DOI: 10.1145/2976749.2978388

Limiting the Impact of Stealthy Attacks on Industrial Control Systems

Published: 24 October 2016

Abstract

While attacks on information systems have, for most practical purposes, binary outcomes (information was manipulated/eavesdropped, or not), attacks manipulating the sensor or control signals of Industrial Control Systems (ICS) can be tuned by the attacker to cause a continuous spectrum of damage. Attackers who want to remain undetected can attempt to hide their manipulation of the system by closely following the expected behavior of the system, while injecting just enough false information at each time step to achieve their goals. In this work, we study whether attack detection can limit the impact of such stealthy attacks. We start with a comprehensive review of related work on attack detection schemes in the security and control systems community. We then show that many of those works use detection schemes that do not limit the impact of stealthy attacks. We propose a new metric to measure the impact of stealthy attacks and how that impact relates to our selection of an upper bound on false alarms. Finally, we show that the impact of such attacks can be mitigated in several cases by the proper combination and configuration of detection schemes. We demonstrate the effectiveness of our algorithms through simulations and experiments using real ICS testbeds and real ICS systems.

    Published In

    CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
    October 2016
    1924 pages
    ISBN:9781450341394
    DOI:10.1145/2976749
    Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. industrial control systems
    2. intrusion detection
    3. physics-based detection
    4. security metrics
    5. stealthy attacks

    Qualifiers

    • Research-article

    Conference

    CCS'16

    Acceptance Rates

    CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
