Who’s In Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems
David Formby, Preethi Srinivasan, Andrew Leonard, Jonathan Rogers, Raheem Beyah
NDSS 2016
Presented by: Yi Zhang, October 18th, 2016
Cyber Physical Systems (CPS)
[Diagram: CPS sits at the overlap of the cyber and physical domains]
• Cyber: Personal Computers, Mobile Phones, Embedded Devices
• Physical: Motors, pumps, Generators, Valves, Relays…
Cyber Physical Systems (CPS)
• Home automation
– Lighting, locks, thermostat, security system
• Industrial control systems (ICS)
– Power grid, water/sewage, oil/gas, manufacturing, supervisory control and data acquisition (SCADA)
– Cyber-based compromise can lead to physical harm
– Current ICS is filled with vulnerable, legacy devices
Motivation
• ICS are vulnerable to false data and command injections
– Push the system into an unsafe state, cause physical harm
– Previous fingerprinting work not suited for ICS
– Traditional IDS have limitations
[Figure: illustration of a simple false data injection]
• CPS fingerprinting helps defend against these attacks
Threat Model and Goals
• Two attacker models
– Compromised node
• Stuxnet
– Physical access
• Weak physical security
• Goal
– Develop accurate fingerprinting methods to identify what type of device the responses are originating from
CPS Fingerprinting in ICS
• Data Acquisition Functions
– Cross Layer Response Time (CLRT)
– Estimate device processing time
– Black Box Model fingerprints
• Control Functions
– Physical fingerprinting
– Estimate physical operation time
– Black Box Model fingerprints
– New class of fingerprinting: White Box Modeling
Cross-Layer Response Time (CLRT)
• Fingerprints devices from data acquisition traffic
• Estimates device processing time
– Time between the device's TCP ACK and its SCADA (DNP3) response
– Static and unique distribution per device type
• Why it works in ICS: fast links (100 Mbps) with slow devices, and slow, regular polling traffic
• Adversary cannot simply respond faster: to impersonate the IED it must match the CLRT fingerprint
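The measurement the slide describes, worked through on constructed traffic. This is an added example for these notes, not the authors' code or dataset: the device names, the 100 Mbps/DNP3 timing values and the nearest-fingerprint classifier are all assumptions chosen to illustrate the idea (the paper uses an FF-ANN and a Bayes classifier). Each DNP3 poll produces a bare TCP ACK from the device's network stack followed by the application-layer response; CLRT is the gap between those two, which isolates device processing time from network latency. A compromised PC answering in the IED's place has a CLRT far below the real device's distribution and is rejected.

```python
"""Cross-Layer Response Time (CLRT) fingerprinting on constructed DNP3 polling traffic.

Illustrative code added to these notes; not the authors' implementation.
CLRT = time between the device's TCP ACK of a poll and its DNP3 response, which
approximates the device's processing time and excludes network latency.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    t: float    # capture timestamp in seconds
    src: str
    dst: str
    kind: str   # "poll" (DNP3 request), "ack" (bare TCP ACK), "resp" (DNP3 response)


def clrt_samples(packets, device):
    """CLRT samples for `device`: each DNP3 response time minus the preceding TCP ACK."""
    samples, ack_t = [], None
    for p in sorted(packets, key=lambda p: p.t):
        if p.src != device:
            continue
        if p.kind == "ack":
            ack_t = p.t
        elif p.kind == "resp" and ack_t is not None:
            samples.append(p.t - ack_t)
            ack_t = None
    return samples


def fingerprint(samples):
    """Summarise a CLRT distribution as (mean, population std dev)."""
    return (mean(samples), pstdev(samples))


def distance(samples, fp):
    """Distance of a sample set's mean from a fingerprint, in units of the fingerprint's std dev."""
    mu, sigma = fp
    return abs(mean(samples) - mu) / sigma


def classify(samples, fingerprints, threshold=3.0):
    """Nearest-fingerprint classifier (a simple stand-in for the paper's FF-ANN / Bayes
    classifiers). Returns (device, distance); device is None when nothing is within threshold."""
    name, d = min(((n, distance(samples, fp)) for n, fp in fingerprints.items()),
                  key=lambda x: x[1])
    return (name if d <= threshold else None, d)


def make_capture(device, master, mu, jitter, n=50, t0=0.0, ack_delay=0.0005):
    """Constructed polling capture: poll, TCP ACK, DNP3 response, repeated every second.
    CLRT is mu plus a deterministic +/- jitter pattern, so its mean is exactly mu."""
    pkts = []
    for i in range(n):
        t_poll = t0 + i
        t_ack = t_poll + ack_delay
        clrt = mu + jitter * ((i % 5) - 2) / 2
        pkts += [Packet(t_poll, master, device, "poll"),
                 Packet(t_ack, device, master, "ack"),
                 Packet(t_ack + clrt, device, master, "resp")]
    return pkts


MASTER = "10.0.0.1"
# Constructed training captures: two IEDs with different processing times (assumed values).
TRAIN = {dev: clrt_samples(make_capture(dev, MASTER, mu, jit), dev)
         for dev, (mu, jit) in {"ied-a": (0.040, 0.004), "ied-b": (0.015, 0.002)}.items()}
FINGERPRINTS = {dev: fingerprint(s) for dev, s in TRAIN.items()}

# Fresh traffic from ied-a, and a compromised PC answering in ied-a's place far faster.
FRESH_A = clrt_samples(make_capture("ied-a", MASTER, 0.040, 0.004, n=10, t0=1000.0), "ied-a")
SPOOFED = clrt_samples(make_capture("ied-a", MASTER, 0.0002, 0.0, n=10, t0=2000.0), "ied-a")

if __name__ == "__main__":
    print("fingerprints:", FINGERPRINTS)
    print("fresh ied-a traffic ->", classify(FRESH_A, FINGERPRINTS))
    print("spoofed traffic     ->", classify(SPOOFED, FINGERPRINTS))
```

The spoofed traffic is rejected not because it is slow but because it is too fast and too regular: matching a slow device's CLRT distribution is the attacker's problem, which is the point the slide makes. A real deployment would pair ACKs and responses by TCP sequence numbers and DNP3 transport sequence rather than by order of arrival.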
CLRT Experiment
• Use a real world dataset before and after changes in the network
• Additional capture from another substation with different network architecture
• CLRT measurements taken from DNP3 polling requests
CLRT Results
[Figure: CLRT distributions for same hardware, different software]
CLRT Results
• Uses FF-ANN
• Time slices as small as 5 mins
– Average accuracy 93%
• Supervised Bayes classifier performs even better
• Unsupervised learning also works well
CLRT Results
• Network architecture found to have minimal effect
[Figure, left panel: Training Data – Original dataset; Testing Data – Different substation]
[Figure, right panel: Training Data – Original dataset; Testing Data – Upgraded network]
Physical Fingerprinting
• Fingerprint devices from control traffic
• Estimate physical operation time
– Time between command packet and event timestamp
– Requires time synchronization
• Black Box and White Box Methods
• Adversary must guess what event timestamp to respond with
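Operation time as the slide defines it, worked through on constructed control traffic. This is an added example for these notes, not the authors' code: the relay names, the fingerprint values and the 10 ms clock offset are assumptions. It shows two practitioner points: the event timestamp comes from the device's clock while the command is stamped by the capture point, so an unknown clock offset shifts every sample and can misattribute the device, which is why the slide lists time synchronization as a requirement; and operations whose fingerprints nearly coincide across devices should be excluded from identification.

```python
"""Physical fingerprinting from control traffic: operation time = device-stamped
event time minus the time the command packet was captured on the wire.

Illustrative code added to these notes; not the authors' implementation. Relay
names, timing values and the clock offset are constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from statistics import mean


@dataclass(frozen=True)
class Command:
    seq: int        # application sequence number pairing command and event (constructed)
    t_sent: float   # capture time of the command packet, master clock
    op: str         # "open" or "close"


@dataclass(frozen=True)
class Event:
    seq: int        # sequence number of the command this event answers
    t_event: float  # event timestamp set by the device, device clock
    op: str


def operation_times(commands, events, clock_offset=0.0):
    """Pair each command with its event and return per-operation physical times.
    clock_offset is (device clock - master clock); time synchronisation is what makes
    this correction known, and without it every sample is biased by the offset."""
    by_seq = {e.seq: e for e in events}
    times = {"open": [], "close": []}
    for c in commands:
        e = by_seq.get(c.seq)
        if e is None or e.op != c.op:
            continue  # unanswered command or mismatched event: not a physical sample
        times[c.op].append((e.t_event - clock_offset) - c.t_sent)
    return times


def distance(samples, fp):
    """Distance of a sample mean from a (mean, std dev) fingerprint, in std devs."""
    mu, sigma = fp
    return abs(mean(samples) - mu) / sigma


def discriminating_ops(fingerprints, min_separation=3.0):
    """Operations whose fingerprint means differ by at least min_separation std devs
    for every pair of devices; only these are worth using for identification."""
    ops = next(iter(fingerprints.values())).keys()
    good = []
    for op in ops:
        ok = True
        for a, b in combinations(fingerprints.values(), 2):
            sep = abs(a[op][0] - b[op][0]) / max(a[op][1], b[op][1])
            if sep < min_separation:
                ok = False
        if ok:
            good.append(op)
    return tuple(good)


def identify(observed, fingerprints, ops):
    """Nearest device over the given ops; returns (device, {op: distance})."""
    scores = {dev: {op: distance(observed[op], fp[op]) for op in ops}
              for dev, fp in fingerprints.items()}
    best = min(scores, key=lambda d: sum(scores[d].values()))
    return best, scores[best]


# Constructed black-box fingerprints (mean, std dev) in seconds for two relays of
# nearly identical rating: close times almost coincide, open times do not.
FINGERPRINTS = {
    "relay-a": {"open": (0.0450, 0.0015), "close": (0.0600, 0.0020)},
    "relay-b": {"open": (0.0520, 0.0015), "close": (0.0605, 0.0020)},
}

DEVICE_OFFSET = 0.010  # relay-a's clock runs 10 ms ahead of the master's (constructed)
_true = {"open": [0.0447, 0.0450, 0.0453], "close": [0.0598, 0.0600, 0.0602]}
COMMANDS, EVENTS = [], []
for i, op in enumerate(["open", "close"] * 3):
    t_sent = 100.0 + 10 * i
    COMMANDS.append(Command(i, t_sent, op))
    EVENTS.append(Event(i, t_sent + _true[op][i // 2] + DEVICE_OFFSET, op))

SYNCED = operation_times(COMMANDS, EVENTS, clock_offset=DEVICE_OFFSET)
UNSYNCED = operation_times(COMMANDS, EVENTS)  # offset ignored: clocks not synchronised

if __name__ == "__main__":
    ops = discriminating_ops(FINGERPRINTS)
    print("discriminating operations:", ops)
    print("synchronised   ->", identify(SYNCED, FINGERPRINTS, ops))
    print("unsynchronised ->", identify(UNSYNCED, FINGERPRINTS, ops))
```

With the offset corrected the traffic is attributed to relay-a; with the 10 ms offset ignored the same traffic lands nearer relay-b's open-time fingerprint, an attribution that is simply wrong. The forgery angle from the slide follows directly: an attacker injecting event reports has to pick an event timestamp that lands inside the real relay's operation-time distribution, relative to a command it may not have observed precisely.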
Physical Fingerprinting Setup
• Relays
– Typically used to open or close higher voltage circuits with a lower voltage signal. Common device in ICS and analogous to large scale circuit breakers
[Figures: relays used in testbed (nearly identical specifications); testbed setup]
Physical Fingerprinting Results
[Figure: operation time distributions per relay]
• No obvious differences between Close operations due to nearly identical ratings
• Clear differences in Open operations allow for device fingerprinting
Physical Fingerprinting Results
White Box Modeling
• Black Box Modeling sometimes infeasible
– Devices operate infrequently, no physical access
• Construct physical model and estimate parameters
[Diagram: current in coil → magnetic field → coil force; permanent magnet force; equation of motion]
White Box Modeling Results
• Reduced accuracy, but could be refined as true samples become available
Robust Against Forgery
• Two classes of adversary
– Weak adversary: compromise one of the low powered devices
– Strong adversary: gain physical access to the network
• The adversary is assumed to have gathered accurate samples
Conclusion
• Novel passive fingerprinting techniques for ICS
– Data acquisition and control
– 99% and 92% classification accuracy
– Inventory and complementing traditional IDS
– Resistant to simple mimicry attacks
• New class of fingerprinting: White Box Models
• Future work
– Internet of Things, developing white box methods
Discussion
• What is the contribution of the paper?
• What are the limitations of the paper?
• How is ICS different from other systems?
• How to improve the white box modeling?