Adaptation of Failure Detection Mechanisms to Handle Attacks against SCADA Systems
J. RUBIO-HERNAN and J. GARCIA-ALFARO

Agenda
• Introduction
• State of the Art
• Physical-layer Failure Detection Mechanisms
• Conclusion & Future Work

Introduction
• SCADA (Supervisory Control and Data Acquisition)
  - A technology to monitor critical infrastructures
• Related to larger systems, such as
  - Distributed Control Systems (e.g., energy transmission)
  - Industrial Control Systems (e.g., factories & supply chain)

Representation of a SCADA System
[Diagram labels: Master Terminals; Remote Terminals; Sensors / Actuators]
• Security perspectives per layer
  - Master Terminals (i.e., traditional IT systems): protection of information assets
  - Remote Terminals (i.e., middleware systems): reliability & performance of distributed communications
  - Sensors & Actuators (i.e., constrained devices): protection of processing assets

Our Research Goals
• Protection of integrity properties purely based on physical assumptions between remote terminals & sensors/actuators
• Avoid cryptography & distribution of keys
[Diagram labels: Remote Terminals; Sensors / Actuators]

Agenda
• Introduction
• State of the Art
  - Some more definitions
• Physical-layer Failure Detection Mechanisms
• Conclusion & Future Work

Attacks vs. Accidents/Failures
• Decomposition of a Security Incident in an Industrial System
[Diagram labels: Security Incident; Non-intentional; Intentional; Accident/Failure; Attack; Active; Passive; Vulnerability; Industrial System]
• Attack: intentional action by which an entity attempts to evade security services and violate the security policy of a system

Failure Detection Mechanisms
• What is a Failure Detection Mechanism?
  - Mechanism to detect failures in a system
• What is a Failure / Accident?
  - Undesirable, non-intentional variation in the system
• What is an Attack?
  - Undesirable, intentional variation in the system
[Diagram labels: Controller; Actuator/Plant/Sensor; Failure Detection Mechanism; Failure; Attack]

Safety & Security Synergies
• Safety [1]: achievement of proper operating conditions, prevention of accidents & mitigation of accident consequences, protection of workers & environment
• Security [2]: establishment & maintenance of protective measures to perform critical functions despite risks posed by intentional threats
• Physical-layer Security Detection Mechanisms
  - Several approaches in the literature propose the adaptation of physical-layer failure (i.e., safety) detection mechanisms to handle intentional attacks (e.g., replay and injection attacks)
• Issues: often not well evaluated in terms of security
[1] Guides, S. (2007) IAEA (International Atomic Energy Agency) Safety Glossary Publications
[2] Kissel, R. (2013) Glossary of Key Information Security Terms. NIST Interagency/Internal Report (NISTIR)

Agenda
• Introduction
• State of the Art
• Physical-layer Failure Detection Mechanisms
  - Example: The Mo et al. Physical-layer Security Detection Mechanism
  - Our Adversary Model for the Mo et al. Security Detection Mechanism
  - Simulation Results
• Conclusion & Future Work

Example of a Physical-layer Security Detection Mechanism (Mo et al.)
• The Mo et al. Detector [3,4]
  - Unauthenticated signals (e.g., replayed or modified messages) affect the stability of the system and get detected by the new construction
• Controller: adds an authentication stamp to transform a safety system into a security system
• Adversary: without security system knowledge
• Stamp: non-deterministic signal
[Diagram labels: Controller; Stamp; Actuator/Plant/Sensor; Adversary; signal [a]]
[3] Mo and Sinopoli (2009) Secure Control against Replay Attacks. 47th Annual Allerton Conference on Communication, Control, and Computing, pp. 911-918.
[4] Mo, Kim, Brancik, Dickinson, Lee, Perrig, and Sinopoli (2013) Cyber–Physical Security of a Smart Grid Infrastructure. Proceedings of the IEEE, 100(1):195-209, DOI: 10.1109/JPROC.2011.2161428

Our New Adversary Model for the Mo et al. Security Detection Mechanism
• Objective: show that the Mo et al. detector is less secure than expected
• Adversary: an active agent who periodically eavesdrops, stores and analyzes valid signals, generates new potentially valid signals (w.r.t. the authentication process), and injects them afterwards
[Diagram labels: Controller; Stamp; Actuator/Plant/Sensor; Adversary; signals [a] and [a']]

Analysis of Valid Signals
• Adversary knows that the system is using a non-deterministic signal to authenticate valid messages (stamp)
  - Goal: separate the stamp from the deterministic signal (message)
• How?
  - E.g., by using "Wold's Decomposition Theorem" [5]
  - "A process created with a deterministic signal and a non-deterministic signal mutually uncorrelated can be decomposed in two processes: one with the deterministic signal, and another with the non-deterministic signal".
[5] Wold, H. (1954) A Study in the Analysis of Stationary Time Series, Second revised edition, with an Appendix on Recent Developments in Time Series Analysis by Peter Whittle. Almqvist and Wiksell Book Co., Uppsala.

Generation of New Valid Signals
• Applying Wold's Decomposition Theorem to signal processing, via adaptive filters
  - It is possible to separate the non-deterministic signal from the deterministic signal
  - It is possible to obtain the dynamics of the system knowing only its inputs & outputs

Simulation Results
• Matlab simulations using a MIMO system to simulate an industrial plant system under attack
• Two simulated attacks
  - Adversary without knowledge: replay attacks hijacking sensors & replaying previous readings (adversary in Mo et al.'s proposal)
  - Adversary with knowledge: integrity attacks hijacking sensors & actuator, then injecting new sensor readings (our new adversary)
[Diagrams: "Adversary without Knowledge" and "Adversary with Knowledge", each with Controller, Stamp, Actuator/Plant/Sensors and signals [a], [a']]

Use Cases
• 1st use case: the system is attacked by the adversary without knowledge & the system does not use security stamps
• 2nd use case: the system is attacked by the adversary without knowledge & the system does use security stamps
• 3rd use case: the system is attacked by the adversary with knowledge & the system does use security stamps

Results
• Simulation
• System under attack during the last 50 seconds
• Plots represent the output of the Mo et al.'s Failure Detector
[Plots: 1st use case (no stamp); 2nd use case (Mo et al.'s Adversary); 3rd use case (Our New Adversary)]

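
The first two use cases, as an added Python sketch that is not the authors' Matlab simulation: a replay attack against a control loop with and without a stamp. The scalar plant, the gains, the noise levels, the windowed residual statistic and its threshold are all assumptions chosen for illustration; the third use case is not modelled.

```python
import random

def replay_experiment(stamp_std, seed=7, n=1000, t_attack=500,
                      window=10, threshold=2.5):
    """Simulate a replay attack on a scalar control loop (all values assumed).

    Returns (ratio, alarm_rate): residual power during the attack relative to
    attack-free operation, and the fraction of attack steps raising an alarm.
    """
    rng = random.Random(seed)
    a, L, K = 0.9, 0.5, 0.6          # plant pole, feedback gain, estimator gain
    x = xhat = u = 0.0
    recorded, r2 = [], []
    for k in range(n):
        x = a * x + u + rng.gauss(0.0, 0.1)        # plant state, process noise
        y = x + rng.gauss(0.0, 0.1)                # true sensor reading
        recorded.append(y)
        if k >= t_attack:                          # adversary without knowledge:
            y = recorded[k - t_attack]             # replay an old reading
        pred = a * xhat + u                        # reading the controller expects
        r = y - pred                               # residual seen by the detector
        xhat = pred + K * r                        # fixed-gain state estimate
        u = -L * xhat + rng.gauss(0.0, stamp_std)  # control input plus stamp
        r2.append(r * r)
    nominal = sum(r2[:t_attack]) / t_attack        # calibrated on attack-free data
    ratio = (sum(r2[t_attack:]) / (n - t_attack)) / nominal
    alarms = 0
    for k in range(t_attack, n):
        # windowed residual power, normalised by the attack-free level
        g = sum(r2[k - window + 1:k + 1]) / (window * nominal)
        alarms += g > threshold
    return ratio, alarms / (n - t_attack)

if __name__ == "__main__":
    print("1st use case (no stamp):", replay_experiment(0.0))
    print("2nd use case (stamp):   ", replay_experiment(0.2))
```

Without a stamp the replayed readings reproduce the recorded residuals, so the statistic stays at its attack-free level; with a stamp the residual carries the mismatch between the current and the recorded stamp and the alarm rate rises.
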
Conclusion
• Physical-layer security is necessary to assure reliability & integrity of low-power devices
  - Otherwise, it can affect the whole system
• Adapting safety solutions to also handle security, without modifying the system dynamics, should be done carefully
  - Must be evaluated in terms of both safety and security
• The security analysis of the Mo et al. Detector should be revisited
  - Our simulations confirm the claim

Perspectives for Future Work
• Improve the security of the detector to identify our proposed adversary
• Enhance the detector to differentiate failures from attacks

Questions?
jose.rubio_hernan@telecom-sudparis.eu

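Adaptive filters are used to obtain the non-deterministic signal
• Input signal: $d_k = x_k + w_k$
• The input is delayed by $\Delta$ samples ($z^{-\Delta}$), and $d_{k-\Delta}$ feeds the adaptive filter
• Output signal of the adaptive filter: $y_k$
• Error driving the adaptive algorithm: $e_k = d_k - y_k$
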
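
The block diagram above as an added Python example (not the authors' code), written from the defender's side: it measures how much of a white-noise component superimposed on a predictable signal can be recovered from observations alone. The sinusoidal x_k, the noise level, the LMS update rule, the tap count and the step size are constructed assumptions.

```python
import math
import random

def line_enhancer(d, taps=16, delay=1, mu=0.005):
    """LMS adaptive filter fed with the delayed input d_{k-delay}.

    The output y_k tracks the predictable part of d_k; the error
    e_k = d_k - y_k keeps the part that the past cannot predict.
    """
    coef = [0.0] * taps
    y, e = [], []
    for k in range(len(d)):
        u = [d[k - delay - i] if k - delay - i >= 0 else 0.0
             for i in range(taps)]
        yk = sum(c * ui for c, ui in zip(coef, u))
        ek = d[k] - yk
        coef = [c + mu * ek * ui for c, ui in zip(coef, u)]  # LMS weight update
        y.append(yk)
        e.append(ek)
    return y, e

def corr(p, q):
    """Pearson correlation of two equal-length sequences."""
    n = len(p)
    mp, mq = sum(p) / n, sum(q) / n
    cov = sum((a - mp) * (b - mq) for a, b in zip(p, q))
    var_p = sum((a - mp) ** 2 for a in p)
    var_q = sum((b - mq) ** 2 for b in q)
    return cov / math.sqrt(var_p * var_q)

def separability(noise_std=0.2, n=4000, seed=3):
    """Constructed input d_k = x_k + w_k: sinusoid x plus white noise w.

    Returns (corr(y, x), corr(e, w)) measured after convergence.
    """
    rng = random.Random(seed)
    x = [math.sin(2 * math.pi * 0.05 * k) for k in range(n)]
    w = [rng.gauss(0.0, noise_std) for _ in range(n)]
    d = [xk + wk for xk, wk in zip(x, w)]
    y, e = line_enhancer(d)
    h = n // 2                       # score only the converged second half
    return corr(y[h:], x[h:]), corr(e[h:], w[h:])

if __name__ == "__main__":
    print(separability())
```

A correlation between e_k and w_k close to 1 means the non-deterministic component is exposed to anyone who can observe d_k, which is the property to test before relying on such a component as an authenticator.
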
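Adaptive filters are used to learn how the plant works
• The input signal feeds both the unknown system (plant) and the adaptive filter
• Output of the unknown system (plant): $d_k$
• Output signal of the adaptive filter: $y_k$
• Error driving the adaptive algorithm: $e_k = d_k - y_k$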