Challen allenges ges in Av Avoiding ding Process ocess An - PowerPoint PPT Presentation

Challen allenges ges in Av Avoiding ding Process ocess An Anomalies malies in Critical itical In Infrastr frastructure cture 2nd Workshop on Cyber-Physical Systems Se Ad Aditya tya Mathu thur curity and Resilience (CPS-SR) Montreal, Canada Aditya Mathur Professor and Center Director, iTrust Center for Research in Cyber Security Singapore University of Technology and Design CPSS S Work rksh shop op. June 4, 2018 18 Professor of Computer Science, Purdue University, West Lafayette, IN, USA April 15, 2019 1

Question To what extent, and how, can we avoid anomalies in operational critical infrastructure? 2

Tour Guide A. Context B. Anomalies C. Detection D. Command Validation E. Experimental Evaluation F. Next Steps 3

A. Context 4

A Distributed CI Management SCADA Historian Systems Attack point Level 2 Firewall NIDS Switch Level 1 Controller Controller Controller [PLC] [PLC] [PLC] Level 0 S A S A S A 5

ICS-CERT Annual Vulnerability Coordination Report 2016 6

Tools for Invasion Ransomware Malware Virus Social The Physical and Engineering! Virtual insider! Most potent threat 7

A Recent Successful Attack: 2019 Norsk Hydro 8

Critical Infrastructure: Interconnection Water Treatment Water Distribution Electric power generation, transmission, distribution, AMI 9

B. Anomalies 10

Process anomaly q i : plant state at time t=i Valid state sequence: q − k q − k+1 q − k+2 . . . q − 1 q 0 q 1 q 2 . . . Anomalous state sequence: q − k q − k+1 q − k+2 . . . q − 1 q’ 0 q’ 1 q’ 2 . . . Anomalous sequence Question: How to detect anomaly as close to q’ 0 as possible? 11

Anomalies: Cause and Avoidance Component failure Fault tolerant design Communications failure Thorough testing Programming errors Secure design Process data manipulated Firewalls Actuator command manipulated IDS 12

Anomaly: Birth and Travel Intrusion not detected Management SCADA Historian Systems Code upload State manipulation Switch Malicious command Controller compromised Controller Controller Controller Controller [PLC] [PLC] [PLC] deceived Malicious command S A S A S A 13 Physical device affected; process disturbed

The Anomaly Impact Pyramid None Mild Severe Catastrophic 14

C. Detection 15

Requirements Ultra-high detection rate rare for an anomaly to be not detected Ultra-low rate of false alarm: e.g., less than 1-false alarm in 6-months; data collected every second Timely detection Offers “enough” time for an operator to take corrective action and avoid damage 16

Approaches for Detection Process Fabio et al. 2013 x ̇ = f(x,u,η) Dynamics y = g(x, θ) Design Centric Adepu et al. 2016 State if (q(c)==v i ) Plant design Entanglement q(S); S0 [601, 2460] 3, 0.44, #39 [2461, 2640] 3, 0.51, #45 S3 Machine [0, 2640] 4, 0.93, #66 Qin et al. 2018 Data S1 S5 Learning: [0, 2640] 4, 0.95, #82 [0, 2640] 3, 0.92, #59 [0, 2640] 2, 1.0, #66 [0, 600] 3, 0.06, #5 Mujeeb et al.2018 S2 S6 [0, 2640] 3, 0.07, #5 Centric [0, 2640] 1, 0.12, #10 [0, 2640] 2, 0.88, #72 [0, 2640] 3, 0.05, #4 [0, 2640] 1, 0.97, #64 Model; Noise [0, 2640] 3, 1.0, #77 S9 S4 S8 [0, 2640] 2, 0.03, #2 [0, 2640] 4, 1.0, #10 [0, 2640] 2, 0.07, #5 [0, 2640] 2, 0.08, #5 Plant data S10 [0, 2640] 1, 0.93, #67 S [0, 2640] 1, 1.0, #10 S7 Y k =f(Y k-1. z 1 , z 2, … z n ) Heng et al. 2019 17

DAD: Monitor placement Monitor: A coded version of a set of rules that must hold during normal operation. Historian SCADA Plant SWITCH network Plant Plant Plant controller controller controller Tuned Monitors

Claim Near perfect anomaly detection is achievable BUT… may not be adequate to protect a plant from severe damage. 19

