Who's In Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems - PowerPoint PPT Presentation

SLIDE 1

Who’s In Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems

David Formby, Preethi Srinivasan, Andrew Leonard, Jonathan Rogers, Raheem Beyah (NDSS 2016)

Presented by: Yi Zhang October 18th, 2016

SLIDE 2

Cyber Physical Systems (CPS)

Cyber: Personal Computers, Mobile Phones, Embedded Devices
Physical: Motors, pumps, Generators, Valves, Relays…
CPS: the combination of the two

SLIDE 3

Cyber Physical Systems (CPS)

  • Home automation
    – Lighting, locks, thermostat, security system

  • Industrial control systems (ICS)
    – Power grid, water/sewage, oil/gas, manufacturing, supervisory control and data acquisition (SCADA)
    – Cyber-based compromise can lead to physical harm
    – Current ICS is filled with vulnerable, legacy devices

SLIDE 4

Motivation

  • ICS are vulnerable to false data and command injections
    – push system into unsafe state, cause physical harm
    – Previous fingerprinting work not suited for ICS
    – Traditional IDS have limitations

Figure: Illustration of simple false data injection

  • CPS fingerprinting helps defend against these attacks
SLIDE 5

Threat Model and Goals

  • Two attacker models
    – Compromised node
      • Stuxnet
    – Physical access
      • Weak physical security

  • Goal
    – Develop accurate fingerprinting methods to identify what type of device the responses are originating from.

SLIDE 6

CPS Fingerprinting in ICS

  • Data Acquisition Functions
    – Cross Layer Response Time (CLRT)
    – Estimate device processing time
    – Black Box Model fingerprints

  • Control Functions
    – Physical fingerprinting
    – Estimate physical operation time
    – Black Box Model fingerprints
    – New class of fingerprinting: White Box Modeling

SLIDE 7

Cross-Layer Response Time (CLRT)

  • Fingerprints devices from data acquisition traffic
  • Estimates device processing time
    – Time between TCP ACK and SCADA response
    – Static and unique distribution
  • Fast links (100Mbps) with slow devices, slow and regular traffic

Adversary cannot simply respond faster to beat IED, must match the CLRT fingerprint

SLIDE 8

CLRT Experiment

  • Use a real world dataset before and after changes in the network
  • Additional capture from another substation with different network architecture
  • CLRT measurements taken from DNP3 polling requests

SLIDE 9

CLRT Results

Same hardware, different software

SLIDE 10

CLRT Results

  • Uses FF-ANN
  • Time slices as small as 5 mins
    – Average accuracy 93%
  • Supervised Bayes classifier performs even better
  • Unsupervised learning also works well

SLIDE 11

CLRT Results

  • Network architecture found to have minimal effect

Figure: Training Data – Original dataset; Testing Data – Upgraded network
Figure: Training Data – Original dataset; Testing Data – Different substation

SLIDE 12

Physical Fingerprinting

  • Fingerprint devices from control traffic
  • Estimate physical operation time
    – Time between command packet and event timestamp
    – Requires time synchronization
  • Black Box and White Box Methods

Adversary must guess what event timestamp to respond with
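The CLRT measurement on SLIDE 7 and the physical operation time on SLIDE 12 are the same kind of feature: the delay between two observed events, compared against a per-device distribution. The Python below is an added example, not code from the paper or from the presenter. It pairs each TCP ACK with the next SCADA response on the same flow to produce CLRT samples, pairs command packets with the event timestamps a device reports to produce operation times, trains the supervised Gaussian (naive) Bayes classifier variant the deck mentions on constructed samples, and adds a window-level consistency check so that a node answering faster than the real device, the mimicry case the slide rules out, is flagged rather than silently mapped to the nearest class. All device names, timing parameters, packets and timestamps are constructed for illustration.

```python
"""Added example: timing-based device fingerprinting in the style of the CLRT
and physical-fingerprinting slides. Not code from the paper or presentation;
every device name, timing parameter, packet and timestamp here is constructed."""
import math
import random


def clrt_samples(events):
    """Cross-Layer Response Time: pair each TCP ACK with the next SCADA
    response on the same flow and return the ACK-to-response delays (seconds).
    events: iterable of (flow_id, kind, t_seconds) with kind "ack" or "resp"."""
    pending = {}
    delays = []
    for flow, kind, t in sorted(events, key=lambda e: e[2]):
        if kind == "ack":
            pending[flow] = t  # remember when the poll was ACKed
        elif kind == "resp" and flow in pending:
            delays.append(t - pending.pop(flow))
    return delays


def operation_times(commands, event_reports):
    """Physical operation time: delay between a control command packet and the
    event timestamp the device reports for it (assumes synchronized clocks).
    commands: {cmd_id: t_sent}; event_reports: {cmd_id: t_event}."""
    return [event_reports[c] - t for c, t in commands.items() if c in event_reports]


def train(labeled):
    """Fit one Gaussian per device. labeled: {device: [samples]}.
    Returns {device: (mean, variance, prior)}."""
    total = sum(len(s) for s in labeled.values())
    model = {}
    for dev, s in labeled.items():
        mu = sum(s) / len(s)
        var = sum((x - mu) ** 2 for x in s) / (len(s) - 1)
        model[dev] = (mu, max(var, 1e-12), len(s) / total)
    return model


def classify(model, window):
    """Supervised naive Bayes: the device whose Gaussian gives the highest
    posterior for a window of samples treated as independent."""
    best, best_lp = None, -math.inf
    for dev, (mu, var, prior) in model.items():
        lp = math.log(prior)
        for x in window:
            lp += -0.5 * math.log(2 * math.pi * var) - (x - mu) ** 2 / (2 * var)
        if lp > best_lp:
            best, best_lp = dev, lp
    return best


def consistent_with(model, dev, window, z=5.0):
    """Is the window mean within z standard errors of the device's fingerprint?
    A node that answers faster (or slower) than the real device fails this."""
    mu, var, _ = model[dev]
    se = math.sqrt(var / len(window))
    return abs(sum(window) / len(window) - mu) <= z * se


def make_clrt_events(flow, n, mean_s, sd_s, rng, period_s=1.0):
    """Constructed DNP3 poll traffic: one TCP ACK per period, followed by the
    device's response after a Gaussian processing delay."""
    events = []
    for i in range(n):
        t_ack = i * period_s
        events.append((flow, "ack", t_ack))
        events.append((flow, "resp", t_ack + max(rng.gauss(mean_s, sd_s), 1e-6)))
    return events


def demo():
    """Train on constructed traffic from two IEDs, classify a fresh window from
    one of them, and test a spoofed window that answers in a constant 0.5 ms."""
    rng = random.Random(2016)
    # Constructed per-device processing times (mean, sd) in seconds.
    profiles = {"ied-a": (0.0020, 0.0003), "ied-b": (0.0035, 0.0004)}
    training = {dev: clrt_samples(make_clrt_events(dev, 200, mu, sd, rng))
                for dev, (mu, sd) in profiles.items()}
    model = train(training)
    window_b = clrt_samples(make_clrt_events("ied-b", 20, *profiles["ied-b"], rng))
    spoof = [0.0005] * 20  # faster-than-real responder claiming to be ied-b
    return {
        "predicted_b": classify(model, window_b),
        "b_consistent": consistent_with(model, "ied-b", window_b),
        "spoof_predicted": classify(model, spoof),
        "spoof_consistent": consistent_with(model, "ied-b", spoof),
    }


if __name__ == "__main__":
    print(demo())
```

The classifier alone always answers with some known device, so the consistency check is what turns "closest class" into "does not match the claimed device"; the paper's FF-ANN variant is not reproduced here, only the Bayes one the slides say performs better.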

SLIDE 13

Physical Fingerprinting Setup

  • Relays – Typically used to open or close higher voltage circuits with a lower voltage signal. Common device in ICS and analogous to large scale circuit breakers

Figure: Relays used in testbed, nearly identical specifications
Figure: Testbed setup

SLIDE 14

Physical Fingerprinting Results

No obvious differences between Open operations due to nearly identical ratings. Clear differences in Close operations allow for device fingerprinting.

SLIDE 15

Physical Fingerprinting Results

SLIDE 16

White Box Modeling

  • Black Box Modeling sometimes infeasible
    – Operate infrequently, no physical access
  • Construct physical model and estimate parameters

Figure (model diagram labels): Current in coil, Magnetic field, Coil Force, Permanent magnet force, Equation of motion

SLIDE 17

White Box Modeling Results

Reduced accuracy, but could be refined as true samples become available

SLIDE 18

Robust Against Forgery

  • Two classes of adversary
    – Weak adversary: compromise one of the low powered devices
    – Strong adversary: gain physical access to the network
  • The adversary is assumed to have gathered accurate samples

SLIDE 19

Conclusion

  • Novel passive fingerprinting techniques for ICS
    – Data acquisition and control
    – 99% and 92% classification accuracy
    – Inventory and complementing traditional IDS
    – Resistant to simple mimicry attacks
  • New class of fingerprinting – White Box Models
  • Future work
    – Internet of Things, developing white box methods

SLIDE 20

Discussion

  • What is the contribution of the paper?
  • What are the limitations of the paper?
  • How is ICS different from other systems?
  • How to improve the white box modeling?