Side-channel based intrusion detection for industrial control - - PowerPoint PPT Presentation

▶

Mar 24, 2023 608 likes •929 views

Side-channel based intrusion detection for industrial control systems I have no idea what this device is doing, but at least its still doing the same thing. CRITIS 2017, October 9 th , 2017 Pol Van Aubel 1/31 Authors Joint work:

SLIDE 1

Side-channel based intrusion detection for industrial control systems

“I have no idea what this device is doing, but at least it’s still doing the same thing.” CRITIS 2017, October 9th, 2017

Pol Van Aubel

1/31

SLIDE 2

Authors

Joint work: Pol Van Aubel

pol.vanaubel@cs.ru.nl

Radboud University iCIS|Digital Security

Łukasz Chmielewski

chmielewski@riscure.com

Riscure BV

Kostas Papagiannopoulos

k.papagiannopoulos@cs.ru.nl

Radboud University iCIS|Digital Security

Christian Doerr

c.doerr@tudelft.nl

Delft University of Technology Pol Van Aubel

2/31

SLIDE 3

Outline

Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion

Pol Van Aubel

3/31

SLIDE 4

Outline

Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion

Pol Van Aubel

4/31

SLIDE 5

The scenario

What if an attacker changes the software on the control systems?

Natanz
Ukraine
. . .

Pol Van Aubel

5/31

SLIDE 6

The problem

After a program is

written
tested
deployed

how do we ensure that we are always running that program?

Pol Van Aubel

6/31

SLIDE 7

Prevent other software from running

Verify software signatures with a Trusted Platform Module. Or similar solutions, requiring integration.

Pol Van Aubel

7/31

SLIDE 8

Detect when other software is running

Network intrusion detection . . . and prevention?
Host intrusion detection.

Requiring integration. May be circumvented or worse.

Pol Van Aubel

8/31

SLIDE 9

What about the legacy?

Large number of deployed systems. We need an option that can be used

without software modifications,
without hardware modifications,
at most superficial hardware additions.

There are no silver bullets.

Pol Van Aubel

9/31

SLIDE 10

Side-channel based intrusion detection

We propose a system to detect software compromise of embedded industrial control systems by using the electromagnetic side-channel emissions of the underlying hardware.

Pol Van Aubel

10/31

SLIDE 11

Outline

Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion

Pol Van Aubel

11/31

SLIDE 12

Side-channels

What is a side-channel? Non-functional transmission of information about the state of a system.

Execution time
Processor temperature
Power consumption
Coil whine
WiFi power levels
Electromagnetic radiation

Mostly used for breaking cryptography / security / privacy.

Pol Van Aubel

12/31

SLIDE 13

How to capture EM-radiation?

Pol Van Aubel

13/31

SLIDE 14

What does it look like?

Pol Van Aubel

14/31

SLIDE 15

PLCs 101

Dedicated industrial computers that are built for

stability,
robustness,
real-time characteristics,
and huge numbers of I/O arrangements.

Pol Van Aubel

15/31

SLIDE 16

PLCs 101

Operate on a “scan cycle”:

1. read all inputs into memory,
2. execute the user program,
3. do error handling and other stuff,
4. drive all outputs from memory.
ver and over again.

Pol Van Aubel

16/31

SLIDE 17

What does it look like?

Pol Van Aubel

17/31

SLIDE 18

Outline

Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion

Pol Van Aubel

18/31

SLIDE 19

Attacker model

Attacker can upload new software to the PLC to replace or modify the existing user program. Attacker cannot control the PLC operating system.

Pol Van Aubel

19/31

SLIDE 20

Two-layered intrusion detection

1. Timing layer: check program runtime.
2. EM layer: compare program EM trace to baseline.

Pol Van Aubel

20/31

SLIDE 21

Timing side-channel layer

Trivially detects large alterations.
Determining runtime?

– EM-analysis – OS-emitted signal

Pol Van Aubel

21/31

SLIDE 22

Determine runtime through EM-analysis

Pol Van Aubel

22/31

SLIDE 23

EM side-channel layer

Distinguish between programs with minor modifications

in program logic (instructions).
in comparison constants (values).

Pol Van Aubel

23/31

SLIDE 24

Outline

Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion

Pol Van Aubel

24/31

SLIDE 25

Best results – comparison constant

Pol Van Aubel

25/31

SLIDE 26

Best results – comparison constant

Pol Van Aubel

26/31

SLIDE 27

Best results – program logic

Pol Van Aubel

27/31

SLIDE 28

Best results – program logic

Pol Van Aubel

28/31

SLIDE 29

Outline

Software behaviour verification Side-channel analysis Proposed system Results Future work, conclusions, and discussion

Pol Van Aubel

29/31

SLIDE 30

Future work

Expand on classification techniques to improve recognition rates.
Consider the PLC operating system.
Analyse the impact of EM-noisy environments.

Pol Van Aubel

30/31

SLIDE 31

Main conclusions

Our method is feasible.
However, it does not come without a cost.
Detects when attacker replaces user program.
Software available at

https://polvanaubel.com/research/em-ics/code/. Pol Van Aubel

pol.vanaubel@cs.ru.nl PGP key fingerprint: 5937 4550 F873 5C57 A778 BDE2 B563 848A 5F60 0EAE

Paper 59

n the conf. USB

Kostas Papagiannopoulos

k.papagiannopoulos@cs.ru.nl

Łukasz Chmielewski

chmielewski@riscure.com

Christian Doerr

c.doerr@tudelft.nl

Pol Van Aubel

31/31