DOI: 10.1145/3243734.3243781
Research article, open access

Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems

Published: 15 October 2018

Abstract

Recent incidents have shown that Industrial Control Systems (ICS) are becoming increasingly susceptible to sophisticated and targeted attacks initiated by adversaries with high motivation, domain knowledge, and resources. Although traditional security mechanisms can be implemented at the IT-infrastructure level of such cyber-physical systems, the community has acknowledged that it is imperative to also monitor the process-level activity, as attacks on ICS may very well influence the physical process. In this paper, we present PASAD, a novel stealthy-attack detection mechanism that monitors time series of sensor measurements in real time for structural changes in the process behavior. We demonstrate the effectiveness of our approach through simulations and experiments on data from real systems. Experimental results show that PASAD is capable of detecting not only significant deviations in the process behavior, but also subtle attack-indicating changes, significantly raising the bar for strategic adversaries who may attempt to maintain their malicious manipulation within the noise level.
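As an added illustration (not the authors' implementation or data), the following Python sketch shows the kind of departure score the author tags point to: a singular spectrum analysis of lagged sensor windows, projection onto the learned signal subspace, and a squared distance from the centroid of normal windows, computed in the low-dimensional subspace through the partial-isometry property. The window length, subspace dimension, threshold rule, and the constant-setpoint sensor model with a noise-level bias are constructed assumptions.

```python
import numpy as np

L, R = 100, 3              # lag (window) length and signal-subspace dimension: assumed values
SIGMA, BIAS = 0.05, 0.05   # constructed sensor noise std and injected bias (bias is at noise level)

def lag_vectors(series, L):
    """Trajectory matrix of SSA: column i is the lag-L window series[i:i+L]."""
    return np.column_stack([series[i:i + L] for i in range(len(series) - L + 1)])

def fit(train, validate, L=L, r=R, margin=1.2):
    """Learn the normal signal subspace U_r and centroid, then set the alarm threshold
    from scores on clean validation data (threshold rule is a simplifying assumption)."""
    X = lag_vectors(train, L)
    U, _, _ = np.linalg.svd(X, full_matrices=False)
    U_r = U[:, :r]                       # orthonormal columns: a partial isometry
    centroid = X.mean(axis=1)
    threshold = margin * departure_scores(validate, U_r, centroid).max()
    return U_r, centroid, threshold

def departure_scores(series, U_r, centroid):
    """Squared distance of each window from the centroid inside the signal subspace.
    Because U_r is a partial isometry, |U_r^T (x - c)|^2 equals |U_r U_r^T (x - c)|^2,
    so the score is computed with r-dimensional vectors instead of L-dimensional ones."""
    X = lag_vectors(series, len(centroid))
    return np.sum((U_r.T @ (X - centroid[:, None])) ** 2, axis=0)

def simulate():
    """Constructed data: a level sensor regulated at set-point 1.0 with Gaussian noise."""
    rng = np.random.default_rng(7)
    train = 1.0 + SIGMA * rng.standard_normal(500)
    validate = 1.0 + SIGMA * rng.standard_normal(500)
    normal = 1.0 + SIGMA * rng.standard_normal(300)
    attacked = normal.copy()
    attacked[100:] += BIAS               # constant bias from sample 100 on, hidden in the noise band
    return train, validate, normal, attacked

def run_demo():
    train, validate, normal, attacked = simulate()
    U_r, c, thr = fit(train, validate)
    s_normal = departure_scores(normal, U_r, c)
    s_attack = departure_scores(attacked, U_r, c)
    inside = s_attack[100:]              # windows lying entirely in the biased segment
    # Per-sample 3-sigma check on raw values: the bias is too small for it to notice.
    raw_rate = np.mean(np.abs(attacked[100:] - train.mean()) > 3 * SIGMA)
    return {"threshold": float(thr),
            "false_alarm_rate": float(np.mean(s_normal > thr)),
            "detection_rate": float(np.mean(inside > thr)),
            "raw_3sigma_flag_rate": float(raw_rate)}

if __name__ == "__main__":
    print(run_demo())
```

The window-level score aggregates the bias over L samples along the dominant subspace direction, which is why it separates cleanly from the noise while a per-sample limit check does not.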

Supplementary Material

MP4 File (p817-aoudi.mp4)


Published In

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
October 2018
2359 pages
ISBN: 9781450356930
DOI: 10.1145/3243734

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. cyber-physical systems
2. departure detection
3. industrial control systems
4. intrusion detection
5. isometry trick
6. partial isometry
7. singular spectrum analysis
8. stealthy attacks

Qualifiers

• Research-article

Funding Sources

• Swedish Civil Contingencies Agency (MSB)
• Department of Economic Development and Infrastructures of the Basque Government

Conference

CCS '18

Acceptance Rates

CCS '18 Paper Acceptance Rate: 134 of 809 submissions, 17%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
