Who's In Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems
David Formby (1), Preethi Srinivasan (1), Andrew Leonard (2), Jonathan Rogers (2), Raheem Beyah (1)
Communications Assurance and Performance (CAP) Group
(1) School of Electrical and Computer Engineering, (2) School of Mechanical Engineering, Georgia Institute of Technology
@GTCAPGROUP
Cyber-Physical Systems (CPS)
[Figure: Venn diagram. Cyber side: personal computers, mobile phones, embedded devices. Physical side: motors, pumps, generators, valves, relays, ... CPS sits at the intersection.]
D. Formby, P. Srinivasan, A. Leonard, J. Rogers, and R. Beyah, Who's In Control of Your Control System? (slide 2)
Cyber-Physical Systems
• Industrial control systems (ICS)
  – Power grid, water/sewage, oil/gas, manufacturing, supervisory control and data acquisition (SCADA)
• Home automation
  – Lighting, locks, thermostat, security system
Vulnerabilities can lead to physical harm. ICS are filled with vulnerable, legacy devices (e.g. ICS-CERT advisories ICSA-15-041-02, ICSA-15-006-01, ICSA-15-169-01B; https://ics-cert.us-cert.gov/advisories).
Motivation
• ICS are vulnerable to false data injection and false command responses
  – These can push the system into an unsafe state and cause physical harm
  – Previous fingerprinting work is not suited to ICS
  – False data detection and IDS have limitations
• CPS fingerprinting helps defend against these attacks
[Figure: illustration of a simple false data injection]
Attacker Model
• Two cases
  – Compromised PLC (e.g. Stuxnet)
  – Physical access (insider, weak physical security)
• Goal
  – Inject false data and false command responses while masquerading as a different device
CPS Fingerprinting
• Data Acquisition
  – Cross-Layer Response Time (CLRT)
  – Estimate device processing time
  – Black Box Model fingerprints
• Control
  – Physical fingerprinting
  – Estimate physical operation time
  – Black Box Model fingerprints
  – New class of fingerprinting: White Box Modeling
Cross-Layer Response Time (CLRT)
• Fingerprints devices from data acquisition traffic
• Estimates device processing time
  – Time between the TCP ACK and the SCADA response
  – Fast links (100 Mbps) with slow devices and slow, regular traffic: the measured time is dominated by device processing, not the network
[Figure caption: An adversary cannot simply respond faster to beat the IED; it must match the CLRT fingerprint]
CLRT Clusters
[Figure: CLRT distributions cluster by device; same hardware with different software yields distinct clusters]
Cross-Layer Response Time
• Network Architecture
  – 100 Mbps fiber links
  – Path distance ranged from 1 switch at 10 yards to roughly 30 switches around 10 miles away
• Devices still had the same signature no matter the distance
Cross-Layer Response Time
Accuracy: $\frac{TP + TN}{TP + TN + FP + FN}$
Precision: $\frac{TP}{TP + FP}$
Recall: $\frac{TP}{TP + FN}$
Detection time: time to gather samples before making a decision
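The CLRT pipeline from the preceding slides (pair the outstation's TCP ACK with its SCADA response, fingerprint each device's processing-time distribution, classify a window of samples, and score with the accuracy/precision/recall formulas above), as an added example rather than the authors' code. The packet trace, the three device profiles, the Gaussian fingerprint model and the maximum-likelihood classifier are all assumptions made for illustration; the slides do not state which model or statistic the authors used.

```python
"""Cross-Layer Response Time (CLRT) fingerprinting over a constructed packet trace.

Added example, not the authors' code. A passive monitor records, for every
SCADA read request from the master, the outstation's TCP ACK of the request
segment and the outstation's application-layer response. CLRT is the time
between those two packets, which isolates device processing time from network
delay. Fingerprints are per-device Gaussian models of CLRT (an assumption); a
window of samples is classified by maximum likelihood, and the confusion-matrix
metrics from the slide are computed over the classification results.
"""
import math
import random
from collections import defaultdict

# Trace record: (timestamp_s, src, dst, kind, tcp_ack_number), where kind is
# "req" (master read request), "ack" (outstation's TCP quick ACK for it) or
# "resp" (outstation's SCADA response). Entirely constructed, not captured.
def make_trace(device, clrt_mean, clrt_std, n, seed, poll_interval=2.0):
    rng = random.Random(seed)
    pkts = []
    t = 0.0
    for k in range(n):
        t += poll_interval
        net = rng.uniform(0.0005, 0.003)       # one-way network delay, varies per poll
        seq = 1000 + 100 * k                   # master's TCP sequence number
        ack_no = seq + 12                      # ACK number for a 12-byte request
        pkts.append((t, "master", device, "req", seq))
        pkts.append((t + net, device, "master", "ack", ack_no))
        proc = max(0.0, rng.gauss(clrt_mean, clrt_std))   # device processing time
        pkts.append((t + net + proc, device, "master", "resp", ack_no))
    return pkts

def clrt_samples(pkts):
    """Return {device: [clrt_seconds, ...]}: each outstation ACK is paired with
    the next response from the same host carrying the same TCP ack number."""
    pending = {}
    samples = defaultdict(list)
    for t, src, _dst, kind, ack_no in sorted(pkts):
        if kind == "ack":
            pending[(src, ack_no)] = t
        elif kind == "resp" and (src, ack_no) in pending:
            samples[src].append(t - pending.pop((src, ack_no)))
    return samples

def fingerprint(values):
    """Gaussian (mean, std) model of a device's CLRT distribution."""
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / (len(values) - 1)
    return mean, math.sqrt(var)

def classify(values, fingerprints):
    """Device whose fingerprint maximises the log-likelihood of the window."""
    best, best_ll = None, -math.inf
    for dev, (mu, sd) in fingerprints.items():
        ll = sum(-0.5 * ((v - mu) / sd) ** 2 - math.log(sd) for v in values)
        if ll > best_ll:
            best, best_ll = dev, ll
    return best

def metrics(truth, predicted, positive):
    """Accuracy, precision and recall, treating `positive` as the positive class."""
    tp = sum(1 for y, p in zip(truth, predicted) if y == positive and p == positive)
    tn = sum(1 for y, p in zip(truth, predicted) if y != positive and p != positive)
    fp = sum(1 for y, p in zip(truth, predicted) if y != positive and p == positive)
    fn = sum(1 for y, p in zip(truth, predicted) if y == positive and p != positive)
    accuracy = (tp + tn) / (tp + tn + fp + fn)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return accuracy, precision, recall

# Constructed device profiles (seconds): two IEDs on the same hardware with
# different firmware, plus a slower PLC. Values are assumptions, not measurements.
PROFILES = {"ied_a": (0.0040, 0.0004), "ied_b": (0.0055, 0.0005), "plc_c": (0.0120, 0.0010)}

def demo(window=10):
    """Train on one trace per device, test on a fresh trace, classify every
    `window` samples (the detection time) and score against ground truth."""
    train = {dev: fingerprint(clrt_samples(make_trace(dev, mu, sd, 200, seed=1))[dev])
             for dev, (mu, sd) in PROFILES.items()}
    truth, pred = [], []
    for dev, (mu, sd) in PROFILES.items():
        test = clrt_samples(make_trace(dev, mu, sd, 100, seed=2))[dev]
        for k in range(0, len(test), window):
            truth.append(dev)
            pred.append(classify(test[k:k + window], train))
    return train, metrics(truth, pred, positive="ied_a")

if __name__ == "__main__":
    fps, (acc, prec, rec) = demo()
    for dev, (mu, sd) in fps.items():
        print(f"{dev}: CLRT {mu * 1e3:.2f} ms +/- {sd * 1e3:.2f} ms")
    print(f"accuracy={acc:.3f} precision={prec:.3f} recall={rec:.3f}")
```

The pairing key (source host, TCP acknowledgement number) is what makes the measurement cross-layer: the ACK is a transport-layer event and the response an application-layer one, but both carry the same acknowledgement number, so no application parsing is needed to match them. The `window` argument is the detection time from the slide; shrinking it makes decisions faster but lets the overlapping tails of `ied_a` and `ied_b` produce errors.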
Cross-Layer Response Time
• Network architecture found to have minimal effect
[Figure: two panels. Left: training data from the original dataset, testing data from the upgraded network. Right: training data from the original dataset, testing data from a different substation.]
Physical Fingerprinting
• Fingerprint devices from control traffic
• Estimate physical operation time
  – Time between the command packet and the event timestamp
• Black Box and White Box methods
[Figure caption: The adversary must guess what event timestamp to respond with]
Physical Fingerprinting Setup
• Relays
  – Typically used to open or close higher-voltage circuits with a lower-voltage signal. A common device in ICS and analogous to large-scale circuit breakers.
[Figures: relays used in the testbed, with nearly identical specifications; testbed setup]
Physical Fingerprinting Results
[Figure: No obvious differences between Close operations, due to the nearly identical ratings. Clear differences in Open operations allow for device fingerprinting.]
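The black-box physical fingerprinting measurement described on the previous slides (command packet time to reported event timestamp), as an added example that is not the authors' code. The command/event records, the two relays' timings, and the use of Cohen's d as the separability statistic are all assumptions made to reproduce the qualitative result on this slide: close operations overlap, open operations separate.

```python
"""Physical fingerprinting of relay operation times from constructed control traffic.

Added example, not the authors' code. Every control command (open/close) seen
on the wire is paired with the change-of-state event the outstation later
reports, and the event timestamp minus the command capture time is the
physical operation time. The two relays below are constructed to behave as the
slides describe: nearly identical close times, distinguishable open times.
Cohen's d (difference of means over pooled standard deviation) is used here as
the separability measure; the authors' statistic is not given on the slide.
"""
import math
import random
import statistics
from collections import defaultdict

def make_control_trace(device, open_ms, close_ms, n, seed, point=7, interval=30.0):
    """Constructed (commands, events) for one relay alternating open/close.
    open_ms/close_ms are (mean, std) in milliseconds; point is the control
    point index (assumed). Event timestamps include the physical delay."""
    rng = random.Random(seed)
    commands, events = [], []
    t, state = 0.0, "closed"
    for _ in range(n):
        t += interval
        op = "open" if state == "closed" else "close"
        mu, sd = open_ms if op == "open" else close_ms
        commands.append((t, device, point, op))                 # command packet capture time
        new_state = "open" if op == "open" else "closed"
        events.append((t + rng.gauss(mu, sd) / 1000.0, device, point, new_state))  # event timestamp
        state = new_state
    return commands, events

def operation_times(commands, events):
    """{(device, op): [seconds]} pairing each command with the first later
    change-of-state event on the same device and point that matches it."""
    times = defaultdict(list)
    remaining = sorted(events)
    for t_cmd, dev, point, op in sorted(commands):
        want = "open" if op == "open" else "closed"
        for j, (t_ev, edev, epoint, estate) in enumerate(remaining):
            if edev == dev and epoint == point and estate == want and t_ev >= t_cmd:
                times[(dev, op)].append(t_ev - t_cmd)
                del remaining[j]
                break
    return times

def cohens_d(a, b):
    """Separation between two samples in units of pooled standard deviation."""
    va, vb = statistics.variance(a), statistics.variance(b)
    pooled = math.sqrt(((len(a) - 1) * va + (len(b) - 1) * vb) / (len(a) + len(b) - 2))
    return abs(statistics.mean(a) - statistics.mean(b)) / pooled

def separability(n=200):
    """Cohen's d between relay_1 and relay_2 for close and for open operations."""
    # Assumed timings (ms): same close behaviour, about 2.5 ms difference in open.
    c1, e1 = make_control_trace("relay_1", open_ms=(12.0, 0.4), close_ms=(8.0, 0.3), n=n, seed=11)
    c2, e2 = make_control_trace("relay_2", open_ms=(14.5, 0.4), close_ms=(8.0, 0.3), n=n, seed=12)
    times = operation_times(c1 + c2, e1 + e2)
    return {op: cohens_d(times[("relay_1", op)], times[("relay_2", op)]) for op in ("open", "close")}

if __name__ == "__main__":
    for op, d in separability().items():
        print(f"{op:5s}: Cohen's d = {d:.2f} ({'fingerprintable' if d > 2.0 else 'overlapping'})")
```

Because the operation time comes from the outstation's own event timestamp, a spoofing device that answers the command has to fabricate a plausible timestamp for an event it never produced; the separability value is a quick way to check, per operation type, whether a given pair of relays can be told apart at all before building a classifier.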
Physical Fingerprinting Results
[Figure only]
White Box Modeling
• Black Box Modeling is sometimes infeasible
  – Devices operate infrequently, or there is no physical access to collect samples
• Construct a physical model and estimate its parameters
White Box Modeling
[Figure: model block diagram. Current in coil → magnetic field → coil force; permanent magnet force opposes it; the net force drives the equation of motion → armature angular velocity → armature displacement.]
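A worked version of the causal chain in the block diagram above, as an added example rather than the authors' model. The model forms (series RL coil, force proportional to current squared, rigid armature pivoting against a constant holding force) and every parameter value are assumptions chosen for illustration; the second function shows the "estimate parameters" step, recovering the holding force from one observed operation time.

```python
"""White-box estimate of a relay's operation time from a lumped physical model.

Added example, not the authors' model. It follows the causal chain on the
slide: coil current -> magnetic field -> coil force, opposed by the permanent
magnet's holding force, driving the armature's equation of motion, whose
angular velocity integrates to the displacement at which the contacts change
state. All parameter values and the specific model forms are assumptions.
The estimator recovers the holding force from an observed operation time by
bisection, which works because operation time is monotonic in that force.
"""

# Assumed parameters: 24 V coil, 100 ohm / 0.5 H winding, force constant chosen
# so the steady-state coil force (~2 N) exceeds the 0.8 N magnet holding force.
PARAMS = {
    "V": 24.0,         # control voltage applied to the coil [V]
    "R": 100.0,        # coil resistance [ohm]
    "L": 0.5,          # coil inductance [H]
    "k_c": 34.7,       # coil force constant [N/A^2], folds in field-to-force coupling
    "F_pm": 0.8,       # permanent magnet holding force on the armature [N]
    "r": 0.01,         # lever arm from pivot to force point [m]
    "J": 1.0e-6,       # armature moment of inertia [kg m^2]
    "theta_max": 0.05  # armature angle at which the contacts change state [rad]
}

def operation_time(p, dt=1.0e-5, t_max=0.05):
    """Forward-Euler integration; returns the time at which the armature
    reaches theta_max, or None if it never releases within t_max."""
    i = theta = omega = 0.0
    t = 0.0
    while t < t_max:
        i += dt * (p["V"] - p["R"] * i) / p["L"]     # series RL coil current
        f_coil = p["k_c"] * i * i                     # field ~ i, force ~ field^2
        f_net = f_coil - p["F_pm"]                    # minus magnet holding force
        if f_net > 0.0:                               # armature released
            omega += dt * p["r"] * f_net / p["J"]     # equation of motion (torque / J)
            theta += dt * omega                       # angular velocity -> displacement
        t += dt
        if theta >= p["theta_max"]:
            return t
    return None

def estimate_holding_force(observed_time, p, iterations=40):
    """Bisection for F_pm given one observed operation time, keeping all other
    parameters fixed. A larger F_pm always means a later, slower operation."""
    lo, hi = 0.0, p["k_c"] * (p["V"] / p["R"]) ** 2   # above hi the relay never releases
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        t_mid = operation_time({**p, "F_pm": mid})
        if t_mid is not None and t_mid < observed_time:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

if __name__ == "__main__":
    t_nom = operation_time(PARAMS)
    print(f"nominal operation time: {t_nom * 1e3:.2f} ms")
    print(f"estimated F_pm from that time: {estimate_holding_force(t_nom, PARAMS):.3f} N")
```

In practice only some parameters are on the datasheet (coil voltage, resistance, roughly the inductance), so the unknowns have to be fitted; the single-parameter bisection shown here is the simplest case and is what the "refined as true samples become available" remark on the next slide would drive, with each real operation-time sample tightening the estimate.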
White Box Modeling Results
[Figure: reduced accuracy compared with the black box fingerprints, but the model could be refined as true samples become available]
Discussion
• Assumptions
  – TCP quick ACKs for CLRT; event timestamps for physical fingerprinting
• Accuracy: 99% (CLRT) and 92% (physical)
  – Not high enough for a stand-alone IDS, but can complement a traditional IDS
• White Box Modeling
  – Reduced accuracy and requires some expertise; combine with "gray box" modeling to overcome this
• Strength Under Mimicry Attack
  – A skilled adversary could evade detection; countermeasures could randomize requests or send extra requests
Conclusion
• Novel passive fingerprinting techniques for ICS
  – Data acquisition and control
  – 99% and 92% classification accuracy
  – Device inventory and complementing traditional IDS
  – Resistant to simple mimicry attacks
• New class of fingerprinting
  – White Box Models
• Future work
  – Internet of Things, developing white box methods
Backup – Across Substations
[Figure only]
Backup – Software
[Figure only]
Backup – White Box
[Figure only]
Backup – Mimicry Attacks
• Weak Adversary
  – Simulates a compromised PLC
  – BeagleBone Black at 300 MHz, 512 MB RAM
• Strong Adversary
  – Simulates an on-site attacker
  – Desktop with 3.4 GHz quad-core i7, 16 GB RAM
• Goal
  – Given the target distributions, masquerade as the target device while responding to read requests
Backup – Mimicry Attacks
[Figure only]