SLIDE 1

Adaptation of Failure Detection Mechanisms to Handle Attacks against SCADA Systems

  • J. RUBIO-HERNAN and J. GARCIA-ALFARO
SLIDE 2

Agenda

  • Introduction
  • State of the Art
  • Physical-layer Failure Detection Mechanisms
  • Conclusion & Future Work

SLIDE 4

Introduction

SCADA (Supervisory Control and Data Acquisition)

A technology to monitor critical infrastructures

Related to larger systems, such as

  • Distributed Control Systems (e.g., energy transmission)
  • Industrial Control Systems (e.g., factories & supply chain)

SLIDE 6

Representation of a SCADA System

[Figure: Master Terminals, Remote Terminals, Sensors / Actuators]

Security perspectives per layer

  • Master Terminals (i.e., traditional IT systems): protection of information assets
  • Remote terminals (i.e., middleware systems): reliability & performance of distributed communications
  • Sensors & Actuators (i.e., constrained devices): protection of processing assets

SLIDE 7

Our Research Goals

Protection of integrity properties purely based on physical assumptions between remote terminals & sensors/actuators

Avoid cryptography & distribution of keys

[Figure: Sensors / Actuators, Remote Terminals]

SLIDE 8

Agenda

  • Introduction
  • State of the Art
      • Some more definitions
  • Physical-layer Failure Detection Mechanisms
  • Conclusion & Future Work

SLIDE 9

Attacks vs. Accidents/Failures

[Figure: Decomposition of a Security Incident in an Industrial System. Labels: Security Incident, Intentional, Attack, Non-intentional, Accident / Failure, Active, Passive, Industrial System, Vulnerability]

Attack: intentional action by which an entity attempts to evade security services and violate the security policy of a system

SLIDE 10

Failure Detection Mechanisms

What is a Failure Detection Mechanism?

  • Mechanism to detect failures in a system

What is a Failure / Accident?

  • Undesirable, non-intentional, variation in the system

What is an Attack?

  • Undesirable, intentional, variation in the system

[Figure: Actuator/Plant/Sensor, Controller, Failure Detection Mechanism, Failure, Attack]

SLIDE 11

Safety & Security Synergies

Safety [1]: achievement of proper operating conditions, prevention of accidents & mitigation of accident consequences, protection of workers & environment

Security [2]: establishment & maintenance of protective measures to perform critical functions despite risks posed by intentional threats

Physical-layer Security Detection Mechanisms

  • Several approaches in the literature propose the adaptation of physical layer failure (i.e., safety) detection mechanisms to handle intentional attacks (e.g., replay and injection attacks)
  • Issues: often not well evaluated in terms of security

[1] Guides, S. (2007) IAEA (International Atomic Energy Agency) Safety Glossary Publications
[2] Kissel, R. (2013) Glossary of Key Information Security Terms. NIST Interagency/Internal Report (NISTIR)

SLIDE 12

Agenda

  • Introduction
  • State of the Art
  • Physical-layer Failure Detection Mechanisms
      • Example: The Mo et al. Physical-layer Security Detection Mechanism
      • Our Adversary Model for the Mo et al. Security Detection Mechanism
      • Simulation Results
  • Conclusion & Future Work

SLIDE 13

The Mo et al. Detector [3,4]

Example of a Physical-layer Security Detection Mechanism (Mo et al.)

  • Unauthenticated signals (e.g., replayed or modified messages) affect the stability of the system and get detected by the new construction

Controller:

  • Adds authentication stamp to transform a safety system into a security system
  • Stamp: non-deterministic signal

Adversary:

  • Without security system knowledge

[Figure: Actuator/Plant/Sensor, Controller, Stamp, Adversary [a]]

[3] Mo and Sinopoli (2009) Secure Control against Replay Attacks. 47th Annual Allerton Conference on Communication, Control, and Computing, pp. 911-918.
[4] Mo, Kim, Brancik, Dickinson, Lee, Perrig, and Sinopoli (2013) Cyber–Physical Security of a Smart Grid Infrastructure. Proceedings of the IEEE, 100(1):195-209, DOI: 10.1109/JPROC.2011.2161428

SLIDE 15

Our New Adversary Model for the Mo et al. Security Detection Mechanism

Objective: Show that the Mo et al. detector is less secure than expected

Adversary: An active agent who periodically eavesdrops, stores and analyzes valid signals, generates new potentially valid signals (w.r.t. the authentication process), and injects them afterwards

[Figure: Actuator/Plant/Sensor, Controller, Stamp, Adversary, [a], [a']]

SLIDE 16

Analysis of Valid Signals

  • Adversary knows that the system is using a non-deterministic signal to authenticate valid messages (stamp)
  • Goal: separate the stamp from the deterministic signal (message)
  • How?
      • E.g., by using « Wold’s Decomposition Theorem » [5]

“A process created with a deterministic signal and a non-deterministic signal mutually uncorrelated can be decomposed in two processes: one with the deterministic signal, and another with the non-deterministic signal”.

[5] Wold, H. (1954) A Study in the Analysis of Stationary Time Series, Second revised edition, with an Appendix on Recent Developments in Time Series Analysis by Peter Whittle. Almqvist and Wiksell Book Co., Uppsala.

SLIDE 17

Generation of New Valid Signals

  • Applying Wold’s Decomposition Theorem to signal processing, via adaptive filters:
      • It is possible to separate the non-deterministic signal from the deterministic signal
      • It is possible to obtain the dynamics of the system knowing only its inputs & outputs

SLIDE 19

Simulation Results

Matlab simulations using a MIMO system to simulate an industrial plant system under attack

  • Two simulated attacks
      • Adversary without knowledge: Replay attacks hijacking sensors & replaying previous readings (Adversary in Mo et al.’s Proposal)
      • Adversary with knowledge: Integrity attacks hijacking sensors & actuator, then injecting new sensor readings (Our New Adversary)

[Figure, two panels: (1) Adversary without Knowledge: Actuator/Plant/Sensors, Controller, Stamp, [a]; (2) Adversary with Knowledge: Actuator/Plant/Sensors, Controller, Stamp, [a'], [a]]

SLIDE 20

Use Cases

  • 1st use case: The system is attacked by the adversary without knowledge & the system does not use security stamps
  • 2nd use case: The system is attacked by the adversary without knowledge & the system does use security stamps
  • 3rd use case: The system is attacked by the adversary with knowledge & the system does use security stamps

SLIDE 21

Results

Simulation

  • System under attack during the last 50 seconds
  • Plots represent the output of the Mo et al. Failure Detector

[Figure, three panels: 1st use case (no stamp), 2nd use case (Mo et al.’s Adversary), 3rd use case (Our New Adversary)]
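
The first two use cases, as an added sketch (not the authors' Matlab simulation): a constructed scalar plant with fixed controller and estimator gains, and a chi-square test on the estimator residual standing in for the detector. The plant, gains, noise levels, stamp variance, seed and function names are all assumptions.

```python
import random

# Constructed scalar plant (all values are assumptions for illustration):
#   x[k+1] = A*x[k] + B*u[k] + w[k],   y[k] = x[k] + v[k]
A, B = 1.0, 1.0
L_GAIN, K_GAIN = 0.5, 0.5     # fixed controller and estimator gains
Q, R = 0.01, 0.01             # process and measurement noise variances
THRESHOLD = 6.63              # 99th percentile of chi-square, 1 degree of freedom


def residual_variance():
    """Steady-state variance of the estimator residual when nothing is wrong."""
    var_e = ((1 - K_GAIN) ** 2 * Q + K_GAIN ** 2 * R) / (1 - ((1 - K_GAIN) * A) ** 2)
    return A * A * var_e + Q + R


def alarm_rates(stamp_std, steps=300, attack_start=200, seed=7):
    """Return (alarm rate before the replay, alarm rate during the replay)."""
    rng = random.Random(seed)
    var_r = residual_variance()
    x = xhat = u = 0.0
    recorded, alarms = [], []
    for k in range(steps):
        x = A * x + B * u + rng.gauss(0, Q ** 0.5)        # plant
        y = x + rng.gauss(0, R ** 0.5)                    # genuine sensor reading
        recorded.append(y)
        if k >= attack_start:                             # controller receives an
            y = recorded[k - attack_start]                # old, recorded reading
        predicted = A * xhat + B * u                      # estimator prediction
        residual = y - predicted
        xhat = predicted + K_GAIN * residual
        alarms.append(residual ** 2 / var_r > THRESHOLD)  # detector output
        u = -L_GAIN * xhat + rng.gauss(0, stamp_std)      # u = u* + stamp
    before, during = alarms[:attack_start], alarms[attack_start:]
    return sum(before) / len(before), sum(during) / len(during)


if __name__ == "__main__":
    for label, std in (("1st use case (no stamp)", 0.0), ("2nd use case (stamp)", 0.5)):
        before, during = alarm_rates(std)
        print(f"{label}: alarm rate before={before:.2f}, during replay={during:.2f}")
```

With these constructed parameters the replay leaves the alarm rate near the false-alarm level when no stamp is used, and raises it sharply once the stamp is added to the control signal.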

SLIDE 23

Conclusion

Physical-layer security is necessary to assure reliability & integrity of low-power devices

  • Otherwise, it can affect the whole system

Adaptation of safety solutions to handle, as well, security, without modifying the system dynamics, should be done carefully

  • Must be evaluated in terms of both safety and security

The security analysis of the Mo et al. Detector should be revisited

  • Our simulations confirm the claim

SLIDE 24

Perspectives for Future Work

Improve the security of the detector to identify our proposed adversary

Enhance the detector to differentiate failures from attacks

SLIDE 25

Questions?

jose.rubio_hernan@telecom-sudparis.eu

SLIDE 26

Adaptive filters are used to obtain the non-deterministic signal

[Figure: adaptive filter block diagram. Labels: Input signal, $d_k = x_k + w_k$, $z^{-\Delta}$, $d_{k-\Delta}$, Adaptive filter, $y_k$, Adaptive Algorithm, $\Sigma$, $e_k = d_k - y_k$, Output signal]

SLIDE 27

Adaptive filters are used to learn how the plant works

[Figure: adaptive filter block diagram. Labels: Input signal, Unknown System (Plant), $d_k$, Adaptive filter, $y_k$, Adaptive Algorithm, $\Sigma$, $e_k = d_k - y_k$, Output signal]

SLIDE 28

Mo et al. Physical-layer Security Detection Mechanisms

Eavesdropping and injection of messages

[Figure: control loop block diagram. Blocks: Controller, Actuator, Plant, Sensor, Estimator, Attack detector module, Adversary, Alarms. Signals: $u_k^c = u_k^* + \Delta u_k$, $u_{k-1}^c$, $u'_k$, $y_k$, $y'_k$, $x_{k+1}$, $\hat{x}_k$, $u_k^*$, $\Delta u_k$]

[1] Mo and Sinopoli (2009) Secure Control against Replay Attacks. 47th Annual Allerton Conference on Communication, Control, and Computing, pp. 911-918.
[2] Mo, Kim, Brancik, Dickinson, Lee, Perrig, and Sinopoli (2013) Cyber–Physical Security of a Smart Grid Infrastructure. Proceedings of the IEEE, 100(1):195-209, DOI: 10.1109/JPROC.2011.2161428