Protocol for Intrusion Detection and Digital Forensics

Stealthy Deception Attacks Against SCADA Systems

Contact Info

Product

Resources

About