D. Command Validation 20

Definitions ⍵ (t, a): A well-formed command sent to actuator a at time t. ⍵ (t, a): Valid iff f(a, ⍵ , s k ), where s k is plant state when the command is issued. f(a, ⍵ , s k ): actuator function for ⍵ (t, a) ; ensures correct and safe operation of the plant 21

Sample Actuator Functions 22

Source of invalid (malicious) commands Faulty component or network communications Faulty network communications Incorrect code Cyber attack 23

Origin of a Malicious Command Direct: Attacker sends a malicious command to an actuator. Indirect: Attacker deceives a PLC through manipulation of state variables. In turn the deceived PLC sends a malicious command. 24

A Key Requirement for Validation Given what we know about the origin of a command… …a command validator must be able to obtain accurate estimate of the system state and predict continuous state variables. 25

Challenge 1 How to ensure that a command validator can obtain accurate state estimate?

Challenge 2 Where should a command validator be installed?

Challenge 3 When a command is found to be malicious, should it be sent to the target actuator?

Challenge 4 How to avoid the damaging impact of late detection?

Past work Stone et al., 2012 Improved modeling and validation of command sequences using a checkable sequence language Mashima et al., 2016 An active command mediation approach for securing remote control interface of substations Lin et al., 2016 Runtime semantic security analysis to detect and mitigate control-related attacks in power grids Maimone et al., 2018 RP-check: An architecture for spaceflight command sequence validation Our approach Real-time (not simulation) Design centric; partial state estimation ALL commands are validated 30

The Approach

Architecture for Command Validation Wireless / Wired Networks Level 3 LIC: Local Intelligent Checker Orthogonal SCADA, Defense Level 2 HMI, Historian GIC: Global Intelligent Checker Level 1 GIC PLC Level 0 Remote I/O Splitter LIC validated from other commands stages Actuators Sensors

E. Experimental Evaluation 33

Critical Infrastructure: Water Treatment 34

Set-up 1. Attacker SCADA, HMI, EWS 2. Attacker acker L1 MSG PLC1 PLC2 MSG L0 CV RIO2 RIO1 S A S A Physical Physical Process Process

Time to make decision Case 1: No attack before t0 Case 2: Attack before t0, detected before t0 Case 3: Attack before t0, a. detected between t0 and t1, b. detected after t1, and c. Not detected.

Attacks: Stage 1 Target get Attack ack Detec tecte ted d fi first st by MV101 Open and Close (chatter CV attack) LIT101 Spoof level to low DAD; then after 6-seconds CV stopped the MV101 open command P101 Stop the pump CV LIT101 Cut sensor wire in RIO DAD

Attacks: Stage 2 Target get Attack ack Detec tecte ted d fi first st by AIT202 Decrease the pH value CV MV201 Close CV P205 (NaOCl) Stop the pump CV P201, P202 Turn ON CV

Attacks: Stage 3 Target get Attack ack Detec tecte ted d fi first st by P301 Stop outflow from UF CV DPIT301 Activate backwash CV LIT301 Spoof to HH DAD

Summary 1: Detection and anomalies CV detected 8 out of 11 attacks. Remaining three attacks: on analog values, • detected by DAD, i.e., caused anomalies, but • did not lead to the desired impact. •

Summary 2: Timing No attack detected before t 0 . Attacks detected between t 0 and t 1 : Stage 1: Two out of four attacks detected before t 1 Stage 2: All four attacks detected before t 1 Stage 3: Two out of three detected before t1

Conclusions In the experiments conducted, CV worked well in concert with the anomaly detector. Anomalies arising out of continuous state variables are detected by DAD. These may lead to malicious commands (indirect). . Direct malicious attacks possible only when intelligent checkers are compromised.

F. Next Steps 43

Full Implementation and Evaluation Implement CV across the entire plant. Design and launch single and multi-point masking attacks. 44

CV Inside PLCs? Should CV, with state prediction, be placed inside PLCs? 45

Design of Command Validator for Power Grid Will the approach work on a power grid? Timing is critical 46

100% anomaly avoidance? Is that a realizable dream? 47

Thanks… … to all those who are making it happen! PhD Students Research Staff Sridhar Adepu Jonathan Heng Mujeeb Chuadhary Gauthama Iyer Gayathri Sugumar Nandha Kandasamy Robert Kooij Collaborators Vishrut Mishra Professor Sicco Verwer Venkat Reddy Lin Qin, PhD Student Siddhant Shrivastava Andrew Yoong 48

Je vous remercie Thank You!